Welcome to this week’s edition of the Threat Source newsletter. 

I am unbelievably lucky to do the work that I do. My title is technically ‘Senior Security Strategist’. It’s a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talos. I also get to travel and talk to our customers and communities about that work and how we fight that good fight. This has taken me to some interesting places – from Ukraine to California and lots of places in between. Not bad for a guy from a small town in Alabama.  

This gig isn’t for everyone. You must have some extroverted tendencies, and as the youth would say, some ‘rizz’. It’s not enough to talk about something like, say, ransomware. You need to be able to explain it in high technical detail if needed and then explain it to a board of C-levels and speak the language of business they understand. And you need to do it in an engaging way to keep your audiences bought in. It’s a unique blend of security practitioner expertise and the ability to communicate that to audiences, some technical, some not.  

If you’re thinking this also requires some kind of social media influencer level of Hemsworth caliber good looks and hyper charisma, have no fear. I’m about as much a security influencer as Chris Farley was a Beverly Hills ninja. I am just a security nerd who likes to talk. Like I said – I’m very lucky.  

Sometimes this gig takes you to very unexpected places. A couple of weeks ago I found myself at the Ford Foundation Center for Social Justice. I was there to attend and support the NGO-ISAC annual summit. The NGO-ISAC ‘is a non-profit organization improving the cybersecurity of US-based nonprofits.’ They do amazing work supporting cyber security for non-governmental organizations that help protect and promote civil society. We’re also fortunate at Talos to be a partner with them and donate time and resources to support their mission of helping the helpers.  

We are proud to be partners and volunteer our time with NGO-ISAC and it’s members. If you ever want to be truly humbled, spend time with an NGO and learn about what they do. The energy and heart those people have is incredible and will inspire you. They help feed the hungry, cloth the homeless, protect refugees, promote democracies, and generally help take care of some of the most vulnerable people and institutions our society relies upon. They also traditionally struggle with cybersecurity – security investments and practitioner expertise can be difficult to obtain when your budgets are built upon donations to support your mission. They are the embodiment of fighting the good fight, and we at Talos will always have the time to help them help others.  

While I was there, we debuted a custom NGO version of Backdoors & Breaches I helped co-develop with the NGO-ISAC. It was a real hit, and we ran demo games that resonated very well with the audiences. Helping teach cybersecurity to NGOs is fantastic. If we can help them stay secure, there’s so many others who will be helped by it. Also, keep your eyes peeled for a blog post in January about how we designed and created a custom expansion for Backdoors & Breaches.  

Also, the Ford Foundation? Amazing building. It’s in the heart of NYC and is an island of pure serenity. They have an indoor atrium/park that is next level. They pipe in some absolute jazz bangers throughout the entire building that, mixed with the decor, exudes a class I’ve rarely encountered in my travels. If I could make a blanket out of that entire vibe and wrap myself up in it, I’d do it.  

The one big thing 

QR Codes, am I right? Sometimes you can scan one with your phone and maybe win a free cheeseburger, sometimes it can take you to a fake O365 phishing site. The tricky bit with QR codes in e-mails is how easily they can avoid spam filters. My man Jaeson Schultz did some great research on attacks, prevalence, and detection of QR codes in e-mail messages. The parts on AI-generated QR imagery are fantastic – be careful what you scan! 

Why do I care? 

E-mail phishing and evading defenses are a tried and tested tactic with attackers. QR codes are another method of attack, and because they can be difficult to defang/detect, defenders have to work extra hard to understand those threats and stop them.  

So now what? 

Exercise serious caution when scanning a QR code. If possible, detonate those suspicious QR code e-mails in a sandbox, like Threat Grid. 

Top security headlines of the week 

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens. (Dark Reading) 

The NSA updated its mobile devices security best practices report. Reboot those phones at least once a week friends.  (ZDNet) 

The United States and other Western nations released guidance Tuesday designed to evict the China-linked group in the wake of the high-profile hack. (CyberScoop) 

Can’t get enough Talos? 

• New PXA Stealer targets government and education sectors for sensitive information 
• The TTP Episode 7: Explore this year’s Macro-ATT&CK findings  
• Beers with Talos is back (kind of) with a special “B Team” episode: Misadventures, Rabbit Holes, and Turkey Lurkey Goes to the Movies 

Upcoming events where you can find Talos 

AVAR (Dec. 4-6)   

Chennai, India  

Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.   

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 

MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 

VirusTotal: https://www.virustotal.com/gui/file/0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647/details 

Typical Filename: cwjhtmbwgyomzrhbo.exe 

Claimed Product: n/a 

Detection Name: Win.Dropper.Scar::1201  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/detection 

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 200206279107f4a2bb1832e3fcd7d64c  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details%C2%A0 

Typical Filename: lsgkozfm.bat  

Claimed Product: N/A  

Detection Name: Win.Dropper.Scar::tpd    

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 71fea034b422e4a17ebb06022532fdde   

VirusTotal: https://www.virustotal.com/gui/file/bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a/details 

Typical Filename: VID001.exe   

Claimed Product: N/A   

Detection Name: RF.Talos.80   

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/details%C2%A0 

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG   

Cisco Talos Blog – ​Read More

Recently, our analyst team shared their research into a zero-day attack involving the use of corrupted malicious files to bypass static detection systems. Now, we present a technical analysis of this method and its mechanics. 

In this article, we will:  

• Demonstrate how attackers corrupt archives, office documents, and other files 
• Explain how this method successfully evades detection by security systems 
• Show how corrupted files get recovered by their native applications 

Let’s get started. 

Sandbox Analysis of a Corrupted File Attack

To first see how such attacks unfold, we can upload one of the corrupted filles used by attackers to ANY.RUN’s sandbox.  

View analysis session. 

Thanks to its interactivity, the sandbox lets us simulate a real scenario of user opening the broken malicious file inside the file’s corresponding application. 

In our case, it’s a docx file. When we open it with Word, the program immediately offers us the option to recover the content of the file and successfully does it. 

Inside, we find a QR code with a phishing link. The sandbox also automatically detects malicious activity and notifies us about this. 

How Corrupted Files Bypass Antivirus Software and Other Automated Solutions

Analysis inside the ANY.RUN sandbox showed how a corrupted file gets restored thanks to Word’s built-in recovery mechanisms, which allows us to identify its malicious nature. 

Yet, if we submit the same corrupted file to VirusTotal, which provides verdicts from numerous security solutions, we will see zero threat detections. The question is why? 

The answer is simple: most antivirus software and automated tools are not equipped with the recovery functionality that is found in applications, such as Word. This prevents them from accurately identifying the type of the corrupted file, resulting in a failure to detect and mitigate the threat. 

Docx is not the only file format used by attackers. There are also corrupted archives with malicious files inside, which easily bypass spam filters because security systems cannot view their contents due to corruption.  

Once downloaded onto a system, tools like WinRAR easily restore the damaged archive, making its contents available to the victim. 

Now, let’s see how exactly it works on a technical level. 

Technical Analysis of a Corrupted Word Document 

The Structure of a Word Document 

Since the mid-2000s, office documents (OpenOffice.org 2.0 — released in 2005) have been structured as archives containing the document’s content. 

In the image below, you can see the structure of a Word document. 

As we can see, all structures within this archive are interconnected, and this relationship begins from the end. 

At the end of the archive, there is a structure called the End of Central Directory Record (EOCD). This structure contains information about the size of the Central Directory File Header (CDFH), its offset, and the total number of entries in the archive. This structure helps locate the CDFH.  

The CDFH duplicates the data stored in the Local File Header (LFH) and the offsets to it. Yet, this structure does not contain the compressed data itself but rather represents a hierarchy of files within the archive. This part of the structure allows you to find the LFH of each file in the archive.  

The LFH is considered the header for each file in the archive. It contains important data such as the file name, compressed and uncompressed sizes, CRC32 checksum, and other parameters.  

The compressed data is located after the header. 

How the File Structure Can Be Manipulated by Attackers 

As shown in the image above (Figure 1), the archive is structured backward, starting with the end, while all parts are linked together.  

This has led us to test three different hypotheses (Figure 2): 

1. Can Word or an archiving program recover and successfully open a file if additional data is added to the beginning of the archive? 

2. Can Word or an archiving program recover and successfully open a file if we corrupt the linking between the parts and delete the CDFH, which does not contain the file data itself?  

3. Can Word or an archiving program recover and successfully open a file if we corrupt the linking between the parts and erase the EOCD, which is a crucial part of the recovery process? 

You can see the results of our hypothesis testing in the table below.

During our hypothesis testing, we’ve made several noteworthy observations: 

1. For minimal recovery of a Word document, the following files are essential: 

[Content_Types].xml,   

Word/document.xml,   

word/_rels/document.xml.rels,   

_rels/.rels;   

These contain crucial information regarding the relationships between elements and form the standard file hierarchy required for Word to interpret the document. 

2. A ZIP archive with corrupted Local File Headers will only show the file structure. The actual file content will be empty. 

3. If the end part of the ZIP file is damaged, the archiving software and Word will attempt to use an alternative recovery method: by leveraging intact Local File Headers. 

Our findings demonstrate that Word is more resilient to file corruption than ZIP. While Word successfully recovered files with corrupted CDFH, EOCD, and even when random bytes were added to create a non-existent LFH structure, ZIP failed in the first hypothesis, where random bytes were added to the beginning of the file. 

Why Security Systems Fail to Read Corrupted Files 

Security systems attempt to identify file types, including by using Magic Bytes in File Headers. In the case of office documents and ZIP archives, because the file effectively starts from the end, we can corrupt the archive structure and magic bytes, making it difficult for detection systems to identify the file type.  

This leads to the inability to unpack and inspect the contents. 

Consider this email with a corrupted Word document. 

The sandbox once again has no problem detecting the threat, returning a “malicious activity” verdict.

But, when run in VirusTotal, almost zero threat detections come back for this file. 

Conclusion

Our study revealed a vulnerability in document and archive structures. By manipulating specific components like the CDFH and EOCD, attackers can create corrupted files that are successfully repaired by applications but remain undetected by security software. As a result, we face a situation when security systems have not yet developed a clear logic for detecting such attacks, exposing the security of their users.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Explore all Black Friday 2024 offers →

The post Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Overview 

A coalition of cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Australian Signals Directorate (ASD), the Australian Cyber Security Centre (ACSC), as well as counterparts from Canada and New Zealand, has issued a hardening guidance to strengthen communications infrastructure against cyber espionage and other malicious cyber activities.   

This hardening guidance focuses on visibility enhancements and hardening practices for network devices. It aims to help engineers and defenders safeguard their systems from the growing threats posed by China-affiliated threat actors. The latest intelligence reports reveal that Chinese hackers have compromised networks of major telecommunications providers globally, conducting extensive cyber espionage campaigns.  

These groups have been targeting vulnerabilities in telecommunications networks, gaining unauthorized access to sensitive data. This activity aligns with known weaknesses in existing network infrastructure and highlights the urgent need for organizations to address security gaps.  

The agencies involved in this effort, including the ASD and the ACSC, emphasize that while the tactics used by these threat actors are not novel, their success stems from exploiting well-established vulnerabilities in communications infrastructure. The newly issued hardening guidance, therefore, provides actionable steps for network engineers and defenders to strengthen visibility, detect malicious activities, and harden systems against future exploitation.  

Hardening Guidance: Enhancing Visibility in Communications Networks  

One key strategy in this guidance is to improve visibility across communication networks. For organizations to effectively monitor, detect, and respond to cyber threats, they must have thorough insight into network traffic, user behavior, and overall data flow. High visibility enables swift identification of anomalies that may indicate a cyber intrusion, allowing defenders to take immediate action.  

Monitoring Network Configurations and Changes  

Network engineers are advised to closely monitor configuration changes in critical network devices, such as routers, switches, and firewalls. Any alterations outside the formal change management process should raise red flags. Additionally, regular audits and monitoring for unusual activities, such as unauthorized changes to routes or protocols, can help detect malicious intrusions early.  

Centralized Configuration Management  

The guidance recommends centralizing configurations and storing them in a secure, centralized location. This prevents devices from becoming the sole source of truth for their own configurations, which could be manipulated in the event of a breach. Network engineers should also implement strong network flow monitoring solutions to gain insights into the ingress and egress points of data across the network.  

Monitoring Accounts and Logging  

A proactive approach to monitoring user accounts and logins is also essential for mitigating threats. Monitoring anomalies in user and service account activity—such as abnormal login times, failed login attempts, or logins from unexpected locations—can help identify malicious actors who have gained unauthorized access to the network.  

Organizations should also ensure that logging mechanisms are vigorous, secure, and centralized. Logs should be encrypted in transit and stored off-site to prevent tampering. Using Security Information and Event Management (SIEM) systems is encouraged to help analyze logs and correlate data from various devices for rapid incident detection.  

Hardening Network Systems  

Beyond improving visibility, securing the underlying network systems through hardening is a critical defense strategy. Hardening aims to reduce vulnerabilities by ensuring that network devices and protocols are securely configured to minimize the attack surface. The collaboration between CISA, ACSC, and other agencies has provided valuable hardening guidance that organizations can apply to their communications infrastructure.  

Isolated Management Networks  

One of the most critical recommendations in the guide is the use of out-of-band management networks. By ensuring that network infrastructure devices can only be managed from physically separate, trusted networks, organizations can prevent the lateral movement of hackers within their systems. This isolation limits the potential impact of a breach, as attackers cannot easily move between devices on the network once one device has been compromised.  

Segmentation and Access Control  

Segmentation of networks into isolated zones, such as using Virtual Local Area Networks (VLANs) and private VLANs (PVLANs), helps protect critical systems and restricts access to sensitive data. Access Control Lists (ACLs) should be configured with a default-deny policy to control both inbound and outbound traffic, ensuring that only authorized connections are allowed.  

Securing Virtual Private Networks (VPNs)  

The guidance stresses the importance of securing VPN gateways by limiting their exposure to the internet and enforcing strong cryptographic protocols for key exchange and data encryption. VPNs should be configured to only allow strong authentication methods, and unused cryptographic algorithms should be disabled to reduce the risk of exploitation.  

Proactive Authentication and Account Management  

In addition to securing network devices, organizations should focus on improving authentication methods to ensure that only authorized users can access their networks. Implementing phishing-resistant multi-factor authentication (MFA) for all users, especially those with administrative privileges, is one of the primary strategies to prevent unauthorized access.  

The guidance also emphasizes the importance of strong password policies, including the use of secure hashing algorithms and the requirement to change default passwords immediately upon deployment. Additionally, organizations should regularly review user accounts to ensure that inactive or unnecessary accounts are removed, and all accounts are assigned the minimum necessary permissions.  

Conclusion   

Adopting a “secure by design” approach is crucial for software manufacturers to enhance the security of their products and reduce the need for customers to manually implement hardening measures.   

As cyber threats, especially Chinese threat actors, continue to target global organizations, collaboration between international agencies like CISA, ACSC, and other stakeholders is important to protect global communications infrastructure. Australia’s leadership, through agencies such as the ASD and ACSC, plays an important role in fighting cybercrime.  

By focusing on hardening guidance, improving visibility, and working together internationally, organizations can strengthen their security posture, mitigate vulnerabilities, and contribute to the collective global effort to protect digital life. 

The post Australia’s ACSC and ASD Team Up with CISA, NSA, FBI, and International Allies to Protect Communications Infrastructure appeared first on Cyble.

Blog – Cyble – ​Read More

Finding information on specific cyber threats in a vast amount of data can be challenging. Threat Intelligence Lookup from ANY.RUN simplifies this task with wildcards and operators that provide you with the ability to create flexible and precise search queries.

Let’s take a look at how you can use them to identify and collect intel on malware and phishing attacks more effectively. 

About Threat Intelligence Lookup 

Threat Intelligence (TI) Lookup is a fast and efficient tool designed to simplify cyber threat investigations. It allows for flexible searches for Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs).  

TI Lookup provides access to a constantly updated database of threat data collected from millions of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox.  

Each sandbox session contains detailed logs of system and network events that occur while a threat is executing. By searching through this comprehensive data, you can easily find connections between seemingly unrelated pieces of information and tie them to a specific threat. 

Here’s how TI Lookup can help you and your organization: 

• Investigate Threats Quickly: Gather extensive and in-depth information on emerging and persistent cyber threats with over 40 search parameters (e.g. threat names, command lines, registry logs, etc.). 

• Receive Real-Time Updates: Stay informed with real-time updates on results for your search queries. 

• Enrich Threat Intelligence: Get relevant context, indicators, and samples manually analyzed by threat analysts. 

Search Operators in TI Lookup 

Search operators are essential tools in TI Lookup that allow you to combine several indicators to refine your search queries effectively. They act as logical connectors that help you specify the relationships between different conditions in your search and achieve greater flexibility and precision in your searches. 

TI Lookup supports logical operators like AND, OR, and NOT, as well as grouping with parentheses. Let’s take a closer look at each of these. 

AND 

What it does  

The AND operator helps you combine multiple conditions. 

Why use it  

AND is great for narrowing down your search to find threats by including as many unique indicators as possible.  

It is equally effective in situations when you have several completely disparate artifacts, like an IP address and a mutex, and want to link them to a particular threat. 

Example 

This query is designed to search for sandbox sessions where both thum[.]io and logo[.]clearbit[.]com domains were found. 

• Thum[.]io is a real-time website screenshot generator. 

• logo[.]clearbit[.]com is a service for fetching company logos. 

TI Lookup almost instantly provides results: associated IP addresses and sandbox sessions, all of which contain a “malicious activity” label and a “phishing” tag. 

We can click any session of our interest to investigate the threat further.

By reviewing the analysis report, we can spot that this is a cyber attack which uses thum[.]io to dynamically generate phishing pages with the backgrounds of a website that coincides with that of the victim. Attackers also use logo[.]clearbit[.]com to add corresponding company logos to make fake pages appear more legitimate. 

OR 

What it does 

The OR operator helps return matches where at least one of the given conditions is found. 

Why use it  

OR is excellent in situations when you are not sure which one of two indicators is related to a threat. It is also useful for broadening your search to include results where both indicators are found, but necessarily together in the same session.  

Example  

It searches for entries where the synchronization object name is “DocumentUpdater” or “PackageManager”. If you’re investigating a threat that could be using either of these sync objects, this query ensures you don’t miss any relevant information. 

TI Lookup shows that the synchronization objects are mutexes and provides sandbox sessions where they were previously discovered. 

NOT 

What it does 

The NOT operator excludes results that match the specified condition. 

Why use it 

NOT is helpful when you want to refine your search and see sandbox sessions where no certain item, like a domain or file name, was observed. 

Example 

This query is looking for phishing samples but excludes any entries where the initial submission uploaded to the ANY.RUN sandbox was a URL.

It helps us find email, html, zip, exe, or other types of files, used in phishing attacks. 

Parentheses () 

What they do 

Parentheses group conditions and control the order of operations to ensure they are processed in the order you specify. 

Why use them  

Parentheses are essential for creating complex queries, making your search more precise and effective. 

Example

This query searches for sandbox sessions and their related data where the process “mshta.exe” was observed along with connections to destination ports of either 80 or 443. The parentheses ensure that the OR condition is processed first, making the search more precise. 

TI Lookup returns a wealth of threat data related to our query. Some of the results include malicious domains and IP addresses, as well as a list of network threats detected during analyses. 

Wildcard Characters 

Wildcards in TI Lookup act as placeholders in your search queries. They can represent different types of character sequences. 

Asterisk (*) 

What it does  

The asterisk represents any number of characters, including none. This means it can stand in for zero, one, or multiple characters. The asterisk is added by default at the start and end of each query, so you in most cases there is no need to enter it manually.

Why use it 

The asterisk is great for when you’re not sure about the exact content of a string. It helps you find matches even if there are unknown parts or certain variations in your query string. 

Example 

This query searches for sandbox sessions where the command line includes paths to specific script files located in the C:UsersPublic directory. The scripts must be of types .vbs (Visual Basic Script), .bat (Batch file), and .ps1 (PowerShell script).  

Yet, the names of these scripts are replaced with the asterisk wildcard, representing any string of characters, as they can vary.

This helps us discover scripts with different file names and see how each of them fits into a wider context of the entire attack analyzed in the sandbox.

In the image above, you can see the execution of one of the found scripts inside the ANY.RUN sandbox. 

Question Mark (?) 

What it does  

The question mark represents any single character or its absence. This means it can stand in for exactly one character or none at all. 

Why use it  

The question mark is perfect for situations when you are not sure about a certain character in your string or know that it varies. 

Example  

Here, we can borrow a query from Jane_0sint’s article on phishing investigations, which is intended for identifying samples of Mamba2FA attacks.  

A notable part of this query is that we can see the question mark being used twice. Yet, there is a difference between these two instances: 

• The first one is the wildcard that serves as a stand-in for the characters “m”, “n”, and “o” that are commonly used in Mamba2FA URLs.  

• The second question mark is a part of the address. To escape it, we use the slash symbol. 

We once again can observe a variety of results, including command lines that contain different URLs matching our query. 

Dollar Sign ($) 

What it does 

The dollar sign ensures that the search term must appear at the end of the string. It excludes matches with any characters after the specified content. 

Why use it  

The dollar sign is useful when you know the exact ending of a string but are unsure about the beginning. It helps you find matches that end with your specified term. 

Example 

This query searches for any synchronization object whose name ends with _STOP. 

Among the results, we can see mutex names such as biudfw_stop, jeboi_stop, and nonij_stop. As always, we can explore each of them in detail by navigating to their corresponding sandbox sessions. 

Caret (^) 

What it does  

The caret ensures that the search term must appear at the beginning of the string. It prevents matches with any characters before the specified query content. 

Why use it 

The caret is helpful when you know the exact starting point of a string but are unsure about the rest. It narrows down your search to items that begin with your specified term. 

Example 

This query finds domain names that start with 0ffice and end with .com, with any characters allowed in between. The caret (^) and dollar sign ($) ensure the exact start and end. 

TI Lookup provides us with domains that match our query along with sandbox sessions, where they were found. 

Conclusion 

wildcards and operators in TI Lookup provide the flexibility and precision needed to perform threat intelligence searches. By learning how to use these tools, you can make your threat hunting efforts more effective.

Give it a try by requesting a free trial of TI Lookup.

About ANY.RUN  

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 

See Black Friday deals for ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup →

The post Search Operators and Wildcards for Cyber Threat Investigations appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Overview

Dubai is making significant strides in integrating advanced technologies while emphasizing strong cybersecurity frameworks. A recent study by the World Economic Forum (WEF), titled “Navigating Cyber Resilience in the Age of Emerging Technologies,” highlights how the city is utilizing technologies such as artificial intelligence (AI), blockchain, quantum computing, and smart city solutions across critical sectors.

The Dubai Electronic Security Center (DESC) plays a central role in supporting the secure adoption of these emerging technologies. Initiatives such as the Dubai Cyber Security Strategy and the UAE National Strategy for Artificial Intelligence 2031, along with policies like the Dubai AI Security Policy and autonomous vehicle security standards, aim to balance innovation with a focus on digital security.

This blog delves into DESC’s contributions, Dubai’s cybersecurity strategies, and the city’s efforts to enhance cyber resilience and enable secure digital transformation.

The Role of DESC in Dubai’s Cybersecurity Strategy

The Dubai Electronic Security Center (DESC) is at the heart of Dubai’s digital transformation. As a key player in Dubai’s Cyber Security Strategy, DESC focuses on securing digital assets, fostering innovation, and establishing Dubai as a leading secure digital hub.

His Excellency Yousuf Hamad Al Shaibani, CEO of DESC, highlighted the center’s proactive measures, saying, “The Center continues to coordinate with governmental, regional, and international entities to study the security requirements of modern and emerging technologies and set standards and controls that ensure their safe adoption across various sectors.”

DESC has introduced multiple initiatives to ensure the secure implementation of emerging technologies:

• Dubai AI Security Policy: A framework for safe use of AI technologies across sectors.
• Autonomous Vehicle Security Specification: The first of its kind globally, providing security standards for self-driving vehicles.
• RZAM Cybersecurity Application: A real-time solution leveraging AI to protect internet users from malicious websites and phishing attacks.

These policies stress Dubai’s efforts to create a secure environment for the adoption of advanced technologies.

Advancing Emerging Technologies

Dubai’s leadership in cybersecurity is closely aligned with the UAE National Strategy for Artificial Intelligence 2031. This strategy, combined with substantial investments in technologies such as quantum computing, 5G communications, and the Internet of Things (IoT), is designed to drive innovation while maintaining robust digital safeguards.

For example, DESC has been instrumental in supporting Dubai’s Self-Driving Transport (SDT) Strategy. The SDT Strategy aims to convert 25% of Dubai’s total transportation to self-driving vehicles by 2030. To achieve this, DESC recently published a study on connected vehicles, highlighting the security specifications required to mitigate cyber risks in IoT-enabled transport systems.

The Economic Impact of AI

Artificial intelligence is central to Dubai’s digital transformation efforts. The WEF report estimated that AI will contribute USD 320 billion to the UAE economy by 2030. In line with this, DESC issued a detailed study examining AI’s potential across various sectors in Dubai.

This study analyzed:

• AI’s Economic Contributions: Estimating how AI can drive Dubai’s economic growth.
• Ethical and Societal Considerations: Exploring the implications of widespread AI adoption.
• Risk Mitigation: Identifying challenges and solutions for safe AI integration.
• Stakeholder Collaboration: Promoting partnerships to enhance AI research and application.

These efforts are part of a broader vision to position Dubai as a global hub for AI research, development, and implementation.

Global Partnerships and Regulatory Frameworks

DESC has also been instrumental in establishing partnerships with public and private stakeholders at both local and international levels. By collaborating with research institutions and global technology leaders, Dubai is developing regulatory frameworks to safely integrate cutting-edge technologies.

These partnerships are crucial in fostering an environment where innovation can thrive without compromising security. Policies such as the Dubai AI Security Policy and the autonomous vehicle security standards reflect the city’s commitment to balancing innovation with cybersecurity.

Building a Resilient Digital Infrastructure

Dubai’s success in integrating new technologies is rooted in its digital infrastructure and forward-looking strategies. The Dubai Cyber Security Strategy serves as a guiding framework for ensuring the resilience and reliability of digital systems.

By focusing on key areas like secure IoT adoption, AI governance, and blockchain implementation, DESC is driving Dubai’s vision of a smart and secure city. These efforts are complemented by national initiatives such as the UAE’s investments in advanced communication technologies like 5G and quantum computing.

The Future of Cyber Resilience in Dubai

Dubai’s approach to cybersecurity offers valuable lessons for other cities and nations seeking to embrace emerging technologies. With DESC leading the charge, Dubai is not only addressing present-day challenges but also preparing for future risks associated with digital transformation. Its comprehensive strategies and global collaborations ensure that innovation is securely integrated into all aspects of life.

References: https://www.desc.gov.ae/world-economic-forum-study-highlights-descs-innovative-efforts-in-securing-emerging-technologies/

The post DESC Leads Dubai’s Journey to Becoming the World’s Safest Digital City appeared first on Cyble.

Blog – Cyble – ​Read More