Scanning the hard drives of work computers is a simple daily procedure that happens without impacting the user or requiring any manual action. In the case of servers, however, things are more complex — especially if done in response to an incident, after which all company storage (perhaps tens of terabytes worth) need an unscheduled scan. What’s more, you need to ensure absolute data security and no noticeable drop in performance for users.
We’ve compiled a list of tips and precautions to save you time and prevent further incidents. All tips related to our products are using Kaspersky Endpoint Security as an example, but the same logic applies to other EPP/EDR security products.
Preliminary checks
Check the configuration of the computer that will perform the scan. Make sure that the OS is updated to the latest version and can connect to all disks being scanned and process the data correctly — that is: read long Unicode file names, handle very large files and files on case-sensitive partitions, and so on. To speed up the scan, use a computer with a powerful multicore CPU, generous memory, and fast local storage for temporary files.
Make sure that disk-access is fast. The computer should connect to all storage either directly (local storage) or through a fast network interface using a high-performance protocol (preferably SAN-type).
Check your backups. Although scanning should not affect stored data, it’s important to have a plan B in case of malware infection or file corruption. Therefore, carefully check the date and contents of the most recent backup of all data, consider when data-recovery drills were last performed, and generally make sure the current backup versions are usable. If current backups aren’t available, assess the risks and time frames, and possibly back up critical data before scanning.
Clarify the nature of the data on the disks and the storage specifications. This is to optimize the scan settings. Are the disks arranged in a RAID array? If so, what type? You need to decide whether to scan different disks in parallel, and whether this will boost performance. If the disks are accessible independently, consider parallel scanning from multiple computers. Here again, both access speed and server capacity are key. For a powerful computer limited mainly by access speed to different disks, you can run parallel scanning tasks on a single machine.
The nature of the data will greatly affect your decision. If the disks contain many heterogeneous files, or archives with a large number of files, scanning will require significant resources of all types: CPU, memory, temporary folders, etc. The load will be lower if large files in a safe format (video editing sources, database tables, backups/archives known to be untouched) make up a major part of what’s being stored.
Preparing for scanning
Schedule the scan time. Ideally, a weekend, nighttime, or other period when few users access the data. Then you can either completely remove the disks and servers to be scanned from public access, or warn users about possible system slowdown and be sure that only a very small group of people will be affected.
Make sure there’s enough free space on the disks. Scanning may involve unpacking archives and images, which sometimes requires a lot of space.
Check quarantine storage settings. If many infected and suspicious files are found, quarantine may overflow and older samples will be deleted. So it’s worth allocating plenty of space for quarantine.
Agree and enforce an exclusion policy. To reduce scan time, exclude resources that pose no risk and would take a very long time to scan. This category typically includes very large files (with the cutoff ranging from hundreds of megabytes to several gigabytes, depending on the situation), distribution kits, backups, other files that haven’t been modified since previous scans, and files that are known to be non-executable. However, the last category is not so clear-cut, as there can be malicious fragments hidden in plain text files and images. So it’s better to be safe than sorry and scan images as well.
Delete temporary files and folders so you don’t waste time on them.
Scan settings
These recommendations should be adjusted in line with your prior assessments and the nature of the data, but the basic advice is:
Set the maximum amount of memory and CPU time for scanning, taking into account the server usage profile. If the server is unavailable to users during scanning, you can allocate up to 80% of CPU and memory resources — any higher and the computer may become sluggish. For servers that remain under normal load, these numbers should be significantly lower.
In our product settings enable iChecker and iSwift. These technologies speed up scanning of some file formats and exclude data that’s been unchanged since the last scan.
Here, you can also enable additional options to prevent overloading the system: ” Do not run multiple scan tasks at the same time” and “Scan only new and modified files”.
Disable scanning of password-protected archives; otherwise, password requests will cause the application to stop scanning.
Set the maximum size of files for scanning in accordance with what we discussed above.
Set the heuristic analysis level to medium.
Select actions for infected objects; quarantine will likely be the best choice.
Set the logging settings so that the logs contain sufficiently detailed information about scanned objects and scan results.
Performance settings are described in more detail on our support site: for Windows and for Linux.
Running the scan
Start by scanning a small partition or subset of files weighing no more than a terabyte. Evaluate the impact of the scan on server performance (especially important if it continues to serve users) as well as the total time taken, and check the logs for errors. If the scan seems to take too long, try to figure out from the logs what caused the bottleneck. Using this data, adjust the settings accordingly and schedule a “big scan”.
Even after the test, we don’t advise running a full scan of the entire data volume in one task. It’s better to create multiple scan tasks — each targeting only one of the many storage fragments, such as individual disks. This reduces the risk of a prohibitively long scan time, or a failed scan that has to be restarted from scratch.
In the basic scenario, these subtasks are run sequentially as they’re completed. But if the system configuration allows it, dividing the scan into multiple tasks will let you scan independent disks in parallel.
During scanning, monitor the system load and the scan progress so as to intervene in time in case of abnormal situations. And after each task is completed, be sure to drill down into the logs!
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-26 19:06:362025-02-26 19:06:36How to scan huge file storage | Kaspersky official blog
If you are a student, you might be several years away from getting a degree and a profession – and about a month away from becoming a malware analyst. The latter is made possible by ANY.RUN’s Security Training Lab.
There is no point in advertising a career in cybersecurity nowadays. Money talks louder: ransom sums, possible financial costs of operational disruption, and reputational losses hint that investing in cybersecurity teams is a wise solution for any business.
Security Training Lab can be a step towards a specter of career paths that imply cybersecurity literacy and understanding of malware analysis. It also can be a valuable addition to an academic course on threat detection, malware analysis or other cybersecurity subjects.
So, let’s take a closer look at the program.
What is Security Training Lab
It is an interactive digital course on malware analysis produced by ANY.RUN. It comprises 30 hours of academic content on cyber threats, including written materials, video lectures, tasks and tests.
ANY.RUN is a cybersecurity company with 9 years of experience in providing malware analysis and threat intelligence services to individual security researchers, Managed Security Service Providers (MSSPs), and SOC departments of the largest companies around the world.
Security Training Lab stands out from other courses on malware analysis by focusing on teaching you practical skills with real-world examples of the latest cyber threats.
Comprehensive Learning: 30 hours of academic content with written materials, video lectures, interactive tasks, and tests.
Hands-On Experience: Full sandbox access with special plans for teachers and team licenses for students.
Real-World Practice: Learn through real-world threat samples and labs.
User-Friendly Platform: Easy-to-use and fast management system.
Community Support: Private Discord community with tips, lifehacks, and news
Try Security Training Lab Get an individual quote or for your team
Security Training Lab is not just a manual for ANY.RUN’s Interactive Sandbox. As part of the program, a student gets acquainted with a variety of professional tools and more importantly, with the key concepts and methods of cyber threat analysis and research.
Skills You’ll Learn to Analyze Real-World Threats
STL’s contents and structure
In the course of Security Training Lab, you’ll acquire several key analytical skills, including, but not limited to, the following.
Conducting Advanced Static Analysis
Static analysis examines a suspicious file without executing it. You will learn to understand the structure and the source code of executable files, the functions of Windows API, use file hashes to identify and track threats, and evaluate files’ entropy.
You will learn to use static analysis tools like DiE
This data defines whether a file is malicious, what its real functions are, how it behaves, and how exactly it threatens the target.
Advanced static analysis implies disassembling malware’s code to see its structure, variables, loops, conditional operators, and other elements of the program, which helps to better understand the logic of its operation.
During the course, you will practice using a free tool for advanced static analysis and will become able to navigate through the code, set breakpoints for debugging, change values in memory and registers, gaining full control over the program being analyzed.
Static Analysis Skills You’ll Learn
Dissecting binaries to extract indicators of compromise (IOCs)
Understanding and modifying assembly code for deeper analysis
Using disassemblers and decompilers to reconstruct malware logic
Dealing with Encryption in Malware
The course will teach you to perform analysis of encrypted traffic
While encryption is a reliable shield to protect confidential data, it is also a tool in hackers’ hands that allows them to hide malicious activity and bypass protective mechanisms.
You will learn to identify encryption and decrypt malware with practical examples
You’ll discover the principles of encryption, different approaches to its implementation, the most popular encryption algorithms from XOR to RSA and RC4 with their strengths and weaknesses, and the basics of decryption.
The acquaintance with encryption algorithms helps to detect the signs of software’s malicious nature: code obfuscation, encrypting network traffic for hiding activity or data for extortion. Knowing how data is decrypted allows one to bypass malware’s protection against analysis.
Malware Decryption Skills You’ll Learn
Identifying and analyzing obfuscated and encrypted payloads
Extracting encryption keys and decrypting malicious payloads
Bypassing malware encryption techniques to reveal hidden threats
Identifying Malicious Behavior
Understanding and predicting malware behavior is the main task of malware analysis. The more we know about the stack of current malicious capabilities, the easier it is to deal with future threats.
A malware’s tactics and techniques shown in Interactve Sandbox
When executed, the malware generates files, establishes connections, and modifies processes. It also takes measures to avoid detection and analysis, maintain persistence, to hide its launch, and enhance its privileges.
These actions are traceable and can help to identify an ongoing attack, assist in the analysis process, or develop a cybersecurity strategy to protect against known malware strains.
You will explore MITRE ATT&CK — a constantly updated database of attacker tactics and techniques — and practice using it in malware behavior analysis.
Malware Behavior Analysis Skills You’ll Learn
Mapping malware actions to MITRE ATT&CK techniques
Detecting persistence mechanisms and evasion tactics
Using sandbox environments to log and analyze malware activity
Performing In-depth Dynamic Analysis
Dynamic Malware Analysis module will teach you to use tools like x32/x64dbg
For dynamic analysis we need to watch malware in action, so we let it loose within a safe virtual machine environment. Basic dynamic analysis gives us a first glimpse of how the malware interacts with the system. Advanced dynamic analysis is like examining the behavior of a malware under a microscope: we get into the intricacies of the malicious code to understand its algorithms and find weaknesses.
One of the tasks on understanding dynamic analysis
Security Training Lab will equip you with powerful tools for advanced dynamic analysis (API Monitor and x64dbg) and guide you through debugging and anti-debugging techniques. You will learn to combine debugging with static analysis to maximize its efficiency.
Dynamic Malware Analysis Skills You’ll Learn
Utilizing debugging tools to trace malware execution
Bypassing anti-analysis techniques used by advanced threats
Extracting runtime indicators and identifying malicious system modifications
Analyzing Script- and Macro-Based Attacks
Malicious scripts require our close attention: they have become incredibly popular with attackers in recent years, mainly because they effectively bypass traditional endpoint defenses and are easy to obfuscate.
Macros are small programs written in scripting languages and embedded in other applications. They get direct access to the Windows API, making them incredibly powerful both for legitimate use and for hackers.
You will learnto analyze macros in malicious documents
You will get to know the two main approaches to dissecting scripts — viewing the source code or dynamically executing it and observing it — and master ANY.RUN’s built-in tools for analyzing script-based malware and compiled malware that uses scripts.
Malicious macros are given special attention since they are used in a number of real-world attack scenarios, and their code usually is heavily obfuscated which complicates analysis. You will learn to use tools like ANY.RUN can help you identify their behavior without resorting to tedious deobfuscation.
Scripts and Macros Analysis Skills You’ll Learn
De-obfuscating malicious scripts to extract payloads
Analyzing PowerShell and JavaScript-based malware
Detecting macro-based threats in Office documents and emails
Get Access to Security Training Lab
Interested in trying Security Training Lab yourself or bringing it to your educational institution?
Send us a message and our team will get in touch to discuss your specific needs and provide a customized quote.
Get in touch with us to learn more about Security Training Lab
Security Training Lab provides a comprehensive and hands-on learning experience for mastering malware analysis. Completing this course will equip you with essential skills to detect, analyze, and mitigate real-world cyber threats.
With in-depth knowledge and practical exercises, you will gain the confidence to navigate the ever-evolving landscape of cybersecurity threats and contribute effectively to digital defense strategies.
For students looking to begin a career in cybersecurity, this course serves as a solid foundation. The skills you acquire will prepare you for roles such as malware analyst, security researcher, or SOC analyst, helping you take the first step toward a successful and impactful career in the field.
By mastering real-world threat analysis techniques, you will stand out in the job market and be ready to face the challenges of modern cybersecurity.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-26 11:07:062025-02-26 11:07:06Learn to Analyze Real-World Cyber Threats with Security Training Lab
Network traffic analysis is one of the most effective ways to detect and investigate malware infections. By analyzing communication patterns, researchers and security teams can uncover signs of malicious activity, such as command-and-control (C2) connections, data exfiltration, or DDoS attacks.
In this guide, we’ll explore how traffic analysis helps detect malware, the key tools used for this purpose, and real-world examples of Linux malware analyzed in ANY.RUN’s Interactive Sandbox.
How Traffic Analysis Helps Detect Malware
Some types of malware rely on network communication to receive commands, exfiltrate stolen data, spread across systems, or launch attacks. That’s why network traffic analysis is one of the most effective ways to detect and investigate malware infections.
By looking at how data flows in and out of a system, you can reveal a variety of malicious activities that might otherwise go unnoticed.
1. Distributed Denial-of-Service (DDoS) Attacks
Some malware turns infected devices into zombies within a botnet, instructing them to flood a target server with requests. This can cause service disruptions, slow down websites, or even take entire networks offline.
Signs in network traffic
Unusually high volumes of outgoing traffic
Sudden bursts of connections to multiple IPs
Large numbers of SYN packets
2. Command and Control (C2) Communication
Many malware strains, from trojans to ransomware, rely on C2 servers to receive instructions from attackers. These communications can include downloading additional payloads, executing commands, or transmitting stolen data.
Signs in network traffic
Repeated communication with suspicious or newly registered domains
Encrypted traffic over unusual ports
Beaconing patterns
3. Data Exfiltration & Credential Theft
Some malware is designed to steal sensitive data, such as login credentials, financial information, or intellectual property. This data is often encrypted and sent to an attacker-controlled server.
Signs in network traffic
Outbound traffic to unknown foreign IPs
Unusual spikes in file transfer protocols (FTP, SFTP)
Large volumes of outbound DNS queries
4. Exploitation Attempts & Lateral Movement
Advanced malware doesn’t just infect one machine. It looks for vulnerabilities to move laterally across a network, escalating privileges and compromising more devices.
Signs in network traffic
Repeated login attempts from a single source (brute-force attacks)
SMB traffic spikes
Use of internal IP scanning tools like Nmap
5. Malware Download & Dropper Activity
Many infections start with a simple download: malware that acts as a dropper, pulling additional payloads from the internet.
Signs in network traffic
Downloads from unusual or newly registered domains
Traffic to known malware-hosting services
Execution of PowerShell or wget/curl commands from unknown sources
What Tools to Use for Traffic Analysis
Various tools help security professionals inspect network traffic and identify suspicious activities. Here are some of the most widely used ones:
Malware Sandboxes
Real-time network analysis inside ANY.RUN Linux VM
A dynamic analysis environment like ANY.RUN allows users to observe malware behavior, including network communications, in a controlled setting. The sandbox logs network requests, DNS queries, and protocol usage, making it easier to detect malicious patterns.
Analyze Linux and Windows threats inside the safe and secure ANY.RUN Interactive Sandbox
A powerful packet analysis tool that enables deep inspection of network activity. Analysts use it to capture live traffic or examine PCAP files for suspicious network behavior.
tcpdump
A command-line tool for packet capturing and analysis. It provides a lightweight method to monitor network traffic directly from Linux terminals. With tcpdump, analysts can capture packets that flow through a network interface, apply filters to focus on specific traffic, and save captures for later analysis.
mitmproxy
An interactive, SSL-capable proxy for analyzing and modifying HTTP/HTTPS traffic in real time. It’s useful for inspecting malicious web traffic generated by malware.
Analyzing Linux Malware Traffic with a Sandbox
ANY.RUN’s Interactive Sandbox provides a real-time, dynamic analysis environment that helps researchers and security teams uncover malicious network activities associated with Linux malware.
Let’s discover how ANY.RUN can make Linux malware traffic analysis more effective:
Real-time network monitoring: Observe malware’s network behavior live and view outbound HTTP, HTTPS, and DNS traffic, detect hardcoded C2 servers, and spot encrypted connections on unusual ports.
Interactive analysis: Engage with the infected environment to trigger malware behaviors, bypassing sandbox evasion tactics and uncovering hidden threats.
Packet capture (PCAP) export: Capture and export all network traffic for deeper analysis in Wireshark or other packet inspection tools.
Suricata-driven threat detection: The sandbox automatically flags malicious network behavior, including botnet communications, exploit attempts, and data exfiltration.
Network activity displayed inside ANY.RUN Linux sandbox
Faster investigations: Reduce time spent on manual traffic analysis with live, actionable insights and automated reporting.
Real-World Linux Malware Analyzed in ANY.RUN Sandbox
To demonstrate the power of ANY.RUN’s Linux Sandbox for malware traffic analysis, let’s examine three real-world Linux malware cases:
Case 1: Gafgyt (BASHLITE) – Massive DDoS Attack
Gafgyt, also known as BASHLITE, is a notorious Linux botnet malware that infects IoT devices and servers to launch DDoS attacks.
After examining it inside ANY.RUN’s sandbox, we can see that the malware hijacked the VM, turning it into a botnet. It then attempted to establish connections with over 700 different IP addresses, flooding the network with malicious traffic.
Network connections observed inside ANY.RUN Linux VM
After examining it inside ANY.RUN’s sandbox, we can see that the malware hijacked the VM, turning it into a botnet. It then attempted to establish connections with over 700 different IP addresses, flooding the network with malicious traffic.
Try advanced malware analysis firsthand with ANY.RUN’s Enterprise plan
The malware established connections with botnet C2 servers, triggering a Suricata alert due to suspicious network behavior.
You can observe this detection in the “Threats” section under Network Activity Analysis in ANY.RUN:
Suricata rule triggered by Gafgyt malware
ANY.RUN provides a PCAP export feature, allowing you to analyze captured network traffic in Wireshark or other specialized tools by exporting the packet capture file for deeper inspection and threat analysis.
PCAP export feature for deeper analysis
Case 2: Mirai – Detecting Malicious Network Behavior
Mirai is a notorious Linux-based malware that primarily targets IoT devices, such as routers, cameras, and other connected systems. It infects devices by exploiting weak or default credentials, turning them into botnet nodes used for large-scale DDoS attacks.
Once infected, these compromised devices begin scanning the internet for other vulnerable systems to expand the botnet.
In this analysis session, we observe a Mirai attack within a controlled environment using ANY.RUN’s Interactive Sandbox.
The malware’s behavior was automatically detected, as it triggered a Suricata rule, confirming its presence through network traffic analysis.
The session shows how Mirai communicates, spreads, and attempts to establish connections with remote servers.
Suricata rule triggered by Mirai malware
Case 3: Exploit – Behavioral Detection in Network Traffic
Exploits are a common attack vector used by threat actors to gain initial access to Linux systems. These attacks take advantage of system vulnerabilities, often unpatched software or misconfigurations, to execute malicious payloads, escalate privileges, or establish persistence.
Once inside, attackers can deploy additional malware, steal sensitive data, or take full control of the compromised machine.
Improve network security: Identify and block malicious traffic before it spreads.
Get deeper insights: PCAP exports and interactive analysis allow teams to get deeper insights.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.
Many of the general recommendations related to the use of these platforms are tailored towards purchasing items; however, there are several threats to those selling items as well.
Recent phishing campaigns targeting sellers on these marketplaces have leveraged the platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts.
Shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by these platforms.
There are several steps that sellers can take to help protect themselves and their data from these threats. Being mindful of the common scams and threats targeting sellers can help sellers identify when they may be being targeted by malicious buyers while it is occurring so that they can take defensive actions to protect themselves.
The emergence of online marketplaces has facilitated the convenient exchange of goods between individuals and organizations around the world. It has also provided a means for people to easily resell items, enabling them to recapture value from assets they may not otherwise wish to maintain ownership of. The type of new and used items sold via marketplaces varies widely, and platforms such as Ebay, Facebook Marketplace, Reverb, and others are extremely popular avenues for selling everything from $15 vintage tissue boxes to $40,000 Gibson Les Paul guitars. You can even find $70,000,000 domains targeting affluent individuals with above-average BMIs being sold on online marketplaces.
When we think about online safety in the context of these platforms, we often concentrate the majority of our efforts and recommendations on the threats targeting buyers. In many cases, scammers are also actively targeting the people selling items on these platforms as well. From an adversarial perspective, it makes sense to target sellers, as these are likely to be individuals with large amounts of cash sitting in their accounts as they frequently receive payments for items they sell. Likewise, adversaries can easily monitor the public listings of seller accounts to identify when high-value items are listed, as well as when they are sold, so that they can identify when a target could reasonably be expected to receive an influx of cash into their accounts.
Likewise, many platforms train their sellers to expect frequent, unsolicited account verification prompts delivered in any number of ways, which provides the perfect pretext for scammers seeking to take advantage of this pool of targets. From a detection and analysis standpoint, these types of attacks are often difficult to effectively combat, as platform providers, intelligence analysts, and law enforcement agencies are forced to primarily rely on self-reporting from victims to quantify the scope and impact of these types of threats. Let’s break down a few examples of some of the most common scams that target the individuals or organizations selling products on online marketplaces.
Phishing and malware scams
While some scams attempt to fraudulently steal items, others are primarily aimed at stealing financial information from sellers by leveraging the platform’s messaging feature(s) as a mechanism to directly communicate with them for the purposes of phishing or malware distribution. In some cases, phishing is used to compromise the seller account itself, enabling the attacker to manipulate listings, shipments, modify automated payout settings, and communicate with current and previous buyers to conduct additional fraudulent activities. In other cases, phishing is used to obtain financial information, such as bank account or credit card information, that can be used to steal money from the seller.
Payout account verification scams
In a recent example, a /r/guitarpedals user reported that they had received a suspicious direct message on their Reverb seller account. The message was crafted to appear as if it was sent from the Reverb team itself. It informs the seller that their item has sold and prompts them to complete account verification to ensure that they receive payment for the item(s) they have sold.
A hyperlink, present in the message (and shown below), attempts to leverage Reverb’s own redirection functionality to direct victims who click on the hyperlink to a malicious web server under the attacker’s control.
This technique uses percent encoding, an obfuscation technique, to mask the destination of the redirect and make it appear as if the link is pointing to the legitimate Reverb website.
This URL, when accessed, returns an HTTP/302 redirection to another attacker-controlled web server, but ultimately the victim receives the following landing page. The attacker has put effort into making sure it appears legitimate and mimics what the victim expects to see. A chat message prompts the victim to complete the verification process by following the on-screen instructions.
A “Receive Funds” button has been positioned behind the chat popup shown in the previous screenshot. When the victim clicks this button, they are presented an input form and prompted to provide the credit card information necessary to verify their desired payout account. Throughout this process, additional chat message popups are delivered to lend credibility to the process.
Since this is the account the seller would like to use to receive payments for items sold on the platform, it likely also contains any funds associated with previous sales, and will likely frequently receive lump sums when future items are sold, presenting a myriad of opportunities for attackers to monetize the account and assets within it, now or in the future. For example, if a threat actor successfully obtains credit card details for a seller account with multiple high-value items actively listed, they can simply wait until an item sells before attempting to monetize it.
Assuming the victim enters valid credit card details, a message will be displayed requesting additional information.
The additional information in this case is the balance of the account that is being “verified.” A new chat message appears, prompting the user to enter the balance in their account, presumably so that the attacker can more effectively prioritize which accounts to empty first.
Assuming the victim enters their balance information, they are presented with the following message letting them know that it will take a period of time before they notice any changes to their accounts.
At this point, the adversary has obtained credit card details that they can then monetize however they choose. It’s important to note that while this particular example targeted sellers using the Reverb platform, most other online marketplaces experience similar threats as well. We have also observed Reverb often taking rapid response actions when attempting to send messages containing percent-encoded hyperlinks, indicating that the platform is aware of the issue and has put in place some mechanisms to help reduce the frequency and quantity of these types of messages on the platform.
Reverb also presents warning messages to let users know when they are being redirected to a third-party domain, as shown in the screenshot below.
It is important to always validate the destination of hyperlinks received from unsolicited sources and to limit access to off-platform resources when conducting business on online marketplaces.
It is also important to note that direct messaging within marketplaces is not the only mechanism used for this type of scam. Below is a screenshot of an email received by a Shopify storefront owner attempting to convince them to verify their payout account information, similar to the previous example described above.
Below is another example. In this case, the threat actor has sent an email claiming that the seller has received a chargeback claim from a customer and prompting them to take action. Since chargebacks are often received for a variety of reasons, sellers may be more easily convinced to provide account or credit card information when prompted with a claim related to a chargeback.
If an email is received from an online marketplace, the platform will typically also provide warning messages, banners, and other mechanisms to alert sellers of the same issue. In the case that a seller receives an unexpected email related to payment issues, sellers should attempt to resolve issues directly on the platform rather than accessing content or responding to the email.
Scams to remove seller protection
When selling new or used items using online marketplaces, one of the most important elements influencing platform and payment method selection for many people are the seller protection policies in place. These policies often provide protection from common types of fraudulent claims that may be made by buyers, such as non-receipt, damage, etc. In order to remain in effect, they generally require both the buyer and seller to perform the transaction following certain requirements that enable proper resolution should an issue arise.
In an effort to remove these protections and make it easier to successfully monetize their scam(s), scammers posing as buyers will often attempt to convince sellers to conduct portions of the transaction “off-platform,” as this will void the protection policy that would otherwise be in place using a variety of different pretexts and themes. Likewise, some scammers target the shipping part of the transaction process, attempting to convince sellers to modify the shipping to void the seller protection policy afforded by the platform. By removing the ability for the seller to leverage the protection policy afforded by the platform used to sell the item, many of the normal recourse steps usually taken when dealing with fraudulent buyers are no longer available to the seller.
Off-platform transactions
Scammers also frequently use a variety of pretexts to attempt to convince sellers to perform the financial transaction associated with an item purchase using third-party platforms separate from the one on which an item was originally listed. They will attempt to trick victims into moving to an alternative mechanism for performing the transaction so that the seller loses most of the protection(s) afforded by the marketplace.
In many cases, scammers will use additional pressures, such as time sensitivity, urgency, or manipulated screenshots showing failed transaction attempts, to convince sellers to perform transactions using alternative means, such as wire transfers or money transfer platforms, where seller protections are limited and—in the case of fraud—most recourse options are no longer available.
There are countless examples of different pretexts being used in varying capacities, all ultimately for the same purpose, to convince sellers to leave the marketplace to perform the transaction elsewhere so that seller protections against fraudulent activity on the part of the buyer are removed.
Shipment detail changes
Since a seller account’s past and current item listings are easily accessible from the seller’s profile, it is easy for adversaries to leverage information contained within these listings (including photos) when building pretexts that are used to target the individual operating the seller account. One common way that adversaries leverage this information is by tailoring their messaging to account for both active and recently sold listings related to the seller they are communicating with.
In the screenshot below, a scammer is contacting sellers on Ebay claiming to be an individual who purchased an item recently sold by the seller(s). The scammer hopes that by timing their message properly, they can take advantage of sellers who may not be paying close attention to the username listed in the message. For many sellers who are managing large numbers of listings, it can often be overwhelming to maintain many different streams of communication and/or multiple transactions simultaneously, leading them to respond quickly or otherwise take action (like modifying shipping instructions) without properly validating the content of the message.
Online reports indicate that it is not uncommon to receive these types of unsolicited messages, regardless of whether a seller has recently sold an item, which may be due to some level of automation being used to generate and transmit the messages.
If the seller is convinced to change the destination address for the shipment due to receipt of one of these scam messages, the item that was sold may be shipped to an address under the attacker’s control. The attacker is then able to monetize the item while the original buyer does not receive the item that they purchased. Many of the protections afforded by online marketplace are lost when the shipping address used does not reflect what was present on the order at time of purchase, opening the seller to additional exposure as the buyer’s loss will still need to be resolved.
The “friends and family” option
Social media sites like Reddit have become very popular for posting used items to solicit interest from other users of a given subreddit. In some subreddits, there are even official or unofficial “Want to Buy / Want to Sell” (WTB/WTS) threads, where users can list items they are selling or items they would like to purchase. This creates an ideal pool of potential victims for scammers seeking to target users of these platforms.
Since Reddit is not an online marketplace, the transactions associated with this activity typically take place using money transfer platforms, such as Paypal, Zelle, or Venmo. Scammers will often leverage compromised accounts on these money transfer platforms when communicating with sellers (or buyers), often attempting to convince them to use the “friends and family” (or equivalent) payment option available on many of these platforms. Often, sending or receiving money with this option enabled removes many of the mechanisms in place to protect sellers from chargebacks and other fraudulent activity. Sellers should never enable this option when processing payments for goods they may sell via online marketplaces, social media sites, or in any transaction where protection against fraud is desired.
In some cases, this method may be combined with other methods seeking to convince sellers to perform transactions outside of established platforms, then once the seller has agreed, scammers can leverage this option to further remove seller protections.
Recommendations
Most of the online literature related to defending against the scams pervasive on online marketplaces is geared towards the buyer experience. Recent trends in social media reporting indicate that sellers are also being increasingly targeted. While some of the scams faced by sellers resemble those faced by buyers, there are many that are unique. It is important that individuals or organizations leveraging online storefronts and/or marketplaces be aware of these threats so that they can prevent themselves from falling victim.
It is extremely important that online marketplace accounts be protected with multi-factor authentication (MFA) whenever the platform supports this capability. This will provide an enhanced layer of security in cases where the account credentials are compromised as an additional authentication factor will still be needed to successfully access the account.
When posting listings for items, be mindful of any photos that accompany the listing. Not unlike posting images to other social media platforms, items or objects in the background may unintentionally disclose sensitive information that could be used for malicious purposes. The information provided could also be leveraged to create more convincing or effective pretexts for later scam activities targeting the seller(s).
Avoid using third party services or platforms when conducting business transactions on online marketplaces. Take advantage of the protections afforded by the platform and avoid taking any actions that may jeopardize them. Reasonable buyers will be willing and able to conduct business following the standard platform transaction process. Sellers should avoid feeling pressured or worried about losing a sale and insist that the transaction take place in accordance with the policies of the online marketplace platform.
Verify the account associated with any messages received on online marketplaces. Always spend the time to validate that the message was actually received from the account of the buyer who purchased any recently sold items. Likewise, most platform support teams will not contact users via direct messaging for account verification or other sensitive processes as most of the time, these processes are directly supported by the platform itself. If a seller receives a direct message purporting to be from the platform itself, caution should be exercised and the message should be validated by contacting the support team separately using the information published on the marketplace website.
Sellers should also avoid modifying destination shipping addresses after orders have been placed. If a buyer asks to change the shipping address for an item they recently purchased, sellers should consider suggesting that they change their address using the online marketplace itself and contact support facilitate the change prior to shipping. This helps ensure that the seller is not deviating from the order that was placed, and helps ensure that they do not lose the seller protections afforded by the platform.
Share this document
We created this handy guide for you to share with anyone you know who sells online:
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Indicators of Compromise
IOCs for this research can also be found at our Github repository here.
Can you imagine a world where, every time you wanted to go somewhere, you had to reinvent the wheel and build a bicycle from scratch? We can’t either. Why reinvent something that already exists and works perfectly well? The same logic applies to programming: developers face routine tasks every day, and instead of inventing their own wheels and bicycles (which might even be not up to par), they simply grab ready-made bicycles code from open-source GitHub repositories.
This solution is available to anyone — including criminals who use the world’s best free open-source code as bait for attacks. There’s plenty of evidence to back this up, and here’s the latest: our experts have uncovered an active malicious campaign, GitVenom, targeting GitHub users.
What is GitVenom?
GitVenom is what we named this malicious campaign, in which unknown actors created over 200 repositories containing fake projects with malicious code: Telegram bots, tools for hacking the game Valorant, Instagram automation utilities, and Bitcoin wallet managers. At first glance, all the repositories look legitimate. Especially impressive is the well-designed README.MD file — a guide on how to work with the code — with detailed instructions in multiple languages. In addition to that, attackers added multiple tags to their repositories.
Attackers used AI to write detailed instructions in multiple languages
Another indicator reinforcing the apparent legitimacy of these repositories is the large number of commits. The attackers’ repositories have tons of them — tens of thousands. The attackers weren’t, of course, manually updating each of the 200 repositories to maintain authenticity, but simply used timestamp files that updated every few minutes. The combination of detailed documentation and numerous commits creates the illusion that the code is genuine and safe to use.
GitVenom: Two years of activity
The campaign started a long time ago: the oldest fake repository we found is about two years old. In the meantime, GitVenom has affected developers in Russia, Brazil, Turkey, and other countries. The attackers covered a wide range of programming languages: malicious code was found in Python, JavaScript, C, C#, and C++ repositories.
Regarding the functionality of these projects, the features described in the README file didn’t even match the actual code — in reality, the code doesn’t do half of what it claims. But “thanks” to it, victims end up downloading malicious components. These include:
A Node.jsstealer that collects usernames and passwords, crypto wallet data, and browser history, packages the stolen data into a .7z archive, and sends it to the attackers through Telegram.
A clipper that searches the clipboard for crypto wallet addresses and replaces them with attacker-controlled addresses. Notably, in November 2024, the hacker wallet used in this attack received a one-time deposit of about 5 BTC (approximately US$485,000 at the time of the study).
You can read more about the details of this malicious campaign in our full research published on SecureList.
How to protect yourself from malicious code on GitHub
In short, the best defense is vigilance. Since over 100 million developers use GitHub, attackers will likely continue to spread malicious code through this popular platform. The only question is how they’ll do it — a decade ago, no one imagined that attackers would be able to conduct campaigns like GitVenom for so long and with such persistence. Therefore, every developer should maintain their cybersecurity hygiene when working with GitHub.
Analyze code before integrating it into an existing project.
Check less obvious indicators carefully: contributor accounts, the number of stars (likes), and the project creation date. If the account was created three days ago, the repository two days ago, and it only has one star, there’s a good chance the project is fake and the code is malicious.
Don’t download files from direct links to GitHub shared in chats, suspicious channels, or on unverified websites.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-25 09:06:422025-02-25 09:06:42Malicious code in fake GitHub repositories | Kaspersky official blog
We live in the age of AI hype. Artificial intelligence is here, there, and everywhere – so promising, slightly mysterious, but undeniably guiding humanity toward a brighter future of technological singularity that’s still somewhat incomprehensible and potentially a black hole.
Some readers might detect sarcasm in this statement – but that would be a mistake. Machine learning-driven automation (ML), neural networks, and other AI technologies have already taken over many industries. And there’s more to come in the evolution of Homo sapiens. If you’re interested in diving deeper into this topic, check out the history of the various industrial revolutions: first, second, third, and even fourth.
In line with this trend, cybersecurity was perhaps one of the pioneers in adopting new, smart technologies. And what makes me particularly proud of this process is that our company was one of the first in the industry to successfully implement this bright AI-driven future. How else could we possibly handle nearly half a million new malicious programs emerging every single day as of early 2025? No educational system in the world can produce enough experts to keep up with that. The only solution is to create intelligent systems capable of independently and highly accurately neutralizing cyberattacks. Experts are then left with only the most complex cases – and, of course, the challenging task of inventing and continuously improving these systems.
A few days ago, we celebrated an exciting anniversary. Twenty years ago was born the prototype of our first AI/ML technology for automatic malware analysis and the creation of “detections” – antivirus updates that protect computers, gadgets, and other devices from new attacks.
The technology was given a name that’s rather odd at first glance – Avtodyatel, which translates as Auto-Woodpecker! But there’s a simple explanation for it: within our team, security analysts were affectionately referred to as woodpeckers – tirelessly pecking away at viruses and processing streams of suspicious files. And then we added the “Auto” to “Woodpecker” for the name of the tech designed to do this job automatically (incidentally, I was a woodpecker myself back then).
After digging through our archives, we found not only the birthdate of this first automation baby, but also some fascinating photos of the original plans for its creation. We even recalled its birthplace – the 14th floor of the Radiophysics building near the Planernaya metro station in northwest Moscow where we rented office space at the time. So get comfy, and I’ll tell you a fascinating story. It all started kinda like this…
A quarter of a century ago, malicious programs were much rarer – and, paradoxically, much more advanced – than today’s typical malware, despite being written by pioneering enthusiasts, inventive lone programmers, and cyber pranksters. This made researching them a real pleasure – each new virus taught you something new. Back then, like my fellow woodpeckers, I manually analyzed the stream of malicious programs – what would now be called “malware research”.
By that time, it was already difficult to compile all existing malware into a single reference book as had been done back in 1992. But we still managed the flow, and at the end of each work week, I manually compiled antivirus database updates.
However, over time, malware creation evolved from mere mischief and boundary-pushing into a full-fledged criminal industry. Cybercriminals no longer just wanted to infect as many computers as possible – they sought to profit from it. For example, they harvested email addresses from infected machines and sold them for spam distribution.
Sensing profit, these bad actors triggered exponential growth in malware production. But instead of inventing fundamentally new threats, they started mass-producing slightly modified versions of existing ones. And I realized we couldn’t keep up manually; if we were to continue down this path, we’d drown in an endless flood of cyber-garbage.
Fortunately, technological advancements at the time required much smaller investment and less development time. You could just buy some pizza (pineapple-topped, of course!), gather a few brilliant minds in a meeting room, and spend a couple of hours brainstorming project ideas. And so, on February 22, 2005, I assembled my colleagues to develop plans for automating our malware analyst work.
Just take a look at this beauty!
We had some primitive automation tools before, of course. But Auto-Woodpecker was the first system with a fundamentally new level:
It freed up valuable experts from repetitive tasks, allowing them to focus on more advanced challenges.
It massively scaled up operational efficiency.
It helped highlight similar (or related) incidents for further analysis.
In simple terms, the system automatically received new files from agents (“crawlers”) that scanned websites, email traps, and network sensors. These files were then automatically unpacked and executed in a secure environment – an artificial setting designed to observe malware behaviour.
There, the samples were analyzed by automated scanners, classified, and then compiled into antivirus databases.
The key challenge when encountering a new malware sample was determining whether it was a never-before-seen threat, or simply a variation of a known one. This is where the file auto-classifier (marked as “FF” in the diagram above) came into play, utilizing AI/ML principles – now an essential feature in nearly every cybersecurity product (except for fraudulent ones).
It didn’t work perfectly at first, but it quickly improved. We systematically documented all our ideas, detailed how subsystems would interact, how data would be exchanged, and how false positives would be handled. Then we rolled up our sleeves and got to work.
A few months later, the first version of Auto-Woopecker went live.
The results were instant and dramatic. Previously, five of us manually analyzed around 300 malware samples per week – an impressive number at the time. But with Auto-Woodpecker our productivity skyrocketed. And as the technology improved, this skyrocketing just kept on… skyrocketing!
Before long, Auto-Woodpecker was processing the entire incoming stream – leaving only 2-5% of all suspicious files for manual expert review. Today, of course, our tools are far more advanced, and AI-driven technologies play an even bigger role in cybersecurity.
To give you a glimpse of how far we’ve come, here are just a few recent examples:
Kaspersky MLAD (Machine Learning for Anomaly Detection): A predictive analytics system that detects early signs of equipment failure, process disruptions, cyberattacks, and human errors in industrial telemetry signals – long before they cause real damage.
Kaspersky MDR (Managed Detection and Response) This service has been using an AI analyst for several years to filter out false positives, reducing the workload on SOC specialists and allowing them to focus on complex threat investigations.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-24 12:06:412025-02-24 12:06:41Auto-Woodpecker’s anniversary! | Kaspersky official blog
Your messaging-app account might be of interest to more than just jealous spouses or nosy coworkers. Stolen WhatsApp accounts fuel large-scale criminal activity — ranging from spam distribution to complex scam schemes. That’s why cybercriminals are constantly on the lookout for WhatsApp accounts — using various methods to hijack them. Here are eight signs your account may already be compromised.
You get replies to messages you never sent.
Friends complain about strange messages coming from your account.
You notice deleted messages in chats, including from yourself — even though you never sent or deleted anything there.
You receive a WhatsApp login verification code that you didn’t request or expect.
Your account has a status or has posted stories you didn’t create.
Your profile picture, name, or account description has changed unexpectedly.
You’ve been added to chats or groups you never joined.
When you try to log in, WhatsApp informs you that your account is in use on another device and prompts you to re-register (this is the most telling sign).
Pay special attention to the first three signs, and act immediately if you notice them — hackers often use compromised accounts to scam a victim’s friends and family. They might impersonate you to request urgent financial help, promise gifts, or invite people to participate in fake polls. In any of these cases, your friends could get scammed — with your unwitting help.
Two ways hackers can hijack your WhatsApp account
Cybercriminals can take control of your WhatsApp account in one of two ways. They either add another device to your account using the “Linked devices” feature, or re-register your account on their device as if you’d bought a new phone.
In the former case, you continue using WhatsApp as usual but the criminals also have access to it, including to your recent conversations.
In the second case, you lose access to your account, and when you try to log in, WhatsApp notifies you that your account is in use on another device. The attackers can control your account, but won’t have access to your past conversations.
What to do if your WhatsApp account has been hacked
Make sure the SIM card linked to your WhatsApp account is inserted in your smartphone.
Open WhatsApp on this smartphone.
If it opens normally:
Go to the WhatsApp settings — Settings on iPhone, or the additional menu (three dots) on Android. Tap Linked devices.
Tap each device listed on this page.
Tap Log Out. This will disconnect all additional devices from your account and cut off the attackers.
If the messenger tells you that you’re logged out and need to register:
Enter your phone number.
Request a one-time registration code.
Wait for an SMS or a voice call with the code.
Enter the received code.
If your account was protected with a two-step verification PIN, after entering the one-time registration code, enter your PIN as well.
WhatsApp may offer to restore your chats and settings from a backup in iCloud, Google Drive, or local storage. Accept!
If you hadn’t previously set a two-step verification PIN, but WhatsApp requests it after you enter the one-time code, the attackers may have set a PIN to prevent you from regaining access to your account.
The PIN can be reset using the Forgot PIN
If an email address is linked to your WhatsApp account, you’ll receive a PIN reset link instantly. Go to your email, open the latest message from WhatsApp, tap the link inside, and then Confirm. After this, you can return to WhatsApp and set a new PIN.
If you hadn’t linked an email address, you can still request a PIN reset, but you’ll have to wait a week before the PIN is removed. During this time, your WhatsApp account will remain inaccessible. After a week, you can log back in to your account following the instructions above.
Once you’ve completed these steps, the attackers will be disconnected from your account. However, they may attempt to hijack it again, so be sure to follow the security tips below.
Warn your friends and family
Attackers may have sent tragic or provocative messages to your contacts, impersonating you. To ensure no one panics thinking you’re in hospital, got arrested, or had an accident — and to prevent them from sending money to “help” — inform as many people as possible that your account was hacked and that they should ignore any strange or unexpected messages sent earlier. For close friends, family, and coworkers, it’s best to call them personally. A less intrusive way to warn many people at once is to update your WhatsApp status. Go to Settings, tap your name, and in the About field, write something like, “My WhatsApp was hacked! Don’t trust messages from me, don’t send money, no help is needed”. It’s also a good idea to post the same warning on other social networks.
If your account has been restricted or banned for spam
If hackers used your account to send spam, WhatsApp may temporarily restrict it for a few hours or days. After following the steps above and regaining control of your account, you may find you’re unable to send messages.
In this case, appeal the restriction using the Request a review button, found under the notification about the imposed restrictions. After tapping this button, the restriction won’t be lifted immediately — depending on WhatsApp’s internal algorithms, it can take anywhere from a couple of hours to three days. Unfortunately, there’s no way to speed up this process.
How to protect your account from being hacked again
We’ve provided a detailed guide on WhatsApp security and privacy settings in a separate article, but here are the key points:
Enable two-step verification in WhatsApp and memorize your PIN — it’s not a one-time code. To do this, go to Settings → Account → Two-step verification.
Never, ever share your PIN or one-time registration codes with anyone. Only scammers ask for these details.
WhatsApp recently introduced support for passkeys. If you enable this option (Settings → Account → Passkeys), logging in to your account will require biometric authentication, and instead of PIN codes, your smartphone will store a long cryptographic key. This is a very secure option, but it may not be convenient if you frequently change devices and switch between Android and iOS.
Set up a backup email address for account recovery: Settings → Account → Email address.
If you’ve already added an email address, log in to your email account and change your password to a strong, unique one. To store it securely, use a password manager, such as Kaspersky Password Manager.
Make sure you haven’t fallen victim to a SIM swap scam. Contact your mobile carrier — preferably in person — and verify that no duplicate SIM cards have recently been issued for your number. Also, make sure there’s no unauthorized call-forwarding set up on your number. Cancel any suspicious changes and ask the staff about additional security measures for your SIM card. These may include prohibiting SIM-related actions without your being present, an extra password required for authentication, or other protections. Available security measures vary significantly by country and mobile carrier.
Any security measures in WhatsApp will be of little use if your smartphone or computer is infected with malware. Therefore, be sure to install comprehensive protection on all your devices.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-21 13:07:062025-02-21 13:07:06What to do if your WhatsApp is hacked: a step-by-step guide | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
Benjamin Franklin once said, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” In much the same way, those who rush for efficiency without taking into account security end up neither efficient nor secure.
The past week the Department of Government Efficiency (or DOGE) has put on a clinic of how not to do things. For example, the Doge.gov website was easily and immediately compromised. Researchers were able to push updates to the public website via access to a database of government employment information. Not to be outdone the DOGE team hastily stood up the Waste.gov website which still had a placeholder WordPress default template, including the sample text which features an imaginary architecture firm called Études, from a default WordPress theme called Twenty Twenty-Four. This slapdash nonsense was hidden behind a password wall after the research information became public.
It’s really an excellent lesson in what happens when security is not taken into account and the instant ramifications. As an entire infosec community we’ve talked at length about how baking security into every decision is incredibly important and that trying to bolt on fixes after the fact not only doesn’t work but highlights the lack of rigor and awareness of security in the room – creating an attractive target.
Let’s take a deep breath, take a moment to create a more secure process, follow those processes, and ensure security is in place at every step – then we can attack matters of efficiency.
Newsletter reader survey
We want your feedback! Tell us your thoughts and five lucky readers will receive Talos Swag boxes.
Cisco Talos has published a blog on the ongoing research into Salt Typhoon. Cisco Talos been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, an issue that we have been concerned with for a long time here at Talos. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon.
A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders.
Why do I care?
State sponsored actors have been aggressively targeting global network infrastructure and understanding and mitigating these actions will help you improve your network infrastructure resilience.
So now what?
Cisco Talos has released an extensive list of preventative measures for general and Cisco-specific devices which can be found in the Salt Typhoon blog post.
Top security headlines of the week
Palo Alto Networks has warned that hackers are exploiting another vulnerability in its firewall software to break into unpatched customer networks. (TechCrunch)
Security researchers warn a critical vulnerability in SonicWall’s SonicOS is under active exploitation.(CyberSecurityDrive)
Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions. (TheHackerNews)
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-20 19:06:432025-02-20 19:06:43Efficiency? Security? When the quest for one grants neither.
About a year ago, UnitedHealth Group, the U.S. health-insurance giant, was targeted in one of the largest ransomware attacks ever. It had such far-reaching, severe consequences that new details about the attack and its aftermath have continued to emerge since the incident. To mark its anniversary, we’ve compiled a summary of all the data available today.
The ransomware attack on UnitedHealth Group
Before we proceed, let’s briefly introduce this organization to those unfamiliar with it. With a capitalization of approximately $500 billion, UnitedHealth Group is the largest company in the U.S. market for health insurance and healthcare services. It ranks ninth globally in terms of revenue — right after Apple.
UnitedHealth Group comprises two companies. One of them, UnitedHealthcare, focuses on health insurance. The other, Optum, specializes in delivering a broad spectrum of healthcare services ranging from pharmaceuticals and direct medical care to the IT systems underlying healthcare operations.
Optum Insight, one of Optum’s three divisions (and the most profitable), handles the latter. In the fall of 2022, UnitedHealth Group acquired the Change Healthcare platform, and Optum Insight integrated it. This digital platform processes insurance claims — acting as a financial intermediary between patients, healthcare providers, and insurers.
Change Healthcare was the target of the attack. On February 21, 2024, its systems were infected with ransomware — rendering the platform inaccessible. The incident wreaked havoc on the U.S. healthcare system, leaving many patients to shoulder the financial burden of medical expenses as insurance claims couldn’t be processed quickly. Healthcare providers were forced to process bills manually.
Recovering the compromised systems took several months. For instance, the Change Healthcare clearing service didn’t resume full operations until November. UnitedHealth Group even set up a dedicated website to track the restoration efforts. Even now, a year after the attack, the company is still regularly publishing updates on the website, and some systems are still listed as only “partially available”.
Timeline of the attack on UnitedHealth Group
A few months after the incident, on May 1, the CEO of UnitedHealth Group, Andrew Witty, was summoned to testify before Congress. From that testimony, the general public was finally able to learn about how the attack on the company unfolded.
According to Witty, the attack began on February 12. The attackers used compromised credentials to gain access to the Change Healthcare Citrix portal, which was used for remote desktop connections. Two-factor authentication should have stopped them but… it wasn’t enabled. Thus, attackers were able to gain entry simply by using the compromised credentials.
After gaining initial access, they began to move laterally and harvest data. The attackers clearly managed to collect a substantial amount of valuable data within the following nine days. In any case, on February 21, they deployed ransomware — initiating the encryption of Change Healthcare’s systems.
Faced with this situation, UnitedHealth decided to disconnect Change Healthcare data centers from the network to contain the ransomware attack.
Witty argued that the decision effectively prevented the infection from spreading to Optum, UnitedHealthcare, UnitedHealth Group, and any external organizations. However, the complete shutdown of a critical digital platform had a devastating impact on both UnitedHealth Group’s business operations and the broader U.S. healthcare system as a whole.
Thus, the most extensive ransomware attack of 2024 was caused by the absence of two-factor authentication on a remote desktop access portal — precisely the place where it absolutely should have been enabled. As Oregon Senator, Ron Wyden, summarized, “This hack could have been stopped with cybersecurity 101”.
UnitedHealth Group pays up
Several days after the breach, the BlackCat/ALPHV cybercrime gang claimed responsibility for it. The attackers claimed to have exfiltrated 6TB of confidential data — including medical records, financial documents, and personal information belonging to U.S. civilians and military personnel, among other sensitive information.
In March 2024, UnitedHealth Group paid a ransom of $22 million to the gang. But the story didn’t end there: after receiving the ransom, ALPHV feigned having their infrastructure seized by the FBI again. This was likely a ploy to double-cross one of their associates — pocketing the funds and disappearing into the ether.
Said associate claimed ALPHV had failed to give them their cut, and later teamed up with another ransomware gang — RansomHub. That gang made some of the stolen data public in April 2024, and then tried to extort more money from UnitedHealth.
Post by RansomHub demanding a second ransom from UnitedHealth Group. Source
It remains unclear whether UnitedHealth ever paid the second ransom, as there was no official confirmation. However, the demand was later removed from RansomHub’s website, and no further leaks of the stolen company data have been observed. Therefore, it can be assumed that the company did, in fact, pay twice. This is even more likely if one considers that the ransom amounts are dwarfed by the massive financial impact the attack had on UnitedHealth Group.
The aftermath of the ransomware attack on UnitedHealth Group
UnitedHealth Group posted $872 million in losses associated with the cyberattack in Q1 2024 alone. The company also estimated in its Q1 report that the annual cost of the breach could reach $1.35 to $1.6 billion.
Those initial estimates proved to be far too optimistic: predicted damage kept growing quarter after quarter, first increasing to $2.3 to $2.45 billion, and then to $2.87 billion.
By the end of the fiscal year, as reported by UnitedHealth Group in January 2025, the incident resulted in a total annual loss of $3.09 billion. Although the damage estimate for 2024 is now finalized, the total damage could still increase substantially as the company continues to deal with the consequences of the attack.
An official estimate of the number of individuals whose data could have been stolen by the cybercriminals took a long time to materialize. It was only eight months after the incident, on October 24, 2024, that UnitedHealth Group finally came up with a tally. It was a mind-boggling figure: 100 million, or nearly a third of the entire population of the United States.
Nevertheless, it would become evident that these estimations were as overly hopeful as the original predictions about the financial losses. Three months later, at the end of January 2025, UnitedHealth Group released an updated report that put the number of those impacted by the breach at 190 million.
Protecting your company against ransomware
Clearly, the most obvious lesson to be learned from the UnitedHealth Group breach is that two-factor authentication is a must for any public-facing service. Otherwise, a single compromised password could cause massive problems and billions of dollars in losses.
Essential as it is, two-factor authentication is by no means sufficient protection against ransomware. Defending corporate infrastructure from ransomware attacks must be multilayered. Here are some additional tips:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-20 18:06:482025-02-20 18:06:48The complete story of the 2024 ransomware attack on UnitedHealth
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities.
Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials. The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.
A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders.
No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims. The vulnerabilities in question are listed below. Note that each of these CVEs have security fixes available. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching of these vulnerabilities imperative.
Therefore, our recommendation — which is consistent with our standard guidance independent of this particular case—is always to follow best practices to secure network infrastructure.
The use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor. We have observed the threat actor actively attempting to acquire additional credentials by obtaining network device configurations and deciphering local accounts with weak password types—a security configuration that allows users to store passwords using cryptographically weak methods. In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers. The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.
Configuration exfiltration
In numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP. These configurations often contained sensitive authentication material, such as SNMP Read/Write (R/W) community strings and local accounts with weak password encryption types in use. The weak encryption password type would allow an attacker to trivially decrypt the password itself offline. In addition to the sensitive authentication material, configurations often contain named interfaces, which might allow an attacker to better understand the upstream and downstream network segments and use this information for additional reconnaissance and subsequent lateral movement within the network.
Infrastructure pivoting
A significant part of this campaign is marked by the actor’s continued movement, or pivoting, through compromised infrastructure. This “machine to machine” pivoting, or “jumping,” is likely conducted for a couple of reasons. First, it allows the threat actor to move within a trusted infrastructure set where network communications might not otherwise be permitted. Additionally, connections from this type of infrastructure are less likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected.
The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances. Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.
Configuration modification
We observed that the threat actor had modified devices’ running configurations as well as the subsystems associated with both Bash and Guest Shell. (Guest Shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities, including Bash.)
Running configuration modifications
AAA/TACACS+ server modification (server IP address change)
Loopback interface IP address modifications
GRE tunnel creation and use
Creation of unexpected local accounts
ACL modifications
SNMP community string modifications
HTTP/HTTPS server modifications on both standard and non-standard ports
Shell access modifications
Guest Shell enable and disable commands
Started SSH alternate servers on high ports for persistent access, such as sshd_operns (on port 57722) on underlying Linux Shell or Guest Shell
/usr/bin/sshd -p X
Created Linux-level users (modification of “/etc/shadow” and “/etc/passwd”)
Added SSH “authorized_keys” under root or other users at Linux level
Packet capture
The threat actor used a variety of tools and techniques to capture packet data throughout the course of the campaign, listed below:
Tcpdump – Portable command-line utility used to capture packet data at the underlying operating system level.
Tcpdump –i
Tpacap – Cisco IOS XR command line utility used to capture packets being sent to or from a given interface via netio at the underlying operating system level.
Tpacap –i
Embedded Packet Capture (EPC) – Cisco IOS feature that allows the capture and export of packet capture data.
Monitor capture CAP export ftp://<ftp_server>
Monitor capture CAP start
Monitor capture CAP clear
Operational utility (JumbledPath)
The threat actor used a custom-built utility, dubbed JumbledPath, which allowed them to execute a packet capture on a remote Cisco device through an actor-defined jump-host. This tool also attempted to clear logs and impair logging along the jump-path and return the resultant compressed, encrypted capture via another unique series of actor-defined connections or jumps. This allowed the threat actor to create a chain of connections and perform the capture on a remote device. The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.
This utility was written in GO and compiled as an ELF binary using an x86-64 architecture. Compiling the utility using this architecture makes it widely useable across Linux operating systems, which also includes a variety of multi-vendor network devices. This utility was found in actor configured Guestshell instances on Cisco Nexus devices.
Defense evasion
The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices (see “Infrastructure pivoting” section).
The threat actor routinely cleared relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable, to obfuscate their activities. Shell access was restored to a normal state in many cases through the use of the “guestshell disable” command.
The threat actor modified authentication, authorization, and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems.
Detection
We recommend taking the following steps to identify suspicious activity that may be related to this campaign:
Conduct comprehensive configuration management (inclusive of auditing), in line with best practices.
Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
Monitor your environment for unusual changes in behavior or configuration.
Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
Where possible, develop NetFlow visibility to identify unusual volumetric changes.
Look for non-empty or unusually large .bash_history files.
Additional identification and detection can be performed using the Cisco forensic guides.
Preventative measures
The following guidance applies to entities in all sectors.
Cisco-specific measures
Always disable the underlying non-encrypted web server using the “no ip http server” command. If web management is not required, disable all of the underlying web servers using “no ip http server” and “no ip http secure-server” commands.
Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
If not required, disable the guestshell access using “guestshell disable” for those versions which support the guestshell service.
Disable Cisco’s Smart Install service using “no vstack”.
Utilize type 8 passwords for local account credential configuration.
Use type 6 for TACACS+ key configuration.
General measures
Rigorously adhere to security best practices, including updating, access controls, user education, and network segmentation.
Stay up-to-date on security advisories from the U.S. government and industry, and consider suggested configuration changes to mitigate described issues.
Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of-life hardware and software.
Select complex passwords and community strings and avoid default credentials.
Use multi-factor authentication (MFA).
Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
Lockdown and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP(s)).
Disable all non-encrypted web management capabilities.
Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
Enhance overall credential and password management practices with stronger keys and/or encryption.
Use type 8 passwords for local account credential configuration.
Use type 6 for TACACS+ key configuration.
Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.
Analyst’s comments
There are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat actor, including the targeted nature of this campaign, the deep levels of developed access into victim networks, and the threat actor’s extensive technical knowledge. Furthermore, the long timeline of this campaign suggests a high degree of coordination, planning, and patience—standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.
During this investigation, we also observed additional pervasive targeting of Cisco devices with exposed Smart Install (SMI) and the subsequent abuse of CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software. This activity appears to be unrelated to the Salt Typhoon operations, and we have not yet been able to attribute it to a specific actor. The IP addresses provided as observables below are associated with this potentially unrelated SMI activity.
Legacy devices with known vulnerabilities, such as Smart Install (CVE-2018-0171), should be patched or decommissioned if no longer in use. Even if the device is a non-critical device, or carries no traffic, it may be used as an entry door for the threat actor to pivot to other more critical devices.
The findings in this blog represent Cisco Talos’ understanding of the attacks outlined herein. This campaign and its impact are still being researched, and the situation continues to evolve. As such, this post may be updated at any time to reflect new findings or adjustments to assessments.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-20 13:06:412025-02-20 13:06:41Weathering the storm: In the midst of a Typhoon
Static Analysis Skills You’ll Learn
Malware Decryption Skills You’ll Learn
Malware Behavior Analysis Skills You’ll Learn
Dynamic Malware Analysis Skills You’ll Learn
Scripts and Macros Analysis Skills You’ll Learn
Signs in network traffic
