ACSC Warns of Remote Code Execution Risk in Apache Struts2

/in

Cyble Apache Struts2

Overview

The Australian Cyber Security Center (ACSC) has alerted organizations about a severe vulnerability in the Apache Struts2 Framework. The vulnerability, CVE-2024-53677, has been identified in the Framework, posing a critical risk to organizations that use, develop, or support Java-based applications built on this widely adopted framework. 

This vulnerability primarily affects versions of Apache Struts2 before 6.4.0 and can lead to severe security breaches, including remote code execution (RCE). Australian organizations using these versions must take immediate action to mitigate the risks posed by this flaw.

CVE-2024-53677 is a critical file upload vulnerability in the Apache Struts2 Framework. It allows attackers to exploit path traversal flaws and manipulate file upload parameters. The flaw is found in the deprecated File Upload Interceptor component.

Under certain circumstances, this can lead to the uploading of malicious files that could be executed remotely, potentially giving attackers full control over the affected system. The issue is particularly concerning for enterprise Java applications that rely on Apache Struts2.

Details of Apache Struts2 Framework Vulnerability (CVE-2024-53677)

According to the Apache advisory, the affected versions of Struts include Struts 2.0.0 through 2.3.37 (end-of-life versions), Struts 2.5.0 through 2.5.33, and Struts 6.0.0 through 6.3.0.2. The vulnerability has been classified as “critical,” with a CVSSv3 score of 9.8, reflecting its potential for exploitation. 

This issue is not isolated; Apache Struts vulnerabilities have been popular targets for threat actors, with two major incidents occurring in 2017 and 2023. As such, CVE-2024-53677 must be taken seriously by organizations that continue to use older versions of Struts.

Organizations using Java applications that leverage the affected versions of Apache Struts2 are at high risk of exploitation. This includes various industries such as government, telecommunications, finance, and e-commerce, where the framework remains integral to business operations.

The critical nature of CVE-2024-53677 lies in its ability to facilitate remote code execution. Once an attacker successfully uploads a malicious file—often a web shell—through the vulnerable file upload mechanism, they can execute arbitrary commands, steal sensitive data, and further compromise the system.

Recommendations for securing your systems

Organizations are strongly advised to take the following steps to mitigate the risks associated with CVE-2024-53677:

  • The most effective way to address the vulnerability is to upgrade to Apache Struts 6.4.0 or a later version. This version replaces the deprecated File Upload Interceptor with the more secure Action File Upload Interceptor, which significantly reduces the risk of exploitation. However, migrating to this new file upload mechanism requires modifications to the existing code, as the old File Upload Interceptor is no longer secure.

  • If upgrading to Struts 6.4.0 is not immediately feasible, organizations should apply any available patches for affected versions of Struts. Additionally, continuous monitoring of systems for suspicious activity is crucial. Logs should be reviewed regularly for any indications of attempts to exploit the vulnerability.

  • Organizations should audit their Java-based applications to determine whether they are using the affected versions of Apache Struts. They should also verify whether the vulnerable File Upload Interceptor component is being used. Applications that do not rely on this component are not affected by CVE-2024-53677.

  • Given the critical nature of this vulnerability, organizations must stay updated on vendor advisories and any new patches or security releases. Apache’s security bulletins should be regularly checked to ensure that any new information or mitigation strategies are quickly applied.

Conclusion 

CVE-2024-53677 presents a critical risk of remote code execution (RCE), allowing attackers to exploit file upload vulnerabilities and gain unauthorized control over systems. Organizations using Struts2 versions prior to 6.4.0 must upgrade immediately and migrate to the new Action File Upload Interceptor.

Prompt patching and monitoring are essential to prevent exploitation. To strengthen defenses, businesses can turn to Cyble’s AI-powered cybersecurity solutions like Cyble Vision, which offer advanced threat intelligence, dark web monitoring, and proactive risk detection. Discover how Cyble Vision can enhance your cybersecurity strategy by booking a free demo today.

References:

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-security-vulnerability-affecting-apache-struts2-below-6-4-0

The post ACSC Warns of Remote Code Execution Risk in Apache Struts2 appeared first on Cyble.

Blog – Cyble – ​Read More

Multiple Vulnerabilities in Google Chrome for Desktop: Update to Stay Secure

/in

Cyble Google Chrome

Overview

On December 16, 2024, the Indian Computer Emergency Response Team (CERT-In) issued a vulnerability note (CIVN-2024-0356) regarding multiple security flaws in Google Chrome for Desktop. These vulnerabilities, rated HIGH in severity, could allow remote attackers to execute malicious code or disrupt the system’s functionality through a Denial of Service (DoS) attack.

Affected Software Versions

These vulnerabilities impact the following versions of Google Chrome for Desktop:

  • Windows and macOS: Versions prior to 131.0.6778.139/.140 and 131.0.6778.108/.109.

  • Linux: Versions prior to 131.0.6778.139 and 131.0.6778.108.

All end-user organizations and individuals using Google Chrome for Desktop are urged to update their browsers immediately to prevent potential exploits.

Impact of the Vulnerabilities

The identified vulnerabilities can lead to the following risks:

  1. Remote Code Execution: A remote attacker could execute arbitrary code on a target system using a maliciously crafted webpage.

  2. Denial of Service (DoS): Attackers can crash the browser or make it unresponsive, causing system instability.

  3. Sensitive Information Disclosure: Exploitation may allow access to sensitive information stored in the browser.

Detailed Description of the Vulnerabilities

Google Chrome, a widely-used web browser across Windows, macOS, and Linux systems, is vulnerable to specific flaws caused by improper handling of memory during certain operations. Below is a breakdown of the vulnerabilities:

1. CVE-2024-12381: Type Confusion in V8

  • Severity: High

  • Description: The V8 JavaScript engine, used by Google Chrome to process web content, has a Type Confusion issue. Type Confusion occurs when the browser misinterprets the type of an object, leading to unexpected behavior. This flaw can result in heap corruption when a specially crafted HTML page is executed.

  • Reported by: Seunghyun Lee (@0x10n) on December 2, 2024.

  • Affected Versions: Google Chrome prior to version 131.0.6778.139/.140.

2. CVE-2024-12382: Use After Free in Translate

  • Severity: High

  • Description: A Use After Free vulnerability exists in Google Chrome’s Translate component. Use After Free occurs when memory is accessed after it has been freed, leading to unexpected behavior or crashes. Exploiting this vulnerability via a crafted HTML page can cause heap corruption or allow remote code execution.

  • Reported by: lime (@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on November 18, 2024.

  • Affected Versions: Google Chrome prior to version 131.0.6778.139/.140.

3. CVE-2024-12053: Type Confusion in V8

  • Severity: High

  • Description: Another Type Confusion vulnerability in the V8 engine impacts earlier versions of Google Chrome. Exploitation through a malicious HTML page can result in object corruption, potentially leading to system compromise.

  • Reported by: gal1ium and chluo on November 14, 2024.

  • Affected Versions: Google Chrome prior to version 131.0.6778.108/.109.

How Can These Vulnerabilities Be Exploited?

Attackers can take advantage of these vulnerabilities by luring users to visit a specially crafted webpage. Once the webpage is loaded, it can trigger the security flaws, allowing the attacker to:

  • Execute malicious code remotely on the target system.

  • Corrupt memory, causing the browser to crash.

  • Steal sensitive data or compromise system functionality.

Given the widespread use of Google Chrome, it is critical to address these vulnerabilities immediately.

Solution: Update Google Chrome Immediately

Google has addressed these vulnerabilities by releasing updated versions of Chrome for Desktop on the Stable Channel. The updates are being rolled out gradually, and all users are advised to apply them as soon as possible.

Updated Versions

  • Windows and macOS: Version 131.0.6778.139/.140

  • Linux: Version 131.0.6778.139

To update Google Chrome:

  1. Open Google Chrome.

  2. Click on the three dots (Menu) in the top-right corner.

  3. Navigate to Help > About Google Chrome.

  4. Chrome will automatically check for updates and install the latest version.

  5. Restart the browser to apply the update.

Security Fixes and Acknowledgements

Google has credited several external security researchers for identifying and reporting these vulnerabilities:

  • CVE-2024-12381: Seunghyun Lee (@0x10n) – Awarded $55,000 for discovering the issue.

  • CVE-2024-12382: lime (@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group.

  • CVE-2024-12053: gal1ium and chluo – Awarded $8,000 for identifying the flaw.

In addition to contributions from external researchers, Google’s internal security teams continue to conduct audits, fuzzing, and other security initiatives to proactively identify and fix vulnerabilities.

Why Prompt Updates Are Crucial

  1. Rapid Threat Exploitation: Attackers often exploit known vulnerabilities within days of disclosure. Delaying updates leaves systems vulnerable.

  2. Prevention of Data Breaches: Remote code execution could allow attackers to access sensitive data, including saved passwords and browsing history.

  3. System Stability: Updating ensures that your browser runs smoothly without crashes caused by these vulnerabilities.

Best Practices for Safe Browsing

In addition to updating Google Chrome, here are some best practices to stay secure:

  1. Enable Automatic Updates: Keep your browser and software up-to-date.

  2. Use Security Extensions: Install reliable security extensions to block malicious content.

  3. Avoid Suspicious Links: Do not click on unknown or untrusted links in emails or messages.

  4. Enable Site Isolation: Chrome’s Site Isolation feature helps contain exploits.

  5. Regular Security Scans: Use antivirus software to detect and prevent malicious activity.

  6. Check Permissions: Regularly review website permissions (e.g., camera, microphone) to limit exposure.

Conclusion

The multiple vulnerabilities identified in Google Chrome highlight the importance of timely software updates to ensure system security and stability. The flaws—primarily Type Confusion in V8 and Use After Free in Translate—can be exploited by attackers to execute arbitrary code, cause system crashes, or steal sensitive data.

All users of Google Chrome for Desktop are urged to update their browsers to the latest stable version (131.0.6778.139/.140) without delay. By applying updates and following safe browsing practices, users can significantly reduce the risk of cyberattacks and ensure a secure online experience.

At Cyble, we remain committed to helping organizations stay ahead of evolving cyber threats through continuous threat monitoring and actionable intelligence. Stay informed, stay secure.

Schedule a demo today to see how Cyble can safeguard your systems against emerging vulnerabilities and cyber threats.

Source:

The post Multiple Vulnerabilities in Google Chrome for Desktop: Update to Stay Secure appeared first on Cyble.

Blog – Cyble – ​Read More

How to Set up a Windows 11 Malware Sandbox

/in

As Windows 10 approaches its end-of-life (October 2025), organizations are facing the need to adjust their security infrastructure to be better aligned with Windows 11. A malware sandbox, an isolated environment for analyzing malicious files and URLs, is a key tool for this transition.

Here are the benefits of deploying a Windows 11 sandbox and how you can do it.

What is a malware sandbox?

A malware sandbox is an isolated virtual environment designed to safely analyze cyber threats by detonating, observing, and interacting with them.

This controlled setting allows cybersecurity professionals to understand the behavior of malware post-infection, including file modifications, network calls, and registry changes.

A malware sandbox helps organizations and individual researchers to:

  • Safely explore malicious files and URLs to validate threat alerts or proactively identify cyber threats.
  • Observe detonation of malware and phishing attacks in real time to see how they are carried out in a live system.
  • Replicate specific network and system environments to assess the potential impact on the existing infrastructure.
  • Extract indicators of compromise from malware samples to enhance threat detection capabilities.
  • Intercept and analyze command and control communications to gather crucial IOCs.
  • Study malware behavior in depth to uncover tactics, techniques, and procedures (TTPs) to respond to security incidents or prepare for future attacks more effectively.

Analyze malware and phishing
in ANY.RUN’s Windows 11 sandbox 



Get a free trial


Which sandbox to choose? Built-in, on-premises, cloud-based

When it comes to choosing your sandbox, there are several options you can consider. Let’s focus on the three main ones.

Built-In Sandbox Feature Included with Windows 11

Windows 11 provides built-in sandbox functionality completely for free. This tool works well for quick checks, such as opening malicious links received via phishing emails or downloading and running suspicious files.

A limitation of this type of sandbox is its inability to provide verdicts on detonated malicious content or log system and network activities. This can make it difficult to accurately assess the threat level of evasive and complex malware. There are also no reports generated after the analysis.

These aspects make the built-in Windows sandbox an unsuitable option for professional use.

On-premises Windows 11 Sandbox

For more advanced analysis, organizations can opt for building their own sandbox environment, configured to their specific needs. Virtualization software like VirtualBox can be used here. Yet, this approach is generally recommended only if you need to reverse-engineer malware source code or analyze it with custom tools.

There are also a several things to take into consideration:

  • Complex Setup: Requires technical expertise to set up and configure.
  • Potential Risks: Misconfiguration can lead to malware escaping the sandbox and infecting the host system.
  • Resource-Intensive: Can be demanding on system resources.

Check out this guide on how to set up your own sandbox environment.

Cloud Malware Sandbox with Windows 11 Support

For professional malware analysis, a cloud sandbox is the best choice. These services offer all the benefits of virtualization software but with much less tinkering and setup, making it easier to gather deep insights. There’s also no chance to misconfigure something and let the malware escape the sandbox’s confines and infect the host.

The ANY.RUN sandbox is a tool that lets you configure and deploy a fully-interactive Windows 11 environment in seconds. It also provides you with the ability to engage with the system just like on a standard computer: launch programs, download attachments, browse web pages, and type.

Some malware families may rely on specific tools and mechanisms present in certain OS versions; running them on the wrong version may not trigger their malicious actions. That is why, apart from Windows 11, ANY.RUN provides other operating systems, including Windows 7, 10, and Ubuntu, letting you switch between them with ease.

Benefits of ANY.RUN’s Interactive Sandbox:

  • Quick and Easy Setup: Simply upload your file or link and start the analysis process in seconds.
  • Real-time Insights: Get an in-depth view of malicious activities, including network events, registry changes, dropped files, script execution, as they occur.
  • Interactivity: Perform user actions and see how threats respond in a live system.
  • Comprehensive Reporting: Collect detailed reports on analysis results, such as indicators of compromise (IOCs), malware families config info, and other actionable info.
  • VM Customization: Configure VM settings, enabling custom VPN, MITM Proxy, FakeNet, and other features for targeted investigations.
  • Privacy Control: Choose between public and private analysis based on data sensitivity.
  • Team Management: Invite, manage, and remove team members, with options for temporary access and productivity tracking.


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis


Read full guide


How to Set up a Windows 11 Sandbox

Let’s demonstrate how you can quickly get started with ANY.RUN’s Interactive Sandbox.

Step 1: Upload a Sample

ANY.RUN home screen lets you quickly upload your sample

First, create an account or log in and choose your upload option: a file or URL.

As an example, let’s upload a .bin file to the service.

Step 2: Configure the VM

ANY.RUN allows you configure your analysis system for each session

Once we submit the sample, we’ll be able to customize the analysis environment to fit our needs. Check out the ultimate guide to the ANY.RUN sandbox to learn more about the features available in the setup window.

For now, let’s select Windows 11 from the list of operating systems, set the privacy mode of the session, and run the analysis.

Step 3: Analyze the Threat

Analysis of a malicious file in the ANY.RUN sandbox

Once the session starts, the sandbox detonates the sample, allowing us to see how the system gets infected with the Amadey malware.

ANY.RUN identifies any malicious activities related to the spawned processes

Thanks to the Process Tree, we can discover that after the initial infection, Amadey continues to deploy additional malware, Lumma and Stealc.

Suricata IDS rule used for detecting C2 connections of the Lumma Stealer

Once these threats gain foothold on the system, they connect to their command and control (C2) servers, receive commands from threat actors, and begin to exfiltrate stolen data.

Conclusion

By providing a safe and isolated environment for analyzing malicious files and URLs, a malware sandbox helps enhance threat investigations and improve security. Organizations transitioning to Windows 11 need to utilize a reliable sandbox solution to effectively examine emerging malware and phishing attacks.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Get a 14-day free trial to test all features of ANY.RUN’s Interactive Sandbox →

The post How to Set up a Windows 11 Malware Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

CISA Reveals Draft Update to National Cyber Incident Response Plan for Public Feedback

/in

Cyble National Cyber Incident Response Plan

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has published the draft update to the National Cyber Incident Response Plan (NCIRP) for public comment on the Federal Register. Developed through collaboration with the Joint Cyber Defense Collaborative (JCDC) and in close coordination with the Office of the National Cyber Director (ONCD), this update addresses new changes in cybersecurity and incorporates significant changes in policy, law, and operational processes since the plan’s initial release in 2016.

The NCIRP serves as the strategic framework guiding the U.S. response to cyber incidents. It aligns efforts across government agencies, private sector entities, state and local governments, tribal and territorial authorities, and international partners. The plan outlines four critical lines of effort (LOEs) to ensure a cohesive and coordinated approach to incident response: Asset Response, Threat Response, Intelligence Support, and Affected Entity Response. These efforts aim to manage cyber incidents of varying severity and ensure timely actions during the response lifecycle.

The release of this draft update marks an important step in enhancing the nation’s ability to respond effectively to cyber threats‘ growing complexity and sophistication. CISA has worked closely with government and industry partners to create an agile, actionable framework that keeps pace with their rapid evolution.

Key Updates to the National Cyber Incident Response Plan

Several critical updates have been introduced in this draft version of the NCIRP, which are designed to improve coordination and responsiveness during cyber incidents. These changes include:

  1. Defined Path for Non-Federal Stakeholder Participation: This update clarifies the process by which non-federal stakeholders, including private sector entities, can participate in cyber incident response efforts. Given the growing role of the private sector in cybersecurity, this path ensures more comprehensive engagement in the event of a major cyber incident.

  2. Improved Usability: The plan has been streamlined to enhance its usability. The updated version aligns with the operational lifecycle of incident response, making it more straightforward for agencies and organizations to implement during real-world incidents.

  3. Incorporation of Legal and Policy Changes: The draft incorporates the latest legal and policy developments impacting the roles and responsibilities of agencies involved in cyber incident response. These updates ensure that the plan is in line with current regulatory frameworks and legal requirements.

  4. Predictable Update Cycle: The NCIRP will now undergo regular updates, ensuring that it remains relevant as the threat landscape evolves. The predictable cycle will allow for continual refinement based on feedback, emerging threats, and changing technological realities.

In her statement on the publication of the draft update, CISA Director Jen Easterly emphasized the necessity of a seamless, agile, and effective incident response framework. She noted that “Today’s increasingly complex threat environment demands that we have a seamless, agile, and effective incident response framework” and encouraged public comment to refine the document further.

Overview of the National Cyber Incident Response Plan

The NCIRP is an important guide for coordinating responses to cyber incidents that could affect national security, the economy, or public health. The plan was initially published in 2016 and is an essential component of the U.S. government’s broader cybersecurity strategy. The 2023 National Cybersecurity Strategy called for the update to reflect new cyber threats, organizational changes, and policy shifts.

The NCIRP is not a step-by-step guide but rather a flexible framework for coordinating efforts during a cyber incident. It defines the roles and responsibilities of various stakeholders, including federal agencies, state, local, tribal, and territorial (SLTT) governments, private sector entities, and civil society organizations. By laying out these roles and mechanisms, the NCIRP fosters coordinated action across sectors and jurisdictions, ensuring that resources are deployed effectively during a crisis.

Four Lines of Effort for Cyber Incident Response

The NCIRP outlines four primary lines of effort that guide the U.S. government’s response to cyber incidents. These are:

  • Asset Response: Led by CISA, this effort focuses on helping affected entities protect their assets and mitigate the impacts of a cyber incident. It includes providing technical assistance to organizations and supporting them in securing critical infrastructure.

  • Threat Response: The Department of Justice (DOJ), the FBI, and the National Cyber Investigative Joint Task Force (NCIJTF) are responsible for leading efforts to neutralize cyber threats and track down cybercriminals. The FBI, in particular, plays a central role in law enforcement response and investigations.

  • Intelligence Support: The Office of the Director of National Intelligence (ODNI), through the Cyber Threat Intelligence Integration Center (CTIIC), provides essential intelligence to guide response efforts. This line of effort helps ensure that the U.S. government has the latest information on adversary tactics, techniques, and procedures (TTPs).

  • Affected Entity Response: In cases where a federal agency or private sector organization is directly impacted, it is responsible for leading its own response, though it coordinates with CISA, the Department of Defense (DOD), or other federal partners as needed. This effort is vital for managing the operational continuity of affected entities.

These lines of effort are managed through structured coordination bodies such as the Cyber Unified Coordination Group (Cyber UCG), which brings together stakeholders from across the government and the private sector to ensure unified, cohesive action. The Cyber Response Group (CRG) focuses on broader policy and strategic coordination, ensuring alignment with national cybersecurity priorities.

The Detection and Response Phases

Cyber incident response is broken down into two main phases: Detection and Response.

  1. Detection: This phase involves continuous monitoring, analysis, and engagement with critical infrastructure owners to validate whether an incident is significant enough to require a full-scale response. Detection includes analyzing anomalies, working with the cybersecurity community, and validating the severity of the incident.

  2. Response: Once an incident has been confirmed as significant, the response phase begins. This phase focuses on containment, eradication, and recovery, as well as supporting law enforcement in their efforts to attribute and hold perpetrators accountable. The response efforts also include supporting affected entities as they recover and restore services.

In both phases, the roles of federal agencies, SLTT governments, and private sector entities are critical. The JCDC plays a central role in coordinating public-private collaboration, ensuring that both sectors are aligned in their efforts to defend against and recover from cyber incidents.

Conclusion

The updated National Cyber Incident Response Plan (NCIRP) emphasizes continuous improvement and collaboration. After an incident, the Cyber Response Group (CRG) reviews the response and prepares a report, which helps refine future efforts. The Cyber Safety Review Board also provides independent recommendations to strengthen cybersecurity.

CISA is committed to regularly updating the NCIRP, incorporating feedback from the public and private sectors, and adapting to new threats and technologies. The Joint Cyber Defense Collaborative (JCDC) plays a key role in ensuring coordinated efforts. The updated NCIRP aims to strengthen national preparedness and ensure effective response to future cyber incidents.

References

The post CISA Reveals Draft Update to National Cyber Incident Response Plan for Public Feedback appeared first on Cyble.

Blog – Cyble – ​Read More

Mamont banker under the guise of a tracking app | Kaspersky official blog

/in

We’ve discovered a new scheme of distribution of the Mamont (Russian for mammoth) Trojan banker. Scammers promise to deliver a certain product at wholesale prices that may be considered interesting to small businesses as well as private buyers, and offer to install an Android application to track the package. However, instead of a tracking utility, the victim installs a Trojan that can steal banking credentials, push notifications, and other financial information.

Scheme details

The attackers claim to sell various products at fairly attractive prices via number of websites. To make a purchase, the victim is asked to join a private Telegram messenger chat, where instructions for placing an order are posted. In essence, these instructions boil down to the fact that the victim needs to write a private message to the manager. The channel itself exists to make the scheme look more convincing: participants of this chat ask clarifying questions, receive answers, and comment on things. Probably, there are both other victims of the same scheme and bots that create the appearance of active trading in this chat.

The scheme is made more credible by the fact that the scammers don’t require any prepayment — the victim gets the impression that they’re not risking anything by placing an order. But some time after talking to the manager and placing an order, the victim receives a message that the order has been sent, and its delivery can be tracked using a special application. A link to the .apk file and the tracking number of the shipment are included. The message additionally emphasizes that to pay for the order after receiving it, you must enter a tracking number and wait while the order is loading (which can take more than 30 minutes).

The link leads to a malicious site that offers to download a tracker for the sent parcel. In fact, it’s not a tracker, but the Mamont banking malware for Android. When installed, the “tracker” requests permission to operate in the background, as well as work with push notifications, SMS and calls. The victim is required to enter a code, supposedly for tracking the parcel, and wait.

What is this malware and why is it dangerous?

In fact, after the victim enters the received “track code”, which is apparently used as the victim’s identifier, the Trojan begins to intercept all push notifications received by the device (for example, confirmation codes for banking transactions) and forward them to the attackers’ server. At the same time, Mamont establishes a connection with the attackers’ server and waits for additional commands. Upon command, it can:

  • change the application icon to a transparent one to hide it from the victim;
  • forward all incoming SMS messages of the last three days to the attackers;
  • open an interface for uploading a photo from the phone’s gallery to the attackers’ server;
  • send an SMS to an arbitrary number.

In addition, the attackers can show the victim arbitrary text with boxes for entering additional information — this way they can manipulate the victim to submit additional credentials, or simply collect more information for further attacks using social engineering (for example, for threatening letters from regulators or law enforcement agencies). They probably steal photos from the gallery for the same purpose. This is especially dangerous if the victim is a small business owner: they often use their phone camera to quickly take photos of business information.

Our security solutions detect the malware distributed during this attack as Trojan-Banker.AndroidOS.Mamont.*. A more detailed technical description of the malware, as well as indicators of compromise, can be found in the dedicated Securelist blog post.

Targets of this scheme

This campaign is aimed exclusively at Russia-based users of Android smartphones. The attackers emphasize this and refuse to “deliver goods” anywhere else. However, cybercriminals’ tools often become freely available on the darknet, so it’s impossible to guarantee that users from other countries are immune to this threat.

How to stay safe

We recommend following simple safety rules to avoid infecting your smartphone with this (or any other) malware. This is especially true if the phone is used not only for personal needs, but also for business. Here are these simple safety rules:

  • be skeptical of especially-favorable offers of goods and services on the internet (if the price is significantly lower than the usual market price it means the seller’s benefiting in some other way);
  • do not run .apk files obtained from unknown sources – they should be installed from official stores or from the official resource of a specific service;
  • use a reliable security solution, which will prevent malware from being installed on your device and block malicious links.

Kaspersky official blog – ​Read More

What’s Inside ANY.RUN’s Cyber Threat Intelligence Feeds?

/in

ANY.RUN’s Threat Intelligence (TI) feeds provide an invaluable solution for organizations seeking to detect and mitigate the latest malware and phishing campaigns, attacks, and cybercriminal tactics.

But what exactly is inside these feeds, and how can they help companies strengthen their cybersecurity?

Let’s dive into the details.

What Are ANY.RUN’s Threat Intelligence Feeds?

ANY.RUN’s Threat Intelligence (TI) feeds are a comprehensive collection of Indicators of Compromise (IOCs) that can expand security systems’ threat detection capabilities. These feeds don’t just give you the basics, they go deep, providing malicious IPs, URLs, domains, file hashes, and even links to actual analysis sessions, showing you how threats behave.

Where does this data come from? An international community of over 500,000 researchers and cybersecurity pros who upload and analyze real-world malware and phishing samples every day to ANY.RUN’s Public submissions repository.

With TI Feeds from ANY.RUN, organizations can:

  • Expand Threat Coverage: Extend your security systems’ ability to detect emerging malware and phishing attacks. 
  • Improve Incident Response: Enrich incident response processes with contextual data from the feeds, providing deeper insights into threats and their behaviors. 
  • Strengthen Security Posture: Ensure proactive defense against new and evolving threats. 
  • Optimize Threat Hunting: Streamline threat hunting activities, identifying and investigating potential threats more efficiently. 

Want to integrate CTI Feeds from ANY.RUN??
Reach out to us and we’ll help you set it up 



Contact us


Key Features of ANY.RUN’s CTI Feeds

Here’s what makes ANY.RUN’s CTI feeds valuable for cybersecurity teams:

  • Fresh Data: Contain data extracted from the latest public samples uploaded to our interactive sandbox by a global network of over 500,000 security professionals. 
  • Actionable Indicators: Supply indicators from decompressed traffic, memory dumps, and malware configurations along with those manually collected by our team of malware analysts, as well as data from partners and OSINT sources. 
  • Contextual Information: Offer more than just IOCs by providing direct links to full sandbox analysis sessions that include memory dumps, network traffic, and events. 
  • Rigorous Pre-Processing: Use advanced algorithms and proprietary technology for data filtering and validation. 
  • Continuous Updates: Updated every few hours, helping security teams stay ahead of emerging threats and respond quickly to new threats. 
  • STIX and MISP Formats: Deliver threat intelligence feeds in the STIX and MISP formats, making it easy for security teams to integrate our data into their existing infrastructure. 
  • API Support: Integrate into existing security systems via API for real-time threat updates and automated responses. 

What’s Inside ANY.RUN’s CTI Feeds?

The IOCs include information on malicious IP addresses, domain names, and URLs, enriched with contextual details such as related files and ports. Here’s a closer look at what’s inside:

IP addresses

IP addresses are important for detecting and preventing malicious network activity. They serve as digital markers of cybercriminal operations, often linked to Command-and-Control (C2) servers or phishing campaigns.

By analyzing IP addresses, cybersecurity teams can:

  • Identify malicious sources: Pinpoint harmful traffic and proactively block it.
  • Trace attack origins: Gain insights into the geolocation and tactics of attackers.
  • Monitor threat patterns: Detect repeated use of IPs across campaigns.
  • Enhance network security: Use IP-based firewalls and intrusion prevention systems (IPS) to block unwanted traffic.

Example:

type: ipv4-addr
      id: ipv4-addr--75725b48-17a3-575d-a5de-b5d9798bde8d
      value: 103.168.67.9
      created: '2024-06-13T06:26:00.704Z'
      modified: '2024-06-13T06:26:00.704Z'
      external_references:
        - source_name: ANY.RUN task 11ce507f-d535-4bf1-8973-989d7654017a
          url: https://app.any.run/tasks/11ce507f-d535-4bf1-8973-989d7654017a
      labels:
        - RedLine
      related_objects:
        - relationship_type: contains
          source_ref: ipv4-addr--75725b48-17a3-575d-a5de-b5d9798bde8d
          target_ref: file--49ef9153-94eb-5d05-bac2-19a54738afab
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 90
      revoked: false

ANY.RUN’s TI feeds don’t just list malicious IPs. They provide detailed context that turns raw data into actionable insights for cybersecurity teams. This enriched information helps assess the behavior and impact of each IP. Here’s what’s usually included:

  • External references: Links to relevant sandbox sessions.
  • Label: Name of the malware family or campaign.
  • Detection timestamps: “Created” and “Modified” dates provide a timeline to understand if a threat is ongoing or historical.
  • Related objects: IDs of files and network indicators related to the object in question.
  • Score: Value representing the severity level of the IOC.
  • Revoked: Field indicating whether the IOC has been invalidated.

Domains

Domains play a crucial role in hosting malicious content, phishing campaigns, and distributing malware. They are often used as staging points for cyberattacks, making them a key focus for threat detection and mitigation.

ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes.

Example:

type: domain-name
      id: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
      value: mail.sdil.ac.ir
      created: '2024-06-10T21:13:17.465Z'
      modified: '2024-06-17T13:37:53.620Z'
      external_references:
        - source_name: ANY.RUN task 64e1d470-dcd4-4d78-b1f0-aa4d9bd6f225
          url: https://app.any.run/tasks/64e1d470-dcd4-4d78-b1f0-aa4d9bd6f225
        - source_name: ANY.RUN task 090c21da-a050-4f88-bb09-1bae142df1cb
          url: https://app.any.run/tasks/090c21da-a050-4f88-bb09-1bae142df1cb
      labels:
        - AgentTesla
      related_objects:
        - relationship_type: contains
          source_ref: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
          target_ref: file--dbee2af2-3be4-5e2a-9bf3-94e3fe8637b3
        - relationship_type: contains
          source_ref: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
          target_ref: file--9794dd40-085a-5c84-8d95-70cbd8efcf1d
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
      revoked: false

Keep in mind that domains provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign.

Give CTI Feeds from ANY.RUN a try
Start with a free demo sample in STIX or MISP 



Contact us


URLs

URLs play a significant role in cybercriminal operations, often serving as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content. Their flexibility and ease of use make them a preferred tool for attackers.

How URLs are used:

  • Malware delivery: Embedded in emails or websites, URLs download malware or redirect to exploit kits.
  • Phishing campaigns: Lead users to fake websites designed to steal sensitive information.
  • Command-and-Control (C2): Facilitate communication between malware and attackers for issuing commands or data exfiltration.
  • Exploitation and redirection: Redirect victims to malicious sites hosting drive-by downloads or exploits.

By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data.

Example:

type: url
      id: url--001c0f70-93f8-583d-96ce-7c260da3a193
      value: http://www.goog1evip15.com/dogw/
      created: '2024-06-11T21:35:59.640Z'
      modified: '2024-06-11T21:35:59.640Z'
      external_references:
        - source_name: ANY.RUN task 55051854-38c4-4d03-a70a-6dd2ce3d89ca
          url: https://app.any.run/tasks/55051854-38c4-4d03-a70a-6dd2ce3d89ca
      labels:
        - Formbook
      related_objects: []
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
      revoked: false

Note that URLs often serve as entry points for malicious activity, acting as gateways for malware delivery, phishing attacks, or redirection to exploit kits, making them critical for identifying and mitigating cyber threats.

Additional Indicators in ANY.RUN’s TI Feeds

In addition to the core Indicators of Compromise (IOCs) such as URLs, domains, and IPs, ANY.RUN’s CTI feeds include a wealth of contextual information.

This additional data enriches the IOCs, offering deeper insights into the nature and behavior of each indicator.

Files

For file indicators, ANY.RUN’s CTI feeds provide detailed information to help identify and assess malicious files. Here are the key data fields included:

Example:

type: file
      id: file--249382b0-209d-5904-b725-b47663c6c412
      hashes:
        SHA-256: d564eb94afb174fe3b854de086eda2a4e015d778a9aea9806e79f82044eac74e
        SHA-1: 14b96459dff641245aea6dacd34512830d945ee2
        MD5: 5edee175c5003771dea841893ea46602
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
      file_name: d564eb94afb174fe3b854de086eda2a4e015d778a9aea9806e79f82044eac74e.exe
    - type: url
      id: url--d65b67ec-39f2-5309-8cc9-56e016b6a48f
      value: http://109.248.151.196/rvBZyVEAb230.bin
      created: '2024-06-11T18:44:15.898Z'
      modified: '2024-06-11T18:44:15.898Z'
      external_references:
        - source_name: ANY.RUN task 35d75e14-c1a2-418c-b98f-f7d58cca93cb
          url: https://app.any.run/tasks/35d75e14-c1a2-418c-b98f-f7d58cca93cb
      labels:
        - guloader
      related_objects:
        - relationship_type: contains
          source_ref: url--d65b67ec-39f2-5309-8cc9-56e016b6a48f
          target_ref: file--249382b0-209d-5904-b725-b47663c6c412
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
      revoked: false

Ports

Port indicators describe network activities related to specific port usage, offering insights into malicious connections.

Example:

type: port
      id: port--60027215-4cf1-5773-bef7-62051468dbd3
      port_value: 5555
      created: '2024-06-16T02:32:35.010Z'
      modified: '2024-06-16T02:32:35.010Z'
      labels:
        - NjRat
      related_objects:
        - relationship_type: services
          source_ref: domain-name--8ee2a029-d3e7-53f1-84fb-bee3008c0060
          target_ref: port--60027215-4cf1-5773-bef7-62051468dbd3
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100

Integrate ANY.RUN’s TI Feeds 

ANY.RUN offers demo feeds samples in STIX and MISP formats 

You can test ANY.RUN’s Threat Intelligence Feeds in STIX and MISP formats completely for free by getting a free demo sample here

ANY.RUN also runs a dedicated MISP instance that you can syncronize your server with or connect to your security solutions. To get started, contact our team via this page

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

The post What’s Inside ANY.RUN’s Cyber Threat Intelligence Feeds? appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Singapore Warns Against Crypto Scams: Best Practices to Safeguard Digital Wealth

/in

Singapore Cyble

New Guidelines Aim to Strengthen Security Against Scams, Phishing, and Smart Contract Exploits.

Overview

The rapid adoption of cryptocurrency has opened new doors for financial innovation and investment, but it has also made this digital asset an increasingly attractive target for cybercriminals. Recognizing the growing risks in this space, the Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have issued a joint advisory to help the public protect their cryptocurrency holdings. The advisory outlines the tactics employed by threat actors and provides best practices for safeguarding digital assets. This blog takes a closer look at the advisory, analyzes the evolving threats, and recommends preventive measures to ensure a safer cryptocurrency ecosystem in Singapore.

Threat Actors Target Cryptocurrency: Tactics to Watch Out For

As cryptocurrencies gain popularity, cybercriminals have refined their methods to exploit unsuspecting victims. SPF and CSA have highlighted several tactics used by threat actors:

  1. Imposter Profiles
    • Cybercriminals impersonate legitimate blockchain entities on social media platforms, offering fake giveaways or promotions. Victims are tricked into verifying their wallets by sharing sensitive information such as login credentials.

    • In some cases, attackers pose as employers in cryptocurrency companies, asking victims to demonstrate their blockchain skills by executing malicious scripts, leading to unauthorized wallet transactions.

  2. Phishing Websites
    • Fraudulent websites are created to mimic legitimate cryptocurrency wallets, exchanges, or platforms. These sites lure victims by promising lucrative investment opportunities or exclusive tokens with high returns.

    • Social media advertisements amplify the reach of these phishing schemes, making them more accessible to potential victims.

  3. Exploiting Software Vulnerabilities
    • Threat actors actively identify and exploit software flaws in smart contracts, especially those involving multi-threading or recursion. One such example is the Re-entrancy Attack, where attackers interrupt ongoing smart contract transactions to execute unintended behaviors or repeat transactions.

  4. Manipulating Automated Smart Contracts
    • Smart contracts designed for automated trading can be exploited. Cybercriminals deceive these contracts by creating liquidity pools that appear valuable, causing cryptocurrencies to flow into the attackers’ pools automatically.

Best Practices for Cryptocurrency Users

To counter these threats, SPF and CSA have outlined several precautionary measures:

  1. Use Secure Wallets
    • Store cryptocurrencies in hardware wallets to keep them offline and shield them from online attacks.

    • If frequent transactions are necessary, use reputable software wallets and ensure they are updated with the latest security patches.

  2. Set Strong Passwords and Enable Two-Factor Authentication (2FA)
    • Always use strong, unique passwords for wallets and online accounts.

    • Never share private keys, recovery phrases, or seed phrases. Keep them stored securely in physical form.

    • Enable 2FA for all accounts related to cryptocurrency to add an extra layer of protection.

  3. Regularly Monitor Accounts
    • Frequently review wallet transactions to spot unauthorized activities.

    • Use tools like blockchain explorers to manage and revoke excessive token allowances.

  4. Exercise Caution with Smart Contracts
    • Verify the legitimacy of smart contracts before interacting with them.

    • Avoid approving or signing transactions without fully understanding their implications.

  5. Beware of Phishing Attempts
    • Avoid clicking on unsolicited links or downloading attachments from unknown sources.

    • Cross-check links and verify their authenticity through official channels.

  6. Stay Informed
    • Keep up-to-date with emerging cryptocurrency threats and best practices by following trusted sources and industry updates.

Responding to Cryptocurrency Crimes

Despite precautions, falling victim to cryptocurrency crimes is still a possibility. SPF and CSA recommend the following steps if you suspect or confirm an incident:

  1. Immediate Actions
    • Contact your cryptocurrency exchange to halt transactions or freeze your account.

    • Revoke any suspicious token approvals using wallet interfaces.

    • Transfer remaining assets from compromised wallets to secure ones immediately if a seed phrase is compromised.

  2. Report the Incident
    • File a report with the Police and CSA’s SingCERT by emailing singcert@csa.gov.sg or using the reporting form on the CSA website.

    • For urgent assistance, call the Police Hotline at 1800-255-0000 or dial 999 for emergencies.

    • Use the ScamShield app or helpline (1799) to check, deter, and block scams.

Analyzing the Threat Landscape

The tactics outlined by SPF and CSA illustrate the deception of modern cybercriminals targeting cryptocurrency users. These methods leverage both technical exploits and psychological manipulation to deceive victims. For example:

  • Social Engineering: Imposter profiles and phishing schemes prey on human trust and curiosity. The promise of high returns or exclusive opportunities can cloud judgment, leading victims to unknowingly divulge critical information.

  • Technical Exploits: Attacks on software vulnerabilities highlight the need for rigorous testing of smart contracts and associated applications. Developers must adopt robust security practices to minimize risks.

  • Automation Exploitation: Automated trading mechanisms, while convenient, require enhanced safeguards to prevent exploitation by malicious actors.

Fostering a Secure Cryptocurrency Ecosystem

Cryptocurrency security is a shared responsibility among users, developers, and regulatory bodies. Here are some actionable recommendations:

  1. User Awareness
    • Public education campaigns should emphasize the importance of cybersecurity hygiene and vigilance in cryptocurrency transactions.

    • Sharing real-life case studies of cryptocurrency scams can help users recognize red flags.

  2. Developer Best Practices
    • Developers must prioritize security when designing and deploying smart contracts. Comprehensive testing and vulnerability assessments are crucial.

    • Implementing monitoring mechanisms can help identify suspicious activities in real-time.

  3. Regulatory Collaboration
    • Regulatory bodies and law enforcement agencies should collaborate to track and disrupt cryptocurrency-related criminal networks.

    • Encouraging the adoption of global security standards can strengthen the resilience of cryptocurrency platforms.

A Call to Action

As threats in the cryptocurrency space continue to evolve, staying one step ahead of cybercriminals is critical. The joint advisory from SPF and CSA underscores the importance of proactive measures to protect digital assets. By adopting best practices, users can significantly reduce their risk of falling victim to scams and attacks.

It’s equally important to foster a culture of shared responsibility and collaboration. Whether you’re a cryptocurrency user, developer, or policymaker, your role is integral to creating a safer cryptocurrency ecosystem.

Source: https://www.csa.gov.sg/docs/default-source/publications/singcert/2024/joint-advisory-on-the-safeguarding-of-cryptocurrency-assets-against-threat-actors.pdf?sfvrsn=79585f8_1

The post Singapore Warns Against Crypto Scams: Best Practices to Safeguard Digital Wealth appeared first on Cyble.

Blog – Cyble – ​Read More

IT Vulnerability Report: Cleo, Windows Flaws Under Attack

/in

Cyble IT Vulnerability

Cyble Research and Intelligence Labs (CRIL) researchers investigated 16 IT vulnerabilities and 11 dark web exploits in the week ended Dec. 10, including actively exploited vulnerabilities in Cleo managed file transfer (MFT) software and Microsoft Windows.

Other vulnerabilities analyzed by Cyble affect WordPress and Ivanti Cloud Services Appliances (CSA), while dark web exploits include claims of an exploitable zero-day vulnerability in Palo Alto Networks devices.

Here are the vulnerabilities highlighted by Cyble’s vulnerability intelligence unit as meriting high-priority attention by security teams.

The Top IT Vulnerabilities

CVE-2024-50623 hasn’t been rated by NVD yet, but researchers have discovered that this high-severity vulnerability in Cleo managed file transfer (MFT) software solutions is being actively exploited in remote code execution (RCE) data theft and corporate network attacks, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on Dec. 13. The vulnerability affects Cleo Harmony, Cleo VLTrader, and Cleo LexiCom MFT products used for secure and efficient data exchange between organizations. The flaw leads to unrestricted file upload and download, which could lead to RCE attacks.

CVE-2024-49138 is another high-severity vulnerability awaiting NVD analysis, but this one was added to CISA’s KEV Catalog as soon as Microsoft released a patch for it in its December 2024 Patch Tuesday updates. The flaw in the Windows Common Log File System (CLFS) Driver has been exploited in the wild and can enable attackers to gain SYSTEM privileges.

CVE-2024-38193 is a high-severity elevation of privilege vulnerability affecting Windows Ancillary Function Driver for WinSock, commonly referred to as afd.sys. The critical system driver in the Windows operating system plays a vital role in managing network communications and handles the Winsock API, which is essential for TCP/IP networking. The vulnerability was observed to be actively exploited by North Korean hackers to install a rootkit on targets in August 2024. With a recently released public proof of-concept (PoC) code available, there could be a new wave of exploitation attempts.

CVE-2024-49041 is a medium-severity spoofing vulnerability identified in Microsoft Edge (Chromium-based). The vulnerability arises from the user interface performing incorrect actions in response to user requests, which can lead to spoofing attacks. This means that an attacker could potentially manipulate the UI to mislead users into taking actions that they did not intend.

CVE-2024-11205 is an 8.5-severity vulnerability affecting WPForms, a widely used WordPress plugin designed for creating various types of online forms quickly and easily. The flaw can lead to unauthorized data modification due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to and including 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.

CVE-2024-11639 is a 10.0-severity critical authentication bypass vulnerability in Ivanti Cloud Services Appliance (CSA), an internet appliance that serves as a secure gateway for enterprise users to access internal network resources. The flaw lies in the admin web console of Ivanti CSA before 5.0.3, allowing a remote, unauthenticated attacker to gain administrative access.

CVE-2024-11680 is a 9.8-severity improper authentication vulnerability affecting ProjectSend, an open-source file-sharing application designed for secure and private file management, particularly aimed at facilitating interactions between businesses and their clients. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application’s configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. Threat Actors were observed discussing exploits of the vulnerability on the dark web (see next section).

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels and cybercrime forums where threat actors (TAs) shared or discussed exploits weaponizing vulnerabilities. Cyble also observed a TA offering an exploit chain for an undisclosed vulnerability present in Palo Alto Networks devices. The TA quoted a price of USD $5K for the exploit. The other vulnerabilities discussed by TAs include:

CVE-2024-51378: A critical security vulnerability in CyberPanel versions prior to 1c0c6cb that allows remote attackers to bypass authentication, enabling them to execute arbitrary commands on the server.

CVE-2024-11680: A critical authentication vulnerability affecting ProjectSend versions prior to r1720. Remote, unauthenticated attackers can exploit the flaw by sending crafted HTTP requests to the options.php endpoint.

CVE-2024-38144: A critical security vulnerability in Microsoft Windows, specifically related to the Kernel Streaming WOW Thunk Service Driver, that allows for Elevation of Privilege attacks.

CVE-2024-10914: A critical command injection vulnerability in legacy D-Link NAS devices that allows unauthenticated attackers to inject arbitrary OS commands via HTTP GET requests, exploiting the cgi_user_add function in the account_mgr.cgi script.

CVE-2024-50483: A critical vulnerability affecting the Meetup plugin for WordPress versions up to and including 0.1 that is characterized as Authorization Bypass Through User-Controlled Key, which allows unauthenticated attackers to gain access to user accounts by exploiting improper verification processes during authentication.

CVE-2024-42327: A critical SQL injection vulnerability affecting Zabbix server versions 6.0.0 to 6.0.31, 6.4.0 to 6.4.16, and 7.0.

CVE-2023-6553: A TA shared a list of about 100,000 websites vulnerable to this critical Remote Code Execution vulnerability identified in the Backup Migration plugin for WordPress. The vulnerability affects all versions up to 1.3.7.

CVE-2024-35286, an SQL injection vulnerability, and CVE-2024-41713, a path traversal vulnerability, impact the NuPoint Unified Messaging (NPM) component and are critical vulnerabilities that could be exploited in sequence.

CVE 2024-11477: A critical vulnerability affecting versions of 7-Zip prior to 24.07 that allows for remote code execution due to an integer underflow in its Zstandard decompression feature. A TA quoted a price of USD $8K for the exploit.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching exploitable vulnerabilities in important products, as well as vulnerabilities that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.

Implementing strong security practices is essential to protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.

The post IT Vulnerability Report: Cleo, Windows Flaws Under Attack appeared first on Cyble.

Blog – Cyble – ​Read More

Telegram account hacked: what to do? | Kaspersky official blog

/in

Account hijacking in Telegram has become a serious criminal business in today’s world. Scammers employ sophisticated methods to steal access to accounts, and then use them to attack other users through deepfakes, social engineering, and other techniques. Here’s how it typically works: having stolen an account, scammers send phishing messages to all its contacts — such as “Hi, I urgently need money. Can you help me?”, Please vote for me if you have a moment or You’ve received a gift – a one-year subscription to Telegram Premium — to hijack even more accounts.

These messages often have phishing links at the other end, which look legitimate — for example, https://t.me/premium — but actually redirect users to fraudulent websites. If you click the link and follow the scammer’s instructions, you’ll likely lose access to your Telegram account (especially if you haven’t set up two-step verification in Telegram). Your contacts may then receive similar phishing messages from your account.

Stolen or fake accounts can also be used for complex targeted attacks — sometimes employing deepfakes to deceive employees of organizations. You might encounter messages allegedly from company management that include personal details like your full name, mentioning some kind of inspection by government authorities, and demanding confidential information or financial assistance in an air of complete secrecy. These are always fake.

Meanwhile, the original Telegram account owner might not even realize at first that their account has been compromised. They continue chatting with friends, reading their favorite channels, and assuming they’re safe from scammers. How is this possible? This happens because Telegram allows multiple sessions to the same account from different devices. Having gained access to your account, scammers open a session on their device without closing your active sessions. Then they send messages, and immediately delete them on the sender’s side only. In this way, recipients see the messages, but the victim doesn’t.

As we are seeing, scammers are interested in everyone — even the most ordinary of Telegram users. In this article, we address two key questions: how to know if your Telegram account has been hacked, and if it has, what should you do?

How to know if your Telegram account has been hacked

The following are possible signs that your account has been hacked: your username or profile picture has changed; you’ve been entered into some suspicious competitions; you see a message sent from your account that’s then immediately deleted; your friends tell you they’ve received strange messages from you that you can’t see. Let’s go through these one by one…

Changes to your username or profile picture. Scammers might alter your username to include a phishing link or put the link in your bio. They might also modify your profile picture to their advantage. For example, adding a note to your photo asking for help: “I’m in trouble, please help me however you can”. Any change of information without your knowledge indicates a compromise. In short, if something has changed “by itself”, then most likely attackers are responsible: you’ve been hacked.

Participation in suspicious activities. Scammers might send you a link to activate a Telegram Premium gift subscription, and if you “activate” it, your account will be stolen. This is a fairly popular account hijacking scam, which we’ve covered in detail on the Kaspersky Daily blog. Popular, yes — but far from the only one. Here’s another one: asking for help to win a vote.

Friends report receiving strange messages from you, which you don’t see. Scammers work hard to conceal the fact that your account has been hacked. They delete all messages sent from your account on the sender’s side. The recipient gets the message (and can even reply), but you won’t know about it unless your friends inform you.

You receive a login code for a new device. However, you definitely didn’t attempt to log in, and all your known devices are already connected to your account. Scammers usually delete such messages immediately, but if you spot a request for such a code, your account is under attack right there and then.

If you notice any of these signs, act quickly — you’ve only 24 hours to save your account. Why 24 hours? Telegram has built-in protection against account theft — preventing new devices from terminating active sessions on other devices within the first 24 hours. After 24 hours, the scammers will end all other sessions on your account, and you’ll lose all access.

What to do if your Telegram account has been hacked

Here are some basic countermeasures to take if you detect signs of a Telegram account hack.

Terminate all unknown sessions

To do this, go to Settings → Devices → Terminate all other sessions (in desktop clients, this section might be called Active sessions). This will log out all sessions except the current one, cutting off the scammers’ access to your account.

How to terminate sessions in Telegram

How to terminate sessions in Telegram

Alternatively, you can choose specific sessions to terminate by selecting them and clicking Terminate Session, or by clicking Edit in the top right corner of the screen.

Contact technical support

To do this, navigate to Settings → Ask a question to reach Telegram support. While this might seem a safe option, the 24-hour timeline could play into the scammers’ hands here: Telegram support is handled by volunteers, so a response may take time in coming. So first of all, you should terminate all unknown sessions (see above), and enable two-factor authentication (see below).

If you proceed with contacting support, you’ll enter a chat with the Volunteer Support bot. Note that this bot can only be initiated through Settings → Ask a question — remember this to avoid falling victim to scams. The bot will provide instant FAQ answers, but there’s no option for “Account hacked” in its standard menu. To get help from a human, either select Skip and process to volunteers, or type your request in the chat, and press Yes, redirect me. Telegram will inform you that most volunteers communicate in Russian or English.

How to contact Telegram support and speak to a person instead of a bot

How to contact Telegram support and speak to a person instead of a bot

If you’ve already lost access to your Telegram account, there’s another way to contact Telegram support: fill out a form on the official website specifying the issue, your phone number, and your email.

Recover access to your Telegram account via SMS code

If more than 24 hours have passed and you no longer have access to your account on any device (because the hackers ended all your sessions), try recovering it with your phone number:

  1. Open the Telegram app
  2. Enter your phone number and confirm it
  3. Select Tap to get a code via SMS
  4. Enter the received code
  5. Enter your two-step verification password, if set
  6. End all other sessions

Bear in mind that you need to act quickly here: once you enter your phone number, all devices with an active session linked to this number will receive a notification in Telegram. This means the hackers will know you’re attempting to regain access.

Create a new Telegram account with the same number

If you can’t recover your account, the only way to continue using Telegram with the same phone number is to delete the old account and create a new one. However, in this case, you’ll permanently lose your chat history and administrator rights in your channels.

You can only delete your Telegram account if you have access to it, or if you’ve set up two-step verification. If you’ve at least one open session, go to Settings → Privacy and Security → Automatically delete my account if away for… → Delete Account Now.

If you don’t have access to your account but have two-step verification set up, you can delete the account as follows:

  1. Open the Telegram app
  2. Enter your phone number
  3. Select Forgot password?
  4. Select Unable to access <your email address>
  5. Select Reset account

If you don’t have access to your account on any device, and two-step verification is disabled, you can’t delete the account. Warn your friends and family about the loss of access so they don’t fall for scams sent from your account.

How to protect your Telegram account from being hacked

The best thing you can do right now to protect your account is to set up two-step verification. This means a password will be required in addition to a code when logging in from a new device. This additional security factor will make hacking more difficult, give you more time to react, and allow you to delete the account in case you lose access.

Go to Settings → Privacy and Security → Two-Step Verification. Next, create a password, enter a recovery email, and confirm it by entering the code you receive.

The password should be strong and unique to make it difficult for scammers to guess. To create and store secure passwords, we recommend using Kaspersky Password Manager.

Be sure to share this guide with friends and family — especially those new to Telegram, to help them stay safe in the digital space.

Kaspersky official blog – ​Read More

How infostealers are used in targeted cyberattacks

/in

Although malicious programs that hunt for passwords, financial, and other sensitive data have been around for over 20 years, the word “infostealer” was coined only in the early 2010s. Recently, however, this relatively simple type of malware has been popping up in unexpected role — deployed as a springboard for major targeted hacks and cyberattacks. For example, the theft of the data of 500 million Ticketmaster customers and a ransomware attack on the Brazilian Ministry of Health were both traced to infostealers. The main challenge posed by infostealers is that they can’t be defeated solely at the infrastructure level and within a company’s perimeter. The non-work activities and personal devices of employees also need to be considered.

Modern infostealers

Infostealers are programs indiscriminately installed on any accessible devices by threat actors looking to steal sensitive information of any kind. Their primary target is account passwords, crypto wallet credentials, credit card details, and browser cookies. The latter can be used to hijack a user session in an online service. In other words, if the victim is logged in to a work account in the browser, by copying cookies to another computer an attacker in some cases can gain access to it without even knowing the victim’s credentials.

Infostealers can also:

  • Intercept email and chat messages
  • Pilfer documents
  • Steal images
  • Take screenshots of the screen or windows of specific applications

And there are exotic specimens that apply optical character recognition to read text in JPG image files (pictures of passwords and financial data, for example). The infostealer sends all collected data to the C2 server, where it’s stored pending resale on the dark web.

Among recent years’ technical developments in the field of infostealers are: new methods of stealing data from protected browser storage, modular architecture for harvesting new types of data from already infected computers, and migration to a service model for distribution of this malware.

The cybercriminal market demands versatile infostealers, capable of data theft from dozens of browsers, crypto wallets, and popular applications, such as Steam and Telegram. The stealers must also be resistant to detection by security software, requiring developers to make frequent modifications to the malware, repackage it, equip it with anti-analysis and anti-debugging tools, and beef up its stealth. The “vendors” also often need to re-upload packaged malware to different hosting sites. This is necessary because old sources of malware are quickly blocked by infosec companies in cooperation with search engines and hosting providers.

Infostealers are mainly made for Windows and macOS systems — with the latter case being far from exotic but an up-and-coming segment in the cybercriminal market. There are stealers for Android, too.

Some common delivery channels for infostealers are spam and phishing, malicious advertising, and SEO poisoning. Besides campaigns involving infostealers kitted out with hacked software or game cheats, such malware may also be installed under the guise of a browser or antivirus update, as well as video conferencing applications. But in general, attackers monitor the zeitgeist and clothe their malware accordingly: this year, fake AI image generators were popular, and during the global CrowdStrike outage, there even appeared an infostealer masquerading as device recovery instructions.

Infostealer ecosystem

A clear division of labor has taken root in the world of cybercrime. Some threat actors develop their own infostealers — plus the tools to manage them. Others get these programs onto victims’ devices using phishing and other techniques. Still others utilize stolen data. These three categories of criminals usually operate independently — not as one group, but they do have commercial relations with each other. The first of them increasingly offers infostealers under the malware-as-a-service (MaaS) model, often packaged with a handy cloud-based dashboard for customization.

The operators of actual attacks spread the malware but don’t use the stolen data themselves — instead putting large databases of harvested information up for sale on underground forums where other cybercriminals buy them and search for specific data they want using special tools. The same database can be purchased and repackaged many times: some buyers will extract gaming accounts, others look for bank card details or accounts in corporate systems. This latter type of data in particular has been gaining popularity since 2020 as threat actors have come to realize it provides a stealthy and effective way to penetrate an organization. Stolen accounts allow them to log in to a corporate system as a real user without exploiting any vulnerabilities or malware — thus arousing no suspicion.

The COVID-19 pandemic forced companies to make greater use of cloud services and allow remote access to their systems, causing the number of potentially vulnerable businesses to skyrocket. And more company employees are now using remote access from personal computers, where information security policies are less well-enforced (if at all). Thus, a home computer infected with an infostealer can ultimately lead to unwelcome guests in the corporate network.

Attackers who have obtained corporate credentials verify their validity and pass this filtered data to the operators of targeted cyberattacks.

How to guard against infostealers

Securing every corporate computer and smartphone (EDR/EMM) is only the start. You need to also protect all employees’ personal devices against infostealers, and, in case of infection, mitigate the consequences. There are several ways to address this issue — some of which complement each other:

  • Deny access to corporate systems from personal devices. The most drastic, inconvenient, and not-always-feasible solution. In any case, it doesn’t fix the problem entirely: for example, if your company uses public cloud services (email, file storage, CRM) for work tasks, a blanket ban will be impossible.
  • Use group policies to disable browser synchronization on corporate computers so that passwords don’t end up on personal devices.
  • Implement phishing-proof two-factor authentication at the corporate perimeter, in all important internal and public services.
  • Make mandatory the installation of an Enterprise Mobility Management (EMM) solution on personal laptops and smartphones in order to monitor their security (check for up-to-date security solution databases, whether the solution is disabled, and whether the devices are password- and encryption-protected). A properly configured EMM system maintains strict separation of work and personal data on the employee’s device and doesn’t affect personal files and applications.
  • Deploy an advanced identity management system (for the accounts of employees, devices, and software services) across your organization to help quickly locate and block accounts showing abnormal behavior; this will prevent, for example, employees from logging in to systems not needed for work or from suspicious locations.
  • Get the latest dark-web threat intelligence with live reports on fresh leaks of your corporate data (including stolen accounts).

Kaspersky official blog – ​Read More