The adventures of an extroverted cyber nerd and the people Talos helps to fight the good fight

The adventures of an extroverted cyber nerd and the people Talos helps to fight the good fight

Welcome to this week’s edition of the Threat Source newsletter. 

I am unbelievably lucky to do the work that I do. My title is technically ‘Senior Security Strategist’. It’s a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talos. I also get to travel and talk to our customers and communities about that work and how we fight that good fight. This has taken me to some interesting places – from Ukraine to California and lots of places in between. Not bad for a guy from a small town in Alabama.  

This gig isn’t for everyone. You must have some extroverted tendencies, and as the youth would say, some ‘rizz’. It’s not enough to talk about something like, say, ransomware. You need to be able to explain it in high technical detail if needed and then explain it to a board of C-levels and speak the language of business they understand. And you need to do it in an engaging way to keep your audiences bought in. It’s a unique blend of security practitioner expertise and the ability to communicate that to audiences, some technical, some not.  

If you’re thinking this also requires some kind of social media influencer level of Hemsworth caliber good looks and hyper charisma, have no fear. I’m about as much a security influencer as Chris Farley was a Beverly Hills ninja. I am just a security nerd who likes to talk. Like I said – I’m very lucky.  

Sometimes this gig takes you to very unexpected places. A couple of weeks ago I found myself at the Ford Foundation Center for Social Justice. I was there to attend and support the NGO-ISAC annual summit. The NGO-ISAC ‘is a non-profit organization improving the cybersecurity of US-based nonprofits.’ They do amazing work supporting cyber security for non-governmental organizations that help protect and promote civil society. We’re also fortunate at Talos to be a partner with them and donate time and resources to support their mission of helping the helpers.  

We are proud to be partners and volunteer our time with NGO-ISAC and it’s members. If you ever want to be truly humbled, spend time with an NGO and learn about what they do. The energy and heart those people have is incredible and will inspire you. They help feed the hungry, cloth the homeless, protect refugees, promote democracies, and generally help take care of some of the most vulnerable people and institutions our society relies upon. They also traditionally struggle with cybersecurity – security investments and practitioner expertise can be difficult to obtain when your budgets are built upon donations to support your mission. They are the embodiment of fighting the good fight, and we at Talos will always have the time to help them help others.  

While I was there, we debuted a custom NGO version of Backdoors & Breaches I helped co-develop with the NGO-ISAC. It was a real hit, and we ran demo games that resonated very well with the audiences. Helping teach cybersecurity to NGOs is fantastic. If we can help them stay secure, there’s so many others who will be helped by it. Also, keep your eyes peeled for a blog post in January about how we designed and created a custom expansion for Backdoors & Breaches.  

Also, the Ford Foundation? Amazing building. It’s in the heart of NYC and is an island of pure serenity. They have an indoor atrium/park that is next level. They pipe in some absolute jazz bangers throughout the entire building that, mixed with the decor, exudes a class I’ve rarely encountered in my travels. If I could make a blanket out of that entire vibe and wrap myself up in it, I’d do it.  

The one big thing 

QR Codes, am I right? Sometimes you can scan one with your phone and maybe win a free cheeseburger, sometimes it can take you to a fake O365 phishing site. The tricky bit with QR codes in e-mails is how easily they can avoid spam filters. My man Jaeson Schultz did some great research on attacks, prevalence, and detection of QR codes in e-mail messages. The parts on AI-generated QR imagery are fantastic – be careful what you scan! 

Why do I care? 

E-mail phishing and evading defenses are a tried and tested tactic with attackers. QR codes are another method of attack, and because they can be difficult to defang/detect, defenders have to work extra hard to understand those threats and stop them.  

So now what? 

Exercise serious caution when scanning a QR code. If possible, detonate those suspicious QR code e-mails in a sandbox, like Threat Grid

Top security headlines of the week 

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens. (Dark Reading

The NSA updated its mobile devices security best practices report. Reboot those phones at least once a week friends.  (ZDNet

The United States and other Western nations released guidance Tuesday designed to evict the China-linked group in the wake of the high-profile hack. (CyberScoop

Can’t get enough Talos? 

Upcoming events where you can find Talos 

AVAR (Dec. 4-6)   

Chennai, India  

Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.   

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 

MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 

VirusTotal: https://www.virustotal.com/gui/file/0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647/details 

Typical Filename: cwjhtmbwgyomzrhbo.exe 

Claimed Product: n/a 

Detection Name: Win.Dropper.Scar::1201  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/detection 

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 200206279107f4a2bb1832e3fcd7d64c  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details%C2%A0 

Typical Filename: lsgkozfm.bat  

Claimed Product: N/A  

Detection Name: Win.Dropper.Scar::tpd    

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 71fea034b422e4a17ebb06022532fdde   

VirusTotal: https://www.virustotal.com/gui/file/bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a/details 

Typical Filename: VID001.exe   

Claimed Product: N/A   

Detection Name: RF.Talos.80   

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/details%C2%A0 

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG   

Cisco Talos Blog – ​Read More

Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot

Manufacturing, Cyberattack, Malware

Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign targeting the manufacturing industry, leveraging a deceptive LNK file disguised as a PDF file.
  • This campaign leverages multiple Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and mshta.exe, to bypass traditional security mechanisms and remotely execute the next-stage payload.
  • The Threat Actor (TA) used Google Accelerated Mobile Pages (AMP) URL along with a shortened URL to evade detection by traditional URL scanners.
  • The attack heavily relies on file injection techniques, where the TAs execute malicious payloads directly in memory to bypass conventional security mechanisms.
  • The attack chain leverages DLL sideloading and IDATLoader to deploy the Lumma stealer and Amadey bot, enabling the attacker to gain control and exfiltrate sensitive information from the victim’s machine.

Overview

CRIL recently identified a multi-stage cyberattack campaign originating from an LNK file. The initial infection vector remains unknown; however, the attack likely begins with a spear-phishing email, prompting the recipient to click on a link that leads to an LNK shortcut file disguised as a PDF document. The file is hosted on a remote WebDAV share at

hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/Instruction_695-18121-002_Rev.PDF.lnk“.

Upon searching for the file name “695-18121-002_Rev” on Google, we discovered a technical engineering drawing for a component. Additionally, we observed similar samples using the name “Instruction_18112,” which led us to another technical document detailing the installation of a chair. The malicious LNK file hosted on the URL impersonates LogicalDOC, a cloud-based document management system commonly used in Manufacturing and Engineering firms. Based on the targeting and nature of these attacks, we suspect that the campaign is likely targeting the manufacturing industry.

Once executed, the LNK file triggers a command to launch ssh.exe, which subsequently runs a PowerShell command. This PowerShell command fetches and executes an additional malicious payload from a remote server using mshta.exe.

The remote server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL that redirects to a location hosting malicious PowerShell code.

The PowerShell code then triggers another malicious script hosted on Pastebin, controlled by the TA. This script contains an encoded PowerShell command that downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable. The executable, in turn, sideloads a malicious DLL file.

In this sophisticated campaign, the TA uses multiple stages of code injection to deploy the Lumma stealer, which then downloads the Amadey Bot onto the victim’s system. The figure below shows the infection chain.

Infection Chain
Figure 1 – Infection chain

Technical Analysis

Threat Actors are increasingly exploiting LNK files as their initial vector for malware distribution due to their flexibility in executing various commands. In this campaign, they specifically leveraged the Windows SSH client (C:WindowsSystem32OpenSSHssh.exe) as an alternative target in the LNK file’s “Target” field. This approach reduces the likelihood of detection compared to using cmd.exe or powershell.exe as the target. The image below shows the LNK command.

SSH, Link
Figure 2 – LNK using SSH as a target

When a user opens the disguised LNK file, it triggers “ssh.exe” to run a PowerShell command through the ProxyCommand option in ssh.exe. The embedded PowerShell command contains obfuscated content, as shown in the image above. The de-obfuscated code attempts to execute PowerShell content hosted at the AMP URL “hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP” using mshta.exe. In this case, the hosted content contains AES-encrypted data, as shown in the image below.

Encryption
Figure 3 – AES-encrypted content hosted in AMP URL

Upon decryption, the data reveals Base64-encoded content, which is displayed in the image below.

Base64
Figure 4 – Base64-encoded content

The decoded Base64 content reveals an obfuscated PowerShell command, as shown in the image below.

PowerShell
Figure 5 – Obfuscated PowerShell command

This PowerShell command manipulates security protocols and performs the following actions:

  • First, it configures various security protocols, including TLS 1.0, TLS 1.1, TLS 1.2, and SSL 3.0, using the .NET ServicePointManager class.
  • Then, it initiates a web request using Invoke-WebRequest (iwr) to fetch a payload from the URL hxxps://Pastebin[.]com/raw/0v6Vhvpb, which is then immediately executed using Invoke-Expression (iex).

The image below shows the retrieved payload from the Pastebin URL.

Pastebin URL
Figure 6 – Partial PowerShell script fetched from the Pastebin URL

The retrieved content from the Pastebin link consists of a PowerShell script that performs several actions:

  1. The script begins by sanitizing the content fetched from Pastebin, removing newline characters (“n”) and commas (,).
  2. The cleaned string is then decoded from Base64 into binary data.
  3. Using a hardcoded decryption key, the script decrypts the binary data.
  4. Once decrypted, the script extracts a portion of the data starting from the 64th byte to the end, which is the actual code to execute. This code is then converted into a readable PowerShell command using UTF-8 encoding.
  5. Before executing the decoded command, a 2-second delay is introduced with Start-Sleep. Finally, the decoded PowerShell command is executed in memory using Invoke-Expression.

The image below shows the decrypted PowerShell code extracted using the above steps.

PowerShell
Figure 7 – Decrypted PowerShell code

The newly introduced script represents the final stage in delivering malicious files to the system. The script operates as follows:

  1. The script first verifies the system’s internet connectivity by sending HTTP requests to two distinct domains: 360.net and baidu.com. These requests ensure the system is online before proceeding with further actions.
  2. Once the victim’s system is connected to the internet, the script downloads a malicious CPL file named naailq0.cpl from the remote URL hxxps://berb.fitnessclub-filmfanatics.com/naailq0.cpl.
  3. The downloaded CPL file is saved as a ZIP file within the Temp directory. This ZIP file is then copied to a newly created folder under the LocalAppData folder. The folder name is dynamically generated using a GUID (Globally Unique Identifier).
  4. After extraction, the script scans the folder for any executable files (EXEs). Any EXE files found within the extracted contents are then executed.
  5. The script includes a commented-out line that, if activated, would delete the extracted files and folder after execution, potentially covering its tracks.

The image below shows the contents of the downloaded ZIP file. The ZIP file also contains encrypted files, which will be decrypted and loaded in the subsequent stages of infection.

Archive
Figure 8 – Extracted files in the archive

In this case, the script executes “syncagentsrv.exe”, which performs DLL sideloading by loading the malicious “Qt5Network.dll” upon execution. The malicious DLL then reads an encrypted file named “shp” from the same directory, decrypts its contents, and reveals strings such as LoadLibraryA, VirtualProtect, and dbghelp.dll, as shown in the figure below.

Decryption
Figure 9 – Decrypted content

After decryption, the malicious DLL extracts the string “dbghelp.dll” from the decrypted content and utilizes it to load the DLL via the LoadLibraryA API. The “dbghelp.dll” is a Microsoft Windows library designed for debugging and managing symbol information. After loading the DLL, the malicious code employs the VirtualProtect API to modify the memory region permissions of “dbghelp.dll” to PAGE_EXECUTE_READWRITE, as illustrated below.

Permissions
Figure 10 – Modifying permission of dbghelp.dll

It then overwrites the contents of “dbghelp.dll” with the decrypted data and subsequently modifies the memory protection of the overwritten region to PAGE_EXECUTE_READ, as depicted below.

Figure 11 – Modifying the permissions of dbghelp.dll

After modifying the memory protection, the malicious code begins executing the injected content within “dbghelp.dll“. The injected code then proceeds to read another file named “bwvrwtn“, located in the same directory. The file “bwvrwtn” is an encrypted IDAT file containing multiple encrypted chunks, each prefixed with the string “IDAT,” as illustrated below.

IDAT
Figure 12 – IDAT marker

The DLL now searches the strings IDAT, takes four bytes following IDAT, and performs a comparison with C6 A5 79 EA. If the comparison is successful, the DLL proceeds to copy all the data following IDAT into memory, decrypts it using the XOR key, and then decompresses the decrypted content using the RTLDecompressBuffer API, as shown below.

Decompressed Data
Figure 13 – Decompressed data

It then loads a legitimate “pla.dll” from the %syswow64% directory using the LoadLibraryW API. After loading, it changes the memory permissions of “pla.dll” to PAGE_EXECUTE_READWRITE, copies the decrypted content into its memory, changes the permissions to PAGE_EXECUTE_READ, and finally executes the injected code in the “pla.dll” as shown below.

Code Injection
Figure 14 – Executing the injected code

The code within “pla.dll” proceeds to inject malicious code into “more.com” and then executes it. The malicious code in “more.com” is responsible for deploying the final payload by injecting it into a newly created process, “msiexec.exe.” The injected payload is Lumma Stealer – which is capable of stealing sensitive information from the victim’s machine. The figure below shows the memory string of “msiexec.exe” containing Lumma Stealer’s C2 details.

Memory Strings
Figure 15 – Msiexec Process memory strings

Amadey Bot

The TA behind this campaign also deploys the Amadey bot in the “%temp%” directory, employing the same technique of injecting code into “more.com.” This injected code further injects the final Amadey bot payload into “explorer.exe“. To achieve persistence, the malware creates a Task Scheduler entry named “NodeJS Web Framework.” This task is configured to execute a copy of the Amadey bot stored in the %Appdata% directory, as illustrated below.

Persistence
Figure 16 – Task Scheduler for Persistence

The figure below shows the execution flow of Lumma Stealer and Amadey bot.

Execution Flow
Figure 17 – Execution Flow

Conclusion

This multi-stage cyberattack campaign demonstrates the increasing sophistication and adaptability of threat actors. By leveraging various evasion techniques such as URL shortening and AMP URLs, the attackers successfully bypass traditional security mechanisms.

The use of legitimate system tools like ssh.exe and mshta.exe to execute malicious PowerShell commands further illustrates the complexity of the attack. The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems.

Yara and Sigma rule to detect this campaign, available for download from the Github repository.      

Recommendations

  • The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
  • Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.
  •  Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
  • Consider disabling the execution of shortcut files (.lnk) originating from remote locations, such as WebDAV links, or implementing policies that require explicit user consent before executing such files.
  • The campaign abused the legitimate ssh utility; hence, it is advised to monitor the activities conducted by the ssh utility and restrict access to limited users.
  • Consider limiting the execution of scripting languages, such as PowerShell and mshta.exe, on user workstations and servers if they are not essential.
  • Implement application whitelisting to ensure only approved and trusted applications and DLLs can be executed on the systems.
  • Monitor AMP links using advanced URL filtering and threat intelligence feeds to detect suspicious activity.
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Tactic Technique Procedure
Initial Access (TA0001) Phishing (T1566) The LNK file may be delivered through phishing or spam emails
Execution (TA0002) User Execution:  Malicious Link (T1204.001)    Command and Scripting Interpreter: PowerShell (T1059.001) Execution begins when a user executes the LNK file.
The LNK file executes PowerShell commands.
Defence Evasion (TA0005) Masquerading: Masquerade File Type (T1036.008) Uses LNK files with altered icons to disguise as legitimate
Defense Evasion (TA0005) System Binary Proxy Execution: Mshta (T1218.005) Abuse mshta.exe to proxy execution of malicious files.
Defense Evasion (TA0005)  Obfuscated Files or  
Information (T1027)  
Scripts include packed or encrypted data.
Defense Evasion (TA0005)  System Binary Proxy Execution: Msiexec (T1218.007) msiexec.exe used for proxy execution of malicious payloads
Privilege  
Escalation 
(TA0004) 
DLL Side-Loading (T1574.002 Malicious DLL Side loaded. 
Privilege  
Escalation 
(TA0004) 
Process Injection (T1055 Injects malicious content into explorer.exe and other process.
Persistence (TA0002) Scheduled Task/Job (T1053.005) Adds task schedular entry for persistence.
C&C 
(TA0011) 
Application Layer Protocol 
(T1071
Malware communicates to the C&C server. 
Exfiltration (TA0010) Automated Exfiltration (T1020 Data is exfiltrated after collection 

Indicators Of Compromise

Indicators Indicator Type Description
5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36 SHA-256 Instruction_695-18121-002_Rev.PDF.lnk
8ed1af83cf70b363658165a339f45ae22d92c51841b06c568049d3636a04a2a8 SHA-256 Malicious PowerShell Script downloaded from Pastebin(0v6Vhvpb)
7b8958ed2fc491b8e43ffb239cdd757ec3d0db038a6d6291c0fd6eb2d977adc4 SHA-256 Zip file disguised as .cpl
dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250 SHA-256 Malicious DLL (Sideloaded)
hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP   hxxps://pastebin[.]com/raw/0v6Vhvpb   hxxps://berb.fitnessclub-filmfanatics[.]com/naailq0.cpl URL remote servers
hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/ URL WebDAV server link hosting malicious LNK file

References

https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-Lumma-infostealers

https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel

The post Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot appeared first on Cyble.

Blog – Cyble – ​Read More

Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis

Recently, our analyst team shared their research into a zero-day attack involving the use of corrupted malicious files to bypass static detection systems. Now, we present a technical analysis of this method and its mechanics. 

In this article, we will:  

  • Demonstrate how attackers corrupt archives, office documents, and other files 
  • Explain how this method successfully evades detection by security systems 
  • Show how corrupted files get recovered by their native applications 

Let’s get started. 

Sandbox Analysis of a Corrupted File Attack

To first see how such attacks unfold, we can upload one of the corrupted filles used by attackers to ANY.RUN’s sandbox.  

View analysis session

Analysis of a corrupted docx file in the ANY.RUN sandbox

Thanks to its interactivity, the sandbox lets us simulate a real scenario of user opening the broken malicious file inside the file’s corresponding application

Word asking to restore a corrupted file

In our case, it’s a docx file. When we open it with Word, the program immediately offers us the option to recover the content of the file and successfully does it. 

ANY.RUN allows you to manually open a broken file with Word

Inside, we find a QR code with a phishing link. The sandbox also automatically detects malicious activity and notifies us about this. 

Black Friday 2024: Get up to 3 sandbox licenses for free 



See details


How Corrupted Files Bypass Antivirus Software and Other Automated Solutions

Analysis inside the ANY.RUN sandbox showed how a corrupted file gets restored thanks to Word’s built-in recovery mechanisms, which allows us to identify its malicious nature. 

VirusTotal shows no detections for such corrupted files

Yet, if we submit the same corrupted file to VirusTotal, which provides verdicts from numerous security solutions, we will see zero threat detections. The question is why? 

The answer is simple: most antivirus software and automated tools are not equipped with the recovery functionality that is found in applications, such as Word. This prevents them from accurately identifying the type of the corrupted file, resulting in a failure to detect and mitigate the threat

Docx is not the only file format used by attackers. There are also corrupted archives with malicious files inside, which easily bypass spam filters because security systems cannot view their contents due to corruption.  

Once downloaded onto a system, tools like WinRAR easily restore the damaged archive, making its contents available to the victim. 

Now, let’s see how exactly it works on a technical level. 

Technical Analysis of a Corrupted Word Document 

The Structure of a Word Document 

Since the mid-2000s, office documents (OpenOffice.org 2.0 — released in 2005) have been structured as archives containing the document’s content. 

In the image below, you can see the structure of a Word document. 

Word document structure (Figure 1)

As we can see, all structures within this archive are interconnected, and this relationship begins from the end

At the end of the archive, there is a structure called the End of Central Directory Record (EOCD). This structure contains information about the size of the Central Directory File Header (CDFH), its offset, and the total number of entries in the archive. This structure helps locate the CDFH.  

The CDFH duplicates the data stored in the Local File Header (LFH) and the offsets to it. Yet, this structure does not contain the compressed data itself but rather represents a hierarchy of files within the archive. This part of the structure allows you to find the LFH of each file in the archive.  

The LFH is considered the header for each file in the archive. It contains important data such as the file name, compressed and uncompressed sizes, CRC32 checksum, and other parameters.  

The compressed data is located after the header. 

How the File Structure Can Be Manipulated by Attackers 

As shown in the image above (Figure 1), the archive is structured backward, starting with the end, while all parts are linked together.  

This has led us to test three different hypotheses (Figure 2): 

Three hypotheses we tested (Figure 2)

1. Can Word or an archiving program recover and successfully open a file if additional data is added to the beginning of the archive? 

2. Can Word or an archiving program recover and successfully open a file if we corrupt the linking between the parts and delete the CDFH, which does not contain the file data itself?  

3. Can Word or an archiving program recover and successfully open a file if we corrupt the linking between the parts and erase the EOCD, which is a crucial part of the recovery process? 

You can see the results of our hypothesis testing in the table below.

   Word   ZIP  
Hypothesis 1   Success  Fail (the file is no longer an archive)  
Hypothesis 2  Success  Success 
Hypothesis 3  Success (thanks to undamaged Local File Headers)    Success (thanks to undamaged Local File Headers)   

During our hypothesis testing, we’ve made several noteworthy observations: 

1. For minimal recovery of a Word document, the following files are essential: 

[Content_Types].xml,   

Word/document.xml,   

word/_rels/document.xml.rels,   

_rels/.rels;   

These contain crucial information regarding the relationships between elements and form the standard file hierarchy required for Word to interpret the document. 

2. A ZIP archive with corrupted Local File Headers will only show the file structure. The actual file content will be empty. 

3. If the end part of the ZIP file is damaged, the archiving software and Word will attempt to use an alternative recovery method: by leveraging intact Local File Headers

Our findings demonstrate that Word is more resilient to file corruption than ZIP. While Word successfully recovered files with corrupted CDFH, EOCD, and even when random bytes were added to create a non-existent LFH structure, ZIP failed in the first hypothesis, where random bytes were added to the beginning of the file. 

Why Security Systems Fail to Read Corrupted Files 

Security systems attempt to identify file types, including by using Magic Bytes in File Headers. In the case of office documents and ZIP archives, because the file effectively starts from the end, we can corrupt the archive structure and magic bytes, making it difficult for detection systems to identify the file type.  

This leads to the inability to unpack and inspect the contents. 

Consider this email with a corrupted Word document

ANY.RUN’s Sandbox identifies malicious activity of the corrupted file

The sandbox once again has no problem detecting the threat, returning a “malicious activity” verdict.

Only one detection in VirusTotal

But, when run in VirusTotal, almost zero threat detections come back for this file. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



Conclusion

Our study revealed a vulnerability in document and archive structures. By manipulating specific components like the CDFH and EOCD, attackers can create corrupted files that are successfully repaired by applications but remain undetected by security software. As a result, we face a situation when security systems have not yet developed a clear logic for detecting such attacks, exposing the security of their users.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Explore all Black Friday 2024 offers →

The post Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

How to guard against webcam and microphone tracking | Kaspersky official blog

Just a decade ago, people who taped over their webcam were seen as a little eccentric, shall we say. Fast forward to today, and many laptop models feature a built-in privacy shutter that lets you cover the webcam with a single swipe. Useful, yes – but if the mic is still on, the overall benefit is less clear. Is it still worth covering your webcam in 2024, or is such practice a relic of the past?

Spies in the woodwork

Ever heard of spyware? That’s what we call Trojans designed for spying and stalking. And just like they did ten years ago, many members of this family are still spying on victims through their webcam and mic. Back then, however, malware was limited mostly to taking webcam screenshots, while today, besides this, it can steal passwords from the clipboard, intercept keystrokes, remotely control your device, and play cat-and-mouse with security solutions (but not with ours). One example is the SambaSpy Trojan, which was recently discovered by our experts.

As for peeping, attackers’ motives can vary: some are just voyeurs; others might organize commercial surveillance against a CEO; still others might add such functionality to their malware on the off-chance that something interesting crops up.

Tracking can take many forms, and we’ve covered them all many times. But how to defend yourself? There are many protection methods, but they can all be divided into two groups: physical and software. Meanwhile, for those without reliable protection, covering the webcam, turning off the mic, and checking the permissions granted to newly installed programs is a no-brainer.

How to physically guard against webcam and mic surveillance

Physical protection methods are both useful and inconvenient at the same time, and compromises have to be made to ensure your privacy. What to do?…

Buy a device without a webcam or mic

Just think: intruders won’t be able to spy and eavesdrop even if they somehow get malware onto your device. But it’s hard to find such devices these days, and in most cases they’ll be either outdated or very low-performance. That said, some companies are modifying smartphones on the market by removing cameras: how do you like, for example, the non-camera iPhone? Such devices are in high demand at government and military agencies and restricted-access facilities, and even by highly religious people.

Disable the webcam and mic

Owners of desktop computers, nettops, or the above-mentioned laptop models without built-in webcam and mic can use external wired accessories. The most reliable option would be to disconnect them with a physical switch or pull them out of the socket when not in use. But there’s a danger of laziness creeping in: some users won’t bother doing it more than a couple of times, which is when RATs and nasties can appear.

In addition, there are tons of online guides on how to physically disable the laptop webcam or mic yourself. But not all devices make the procedure painless: for example, modern MacBooks use the camera as a sensor, and go into Safe Mode if it’s disabled. And once it is disabled – there’s no way back.

Opt for a “super-private” device

Some companies – such as Purism – make laptops with hardware switches that let you physically turn off the camera, microphone, Wi-Fi, or Bluetooth. However, they’re expensive, and demanding users are often left dissatisfied with the features available.

Cover the webcam

A good and common option – but not foolproof. Sure, it will thwart video surveillance, but the sound from the mic can still be potentially eavesdropped and used against you. Cover the microphone too? Modern laptops often have several mics to enhance sound quality, and taping over them all will be difficult. In some models, however, built-in microphones are disabled when you connect an external one. A life hack for them is to plug a dummy into the microphone jack (or the universal jack for mics and headphones). Your laptop will think that an external mic is connected and turn off all its built-in ones.

Software protection against tracking

In most cases, software protection is more convenient than physical – but not always as reliable.

Disable the built-in webcam and mic in the BIOS/UEFI

On many PC-compatible laptops – especially business models – you can go into the BIOS/UEFI settings at startup (if this sounds Greek to you, just scroll to the next method), find there the lines Integrated camera, Camera, Webcam, CMOS camera, Microphone or similar, and select Disabled mode. This is a good way to restrict laptop-based spying, but there’s a catch: you’ll have to reboot and undo everything should you ever need to video-call someone.

Disable devices in the OS settings

On a Windows PC, you need to do this in Device Manager. In the Start menu, go to Device Manager, find there Cameras or Audio inputs and outputs, right-click the device you need and select Disable device. You can just as easily turn it back on later, if necessary. This is much faster than rebooting the computer every time and poking around in the BIOS – but where’s the guarantee that a Trojan can’t do the same thing and turn the camera back on?

Disabling a built-in webcam and microphone in Windows Device Manager

Disabling a built-in webcam and microphone in Windows Device Manager

Control permissions

Android device owners can view information about dangerous and special permissions in the Permissions section in Kaspersky for Android: All functionsMy apps → Permissions. This way, only apps authorized by you will have access to the camera and microphone.

Viewing permissions in Kaspersky for Android

Viewing permissions in Kaspersky for Android

iOS devices offer similar functionality. To check permissions, open the Settings and go to Privacy & Security. In the menu that opens, like in Android, you can view app permissions.

Viewing permissions on iPhones

Viewing permissions on iPhones

Users of the Windows versions of our Kaspersky Standard, Kaspersky Plus and Kaspersky Premium can protect their devices against webcam and microphone tracking with Webcam and Mic Control, which lets you configure your own access settings: Gear icon at the bottom of the Home windowPrivacy SettingsWebcam and Mic Control Settings. There you can ask Kaspersky to:

  • Notify you when an app uses the camera or microphone.
  • Deny access for all apps without exception.
  • Allow only trusted apps to connect to the webcam and microphone.
Webcam and Mic Control Settings on a Windows device

Webcam and Mic Control Settings on a Windows device

Mac owners too have the option to completely block the webcam with Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium: Home → Block Webcam. Our application completely blocks access to system libraries used by the webcam, so no programs can access it.

Block Webcam on a Mac device

Block Webcam on a Mac device

Protect yourself

Physical or software protection — the choice is yours, but we recommend a combination of the two. For example, buy a webcam shutter and configure Kaspersky to disable the mic. The main thing is that your device – whether a smartphone, laptop or desktop – must be properly protected.

Kaspersky official blog – ​Read More

Australia’s ACSC and ASD Team Up with CISA, NSA, FBI, and International Allies to Protect Communications Infrastructure

CISA

Overview 

A coalition of cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Australian Signals Directorate (ASD), the Australian Cyber Security Centre (ACSC), as well as counterparts from Canada and New Zealand, has issued a hardening guidance to strengthen communications infrastructure against cyber espionage and other malicious cyber activities.   

This hardening guidance focuses on visibility enhancements and hardening practices for network devices. It aims to help engineers and defenders safeguard their systems from the growing threats posed by China-affiliated threat actors. The latest intelligence reports reveal that Chinese hackers have compromised networks of major telecommunications providers globally, conducting extensive cyber espionage campaigns.  

These groups have been targeting vulnerabilities in telecommunications networks, gaining unauthorized access to sensitive data. This activity aligns with known weaknesses in existing network infrastructure and highlights the urgent need for organizations to address security gaps.  

The agencies involved in this effort, including the ASD and the ACSC, emphasize that while the tactics used by these threat actors are not novel, their success stems from exploiting well-established vulnerabilities in communications infrastructure. The newly issued hardening guidance, therefore, provides actionable steps for network engineers and defenders to strengthen visibility, detect malicious activities, and harden systems against future exploitation.  

Hardening Guidance: Enhancing Visibility in Communications Networks  

One key strategy in this guidance is to improve visibility across communication networks. For organizations to effectively monitor, detect, and respond to cyber threats, they must have thorough insight into network traffic, user behavior, and overall data flow. High visibility enables swift identification of anomalies that may indicate a cyber intrusion, allowing defenders to take immediate action.  

Monitoring Network Configurations and Changes  

Network engineers are advised to closely monitor configuration changes in critical network devices, such as routers, switches, and firewalls. Any alterations outside the formal change management process should raise red flags. Additionally, regular audits and monitoring for unusual activities, such as unauthorized changes to routes or protocols, can help detect malicious intrusions early.  

Centralized Configuration Management  

The guidance recommends centralizing configurations and storing them in a secure, centralized location. This prevents devices from becoming the sole source of truth for their own configurations, which could be manipulated in the event of a breach. Network engineers should also implement strong network flow monitoring solutions to gain insights into the ingress and egress points of data across the network.  

Monitoring Accounts and Logging  

A proactive approach to monitoring user accounts and logins is also essential for mitigating threats. Monitoring anomalies in user and service account activity—such as abnormal login times, failed login attempts, or logins from unexpected locations—can help identify malicious actors who have gained unauthorized access to the network.  

Organizations should also ensure that logging mechanisms are vigorous, secure, and centralized. Logs should be encrypted in transit and stored off-site to prevent tampering. Using Security Information and Event Management (SIEM) systems is encouraged to help analyze logs and correlate data from various devices for rapid incident detection.  

Hardening Network Systems  

Beyond improving visibility, securing the underlying network systems through hardening is a critical defense strategy. Hardening aims to reduce vulnerabilities by ensuring that network devices and protocols are securely configured to minimize the attack surface. The collaboration between CISA, ACSC, and other agencies has provided valuable hardening guidance that organizations can apply to their communications infrastructure.  

Isolated Management Networks  

One of the most critical recommendations in the guide is the use of out-of-band management networks. By ensuring that network infrastructure devices can only be managed from physically separate, trusted networks, organizations can prevent the lateral movement of hackers within their systems. This isolation limits the potential impact of a breach, as attackers cannot easily move between devices on the network once one device has been compromised.  

Segmentation and Access Control  

Segmentation of networks into isolated zones, such as using Virtual Local Area Networks (VLANs) and private VLANs (PVLANs), helps protect critical systems and restricts access to sensitive data. Access Control Lists (ACLs) should be configured with a default-deny policy to control both inbound and outbound traffic, ensuring that only authorized connections are allowed.  

Securing Virtual Private Networks (VPNs)  

The guidance stresses the importance of securing VPN gateways by limiting their exposure to the internet and enforcing strong cryptographic protocols for key exchange and data encryption. VPNs should be configured to only allow strong authentication methods, and unused cryptographic algorithms should be disabled to reduce the risk of exploitation.  

Proactive Authentication and Account Management  

In addition to securing network devices, organizations should focus on improving authentication methods to ensure that only authorized users can access their networks. Implementing phishing-resistant multi-factor authentication (MFA) for all users, especially those with administrative privileges, is one of the primary strategies to prevent unauthorized access.  

The guidance also emphasizes the importance of strong password policies, including the use of secure hashing algorithms and the requirement to change default passwords immediately upon deployment. Additionally, organizations should regularly review user accounts to ensure that inactive or unnecessary accounts are removed, and all accounts are assigned the minimum necessary permissions.  

Conclusion   

Adopting a “secure by design” approach is crucial for software manufacturers to enhance the security of their products and reduce the need for customers to manually implement hardening measures.   

As cyber threats, especially Chinese threat actors, continue to target global organizations, collaboration between international agencies like CISA, ACSC, and other stakeholders is important to protect global communications infrastructure. Australia’s leadership, through agencies such as the ASD and ACSC, plays an important role in fighting cybercrime.  

By focusing on hardening guidance, improving visibility, and working together internationally, organizations can strengthen their security posture, mitigate vulnerabilities, and contribute to the collective global effort to protect digital life. 

The post Australia’s ACSC and ASD Team Up with CISA, NSA, FBI, and International Allies to Protect Communications Infrastructure appeared first on Cyble.

Blog – Cyble – ​Read More

Vulnerabilities in ICS: A Detailed Analysis of Recent Security Advisories and Threats 

Vulnerabilities

Overview 

The recent Weekly Industrial Control System Vulnerability Intelligence Report from Cyble Research & Intelligence Labs (CRIL) covers the vulnerabilities disclosed by the Cybersecurity and Infrastructure Security Agency (CISA) from November 26, 2024, to December 02, 2024.  

The report sheds light on online threats, especially vulnerabilities affecting critical systems such as those from Schneider Electric and Hitachi Energy, two of the most prominent vendors in the ICS sector. During the report’s timeframe, CISA issued five major security advisories, focusing on 12 vulnerabilities that impact a wide range of ICS products.  

These vulnerabilities have been identified in devices and systems from key vendors, including Schneider Electric and Hitachi Energy. The vulnerabilities identified in these systems are critical to address due to their potential to expose vital infrastructures to cyberattacks.  

Schneider Electric: A Major Focus for ICS Vulnerabilities  

Schneider Electric, a leading vendor of control systems, was prominently featured in the advisories due to the numerous vulnerabilities impacting their devices. These vulnerabilities range from issues with weak password recovery mechanisms to the use of hard-coded credentials, both of which pose a risk to the integrity of ICS devices.  

Among the affected products is the PM5560 series, which includes multiple versions susceptible to vulnerabilities like weak password recovery mechanisms for forgotten passwords (CVE-2021-22763). This flaw, coupled with improper authentication (CVE-2021-22764), increases the potential for unauthorized access. Such vulnerabilities undermine the effectiveness of ICS security, allowing attackers to potentially take control over critical systems like actuators, sensors, and power supplies.  

One particularly concerning vulnerability (CVE-2023-6408) affects the Modicon M340 CPU and other related Schneider Electric products. This vulnerability arises from improper message integrity enforcement during transmission across communication channels, which could allow attackers to manipulate the integrity of communications between devices, creating openings for man-in-the-middle attacks. The high-severity nature of this vulnerability highlights the ongoing need for organizations to implement stronger security practices, including effective patch management and encryption protocols.  

Additionally, Schneider Electric’s use of hard-coded credentials (CVE-2023-6409) in its devices presents a high-risk issue, making it easier for attackers to gain access to systems. This particular vulnerability is found in several product lines, including the Modicon M580 and Modicon M340 CPUs, which are integral to many ICS operations. These devices are widely used in critical sectors such as energy and manufacturing. 

Hitachi Energy: Security Flaws in SCADA and Control Systems  

Another major player in the ICS sector, Hitachi Energy, also faced critical security challenges during the same reporting period. The vulnerabilities affecting Hitachi’s MicroSCADA Pro/X SYS600 system are especially concerning because they affect key operational components within control systems and supervisory control and data acquisition (SCADA) environments.   

These vulnerabilities could allow attackers to bypass authentication (CVE-2024-3982), potentially gaining unauthorized access to control systems that are vital for managing electricity grids and other industrial processes. Additionally, path traversal vulnerabilities (CVE-2024-3980) were identified, which could allow an attacker to manipulate file paths within the system, gaining unauthorized access to sensitive files.  

These vulnerabilities are classified as high and critical risks, as they could be exploited by attackers to infiltrate ICS systems, causing online disruption to operations. A notable vulnerability in Hitachi Energy’s systems is the authentication bypass by the capture-replay flaw (CVE-2024-3982), which allows attackers to bypass authentication mechanisms by replaying captured credentials.  

Given the high-security requirements of control systems like SCADA, the existence of this vulnerability calls for immediate attention from organizations to ensure these critical systems remain secure. The MicroSCADA Pro/X SYS600 system is also affected by a missing authentication for critical functions (CVE-2024-7940) vulnerability. This flaw could enable attackers to exploit critical functions within the system without proper authentication, allowing them to manipulate system settings or gain unauthorized access to sensitive data.  

The Severity of ICS Vulnerabilities  

The vulnerabilities analyzed in the CRIL report show that the majority of the vulnerabilities in ICS systems fall under high severity. This highlights the critical need for organizations operating ICS devices to adopt proactive cybersecurity measures. Weak passwords, improper authentication, and hard-coded credentials are among the most common issues found across various ICS products. Addressing these vulnerabilities requires rigorous patch management practices, including regular updates and configuration checks.  

The vulnerabilities disclosed by CISA and highlighted in the report are particularly important as they impact critical infrastructure sectors such as energy, critical manufacturing, and communications. Schneider Electric and Hitachi Energy alone account for a notable portion of the vulnerabilities in the ICS space, underlining the need for greater focus on security within the industrial sector.  

Impact on Critical Infrastructure Sectors  

A sector-wise analysis of the vulnerabilities reveals that Critical Manufacturing accounts for the largest portion of vulnerabilities, with an overwhelming 83.3% of the cases. This is due to the expansive operations and critical nature of manufacturing processes that rely heavily on ICS.  

In contrast, the Energy sector, which includes power grids and electrical infrastructure, accounts for 8.3% of the reported vulnerabilities, while the Wastewater Systems sector is also impacted with a similar share. The Commercial Facilities sector reports the smallest share, with only 0.8% of the vulnerabilities.  

This distribution denotes the varied risk levels across critical infrastructure sectors and emphasizes the importance of prioritizing cybersecurity efforts, particularly in manufacturing and energy, where ICS vulnerabilities could lead to more severe consequences.  

Mitigation Strategies and Recommendations  

Here are some of the best practices recommended to mitigate potential risks:  

  1. It is essential to regularly update systems and apply patches as soon as they are released. Many vulnerabilities in ICS are a result of outdated software or firmware, which can be addressed by keeping systems up to date.  

  1. Implementing a zero-trust security model is crucial in preventing unauthorized access. This involves treating every request for access as if it originates from an untrusted source, requiring strict verification before granting access.  

  1. By segmenting networks, organizations can limit the ability of attackers to move laterally across systems, thus reducing the risk of widespread damage.  

  1. Strengthening authentication protocols, such as using multi-factor authentication (MFA), is critical to reducing the likelihood of unauthorized access to ICS devices.  

  1. Continuous security assessments through vulnerability scans, penetration testing, and audits help identify potential security gaps in ICS before they can be exploited by attackers.  

  1. Organizations should invest in cybersecurity training programs for employees to ensure they are aware of the risks posed by phishing, social engineering, and other attack methods.  

Conclusion  

The vulnerabilities in ICS highlighted in the latest report from CISA, along with those analyzed by Cyble Research & Intelligence Labs, highlight the increasing risks faced by critical infrastructure sectors. With vulnerabilities in high-severity products from vendors like Schneider Electric and Hitachi Energy, it is important that organizations address these potential threats before they can compromise sensitive information.  

By implementing security measures, including effective patch management, strong authentication protocols, and comprehensive training programs, organizations can better protect their ICS systems from cybersecurity risks. 

The post Vulnerabilities in ICS: A Detailed Analysis of Recent Security Advisories and Threats  appeared first on Cyble.

Blog – Cyble – ​Read More

Search Operators and Wildcards for Cyber Threat Investigations

Finding information on specific cyber threats in a vast amount of data can be challenging. Threat Intelligence Lookup from ANY.RUN simplifies this task with wildcards and operators that provide you with the ability to create flexible and precise search queries.

Let’s take a look at how you can use them to identify and collect intel on malware and phishing attacks more effectively. 

About Threat Intelligence Lookup 

Main page of TI Lookup

Threat Intelligence (TI) Lookup is a fast and efficient tool designed to simplify cyber threat investigations. It allows for flexible searches for Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs).  

TI Lookup provides access to a constantly updated database of threat data collected from millions of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox.  

Each sandbox session contains detailed logs of system and network events that occur while a threat is executing. By searching through this comprehensive data, you can easily find connections between seemingly unrelated pieces of information and tie them to a specific threat. 

Here’s how TI Lookup can help you and your organization: 

  • Investigate Threats Quickly: Gather extensive and in-depth information on emerging and persistent cyber threats with over 40 search parameters (e.g. threat names, command lines, registry logs, etc.). 
  • Receive Real-Time Updates: Stay informed with real-time updates on results for your search queries. 
  • Enrich Threat Intelligence: Get relevant context, indicators, and samples manually analyzed by threat analysts. 

Black Friday 2024: Get 2x search requests
for your TI Lookup plan 



See details


Search Operators in TI Lookup 

Search operators are essential tools in TI Lookup that allow you to combine several indicators to refine your search queries effectively. They act as logical connectors that help you specify the relationships between different conditions in your search and achieve greater flexibility and precision in your searches. 

TI Lookup supports logical operators like AND, OR, and NOT, as well as grouping with parentheses. Let’s take a closer look at each of these. 

AND 

What it does  

The AND operator helps you combine multiple conditions. 

Why use it  

AND is great for narrowing down your search to find threats by including as many unique indicators as possible.  

It is equally effective in situations when you have several completely disparate artifacts, like an IP address and a mutex, and want to link them to a particular threat. 

Example 

This query is designed to search for sandbox sessions where both thum[.]io and logo[.]clearbit[.]com domains were found. 

  • Thum[.]io is a real-time website screenshot generator. 
  • logo[.]clearbit[.]com is a service for fetching company logos. 
TI Lookup lets you navigate to the ANY.RUN sandbox to see and run analysis of each sample

TI Lookup almost instantly provides results: associated IP addresses and sandbox sessions, all of which contain a “malicious activity” label and a “phishing” tag. 

We can click any session of our interest to investigate the threat further.

The phishing page contains a fake form for stealing victim’s credentials

By reviewing the analysis report, we can spot that this is a cyber attack which uses thum[.]io to dynamically generate phishing pages with the backgrounds of a website that coincides with that of the victim. Attackers also use logo[.]clearbit[.]com to add corresponding company logos to make fake pages appear more legitimate. 

OR 

What it does 

The OR operator helps return matches where at least one of the given conditions is found. 

Why use it  

OR is excellent in situations when you are not sure which one of two indicators is related to a threat. It is also useful for broadening your search to include results where both indicators are found, but necessarily together in the same session.  

Example  

You see how these mutexes are used by exploring their corresponding sandbox sessions

It searches for entries where the synchronization object name is “DocumentUpdater” or “PackageManager”. If you’re investigating a threat that could be using either of these sync objects, this query ensures you don’t miss any relevant information. 

TI Lookup shows that the synchronization objects are mutexes and provides sandbox sessions where they were previously discovered. 

NOT 

What it does 

The NOT operator excludes results that match the specified condition. 

Why use it 

NOT is helpful when you want to refine your search and see sandbox sessions where no certain item, like a domain or file name, was observed. 

Example 

This query is looking for phishing samples but excludes any entries where the initial submission uploaded to the ANY.RUN sandbox was a URL.

Results include sandbox sessions with the tag “phishing” that feature malicious files

It helps us find email, html, zip, exe, or other types of files, used in phishing attacks. 

Parentheses () 

What they do 

Parentheses group conditions and control the order of operations to ensure they are processed in the order you specify. 

Why use them  

Parentheses are essential for creating complex queries, making your search more precise and effective. 

Example

This query searches for sandbox sessions and their related data where the process “mshta.exe” was observed along with connections to destination ports of either 80 or 443. The parentheses ensure that the OR condition is processed first, making the search more precise. 

You can explore domains, IPs, synchronization objects, events, files, and other details related to the query

TI Lookup returns a wealth of threat data related to our query. Some of the results include malicious domains and IP addresses, as well as a list of network threats detected during analyses. 

Wildcard Characters 

Wildcards in TI Lookup act as placeholders in your search queries. They can represent different types of character sequences. 

Asterisk (*) 

What it does  

The asterisk represents any number of characters, including none. This means it can stand in for zero, one, or multiple characters. The asterisk is added by default at the start and end of each query, so you in most cases there is no need to enter it manually.

Why use it 

The asterisk is great for when you’re not sure about the exact content of a string. It helps you find matches even if there are unknown parts or certain variations in your query string. 

Example 

This query searches for sandbox sessions where the command line includes paths to specific script files located in the C:UsersPublic directory. The scripts must be of types .vbs (Visual Basic Script), .bat (Batch file), and .ps1 (PowerShell script).  

Yet, the names of these scripts are replaced with the asterisk wildcard, representing any string of characters, as they can vary.

Asterisks are used to replace any string of characters

This helps us discover scripts with different file names and see how each of them fits into a wider context of the entire attack analyzed in the sandbox.

ANY.RUN’s Interactive Sandbox offers advanced script executiion analysis

In the image above, you can see the execution of one of the found scripts inside the ANY.RUN sandbox. 


ANY.RUN cloud interactive sandbox interface

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup



Question Mark (?) 

What it does  

The question mark represents any single character or its absence. This means it can stand in for exactly one character or none at all. 

Why use it  

The question mark is perfect for situations when you are not sure about a certain character in your string or know that it varies. 

Example  

Here, we can borrow a query from Jane_0sint’s article on phishing investigations, which is intended for identifying samples of Mamba2FA attacks.  

A notable part of this query is that we can see the question mark being used twice. Yet, there is a difference between these two instances: 

  • The first one is the wildcard that serves as a stand-in for the characters “m”, “n”, and “o” that are commonly used in Mamba2FA URLs.  
  • The second question mark is a part of the address. To escape it, we use the slash symbol. 
Make sure to escape ? when it is part of your search string

We once again can observe a variety of results, including command lines that contain different URLs matching our query. 

Dollar Sign ($) 

What it does 

The dollar sign ensures that the search term must appear at the end of the string. It excludes matches with any characters after the specified content. 

Why use it  

The dollar sign is useful when you know the exact ending of a string but are unsure about the beginning. It helps you find matches that end with your specified term. 

Example 

This query searches for any synchronization object whose name ends with _STOP. 

Each mutex can be explored in detail in its corresponding sandbox session

Among the results, we can see mutex names such as biudfw_stop, jeboi_stop, and nonij_stop. As always, we can explore each of them in detail by navigating to their corresponding sandbox sessions. 

Caret (^) 

What it does  

The caret ensures that the search term must appear at the beginning of the string. It prevents matches with any characters before the specified query content. 

Why use it 

The caret is helpful when you know the exact starting point of a string but are unsure about the rest. It narrows down your search to items that begin with your specified term. 

Example 

This query finds domain names that start with 0ffice and end with .com, with any characters allowed in between. The caret (^) and dollar sign ($) ensure the exact start and end. 

TI Lookup returns all matching domains found across its database over the past 180 days

TI Lookup provides us with domains that match our query along with sandbox sessions, where they were found. 

Conclusion 

wildcards and operators in TI Lookup provide the flexibility and precision needed to perform threat intelligence searches. By learning how to use these tools, you can make your threat hunting efforts more effective.

Give it a try by requesting a free trial of TI Lookup.

About ANY.RUN  

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 

See Black Friday deals for ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup →

The post Search Operators and Wildcards for Cyber Threat Investigations appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Undeclared functionality in machine learning systems

Over the coming decades, security risks associated with AI systems will be a major focus of researchers’ efforts. One of the least explored risks today is the possibility of trojanizing an AI model. This involves embedding hidden functionality or intentional errors into a machine learning system that appears to be working correctly at first glance. There are various methods to create such a Trojan horse, differing in complexity and scope — and they must all be protected against.

Malicious code in the model

Certain ML model storage formats can contain executable code. For example, arbitrary code can be executed while loading a file in a pickle format, the standard Python format used for data serialization (converting data into a form that is convenient for storing and transferring). Particularly, this format is used in a deep learning library PyTorch. In another popular machine learning library, TensorFlow, models in the .keras and HDF5 formats support a “lambda layer”, which also executes arbitrary Python commands. This code can easily conceal malicious functionality.

TensorFlow’s documentation includes a warning that a TensorFlow model can read and write files, send and receive network data, and even launch child processes. In other words, it’s essentially a full-fledged program.

Malicious code can activate as soon as an ML model is loaded. In February 2024, approximately 100 models with malicious functionality were discovered in the popular repository of public models, Hugging Face. Of these, 20% created a reverse shell on the infected device, and 10% launched additional software.

Training dataset poisoning

Models can be trojanized at the training stage by manipulating the initial datasets. This process, called data poisoning, can be either targeted or untargeted. Targeted poisoning trains a model to work incorrectly in specific cases (for example, always claiming that Yuri Gagarin was the first person on the Moon). Untargeted poisoning aims to degrade the model’s overall quality.

Targeted attacks are difficult to detect in a trained model because they require very specific input data. But poisoning the input data for a large model is costly, as it requires altering a significant volume of data without being detected.

In practice, there are known cases of manipulating models that continue to learn while in operation. The most striking example is the poisoning of Microsoft’s Tay chatbot, which was trained to express racist and extremist views in less than a day. A more practical example is the attempts to poison Gmail’s spam classifier. Here, attackers mark tens of thousands of spam emails as legitimate to allow more spam through to user inboxes.

The same goal can be achieved by altering training labels in annotated datasets or by injecting poisoned data into the fine-tuning process of a pre-trained model.

Shadow logic

A new method of maliciously modifying AI systems is to introduce additional branches into the model’s computational graph. This attack does not involve executable code or tampering with the training process, yet the modified model can exhibit a desired behavior in response to specific pre-determined input data.

The attack leverages the fact that machine learning models use a computational graph to structure the computations required for their training and execution. The graph describes the sequence in which neural network blocks are connected and defines their operational parameters. Computational graphs are designed for each model individually, although in some ML model architectures they are dynamic.

Researchers have demonstrated that the computational graph of an already trained model can be modified by adding a branch at the initial stages of its operation that detects a “special signal” in the input data; upon detection, the model is directed to operate under a separately programmed logic. In an example from the study, the popular video object detection model YOLO was modified to ignore people in a frame if a cup was also present.

The danger of this method lies in its applicability to any models, regardless of storage format, modality, or scope of application. A backdoor can be implemented for natural language processing, object detection, classification tasks, and multimodal language models. Moreover, such a modification can be preserved even if the model undergoes further training and fine-tuning.

How to protect AI models from backdoors

A key security measure is the thorough control of the supply chain. This means ensuring that the origin of every component in the AI system is known and free of malicious modifications, including:

  • The code running the AI model
  • The computing environment in which the model operates (usually cloud hosting)
  • The files of the model
  • The data used for training
  • The data used for fine-tuning

Major ML repositories are gradually implementing digital signatures to verify models’ origins and code.

In cases where strict control over the origins of data and code is not feasible, models from questionable sources should be avoided in favor of reputable providers’ offerings.

It’s also crucial to use secure formats for storing ML models. In the Hugging Face repository, warnings are displayed when loading models capable of executing code; also, the primary model storage format is Safetensor, which blocks code execution.

Kaspersky official blog – ​Read More

DESC Leads Dubai’s Journey to Becoming the World’s Safest Digital City

Dubai

Overview

Dubai is making significant strides in integrating advanced technologies while emphasizing strong cybersecurity frameworks. A recent study by the World Economic Forum (WEF), titled “Navigating Cyber Resilience in the Age of Emerging Technologies,” highlights how the city is utilizing technologies such as artificial intelligence (AI), blockchain, quantum computing, and smart city solutions across critical sectors.

The Dubai Electronic Security Center (DESC) plays a central role in supporting the secure adoption of these emerging technologies. Initiatives such as the Dubai Cyber Security Strategy and the UAE National Strategy for Artificial Intelligence 2031, along with policies like the Dubai AI Security Policy and autonomous vehicle security standards, aim to balance innovation with a focus on digital security.

This blog delves into DESC’s contributions, Dubai’s cybersecurity strategies, and the city’s efforts to enhance cyber resilience and enable secure digital transformation.

The Role of DESC in Dubai’s Cybersecurity Strategy

The Dubai Electronic Security Center (DESC) is at the heart of Dubai’s digital transformation. As a key player in Dubai’s Cyber Security Strategy, DESC focuses on securing digital assets, fostering innovation, and establishing Dubai as a leading secure digital hub.

His Excellency Yousuf Hamad Al Shaibani, CEO of DESC, highlighted the center’s proactive measures, saying, “The Center continues to coordinate with governmental, regional, and international entities to study the security requirements of modern and emerging technologies and set standards and controls that ensure their safe adoption across various sectors.”

DESC has introduced multiple initiatives to ensure the secure implementation of emerging technologies:

  • Dubai AI Security Policy: A framework for safe use of AI technologies across sectors.
  • Autonomous Vehicle Security Specification: The first of its kind globally, providing security standards for self-driving vehicles.
  • RZAM Cybersecurity Application: A real-time solution leveraging AI to protect internet users from malicious websites and phishing attacks.

These policies stress Dubai’s efforts to create a secure environment for the adoption of advanced technologies.

Advancing Emerging Technologies

Dubai’s leadership in cybersecurity is closely aligned with the UAE National Strategy for Artificial Intelligence 2031. This strategy, combined with substantial investments in technologies such as quantum computing, 5G communications, and the Internet of Things (IoT), is designed to drive innovation while maintaining robust digital safeguards.

For example, DESC has been instrumental in supporting Dubai’s Self-Driving Transport (SDT) Strategy. The SDT Strategy aims to convert 25% of Dubai’s total transportation to self-driving vehicles by 2030. To achieve this, DESC recently published a study on connected vehicles, highlighting the security specifications required to mitigate cyber risks in IoT-enabled transport systems.

The Economic Impact of AI

Artificial intelligence is central to Dubai’s digital transformation efforts. The WEF report estimated that AI will contribute USD 320 billion to the UAE economy by 2030. In line with this, DESC issued a detailed study examining AI’s potential across various sectors in Dubai.

This study analyzed:

  • AI’s Economic Contributions: Estimating how AI can drive Dubai’s economic growth.
  • Ethical and Societal Considerations: Exploring the implications of widespread AI adoption.
  • Risk Mitigation: Identifying challenges and solutions for safe AI integration.
  • Stakeholder Collaboration: Promoting partnerships to enhance AI research and application.

These efforts are part of a broader vision to position Dubai as a global hub for AI research, development, and implementation.

Global Partnerships and Regulatory Frameworks

DESC has also been instrumental in establishing partnerships with public and private stakeholders at both local and international levels. By collaborating with research institutions and global technology leaders, Dubai is developing regulatory frameworks to safely integrate cutting-edge technologies.

These partnerships are crucial in fostering an environment where innovation can thrive without compromising security. Policies such as the Dubai AI Security Policy and the autonomous vehicle security standards reflect the city’s commitment to balancing innovation with cybersecurity.

Building a Resilient Digital Infrastructure

Dubai’s success in integrating new technologies is rooted in its digital infrastructure and forward-looking strategies. The Dubai Cyber Security Strategy serves as a guiding framework for ensuring the resilience and reliability of digital systems.

By focusing on key areas like secure IoT adoption, AI governance, and blockchain implementation, DESC is driving Dubai’s vision of a smart and secure city. These efforts are complemented by national initiatives such as the UAE’s investments in advanced communication technologies like 5G and quantum computing.

The Future of Cyber Resilience in Dubai

Dubai’s approach to cybersecurity offers valuable lessons for other cities and nations seeking to embrace emerging technologies. With DESC leading the charge, Dubai is not only addressing present-day challenges but also preparing for future risks associated with digital transformation. Its comprehensive strategies and global collaborations ensure that innovation is securely integrated into all aspects of life.

References: https://www.desc.gov.ae/world-economic-forum-study-highlights-descs-innovative-efforts-in-securing-emerging-technologies/

The post DESC Leads Dubai’s Journey to Becoming the World’s Safest Digital City appeared first on Cyble.

Blog – Cyble – ​Read More

CISA Releases Updated TIC 3.0 Security Capabilities Catalog (SCC) Version 3.2

TIC 3.0

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has published the updated version of the Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog (SCC) version 3.2. This new release incorporates essential updates based on the latest National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Version 2.0, ensuring that TIC continues to adapt to modern technologies.

The SCC provides a comprehensive set of deployable security controls, capabilities, and best practices to assist federal agencies in implementing secure network environments. With this update, the catalog enhances the guidance for the secure implementation of technology solutions and ensures agencies remain compliant with cybersecurity standards.

The TIC 3.0 SCC serves as a foundational guide for federal agencies, enabling them to meet stringent security requirements across various computing environments. It offers a thorough catalog of security capabilities designed to protect federal information and mitigate cyber risks. By leveraging the latest NIST CSF mappings, the catalog helps agencies strengthen their cybersecurity postures through a series of strategic and technical security measures.

One of the important aspects of the TIC 3.0 SCC Version 3.2 is its alignment with the NIST CSF, which is structured around the core functions of Govern, Identify, Protect, Detect, Respond, and Recover. This mapping ensures that the security controls and capabilities within the catalog are aligned with best practices in risk management, incident detection, and threat response.

The Role of the Security Capabilities Catalog

The SCC is an important resource that assists agencies in applying best practices and risk management principles to protect information in various computing scenarios. This includes guidance for different networking environments, such as cloud, mobile, and traditional on-premises infrastructure. As the federal government continues to transition to more decentralized and cloud-based environments, the TIC 3.0 SCC helps agencies ensure that they maintain security measures across their entire IT ecosystem.

Agencies are encouraged to apply guidance within the SCC to identify potential risks and implement compensating controls when necessary. These controls address potential gaps or residual risks that might remain after deploying the recommended security capabilities. Additionally, CISA emphasizes the importance of collaborating with vendors to ensure that security solutions are adequately implemented, configured, and maintained. This collaboration ensures that agencies can fulfill security requirements and remain protected.

Security Objectives of Security Capabilities Catalog TIC 3.0

The TIC program outlines a set of security objectives aimed at mitigating risks and securing federal data as it moves through various trust zones. As federal agencies increasingly leverage cloud and mobile services, TIC’s security objectives are designed to provide consistent and scalable protections regardless of where the data resides or how it is transmitted.

The objectives of TIC 3.0 include:

  1. Manage Traffic: This objective focuses on observing and filtering data connections to ensure they align with authorized activities. It also applies the principle of least privilege and default-deny policies.
  2. Protect Traffic Confidentiality: This ensures that only authorized parties can access data in transit, protecting the confidentiality of sensitive government communications.
  3. Protect Traffic Integrity: The integrity of data during transmission is critical to prevent and detect any alterations that could indicate a cyberattack or data breach.
  4. Ensure Service Resiliency: With cyber threats constantly evolving, the ability to ensure the continuous operation of critical services and applications is a central focus of TIC 3.0.
  5. Ensure Effective Response: This objective encourages agencies to establish processes for timely responses to cybersecurity incidents, with a focus on adapting security policies as new threats emerge.

These objectives are designed to align with the functions of the NIST Cybersecurity Framework, ensuring that TIC 3.0 offers a comprehensive approach to securing federal networks.

Universal and PEP Security Capabilities

The SCC is divided into two main sections: Universal Security Capabilities and PEP (Policy Enforcement Point) Security Capabilities. These capabilities are critical in securing federal networks and ensuring agencies can manage cybersecurity risks efficiently.

Universal Security Capabilities

Universal security capabilities are high-level principles that are applicable to all federal agencies, irrespective of their individual use cases. These capabilities help agencies implement broad cybersecurity measures that apply to enterprise-level risks. Some of the key universal security capabilities include:

  • Backup and Recovery: Ensures data and configurations are backed up and can be quickly restored after an incident, failure, or corruption.
  • Central Log Management with Analysis: This function collects, stores, and analyzes telemetry to support security analysis and detect malicious activity.
  • Incident Response Planning and Handling: Helps agencies prepare for and respond to cyberattacks, ensuring that recovery and detection measures are in place.
  • Least Privilege: Grants minimum resources and authorizations necessary for entities to perform their functions, reducing exposure to potential threats.
  • Patch Management: Identifies, acquires, installs, and verifies patches to secure systems from known vulnerabilities.

These capabilities are mapped to the NIST CSF, providing a comprehensive set of actions for each area. This ensures that agencies can implement the appropriate security measures based on the severity of the risk.

PEP Security Capabilities

The PEP capabilities focus on specific technical implementations and are more granular in nature. These capabilities support the TIC 3.0 security objectives and are aligned with Zero Trust Architectures. For example, the following PEP security capabilities are critical in network environments:

  • Anti-malware: Detects and quarantines malicious code that could compromise the integrity of the network.
  • Network Segmentation: Divides networks to reduce attack surfaces and limit the potential spread of cyber threats.
  • Multi-factor Authentication: Adds an additional layer of authentication, ensuring that only authorized users gain access to sensitive data.

These PEP capabilities can be adapted depending on the agency’s specific requirements, such as the use of cloud, email, web, or network security solutions.

Conclusion

As cybersecurity threats become increasingly sophisticated, the TIC 3.0 SCC will continue to adapt to new changes. The document is periodically updated to reflect new security practices and technologies. Agencies are encouraged to actively engage with CISA and vendors to ensure that their implementations remain effective.

The TIC 3.0 SCC version 3.2 is a crucial update in protecting federal networks. As agencies adopt more complex computing environments, the need for new and upgraded security measures like the Security Capabilities Catalog, Trusted Internet Connections, and TIC frameworks grows. This updated catalog equips agencies with the tools to understand these challenges, ensuring the protection of sensitive information while maintaining secure operations.

References

The post CISA Releases Updated TIC 3.0 Security Capabilities Catalog (SCC) Version 3.2 appeared first on Cyble.

Blog – Cyble – ​Read More