Investigating Phishing Threats with TI Lookup: Use Cases from an Expert

TI Lookup from ANY.RUN is a versatile tool for gathering up-to-date intelligence on the latest cyber threats. The best way to demonstrate its effectiveness is to hear from actual security professionals about how they use the service in their daily work.  

This time, we asked Jane_0sint, an accomplished network traffic analyst and the first ANY.RUN ambassador, for her real-world cases of using TI Lookup. Lucky for us, she agreed to share her insights and sent us a few examples, which include finding intel on phishing kits like Mamba2FA and Tycoon2FA. 

About Threat Intelligence Lookup 

TI Lookup is a searchable hub for investigating malware and phishing attacks and collecting fresh cyber threat data. Powered by a massive public database of millions of samples analyzed in ANY.RUN’s Interactive Sandbox, it contains various Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs), from threats’ network activity to system processes and beyond. 

The service provides you with extensive search capabilities, allowing you to create custom requests that feature different data points to home in on specific threats. It offers: 

  • Quick Results: Searches for events and indicators from the past six months take just 5 seconds on average
  • Unique Data: It contains over 40 types of threat data, including malicious IPs, URLs, command line contents, mutexes, and YARA rules
  • Large Database: TI Lookup is updated daily with thousands of public samples uploaded to ANY.RUN’s sandbox by a global community of over 500,000 security professionals



Investigating the Mamba2FA Phishing Kit 

Mamba2FA is a phishing kit that has seen a significant rise over the past several months. To investigate this threat and gather more context, we can utilize a typical URL pattern commonly found in its campaigns. This pattern follows the structure {domain}/{m,n,o}/?{Base64 string}.

When translating this into an actual query for TI Lookup, we can use the following search string: 

Let’s break down this query: 

  • Asterisk (*): This wildcard character indicates any character string. It helps expand our search to include all domains used in Mamba2FA attacks, ensuring a comprehensive investigation
  • Question Mark (?): This is another wildcard character that indicates exactly one character or none at all. In our case, there are two question marks in the query. The first one is the wildcard that serves as a stand-in for the characters “m”, “n”, and “o” that are commonly used in Mamba2FA URLs. The second question mark is a part of the address. To escape it, we use the slash symbol
  • c3Y9: This is a Base64-encoded parameter found across Mamba2FA attacks. When decoded, it translates to sv=, which specifies the appearance of the phishing page
TI Lookup provides threat intel on all sandbox sessions with the matching command line strings

Submitting this search query to TI Lookup allows us to access plenty of results that match our string, from command lines with URLs to sandbox sessions where these command lines were logged. 

CyberChef recipe used for decoding the URL string

We can then collect the full URLs found, decode their Base64-encoded parts to reveal more information on the attack, and extract the list of domains from them. 
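As an added illustration (not part of the original article and not ANY.RUN's own code), the following Python reproduces the wildcard semantics described above on a few constructed command lines, then decodes the Base64 tail of each matching URL and collects the domains. The exact query string is not reproduced on this page, so the pattern `*/?/\?c3Y9*` is an assumption reconstructed from the bullet breakdown; the domains and the encoded payload are constructed sample values, not real infrastructure.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample command lines in the shape TI Lookup logs them (a browser
# launched with a phishing URL). Domains use the reserved .example TLD.
SAMPLE_PAYLOAD = base64.b64encode(b"sv=o365&e=victim@example.test").decode()
SAMPLE_COMMAND_LINES = [
    f'"C:\\Program Files\\Chrome\\chrome.exe" https://login-verify.example/m/?{SAMPLE_PAYLOAD}',
    f'"C:\\Program Files\\Chrome\\chrome.exe" https://secure-docs.example/o/?{SAMPLE_PAYLOAD}',
    '"C:\\Program Files\\Chrome\\chrome.exe" https://shop.example/sale/?ref=newsletter',
]

# "c3Y9" is the Base64 form of "sv=" (3 bytes align exactly to 4 Base64 characters).
SV_MARKER_DECODED = base64.b64decode("c3Y9")

# Assumed query, reconstructed from the article's breakdown: any domain, a
# one-character directory, then a literal "?" followed by the "c3Y9" marker.
MAMBA2FA_PATTERN = r"*/?/\?c3Y9*"

URL_RE = re.compile(r"https?://\S+")


def lookup_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate the wildcard syntax described in the article into a regex:
    '*' = any string, '?' = one character or none, '\\?' = a literal '?'."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # escaped character, match literally
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append({"*": ".*", "?": ".?"}.get(ch, re.escape(ch)))
        i += 1
    return re.compile("".join(out))


def find_matches(command_lines, pattern=MAMBA2FA_PATTERN):
    """Return the command lines that the wildcard pattern matches."""
    rx = lookup_pattern_to_regex(pattern)
    return [c for c in command_lines if rx.search(c)]


def decode_mamba2fa_url(url: str) -> dict:
    """Split a {domain}/{m,n,o}/?{Base64} URL and decode its Base64 query part."""
    parts = urlsplit(url)
    padded = parts.query + "=" * (-len(parts.query) % 4)  # tolerate stripped padding
    decoded = base64.b64decode(padded).decode("utf-8", "replace")
    return {"domain": parts.hostname, "path": parts.path, "decoded": decoded}


def extract_domains(command_lines):
    """Collect the domains of all matching URLs whose decoded query starts with 'sv='."""
    found = []
    for line in find_matches(command_lines):
        for url in URL_RE.findall(line):
            info = decode_mamba2fa_url(url)
            if info["decoded"].startswith("sv="):
                found.append(info["domain"])
    return sorted(set(found))


if __name__ == "__main__":
    for domain in extract_domains(SAMPLE_COMMAND_LINES):
        print(domain)
```

The decoded text is checked for the `sv=` prefix before a domain is kept, which filters out unrelated URLs that merely contain the four characters `c3Y9` somewhere in their query.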

Investigating the Tycoon2FA Phishing Kit 

Tycoon2FA is another phishing kit, which is known for faking Microsoft authentication pages to steal victims’ credentials. With the help of TI Lookup, we can collect plenty of intel on its latest samples and wider infrastructure.  

A good practice for constructing queries in TI Lookup is to link each condition of the query to specific features of the phishkit: 

  • If the phishkit hides its pages behind Cloudflare Turnstile, we add a condition for this; 
  • If there is content encryption, we add a condition for the encryption library; 
  • If the phishing page stores content on a specific CDN (Content Delivery Network), we add a condition for that as well.  

An example of this query construction method for searching Tycoon2FA phishkit attacks can be seen below. 

As noted, one of the signature features of this threat is the abuse of Cloudflare’s Turnstile challenges as a barrier for automated security solutions. For the challenge to work, Tycoon2FA loads the library api.js. 

During the challenge, Tycoon2FA also loads another library, crypto-js.min.js, which it uses at later stages of the attack to encrypt its communication with the command-and-control center (C2). 

The phish kit also accesses elements stored on the legitimate domain ok4static[.]oktacdn[.]com and utilizes them to build phishing pages designed to imitate Microsoft’s login pages. 

The two libraries and the domain make solid pieces of intel to pivot on using TI Lookup to find instances of Tycoon2FA attacks. 

TI Lookup pulls relevant threat data from sandbox sessions where both libraries were detected 

In response to the query, the service provides a list of matching events found in 20 decrypted sandbox sessions over the past 180 days. Queries built on this principle around domains return more results, because they are not limited to decrypted network sessions, but they also require a larger number of conditions in the query. We can collect the information and take a closer look at the sessions to observe attacks as they unfolded in real time. 

Tracking APT-C-36 Phishing Campaigns 

Threat Intelligence Lookup can be helpful in your investigations into campaigns that are attributed to advanced persistent threats (APTs). 

Consider the example of Blind Eagle, also known as APT-C-36, which is a group that targets Latin America. You can learn more about their activity in ANY.RUN’s article on the threats discovered in October 2024.  

Knowing that APT-C-36 uses phishing emails with attachments that contain malware, such as AsyncRAT and Remcos, and attempts to reach targets in LATAM countries like Colombia, we can put together a TI Lookup query to find more relevant samples related to their attacks: 

Results for the query investigating APT-C-36

The service provides 100 sandbox sessions that match our request along with events from those sessions. 

One of the phishing emails containing an AsyncRAT payload discovered via TI Lookup

Among them, we can find samples of actual phishing emails belonging to Blind Eagle’s campaigns which were publicly uploaded to ANY.RUN’s sandbox for analysis by users in Colombia. 

Identifying Phishing Attacks Abusing Microsoft’s Infrastructure 

Another useful way to use TI Lookup is to proactively research phishing attacks that load content from legitimate resources, the way genuine account login pages do. For example, attackers often reuse parts of the Azure Content Delivery Network (CDN), like backgrounds or login forms. 

To find these examples with TI Lookup, you can specify the Azure domain. However, it’s important to filter out non-malicious instances. You can do this by excluding Microsoft’s domains from the query using the NOT operator and setting the threat level to “suspicious.” You are free to add exceptions at your discretion if you wish to cleanse your query results of unsolicited submissions. 

We can also include parameters with empty values. This signals the system to show all possible results for those parameters.

Adding domainName:"" and suricataMessage:"" will display all domains and Suricata messages found across sandbox sessions that match our query. 

In response to our query, TI Lookup provides extensive threat data, including the Suricata rules that were triggered during analysis.

Suricata rules that match our query

We can also observe all the domains in sessions involving phishing attacks. We can collect them and examine each of them separately to check if they are used as part of attackers’ infrastructure. 

Apart from domains, TI Lookup also presents IP addresses and URLs

We also get a list of sandbox sessions that feature examples of actual phishing attacks abusing Microsoft’s infrastructure.  

Sandbox sessions that match our request

Let’s explore one of them in greater detail. 

Suricata rule displayed in the ANY.RUN sandbox

In this session we can see a Suricata rule that indicates a request to Azure’s content delivery network.  

You can build upon this search by adding a commandLine parameter. Specifically, we can tell the service to look for command lines that include URLs with the # anchor, which attackers use to add a victim’s email address. 


To find results with URLs containing email addresses, include the @ symbol in your query. Use the * wildcard to account for any characters between the anchor and the @ symbol. 

Command line data logged during ANY.RUN sandbox sessions 

Apart from relevant sandbox sessions, the service returns a list of command lines extracted from them, allowing us to see the URLs used by attackers that include emails of victims. 
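An added Python example (not from the article and not ANY.RUN's code) of the same filtering applied locally to exported command lines: it pulls URLs out of constructed sample lines, drops Microsoft's own domains the way the NOT operator does in the query, and extracts an e-mail address from the # anchor. The allowlist of legitimate domain suffixes and the sample domains are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample command lines; the domains are placeholders, not real infrastructure.
SAMPLE_COMMAND_LINES = [
    '"chrome.exe" https://portal-secure.example/index.html#victim@corp.example',
    '"chrome.exe" https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc',
    '"chrome.exe" https://files.example/#summary',
    '"chrome.exe" https://verify-account.example/#a.user@corp.example',
]

# Assumed allowlist: the legitimate domains excluded with NOT in the article's query.
LEGITIMATE_DOMAIN_SUFFIXES = ("microsoftonline.com", "microsoft.com", "live.com")

URL_RE = re.compile(r"https?://\S+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_legitimate(host: str) -> bool:
    """True when the host is one of the allowlisted domains or a subdomain of one.
    Suffix matching is anchored on a dot so 'microsoft.com.evil.example' is not allowed."""
    return any(host == s or host.endswith("." + s) for s in LEGITIMATE_DOMAIN_SUFFIXES)


def extract_fragment_emails(command_lines):
    """For every URL in the command lines, skip legitimate hosts and report any
    e-mail address carried in the '#' fragment (the victim's address, per the article)."""
    results = []
    for line in command_lines:
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = parts.hostname or ""
            if is_legitimate(host):
                continue
            match = EMAIL_RE.search(parts.fragment)
            if match:
                results.append({"domain": host, "email": match.group(0)})
    return results


if __name__ == "__main__":
    for hit in extract_fragment_emails(SAMPLE_COMMAND_LINES):
        print(f"{hit['domain']}  ->  {hit['email']}")
```

Only the fragment is inspected because that is where the article says the address is placed; the same function can be widened to `parts.query` if a campaign passes the address as a parameter instead.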

About ANY.RUN  

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 


The post Investigating Phishing Threats with TI Lookup: Use Cases from an Expert appeared first on ANY.RUN’s Cybersecurity Blog.


Spoofing via CVE-2024-49040 | Kaspersky official blog

Among the vulnerabilities highlighted by Microsoft on the latest patch Tuesday on November 12 was CVE-2024-49040 in Exchange. Its exploitation allows an attacker to create emails that are displayed in the victim’s interface with a completely legitimate sender address. It would seem that the vulnerability was fixed, but, as it turned out, on November 14, Microsoft temporarily suspended distribution of the updates for Exchange Server. In the meantime, we’ve already observed attempts to exploit this vulnerability. So far the cases have been isolated: it looks like someone is testing the proof of concept. That’s why we at Kaspersky’s Content Filtering Methods Research Department have added to all our email security solutions a method for detection of attempts to use CVE-2024-49040 for spoofing.

What’s the problem with the CVE-2024-49040 vulnerability?

CVE-2024-49040 is a vulnerability with a CVSS rating of 7.5 that’s relevant for Exchange Server 2019 and Exchange Server 2016 and classified as “important”. Its essence lies in an incorrectly formulated P2 FROM header processing policy. An attacker can use it to have this header contain two email addresses: the real one – which is hidden from the victim, and the legitimate one – which is shown to the victim. As a result, Microsoft Exchange correctly checks the sender’s address, but shows the recipient a completely different one that doesn’t look suspicious to the user (for example, an internal address of an employee of the same company).

With the November 12 patch, Microsoft added a new feature that detects P2 FROM headers that don’t comply with the RFC 5322 internet message format standard, and that should have fixed the situation. However, according to a post on the Microsoft blog, some users began to have problems with the Transport rules, which sometimes stopped working after installing the update. Therefore, distribution of the update was suspended and will be resumed after it’s re-released.

How to stay safe

To prevent your company’s employees from being misled by exploitation of CVE-2024-49040, we’ve added a rule for detecting attempts to exploit it to all relevant solutions that are used to protect corporate mail. It works in Kaspersky Security for Microsoft Exchange Server, Kaspersky Security for Linux Mail Server, and Kaspersky Secure Mail Gateway.
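As an added, defender-side illustration (not Kaspersky's detection logic and not part of the original post), the Python below applies a generic heuristic to raw From: header values: it flags a header that carries more than one address, or whose display name itself looks like an e-mail address that differs from the real addr-spec, which is the kind of mismatch the article describes (one address checked, a different one shown). The sample headers are constructed; the exact malformed shape used against Exchange is not on the page and is not reproduced here.

```python
import re
from email.utils import parseaddr

# Constructed sample From: header values (raw, as received, before any client rendering).
SAMPLE_HEADERS = [
    '"Alice Example" <alice@corp.example>',
    'alice@corp.example',
    '"ceo@corp.example" <attacker@mail.example>',
]

ADDR_SPEC_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check_from_header(value: str) -> dict:
    """Heuristic check of a From: header value. RFC 5322 permits a mailbox-list
    in From (with a Sender header), but for a mail gateway more than one address
    is rare enough to treat as suspicious, as is a display name that impersonates
    a different address than the one actually used."""
    display, addr = parseaddr(value)
    specs = {s.lower() for s in ADDR_SPEC_RE.findall(value)}
    reasons = []
    if len(specs) > 1:
        reasons.append("multiple addresses in From header")
    shown = ADDR_SPEC_RE.search(display or "")
    if shown and shown.group(0).lower() != addr.lower():
        reasons.append("display name shows a different address than the sender")
    if not addr:
        reasons.append("no parsable addr-spec")
    return {"display": display, "address": addr, "suspicious": bool(reasons), "reasons": reasons}


def scan_headers(values):
    """Return the check results for every header value that is flagged."""
    return [r for r in (check_from_header(v) for v in values) if r["suspicious"]]


if __name__ == "__main__":
    for result in scan_headers(SAMPLE_HEADERS):
        print(result["address"], "->", "; ".join(result["reasons"]))
```

For real mail, feed `msg["From"]` from `email.message_from_bytes` into `check_from_header`; the point is to evaluate the header as delivered rather than the address a client chooses to render.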


Notorious Ursnif Banking Trojan Uses Stealthy Memory Execution to Avoid Detection


Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) has identified a malicious campaign likely targeting business professionals across the United States.
  • The campaign employs a malicious LNK file, masquerading as a PDF with encoded data. This file is decoded by leveraging certutil.exe, which then delivers the next-stage payload: an HTA file.
  • The HTML Application (HTA) file contains VBScript that extracts and executes a lure document and a malicious DLL file, both embedded within the HTA file.
  • The DLL file acts as a Loader, decrypting the subsequent payload and shellcode, which are responsible for executing the Ursnif core component.  
  • The Threat Actor (TA) behind this campaign uses a multi-stage operation that executes entirely in memory, effectively evading detection by security products.
  • The final payload file (DLL) is identified as Ursnif malware, capable of establishing a connection with the C&C server and downloading additional modules to steal sensitive information from the victim’s machine.

Overview

CRIL recently identified an active malicious campaign utilizing a malicious LNK file as the initial infection vector, delivered within a ZIP archive, potentially through spam emails. This LNK file is cleverly disguised as a PDF, tricking users into thinking they are opening a legitimate document.

Based on the lure document observed in this campaign, CRIL has concluded that the campaign is likely targeting business professionals across the United States.

When executed, the LNK file runs a command via cmd.exe to invoke the legitimate certutil.exe tool on the compromised system. This process decodes and prepares the next-stage payload embedded within the LNK file. The decoded payload is identified as a malicious HTML Application (HTA) file, which is executed using the legitimate mshta.exe utility. Upon execution, the HTA file opens a PDF lure document to trick the victim and simultaneously drops a malicious DLL file embedded within its content. The DLL is then executed using regsvr32.exe.

The DLL functions as a loader, decrypting both the shellcode and another encrypted DLL file from its resource section, and then executing the shellcode. Once the shellcode is executed, it loads the decrypted DLL, which subsequently loads another embedded malicious DLL identified as Ursnif—a notorious banking trojan. Ursnif then establishes a connection to its Command and Control (C&C) server and retrieves additional payloads designed to steal sensitive information from the victim’s machine. The below image shows the infection chain of this campaign.

Figure 1 – Infection chain

Technical Analysis

The ZIP archive contains an LNK file disguised as a PDF. Once extracted, the file appears as “staplesds02_23.pdf,” but it is actually an LNK file with a dual extension (.pdf.lnk) crafted to mislead users into believing it is a legitimate PDF document. When the user opens the disguised LNK file, it triggers cmd.exe and leverages certutil.exe to decode and execute malicious content embedded within the file. The following image shows the command line configured within the malicious LNK file.

Figure 2 – Command line to decode the embedded content

Certutil is a Windows command-line utility primarily used for managing certificates. However, it is frequently abused by TAs to decode files encoded in Base64 format. In this case, the malicious LNK file contains Base64-encoded data, enclosed within the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags, as shown in the figure below.

Figure 3 – Partial content of LNK file

The decoded content results in an .hta file (HTML Application), which is saved in the system’s temporary directory (C:\Users\userprofile\AppData\Local\Temp) and executed using mshta.exe. The image below shows the content of the dropped HTA file.

Figure 4 – Partial content of HTA file

The initial section of the HTA file contains a VBScript designed to retrieve data from a remote server at hxxps://docusign-staples[.]com/api/key via an HTTP GET request. Once a response is received, the script verifies that the HTTP status code is 200 (OK) and that no errors occurred before executing further actions. If an error occurs or the status code is not 200, the script terminates its execution.

Upon receiving the response from the remote server, the VBScript decodes the response body into a readable string. It then extracts the first five characters from the decoded data and compares them to the hardcoded string “QG099.” If the strings do not match, the script terminates execution; otherwise, it continues with further actions.

When the first five characters of the decoded response body match the hardcoded string, the VBScript extracts a portion of the file’s content, starting at byte offset 7956 (1F14h) with a length of 138617 bytes. The image below displays a portion of the extracted content at this offset.

Figure 5 – Embedded PDF file

The extracted content, identified as a PDF, is saved in the temporary folder as staplesds.pdf. The script then opens this PDF, presenting it as a lure document to the victims. The figure below shows the lure document.

Figure 6 – Lure document

The figure below shows another lure document observed in this campaign.

Figure 7 – Lure document 2

Then, the VBScript disables Windows Defender protection by adding the C: drive to the exclusion list through PowerShell commands.

  • Add-MpPreference -ExclusionPath "C:" ; timeout 15

After adding the exclusion path, the VBScript extracts another large chunk of data from the file, starting immediately after the PDF content, and retrieves a block of 1,416,704 bytes. As shown below, this extracted data corresponds to a PE (Portable Executable) file.

Figure 8 – Embedded PE file content

The retrieved PE file is then saved as a DLL file named “x.dll” in the temporary location. Additionally, the script pads the newly created DLL file with empty spaces by writing 35 blocks, each containing 10 million space characters.

Finally, the HTA script sets the current working directory to the user’s Desktop and executes a command to use regsvr32, registering the newly created DLL file as a system component.

Loader DLL

Upon execution, the DLL calls the ntdll.LdrFindResource API to access a resource named “FAMILY.” This resource contains two encrypted pieces of content, which are stored within the executable, as shown below.

Figure 9 – Encrypted Resource Contents

The DLL reads the encrypted contents and decrypts them using a hardcoded key present in the file. The following figure shows the code snippet responsible for decrypting the encoded data.

Figure 10 – Decryption Loop

The first encrypted content is a shellcode that, when decrypted, is responsible for mapping another PE (Portable Executable) file into memory, as illustrated below.

Figure 11 – Decrypted Shellcode

The second encrypted content is a PE DLL file, which acts as another loader for executing the core module of the Ursnif component. This core component is responsible for establishing a connection to the C&C server and downloading additional Ursnif modules to steal sensitive information from the victim’s machine. The figure below shows the decrypted file, with control being transferred to the shellcode after decryption.

Figure 12 – Decrypted DLL and the control transfer to Shellcode

Shellcode Execution

Next, the shellcode copies the hardcoded API strings that are necessary for dynamically resolving the required APIs.

Figure 13 – Hardcoded API Names

The shellcode then passes the hardcoded checksum “0xBDBF9C13” of the “LdrLoadDll” to a custom function. This function scans the loaded DLLs in memory that have export functions. If an export function is found, it calculates the checksum based on the DLL name, then iterates through the APIs associated with that DLL, calculating the checksum for each API.

It adds the checksum of each API name to the DLL name checksum and compares the result with the hardcoded checksum. If there is a match, the shellcode identifies the corresponding address to dynamically resolve the “LdrLoadDll” function. Similarly, it resolves the “LdrGetProcedureAddressEx” API by passing the checksum “0x5ED941B5.”

Figure 14 – Passing Hardcoded Checksum to Resolve APIs

After resolving, it uses LdrLoadDll and LdrGetProcedureAddressEx to resolve the following APIs:

  • VirtualAlloc
  • VirtualProtect
  • FlushInstructionCache
  • GetNativeSystemInfo
  • RtlAddFunctionTable 
  • LoadLibraryA

The shellcode then uses the VirtualAlloc API to allocate a new memory region. Afterward, it copies the decrypted DLL (previously extracted from the resource section) into this newly allocated memory, excluding the DOS header. To ensure the DLL can be executed properly, the shellcode modifies the memory protection of the allocated space using the VirtualProtect API, as shown below.

Figure 15 – Calling VirtualProtect API

Finally, the shellcode calls the RtlAddFunctionTable API to add a dynamic function table to the list of function tables in memory. Afterward, it uses the FlushInstructionCache API to ensure that the changes made to the memory are permanently written and reflected in the processor’s cache. Once the necessary memory modifications are made, it proceeds to execute the loaded DLL by invoking the DllRegisterServer function, which typically registers the DLL with the system and allows its functions to be used for further malicious activities.

Second Stage DLL

The second-stage DLL contains another embedded DLL, which is the core component of the Ursnif malware. This DLL holds encrypted configuration data, including crucial information such as the C&C server address, user agent, bot-details, and more. Upon execution, the second-stage DLL loads the embedded DLL found in the .data section, maps it into memory, and modifies its protection using the VirtualProtect API. It then transfers control to the entry point of the DLL, as illustrated below.

Figure 16 – Transferring Control to the Core Component

The final DLL file now reads the encrypted configuration details stored in the .bss section, passes it through a decryption loop, and retrieves the C&C server details from the decrypted configuration, as shown below.

Figure 17 – C&C Server Details

The decrypted configuration file also contains additional information, such as the user agent details and the structure used for communication with the C&C server, as shown below.

Figure 18 – Decrypted configuration File

After decrypting the configuration file, the malware calculates a checksum based on the creation time of pagefile.sys or hiberfil.sys present on the system. It then generates a checksum of the victim’s username. To ensure that only one instance of the malware is running at any given time, it creates a mutex named “GlobalDbEls,” as shown below.

Figure 19 – Mutex Creation

After creating the mutex, the malware uses GetCurrentThreadId, OpenThread, and QueueUserAPC APIs to launch a new thread. This new thread is responsible for handling communication with the C&C server.

Figure 20 – Launching New thread

C&C Communication

The malware constructs a specific format for its C&C communication, which is shown in the figure below. This structure is designed to facilitate the exchange of data between the infected machine and the C&C server.

Figure 21 – Creating Structure for its C&C Communication

Field – Description

  • version – Bot version
  • user – Checksum calculated previously based on the victim’s username
  • group – Bot ID
  • system – Checksum created based on the creation time of pagefile.sys or hiberfil.sys
  • file – Checksum of the filename
  • arc – File architecture
  • crc – File checksum
  • size – File size

The malware then prepends a random string “emst=urxll&” to the created format, as shown below.  

  • emst=urxll&version=100123&user=810e007f91e84a5f&group=1000&system=61c6080c8c3fd701&file=8fd8a91e&arc=0&crc=00000000&size=0

The malware then utilizes the following APIs to encrypt the format it generated for its C&C communication, using AES encryption:

  • CryptAcquireContextW
  • CryptImportKey
  • CryptSetKeyParam
  • GenRandom
  • CryptReleaseContext
  • CryptEncrypt

After encryption, the malware invokes the CryptStringToBinaryA API to convert the encrypted content into a BASE64-encoded format, as shown below.

Figure 22 – Encrypted content for C&C communication

Finally, the malware generates a boundary and uses the following boundary and User-Agent string to communicate with its C&C server at “budalixt.top/index.html.” In this instance, the malware utilizes an outdated User-Agent for its communication, as shown below.

Figure 23 – C&C communication

In the next stage, the malware receives a response from the C&C server, which is intended to download and execute additional malware to carry out malicious activities. Unfortunately, we were unable to retrieve any response from the C&C server as it was down, preventing us from fully analyzing the next stage of the attack.             

Conclusion

The Ursnif malware campaign exemplifies the growing sophistication in cyber threats. By utilizing advanced techniques such as dynamic API resolution, encrypted payloads, and memory manipulation, Ursnif successfully evades detection and establishes secure communication with its C&C server. Each stage of the malware’s execution, from initial resource loading to the final encrypted C&C communication, is designed to ensure persistence, data exfiltration, and the ability to adapt to changing environments.     

Yara rule to detect the latest ursnif loader, available for download from the Github repository.      

Recommendations

  • This campaign reaches users via potential phishing campaigns, so exercise extreme caution when handling email attachments and external links. Always verify the legitimacy of the sender and links before opening them. 
  • Implement advanced email filtering solutions to detect and block malicious attachments and links.
  • Use EDR solutions to detect the execution of regsvr32 in unusual contexts or locations, especially when the DLL is from non-standard directories (e.g., AppData or Temp).
  • Limit the execution of scripting tools to necessary users only and enforce least privilege policies to prevent malware from escalating privileges and performing malicious actions.
  • The campaign abused the legitimate certutil and mshta utility; hence, it is advised to monitor the activities conducted by these tools and restrict access to limited users.
  • Implement behavior-based detection systems that can identify malicious actions, such as frequent attempts to contact C&C servers or unexpected encrypted data being transmitted.
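As an added example (not Cyble's code and not part of the original report), the Python below turns the recommendations above into detection logic and runs it over constructed process-creation events modelled on the chain described in this report: certutil decoding, mshta launched from a user-writable path, a Defender exclusion added with Add-MpPreference, and regsvr32 loading a DLL from Temp. The event tuples, user name and file names are constructed sample data; the rule names are assumptions.

```python
import re

# Constructed process-creation events as (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe", 'cmd.exe /c certutil -decode "staplesds02_23.pdf.lnk" out.hta && mshta out.hta'),
    ("cmd.exe", "mshta.exe", r"mshta.exe C:\Users\user\AppData\Local\Temp\out.hta"),
    ("mshta.exe", "powershell.exe", 'powershell Add-MpPreference -ExclusionPath "C:" ; timeout 15'),
    ("mshta.exe", "regsvr32.exe", r"regsvr32 C:\Users\user\AppData\Local\Temp\x.dll"),
    ("services.exe", "certutil.exe", "certutil -verify server.cer"),          # benign
    ("explorer.exe", "regsvr32.exe", r"regsvr32 /s C:\Windows\System32\msxml3.dll"),  # benign
]

# Each rule pairs an assumed name with a command-line regex. -decode and -decodehex
# are certutil's Base64 / hex decoding switches; the path rules key on user-writable
# directories, which the report calls out as the unusual location for regsvr32.
RULES = [
    ("certutil_decode", re.compile(r"\bcertutil(\.exe)?\b.*\s-decode(hex)?\b", re.I)),
    ("mshta_user_writable", re.compile(r"\bmshta(\.exe)?\b.*\\(AppData|Temp)\\", re.I)),
    ("defender_exclusion_added", re.compile(r"\bAdd-MpPreference\b.*-ExclusionPath", re.I)),
    ("regsvr32_user_writable", re.compile(r"\bregsvr32(\.exe)?\b.*\\(AppData|Temp|Downloads)\\", re.I)),
]


def match_rules(command_line: str):
    """Names of every rule whose regex matches the command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def detect(events):
    """Run all rules over the events and return one hit record per matching event."""
    hits = []
    for parent, image, cmd in events:
        names = match_rules(cmd)
        if names:
            hits.append({"parent": parent, "image": image, "rules": names, "cmd": cmd})
    return hits


def chain_score(events) -> int:
    """Number of distinct rules fired across the events. Several distinct stages
    firing on one host in a short window is a stronger signal than any single hit."""
    return len({name for hit in detect(events) for name in hit["rules"]})


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['image']}: {', '.join(hit['rules'])}")
    print("distinct stages observed:", chain_score(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow so that routine certificate management and system DLL registration do not fire; the combined `chain_score` is what distinguishes this multi-stage chain from an isolated, explainable use of one of these tools.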

MITRE ATT&CK® Techniques

Tactic – Technique – Procedure

  • Initial Access (TA0001) – Phishing (T1566): This campaign is likely to reach users through spam emails
  • Execution (TA0002) – Command and Scripting Interpreter: Windows Command Shell (T1059.003): Executes certutil.exe to decode the next-stage payloads
  • Defense Evasion (TA0005) – Masquerading: Masquerade File Type (T1036.003): The .lnk file is named to appear as a PDF file to deceive users
  • Defense Evasion (TA0005) – System Binary Proxy Execution: Mshta (T1218.005): Abuses mshta.exe to proxy execution of the malicious HTA file
  • Defense Evasion (TA0005) – Deobfuscate/Decode Files or Information (T1140): Decodes the embedded content with certutil
  • Command and Control (TA0011) – Application Layer Protocol: Web Protocols (T1071.001): Sends HTTP POST requests to communicate with its C&C server
  • Exfiltration (TA0010) – Exfiltration Over C2 Channel (T1041): System information and potentially other data are exfiltrated over the established C&C channel

Indicators of Compromise

Indicator – Indicator Type – Comments

  • fdc240fb8f4a17e6a2b0d26635d8ab613db89135a5d95834c5a888423d2b1c82 – SHA-256 – Zip file
  • dd20336df4d95a3da83bcf7ef7dd5d5c89157a41b6db786c1401bf8e8009c8f2 – SHA-256 – Malicious LNK file
  • 13560a1661d2efa15e58e358f2cdefbacf2537cad493b7d090b5c284e9e58f78 – SHA-256 – HTA file
  • hxxps://docusign-staples[.]com/api/key – URL – Remote server
  • hxxps://betterbusinessbureau-sharefile[.]com/api/key – URL – Remote server
  • aea3ffc86ca8e1f9c4f9f45cf337165c7d0593d4643ed9e489efdf4941a8c495 – SHA-256 – DLL file
  • budalixt[.]top/index.html – URL – C&C
  • 11a16f65bc93892eb674e05389f126eb10b8f5502998aa24b5c1984b415f9d18 – SHA-256 – Similar LNK file
  • 468d7a8c161cb7408037797ea682f4be157be922c5f10a812c6c5932b4553c85 – SHA-256 – Similar ZIP file


The post Notorious Ursnif Banking Trojan Uses Stealthy Memory Execution to Avoid Detection appeared first on Cyble.


ASEAN at the Forefront: U.S. Outlines New Defense Vision for Regional Stability


Overview

The United States has reaffirmed its commitment to nurturing a prosperous, secure, and sovereign Southeast Asia, anchored by the principles of self-determination, free trade, and mutual respect. Guided by ASEAN centrality, the U.S. Department of Defense revealed a comprehensive vision aimed at enhancing regional cooperation and supporting defense capacities in the face of evolving global challenges.

This strategic initiative emphasizes the United States’ long-standing partnership with Southeast Asia, promoting stability, sovereignty, and prosperity across the Indo-Pacific.

The vision statement comes at a critical time, reflecting the U.S.’s strategic alignment with ASEAN’s principles outlined in its Outlook on the Indo-Pacific. With the 15th anniversary of the ASEAN Defense Ministers’ Meeting-Plus (ADMM-Plus) approaching in 2025, the United States seeks to further deepen its ties with ASEAN member states by building capabilities in domain awareness, cyber defense, maritime security, and defense industrial capacity.

Here’s a detailed look at the U.S. Department of Defense’s key lines of effort and its broader implications for the Southeast Asian region:

Strengthening Regional Security and Sovereignty

At the heart of the U.S. vision is the goal of empowering ASEAN nations to safeguard their sovereignty against external coercion and illegal intrusions. By supporting enhanced domain awareness and defense capabilities, the U.S. aims to enable Southeast Asian countries to detect, respond to, and deter threats across air, maritime, cyber, and information domains.

Key efforts include:

  • Air Domain Awareness: Improving capabilities to monitor airspace, Exclusive Economic Zones (EEZs), and Air Defense Identification Zones, ensuring sovereignty and compliance with international agreements.
  • Cyber Defense: Enhancing collaboration with ASEAN’s Cybersecurity and Information Centre of Excellence (ACICE) through tabletop exercises, capacity-building programs, and professional training to address regional cyber threats.
  • Maritime Security: Strengthening maritime operational capabilities by leveraging AI-driven technologies and unmanned systems to enhance continuous presence and regional cooperation under international law.

These initiatives align closely with ASEAN’s Outlook on the Indo-Pacific, reinforcing a rules-based order and advancing collective resilience against emerging security threats.

Strengthening Historical Ties with ASEAN

The U.S. has had a longstanding relationship with ASEAN, dating back to the inaugural ASEAN Defense Ministers’ Meeting-Plus (ADMM-Plus) in 2010. Former U.S. Defense Secretary Robert Gates’ attendance at the meeting symbolized Washington’s commitment to engaging with ASEAN nations on defense and security. Since then, every U.S. Secretary of Defense has supported the forum, emphasizing its importance in addressing shared security challenges.

As the ADMM-Plus approaches its 15th anniversary in 2025, the U.S. aims to solidify these ties further. The alignment between the U.S. Indo-Pacific Strategy and ASEAN’s own Outlook on the Indo-Pacific reinforces mutual objectives, such as promoting transparency, good governance, and adherence to international law. These shared principles serve as the foundation for the U.S.’s renewed defense cooperation strategy.

Key Investments in Regional Security

The U.S. has made significant investments in strengthening the defense capabilities of Southeast Asian nations. Key milestones include:

  • $17 Billion in Military Sales: Since 2005, the U.S. has delivered advanced military equipment to ASEAN member states, addressing their security needs with cutting-edge capabilities.
  • 40 Annual Military Exercises: The U.S. conducts a range of bilateral and multilateral exercises with regional partners, involving over 30,000 personnel to enhance readiness and interoperability.
  • Training for Over 76,000 Defense Personnel: U.S.-sponsored professional military education programs have cultivated deep people-to-people ties and elevated the expertise of ASEAN defense officials.
  • $475 Million for Maritime Security: Through the Maritime Security Initiative, the U.S. has bolstered maritime operational capabilities for seven ASEAN nations, ensuring a common operating picture in regional waters.

These efforts demonstrate a strong commitment to empowering Southeast Asia to address emerging challenges independently while fostering collaboration with the U.S. and other allies.

Strategic Lines of Effort

To advance regional security, the U.S. has outlined six primary focus areas:

1. Domain Awareness and Defense

The U.S. is working to enhance regional capacity in the air, maritime, and cyberspace domains. Specific initiatives include:

  • Airspace Surveillance: Upgrading capabilities to monitor sovereign airspace and Exclusive Economic Zones (EEZs).
  • Cybersecurity: Partnering with Singapore’s ADMM Cybersecurity and Information Centre of Excellence to address capacity gaps and train cybersecurity professionals.
  • Maritime Operations: Leveraging AI and unmanned systems to enhance maritime domain awareness and protect regional waters.

2. Joint Exercises

The U.S. will expand its annual exercises, including Balikatan, Cobra Gold, and Super Garuda Shield, to improve partner readiness and interoperability. Plans are underway for a second ASEAN-U.S. maritime exercise in 2025, further cementing multilateral cooperation.

3. Education and Training

Programs like the Emerging Defense Leaders’ Program and longstanding International Military Education and Training (IMET) courses will continue to nurture the next generation of Southeast Asian defense professionals. The State Partnership Program also fosters enduring relationships between U.S. states and ASEAN nations.

4. Defense Industrial Capacity Building

The U.S. aims to support the region’s defense industrial growth through academic collaborations, science and technology demonstrations, and investment opportunities. These efforts seek to create a more integrated defense ecosystem, fostering resilience and innovation.

5. Institutional Capacity Building

Through initiatives like the ADMM-Plus Expert Working Groups (EWGs), the U.S. supports ASEAN’s institutional growth. Recent efforts include co-chairing the Military Medicine EWG alongside Indonesia, with a focus on Women, Peace, and Security principles.

6. Climate Resilience

The U.S. will collaborate with ASEAN nations to address the impacts of climate change on defense readiness. Workshops and technical demonstrations will provide member states with tools to enhance resilience and mitigate climate-related risks.

The Timor-Leste Factor

The U.S. supports ASEAN’s decision to admit Timor-Leste as its eleventh member and is committed to including the nation in its defense capacity-building initiatives. Assistance programs will focus on helping Timor-Leste meet accession milestones and integrate seamlessly into ASEAN’s security framework.

Challenges and Strategic Implications

The U.S.’s enhanced engagement in Southeast Asia comes against the backdrop of intensifying competition with China. By investing in defense capabilities, the U.S. seeks to counter coercive actions and illegal intrusions, particularly in contested maritime zones like the South China Sea. Additionally, the emphasis on cybersecurity reflects growing concerns over state-sponsored cyberattacks in the region.

However, the success of these initiatives hinges on ASEAN’s ability to maintain unity and speak with a collective voice on key issues. The U.S. vision aligns closely with ASEAN’s Outlook on the Indo-Pacific, but implementing these programs will require careful navigation of regional sensitivities and power dynamics.

Conclusion

The U.S. Department of Defense’s vision for Southeast Asia represents a strategic blend of historical ties, vigorous investments, and a forward-looking approach to regional security. By prioritizing sovereignty, transparency, and mutual respect, the U.S. aims to empower ASEAN nations to address shared challenges while fostering a stable and prosperous Indo-Pacific.

As the U.S. deepens its partnerships with ASEAN, its success will be measured not only in terms of defense capacity but also in its ability to uphold a rules-based international order that benefits the broader region.

Source: https://asean.usmission.gov/u-s-department-of-defense-vision-statement-for-a-sprosperous-and-secure-southeast-asia/

The post ASEAN at the Forefront: U.S. Outlines New Defense Vision for Regional Stability appeared first on Cyble.


Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform

By Philippe Laulheret

ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems.

Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:

This research project was also presented at both HITCON and Hexacon. A recording of the latter’s presentation is embedded at the end of this article.

What is ClipSp?

ClipSp is a first-party driver on Microsoft Windows 10 and 11 that is responsible for implementing licensing features and system policies, and as such it is one of the main components of the Client Licensing Platform (CLiP). Little is known about this driver; while most Microsoft drivers and DLLs have publicly available debug symbols, in the case of ClipSp, those were removed from Microsoft’s symbol server. Debug symbols provide function names and other related debug information that can be leveraged by security researchers to infer the intent behind the many functions of a binary; their absence hinders that. Surprisingly, the driver is also obfuscated, a very rare occurrence in Microsoft binaries, likely to deter reverse engineering even further. Limited public research exists, much of which either predates our findings or was released in response to our reports. The latter research also shares symbols from an older version of ClipSp, which could be a useful springboard for anyone wanting to research this driver. The most interesting aspect of this software involves implementing features related to licensing Windows applications from the Windows App store and activation services for Windows itself.

Deobfuscation

The driver is obfuscated with Warbird, Microsoft’s proprietary obfuscator. Luckily, past research comes in handy, and we can adapt it to suit our needs. The plan to deobfuscate the driver is to leverage the binary emulation framework Qiling to emulate the part of the driver responsible for decrypting the obfuscated sections, then dump the executable memory range and import it into our favorite reversing tool.

During normal operation, the obfuscation appears as follows:

[Screenshot from the original post; image not reproduced]

We can see that a decrypt function is called twice with different parameters, followed by a call to the actual function being deobfuscated and, finally, two calls to re-obfuscate the relevant section.

Using IDAPython, we can track all the references to the decrypt functions (there are actually two distinct functions) and recover their arguments by looking at the instructions that precede the function call where the RCX and RDX registers are assigned. Per the calling convention, these two registers hold the first and second arguments of the function. Then, we can feed this information to our modified Qiling script to emulate the decryption functions and dump the whole deobfuscated binary. Once the driver is deobfuscated, we can start reversing it to understand how Windows communicates with the driver, understand various business logic elements, and look for vulnerabilities.

Driver communication

Usually, drivers either register a device that can be reached from userland or export the functions that are meant to be used by other drivers. In the ClipSp case, things behave slightly differently. The driver exports a “ClipSpInitialize” function that takes a pointer to an array of callback functions that get populated by ClipSp, to then be used by the calling driver to invoke ClipSp functionalities. Grepping for “ClipSpInitialize” throughout the System32 folder shows that the best candidate for using ClipSp is “ntoskrnl.exe”, followed by a handful of filesystem drivers that use a limited amount of ClipSp functions. For the rest of this report, we will focus on how “ntoskrnl” interacts with ClipSp.

Analyzing the cross-references within the Windows kernel to ClipSp functions, it becomes clear that, to interact with them, a call to “NtQuerySystemInformation” with the SystemPolicy class is required. Other binaries in the CLiP ecosystem will issue these system calls, while also providing a remote procedure call (RPC) interface to decouple other software from the undocumented API. However, nothing stops us from interacting with the “NtQuerySystemInformation” endpoint directly, which becomes a handy trick to bypass some of the additional checks that are enforced by the intended RPC client library.

Obfuscated structures

Unfortunately for us, looking at how a legitimate binary interacts with the SystemPolicy class, we can see the following (from wlidsvc!DeviceLicenseFunctions::SignHashWithDeviceKey):

[Screenshot from the original post; image not reproduced]

This is another layer of obfuscation that encapsulates the data passed over to the API. The idea here is that a network of binary transformations (also known as a Feistel cipher) is used to encrypt the data with the various operations inline in the code (as seen above). Part of the API call will provide the list of operations that were used, and the kernel will call them directly with the appropriate parameters to decrypt the data. As such, the easier approach to dealing with this is to simply rip out both the encryption code and the associated parameters and re-use them in our own invocation of the API. Copying and pasting the decompiler’s output into Visual Studio is a little tedious but usually works fine. Before returning from the syscall, the resulting data is obfuscated in a similar fashion, and, once again, ripping out the data from a working implementation is the most straightforward way to deal with it. Overall, the data format looks as such:

[Diagram from the original post; image not reproduced]

The inner payload (left) is an array of size-value entries that contain the command number that needs to be executed, followed by the Warbird material used to encrypt the reply from the kernel, and finally command-specific data that depends on which ClipSp function is being invoked.

This data is then encapsulated into a structure that mostly specifies the number of entries in the provided array, and the whole thing then gets encrypted. The remaining Warbird data in the right-most part of the diagram instructs the kernel how to decrypt the provided data.

Here’s our best guess at the various available commands:

[Table of command numbers from the original post; image not reproduced]

Most of them call into ClipSp, but a few (especially in the <100 range) may be solely handled by the Windows kernel.

Sandbox considerations

Microsoft provides a tool to test if a piece of code can be run within a low-privilege context called a Less Privileged Application Container (LPAC) sandbox. Using this with our proof of concept, we can confirm that ClipSp’s APIs are actually reachable from an LPAC context. This is particularly interesting as these application containers are usually used to sandbox high-risk targets, such as parsers and browser rendering processes. As such, any elevation of privilege vulnerabilities we could find would likely double as sandbox escapes as well.

Processing licenses

Throughout the reversing process, we observed that the license files handled by ClipSp were quite interesting. They are usually obtained silently from Microsoft when interacting with UWP applications (both coming from the App Store and those installed by default, such as Notepad). They can also be used for other purposes, such as Windows activation, hardware binding, and generally providing cryptographic material for various applications.

At first, license files appear to be opaque blobs of data that are installed via the “SpUpdateLicense” command. This can be invoked following the process described above with the command “_id = 100”. Existing licenses are stored in the Windows registry at the following location:

HKLM\SYSTEM\CurrentControlSet\Control\{7746D80F-97E0-4E26-9543-26B41FC22F79}

Only the SYSTEM user can access this registry key. From an elevated prompt, the following command can open regedit as SYSTEM:

PsExec64.exe -s -i regedit

The format for these licenses is mostly undocumented, but looking at how they are being parsed is pretty informative. These licenses are in a tag-length-value (TLV) format, where the list of authorized tags is contained in an array of tuples of the form (tag, internal_index) hardcoded inside ClipSp. Upon parsing, a pointer to each valid TLV entry is stored in an array at the location indicated by the internal_index:

[Screenshot from the original post; image not reproduced]

Signature bypass (TALOS-2024-1964)

Licenses are signed by various signing authorities whose public keys are hardcoded in ClipSp. Verification code looks as such:

[Screenshot from the original post; image not reproduced]

The “entry_of_type_24” value is a pointer saved during the parsing of the license and points to its signature. The difference between “entry_of_type_24” and “License_data” is pointer arithmetic used to count the number of bytes from the beginning of the license blob up to its signature. 

During the parsing, this looks as such:

[Screenshot from the original post; image not reproduced]

If the internal index associated with the entry’s tag is 24, then the processing loop is temporarily exited. A pointer to the signature is saved, and if more data remains, the license processing is resumed.

We can see that this approach is flawed: If there is data after the license’s signature, it will still be parsed but not checked against the signature, effectively enabling an attacker to bypass the signature check of any license as long as they can get one that is already signed with the proper signing authority.

Out-of-bounds read vulnerabilities (TALOS-2024-1965, TALOS-2024-1968, TALOS-2024-1969, TALOS-2024-1970, TALOS-2024-1971, TALOS-2024-1988)

We can cross reference where the license structure and its array of pointers to the TLV data is being used, and what we find is many wrapper functions that return either the length/size of a given entry or the data associated with it. In most cases, this is done in a secure fashion, but there are a few entries that make assumptions on the size of the data provided in the license blob, which leads to a handful of out-of-bound read vulnerabilities. An example of such vulnerabilities can be seen in the following screenshots:

[Two screenshots from the original post; images not reproduced]

These two functions retrieve either the size of the DeviceID field or its content. However, if the data is formatted in such a way that line 11 is reached (i.e., no entry of type 5 in the license provided), then the data field of entry 18 is used to provide both size and value by dereferencing its pointer, without checking whether enough data was provided for that. For instance, if we append a DeviceID entry (type 18) at the end of a valid license blob but make its data field only one byte long, then the “get_DeviceIDSize” function will read one byte out of bounds, as it expects two bytes of data. Furthermore, any function that calls “get_DeviceID” will receive a pointer one byte past the end of the license file and will likely act on wrong information from the “get_DeviceIDSize” function, leading to further out-of-bounds (OOB) read problems.

Turning an OOB-read into an OOB-write (TALOS-2024-1966)

If we look specifically at the case described above, where the DeviceIDSize field can be read out of bounds, this creates a particularly interesting situation: the expected size of the DeviceID object can change throughout its lifetime if the data immediately adjacent in memory changes in a meaningful way. The first byte of data after the license blob will be read as the leading byte of the (unsigned short) value defining the size of the DeviceID. Looking at how these two functions are used in ClipSp, we can see that during the installation of a hardware license, the following happens:

[Screenshot from the original post; image not reproduced]

We can see multiple calls to the “get_DeviceIDSize” function, with one providing the size field to a memory allocation routine, while another call is used as a parameter to a “memcpy”. If the size field changes in between the two calls, this may lead to an out-of-bounds write vulnerability.  

Exploiting a vulnerability like this is far from trivial, as one would have to win a race condition between the two fetches while being able to shape the PagedPool heap in such a way that there’s meaningful data located right after the malicious license blob.
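
To make the two parsing defects concrete from the defender's side, here is an added example in C. It is not Talos's or Microsoft's code: it is a toy tag-length-value license checker modelled on the description above, in which the blob layout (little-endian 16-bit tag and length followed by the value), the tag-to-index table, all function names and the sample bytes are assumptions. It shows why a signature that covers only the bytes before the signature entry is not enough when parsing continues past that entry, how the DeviceID size lookup must fail when entry 18 is shorter than its own size prefix, and why the size used for a copy has to be fetched once and reused.

```c
/* Toy TLV license checker modelled on the ClipSp description above.  Added
 * example, not Talos's or Microsoft's code: the blob layout (little-endian u16
 * tag, u16 length, value), tag->index table, names and sample bytes are assumed. */
#include <stdint.h>
#include <string.h>

#define MAX_INDEX      32
#define IDX_DEVICE_LEN  5   /* article: an "entry of type 5" supplies the DeviceID directly */
#define IDX_DEVICE_ID  18   /* article: entry 18 carries [u16 size][DeviceID bytes] */
#define IDX_SIGNATURE  24   /* article: internal index 24 is the license signature */

/* Assumed (tag, internal_index) table standing in for the one hardcoded in ClipSp. */
static const struct { uint16_t tag; uint8_t index; } TAG_TABLE[] = {
    { 0x0105, IDX_DEVICE_LEN }, { 0x0112, IDX_DEVICE_ID }, { 0x0118, IDX_SIGNATURE },
};

typedef struct {
    const uint8_t *entry[MAX_INDEX];   /* value pointer per internal index, or NULL */
    uint16_t       entry_len[MAX_INDEX];
    size_t         signed_len;         /* bytes from blob start up to the signature entry */
    size_t         trailing_len;       /* bytes after the signature entry: not signed */
} license_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static int tag_to_index(uint16_t tag) {
    for (size_t i = 0; i < sizeof TAG_TABLE / sizeof TAG_TABLE[0]; i++)
        if (TAG_TABLE[i].tag == tag) return TAG_TABLE[i].index;
    return -1;   /* assumption: tags outside the table are skipped */
}

/* Record each entry by internal index.  Mirrors the flawed behaviour the article
 * describes: parsing continues past the signature entry, and a later entry with
 * the same index overwrites an earlier one.  Returns 0, or -1 when a header or
 * value runs past the blob or no signature entry exists. */
int parse_license(license_t *lic, const uint8_t *blob, size_t len) {
    memset(lic, 0, sizeof *lic);
    for (size_t off = 0; off < len; ) {
        if (len - off < 4) return -1;                     /* truncated header */
        uint16_t tag = rd16(blob + off), vlen = rd16(blob + off + 2);
        if (len - off - 4 < vlen) return -1;              /* value exceeds the blob */
        int idx = tag_to_index(tag);
        if (idx >= 0) {
            lic->entry[idx] = blob + off + 4;
            lic->entry_len[idx] = vlen;
            if (idx == IDX_SIGNATURE) lic->signed_len = off;
        }
        off += 4 + vlen;
    }
    if (!lic->entry[IDX_SIGNATURE]) return -1;
    lic->trailing_len = len - (lic->signed_len + 4 + lic->entry_len[IDX_SIGNATURE]);
    return 0;
}

/* Hardened acceptance: the signature covers only blob[0, signed_len), so any
 * bytes after the signature entry are unsigned and the license is rejected.
 * (Checking the signature bytes themselves is outside this example.) */
int signature_covers_whole_blob(const license_t *lic) {
    return lic->entry[IDX_SIGNATURE] != NULL && lic->trailing_len == 0;
}

/* Unchecked lookup as the article describes it: without a type-5 entry, two bytes
 * are read from entry 18 however short it is, so a one-byte entry yields a
 * one-byte out-of-bounds read.  Kept for contrast; never use on untrusted input. */
int get_device_id_size_unchecked(const license_t *lic) {
    if (lic->entry[IDX_DEVICE_LEN]) return lic->entry_len[IDX_DEVICE_LEN];
    return rd16(lic->entry[IDX_DEVICE_ID]);
}

/* Hardened lookup: the 2-byte size prefix must fit in the entry, and the size it
 * announces must fit in the rest of the entry.  Returns -1 on any violation. */
int get_device_id_size(const license_t *lic) {
    if (lic->entry[IDX_DEVICE_LEN]) return lic->entry_len[IDX_DEVICE_LEN];
    const uint8_t *e = lic->entry[IDX_DEVICE_ID];
    if (!e || lic->entry_len[IDX_DEVICE_ID] < 2) return -1;
    uint16_t n = rd16(e);
    return n > lic->entry_len[IDX_DEVICE_ID] - 2 ? -1 : n;
}

/* Copy the DeviceID out.  The size is fetched once and that local value drives
 * both the capacity check and the memcpy, so it cannot change between "how much
 * to allocate" and "how much to copy" as in the double fetch described above. */
int copy_device_id(const license_t *lic, uint8_t *out, size_t out_cap) {
    int n = get_device_id_size(lic);                       /* single fetch */
    if (n < 0 || (size_t)n > out_cap) return -1;
    const uint8_t *src = lic->entry[IDX_DEVICE_LEN] ? lic->entry[IDX_DEVICE_LEN]
                                                    : lic->entry[IDX_DEVICE_ID] + 2;
    memcpy(out, src, (size_t)n);
    return n;                                              /* bytes copied */
}

/* Constructed sample: a well-formed license (DeviceID "DEV1" via entry 18, then its
 * signature) followed by a one-byte entry 18 placed after the signature.  The
 * first VALID_LEN bytes on their own are the well-formed license. */
const uint8_t SAMPLE_BLOB[] = {
    0x12, 0x01, 0x06, 0x00,  0x04, 0x00, 'D', 'E', 'V', '1',   /* tag 0x0112, len 6 */
    0x18, 0x01, 0x04, 0x00,  'S', 'I', 'G', '!',               /* tag 0x0118, len 4 */
    0x12, 0x01, 0x01, 0x00,  0x09,                             /* tag 0x0112, len 1 */
};
#define VALID_LEN 18   /* the signed, well-formed license ends here */
```

Parsing the first 18 bytes yields an accepted license with a four-byte DeviceID; parsing the whole buffer is rejected twice, once because five unsigned bytes follow the signature entry and once because the appended entry is too short to hold its own size prefix. The single-fetch copy is the general remedy for the double-fetch pattern: read a length from untrusted memory once, validate it, and let that local copy drive both the allocation and the copy.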

Conclusion

As we have just seen, obfuscated code can hide low hanging fruit, trivial memory corruptions, and simple logic bugs. In the case of ClipSp, this issue is even more serious, as this attack vector may lead to sandbox escapes and potentially significant impact to the compromised user.

As such, this is a reminder for security researchers on the value of taking the less traveled path, even if it begins with a bramble of Feistel functions. And for the software engineers and project managers who decide to leverage obfuscation for their projects, this is also a stark reminder that this approach may hinder normal bug finding processes that would detect trivial bugs early on.

Recording of the Hexacon presentation: https://www.youtube.com/watch?v=9t0Xt40RZEc

Source: Cisco Talos Blog

Weekly IT Vulnerability Report: Critical Exploits Highlighted in This Week’s Analysis

Overview

Cyble Research and Intelligence Labs (CRIL) analyzed 25 vulnerabilities between November 13 and November 19, 2024, identifying several high-priority threats that security teams must address. This blog also highlights 10 exploit discussions on underground forums, increasing the urgency to patch.

Key vulnerabilities include issues in Apple’s macOS, VMware vCenter, and Zyxel devices, with observed exploitation activity. Apple’s zero-day vulnerabilities (CVE-2024-44308 and CVE-2024-44309) and VMware’s critical vulnerabilities (CVE-2024-38812 and CVE-2024-38813) have particularly raised concerns among cybersecurity experts.

Additionally, researchers observed active discussions of proof-of-concept (PoC) exploits for D-Link, Fortinet, and Palo Alto Networks products on dark web forums, raising the likelihood of broader exploitation.

Below are the critical vulnerabilities and exploit highlights.

Top IT Vulnerabilities

Cyble researchers emphasized these vulnerabilities as high-priority fixes:

  1. CVE-2024-44308, CVE-2024-44309: Two zero-day vulnerabilities in Apple’s macOS systems affecting WebKit and JavaScriptCore components. These flaws allow remote code execution and cross-site scripting (XSS). Apple has released emergency patches for macOS, Safari, and iOS to address these vulnerabilities.
  2. CVE-2024-38812, CVE-2024-38813: Critical vulnerabilities in VMware’s vCenter Server. CVE-2024-38812 enables remote code execution, while CVE-2024-38813 allows privilege escalation. Attackers have actively exploited these vulnerabilities in the wild, targeting corporate environments.
  3. CVE-2024-42057: A command injection vulnerability in Zyxel’s IPSec VPN feature. Unauthenticated attackers can execute OS commands on vulnerable devices. Researchers linked this flaw to the Helldown ransomware group, which uses it to infiltrate networks.
  4. CVE-2024-10914: A critical command injection vulnerability in legacy D-Link NAS devices. Exploiting the cgi_user_add function in the account_mgr.cgi script allows attackers to execute OS commands remotely. Over 61,000 vulnerable devices were identified online.
  5. CVE-2024-48990, CVE-2024-48991, CVE-2024-48992: Privilege escalation vulnerabilities in the “needrestart” package for Ubuntu systems. Local attackers can gain root privileges on vulnerable installations. While these vulnerabilities are less likely to be exploited remotely, they pose significant risks in shared environments.
  6. CVE-2024-11120: A command injection vulnerability affecting EOL GeoVision devices. Exploited by botnets, attackers use this flaw to conduct DDoS attacks and cryptomining.

Dark Web and Underground Exploit Activity

Cyble’s research uncovered multiple exploit discussions and PoCs shared on underground forums and Telegram channels:

  1. Fortinet FortiManager (CVE-2024-47575): Known as “FortiJump,” this vulnerability allows unauthenticated remote attackers to execute arbitrary commands. Threat actors have weaponized this exploit for lateral movement in corporate environments.
  2. D-Link NAS Devices (CVE-2024-10914): Threat actors shared exploit details enabling command injection via the account_mgr.cgi script. Researchers detected over 61,000 exposed devices, emphasizing the urgency of mitigation.
  3. Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9464): Exploits for these vulnerabilities allow attackers to gain administrator privileges or execute OS commands with root access. Discussions on underground forums highlight chaining techniques for broader attacks.
  4. Microsoft Exchange Server (CVE-2021-34470): Despite being disclosed in 2023, this privilege escalation vulnerability remains a target in cybercrime forums, with fresh PoCs surfacing.
  5. Zero-Day Windows Exploit: A threat actor named “IOWA” offered a Local Privilege Escalation (LPE) vulnerability for Microsoft Windows and Windows Server. The asking price ranged from $200,000 to $400,000, reflecting its critical nature.

Cyble’s Recommendations

To address these vulnerabilities and mitigate potential risks, CRIL recommends the following steps:

  • Apply Patches: Regularly update all software and hardware systems with vendor-provided patches. Prioritize critical vulnerabilities like Apple’s zero-days, VMware vCenter flaws, and Zyxel command injection vulnerabilities.
  • Implement Patch Management: Develop a comprehensive strategy that includes testing and deploying patches promptly. Automate where possible to ensure consistency.
  • Network Segmentation: Isolate critical assets using VLANs, firewalls, and access controls to minimize exposure.
  • Monitor for Suspicious Activity: Use SIEM solutions to detect abnormal behavior. Analyze logs for signs of exploitation, particularly for internet-facing services.
  • Conduct Regular Assessments: Perform vulnerability assessments and penetration testing to identify weaknesses. Complement these efforts with security audits to ensure compliance.
  • Enhance Visibility: Maintain an inventory of internal and external assets. Use asset management tools to ensure comprehensive monitoring.
  • Adopt Strong Password Policies: Change default passwords, enforce complexity, and implement multi-factor authentication (MFA).

Conclusion

The vulnerabilities discussed in this report call for improved and robust cybersecurity practices. With active exploitation of critical flaws like Apple’s zero-days and VMware’s vCenter vulnerabilities, organizations must act swiftly to patch, monitor, and secure their environments. Proactive measures are essential to mitigate risks and protect sensitive systems from escalating cyber threats.

The post Weekly IT Vulnerability Report: Critical Exploits Highlighted in This Week’s Analysis appeared first on Cyble.


Black Friday 2024 at ANY.RUN

Black Friday 2024 at ANY.RUN is here! As always, we’ve prepared time-limited deals to not only help you save on our tools but also improve collaboration with your colleagues. 

Here’s what we have in store for you this time. 

Hunter Plan: Two Subscriptions for the Price of One 

Hunter plan is designed for individual users, but it doesn’t mean you have to go it alone. Buy an annual Hunter subscription this Black Friday and receive a complimentary one-year Hunter license for your colleague.  

It is perfect for two researchers who want to minimize their expenses on quality malware analysis and get access to our sandbox’s PRO features for the price of just one license.

Enterprise Plan: License Bundles 

For security teams, the special Enterprise license bundles offer unbeatable value.  

You can buy 5 Enterprise licenses and receive 2 additional ones for free. Go for 10 licenses, and we’ll give you 3 extra ones plus a complimentary Threat Intelligence Lookup basic plan as a gift.  

Special offer for current Enterprise users: If you decide to renew your Enterprise subscription for 24 months, we will also provide you with 6 additional months of free service

We understand that every team has unique needs, so individual packages are also available. Please reach out to us via the Contact Us page to discuss your custom offer and ensure you get the perfect solution for your team.

TI Lookup: x2 Search Requests 

If you’re a user of ANY.RUN’s TI Lookup or just want to purchase its subscription for the first time, we have great news.  

By buying a TI Lookup plan for 100/500/5,000 or more requests, we’ll double your available search requests. So, if you get a subscription with 100/500/5,000 requests/mo, you will receive a total of 200/1,000/10,000 monthly requests. 

Don’t Miss Out! 

Our Black Friday special offers kick off on November 25th at 01:00 AM PST (UTC-8) and will run until December 8th, 2024, at 11:59 PM PST (UTC-8). Don’t wait – secure your deal today. 

Contact us today to learn more about these Black Friday offers.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

The post Black Friday 2024 at ANY.RUN appeared first on ANY.RUN’s Cybersecurity Blog.


Black Friday 2024: how to safeguard your finances against scammers | Kaspersky official blog

In the run-up to any holiday season, scammers get busy. A lot of the time, their actions are rather primitive. Getting ready for Christmas? Expect to be bombarded with fake discounts. Valentine’s Day round the corner? Watch out for fake gifts. Big soccer tournament coming up? There’ll be no shortage of fake tickets.

But the greatest amount of fake stuff appears the week before Black Friday, the day after US Thanksgiving that marks the start of the Christmas period, which is a global sales bonanza for retailers peddling anything from soap to smart TVs — and for scammers too. Today, in the countdown to Black Friday, we look at the latest cybercriminal tricks and ways to counter them.

Discounts! Discounts? Discounts…

Every year in late November, this word experiences a popularity spike. And the craze for low prices plays right into the hands of scammers, whose emails, coupons and phishing links merge with the mass of genuine offers.

Let’s look at an example: Walmart — the world’s largest wholesale and retail chain — appears to be offering customers a $750 gift card:

Follow just four simple steps to (not) get a gift card

It’s pretty easy to spot the scam here:

  • For a start, $750 is a tidy sum. Ever seen a store offering that much before?
  • To claim your card, you first have to enter your email address and “Basic Info”. It’s effectively the legal purchase of personal data — but at an astronomical price. Would Walmart really be doing that? Hardly.
  • And what’s this third point about completing the recommended deal? To get a gift card, you also have to pay? That’s an obvious red flag. You’re definitely dealing with scammers.

At the very least, the cybercriminals will get the victim’s name and postal address (the goods need to be delivered somewhere, right?), bank card details, plus the money forked out to complete the recommended deal. It’s doubly distressing for said victim: they leak their own data, and are lamenting the $750 that never was; they may even blame Walmart itself.

Scammers are human too and understand how much we all love a freebie. And that makes Black Friday the perfect time for another popular scam: fake giveaways. The prizes are goods that everyone wants. For example, a snazzy iPhone 14. Seems like the scammers here aren’t aware that iPhones 15 and 16 are already with us, as is reliable protection for their owners.

A telltale sign of fraud is a countdown clock next to a pressing call to action

Let’s take a closer look at the screenshot. The cybercriminals, lurking behind a big brand — Amazon — tempt the victim with a whiff of exclusivity (“We are offering great prizes to 10 users”), prompting them to answer four simple questions before the clock ticks down. It might look plausible at first glance, but the catch is always the same: the recipient of the “exclusive” offer must act quickly or risk missing out.

As you’ve already guessed, there’s no iPhone 14 to speak of: the scammers simply scrape what personal data they can and may even ask for some kind of payment via a phishing link. As a result, the victim hands over their personal data and bank details, putting their finances at great risk. Read more about Black Friday scams in our Securelist blogpost.

Black Friday for scammers

If you think that no one needs your data or it’s been leaked before (and not just once), this story is for you. Our experts have found lots of ads selling personal data at a discount on the dark web. It’s an effective scheme (for the scammers): they email out bulk phishing in advance, harvest victims’ data, then sell it at a discount to other scammers at the end of November. Black Friday for everyone!

Scammers are happy to give other scammers a 10% discount

All the data is sorted by country and product type: above we see a set of Canadians’ stored-value cards and Italians’ debit cards up for grabs. Admit it, you don’t really want your bank details to be part of a special offer for carders on the dark web.

How to save your finances on Black Friday

First of all, we advise taking extra special care during the sales season: carefully read giveaway terms and conditions, check the details with the organizers (not by using the link or phone number in the email, but by visiting the official website) and stay informed of all the latest scams and tricks by following our Kaspersky Daily blog.

We understand that navigating the saturated information-flow is tough when you’re being assailed on all sides by promotions, “exclusive” offers and discounts. That’s why we offer a straightforward solution: put your trust in automation.

The Kaspersky app has a Safe Money feature that shows the current level of protection of your finances — now for Android users, too.

Safe Money in Kaspersky for Android

For unbeatable security, we recommend enabling all protection components on the app’s home screen:

  • Safe Browsing. Blocks dangerous websites and checks all links before opening them for you, giving scammers no opportunity to lure you to a phishing site. Remember that Safe Browsing only works in three supported browsers: Google Chrome, Mozilla Firefox, and Yandex Browser.
  • Safe Messaging. Checks for phishing links in all texts and instant messages you receive.
  • Weak Settings Scan. Detects vulnerabilities in your phone settings and tells you how to improve your smartphone security.
  • VPN. Protects online payments and prevents your data from being intercepted when using public Wi-Fi.
  • Wi-Fi Security Check. Checks every Wi-Fi network you connect to and notifies you of any potential danger.

This combination of security features protects you and your finances from the vast majority of scams on Black Friday and beyond. For example, Safe Browsing will stop you from following a phishing link to a scam site to “claim your $750 gift card”; while Safe Messaging will keep cybercriminals at bay in Telegram and other messengers.

Kaspersky official blog – Read More

Top ICS Vulnerabilities This Week: Siemens, Baxter, and Subnet Solutions

This week’s Cyble ICS vulnerability report includes critical vulnerabilities like CVE-2024-39332 in Siemens, CVE-2024-9834 in Baxter Life2000 Ventilation System, and CVE-2024-45490 in Subnet Solutions that need urgent patching.

Overview

Cyble Research & Intelligence Labs (CRIL) has analyzed key Industrial Control System (ICS) vulnerabilities reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for the week spanning November 12–18, 2024. It covers vulnerabilities across products from Siemens, Baxter, Subnet Solutions, and others, urging organizations to prioritize patching to mitigate risks.

This week, 21 ICS security advisories disclosed 129 vulnerabilities affecting multiple vendors.

The healthcare sector remains particularly vulnerable, with Baxter’s Life2000 ventilation systems spotlighted due to their potential to compromise patient safety.

Meanwhile, critical manufacturing continues to dominate in terms of affected infrastructure, accounting for 75.2% of reported vulnerabilities.

The Week’s Top ICS Vulnerabilities

Key vulnerabilities identified in this report include:

  1. CVE-2024-45490 (Subnet Solutions):
    • Product: PowerSYSTEM Center PSC 2020
    • Impacted Versions: v5.22.x and prior
    • Severity: Critical
    • Issue: Improper XML External Entity Reference
    • Impact: Affects SCADA, DCS, and BMS systems

  2. CVE-2024-9834 (Baxter):
    • Product: Life2000 Ventilation System
    • Impacted Versions: v06.08.00.00 and prior
    • Severity: Critical
    • Issue: Cleartext Transmission of Sensitive Information

  3. CVE-2024-39332 (Siemens):
    • Product: SINEC INS
    • Impacted Versions: versions prior to V1.0 SP2 Update 3
    • Severity: Critical
    • Issue: Improper Input Validation

  4. CVE-2024-41153 (Hitachi Energy):
    • Product: TRO600 series firmware
    • Impacted Versions: v9.0.1.0 to 9.2.0.0
    • Severity: High
    • Issue: Command Injection

For the complete list of vulnerabilities and their respective mitigations, subscribe to Cyble’s AI-powered threat intelligence product suite!

Recommendations

To address these vulnerabilities and reduce exploitation risks, CRIL recommends:

  • Patch Management: Organizations should develop and implement a comprehensive patch strategy, including inventory, assessment, testing, and deployment. Leverage automation to enhance efficiency.
  • Network Segmentation: Limit attackers’ lateral movement and exposure by implementing robust segmentation practices.
  • Threat Intelligence Monitoring: Continuously track vulnerabilities listed in CISA’s KEV catalog to detect and mitigate actively exploited issues.
  • Physical Security: Protect devices and networks through physical barriers to deter unauthorized access.
  • Incident Response Planning: Maintain a tested and updated plan to respond effectively to cybersecurity incidents.
  • Staff Training: Regularly educate employees on recognizing phishing attempts, proper authentication practices, and adhering to security protocols.
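The "Threat Intelligence Monitoring" and "Patch Management" items above amount to one routine task: take the CVEs from a weekly report like this one, check which of them CISA has placed in the KEV catalog, and patch those first, before their KEV due dates. The script below is an added example of that cross-check and is not Cyble's or CISA's code. KEV_SNAPSHOT_JSON is a constructed sample in the layout of CISA's known_exploited_vulnerabilities.json (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction); its single entry and dates are invented for the demo and are not a claim that the CVE is actually in the catalog. The asset names in INVENTORY are assumptions; the CVE, severity and product values are the ones listed above.

```python
"""Cross-check an ICS CVE inventory against a CISA KEV catalog snapshot.

Added example, not Cyble's or CISA's code. KEV_SNAPSHOT_JSON is a CONSTRUCTED
sample in the layout of known_exploited_vulnerabilities.json; its one entry is
invented for the demo and says nothing about the real catalog's contents.
"""
import json
from datetime import date

KEV_SNAPSHOT_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {   # constructed entry for the demo, not a real KEV listing
            "cveID": "CVE-2024-45490",
            "vendorProject": "Subnet Solutions",
            "product": "PowerSYSTEM Center",
            "dateAdded": "2024-11-14",
            "dueDate": "2024-12-05",
            "requiredAction": "Apply mitigations per vendor instructions.",
        }
    ],
})

# Constructed site inventory: asset names are assumptions, CVEs/severities are from the report.
INVENTORY = [
    {"asset": "psc-hist-01", "cve": "CVE-2024-45490", "severity": "Critical", "patched": False},
    {"asset": "icu-vent-07", "cve": "CVE-2024-9834",  "severity": "Critical", "patched": False},
    {"asset": "sinec-ins-a", "cve": "CVE-2024-39332", "severity": "Critical", "patched": True},
    {"asset": "tro600-gw-3", "cve": "CVE-2024-41153", "severity": "High",     "patched": False},
]

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def load_kev(kev_json):
    """Index a KEV catalog document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(inventory, kev_by_cve, today_iso):
    """Return unpatched findings: KEV-listed first, overdue KEV deadlines before
    pending ones, then earliest deadline, then severity."""
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        if item["patched"]:
            continue
        kev = kev_by_cve.get(item["cve"])
        due = date.fromisoformat(kev["dueDate"]) if kev else None
        findings.append({
            "asset": item["asset"],
            "cve": item["cve"],
            "severity": item["severity"],
            "in_kev": kev is not None,
            "kev_due": due.isoformat() if due else None,
            "overdue": due is not None and today > due,
        })
    findings.sort(key=lambda f: (
        not f["in_kev"],                 # KEV-listed findings first
        not f["overdue"],                # overdue deadlines before pending ones
        f["kev_due"] or "9999-12-31",    # ISO dates sort lexicographically
        SEVERITY_RANK.get(f["severity"], 9),
        f["cve"],
    ))
    return findings


if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_SNAPSHOT_JSON), "2024-12-10"):
        flag = "KEV OVERDUE" if f["overdue"] else ("KEV" if f["in_kev"] else "-")
        print(f"{flag:12} {f['cve']:16} {f['severity']:9} {f['asset']}")
```

In production the snapshot would be the catalog fetched from cisa.gov and the inventory would come from the asset database; the ordering logic stays the same, and the "patched" flag is what turns this from a one-off report into something that can run on every catalog update.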

Conclusion

This week’s ICS vulnerability report showcases the growing threats to critical infrastructure, particularly in manufacturing and healthcare. Organizations must prioritize resilience through prompt patching, enhanced monitoring, and proactive cybersecurity strategies to mitigate the risks posed by these vulnerabilities.

With the ICS landscape continually evolving, staying ahead of threat actors is essential to safeguarding vital operations and ensuring system integrity.

The post Top ICS Vulnerabilities This Week: Siemens, Baxter, and Subnet Solutions appeared first on Cyble.

Blog – Cyble – Read More

How to protect yourself from someone tracking you with stalkerware or an AirTag | Kaspersky official blog

These days, it’s not just government agencies or private detectives who can spy on you. Tracking has become so easy and cheap that jealous spouses, car thieves, and even overly suspicious employers are doing it. They don’t have to peek around corners, hide in stores, or even get close to their target at all. A smartphone and a Bluetooth tracking beacon — like an Apple AirTag, Samsung Smart Tag or Chipolo — will do the job perfectly. According to one of the lawsuits filed against Apple, this method of spying is used in a variety of crimes —  from stalking ex-partners to planning murders.

Luckily for all of us, there’s protection! As part of Kaspersky’s anti-stalking campaign, we’ll explain how you could be tracked and what you can do about it.

Online and offline tracking

Surveillance of a victim is typically carried out in one of two ways.

Method one: purely software-based. A commercial tracking app is installed on the victim’s smartphone — we call this category of apps stalkerware or spouseware. Such apps are often marketed as “parental control apps”, but they differ from legitimate parental controls because the app’s activity is kept hidden after installation. Most often, the app is entirely invisible on the device, though sometimes it disguises itself as something innocuous, like a messenger, game or photo-gallery app. Stalker apps can repeatedly transmit the victim’s geolocation to a server, send messages and other confidential data from the device to an attacker, and even activate the microphone to record audio.

The main drawback of stalkerware for the attacker is the difficulty of installation — it requires gaining access to the victim’s unlocked smartphone for some time. That’s why, in many cases, especially when it’s an ex-partner or car thief doing the stalking, they use the other method.

Method two: a wireless beacon. A tracking device is planted on the victim. In a car, it might be hidden in an inconspicuous spot, such as behind the license plate; for a person, the tracker could be slipped into a bag or among other personal items.

Originally, Bluetooth trackers — small devices about the size of a coin — were invented to help locate lost belongings such as keys, wallets or luggage. However, if planted on a target, their movements can be tracked in near real-time using a special app. Incidentally, many of today’s Bluetooth headphones also have built-in tracking functionality to make them easier to find — and these too can be used for stalking. So, if you happen to find a pair of fancy headphones lying around, don’t start thinking it’s your lucky day — they may have been deliberately planted in order to track your movements, even after you pair them with your own smartphone.

Tracking technology works even if the beacon is well beyond the Bluetooth range of the stalker’s smartphone: other smartphones help locate the “lost” item. Many of the latest Android and iOS devices report the location of nearby visible beacons to the central servers of Google or Apple. As a result, these tech giants are able to locate any beacon if there’s any modern Bluetooth-enabled smartphone with internet access nearby.

The most popular beacon is still the Apple AirTag, and Apple has gone to a lot of trouble since the first product launch to protect users from malicious use of the tracker. The latest AirTags start beeping to attract attention if they remain away from their owner’s smartphone for too long. However, attackers can easily bypass this protection by damaging the speaker on the tracker. Such hacked tags with disabled speakers can even be bought, easily.

How to protect yourself from surveillance

To safeguard yourself from both online and offline tracking, we recommend using Kaspersky for Android. This tool now includes the “Who’s spying on me” feature, which allows you to quickly detect surveillance.

Protection against tracking beacons. Fortunately, by their very nature, trackers can never be completely invisible, as they’re constantly signaling their presence via Bluetooth. A smartphone equipped with reliable protection can alert the user if an unregistered Bluetooth device is frequently detected nearby or in various different locations. If such a device moves around with you or stays close for too long, Kaspersky for Android will notify you.
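The two signals the paragraph describes, an unregistered device that shows up in many different places, or one that stays within range for a long time, are easy to state as a rule over Bluetooth scan records. The script below is an added example of that rule and is not Kaspersky's implementation: the scan log is constructed, the location cells and thresholds are assumptions, and it keys on the advertised Bluetooth address only. That last point is the practical caveat: real trackers rotate their address, so a production detector has to track advertisement payload state as well, not just the address.

```python
"""Heuristic detector for an unknown Bluetooth device that keeps turning up near the user.

Added example, not Kaspersky's code. The scan log is CONSTRUCTED; addresses are
placeholders, cells and thresholds are assumptions. Keys on address only, so it
would miss a tracker that rotates its Bluetooth address (real ones do).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    minute: int   # minutes since midnight
    cell: str     # coarse location cell the phone was in (assumed: from GPS / cell ID)
    addr: str     # Bluetooth address advertised by the device


# Constructed one-day scan log. Addresses are placeholders, not real devices.
SCAN_LOG = [
    # the user's own registered tag
    Scan(420, "home", "02:00:00:00:00:01"), Scan(600, "office", "02:00:00:00:00:01"),
    Scan(1200, "home", "02:00:00:00:00:01"),
    # a neighbour's tag: only ever seen at home, in two short bursts
    Scan(430, "home", "02:00:00:00:00:03"), Scan(440, "home", "02:00:00:00:00:03"),
    Scan(1200, "home", "02:00:00:00:00:03"), Scan(1210, "home", "02:00:00:00:00:03"),
    # a cafe's fixed beacon: one location, 40 minutes over lunch
    Scan(740, "cafe", "02:00:00:00:00:02"), Scan(760, "cafe", "02:00:00:00:00:02"),
    Scan(780, "cafe", "02:00:00:00:00:02"),
    # an unknown device that follows the user from home to work to the gym and back
    Scan(425, "home", "02:00:00:00:00:04"), Scan(490, "transit", "02:00:00:00:00:04"),
    Scan(520, "office", "02:00:00:00:00:04"), Scan(600, "office", "02:00:00:00:00:04"),
    Scan(700, "office", "02:00:00:00:00:04"), Scan(800, "office", "02:00:00:00:00:04"),
    Scan(900, "office", "02:00:00:00:00:04"), Scan(1000, "office", "02:00:00:00:00:04"),
    Scan(1060, "gym", "02:00:00:00:00:04"), Scan(1150, "home", "02:00:00:00:00:04"),
]

MY_DEVICES = {"02:00:00:00:00:01"}  # devices the user has registered as their own


def longest_session(minutes, max_gap):
    """Length in minutes of the longest run of sightings with no gap larger than max_gap."""
    ordered = sorted(minutes)
    if not ordered:
        return 0
    best = 0
    start = prev = ordered[0]
    for m in ordered[1:]:
        if m - prev > max_gap:          # device went out of range: close this session
            best = max(best, prev - start)
            start = m
        prev = m
    return max(best, prev - start)


def assess(scans, known, min_cells=3, min_session=180, max_gap=120):
    """Return {addr: [reasons]} for unregistered devices that moved with the user or lingered."""
    by_addr = defaultdict(list)
    for s in scans:
        by_addr[s.addr].append(s)
    alerts = {}
    for addr, seen in by_addr.items():
        if addr in known:
            continue
        cells = {s.cell for s in seen}
        session = longest_session([s.minute for s in seen], max_gap)
        reasons = []
        if len(cells) >= min_cells:
            reasons.append(f"seen in {len(cells)} different locations")
        if session >= min_session:
            reasons.append(f"stayed nearby for {session} minutes")
        if reasons:
            alerts[addr] = reasons
    return alerts


if __name__ == "__main__":
    for addr, why in assess(SCAN_LOG, MY_DEVICES).items():
        print(addr, "->", "; ".join(why))
```

The session logic is what keeps the neighbour's tag out of the alerts: it is seen at home morning and evening, but with a long gap between, so neither burst is long enough to count as "staying close". The cafe beacon is excluded by both thresholds, and only the device that was present in four cells over the whole day is reported.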

Upon discovering a tracker, it’s essential to examine it closely. Sometimes, the situation may be innocent, such as if a family member you spend a lot of time with has a tracker attached to their keys. Occasionally, there may be trackers on rental vehicles or laptops (although rental companies are required to notify users and include this in the contract).

Protection against stalkerware. Kaspersky Premium detects known stalkerware apps. Oh, and by the way — did you know that Kaspersky products won a stalkerware detection test? If such apps — or even their installation files, whether downloaded by you or someone else — are found on your device, Kaspersky for Android will alert you immediately.

Kaspersky for Android detects both installed stalkerware apps (on the right) and their installation files (on the left)

Even users of the free version of Kaspersky for Android can scan for stalkerware. The only difference in this case between Kaspersky Premium and the free version is that in Kaspersky Premium, scanning is done automatically and continuously. In the free version of Kaspersky for Android, users need to manually initiate each scan.

Suspicious beacons that appear frequently in your vicinity will be listed and labeled in the Device Scanner section.

Kaspersky for Android warns you about spy trackers and provides guidance on what to do

Meanwhile, the permission-control feature regularly checks the access of apps to your camera, microphone, location and Bluetooth, so you can quickly identify suspicious new apps.

Additional precautions

Several general security and cyber-hygiene measures can make it harder for anyone to track you, and are recommended for all users:

  • Never leave personal items unattended. This applies especially to digital devices that are powered on.
  • Set up biometric authentication on your smartphone.
  • Set the auto-lock screen time to 30 seconds or less.
  • Set up biometrics or a strong password for logging into your laptop, and always lock the screen if you leave your desk.
  • Make a password necessary to install apps from the app store (you can do this on both iOS and Android).
  • Disable the installation of apps from unknown sources on Android.
  • Update all your apps at least once a month and delete any that you no longer use.
  • Never share your passwords with anyone. If you’ve ever shared them with anyone, or you suspect they may have been intercepted, seen or guessed — change them immediately.
  • Avoid logging into personal accounts on shared devices at home or at work, and certainly don’t do this in libraries, hotels or cafes. If you absolutely have to log in, make sure to log out afterwards.
  • Use a password manager, create a unique password for each account, and enable two-factor authentication.
  • Be careful with what you share on social media and in messengers — avoid disclosing details that reveal your location, daily routine, or social circle.

For individuals at higher risk of stalking (say, from an unwanted admirer, disaffected spouse or business partner), here is a more comprehensive list of precautions, including physical safety and legal protection measures.

What to do if you detect surveillance

If you’ve discovered a beacon or tracking app and ruled out any innocent explanations, consider the possible reasons for why you might be under surveillance.

For those involved in domestic violence or serious conflicts, physical safety is the priority. Therefore, in such cases, it’s important not to reveal that you’ve detected the surveillance, but instead contact the police or dedicated support organizations. Likewise, it’s essential that the smartphone or beacon doesn’t end up in a location that would indicate the discovery (for example, a police station). You can either leave the smartphone at home while you go to the police, or arrange to meet a support group in a safe place. For more detailed advice on such tricky cases, consult our anti-stalking awareness guide.

If the risk of violence is low, you should still contact the police. Hand over the spy tracker, and let law enforcement create a digital copy of your smartphone to gather evidence of infection (if present). After that, you can remove the stalkerware from your smartphone.

Kaspersky official blog – Read More