Welcome to the final Threat Source newsletter of 2024.
Watching “Die Hard” during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn’t everyone’s cup of tea. Whether you like the movie or not, let me share a story about what didn’t quite go as planned in my family last year.
When some celebrities had their social media accounts compromised, I saw it as the perfect opportunity to introduce my family to the world of multi-factor authentication (MFA) for their online accounts. Our home IT setup is diverse— With Linux, Macs, Windows; Androids, iOS, we needed something cross-platform. Also, we needed a user-friendly solution as we have both standard users and IT experts (never underestimate your users). From my professional standpoint, I decided to go “all in” with hardware tokens – they work cross platform and “survive” one or the other OS installs from scratch. Providing two for each person was mandatory in case one got lost, which had happened to me already. So it wasn’t a cheap exercise. In my defense, this was before the side-channel attack EUCLEAK was discovered, which has since expanded to affect more products as noted in the first release.
In the spirit of John McClane : “Now I know what a TV dinner feels like.”
The kids found the gift “boring” and almost a year later, the adoption rate is still only 30%. Fortunately, my wife had the foresight to prepare real presents for the family, saving Christmas Eve from being a “bad guys win” scenario. (Only John Thor can drive somebody that crazy.)
I share this anecdote not to discourage you, but to help you avoid making the same mistake and risking your celebrations. Unless everyone gathered around the Christmas tree is an infosec professional, it might not be the time to go “Yippee-ki-yay Mr Falcon” with tech gifts.
However, spending time with loved ones is a great opportunity to discuss the trends and importance of cybersecurity. We’ve been highlighting compromised credentials for a long time, as seen in our previous posts [here], [here], [here] and [here]. For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, making it clear identity-based attacks are becoming more prevalent, and wont be gone anytime soon.
Advocate for the use of a password managers—there are paid versions with family plans on one end, and excellent open-source alternatives on the other. Avoid storing credentials in browsers, as they can be extracted by info-stealers. Consider using passkeys where possible. According to the fido alliance, more than 20% of the world’s top 100 websites support passkeys already. If passkeys are not yet enabled for one of your services? Any MFA is better than none. Even using “just” TOTP in a software container is a significant improvement over just a password.
But it’s not just about enabling MFA. As Martin wrote last week, we need to close the gap by communicating and understanding the the threat landscape. When it comes to stolen credentials, share resources like https://haveibeenpwned.com/ or https://sec.hpi.de/ilc/?lang=en with your loved ones so they can check if their email has been part of a breach.
If you decide not to bother your friends & famliy (though I strongly believe Mbappe, Sweeny and Odenkirk would have preferred a more secure account) with Account/Password Hygiene, there are some more work related recommendations in Hazel’s “How are attackers trying to bypass MFA”
Whichever is your idea of Christmas, then, like Argyle said, “I gotta be here for New Year’s!”
We look forward to seeing you in 2025!
The one big thing
At the time of writing, our Vulnerability Research Team Disclosed 207 Vulnerabilities, and had another 93 reported to the respective Vendor in 2024. Di you know Talos has a team which investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do? Every day, they try to find vulnerabilities that have not yet been discovered, and then work to provide a fix for those before a zero-day threat could ever be executed.
Why do I care?
We see threat actors exploiting known vulnerabilities constantly. Sometimes those CVEs are Years old.
So now what?
Maybe you want to check for some CVEs or conduct a network security assessments. You can our team’s reports,roundups,spotlights and deep dives on our blog.
Germany’s Federal Office for Information Security (BSI) says it blocked communication between appr. 30.000 Android IoT Devices which were sold with BadBox malware preinstalled, and their command and control (C2) infrastructure by sinkholing DNS queries (Bleeping Computer)
Law enforcement agencies worldwide disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks. Booter and stresser websites were taken down, administrators were arrested and over 300 users were identified for planned operational activities. (Europool)
The Willow chip is not capable of breaking modern cryptography,” Google’s director of quantum tells The Verge.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-19 19:06:412024-12-19 19:06:41Welcome to the party, pal!
Europe embarks on a new chapter in cybersecurity with the entry into force of the Cyber Resilience Act (CRA). This marks the first-ever EU legislation addressing cybersecurity across a broad range of digital products. The CRA will have far-reaching implications for everything from simple connected devices like baby monitors and smartwatches to more complex systems supporting critical infrastructure.
With mandatory cybersecurity requirements imposed on manufacturers and retailers, the Act promises to make Europe’s digital space safer, fostering resilience against cyber threats. The Cyber Resilience Act introduces harmonized rules for products containing digital elements, aiming to ensure high levels of cybersecurity standards throughout their entire lifecycle.
This means manufacturers and retailers must meet strict cybersecurity standards at every stage of the product’s journey—from design and production to maintenance and eventual disposal. The goal is to enhance transparency, reduce vulnerabilities, and strengthen overall security for products connected to or interacting with other networks and devices.
The CRA’s requirements apply to all products with digital components, with a few exclusions such as medical devices and aviation equipment. By December 2027, any product sold in the EU containing digital elements will need to meet these cybersecurity standards and bear the CE marking, signifying compliance. The CE marking is a symbol that indicates a product meets EU safety and regulatory standards, and for the first time, it will also assure consumers that the product adheres to stringent cybersecurity measures.
The Cyber Resilience Act (CRA) Will Impact All Economic Operators
The CRA targets all economic operators placing products with digital components on the European market, meaning it applies to manufacturers, importers, and retailers. Some of the key factors of the act are:
Additional Guidance for SMEs: Microenterprises and small businesses (SMEs) will receive extra guidance to help them comply with the Cyber Resilience Act (CRA) requirements.
Flexibility for Member States: While the CRA sets minimum cybersecurity standards, Member States have the flexibility to enforce stricter regulations where necessary.
Third-Party Assessments for High-Risk Products: Certain high-risk products, such as firewalls, intrusion detection systems, and cybersecurity tools, will undergo mandatory third-party assessments to ensure compliance with security standards, especially if they are critical to infrastructure or essential services.
Open-Source Software Exemption: Open-source software is not subject to the same strict CRA requirements as commercial products. It is only regulated under the CRA when supplied for commercial use.
Exemption for Non-Commercial Open-Source Software: Software developed by nonprofits or small businesses for non-commercial use is exempt from CRA requirements.
Requirements for Commercial Open-Source Software: Open-source software developed for commercial purposes must adhere to cybersecurity best practices under the CRA. However, it is not required to have a CE marking.
Cybersecurity Standards for Open-Source in Commercial Products: Manufacturers incorporating open-source software into their products must ensure these components meet cybersecurity standards, including regular updates and vulnerability management.
Strengthening Cybersecurity for Critical Infrastructure
The Cyber Resilience Act plays a crucial role in protecting Europe’s critical infrastructure. Digital products used by these services must meet established cybersecurity standards to avoid potential disruption from cyberattacks.
Security of Critical Infrastructure: The CRA ensures that products integrated into critical infrastructure, such as power grids and transportation systems, are secure by default.
Complementing Existing Regulations: The CRA complements existing regulations like the EU Cybersecurity Strategy and the NIS2 Directive, creating a unified framework for resilience across various sectors.
Sector-Specific Requirements: Some sectors have additional or specific requirements, with existing EU rules on medical devices and vehicles remaining unaffected by the CRA.
Consistency in Radio Equipment Regulations: The cybersecurity of radio equipment will continue to be governed by pre-existing regulations, ensuring consistency within the EU’s legislative framework.
Focus on Security Updates and Vulnerability Management: Manufacturers must provide security updates for their products throughout their lifespan, addressing vulnerabilities as they arise.
Support Periods for Products: The CRA mandates at least five years of security updates for most products, with longer support periods required for products with longer lifespans, such as industrial systems or hardware.
Vulnerability Reporting and Fixes: If a vulnerability is discovered, manufacturers must promptly inform users and fix the issue.
Incident Reporting Requirements: If a product’s security is compromised, manufacturers must notify relevant authorities and affected users, including mandatory reporting to cybersecurity agencies like ENISA.
Ensuring Transparency and Market Compliance
Transparency is a critical element of the Cyber Resilience Act. The Act mandates that products with digital components must be assessed for conformity, with a special focus on those deemed to be higher risk.
Lifecycle Cybersecurity Assessments: Assessments will verify that products meet cybersecurity requirements throughout their lifecycle, ensuring manufacturers handle vulnerabilities responsibly and products are secure by default.
Market Surveillance and Compliance: The CRA provides a framework for market surveillance authorities to ensure that products meet cybersecurity standards. If a product poses significant cybersecurity risks or fails to comply with regulations, authorities can enforce corrective actions, including recalls or withdrawals.
CE Marking as Compliance Indicator: The CE marking will serve as the primary indicator of a product’s compliance with cybersecurity standards, helping consumers make informed purchasing decisions.
Harmonized Standards for Compliance: The CRA encourages the development of harmonized standards to simplify the conformity assessment process. Products meeting these standards will be presumed compliant, streamlining market entry and ensuring consistent security levels across the EU.
Cybersecurity Certifications: The EU Cybersecurity Certification Scheme (EUCC) will be an essential tool for manufacturers to demonstrate compliance with cybersecurity requirements for products sold within the EU.
Role of the European Commission: The Commission will adopt these cybersecurity standards and provide additional technical specifications as needed to support compliance.
Cybersecurity and the Digital Single Market
The CRA plays a pivotal role in the EU’s Digital Single Market, which aims to ensure the free flow of digital products and services while maintaining high standards of safety and security. By introducing the CE marking for compliant products, the CRA provides a unified approach that prevents the fragmentation of the digital market. Consumers will have confidence that the digital products they purchase are secure, reducing risks associated with cyberattacks and ensuring the integrity of Europe’s digital economy.
In this context, market surveillance authorities will work together to monitor compliance across Member States, while entities like ENISA and CSIRTs (Computer Security Incident Response Teams) will ensure that cybersecurity incidents and vulnerabilities are effectively reported and managed.
As the Cyber Resilience Act transitions into full effect by December 2027, Member States will provide support for small businesses and microenterprises to help them comply with the new cybersecurity requirements. This support could include regulatory sandboxes, training programs, and guidance to reduce the burden of compliance for smaller players in the market.
Additionally, financial aid may be made available to help reduce the costs of third-party conformity assessments, making it easier for smaller manufacturers to meet the high standards of the CRA.
Penalties for Non-Compliance
The Cyber Resilience Act (CRA) enforces penalties for non-compliance, emphasizing the importance of adhering to cybersecurity requirements within the European Union.
Penalties for Non-Compliance: Companies failing to meet the CRA’s obligations may face significant fines. Serious violations could result in fines of up to €15 million or 2.5% of the company’s worldwide annual turnover from the previous financial year, whichever is higher. For other breaches, fines could reach €10 million or 2% of annual turnover.
Fines for Misleading Information: Providing incorrect, incomplete, or misleading information to market surveillance authorities or notified bodies may incur fines of up to €5 million or 1% of the company’s worldwide turnover.
Penalty Structure: The penalties are designed to be effective, proportionate, and dissuasive, ensuring strong deterrents against non-compliance. Market surveillance authorities are responsible for enforcing these penalties and can take actions such as requiring corrective measures, restricting non-compliant products, or removing them from the market.
Role of Member States: Each Member State must establish rules for penalties and enforce them effectively, sharing information with other EU countries as necessary.
Factors in Determining Fines: Authorities will consider factors like the nature and severity of the infringement, its consequences, and the company’s size and market share when determining fines.
Combination of Fines and Corrective Actions: Administrative fines may be combined with other corrective measures to ensure that companies comply with cybersecurity standards and protect the digital ecosystem.
How Cyble, the award winning Cybersecurity firm, help you achieve compliance?
The Cyber Resilience Act (CRA) marks an important milestone in enhancing cybersecurity across Europe, solidifying the EU’s position as a prominent player in the global effort to secure cyberspace. With mandatory requirements for digital products, a focus on transparency in vulnerability management, and a framework for market surveillance, the CRA ensures the safety and security of Europe’s interconnected digital ecosystem.
To better understand the complexities of compliance and upgrade your cybersecurity efforts, Cyble, a leading provider of threat intelligence solutions, offers powerful tools to help organizations be compliance-ready. Cyble’s flagship platform, Cyble Vision, utilizes AI, machine learning, and human intelligence to monitor and manage digital risks effectively. With features like continuous deep and dark web monitoring, attack surface management, and real-time alerts, Cyble empowers businesses to identify vulnerabilities, mitigate threats, and maintain compliance with the CRA’s stringent requirements.
By integrating Cyble’s solutions, organizations can ensure secure products, manage vulnerabilities, and provide timely updates, helping them meet the rigorous cybersecurity standards set by the CRA. Cyble’s proactive threat intelligence capabilities and real-time insights enable businesses to protect their digital assets, comply with regulatory obligations, reduce cyberattack risks, and enhance overall resilience in the digital environment.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-19 13:06:362024-12-19 13:06:36Europe’s Cyber Resilience Act: A New Era of Cybersecurity for Digital Products
As cyber threats continue to evolve, threat actors are refining their techniques and focusing on industries that hold valuable information or play critical roles in society. From ransomware attacks paralyzing operations to data breaches compromising millions of individuals, no sector is immune to cyberattacks. Drawing from recent reports and insights, this blog explores the top 10 industries targeted by cybercriminals in 2024 and the measures they can adopt to bolster their defenses.
1.Government and Public Sector: Custodians of National Security
Government agencies and public sector entities face constant threats, often from nation-state actors seeking strategic advantages or hacktivists with ideological motivations. The sheer volume of citizen data and critical infrastructure managed by these organizations makes them prime targets.
Major Threats:
Espionage: Stealing sensitive data for strategic or financial advantage.
DDoS Attacks: Overwhelming systems to disrupt public services.
Mitigation Strategies:
Government entities need to prioritize inter-agency collaboration and establish centralized cybersecurity frameworks. Investments in AI-based threat intelligence platforms and public-private partnerships can also bolster resilience against sophisticated attacks.
2. Energy and Utilities: The Backbone of Critical Infrastructure
The energy and utilities sector plays a pivotal role in national economies and security. This makes it a frequent target for both cybercriminals and nation-state actors, with attacks often aiming to disrupt critical infrastructure.
Major Threats:
ICS Attacks: Compromise of control systems can lead to widespread outages.
Supply Chain Attacks: Threat actors exploit vulnerabilities in third-party vendors to infiltrate systems.
Mitigation Strategies:
To protect against these threats, the sector must prioritize ICS cybersecurity by segmenting operational networks from IT networks. Enhanced supply chain scrutiny, robust third-party risk management to monitor vendor vulnerabilities, and partnerships with government cybersecurity agencies can further strengthen defenses against advanced threats.
3. Healthcare: Where Lives and Data Intersect
The healthcare industry is one of the fastest-growing targets for cybercriminals, with a staggering 180% increase in ransomware and database leak incidents compared to 2023. Patient safety, critical care, and sensitive medical data make this sector highly lucrative for attackers.
Major Threats:
Ransomware: Delays in accessing medical records can have life-threatening consequences.
Database Leaks: Leaked patient records often lead to identity theft and insurance fraud.
Mitigation Strategies:
Healthcare organizations must adopt a layered security approach, including data encryption, multi-factor authentication, and comprehensive employee training programs to detect phishing attempts. Regular cybersecurity drills and incident response planning are also essential.
4. Manufacturing: The Cornerstone of Global Supply Chains
The manufacturing sector leads the list, experiencing an alarming 377 confirmed attacks in the first half of 2024 alone. Manufacturing remains vital to the global economy, and its reliance on interconnected systems, including Industrial Control Systems (ICS), exposes it to significant risks.
Major Threats:
Ransomware: By locking critical systems and demanding high ransoms, ransomware attacks in manufacturing can lead to halted production lines, financial losses, and delayed supply chains.
Database Leaks: Intellectual property, design data, and supply chain information have been prime targets for data exfiltration.
Mitigation Strategies:
To mitigate these threats, manufacturers should prioritize securing Industrial Control Systems (ICS) by isolating critical systems, conducting regular vulnerability assessments, and adopting robust endpoint protection solutions. Additionally, incorporating advanced network monitoring tools like Cyble Vision can help detect anomalies before they escalate into breaches.
5. Financial Services: A Prime Target for Monetary Gain
The financial services sector consistently ranks among the most targeted industries due to its access to funds and sensitive customer data. In 2024, cybercriminals have adopted sophisticated tactics, leveraging advanced persistent threats (APTs) and exploiting insider vulnerabilities.
Major Threats:
Ransomware: Demands for multimillion-dollar payments are becoming routine.
Cryptocurrency Exploits: Attackers target blockchain systems and exchanges to siphon off digital assets.
Phishing and Social Engineering: Deceptive tactics to gain unauthorized access to accounts.
Mitigation Strategies:
To combat these threats, financial institutions must deploy state-of-the-art AI-driven Threat Intelligence tools. These tools can identify anomalous patterns indicative of fraud or cyberattacks. Additionally, implementing strict access controls and conducting regular security audits are crucial for minimizing risk.
6. Professional Services: Custodians of Confidential Data
Professional service firms, including law, accounting, and consulting firms, have witnessed a 15% uptick in cyberattacks compared to 2023. These organizations store highly sensitive client data, making them attractive to threat actors.
Major Threats:
Ransomware: Disruption in service delivery can damage client relationships.
Database Leaks: Exposed data can lead to legal liabilities and reputational damage.
Mitigation Strategies:
Firms should enforce strict data access controls and encrypt all client information. Regular penetration testing and vulnerability scans can help identify weaknesses before attackers exploit them. Moreover, adopting secure communication platforms can safeguard sensitive exchanges.
7. Technology: Guardians of Innovation
Technology companies, encompassing software developers, IT services, and hardware manufacturers, remain high-value targets. Although a slight decline in attacks was noted in 2024, this sector is still vulnerable due to the sensitivity of its intellectual property.
Major Threats:
Data Breaches: Proprietary technology, source codes, and user data are often exfiltrated.
Incorporating advanced AI-driven cybersecurity solutions can detect and neutralize threats in real-time. Technology firms should also implement bug bounty programs to uncover vulnerabilities before malicious actors exploit them.
8. Retail and E-commerce: A Treasure Trove of Consumer Data
Retailers and e-commerce platforms process massive volumes of personal and payment information, making them a lucrative target for threat actors. In 2024, both online and physical operations have faced increased attacks.
Major Threats:
POS Malware: Point-of-sale systems are compromised to steal cardholder data.
Credential Stuffing: Attackers exploit reused passwords to breach user accounts.
Mitigation Strategies:
Retail businesses must adopt end-to-end encryption for payment data, deploy multi-factor authentication for account access, and regularly monitor systems for unusual activity. Cybersecurity awareness campaigns targeting both employees and customers can further reduce risks.
9. Education: Hubs of Knowledge and Innovation
Educational institutions, particularly universities, are increasingly targeted for their intellectual property, personal data, and operational vulnerabilities. Attackers often aim to disrupt operations or monetize stolen data on the dark web.
Major Threats:
Dark Web Exploitation: Selling stolen academic research and personal data.
DDoS Attacks: Crippling online learning platforms and administrative systems.
Mitigation Strategies:
Educational institutions must implement robust cybersecurity frameworks, including identity management systems and regular security awareness training. Strong network segmentation and frequent system updates can also help reduce exposure to cyber threats.
10. Small Businesses: The Underdogs in Cybersecurity
Small and medium-sized businesses (SMBs) are often perceived as easy targets due to their limited cybersecurity budgets and expertise. Despite their size, the impact of a breach on SMBs can be devastating.
Major Threats:
Phishing: Cybercriminals manipulate employees to gain access to sensitive data.
Ransomware: Locking systems and demanding ransoms can cripple operations.
Mitigation Strategies:
SMBs should focus on implementing basic yet effective cybersecurity measures, such as routine software updates, secure data backup solutions, and employee training programs to recognize phishing attempts. Outsourcing cybersecurity to managed service providers (MSPs) can also offer cost-effective protection.
Emerging Trends in Cybersecurity Attacks Across Industries
While the above industries remain top targets, certain emerging trends in cyberattacks warrant attention across sectors:
AI-Driven Threats: Threat actors are using AI to automate attacks and evade traditional security measures.
Deepfake and Impersonation Scams: These new-age tactics are used to manipulate trust and extract sensitive information.
Key Takeaways for 2024
Ransomware Dominates: Nearly every industry has faced ransomware attacks, underscoring the need for robust backup and recovery strategies.
Employee Awareness is Crucial: Phishing and social engineering remain the primary methods of attack. Training employees to recognize these threats can significantly reduce risks.
AI-Powered Defense is Essential: As attackers become more sophisticated, industries must leverage AI and machine learning to stay ahead.
Conclusion
The evolving cyber threat landscape in 2024 underscores the importance of vigilance, innovation, and collaboration in cybersecurity. Whether it is the manufacturing sector grappling with ICS vulnerabilities or small businesses struggling with limited resources, all industries must adopt a proactive stance. By prioritizing security investments, fostering a culture of awareness, and leveraging cutting-edge technologies, organizations can safeguard their operations, customers, and reputations in an increasingly connected world.
The road ahead demands resilience, adaptability, and a unified effort against cyber adversaries. Let 2025 be a year of strengthened defenses and collective action to combat the relentless tide of cyber threats.
With just a few days left before Christmas, overwhelmed shipping services might fail to deliver your gifts on time. Of course, you could always get a last-minute digital gift-card or subscription — but the fact is that everyone who might be interested in a Netflix or Spotify account probably already has one. And Telegram Premium? That’s a little awkward just now.
But there is a solution! Why not give the gift of an increased level of daily security this festive season? (A dull idea? Beats socks, surely?!) Many people know they should protect their data and online activity, but don’t have the time or energy to do so. A service that ensures their privacy is therefore not only an unusual gift, but a genuinely helpful one too.
Privacy services are generally paid for — with a few rare exceptions. After all, maintaining servers to store data and developing hack-resistant software comes with a cost. Without subscription fees, these services would have to sell user data to advertisers — just like Google and Meta do — which would defeat the point. So a year-long subscription to a privacy-enhancing service has financial value as well.
With our recommended services, your giftee can replace unsafe office applications, note-taking services, and messengers with privacy-focused alternatives that don’t misuse stored information.
But before making a purchase, keep in mind two key points:
First, services designed for communication or collaboration, such as encrypted messengers, are useless to gift to a single person. Who will you message if none of your friends use the app? It’s probably better to gift such a service to an entire group.
Second, privacy tools may offer less convenience and functionality compared to popular alternatives that prioritize less on security. Whether this compromise proves critical will depend on the recipient’s needs and habits.
With these provisos duly noted, let’s explore some high-quality privacy-oriented alternatives to popular services that would make great gifts this Christmas or New Year.
Office applications
Personal diaries, research-paper drafts, and financial calculations are becoming harder to protect from prying eyes. Services like Google Docs have always been completely online — sparking both concerns about leaks, and debates over how Google processes stored data. Microsoft has been trying to catch up in recent years, including with a host of questionable features even in its offline Office suite such as auto-saving to OneDrive, optional “connected experiences”, and LinkedIn integrations. Storing data in the cloud isn’t necessarily problematic in itself, but there are concerns that documents can be used for ad targeting, AI training, or other unrelated purposes.
Is it possible to combine collaborative document editing and cloud storage without these concerns? As it turns out, yes. A less feature-rich, yet convenient and private alternative to Google Docs and Office365 is the CryptPad service. You can work together on documents, slides, spreadsheets, and whiteboards, while storing all data on servers with end-to-end encryption.
If you want (and have the needed tech-wherewithal), you can set up a CryptPad server independently. However, there’s no need for ordinary users to do so. The developers themselves maintain the cryptpad.fr server, offering paid plans for increased storage and other benefits. Plans are available for €5, €10, and €15 per month, with discounts for annual payments. You can explore other public CryptPad servers here.
VPN
Although we’ve written repeatedly about the benefits of using a VPN, let’s remember once again that a VPN is not a standalone privacy tool. However, when used correctly alongside other tools, a VPN can indeed help enhance privacy. For example, it can protect against surveillance by your internet provider or Wi-Fi hotspot owner, and secures your data from hackers sitting at the next table in a cafe. There are thousands of VPN services to choose from, with people using them for a variety of practical ends. But free VPNs always come with a question: how do they remain free? After all, maintaining a VPN service has its costs. Alas, the adage “if you’re not paying for the product, you are the product” applies here too.
That’s why we recommend using a trusted, paid VPN instead of just some random one from the internet. Choose a paid-only service from a company with proven expertise in cybersecurity. For example, a fast and unlimited VPN like can be purchased either can be purchased either independently, or as part of the Kaspersky Plus or Kaspersky Premium subscriptions.
Messengers
While popular messengers like WhatsApp and Signal already provide end-to-end encryption, there’s still room for improvement when it comes to privacy. Both apps require a phone number for registration, and WhatsApp, as part of the Meta empire, collects metadata about users’ social connections.
The Threema messenger is free of these issues. Threema allows registration with a random ID and doesn’t require a phone number. It also enables users to manage the trust level of their contacts. For example, you can verify encryption keys by physically being near your conversation partner. While similar verification features exist in Signal and WhatsApp, they’re buried deep in menus. Threema, on the other hand, shows the trust level right next to the contact’s name.
The app is paid, but affordable — €6 for lifetime usage.
Note-taking apps
There are tons of note apps out there — and every smartphone comes with its own — but data synchronization between devices often lacks robust encryption. We compared several private note apps in a separate article, so here we’ll just remind you that one of the best options for securely storing notes is Obsidian, a very powerful app with rich functionality. Obsidian itself is free, but its encrypted note synchronization service, Obsidian Sync, costs around $48 per year.
Browsers and email
You’ll be hard pressed to find a gift subscription to a private browser or email service, as browsers are generally free — even private ones. Meanwhile, the privacy of a specific email service doesn’t mean much when emails are still sent via standardized, open communication channels to recipients who don’t use private services.
However, your everyday online activities can be made significantly more private by using Kaspersky Premium. This is the most advanced version of our comprehensive home user protection, with maximum privacy protection functionality. Thanks to Private Browsing and Webcam and Mic Control, Kaspersky Premium minimizes your digital footprint on the internet, and prevents more dangerous threats like spyware and phishing. The Safe Money feature protects your finances when shopping/paying online, while Identity Theft Check notifies you of any data leaks and advises on how to address them.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-19 11:06:352024-12-19 11:06:35The best privacy services as a gift | Kaspersky official blog
This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. Some of this research was presented at the AVAR conference in Chennai at the beginning of December 2024.
During our research into vulnerable Windows drivers, we investigated classes of vulnerabilities typically exploited by threat actors as well as the payloads they typically deploy post-exploitation. The attacks in which attackers are deliberately installing known vulnerable drivers only to later exploit them is a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).
How are threat actors using BYOVD?
The malicious actors use these drivers to perform a myriad of actions that help them achieve their goals. In our research, we identified three major payloads used, which we describe below. Along with these payloads, we also identified recent activity linked to ransomware groups, which demonstrates real-world cases of malicious actors exploiting vulnerable Windows drivers to achieve their objectives.
Vulnerable drivers and common payloads
Local escalation of privileges (admin to kernel/system)
One of the most common payloads, when we consider vulnerable drivers with arbitrary kernel memory write vulnerabilities, is escalating the privileges of a malicious process. The access privileges for any process are stored in the primary access token structure, which is contained at an undocumented offset in the _EPROCESS structure, the kernel mode structure used to maintain information about each individual process by the Windows kernel. Vergilius Project contains the documentation and offsets of almost all undocumented Windows structures, including _EPROCESS, and can be used as a reference, equally by offensive researchers and defenders.
A common strategy for escalating privileges of an unprivileged process is to find the _EPROCESS structure of a higher privileged process in kernel memory and replace the access token of the unprivileged process with the access token of the privileged process, which is relatively simple if a vulnerable drivers can be used for reading and writing kernel memory space.
_EPROCESS structure contains Windows Process Primary access token (credit: Windows Internals 7th edition)
For example, a privilege escalation may be done by following the steps below:
Find one _EPROCESS structure/object
For example, load ntoskernel.exe in user mode and calculate RVA to PsInitialSystemProcess, which points to the System process (id: 0x04) _EPROCESS structure when ntoskernel.exe is loaded in memory during the boot process.
Use NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS) 11, ModuleInfo, 1024 * 1024, NULL))) // 11 = SystemModuleInformation to find ntoskernel VA – use the vuln driver to read the offset, add the RVA to find the _EPROCESS structure in kernel memory.
Read the token from the known offset using the vulnerable driver read or memory copy functionality.
Parse _EPROCESS to find the ActiveProcess links member that points to a linked list of other _EPROCESSES and iterate until the low privilege process is found.
Overwrite the unprivileged process access token with the one previously saved from the SYSTEM process, using a vulnerable driver kernel memory write functionality.
Loading of unsigned kernel code
Arbitrary kernel memory write vulnerabilities in drivers can be used to deploy unsigned malicious code into the kernel memory space, either in the shellcode format or a format of the unsigned malicious driver. There are several open-source unsigned device drivers loading utilities. In one instance, Lenovo Mapper was used as a base to develop a game cheat utility “sexy_girl_addy.exe”, which was uploaded to VirusTotal in May 2024. The utility used the code in Lenovo Mapper to load a driver which seems to attempt to disable the TPM-based license check in the game Valorant.
Lenovo Mapper code is used to deploy an unsigned cheat driver using the previously mentioned arbitrary memory write vulnerability CVE-2022-3699TPM driver functionality was disabled to prevent Valorant license check by the cheat
Bypass EDR software or game anti cheat software
To showcase an example of malware exploiting vulnerable drivers to terminate EDR tools, we chose a Gh0stRAT campaign from September 2024. The dropper drops an executable “nthandlecallback.exe”, a vulnerable Dell binary utilities driver “dbutil_2_3.sys”, and a ZIP file with the name “tree.exe”. The ZIP contains an executable file “EDR.exe”, a DLL file “irrlicht.dll” and an encrypted file “server.log”. “EDR.exe” is a variant of the open-source tool RealBlindingEDR used to disable EDR programs by exploiting arbitrary memory write vulnerability in Dell’s binary utility driver while the first executable loads the DLL, which decrypts the final Gh0stRAT payload from the encrypted file.
In September 2024, a Gh0stRAT campaign used RealBlindingEDR to disable EDR drivers
RealBlindingEDR is just one of many open-source tools developed for the purpose of disabling endpoint security software, and they are used by both threat actors and in red team-based exercises.
Dbutil_2_3.sys is one of the drivers supported for disabling EDR tools by RealBlindingEDR
Miscellaneous other payloads
Vulnerable drivers, mostly in the category of drivers with insufficient access controls, have been used in some advanced attacks. For example, in the Shamoon campaign, a RawDisk driver from Eldos was used to overwrite hard drives, while in February 2022, HermeticWiper used a proxy physical disk writing driver from “EaseUS Partition Master” driver partition manager “empntdrv.sys” for overwriting drives. HermeticWiper contained four embedded resources, which are compressed copies of drivers used by the wiper, depending on the Windows version and the default word memory size for the operating system.
Different versions of “EaseUS Partition Master” partition manager driver are embedded as resources into HermeticWiper code
Ransomware examples of malicious actors’ use of BYOD
With the wide availability of EDR bypassing tools exploiting vulnerable drivers, it is not a surprise that the exploitation moved from the domain of advanced threat actors into the domain of commodity threats, primarily ransomware. We document here some of the known ransomware groups employing the BYOVD technique.
January – Kasseika
In January 2024, Kasseika ransomware operators abused a vulnerable driver, “viragt64.sys”, which is part of the legitimate VirIT antivirus software, to disable a pre-determined list of 991 processes related to security tools and system utilities. The ransomware-as-a-service (RaaS) operation has been active since 2023 and uses double extortion techniques but does not operate a data leak site. In recent attacks, the ransomware first executes a script to load various tools, such as a malicious executable named “Martini.exe” and the vulnerable driver that is renamed “Martini.sys”. Next, Kasseika will create and start a new service whereby the driver is loaded into the malicious executable.
The executable starts scanning the environment for the hard-coded list of processes and, if detected, a control code is sent to the driver enabling it to terminate processes.
March – Akira
In March 2024, Akira has been observed abusing the legitimate, signed Zemana anti-malware kernel driver “zamguard64.sys” via PowerTool to disable EDR at the kernel level. The exploitation of the Zemana zamguard driver was a main component of the popular Terminator EDR killer tool listed for sale on illicit marketplaces beginning May 2023.
July – Qilin
In July 2024, the Qilin ransomware group, another group operating under a Raas model, was observed using a new malware dubbed “Killer Ultra” within an attack. Killer Ultra has a plethora of capabilities, including the ability to terminate security tools with a BYOVD technique, abusing a known arbitrary process termination vulnerability impacting Zemana Anti-Keylogger driver “ ”, tracked as CVE-2024-1853. The vulnerability enables attackers with the ability to terminate processes. Upon execution, Killer Ultra unpacks the vulnerable driver and creates a new service to looks for and disable a list of security tools.
July – BlackByte
Talos recently observed and documented developments in recent BlackByte attacks in July 2024 leveraging BYOVD to facilitate host encryption. The newer encryptor variant was observed dropping four vulnerable drivers as part of BlackByte’s usual BYOVD attack chain, which is an increase from the two or three drivers described in previous reports.These drivers consisted of RtCore64.sys, a driver originally used by MSI Afterburner a system overclocking utility, DBUtil_2_3.sys, a driver that is part of the Dell Client firmware update utility, zamguard64.sys, a part of the previously mentioned Zemana Anti-Malware (ZAM) application exploited by other threat actors, and gdrv.sys, a component of is the GIGABYTE tools software package for GIGABYTE motherboards.
These four drivers were renamed and dropped by the encryptor binary in all BlackByte attacks investigated by Cisco Talos Incident Response (Talos IR), each with a similar naming convention. The nomenclature for the vulnerable drivers consisted of eight random alphanumeric characters followed by an underscore and an iterating number value.
August – RansomHub
In August 2024, RansomHub ransomware actors were observed using a new malware known as EDRKillShifter to disable security tools prior to executing the ransomware binary. The EDRKillShifter can act as a loader for a vulnerable legitimate driver that, once exploited, can facilitate persistent defense evasion. Recent exploits used by the adversary are related to POCs found on Github leveraging RentDrv2, while the other exploited a driver called ThreatFireMonitor. The adversary initiated the process by launching the password-protected EDRKillShifter binary, which decrypts and executes an embedded resource in memory, unpacking and executing a payload to exploit the target vulnerable legitimate driver to escalate privileges and disable active EDR processes.
The malware then created and started a new service for the driver, loading it into the system. Finally, it continuously scanned for and terminated processes that match a hardcoded list of targets, for persistent defense evasion even on reboot.
The adoption of the BYOVD technique by RansomHub and Qilin may be linked to members of the financially motivated threat group Scattered Spider joining forces with these ransomware groups. The new partnership was identified and disclosed in public reporting in July 2024, but it is possible the relationship was already well established before then. Scattered Spider members are known for employing BYOVD tactics since at least December 2022.
Windows drivers and vulnerabilities
Creating malicious Windows drivers is increasingly difficult
Creating a new malicious Windows kernel driver is becoming increasingly difficult. New Windows drivers must be signed with a valid extended validation (EV) certificate by the developer, pass the Microsoft Hardware Lab Kit (HLK) compatibility tests, and be signed by the Microsoft Dev Portal.
However, this complex process, introduced for any newly created Windows kernel or user mode driver, does not apply to existing drivers, which means that legacy drivers signed with valid certificates will still be loaded into the Windows kernel space.
Installing and exploiting existing legacy vulnerable drivers may be one of the very few ways to make changes to kernel data structures or execute code in kernel, as drivers have the same permissions as any other Windows kernel component.
Exploiting vulnerability in a legacy driver is the same as exploiting any kernel vulnerability
Microsoft introduced a blocklist of known vulnerable drivers to tackle this issue. At the beginning, the list was included into the Windows Defender Application Control feature and was superseded by the Windows Security application in newer Windows versions.
Although the vulnerable drivers block list is turned on by default in systems running the Windows 11 2022 update or with systems with hardware virtualization code integrity (HVCI) turned on, there are still many systems which can be attacked by deploying a vulnerable driver or any newly discovered vulnerable driver that is not already on the blocklist.
Common classes of vulnerabilities in BYOVD drivers
While investigating vulnerable Windows kernel drivers commonly used by threat actors for BYOVD campaigns, we identified three classes of vulnerabilities that are typically exploited: arbitrary MSR writes, arbitrary kernel memory writes, and insufficient access controls to driver’s functionality. This classification is not strict, and one driver can belong to multiple classes of vulnerabilities.
Arbitrary MSR read/write vulnerabilities
To consider this class of vulnerabilities, we first need to introduce CPU model specific registers (MSRs). MSRs are additional CPU registers that are used by the CPU and the operating system for various purposes, including regulation of caching mechanism, regulation of fan speed, or transition from user mode into kernel mode. The MSRs can be addressed by their specific number, and some of them also have human readable names.
A specific MSR is key for making transition from user to kernel modes after calling a win32 API function
As a reminder, the transition from kernel to user mode happens in the lowest user mode DLL layer, usually “ntdll.dll”, when a system call number is placed into register rax and the syscall or the “int 0x2e” instruction is executed. During the transition, the syscall instruction updates the Instruction Pointer (RIP) and sets it to the address of the system call handler in the kernel as well as the Stack Pointer (RSP) to point to a stack in kernel space.
The first function to run is “KiSystemCall64”, and a question one can ask is how do Windows know where to start the execution in kernel mode? The answer lies in a MSR specifically used during user to kernel mode transition. For 64-bit Windows systems, it is the IA32_LSTAR (MSR 0xC0000082), which contains the address of the kernel-mode entry point for the syscall instruction, typically the KiSystemCall64 function.
MSR 0xc0000082 contains the address of the first instruction to execute in kernel mode
By having the ability to write content into arbitrary MSRs, attackers may be able to replace the pointer to KiSystemCall64 with the pointer to a malicious function that can run code in the kernel context.
As an example of a driver vulnerable to arbitrary MSR modifications, we chose WinRing0 driver, which is commonly used by XMRig cryptocurrency mining software to disable some processor features such as caching, to increase the performance of the miner. WinRing0 is also included in many open and closed source programs. Unfortunately, the driver is also exposed to an arbitrary MSR write vulnerability which can lead to kernel mode code execution in versions of Windows prior to Windows 8 or to escalation of privileges in later Windows versions. This method is mitigated in the latest Windows versions with the latest exploit mitigations, such as Virtualization Based Security (which will be discussed later in the post), which is enabled by default.
WinRing0 driver is vulnerable to an arbitrary MSR write vulnerability
The second class of vulnerabilities in frequently used BYOVD drivers is the arbitrary kernel memory write class. Here, a driver functionality to write arbitrary memory is used as a write primitive to deploy shellcode into kernel memory or change important kernel data structures to achieve escalation of privileges for a malicious user mode process.
A significant number of drivers with this class of vulnerability exists, and most of them are well documented. Readers are referred to the loldrivers project to find examples of vulnerable drivers allowing kernel memory write.
Any driver that uses one of the following kernel functions for may be regarded as a candidate for this class of vulnerabilities, although further analysis is almost always required to conclude that a user buffer and the target address can be supplied to the driver through a user-accessible device I/O control code (IOCTL):
Access to Physical Memory
MmMapIOSpace()
ZwMapViewOfSection()
PCI Config Space Access
HalSetBusDataByOffset()
HalGetBusDataByOffset()
Memory Copying Operations
memcpy()
memmove()
A good example of this vulnerability group is CVE-2022-3699, a vulnerability in a Lenovo driver that allows arbitrary memory reading and writing.
CVE-2022-3699 – memory write via exposed MmMapIoSpace function in a Lenovo driver
Misusing existing functionality in Windows drivers with insufficient access controls
The third and the last class of vulnerabilities used by threat actors in attacks using BYOVD drivers is misusing existing driver functionality caused by insufficient access controls.
INF files are files used during a driver’s installation, and among other things, they also contain permissions for the driver, specified using the SDDL language. The Security Descriptor Definition Language (SDDL) is a domain specific language that allows components to generate access control lists (ACLs) using a string format. It is utilized in both user-mode and kernel-mode programming. The diagram below illustrates how SDDL strings are structured for device objects.
The access value specifies the type of access allowed. The SID value specifies a security identifier that determines to whom the access value applies (for example, a user or group). For example, string “D:P(A;;GA;;;SY)(A;;GR;;;WD)” allows the system (SY) access to everything and allows everyone else (WD) only read access.
Security Descriptor Definition Language string format manages access permissions to driver objects
Programming Windows kernel drivers has a steep learning curve and, as a consequence, many drivers contain code that is copied from templates and example drivers, including their SDDL access permissions. When a driver is created, it is likely that its access permissions will be inadequate and will allow unprivileged users access to functionality that should otherwise be available to users with higher privilege levels.
A good example of a vulnerable driver with insufficient permissions would be an old version of an antimalware software driver “viragt64.sys” (VirIT Agent System) developed by TG Soft, which exposes the functionality of terminating a process from the kernel mode to users with lower levels of privileges. This driver is used by ransomware threat actors such as Kasseika to terminate other antimalware and EDR products.
The device IOCTL control code 0x82730030 is used to terminate an arbitrary process from the kernel modeViragt64.sys used ZwTerminateProcess to terminate arbitrary process, which can be misused by threat actors due to insufficient access permissions
In addition to documenting different classes of vulnerabilities in frequently used BYOVD drivers, we also investigated the most common payloads delivered by threats and potentially unwanted applications after exploiting vulnerable drivers and classified them into several groups including local escalation privileges, loading of unsigned code and bypassing EDR functionality.
Modern Windows mitigations and vulnerable drivers
Loading malicious code into kernel memory is one of the most powerful payloads attackers can use. This approach was frequently employed in the early days of Windows, prior to Windows Vista, when there were no requirements to sign drivers. The ability to load unsigned code into kernel mode was an incentive for the creation of several Windows kernel rootkits, such as Sinowal or TDL4, designed to hide the presence of malicious payloads from defenders by modifying kernel programs and data structures.
To respond to those threats and kernel exploitation in general, Microsoft introduced kernel patch protection (KPP), better known as Patch Guard, in x64 versions of Windows XP SP3. This was followed by the requirement for drivers to be signed in x64 Windows Vista.
The introduction of the mitigations into the Windows kernel sparked a race between threat actors and Microsoft. Attackers quickly responded to newly introduced mitigations by showing how digital signature enforcement can be turned off in a race with the Patch Guard, and Microsoft responded with more mitigations. Over time, the exploitation of Windows kernels became increasingly challenging. Next, we will briefly describe only four significant anti-exploitation features implemented with Windows 10 and 11.
Virtualization-Based Security (VBS)
Virtual Trust Levels (VTLs) are a key concept within Virtualization-Based Security (VBS), designed to enhance system security by creating isolated execution environments. VTLs leverage hardware virtualization to separate and protect sensitive processes from potentially less secure code running in the main operating system.
VTLs are essentially different security levels or “worlds” within the same physical machine, each providing a different level of trust. The main goal of VTLs is to isolate trusted operations and data from the rest of the system to prevent tampering. In Windows, there are two main VTL levels.
• VTL0: This is the standard trust level, where the traditional operating system and all user-mode and kernel-mode applications run.
• VTL1: This is a higher trust level used to execute sensitive security functions and store critical data. It is isolated from VTL0, meaning that operations in VTL0 cannot directly access or modify the code and data in VTL1. VTL1 is used to store sensitive information like encryption keys, password hashes, and security tokens (credentials guard).
High level architecture of Virtualization-based security concepts, credit: Windows Internals 7th edition, part 1
By running different parts of the kernel in different trust levels, effectively different virtual machines, Windows can use Second Level Address Translation (SLAT) to create different access permissions for memory pages depending on the source of access.
Essentially, in a process similar to shadowing page tables, VBS enforces exclusive write or execute page access permission. In other words, if a code from VTL0 attempts to change its own page table permissions from writable to executable this will be detected by the VTL1 and the data in the page still won’t be able to execute.
This mechanism is one of the key features of another important mitigation, Hypervisor-Protected Code Integrity (HVCI).
Hypervisor-Protected Code Integrity (HVCI)
When Hypervisor-protected Code Integrity (HVCI) is enabled on a Windows system, it enforces control over memory page permissions to mitigate executable code injection. HVCI is designed so that only verified and trusted code is executed in kernel mode, and it applies policies to manage how memory pages can be used and modified.
One of the important features enforced by HVCI (and supported by modern CPUs) is the prevention of pages being simultaneously writable and executable. This policy is known as Write XOR Execute (W^X), which prevents memory pages from being both writable and executable at the same time.
HVCI prevents direct execution of code from pages that were recently writable, unless specific security checks are passed. Before any code can execute from a page that has had its permissions altered, it must pass a code integrity check, ensuring it is signed by a trusted certificate. If the code does not meet these integrity requirements, execution will be blocked. HVCI attempts to ensure that any code running in kernel mode is signed with a valid certificate.
Kernel Control Flow Guard (kCFG)
Kernel Control Flow Guard (kCFG) is a security feature in Windows designed to protect the operating system’s kernel from certain types of attacks that attempt to manipulate the control flow of kernel-mode code. It builds on the principles of Control Flow Guard (CFG), used to secure user-mode applications.
kCFG aims to prevent exploits that involve redirecting the control flow of kernel code to unintended or malicious locations which should prevent exploits that hijack the control flow by overwriting function pointers and other data used for indirect code execution.
During the compilation of the Windows kernel, kCFG instruments the code to create valid address bitmap and any indirect call must finish at a target known at compile time. If the call is directed outside know target the system will cause a security check failure.
Kernel shadow stack
The primary purpose of the Windows kernel shadow stack is to ensure that the return addresses on the call stack cannot be tampered with, specifically to mitigate exploitation using Return Oriented Programming (ROP).
The shadow stack maintains a separate, copy of return addresses parallel to the regular call stack. When a function call occurs, the return address is pushed onto both the regular stack and the shadow stack. Upon function return, the system verifies the return address against the shadow stack to ensure it has not been altered. The shadow stack in Windows is hardware assisted for better performance through Intel Control-Flow Enforcement Technology (CET) and AMD Shadow Stacks.
Conclusion
In recent years, Windows platform security has improved to effectively prevent deployment of newly developed malicious drivers. However, kernel mode threats of vulnerable legacy drivers remain a concern. Luckily there are a few things we can do to mitigate the risks and detect potential campaigns using BYOVD technique.
This could include enforcement of Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, preventing risks associated with legacy drivers. If the blocking of all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) drivers blocklist is recommended way to prevent the execution of known vulnerable drivers.
Apart from the above, for threat detection and response, it recommended to develop a capability to monitor driver load events, such as those recorded by Sysmon’s event ID 6.
In summary, while Windows security has improved, maintaining vigilance against kernel mode threats requires adoption of best practices and monitoring techniques to protect against known and unknown driver vulnerabilities.
Starting this year, Cyble Research and Intelligence Labs (CRIL) has observed a significant trend where threat actors (TAs) have increasingly leveraged LNK files as an initial infection vector in multiple campaigns. These malicious shortcut files, often disguised as legitimate documents, have become a preferred entry point for attackers seeking to compromise systems. This shift in tactics aims to bypass traditional security mechanisms and deceive users into executing the malicious LNK file, thereby initiating a multi-stage cyber attack to deploy the final payload.
In these campaigns, the LNK files are meticulously crafted to execute commands using multiple Living-off-the-Land Binaries (LOLBins). By exploiting the inherent functionalities of these binaries, attackers can download or execute additional malicious components, thereby advancing their attack chain.
While modern endpoint detection and response (EDR) solutions have evolved to detect such activities by monitoring the behavior of LNK files and flagging suspicious use of known LOLBin binaries, this has led TAs to refine their techniques to bypass these advanced security measures.
Recently, CRIL uncovered an additional layer of sophistication in these attacks: the use of SSH commands within malicious LNK files to execute a range of malicious activities. This emerging technique highlights how threat actors leverage SSH commands to maintain persistence and control over compromised systems.
While the malicious use of SSH is not a new tactic, its ongoing relevance as an evasion technique underscores the need for continuous vigilance in monitoring trusted utilities for anomalous behavior.
Pivoting on the identified SSH abuse techniques, CRIL has tracked several campaigns where SSH commands were exploited to carry out malicious operations, further emphasizing the evolution of attack methods. Notably, APT groups have also incorporated this technique into their arsenal, highlighting their growing use in sophisticated cyber campaigns.
SSH using the SCP command
In this campaign, a malicious .LNK file is configured to execute SSH commands that use the scp (Secure Copy Protocol) command to download a malicious file and execute it on the local system. The image below illustrates the contents of the .LNK file.
Figure 1 – Contents of the .LNK file
The use of SSH commands and SCP on Windows systems is relatively less, which may allow malicious activity to go undetected by traditional security solutions that are not specifically configured to monitor such behavior.
The .LNK file is configured with the following SSH options to facilitate the attack:
-o “PermitLocalCommand=yes”: Allows the execution of a local command once the SSH connection is established.
-o “StrictHostKeyChecking=no”: Disables host key verification, bypassing prompts or errors when connecting to untrusted servers.
Once the SSH connection is established, the SSH client executes the SCP command:
This command downloads a malicious file named christmas-sale.exe from the /home/revenge directory on the remote server to the local directory c:userspublic. The downloaded file is then executed, advancing the attack chain.
Abuse of SSH and PowerShell Commands
In this campaign, a malicious .LNK file is configured to execute an SSH command that indirectly runs a malicious PowerShell command. The .LNK file utilizes a ProxyCommand option in the SSH command to execute PowerShell, which then invokes mshta.exe to access a remote malicious URL. The execution of this command allows the attacker to download and execute a potentially harmful payload on the local system. The image below shows the contents of the .LNK file.
Figure 2 – Contents of the .LNK File
The .LNK file is configured with the following SSH options:
The SSH client executes the PowerShell command, which runs mshta.exe to fetch and execute the malicious script from the specified URL.
Abuse of SSH and CMD Commands
In this campaign, a malicious .LNK file is crafted to execute an SSH command, which then triggers rundll32 to load a malicious DLL and launch a PDF file (lure document), both located in the current directory. The image below illustrates the contents of the .LNK file.
Figure 3 – Contents of the LNK file
The SSH client executes cmd.exe, which in turn launches the rundll32 utility to load the malicious DLL and execute the PDF, advancing the attack chain.
By analyzing the artifacts and DLL payload associated with this campaign, we observed behavior resembling stealer malware compiled in Go, which we previously discussed in a blog targeting the Indian Air Force. Additionally, another article highlights similar behavior, attributing the stealer payload (HackBrowserData—an open-source tool) to the APT group ‘Transparent Tribe’.
Conclusion
The combination of LNK files and SSH commands has emerged as a notable trend in recent campaigns, signaling a shift in the tactics used by threat actors. By leveraging SSH commands in conjunction with various LOLBins, attackers can establish connections to remote servers, download payloads, and maintain persistence on compromised systems. As demonstrated in the analyzed campaigns, these techniques are continuously evolving, with threat actors refining their methods to evade detection by exploiting trusted system utilities. As the cyber threat landscape progresses, organizations must remain vigilant and adapt their security strategies to effectively counter these increasingly sophisticated attack vectors.
The Sigma rule to detect these campaigns leveraging SSH commands is available for download from the GitHub repository.
Recommendations
To mitigate potential SSH abuse, closely monitor the activities of the legitimate SSH utility, restrict its usage to authorized users, and implement robust detection mechanisms to identify suspicious activities involving ssh.exe, particularly those with abnormal or malicious command-line parameters.
Disable OpenSSH features on systems where it is not required.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-19 10:06:352024-12-19 10:06:35LNK Files and SSH Commands: A Stealthy Playbook for Advanced Cyber Attacks
It’s December, and it’s high time to tell Santa how good girls and boys we’ve been at ANY.RUN. It’s time to reap acknowledgment from the industry, the community, and the customers. Here are the major tech awards we’ve received in 2024 as cybersecurity experts.
Cybersecurity Excellence Awards from Cybersecurity Insiders
We nailed it in the Threat Hunting category. And we are proud: the award is well respected throughout the industry. Winners are selected by both community votes and judging panel evaluations. This ensures that recognition reflects real-world impact and peer validation.
Holger Schulze, CEO of Cybersecurity Insiders:
With over 600 entries across more than 300 categories, the awards are highly competitive. Your achievement reflects outstanding commitment to the core principles of excellence, innovation, and leadership in cybersecurity.
ANY.RUN’s innovative, user-friendly malware analysis platform excels in its impact, value, and timeliness, making it a standout in the cybersecurity industry. The platform’s high quality and emotional quotient ensure it meets the evolving challenges of its users effectively.
TI Lookup lets you find and explore domains, IPs, events, files, and other details related to your query
For those who haven’t yet had a chance to explore Threat Intelligence Lookup, it is ANY.RUN’s flagship product that lets security professionals enrich their investigations into the latest malware and phishing threats.
It offers a searchable database of fresh Indicators of Compromise (IOCs), Indicators of Behavior (IOBs), and Indicators of Attack (IOAs), extracted from public samples analyzed in ANY.RUN’s sandbox.
We are in the list of Top 150 cybersecurity vendors. It is a well-respected global industry benchmark supported by IT-Harvest. It gathers top-tier vendors in cybersecurity — which is, by the way, a highly competitive and densely populated field.
ANY.RUN “managed to make an outstanding contribution to the cybersecurity landscape”, Richard Stiennon, Chief Research Analyst at IT-Harvest, says.
Best in Behavior Analytics by CyberSecurity Breakthrough Awards
We are grateful to be recognized for delivering quality behavior analytics, as it is among the key features of the ANY.RUN sandbox. It implies detailed analysis of network activity, and the processes malware agents initiate and engage in.
Automated Interactivityquicklyidentifies and detonates Formbook inside an archive attached to an email
Besides, this fall we’ve taken our Automated Interactivity feature to the next level by implementing the Smart Content Analysis mechanism. The enhanced Automated Interactivity simplifies malicious behavior analysis and spares user’s time by identifying and auto-detonating the key components of malware at each stage of the attack.
So the recognition was well deserved. But no time to rest on our laurels. We have huge plans for 2025, stay tuned!
Try Automated Interactivity and other PRO features of the ANY.RUN Sandbox for free
We would like to send our love and appreciation to our unique community.
Every analytic session, every piece of feedback, and every insight you provide helps us grow and improve. You are not just users — you are collaborators in our mission to build a safer digital world.
About ANY.RUN
ANY.RUN is a leading provider of a cloud-based malware analysis sandbox for effective threat hunting. Our service lets users safely and quickly analyze malware without the need for on-premises infrastructure. ANY.RUN is used by organizations of all sizes, including Fortune 500 companies, government agencies, and educational institutions.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed the Federal Civilian Executive Branch to implement more than 50 policies to secure Microsoft 365 environments.
The new policies, Binding Operational Directive (BOD) 25-01: Implementing Secure Practices for Cloud Services, apply to Azure Active Directory/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online and OneDrive, and Microsoft Teams.
CISA has the authority to secure the more than 100 agencies that make up the FCEB, which doesn’t include Defense, National Security, and Intelligence agencies. However, CISA said it “strongly recommends all stakeholders implement these policies … Doing so will reduce significant risk and enhance collective resilience across the cybersecurity community.”
CISA plans guidance for other cloud environments next year, including Google Workspace. The new cloud security directive comes amid a flurry of activity from CISA, including a draft National Cyber Incident Response Plan, as the agency’s leadership prepares to depart next month when the new Administration takes office.
Microsoft 365 Security Issues
The Microsoft guidance comes after a year in which Microsoft 365 security came under heavy scrutiny. A U.S. Cyber Safety Review Board (CSRB) report earlier this year detailed “a cascade of security failures at Microsoft” that allowed China-linked threat actors in July 2023 to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China.” A Congressional hearing followed, along with pledges by Microsoft to make security a top priority.
Amazon recently paused a Microsoft 365 rollout after discovering security issues, according to a Bloomberg report, bringing fresh attention to the issue.
CISA’s Microsoft 365 Directive
CISA’s timeline gives federal civilian agencies until June 20, 2025, to “comply with a defined set of these Secure Cloud Baselines, deploy automated configuration assessment tools to check compliance, and to remediate deviations from these policies under BOD 25-01.”
The first policy in the directive requires Azure AD and Entra ID implementations to block legacy protocols that don’t allow multi-factor authentication (MFA).
Other Azure AD and Entra ID policies require that high-risk users and sign-ins be blocked, enforcing phishing-resistant MFA or an alternative, and setting the Authentication Methods Manage Migration feature to Migration Complete. Roughly two-thirds of the 21 policies in the Azure AD and Entra ID section involve securing privileged accounts.
Defender policies call for enabling standard and strict preset security policies, protecting sensitive accounts and information, and enabling logging and alerts.
Exchange policies include disabling SMTP AUTH and automatic forwarding to external domains, implementing SPF and DMARC policies, and enabling external sender warnings and mailbox auditing.
Power Platform policies call for limiting trial, production, and sandbox creation to admins, creating a DLP policy to restrict connector access in the default Power Platform environment, and enabling tenant isolation.
SharePoint Online and OneDrive policies include limiting external sharing and file and folder sharing, and preventing custom scripts on self-service created sites.
Teams controls include limiting access for external, unmanaged, and anonymous users, blocking contact with Skype, and disabling email integration.
CISA also provides assessment tools and guidance through the Secure Cloud Business Applications (SCuBA) project.
Conclusion
CISA has provided federal agencies with strong best practices for securing Microsoft 365 environments. These policies, based on principles of least privilege and strict authentication and access control, could also apply to other cloud environments.
Cyble’s Cloud Security Posture Management (CSPM) and threat intelligence tools offer organizations automated, cost-effective cloud compliance and monitoring, with the ability to detect misconfigurations and leaks before they turn into major incidents.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-18 14:06:582024-12-18 14:06:58CISA Orders Federal Agencies to Secure Microsoft 365 Environments
Today, AI-based technologies are already being used in every second company — with another 33% of commercial organizations expected to join them in the next two years. AI, in one form or another, will soon be ubiquitous. The economic benefits of adopting AI range from increased customer satisfaction to direct revenue growth. As businesses deepen their understanding of AI systems’ strengths and weaknesses, their effectiveness will only improve. However, it’s already clear that the risks associated with AI adoption need to be addressed proactively.
Even early examples of AI implementation show that errors can be costly — affecting not only finances but also reputation, customer relationships, patient health, and more. In the case of cyber-physical systems like autonomous vehicles, safety concerns become even more critical.
Implementing safety measures retroactively, as was the case with previous generations of technology, will be expensive and sometimes impossible. Just consider the recent estimates of global economic losses due to cybercrime: $8 trillion in 2023 alone. In this context, it’s not surprising that countries claiming 21st century technological leadership are rushing to set up AI regulation (for example, China’s AI Safety Governance Framework, the EU’s AI Act, and the US Executive Order on AI). However, laws rarely specify technical details or practical recommendations — that’s not their purpose. Therefore, to actually apply regulatory requirements such as ensuring the reliability, ethics, and accountability of AI decision-making, concrete and actionable guidelines are required.
To assist practitioners in implementing AI today and ensuring a safer future, Kaspersky experts have developed a set of recommendations in collaboration with Allison Wylde, UN Internet Governance Forum Policy Network on AI team-member; Dr. Melodena Stephens, Professor of Innovation & Technology Governance from the Mohammed Bin Rashid School of Government (UAE); and Sergio Mayo Macías, Innovation Programs Manager at the Technological Institute of Aragon (Spain). The document was presented during the panel “Cybersecurity in AI: Balancing Innovation and Risks” at the 19th Annual UN Internet Governance Forum (IGF) for discussion with the global community of AI policymakers.
Following the practices described in the document will help respective engineers — DevOps and MLOps specialists who develop and operate AI solutions — achieve a high level of security and safety for AI systems at all stages of their lifecycle. The recommendations in the document need to be tailored for each AI implementation, as their applicability depends on the type of AI and the deployment model.
Risks to consider
The diverse applications of AI force organizations to address a wide range of risks:
The risk of not using AI. This may sound amusing, but it’s only by comparing the potential gains and losses of adopting AI that a company can properly evaluate all other risks.
Risks of non-compliance with regulations. Rapidly evolving AI regulations make this a dynamic risk that needs frequent reassessment. Apart from AI-specific regulations, associated risks such as violations of personal-data processing laws must also be considered.
ESG risks. These include social and ethical risks of AI application, risks of sensitive information disclosure, and risks to the environment.
Risk of misuse of AI services by users. This can range from prank scenarios to malicious activities.
Threats to AI models and datasets used for training.
Threats to company services due to AI implementation.
The resulting threats to the data processed by these services.
“Under the hood” of the last three risk groups lie all typical cybersecurity threats and tasks involving complex cloud infrastructure: access control, segmentation, vulnerability and patch management, creation of monitoring and response systems, and supply-chain security.
Aspects of safe AI implementation
To implement AI safely, organizations will need to adopt both organizational and technical measures, ranging from staff training and periodic regulatory compliance audits to testing AI on sample data and systematically addressing software vulnerabilities. These measures can be grouped into eight major categories:
Threat modeling for each deployed AI service.
Employee training. It’s important not only to teach employees general rules for AI use, but also to familiarize business stakeholders with the specific risks of using AI and tools for managing those risks.
Infrastructure security. This includes identity security, event logging, network segmentation, and XDR.
Supply-chain security. For AI, this involves carefully selecting vendors and intermediary services that provide access to AI, and only downloading models and tools from trusted and verified sources in secure formats.
Testing and validation. AI models need to be evaluated for compliance with the industry’s best practices, resilience to inappropriate queries, and their ability to effectively process data within the organization’s specific business process.
Handling vulnerabilities. Processes need to be established to address errors and vulnerabilities identified by third parties in the organization’s system and AI models. This includes mechanisms for users to report detected vulnerabilities and biases in AI systems, which may arise from training on non-representative data.
Protection against threats specific to AI models, including prompt injections and other malicious queries, poisoning of training data, and more.
Updates and maintenance. As with any IT system, a process must be built for prioritizing and promptly eliminating vulnerabilities, while preparing for compatibility issues as libraries and models evolve rapidly.
Regulatory compliance. Since laws and regulations for AI safety are being adopted worldwide, organizations need to closely monitor this landscape and ensure their processes and technologies comply with legal requirements.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-18 12:06:392024-12-18 12:06:39Measures for safe development and use of AI | Kaspersky official blog
The video provides a step-by-step guide on investigating real-world threats, including how to quickly identify and analyze Indicators of Compromise (IOCs) and uncover key behavioral insights.
If you’re looking to improve your investigation workflows and see practical examples of malware analysis in action, we highly recommend watching the video to follow along with the expert’s process.
Here’s our overview of the key highlights covered in the video.
About ANY.RUN Sandbox
The ANY.RUN Sandbox is an interactive malware analysis platform that enables security professionals to analyze malicious files in a live, user-driven environment. It allows DFIR professionals to:
Uncover the behaviors and tactics of malware.
Quickly gather critical Indicators of Compromise (IOCs).
Explore malware configurations and identify threats in real time.
By providing detailed insights through features like process trees, network monitoring, and integrated ATT&CK mapping, ANY.RUN helps analysts stay ahead of emerging threats and streamline investigations.
Analyze malware and phishing threats in ANY.RUN’s Interactive Sandbox for free
Formbook is a widespread infostealer that targets credentials, cookies, and other sensitive data. Here’s how DFIR professionals can use ANY.RUN to analyze it.
Imagine you have received the following alert: malware detected and quarantined.
Use this information to initiate your investigation.
Check Previous Analyses
The first thing you should do is check if ANY.RUN analyzed this file previously. Navigate to ANY.RUN’s Reports section, located on the left-hand side.
Reports section inside ANY.RUN
Search for the hash of the flagged file. If the file has already been analyzed, review the existing reports. Otherwise, upload the file to initiate a fresh analysis.
In our case, there are 2 analysis sessions found from October 2024. Let’s choose the first report and look closer at what’s inside.
After clicking on the existing entry, you’ll be redirected to the ANY.RUN sandbox presented with a lot of useful information.
Public submissions related to specific IOC
Let’s use this analysis to see how the sandbox can help us.
Examine Initial Results
ANY.RUN provides an overview of the analysis, including malicious activity indicators, the operating system used for analysis (e.g., Windows 10 64-bit), and a suite of options, such as:
Get Sample: Download the file for deeper analysis.
IOC Tab: View all related IOCs.
MalConf: Explore indicators extracted from the malware’s configuration.
Restart: Re-run the analysis if needed.
Text Report: Get a detailed overview of findings.
Graph: Visualize the process tree and events.
ATT&CK Tab: Review associated tactics, techniques, and procedures (TTPs).
AI Summary: Summarize key findings.
Export Options: Save results in various formats like STIX or MISP JSON.
Malicious activity identified by ANY.RUN sandbox
Analyze the Process Tree
Study the parent-child relationship in the process tree to understand how the file behaves.
Process tree inside ANY.RUN
For example, Formbook may create a registry key to establish persistence. By clicking on the process, you can view command-line details and trace the registry key creation and file execution paths.
Process of creating registry key displayed inside ANY.RUN sandbox
Investigate Network Activity
Use the network-related tabs to track events like HTTP requests and connections. ANY.RUN simplifies this by flagging requests with reputation icons:
Green checkmark: Known and safe.
Question mark: Unknown.
Fire icon: Malicious. Document any flagged IOCs, such as suspicious IP addresses or domains, and cross-check them within your environment.
Reputation icons for faster malware analysis
Leverage Threat Hunting Features
Utilize tabs like MalConf and ATT&CK to uncover additional insights. For instance, MalConf may reveal hardcoded strings or configurations that can aid in threat hunting.
Malware configuration tab displayed in ANY.RUN sandbox
The ATT&CK tab provides a breakdown of associated TTPs, helping analysts understand how the malware evades detection or escalates privileges.
In the current analysis session, these are the TTPs the sandbox identified:
TTPs related to Formbook analysis session
AI Summary
The AI-powered summary distills the technical findings into easy-to-understand insights. This is particularly beneficial for:
Quickly understanding the file’s behavior without diving into the technical minutiae.
Assisting junior analysts or teams new to malware analysis by providing clear explanations of what the file is doing.
AI summary of processes inside ANY.RUN sandbox
By leveraging these features, DFIR professionals can perform detailed, thorough, and efficient malware analysis, tailoring their investigations to the specific needs of their organization.
Learn to analyze cyber threats
See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Read full guide
Use Case 2: Analyzing Lumma Stealer with Advanced Features
The next use case focuses on analyzing a file using the ANY.RUN sandbox, specifically targeting a different infostealer called Luma Stealer. The latter is another malware aimed at exfiltrating data.
For this demonstration, the free plan is used, but comparisons to the paid plan capabilities will also be highlighted.
Uploading a File to ANY.RUN
To analyze a file in ANY.RUN, start by selecting Submit File option from the available 3 options.
When uploading a file, keep in mind that as a free user Analysis will be public, meaning anyone can view it. Avoid uploading sensitive data. Always consult with your team if unsure.
The free plan, however, offers privacy options to restrict access to your analysis.
After selecting the file, you’ll see two key options:
Deep analysis: Ideal for file-based malware investigations.
Safebrowsing: Suitable for URL-based fast analysis.
For this case, we’re performing Deep Analysis on the Luma Stealer sample.
ANY.RUN allows you to customize execution and environment settings to simulate real-world scenarios. For instance, you can specify custom command-line arguments to trigger specific malware behaviors.
The free plan offers 60 seconds of analysis.
With the paid plan, you can extend to 10+ minutes for deeper analysis.
You can also choose where you want to execute the file, for instance, temp directory, desktop, downloads directory, AppData, and more.
For the network traffic the following options are available:
Then, choose the operating system, such as Windows 7 (32-bit), Windows 10 (64-bit), and Ubuntu 22.04. The paid plan also offers Windows 11.
Running the Analysis
Once configurations are set, click Run Analysis. If you decide to go with the Public mode, a warning will remind you that the analysis data will be publicly accessible. To make your analysis private, you will need to get a Hunter or Enterprise plan subscription.
The sandbox begins dynamic analysis, executing the file and recording all processes, behaviors, and network activities.
A timer (top-right) shows the remaining analysis duration. You can add time to capture extended malware behaviors.
Observing Results in Real Time
Once the analysis begins, you can interact with the sandbox environment. Have a look at the parent-child relationships of processes generated by the malware.
On the right corner you can already see the sandbox identifies the processes as Lumma malware and possible phishing.
Besides, we can note that the sandbox also detected a domain used for C2 connection:
Suricata rule triggered by Lumma malware
With the paid plan you can also see how this particular Suricata rule was generated:
Suricata rule details available for Hunter and Enterprise users
Extracting IOCs and Key Artifacts
The sandbox lists malicious IOCs that can be used to detect the threat
Once the analysis completes, go to the IOC tab to extract key indicators, including:
IP addresses
Domains
File hashes
URLs
Why DFIR Professionals Rely on ANY.RUN
ANY.RUN’s real-time, interactive capabilities make it a favorite among DFIR experts. Here’s why:
Speed: Analyze malware behavior and extract IOCs faster than ever.
Ease of use: Its intuitive interface works for both seasoned analysts and newcomers.
Flexibility: From free plans to enterprise solutions, ANY.RUN fits teams of all sizes.
Threat intelligence integration: Enrich your investigations with additional context to ensure thorough results.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance