ANY.RUN proudly presents Threat Intelligence Reports: investigative reports on cyber threats and attacks focused on delivering actionable insights to security professionals and decision makers.
Manually composed by our experienced analysts, the Reports provide data for threat monitoring and detection, incident mitigation and response, R&D, education, strategic planning and compliance.
These detailed attack overviews are based on comprehensive research of cyber threats, including malware, ransomware, phishing campaigns, and other malicious activities. APTs and cybercriminal groups are under special scrutiny as one of the most critical and persistent hazards to organizations and individuals.
How to Get TI Reports
Discover TI Reports at intelligence.any.run
TI Lookup’s paid customers get access to detailed reports with comprehensive intelligence data. For a wider audience, summaries on actors and threats are available. Some reports are also fully available for free.
TI Reports are founded on fresh real-world data about new and ongoing threats, handpicked and processed by ANY.RUN analysts. Our Interactive Sandbox, among other sources, provides us with a constantly filling community-powered collection of malware sample analyses.
Each report lets researchers dive deeper into any indicator or artifact with pre-created TI Lookup search queries to discover more relevant data.
Info You Can Find in TI Reports
Each report begins with the actor or vehicle overview and continues with its basic description: aims, origins, first-seens, targeted industries and countries. The description helps to grasp the scale and context of a threat, letting you understand its relevance to specific industries.
An example of a recent report
A list of TTPsused by the attackers contains their tactics, techniques and procedures which are methods and tools that adversaries engage and combine in their campaigns. TTPs are followed by a collection of indicators — of compromise (IOCs), of behavior (IOBs) and of attack (IOAs) — associated with the threat or the group.
TTPs and indicators are essential for setting up proactive cyber defense and are listed along with links to sandbox sessions showing them in action.
An example of a recent report, continued: data on IOCs
Last but not least, YARA and SIGMA rules are included for tuning the detection systems.
An example of a recent report, continued: YARA rules
References and links for wider research are integrated into report text, and more are added as an appendix.
Learn to Track Emerging Cyber Threats
Check out expert guide to collecting intelligence on emerging threats with TI Lookup
Read full guide
Benefits for SOC Teams
For security analysts and SOC teams, Threat Intelligence Reports are to fuel the critical measures in building and supporting a robust cyber security infrastructure:
Enhanced Threat Detection: gather IOCs, IOBs, IOAs, and TTPs to tune monitoring and detection for SIEMs and firewalls; compose new rules and fine-tune existing ones.
Incident Response: use reports to understand the scope, impact, and nature of threats for reducing response time.
Proactive Defense: block known threats preemptively and prepare mitigations for similar attacks.
Threat Hunting: watch TTPs to look for similar behaviors that might indicate an attack before it unfolds.
Research and Development: add the Reports’ data to your sources for studying new or evolving malware.
Benefits for Businesses
For organization stakeholders and decision makers, TI Reports are a valuable resource for fulfilling security-related business goals and objectives:
Risk Assessment: understand the risk landscape better, see how threats might impact business operations, grasp risks specific to your industry or organization.
Strategic Decision Making: allocate security resources based on threat intelligence, align your budget with actual risks.
Strategic Planning: develop cybersecurity strategies and policies to protect business assets.
Compliance and Reporting: use Reports to signal due diligence in cybersecurity practices, your adequacy in threat monitoring and response.
Communication and IR: accommodate Reports to explain the state of cybersecurity to non-technical stakeholders, to illustrate why certain investments or actions are necessary.
Reputation Management: manage the narrative around how the incident was handled in case it happens.
Insurance and Legal: strengthen your position for insurance purposes or in legal scenarios with access to comprehensive threat intelligence: it can be beneficial in proving due diligence or in understanding the extent of a security incident.
Conclusion
Threat Intelligence Reports, as unique pieces of research crafted by ANY.RUN’s threat analysts with proactive approach to cyber attacks in mind, can assist both security teams in their everyday routine, and management in their strategic planning.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-13 12:06:392025-02-13 12:06:39Threat Intelligence Reports: Get Fresh Research on the Latest Cyber Attacks and APTs
Cyble’s weekly industrial control system (ICS) vulnerability report to clients warned about internet-facing medical imaging and critical infrastructure asset management systems that could be vulnerable to cyberattacks.
The report examined six ICS, operational technology (OT), and Supervisory Control and Data Acquisition (SCADA) vulnerabilities in total, but it focused on two in particular after Cyble detected web-exposed instances of the systems.
Orthanc, Trimble Cityworks Vulnerabilities Highlighted by CISA
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued advisories alerting users to vulnerabilities in medical imaging and asset management products.
Orthanc is an open-source DICOM server used in healthcare environments for medical imaging storage and retrieval, while Trimble Cityworks is a GIS-centric asset management system used to manage all infrastructure assets for airports, utilities, municipalities, and counties.
In a February 6 ICS medical advisory, CISA said the Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled, which could result in unauthorized access by a malicious actor. The Missing Authentication for Critical Function vulnerability, CVE-2025-0896, has been assigned a CVSS v3.1 base score of 9.8, just below the maximum score of 10.0.
Orthanc recommends that users update to the latest version or enable HTTP authentication by setting the configuration “AuthenticationEnabled”: true in the configuration file.
Cyble provided a publicly accessible search query for its ODIN vulnerability search tool, which users can use to find potentially vulnerable instances.
“This flaw requires urgent attention, as Cyble researchers have identified multiple internet-facing Orthanc instances, increasing the risk of exploitation,” the Cyble report said. “The exposure of vulnerable instances could allow unauthorized access to sensitive medical data, manipulation of imaging records, or even unauthorized control over the server. Given the high stakes in healthcare cybersecurity, immediate patching to version 1.5.8 or later, along with restricting external access, is strongly recommended to mitigate potential threats.”
CVE-2025-0994 is an 8.6-rated Deserialization of Untrusted Data in Trimble Cityworks that was reported to CISA by Trimble, which quickly patched the vulnerability and issued mitigation guidance. CISA issued an advisory on the vulnerability, which affects Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10, and also added the vulnerability to CISA’s Known Exploited Vulnerabilities catalog.
Cyble provided an ODIN search query for users to check for exposed Cityworks instances and a hash query for ODIN subscribers.
Recommendations for Mitigating ICS Vulnerabilities
Cyble recommends several important controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include:
Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management reduces the risk of exploitation.
Implementing a Zero-Trust Policy to minimize exposure and ensure that all internal and external network traffic is scrutinized and validated.
Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency.
Proper network segmentation can limit an attacker’s potential damage and prevent lateral movement across networks. This is particularly important for securing critical ICS assets, which should not be exposed to the Internet if possible and properly protected if remote access is essential.
Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors.
Establishing and maintaining an incident response plan and ensuring that it is tested and updated regularly to adapt to the latest threats.
All employees, especially those working with Operational Technology (OT) systems, should be required to undergo ongoing cybersecurity training programs. The training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.
Conclusion
These vulnerabilities show the danger that medical and critical infrastructure system vulnerabilities can pose to patients, utilities, airports, and other sensitive environments. The organizations and CISA responded rapidly in these cases, but now users must do the same and ensure that the systems are patched and properly protected.
Regardless of the sector, staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. This includes limiting internet exposure and properly protecting assets that must be accessed remotely.
To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-13 12:06:392025-02-13 12:06:39Cyble Warns of Exposed Medical Imaging, Asset Management Systems
In a recent update to its Known Exploited Vulnerabilities Catalog, the Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities that are currently under active exploitation. These vulnerabilities span across multiple platforms and pose substantial security risks for both organizations and individual users.
The vulnerabilities identified in CVE-2024-40891, CVE-2024-40890, CVE-2025-21418, and CVE-2025-21391 can be exploited with relative ease if security updates are not applied promptly. Users and organizations should follow the guidance provided by vendors like Zyxel and Microsoft, ensuring that their systems are updated regularly to address the latest security flaws.
For organizations relying on Zyxel DSL routers or Windows-based systems, it is crucial to assess the exposure to these vulnerabilities and take immediate steps to update firmware or software versions.
Details of the Vulnerabilities and Active Exploitation
CVE-2024-40891 and CVE-2024-40890: Critical Command Injection Vulnerabilities in Zyxel DSL Routers
The two vulnerabilities—CVE-2024-40891 and CVE-2024-40890—are related to a series of Command Injection Vulnerabilities affecting Zyxel DSL CPE devices. Specifically, these vulnerabilities affect the Zyxel VMG4325-B10A router model running firmware version 1.00(AAFR.4)C0_20170615.
Both vulnerabilities share a common thread: they allow authenticated attackers to execute arbitrary operating system (OS) commands on the affected devices via Telnet (CVE-2024-40891) or a crafted HTTP POST request (CVE-2024-40890). This puts devices at high risk of being compromised by threat actors who can exploit these weaknesses to gain control of the affected systems.
According to the official Zyxel advisory, both vulnerabilities have been assigned a CVSS severity score of 8.8 (High). These flaws stem from improper neutralization of special elements used in OS commands (CWE-78: Improper Neutralization of Special Elements used in an OS Command). Once successfully exploited, the vulnerabilities could allow attackers to bypass authentication and execute malicious OS commands, effectively compromising the security of the devices.
Zyxel has issued advisories urging users to update their firmware to mitigate these vulnerabilities. Devices using older firmware versions are especially at risk. The active exploitation of these vulnerabilities could lead to severe consequences, such as unauthorized access, data breaches, or complete system takeovers.
CVE-2025-21418: Windows Ancillary Function Driver Buffer Overflow Vulnerability
The third vulnerability in the catalog, CVE-2025-21418, is related to a Heap-based Buffer Overflow in the Windows Ancillary Function Driver for WinSock. This vulnerability affects various Windows operating systems, including Windows 10 (version 1809 and newer) and Windows Server editions, and could allow an attacker to elevate their privileges on the system.
Exploiting this flaw, cybercriminals can gain higher privileges, potentially leading to system compromise. The CVE has been assigned a CVSS score of 7.8, marking it as high severity. The vulnerability arises from improper handling of buffers, specifically during the interaction between the Windows Ancillary Function Driver and WinSock.
Windows users and organizations are encouraged to install security updates to mitigate this threat. If left unpatched, the vulnerability could allow attackers to perform malicious actions that compromise system integrity and confidentiality.
CVE-2025-21391: Windows Storage Link Following Vulnerability
Finally, CVE-2025-21391, a Windows Storage Elevation of Privilege Vulnerability, has been added to the CISA catalog. This vulnerability is tied to an issue in Windows Storage where the system improperly resolves links before accessing files. Known as link following (CWE-59), this vulnerability allows an attacker to perform elevation of privilege attacks, potentially granting them access to files and resources they should not have access to.
This vulnerability affects multiple versions of Windows, including Windows 10, Windows Server 2019, and Windows 11. With a CVSS score of 7.1, this vulnerability is considered moderately severe but still presents cybersecurity risks if left unaddressed. Attackers exploiting this vulnerability can manipulate file access controls to gain higher-level privileges and access critical system components.
Conclusion
The inclusion of CVE-2024-40891, CVE-2024-40890, CVE-2025-21418, and CVE-2025-21391 in CISA’s Known Exploited Vulnerabilities Catalog highlights the ongoing risk of cyberattacks exploiting vulnerabilities in widely used systems. Command injection, buffer overflows, and improper link resolution remain common attack vectors. Organizations must stay vigilant, apply patches promptly, and prioritize security to prevent data breaches and system compromises.
Cyble, with its AI-driven cybersecurity platforms, helps businesses stay protected at all times by providing proactive threat intelligence and real-time vulnerability monitoring. Staying informed and prepared is essential to protecting sensitive data from cyber risks.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-13 12:06:382025-02-13 12:06:38CISA Updates Known Exploited Vulnerabilities Catalog with Four Critical Issues
BTMOB RAT is an advanced Android malware evolved from SpySolr that features remote control, credential theft, and data exfiltration.
It spreads via phishing sites impersonating streaming services like iNat TV and fake mining platforms.
The malware abuses Android’s Accessibility Service to unlock devices, log keystrokes, and automate credential theft through injections.
It uses WebSocket-based C&C communication for real-time command execution and data theft.
BTMOB RAT supports various malicious actions, including live screen sharing, file management, audio recording, and web injections.
The Threat Actor (TA) actively markets the malware on Telegram, offering paid licenses and continuous updates, making it an evolving and persistent threat.
Overview
On January 31, 2025, Cyble Research and Intelligence Labs (CRIL) identified a sample lnat-tv-pro.apk (13341c5171c34d846f6d0859e8c45d8a898eb332da41ab62bcae7519368d2248) being distributed via a phishing site “hxxps://tvipguncelpro[.]com/” impersonating iNat TV – online streaming platform from Turkey posing a serious threat to unsuspecting users.
Figure 1 – Phishing site distributing this malicious APK file
On VirusTotal, the sample was flagged by Spysolr malware detection, which is based on Crax RAT, developed by the Threat Actor EVLF. During our analysis, we also checked the official Spysolr Telegram channel, where the TA announced a new project called “BTMOB RAT.”
Figure 2 – BTMOB RAT announcement on the SpySolr Telegram Channel
The malware sample downloaded from the phishing site demonstrated typical RAT behavior, establishing a WebSocket connection with a Command and Control (C&C) server at hxxp://server[.]yaarsa.com/con. The request body revealed the “BTMOB” string along with version number “BT-v2.5”, confirming that the sample is indeed the latest version of BTMOB RAT.
Figure 3 – Request body containing the reference of a BTMOB String
Through their Telegram channel, the TA has been advertising BTMOB RAT, highlighting its capabilities, including live screen control, keylogging, injections, lock feature, and collecting various data from infected devices. The actor is offering a lifetime license for $5,000 (in a one-time payment) with an additional $300 per month for updates and support for the latest version of this malware.
Figure 4 – BTMOB RAT advertisement on the Threat Actor’s Telegram channel
Since late January 2025, we have identified approximately 15 samples of BTMOB RAT (v2.5) in circulation. Earlier variants, active since December 2024, were associated with SpySolr malware, which communicated with hxxps://spysolr[.]com/private/SpySolr_80541.php.
The latest BTMOB RAT version exhibits a similar C&C structure and codebase, indicating that it is an upgraded version of SpySolr malware.
Like many other Android malware variants, the BTMOB RAT leverages the Accessibility service to carry out its malicious actions. The following section provides a detailed overview of these activities.
Technical Details
Upon installation, the malware displays a screen urging the user to enable the Accessibility Service. Once the user turns on the Accessibility Service, the malware proceeds to grant the requested permissions automatically.
Figure 5 – Prompting the victim to grant Accessibility Service access
Meanwhile, the malware connects to the C&C server at “hxxp://78[.]135.93.123/yaarsa/private/yarsap_80541.php,” which follows a structure similar to the Spysolr malware. Once connected, it initiates a WebSocket connection for server-client communication and transmits JSON data containing the device ID (pid), BotID (idf), connection type (subc), and a message (msg).
The image below illustrates the “join” connection type request sent to the server, after which the client receives a “Connected” response with the “type” value in JSON.
Figure 6 – WebSocket Connection
Over the course of our analysis, we observed that the malware receives 5 different responses for value “type” as listed below:
Type
Description
proxy
Establish other WebSocket connection
stop
Stops activity based on server response
join
Sends a join message along with device ID and bot ID
com
The malware receives various commands through this response type
connected
The server sends this response upon successful connection establishment
Unauthorized access
The server sends this response when the client fails to register the device
After successfully establishing a WebSocket connection, the malware transmits device-related information, including the device name, OS version, model, battery status, wallpaper, malicious app version number, and the status of malicious activities such as key logs, visited apps, visited links, notifications, and other activities.
Figure 7 – Sending device information to the TA’s server
The malware receives commands from the server using the “com” response type. The first command it received was “optns.” Along with this command, the server transmits the activity status to be initiated, which the malware then stores in a shared preference file.
Figure 8 – “optns” command
Our analysis revealed that the malware receives a total of 16 commands from the server, each of which is listed below, along with its description.
Command
Description
optns
Get action status to enable malicious activities
fetch
Collects the mentioned file in the response or device phone number based on the sub-command
brows
Loads URL into WebView, and perform actions based on JavaScript
lock
Receives lock pin and other details related to lock, and saves them to the Shared Preference variable
ject
Manages injection
file
Manages file operations
clip
Collects clipboard content
chat
Displays a window with the message received from the server, gets the reply entered in the edit field, and sends to the server
wrk
Receives additional commands to perform other activities such as collecting SMS, contacts, location, files, managing audio settings, launching activity, and many other
srh
Search file
mic
Records audio
add
Get all collected data, including keylogs, active injections, links, device information, wallpaper, and SIM information
bc
Opens alert Window or displays notification with the message received from the server
upload
Downloads injection files
screen
Handles live screen activity
scread
Collects content from the screen
brows Command
The primary function of this command is to load a URL or HTML content into the WebView and execute actions like collecting input, clicking, and scrolling using JavaScript.
When the malware receives a “brows” command, the server sends additional parameters within a JSON object, including “ltype” and “extdata”. The “ltype“ parameter dictates specific actions for the malware, such as loading a URL or HTML code into the WebView, keeping a record of visited websites, along with timestamps and input data, and transmitting the collected data, as illustrated in Figures 9 and 10.
Figure 9 – “ltype” actionsFigure 10 – Loading HTML code or URL into WebView
Once the malware loads a URL or HTML code into the WebView, it runs JavaScript to collect user-entered data from the webpage. The extracted information, which may include sensitive details like login credentials, along with the date and website link, is then stored in a JSON object.
Once the data is collected, it is saved in a map variable and later transmitted to the C&C server when the malware receives the “lp” value through the “ltype” parameter.
Figure 11 – Using JavaScript to get input details
The malware can receive additional commands through the “extdata” parameter, which includes actions such as scrolling, clicking, entering text, navigating, and loading another URL.
The “text” and “enter” actions are executed using JavaScript, while navigation, scroll, and other movement-based actions are carried out using Motion events.
Figure 12 – Additional actions performed via the “extdata” parameter
This feature enables the malware to steal login credentials while also providing various options to automate the credential theft process.
screen Command
When the malware initially receives the “optns” command, it checks the live screen activity status to determine whether to proceed. Based on this status, the malware then initiates screen capture using Media Projection.
Figure 13 – Screen capturing using Media Projection
To perform live actions, the malware receives the command “screen” along with different actions as listed below:
L: With this action, the malware receives a “lock” value, determining whether to lock or unlock the device. It checks the lock type (PIN, password, or pattern) and unlocks the device accordingly.
Figure 14 – lock/unlock function
If the device is locked with a password, the malware retrieves the saved password from the “mob_lck” shared preference variable, which was previously extracted during “LockActivity”. It then enters the password using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”, as shown in the figure below.
Figure 15 – Unlocks device using the password
If the device is locked with a pattern or PIN, the malware retrieves the pattern coordinates or PIN digits and uses the dispatchGesture API to either draw the pattern or simulate taps on the PIN keypad to unlock the device.
Figure 16 – Unlocks device using lock pattern
Q: Receives the compression quality number to control the quality of screen content
kb: Controls keyboard state
mov: Moves the cursor on the screen using specified x and y coordinates.
nav: Executes navigation actions such as returning to the home screen, switching to recent apps, or going back.
vol: Adjusts the device’s audio volume.
snap: Captures a screenshot.
block: Displays a black screen to conceal live screen activity from the victim.
paste: Gets the text from the server and enters it using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”
sklecolor: Receives a color code to change the color of rectangular boundaries using Accessibility Service API
skilton: Turns on the service responsible for capturing screen content
ject Command
The malware utilizes the “ject” command to manage injection activities, including removing the injection list, collecting extracted data during injection, and deleting the extracted injection data from the device.
Figure 17 – ject command operation
The malware maintains an ArrayList “d” to store target application package names, injection paths, and data collected from injection activities. It uses the “upload” command to download an injection ZIP file into the “/protected” directory. The ZIP file is then extracted, and its contents are saved using the “jctid” filename received from the server.
Figure 18 – Downloading injection files
The malware retrieves the package name of the currently running application and checks if it exists in its list. If a match is found, it loads the corresponding injection HTML file from the “/protected” directory and launches “WebInjector.class” to execute the injection.
Figure 19 – Initiating injection activity
The WebInjector class loads the injected HTML phishing page into a WebView. When the user enters their credentials on this fake page, the malware captures the input and sends it to the C&C server.
Figure 20 – Loading HTML injection page into the Webview
wrk Command
When the malware receives a “wrk” command, it also gets a parameter called “cmnd”, which includes additional instructions for executing various malicious activities.
Figure 21 – Receiving additional commands via the “wrk” command
This command enables the malware to perform various malicious activities, including:
Managing files (deleting, renaming, creating, encrypting, or decrypting).
Terminating services.
Taking screenshots.
Stealing images.
Conclusion
BTMOB RAT, an evolution of the SpySolr malware, poses a significant threat to Android users by leveraging Accessibility Services to perform a wide range of malicious activities. From stealing login credentials through WebView injections to manipulating screen content, collecting sensitive data, and even unlocking devices remotely, this malware demonstrates a high level of sophistication.
This potent malware uses WebSocket communication with a C&C server to allow real-time command execution, making it a powerful tool for cybercriminals. The malware’s distribution through phishing websites and continuous updates by the threat actor indicate an ongoing effort to enhance its capabilities and evade detection.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Download and install software only from official app stores like Google Play Store or the iOS App Store.
Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
Use strong passwords and enforce multi-factor authentication wherever possible.
Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
Be wary of opening any links received via SMS or emails delivered to your phone.
Ensure that Google Play Protect is enabled on Android devices.
Be careful while enabling any permissions.
Keep your devices, operating systems, and applications updated.
The 2023/24 Cyber Threat Report from New Zealand’s National Cyber Security Centre (NCSC), led by Lisa Fong, Deputy Director-General for Cyber Security at the Government Communications Security Bureau (GCSB), sheds light on the country’s rapidly changing cyber threat landscape. The report highlights an increase in cyber incidents targeting individuals, businesses, and critical national sectors, underlining the growing complexity of cyber threats.
For the year ending June 2024, the NCSC recorded a whopping total of 7,122 cybersecurity incidents, marking a new milestone since CERT NZ’s integration into the NCSC. Of these incidents, 95% (6,799) were handled through the NCSC’s general triage process. These incidents primarily affected small to medium businesses and individual users and resulted in a reported financial loss of $21.6 million. While these incidents did not require specialized technical interventions, they still had a substantial impact on those affected, particularly in terms of financial losses and reputational damage.
A smaller subset of incidents, 343 in total, was categorized as having national significance. These incidents were more complex and targeted critical infrastructure or large organizations. Among them, 110 were linked to state-sponsored actors, signaling a slight increase in cyber activities from such groups. Financially motivated cybercriminal activities were responsible for 65 of these high-impact incidents, emphasizing the persistent threat from financially driven attacks such as ransomware and data exfiltration.
2023/24 Cyber Threat Report: State-Sponsored Cyber Threats and Ransomware
One of the most concerning findings in the 2023/24 Cyber Threat Reportwas the rise of state-sponsored cyber activities, particularly those linked to espionage. These threats have been exacerbated by geopolitical tensions, notably the ongoing Russia-Ukraine conflict. The NCSC observed an uptick in cyber incidents linked to Russian state-sponsored actors and pro-Russian hacktivists. It also noted the growing challenge in distinguishing between state-sponsored cyber activities and financially motivated criminal operations, as some cybercriminals operate with tacit state approval or support.
Ransomware continues to be a security concern, targeting both large organizations and smaller entities, including schools. Although there were efforts to disrupt certain types of financially motivated cyber incidents, experts warn that ransomware actors are evolving and diversifying their operations. Ransomware actors increasingly exploit exfiltrated data to extort payments, causing severe financial and reputational damage. Additionally, Distributed Denial-of-Service (DDoS) attacks are being utilized as an extortion tactic when encryption or data leaks are not feasible.
The Growing Threat of Cyber-Enabled Fraud
The report also highlights a rise in cyber-enabled fraud and online scams, particularly those conducted through social media platforms and cryptocurrency channels. Cybercriminals are increasingly compromising business or corporate email accounts to impersonate trusted organizations. This tactic enables them to deceive victims into sharing sensitive personal information. These types of fraud are causing significant financial and reputational harm as unsuspecting victims fall prey to sophisticated social engineering tactics.
Despite the rise in cyber incidents, the NCSC’s proactive measures in 2023/24 helped prevent an estimated $38.8 million in potential harm. Through swift interventions, the agency disrupted over 10.3 million malicious events, a sharp increase compared to previous years. The NCSC’s efforts in raising cybersecurity awareness, issuing vulnerability alerts, and promoting sector-based security collaborations are crucial in strengthening New Zealand’s collective cyber resilience.
The report strongly urges all New Zealanders and organizations to adopt effective cybersecurity practices and stay vigilant in the face of evolving cyber threats. As the country’s reliance on technology continues to grow, so does the need for better security frameworks to reduce the risk of cyberattacks.
The Role of Technology in Expanding Cyber Threats
The growing accessibility of advanced cyber tools has significantly lowered the barrier for malicious actors. Tools once reserved for well-resourced nations are now widely available to both state-sponsored actors and cybercriminals alike. This proliferation of sophisticated cyber capabilities, coupled with the widespread use of compromised credentials and vulnerabilities in public-facing infrastructure, has made it easier for malicious actors to operate at scale. The impact of these activities can be catastrophic, especially for organizations that rely heavily on technology to deliver services.
Emerging technologies like artificial intelligence and the increasing connectivity of systems have made the cyber threat landscape more complex and widespread. Cybercriminals are leveraging these advancements to launch more sophisticated attacks, exploiting vulnerabilities that were previously difficult to target.
Social Engineering and Phishing Attacks
Social engineering remains one of the most successful tactics used by cybercriminals to deceive victims into compromising their personal information. By exploiting human psychology, attackers manipulate individuals into taking actions that compromise their security.
The NCSC has seen an increase in social engineering tactics, particularly phishing scams targeting individuals and organizations alike. While technological defenses like multi-factor authentication (MFA) can mitigate some attacks, phishing remains a powerful and persistent tool for cybercriminals.
In 2023, the NCSC recorded global data breaches, some of which involved New Zealanders’ personal information. These breaches expose individuals to further cyber risks, such as phishing and account compromises, which remain prevalent and often lead to significant financial losses.
Trends in Cybersecurity Incidents
The NCSC categorizes incidents based on severity, with the most significant incidents classified as C3. These high-impact incidents often involve ransomware or data exfiltration activities and affect critical infrastructure or key organizations. The report notes that 2023 saw a decline in ransomware incidents compared to previous years, although the attacks that did occur were still highly disruptive. While ransomware remains a concern, other types of attacks, such as phishing and malware, are equally problematic.
In contrast to C3 incidents, moderate (C4) and routine (C5) incidents saw an increase in frequency. Many of these incidents were linked to vulnerabilities being exploited multiple times.
Conclusion
The 2023/24 Cyber Threat Report from New Zealand’s NCSC highlights the increasingly complex nature of cyber threats despite a decrease in overall incident volume. The most common attack techniques included exploiting vulnerabilities in public-facing applications and reconnaissance activities like vulnerability scanning and credential gathering.
The report also emphasizes the growing risk of adversary-in-the-middle (AITM) phishing attacks, which bypass traditional security measures like MFA, urging organizations to adopt more robust solutions such as phishing-resistant MFA methods. While the NCSC’s proactive efforts have successfully mitigated many threats, the expanding reliance on technology and the growing availability of cyber capabilities necessitate ongoing vigilance and adaptability.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-13 05:06:432025-02-13 05:06:43New Zealand’s National Cyber Security Centre (NCSC) Reports Surge in Cyber Threats and Vulnerabilities
If you’re still under the illusion that scammers only target illiterate simpletons and would never be interested in you, think again. Fraud is a subtle art, and even the most tech-savvy person could fall for a well-crafted scheme. In 2025, scammers are leveraging artificial intelligence, chatbots, and the global trend toward automation.
With Valentine’s Day coming up, we reveal how scammers exploit the feelings of both those in love and those seeking it.
“This is Brad Pitt. I’m seriously ill and I need someone like you by my side”
At the start of 2025, a wholly unbelievable story shook the internet: a French woman thought she’d been dating Brad Pitt for a year-and-a-half online — only to discover it was a scam. The scammer used the actor’s image to swindle her out of about $850,000. He employed a classic scheme: claiming to be ill, “Brad Pitt” wanted to send his beloved expensive gifts but couldn’t pay the customs fees from his own accounts. So, he asked the woman to cover the costs, which she did. To appear more convincing, the scammer maintained almost daily contact and sent the victim poorly edited photos. The woman even received messages from a fake “Brad Pitt’s mother”, who thanked the woman for supporting her “son” during difficult times.
The fake Pitt showed the victim signed postcards with her name and sent sad photos from his hospital bed. Source
This is pretty much classic sextortion. Sextortion comes in a number of colorful varieties, but most often scammers send a message like this: “Hello! We represent a major security company and have gained access to all the data on your spouse’s personal devices. He/she is cheating on you, and we have evidence. Click the link to see it”. Hopefully, regular readers will have already guessed that there’s no “evidence” behind that link, and the “security company” is just another front. The only real thing here is the malicious link itself, leading you to loss of money and data.
An updated variation of this scam involves a teaser of a deepfake porn video featuring your significant other — and you can “purchase the full video” via the link. In yet another scenario, the scammers threaten to distribute AI-generated porn starring you to all your friends, colleagues, and contacts, unless you pay up immediately. Of course, you should absolutely never pay the criminals in this case — as Eugene Kaspersky explained in detail a few years ago. By the way, you can learn about other popular types of sextortion in our dedicated post, Fifty shades of sextortion.
Unexpected betrayal
Sadly, sometimes the biggest privacy threats come from current or former partners. For example, they might make your intimate photos public without your consent or knowledge. A 2024 study by our experts found that one-third of respondents store nudes on their devices, while one-in-four share intimate photos with their partners without considering the risks.
But even those who never take nudes can land in trouble: “I never took photos of myself naked, but one day, I started getting messages from strangers telling me how hot and sexy I looked. Turns out, my husband of ten years had been secretly photographing me while I slept and uploading the pictures to various forums”. For a video report on this and similar cases, plus tips on protecting yourself from revenge porn and removing leaked nudes from the web, check out our article, The Naked Truth.
“I’m something of a detective myself”
Some overly jealous individuals go as far as spying on their partners. And no, these days, you don’t need to hire a private detective — jealous lovers usually resort to spyware (stalkerware/spouseware) or Bluetooth tracking devices.
Software surveillance. Last year, a story went viral on social media about a woman who received a high-end smartphone as a gift from her boyfriend. Months later, she was shocked to discover that he knew a little too much about her whereabouts, conversations with friends, and private life in general. It turned out that before giving her the phone, her jealous partner had loaded it with all sorts of spyware to track her location and eavesdrop on her conversations.
Commercial surveillance apps are widely available. They’re often disguised as “parental control” apps, but once installed, they typically remain completely invisible on the device. They may also disguise themselves as something innocuous — a messaging app, a game, or a photo-gallery app. These apps are particularly easy to install and conceal on Android devices.
However, installing them usually requires physical access to the device. That’s why the first step to protect yourself is to set a strong screen lock password and never share it with anyone.
Wireless tracking. A tiny Bluetooth tracker can be slipped into a victim’s bag, car, or personal belongings — transmitting their location and movements to the stalker. It’s worth noting that even some of the latest wireless earbuds (TWS headphones) can also be used as tracking devices.
How to protect yourself from scams targeting lovers or the lovelorn
No matter how sophisticated a scam is, you can almost always protect yourself — especially when it comes to romance-related schemes. Here’s a list of tips to make your private life a little safer:
Use online dating apps safely. Create a private profile, share minimal confidential information, and be especially careful when interacting with new people.
Secure your devices with reliable protection to safeguard yourself from jealous partners or stalking exes.
Learn to tell real photos from deepfakes. Always double-check suspicious images.
Don’t engage with scammers who demand money or personal data in exchange for not releasing deepfake porn or nudes. It’s a bluff.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-12 12:06:372025-02-12 12:06:37How scammers trick people on Valentine’s Day | Kaspersky official blog
Advanced persistent threats (APTs) stand out as one of the most formidable challenges for businesses in the cybersecurity landscape. These threats can cause irreparable damage, leading to financial losses, data breaches, and reputational harm.
APTs are defined as sophisticated targeted attacks typically conducted by highly funded adversaries: national agencies, state-sponsored groups, organized crime groups, corporate espionage actors.
What Are APTs
The name speaks for itself, APTs are:
Advanced: Having at hackers’ disposal the full (and ever-growing) arsenal of techniques and tools to get and maintain access to the target.
Persistent: The aim is to keep long-term access to the targeted system or network. This involves constant improving and updating of the tools to evade detection.
Threats: Such campaigns are intentionally malicious and inevitably harmful. They are backed by coordinated actions of skilled, motivated, organized, and well-resourced professionals.
Why Are APTs a Significant Threat to Businesses
APTs prefer to target large corporations, government entities, and critical infrastructure. Finance, manufacturing, healthcare, and energy are prime targets for APTs due to the high value of their assets, data and infrastructure. The consequences of a successful APT attack extend beyond financial loss and corporate damage — they can impact national security, cause market instability, disrupt economies, and put lives at risk.
But no business, however modest-scale and unrelated to strategic industries, can consider itself safe:
Small and medium companies still possess valuable assets, handle sensitive customer information, financial data, or intellectual property
They are part of supply chains that can be disrupted by attacks
A successful infiltration into their communications grants access to larger partners or clients.
Along with all this, they have weaker security posture, invest less in cyber threat prevention.
Detect Early, Defend Better: The Power of Threat Intelligence
Threat intelligence is a pivotal element of an APT-resistant cybersecurity strategy. By gathering, analyzing, and applying intelligence on cyber threats, organizations can proactively detect and neutralize them before they escalate.
TI provides:
Early Detection: Identifying indicators of compromise (IOCs) before damage occurs.
Threat Hunting: Actively searching for hidden threats within the network.
Stronger Security Posture: Defenses based on real-world threat insights.
Incident Response Efficiency: Rapidly responding to and mitigating APT incidents.
How Threat Intelligence Lookup Facilitates APT Reconnaissance
TI Lookup helps organizations enrich threat dataon the latest cyber attacks
ANY.RUN’s Threat Intelligence Lookup is a solution fit for all these tasks: a state-of-the-art search engine for threat researchers and cybersecurity teams. It provides detailed insights into indicators of compromise (IOCs), malware behavior, and attack patterns.
It supports over 40 search parameters to query a constantly updated database of threat data, collected from millions of public malware and phishing samples and manually analyzed by a team of threat analysts.
For a business, it’s a source of actionable information for preventing, detecting and mitigating all sorts of cyberattacks up to APTs, thus avoiding operational disruptions, financial and reputational damages.
Collect intelligence on active APTs with ANY.RUN’s TI Lookup
Wicked Panda APT: Closer Look at an Abused Registry Key
A notorious Chinese APT group, APT41 aka Wicked Panda, employs a PowerShell-backdoor for compromising systems.
To maintain persistence, it adds its payload in Windows registry entry HKCUEnvironmentUserInitMprLogonScript which allows it to run malicious code automatically at each user login into the system. Besides, the hackers abuse a legitimate Microsoft’s forfiles.exe utility.
This data is enough to combine a query for TI Lookup:
From the search results, we can extract additional IOCs associated with such campaigns, like file hashes or mutexes, and use them for setting up threat detection and alerts.
Sandbox session with an APT41 backdoor attack
The Tasks tab shows recent sandbox sessions with analysis of the attack. The sessions can be viewed in ANY.RUN’s Interactive Sandbox to study TTPs and other components of the attack.
MuddyWater APT: Identifying a Backdoor via Mutexes
Another example: MuddyWater APT group from Iran is known for using PackageManager and DocumentUpdater mutexes in their malware campaigns. The mutexes are generated by their BugSleep backdoor.
The attack starts through a phishing email, BugSleep gets deployed, creates a mutex and decrypts its configuration, including the addresses of command-and-control servers. This behavior has been observed in MuddyWater campaigns targeting organizations in Israel and other countries.
We can accommodate both mutexes into a TI Lookup search request:
Mutex name search results in TI Lookup Synchronization tab
Diving deeper in the search results, we can identify the actual samples that use this mutex.
Bugsleep backdoor and its behavior demonstrated by the ANY.RUN Sandbox
We can navigate to the sandbox sessions where these mutexes were used to explore the threat and its behavior in greater detail.
Learn to Track Emerging Cyber Threats
Check out expert guide to collecting intelligence on emerging threats with TI Lookup
Read full guide
Lazarus Group: Following North Korea’s Biggest APT
Lazarus is one of the most active threats coming from North Korea. The group has been involved in many cyber attacks on both businesses and individuals. One of the recent examples involved conducting fake interviews with tech professionals to install malicious programs on their devices.
With TI Lookup, we can not only explore the most recent samples and collect indicators related to Lazarus but also subscribe to receive updates on specific queries.
TI Lookup lets users subscribe to specific queries and receive updates on new results
Let’s use the simple query like threatName:”lazarus” and click the bell icon to subscribe to updates.
TI Lookup lists all of your subscriptions along with info on new results
As soon as new indicators or sandbox sessions relevant to the query appear in TI Lookup’s database, we will be notified about them.
APTs represent a high level of cyber threat due to their strategic nature, the resources behind them, and their capability to adapt and evolve over time. Organizations, especially those in critical sectors or handling sensitive information, need robust cybersecurity strategies to defend against such threats. Threat intelligence is a cornerstone of such a strategy, and TI Lookup from ANY.RUN has proven itself as a comprehensive tool for fueling intelligence with fresh contextual data.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Microsoft has released its monthly security update for February of 2025 which includes 63 vulnerabilities affecting a range of products, including 4 that Microsoft marked as “critical” and one marked as “moderate.”
There are two notable “critical” vulnerabilities. The first is CVE-2025-21376, which is a remote code execution (RCE) vulnerability affecting the Windows Lightweight Directory Access Protocol (LDAP). This vulnerability is a remote unauthenticated Out-of-bounds Write (OOBW) caused by a race condition in LDAP and could potentially result in arbitrary code execution in the Local Security Authority Subsystem Service (lsass.exe). This is a process in the Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. Successful exploitation of this vulnerability requires an attacker to win a race condition. CVE-2025-21376 has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft.
CVE-2025-21379 is another notable critical remote code execution vulnerability. It was found in the DHCP Client Service and was also patched this month. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This vulnerability has been assigned a CVSS 3.1 score of 7.1 and is considered “less likely to be exploited” by Microsoft.
CVE-2025-21177 is a critical privilege escalation vulnerability in the Microsoft Dynamics 365 Sales customer relationship management (CRM) software. A Server-Side Request Forgery (SSRF) allows an authorized attacker to elevate privileges over a network.
CVE-2025-21381 is a critical remote code execution vulnerability affecting Microsoft Excel and could enable an attacker to execute arbitrary code on vulnerable systems. This vulnerability could be triggered via the preview pane in affected applications. This vulnerability has been listed “less likely to be exploited” by Microsoft.
CVE-2025-21368 and CVE-2025-21369 are RCE vulnerabilities flagged “important” by Microsoft. They have a CVS 3.1 score of 8.8. To successfully exploit one of these remote code execution vulnerability, an attacker could send a malicious logon request to the target domain controller. Any authenticated attacker could trigger these vulnerabilities. It does not require admin or other elevated privileges.
CVE-2025-21400 is also an RCE vulnerability flagged “important” by Microsoft, affecting the Microsoft SharePoint Server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. This attack requires a client to connect to a malicious server and could allow an attacker to gain code execution on the client. Microsoft considers this vulnerability as “more likely to be exploited”.
CVE-2025-21391 and CVE-2025-21418 are the only vulnerabilities this month which are known to be exploited in the wild. Both are privilege elevation vulnerabilities. An attacker can use CVE-2025-21391 to delete critical system files. CVE-2025-21418, nestled within the Ancillary Function Driver (AFD), exposes a pathway to local privilege escalation through the Winsock API. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
Talos would also like to highlight the following vulnerabilities that Microsoft considers to be “important”:
CVE-2025-21190 Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21198 Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
CVE-2025-21200 Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21201 Windows Telephony Server Remote Code Execution Vulnerability
CVE-2025-21208 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2025-21371 Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21406 Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21407 Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21410 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58316, 58317, 62022, 62023, 64529-64532, 64537, 64539-64542, 64545. There are also these Snort 3 rules: 300612, 301136, 301137, 301139, 301140.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-11 20:06:482025-02-11 20:06:48Microsoft Patch Tuesday for February 2025 — Snort rules and prominent vulnerabilities
Recently we had a chance to sit down for a chat with the Head of Cybersecurity at an investment bank. An hour-long conversation gave a sneak peek into the work of their cybersec team, challenges they face, and the use of ANY.RUN’s Interactive Sandbox.
Here’s what we learned.
Company and Team Overview
We’re an investment bank based in Brussels. The total number of employees is about 750 people with 12 of them being on my cybersecurity team. Just like most companies out there we have to make do with limited resources and stay lean. That means wearing multiple hats and sharing different roles depending on the current situation at hand. Our threat analysts can jump in and handle incident response if need be and so on.
What Made the Team Look for a Sandbox
When I first took over this role, coming from a large international bank, my number one task was to take a look at the business’s entire cybersecurity setup and find ways to make it more efficient. In reality, it turned out to be messier than I expected.
The team was literally getting swamped with alerts every day with no end in sight. Thankfully, having seen what a properly functioning cybersecurity department looks from the old job, I knew what kind of levers I had to start pulling to get the things to where they had to be.
Fixing workflow meant new tools. A good malware sandbox was at the top of the list. Back at the large bank we had a whole selection of these from different vendors, including ANY.RUN. The CISO there often said, “Investing in good cybersecurity costs less than the incidents it prevents.” That helped a lot in securing budget whenever we wanted to test a new tool.
Investing in good cybersecurity costs less than the incidents it prevents.
Basically, because I’d already seen sandboxes in action, I knew how critical they would be for building a more effective department. But if you are going to press me to pick one thing that made me jump to sandboxes right away, it was the speed boost they offered. Not just in terms of malware analysis, I mean across the board, for everything from spotting threats to responding to incidents.
So, it was a total no-brainer to start looking at sandbox options from the day I stepped into my role.
Why ANY.RUN
After spending a week scrolling through vendors’ websites, I decided to just put together all the must-haves I wanted to see in the ideal solution. Eventually it came down to the two main features, apart from the basic stuff, of course.
Banking means a ton of data privacy compliance, so we had to know our data would be secure in the sandbox and that it would meet all the regulations. Vendor’s privacy policies, the location of their servers, and how they handled data were really important.
Naturally, threat detection performance was essential. But practicality for the team was also crucial. We needed a tool that gave us as many insights as possible, be it network traffic or system logs. It had to be helpful for both our initial triage and our more in-depth incident response work.
And after I threw in ANY.RUN’s price, the choice became obvious.
Gain instant insights into malware and phishing threats with ANY.RUN’s Interactive Sandbox
We’ve been using ANY.RUN for approximately 18 months now.
Sandbox’s Impact on CyberSec Operations
Integrating the sandbox was part of a bigger workflow overhaul, so we saw results almost instantly, in the first week. The team was able to churn through alerts and threat analysis at least twice as fast. This saved the bank hefty sums of money on incident response and recovery that were avoided thanks to our timely actions. But it was not just about going faster, though.
Our threat understanding improved too. And it’s really down to ANY.RUN’s VM control. It lets the team explore files, browse websites, download and execute files. The hands-on approach saves hours of work and has now become our secret weapon for understanding complex malware behavior in the shorter time period. It is also much cheaper and more effective than running custom-built VMs on isolated computers that require a week of preparation.
The combination of speed and knowledge allowed us to identify and prevent cyber attacks better than ever before.
The combination of speed and knowledge allowed us to identify and prevent cyber attacks better than ever before. It also helped us plan smarter, strategically and tactically, and respond to attacks much more effectively.
How ANY.RUN Fits into Larger Cybersecurity Strategy
We regularly use ANY.RUN with other security solutions, which once again contributes to more efficient workflows, faster reaction time, and no money lost for the company.
In one of the instances, the API helps us automatically submit suspicious files from our email gateway and other sources directly to the sandbox for analysis. When running the sandbox with an endpoint security solution, I recommend turning the automated mode on (Automated Interactivity — Editor). The service does a good job identifying threats on its own, which once again gives us a chance to save time for our team members.
Common Threats Faced by the Bank
Everyone knows that the financial industry is the number one target for criminals. That is why we face a myriad of threats at the same time. But for us, social engineering threats like phishing emails are a constant headache. The number of ransomware and credential stealing attempts we have prevented thanks to the sandbox is already in the hundreds. Had we not identified them, this would be devastating for the business.
The number of ransomware and credential stealing attempts we have prevented thanks to the sandbox is already in the hundreds.
Beyond just reacting to threats, we also use the sandbox for proactive threat hunting. When we encounter new, unknown malware strains, we detonate them in the sandbox specifically to collect detailed behavioral data. This intelligence then allows us to enrich our detection rules across our security infrastructure and better protect against future variations of these threats.
Stopping Ransomware from a Supplier Email
Let me share a concrete example where the sandbox truly proved its worth. One day we received an email from our long-term supplier. It was a fairly routine communication, but it contained a zip attachment with a password, which raised a red flag for our email security system.
Following our procedures, one of the analysts detonated the email within the sandbox, opened the archive, and discovered an executable inside. After the executable ran in the sandbox environment, we quickly saw the entire attack chain: the executable turned out to be a loader, which downloaded and initiated a ransomware within the virtual machine.
Timely sandboxing prevented the company from suffering millions of dollars in losses, damaged reputation, and years of litigation.
Thanks to the sandbox, we were able to identify this ransomware threat before it could reach any of our actual systems. We blocked the email across our organization and warned other departments about this specific phishing campaign. Timely sandboxing prevented the company from suffering millions of dollars in losses, damaged reputation, and years of litigation.
Learn to analyze cyber threats
See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Read full guide
Future Plans
We never stop improving our security infrastructure, and with strong advancements in AI, we cannot afford to ignore this trend. Right now we focus on AI-assisted automation and our plans include deeper integration with the SOAR and SIEM platforms.
Of course, the AI-powered analysis within ANY.RUN’s sandbox fits perfectly into this strategy. Our team regularly turns to this feature for quick tips on the malicious activities detected during analysis.
Advice for Other Organizations Choosing a Sandbox
Before you even start evaluating vendors, be crystal clear about why you need a sandbox and what specific security problems you’re trying to solve. What are your biggest malware-related pain points? Having defined use cases will help you focus your evaluation and ensure the sandbox you choose truly addresses your needs.
But let’s be honest: no security solution is a magic bullet. The final decision always rests with you and your team.
Conclusion
We want to thank the guest for sharing their detailed insights into the inner workings of a security team at a financial institution. We hope this story can help other organizations facing similar issues. If you are using ANY.RUN’s products and willing to share your experiences with the community, please send us an email at content@any.run.
How ANY.RUN’s Services Help Banks
ANY.RUN’s suite of cybersecurity tools is trusted by numerous businesses in the finance industry.
Interactive Sandbox offers fast and extensive malware and phishing analysis to streamline security operations and maintain better defense.
TI Lookup provides instant context for indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs) to help banks speed up incident response, threat hunting, and save resources.
TI Feeds allows banks to identify emerging threats before they have a chance to inflict damage by supplying a real-time stream of network indicators.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-11 13:06:402025-02-11 13:06:40I Used a Sandbox to Strengthen Bank’s Security—Here’s How It Worked
Researchers from universities in Germany and the U.S. recently showcased an interesting attack — or rather, two attacks — exploiting two different vulnerabilities in Apple CPUs. Picture this: someone sends you a link in a chat. When you click it, nothing looks suspicious at first. It doesn’t ask for your work email password, doesn’t try to get you to download a sketchy file. The page might even contain something fun or useful. But while you’re busy browsing it, hidden code is secretly harvesting data from another browser tab — checking your location, recent online purchases, and even stealing your emails.
The description of the attack seems simple enough, but in reality, we’re talking about a very complex attack that exploits the features of so-called speculative execution by the CPU.
Wait a minute! Haven’t we heard this before?
You just might have. The core idea of the new attacks resembles various Spectre-type attacks that exploit other, albeit somewhat similar, vulnerabilities in Intel and AMD CPUs. We’ve covered those attacks before. In 2022, four years after the first Spectre vulnerability was discovered, we concluded that there was no realistic, easy, or effective way to exploit those vulnerabilities. Although exploiting these new Apple chip vulnerabilities isn’t straightforward either, the difference this time is that the researchers have already provided fairly realistic attack scenarios and proved their feasibility. To see just how dangerous these vulnerabilities are, let’s briefly recap the basic principles behind all such attacks without getting bogged down in complicated research.
Exploiting speculative execution logic
Speculative execution refers to a situation where the processor executes the next instruction without waiting for the previous one to finish. Let’s draw a somewhat odd yet helpful analogy here with a car. Imagine your car starts the engine automatically every time you approach it. If you’re just passing by, the engine stops (as such, the operation is unnecessary). But if you’re about to set off driving, it’s ready to go as soon as you get in.
Similarly, a CPU can decide to run an operation in speculative execution mode. And by the time the previous computation is complete, the program’s logic might have changed, making this operation unnecessary; in this case it’s discarded. CPU designers utilize a variety of techniques to improve branch-predictor capability to forecast instructions that are most likely to be executed next. To accomplish this, they gather instruction execution statistics: if a certain code segment is always invoked under particular conditions, it’s probable that it will be invoked under the same conditions again.
Such a computation may involve rather sensitive operations such as accessing protected memory areas containing secret data. The issue lies in the fact that even if a program shouldn’t have access to such data, it can still potentially “train” the speculative execution algorithm to access it.
Before the Spectre attack was discovered in August 2018, it wasn’t considered to be a data leakage risk. Secret information, such as encryption keys and private user data, is stored in the restricted-access CPU cache. However, the researchers who discovered Spectre found that cached data could be extracted indirectly — by performing hundreds and thousands of read operations and measuring the execution time of these instructions. They found that one could “guess” cached values that way: if the guess is correct, the instruction would execute fractions of a second faster.
So, there are two crucial components to a Spectre-like attack. One is the ability to trick the speculative execution algorithm into accessing a forbidden memory area. The other is the capability to read this data indirectly through a side channel.
SLAP and FLOP attacks on Apple CPUs
The researchers from Germany and the U.S. wrote two separate papers at once — because they’d discovered two different vulnerabilities in Apple CPUs. One issue was found in the Load Address Predictor. This is one of many speculative execution systems that predicts the RAM address that a running program will most likely access. The second vulnerability was found in the Load Value Predictor system. This additionally attempts to anticipate the actual value that will be retrieved from RAM.
The researchers named the two attacks “SLAP” and “FLOP”: short for “Speculative Load Address Prediction” and “False Load Output Prediction”. Although both attacks have a common principle and result in a similar outcome, the methods of exploiting these vulnerabilities differ significantly — hence the two different studies. In the former case, the researchers demonstrated how the Load Address Predictor could be exploited to read restricted data. In the second case, while no data was actually read, the system’s accurate prediction of what would be read could again expose sensitive information.
How dangerous are SLAP and FLOP attacks?
Nearly all Spectre-type attacks are subject to numerous limitations that hinder their practical use for malicious purposes:
The “malicious code” exploiting a vulnerability in the speculative execution system must be running on the same CPU core as the targeted process.
The ability to steal data often depends on the presence of code with certain features in the OS kernel or other software that the attacker has no control over.
Carrying out a remote attack over a network or through a browser is extremely difficult because measuring the instruction execution time to obtain data through a side channel becomes a lot more complicated.
Therefore, all previous attacks could be categorized as very complex, and only applicable for attempts to access highly valuable data, which means the attacker needed considerable resources to develop such an attack. All in all, that’s good news, as patching certain hardware vulnerabilities in production CPUs is either virtually impossible or associated with a substantial decrease in performance.
SLAP and FLOP open up a different perspective. They affect the latest processors made by Apple. The Load Address Predictor was introduced on desktop computers and laptops with the Apple M2 CPU model, and mobile devices with the Apple A15. The more advanced Load Value Predictor first appeared in the Apple M3 and A17, respectively.
Implementing these attacks is still a challenge. However, a key difference in this study compared to previous ones is that it immediately both proposed and verified the feasibility of practical attacks. The researchers demonstrated how SLAP and FLOP can be used to bypass multiple security layers both in the CPU and the Safari browser to gain access to sensitive data.
This alone might not be enough reason for cybercriminals to develop functional malware targeting Apple devices; however, there are other reasons why attempts to use SLAP and FLOP could be made in the wild.
Apple devices are rather well protected. Exploits allowing one to bypass an iPhone’s security system and gain access to the owner’s private data command exorbitant prices on the gray and black markets. Thus, it’s reasonable to assume that a hardware vulnerability that’s highly likely to remain at least partially unfixed will be exploited in targeted attacks when particularly valuable data is sought. It’s therefore not out of the question that we’ll see such vulnerabilities exploited in targeted attacks on Apple devices.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-02-10 16:06:422025-02-10 16:06:42SLAP and FLOP vulnerabilities in Apple CPUs | Kaspersky official blog