New Guidelines Aim to Strengthen Security Against Scams, Phishing, and Smart Contract Exploits.

Overview

The rapid adoption of cryptocurrency has opened new doors for financial innovation and investment, but it has also made this digital asset an increasingly attractive target for cybercriminals. Recognizing the growing risks in this space, the Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have issued a joint advisory to help the public protect their cryptocurrency holdings. The advisory outlines the tactics employed by threat actors and provides best practices for safeguarding digital assets. This blog takes a closer look at the advisory, analyzes the evolving threats, and recommends preventive measures to ensure a safer cryptocurrency ecosystem in Singapore.

Threat Actors Target Cryptocurrency: Tactics to Watch Out For

As cryptocurrencies gain popularity, cybercriminals have refined their methods to exploit unsuspecting victims. SPF and CSA have highlighted several tactics used by threat actors:

1. Imposter Profiles
   • Cybercriminals impersonate legitimate blockchain entities on social media platforms, offering fake giveaways or promotions. Victims are tricked into verifying their wallets by sharing sensitive information such as login credentials.
   • In some cases, attackers pose as employers in cryptocurrency companies, asking victims to demonstrate their blockchain skills by executing malicious scripts, leading to unauthorized wallet transactions.

2. Phishing Websites
   • Fraudulent websites are created to mimic legitimate cryptocurrency wallets, exchanges, or platforms. These sites lure victims by promising lucrative investment opportunities or exclusive tokens with high returns.
   • Social media advertisements amplify the reach of these phishing schemes, making them more accessible to potential victims.

3. Exploiting Software Vulnerabilities
   • Threat actors actively identify and exploit software flaws in smart contracts, especially those involving multi-threading or recursion. One such example is the Re-entrancy Attack, where attackers interrupt ongoing smart contract transactions to execute unintended behaviors or repeat transactions.

4. Manipulating Automated Smart Contracts
   • Smart contracts designed for automated trading can be exploited. Cybercriminals deceive these contracts by creating liquidity pools that appear valuable, causing cryptocurrencies to flow into the attackers’ pools automatically.

Best Practices for Cryptocurrency Users

To counter these threats, SPF and CSA have outlined several precautionary measures:

1. Use Secure Wallets
   • Store cryptocurrencies in hardware wallets to keep them offline and shield them from online attacks.
   • If frequent transactions are necessary, use reputable software wallets and ensure they are updated with the latest security patches.

2. Set Strong Passwords and Enable Two-Factor Authentication (2FA)
   • Always use strong, unique passwords for wallets and online accounts.
   • Never share private keys, recovery phrases, or seed phrases. Keep them stored securely in physical form.
   • Enable 2FA for all accounts related to cryptocurrency to add an extra layer of protection.

3. Regularly Monitor Accounts
   • Frequently review wallet transactions to spot unauthorized activities.
   • Use tools like blockchain explorers to manage and revoke excessive token allowances.

4. Exercise Caution with Smart Contracts
   • Verify the legitimacy of smart contracts before interacting with them.
   • Avoid approving or signing transactions without fully understanding their implications.

5. Beware of Phishing Attempts
   • Avoid clicking on unsolicited links or downloading attachments from unknown sources.
   • Cross-check links and verify their authenticity through official channels.

6. Stay Informed
   • Keep up-to-date with emerging cryptocurrency threats and best practices by following trusted sources and industry updates.

Responding to Cryptocurrency Crimes

Despite precautions, falling victim to cryptocurrency crimes is still a possibility. SPF and CSA recommend the following steps if you suspect or confirm an incident:

1. Immediate Actions
   • Contact your cryptocurrency exchange to halt transactions or freeze your account.
   • Revoke any suspicious token approvals using wallet interfaces.
   • Transfer remaining assets from compromised wallets to secure ones immediately if a seed phrase is compromised.

2. Report the Incident
   • File a report with the Police and CSA’s SingCERT by emailing singcert@csa.gov.sg or using the reporting form on the CSA website.
   • For urgent assistance, call the Police Hotline at 1800-255-0000 or dial 999 for emergencies.
   • Use the ScamShield app or helpline (1799) to check, deter, and block scams.

Analyzing the Threat Landscape

The tactics outlined by SPF and CSA illustrate the deception of modern cybercriminals targeting cryptocurrency users. These methods leverage both technical exploits and psychological manipulation to deceive victims. For example:

• Social Engineering: Imposter profiles and phishing schemes prey on human trust and curiosity. The promise of high returns or exclusive opportunities can cloud judgment, leading victims to unknowingly divulge critical information.
• Technical Exploits: Attacks on software vulnerabilities highlight the need for rigorous testing of smart contracts and associated applications. Developers must adopt robust security practices to minimize risks.
• Automation Exploitation: Automated trading mechanisms, while convenient, require enhanced safeguards to prevent exploitation by malicious actors.

Fostering a Secure Cryptocurrency Ecosystem

Cryptocurrency security is a shared responsibility among users, developers, and regulatory bodies. Here are some actionable recommendations:

1. User Awareness
   • Public education campaigns should emphasize the importance of cybersecurity hygiene and vigilance in cryptocurrency transactions.
   • Sharing real-life case studies of cryptocurrency scams can help users recognize red flags.

2. Developer Best Practices
   • Developers must prioritize security when designing and deploying smart contracts. Comprehensive testing and vulnerability assessments are crucial.
   • Implementing monitoring mechanisms can help identify suspicious activities in real-time.

3. Regulatory Collaboration
   • Regulatory bodies and law enforcement agencies should collaborate to track and disrupt cryptocurrency-related criminal networks.
   • Encouraging the adoption of global security standards can strengthen the resilience of cryptocurrency platforms.

A Call to Action

As threats in the cryptocurrency space continue to evolve, staying one step ahead of cybercriminals is critical. The joint advisory from SPF and CSA underscores the importance of proactive measures to protect digital assets. By adopting best practices, users can significantly reduce their risk of falling victim to scams and attacks.

It’s equally important to foster a culture of shared responsibility and collaboration. Whether you’re a cryptocurrency user, developer, or policymaker, your role is integral to creating a safer cryptocurrency ecosystem.

Source: https://www.csa.gov.sg/docs/default-source/publications/singcert/2024/joint-advisory-on-the-safeguarding-of-cryptocurrency-assets-against-threat-actors.pdf?sfvrsn=79585f8_1

The post Singapore Warns Against Crypto Scams: Best Practices to Safeguard Digital Wealth appeared first on Cyble.

Blog – Cyble – ​Read More

Account hijacking in Telegram has become a serious criminal business in today’s world. Scammers employ sophisticated methods to steal access to accounts, and then use them to attack other users through deepfakes, social engineering, and other techniques. Here’s how it typically works: having stolen an account, scammers send phishing messages to all its contacts — such as “Hi, I urgently need money. Can you help me?”, Please vote for me if you have a moment or You’ve received a gift – a one-year subscription to Telegram Premium — to hijack even more accounts.

These messages often have phishing links at the other end, which look legitimate — for example, https://t.me/premium — but actually redirect users to fraudulent websites. If you click the link and follow the scammer’s instructions, you’ll likely lose access to your Telegram account (especially if you haven’t set up two-step verification in Telegram). Your contacts may then receive similar phishing messages from your account.

Stolen or fake accounts can also be used for complex targeted attacks — sometimes employing deepfakes to deceive employees of organizations. You might encounter messages allegedly from company management that include personal details like your full name, mentioning some kind of inspection by government authorities, and demanding confidential information or financial assistance in an air of complete secrecy. These are always fake.

Meanwhile, the original Telegram account owner might not even realize at first that their account has been compromised. They continue chatting with friends, reading their favorite channels, and assuming they’re safe from scammers. How is this possible? This happens because Telegram allows multiple sessions to the same account from different devices. Having gained access to your account, scammers open a session on their device without closing your active sessions. Then they send messages, and immediately delete them on the sender’s side only. In this way, recipients see the messages, but the victim doesn’t.

As we are seeing, scammers are interested in everyone — even the most ordinary of Telegram users. In this article, we address two key questions: how to know if your Telegram account has been hacked, and if it has, what should you do?

How to know if your Telegram account has been hacked

The following are possible signs that your account has been hacked: your username or profile picture has changed; you’ve been entered into some suspicious competitions; you see a message sent from your account that’s then immediately deleted; your friends tell you they’ve received strange messages from you that you can’t see. Let’s go through these one by one…

Changes to your username or profile picture. Scammers might alter your username to include a phishing link or put the link in your bio. They might also modify your profile picture to their advantage. For example, adding a note to your photo asking for help: “I’m in trouble, please help me however you can”. Any change of information without your knowledge indicates a compromise. In short, if something has changed “by itself”, then most likely attackers are responsible: you’ve been hacked.

Participation in suspicious activities. Scammers might send you a link to activate a Telegram Premium gift subscription, and if you “activate” it, your account will be stolen. This is a fairly popular account hijacking scam, which we’ve covered in detail on the Kaspersky Daily blog. Popular, yes — but far from the only one. Here’s another one: asking for help to win a vote.

Friends report receiving strange messages from you, which you don’t see. Scammers work hard to conceal the fact that your account has been hacked. They delete all messages sent from your account on the sender’s side. The recipient gets the message (and can even reply), but you won’t know about it unless your friends inform you.

You receive a login code for a new device. However, you definitely didn’t attempt to log in, and all your known devices are already connected to your account. Scammers usually delete such messages immediately, but if you spot a request for such a code, your account is under attack right there and then.

If you notice any of these signs, act quickly — you’ve only 24 hours to save your account. Why 24 hours? Telegram has built-in protection against account theft — preventing new devices from terminating active sessions on other devices within the first 24 hours. After 24 hours, the scammers will end all other sessions on your account, and you’ll lose all access.

What to do if your Telegram account has been hacked

Here are some basic countermeasures to take if you detect signs of a Telegram account hack.

Terminate all unknown sessions

To do this, go to Settings → Devices → Terminate all other sessions (in desktop clients, this section might be called Active sessions). This will log out all sessions except the current one, cutting off the scammers’ access to your account.

How to terminate sessions in Telegram

Alternatively, you can choose specific sessions to terminate by selecting them and clicking Terminate Session, or by clicking Edit in the top right corner of the screen.

Contact technical support

To do this, navigate to Settings → Ask a question to reach Telegram support. While this might seem a safe option, the 24-hour timeline could play into the scammers’ hands here: Telegram support is handled by volunteers, so a response may take time in coming. So first of all, you should terminate all unknown sessions (see above), and enable two-factor authentication (see below).

If you proceed with contacting support, you’ll enter a chat with the Volunteer Support bot. Note that this bot can only be initiated through Settings → Ask a question — remember this to avoid falling victim to scams. The bot will provide instant FAQ answers, but there’s no option for “Account hacked” in its standard menu. To get help from a human, either select Skip and process to volunteers, or type your request in the chat, and press Yes, redirect me. Telegram will inform you that most volunteers communicate in Russian or English.

How to contact Telegram support and speak to a person instead of a bot

If you’ve already lost access to your Telegram account, there’s another way to contact Telegram support: fill out a form on the official website specifying the issue, your phone number, and your email.

Recover access to your Telegram account via SMS code

If more than 24 hours have passed and you no longer have access to your account on any device (because the hackers ended all your sessions), try recovering it with your phone number:

1. Open the Telegram app
2. Enter your phone number and confirm it
3. Select Tap to get a code via SMS
4. Enter the received code
5. Enter your two-step verification password, if set
6. End all other sessions

Bear in mind that you need to act quickly here: once you enter your phone number, all devices with an active session linked to this number will receive a notification in Telegram. This means the hackers will know you’re attempting to regain access.

Create a new Telegram account with the same number

If you can’t recover your account, the only way to continue using Telegram with the same phone number is to delete the old account and create a new one. However, in this case, you’ll permanently lose your chat history and administrator rights in your channels.

You can only delete your Telegram account if you have access to it, or if you’ve set up two-step verification. If you’ve at least one open session, go to Settings → Privacy and Security → Automatically delete my account if away for… → Delete Account Now.

If you don’t have access to your account but have two-step verification set up, you can delete the account as follows:

1. Open the Telegram app
2. Enter your phone number
3. Select Forgot password?
4. Select Unable to access <your email address>
5. Select Reset account

If you don’t have access to your account on any device, and two-step verification is disabled, you can’t delete the account. Warn your friends and family about the loss of access so they don’t fall for scams sent from your account.

How to protect your Telegram account from being hacked

The best thing you can do right now to protect your account is to set up two-step verification. This means a password will be required in addition to a code when logging in from a new device. This additional security factor will make hacking more difficult, give you more time to react, and allow you to delete the account in case you lose access.

Go to Settings → Privacy and Security → Two-Step Verification. Next, create a password, enter a recovery email, and confirm it by entering the code you receive.

The password should be strong and unique to make it difficult for scammers to guess. To create and store secure passwords, we recommend using Kaspersky Password Manager.

Be sure to share this guide with friends and family — especially those new to Telegram, to help them stay safe in the digital space.

Kaspersky official blog – ​Read More

Overview

Cyble has identified multiple instances of exploitation attempts, malware intrusions, financial fraud, and brute-force attacks. The data is captured in real-time via Cyble’s comprehensive network of Honeypot sensors, providing valuable insights into the nature of cyber threats.

Cyble’s latest Sensor Intelligence report from December 4th to December 10th, 2024, provides in-depth analysis on a range of vulnerabilities, including high-profile malware variants, phishing scams, and CVE (Common Vulnerabilities and Exposures) attempts.

Cyble’s Global Sensors Intelligence (CGSI) network has detected several attack vectors, many of which target critical vulnerabilities in Internet of Things (IoT) devices and widely used software platforms.

The report covers a broad spectrum of threats, including well-known Linux malware variants such as Mirai and Gafgyt, along with exploitation attempts involving the Telerik UI and Cisco ASA. Below are some key insights into the most prevalent vulnerabilities observed during the reporting period.

Case Studies on Vulnerabilities and Exploits

1. PHP CGI Argument Injection Vulnerability (CVE-2024-4577)
   A critical vulnerability in PHP configurations has been detected, enabling attackers to execute arbitrary commands through specially crafted URL parameters. This vulnerability could lead to severe system compromise if left unpatched. Organizations are urged to patch PHP configurations and restrict access to vulnerable systems to mitigate potential exploitation.
2. OSGeo GeoServer Eval Injection Vulnerability (CVE-2024-36401)
   Cyble identified a remote code execution (RCE) vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. This issue arises from the unsafe evaluation of request parameters, allowing unauthenticated users to execute arbitrary code. To mitigate the threat, the report recommends updating to the latest GeoServer versions and removing the vulnerable gt-complex library.
3. Ruby SAML Improper Signature Verification (CVE-2024-45409)
   The Ruby-SAML library, a widely used tool for implementing the client side of SAML authentication, was found to have improper cryptographic signature verification in versions 12.2 and 1.13.0 to 1.16.0. Attackers could exploit this vulnerability to forge SAML responses and gain unauthorized access to systems. Updating to Ruby-SAML versions 1.17.0 or 1.12.3 is recommended to mitigate this risk.
4. Cisco IOS XE Web UI Privilege Escalation Vulnerability (CVE-2023-20198, CVE-2023-20273)
   Cyble has reported ongoing exploitation of the web UI feature in Cisco IOS XE Software. The initial compromise occurs via the CVE-2023-20198 vulnerability, which allows attackers to gain access and escalate privileges to root. Organizations are advised to implement Cisco’s recommended patches to secure their systems.
5. Joomla Improper Access Check-in Webservice Endpoints (CVE-2023-23752)
   An improper access check vulnerability was discovered in Joomla versions 4.0.0 through 4.2.7, allowing unauthorized access to webservice endpoints. This can expose sensitive information and allow attackers to execute malicious actions. Updating Joomla to the latest version is critical for organizations using this content management system.
6. ownCloud GraphAPI Information Disclosure (CVE-2023-49103)
   A vulnerability in the ownCloud GraphAPI app can disclose sensitive system information, including environment variables, which may contain credentials and other sensitive data. To prevent data leaks, the app must be disabled or updated to the latest patched version.
7. Apache OFBiz SSRF Vulnerability (CVE-2023-50968)
   Apache OFBiz was found to have a server-side request forgery (SSRF) vulnerability that attackers could exploit to read arbitrary file properties. Upgrading to version 18.12.11 is recommended to eliminate this threat.
8. Citrix NetScaler ADC Buffer Overflow Vulnerability (CVE-2023-4966)
   Citrix NetScaler ADC and Gateway devices were found to be vulnerable to sensitive information disclosure due to a buffer overflow. This can lead to unauthorized access to internal network resources. Patch management and network monitoring are crucial to protecting against this vulnerability.

Malware and Attack Analysis

Cyble’s analysis also focuses on various malware threats observed across different regions. One notable example is the emergence of a new anti-banking Trojan called AppLite Banker. This sophisticated malware is distributed through phishing campaigns disguised as CRM applications. Once installed, it abuses Android’s Accessibility Services to overlay fake login screens on legitimate applications, tricking users into revealing their credentials.

AppLite employs advanced evasion techniques, such as manipulating APK file structures to avoid detection by static analysis tools. After installation, it can execute commands remotely, exfiltrate financial data, and even control infected devices through features like screen unlocking and interaction simulation. The malware’s global reach is further evidenced by its multilingual capabilities, making it a persistent threat to users worldwide.

CVE Attack Attempts: A Closer Look

In the past week, Cyble observed a high volume of exploit attempts targeting several CVEs. The most frequently attempted CVE was CVE-2020-11899, which saw 25,736 attack attempts. This vulnerability affects the Treck TCP/IP stack and can lead to an IPv6 out-of-bounds read. Other notable CVEs include CVE-2019-0708, a remote code execution flaw in Remote Desktop Services, and CVE-2021-44228, the infamous Log4j vulnerability, which continues to be a major vector for attacks.

Cyble’s extensive network of sensors detected these attacks and provided critical data to help organizations understand and defend against these vulnerabilities. As CVE-2020-11899 continues to be a primary target for cybercriminals, organizations are urged to patch vulnerable systems to prevent potential breaches.

Recommendations and Mitigations

To mitigate the risks highlighted in this report, Cyble recommends the following actions:

1. Regularly update software and hardware systems to patch known vulnerabilities. This includes applying updates for CVEs and software-specific flaws identified in the report.
2. Use threat intelligence feeds to block IP addresses associated with known attackers and malware distribution.
3. Enforce the use of strong passwords and implement multi-factor authentication (MFA) to reduce the risk of brute-force and credential-stuffing attacks.
4. Continuously monitor for Indicators of Compromise (IoCs), such as suspicious IP addresses, URLs, and file hashes, to detect potential attacks early.
5. Regularly audit systems, networks, and devices for vulnerabilities and misconfigurations that attackers could exploit.

Conclusion

The findings in Cyble’s Sensor Intelligence report highlight the growing sophistication and persistence of cyber threats. Through its AI-powered intelligence, Cyble provides essential insights that help organizations protect their digital assets.

With AI-powered platforms like Cyble Vision and Cyble Hawk, businesses can access real-time threat intelligence, monitor vulnerabilities, and receive automated remediation advice. Cyble’s solutions empower enterprises, governments, and individuals to stay protected from cybercriminals at all times.

The post Cyble’s Latest Sensor Intelligence Report Reveals Surge in Malware, Phishing, and IoT Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

The new head of the UK’s National Cyber Security Centre, Richard Horne, recently remarked that there is a “clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in place to protect us.”

To those of us working in cyber security, the threat is evident. We spend our lives following the actions of threat actors and analysing their new attacks. Our thoughts and actions are rooted in how the threat landscape is evolving. Unfortunately, this is not necessarily the case for those who decide budget allocations.

Nobody wants to suffer a breach, but often security teams are frustrated by competing budget items and the difficulties of explaining complex mitigations to people who may have different priorities and interests.

If keeping informed is one half of the solution to closing the gap, the other is in recognising that we are all human. We’re all trying to do the best that we can with the information that we have available to us. What may be perceived as irrational behaviour to one observer, may be the most obvious course of action to another with a different point of view.

Constantly explaining how threat actors are changing and how attacks are evolving is vital to ensure that organisations can maintain a good security posture. Talking about cyber security to different audiences, using the language and metaphors with which they are familiar are all part of the solution in defeating cyber attacks.

If we are to move to a world free from cyber insecurity we must close the gap between threat and defense. This will take communication and understanding, both to communicate the threat, but also to understand the constraints that decision makers work under. Yet, we also need to express and recognise the effort and sometimes heroic acts of effort that cyber security teams undertake to keep businesses running and free from breaches.

This is all the more true during the holiday period, when many engineers and analysts are monitoring systems or on-call, keeping the systems running and the lights on, so that others can enjoy the festivities. If this is you, then know that we’re thinking of you.

The one big thing 

Hiding the origin and destination of network traffic is vital for the bad guys to cover their tracks and obfuscate their actions. A malicious connection that originates from the same IP space as legitimate employees’ connections is less likely to catch the attention of security teams than one from a distant country. Similarly, exfiltrating data in small chunks to many in-country residential IP addresses is less likely to raise alarms than exfiltrating to a single address.

Cybercriminals are increasingly compromising consumer and IoT devices to build vast networks of proxy systems, enabling them to mask their activities and route malicious traffic through a global pool of hijacked IP addresses.

Why do I care?

Routing malicious traffic through otherwise unsuspicious networks makes identification and attribution of attacks difficult. Owners and operators of compromised systems recruited to act as proxies suffer from reduced performance and the theft of network and CPU resources from their systems.

So now what?

Firstly, ensure that patches are applied, and default or easy to guess credentials are changed to avoid becoming part of the problem. Apply zero-trust principles to authenticate users via MFA in the context of the time and date of the access; importantly verify that the connecting device confirms to policy and is authorised to connect to corporate systems. For full details on how to respond to this threat see the blog post.

Top security headlines of the week 

Presidential Elections in Romania hit by Cyber Campaign

The first round of the presidential election in Romania has been annulled by the country’s constitutional court following claims of a foreign influence campaign to sway the vote, and cyber-attacks targeting electoral data.

(BBC News 1 & 2)

Secure Criminal Chat System “Matrix” Disrupted by Law Enforcement

The Matrix secure communication systems which offered encrypted messaging for criminals has been taken down by law enforcement authorities with millions of messages secured for investigation. This take down follows similar success against other criminal messaging systems such as EncroChat, Sky ECC and Ghost.

(The Register)

Wanted Russian Suspected Ransomware Actor Arrested

Authorities in Russia have arrested Mikhail Matveev, an individual wanted in the US in connection with alleged participation in LockBit, Hive and Babuk ransomware attacks. The broader significance of this arrest in Russia is unclear, although it does indicate that tolerance of the actions cyber criminals located within Russia does have limits.

(SecurityWeek)

Can’t get enough Talos? 

Upcoming events where you can find Talos

Cisco Live EMEA (February 9-14, 2025)

Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week  

SHA256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Win.Worm.Bitmin-9847045-0

SHA256:3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

MD5: b6bc3353a164b35f5b815fc1c429eaab

VirusTotal:

https://www.virustotal.com/gui/file/3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

Typical Filename: b6bc3353a164b35f5b815fc1c429eaab.msi

Claimed Product: n/a 

Detection Name: Simple_Custom_Detection

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

MD5: 71fea034b422e4a17ebb06022532fdde

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

Typical Filename: VID001.exe

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA256:a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Typical Filename: img001.exe

Claimed Product: n/a 

Detection Name: Win.Trojan.Miner-9835871-0

SHA256:3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Cisco Talos Blog – ​Read More

As cybersecurity threats grow more sophisticated, collaboration becomes a cornerstone of effective defense strategies. This is where MISP, an open-source threat intelligence sharing platform, comes into play.  

Recognizing its value, we are excited to announce the launch of our own MISP instance, enabling users to access and use indicators of compromise (IOCs) from ANY.RUN’s Threat Intelligence Feeds. 

What is MISP? 

MISP, which stands for Malware Information Sharing Platform, is a free, open-source platform designed to facilitate the exchange, storage, and correlation of threat intelligence data. MISP lets organizations and researchers: 

• Exchange critical data points to identify cyber threats. 
• Share signals or attributes indicating the compromise of information systems. 
• Automate the process of data sharing and find correlations between threat data. 

Benefits of ANY.RUN’s MISP Instance 

With ANY.RUN’s MISP instance, you can: 

1. Access ANY.RUN’s TI Feeds 

Receive a direct stream of the latest malicious IPs, URLs, domains, ports, file names, and hashes. These are extracted from public malware and phishing samples, including ones not found elsewhere, submitted and analyzed in ANY.RUN’s Interactive Sandbox by security professionals worldwide. IOCs are pulled from different sources, including network activities and malware configurations. 

2. Integrate It with Your Security Tools via API 

Connect your own monitoring and triage tools and systems, such as SIEM/XDR solutions, to ANY.RUN’s MISP instance via API. 

3. Improve Threat Detection  

Correlate and enrich your IOCs with ANY.RUN’s to develop a more comprehensive understanding of the threat landscape. 

4. Generate IDS Rules 

Export indicators (attributes) from ANY.RUN’s MISP instance in NIDS-compatible formats and import them in your detection tools like IDS/IPS or NGFW to improve network security of your organization and ensure proactive defense against current threats. 

5. Create Custom Workflows 

Leverage ANY.RUN’s indicators in your automated threat analysis workflows. 

6. Synchronize MISP Instances 

Synchronize your MISP instance with ANY.RUN’s to get relevant threat data. 

7. Visualize Threat Intelligence Data

Ensure a more convenient view of relevant threats by visualizing ANY.RUN’s TI Feeds data. 

8. Enrich with Your Threat Data 

Add your IOCs to the ones provided by ANY.RUN to gain a better picture of the threats at hand.

How to Integrate with ANY.RUN’s MISP Instance 

To get started with ANY.RUN’s MISP instance, simply contact our team via this page. 

You can test MISP feeds by getting a free demo sample here. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

The post Access and Use ANY.RUN’s TI Feeds via MISP appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More