Welcome to this week’s edition of the Threat Source newsletter.
This week, I’m coming to you from Cisco Live in San Diego where I’ve just talked to a room that some of you may have been in, so writing this feels a bit surreal. It’s really hard to try and write a cogent newsletter with all that’s happening in the world, some directly outside my door. To purposefully butcher Charles Dickens, “It was the worst of times, it was the even worse times.” Nevertheless, I’m persisting.
I’ve had great conversations with so many smart people this week, but I was reminded once again that the most important tool you can leverage in protecting and securing your environment is knowing your environment and knowing yourself.
Knowing your environment can and should be tooled and processed so that it can be repeatable. Continuing to know your environment requires constant vigilance and effort. Knowing yourself requires a level of introspection that is hard — and honestly, sometimes I just lift the rug and sweep my issues under it when I can’t tackle that negativity.
I’ll give you an excellent example: every single thing I write would get flagged as AI. Everything. Why? I use an em dash (“—”) for roughly every four words I write — sometimes more, if I let it fly. It’s clear that I could never go back to school successfully, despite the comedy gold that it would produce. For those of you old enough to remember “Back to School” with Rodney Dangerfield, I think you can imagine. I don’t even want to talk about my kludgy code. Sure, it runs, but at what cost?
So my advice? Do as I say, not as I do. Learn everything about your environment in a repeatable way, with a clear and documented process. Then analyze your own weaknesses in your work — let’s not try to make miracles happen — and identify chances for you to learn, fill the gaps in your skill set and then do it all over again. The bad guys are really good at learning your environment; make it as hard for them as you can.
The one big thing
Cisco Talos recently disclosed several vulnerabilities across various software, including catdoc, Parallel, NVIDIA and High-Logic FontCreator. While most vulnerabilities were patched by their respective vendors, catdoc posed an exception as the vendor was unreachable, prompting Talos to provide patches directly.
Why do I care?
These vulnerabilities highlight risks in widely used software, potentially exposing systems to attacks such as privilege escalation, memory corruption and data leaks. Understanding these risks is crucial to protect your systems.
So now what?
If you use these programs, update them immediately with the latest patches to protect yourself. If you’re on a security team, grab the latest Snort rules to detect possible exploits and keep an eye out for suspicious activity. And if you’re a developer, take notes from these vulnerabilities to strengthen your own code and avoid similar pitfalls in your projects. Security is everyone’s job!
Top security headlines of the week
NHS in England calls for blood donors after ransomware attack The UK’s National Health Service (NHS) is calling for one million donors after a Qilin ransomware attack last summer caused a severe shortage of O-negative blood. (Cybernews)
Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders. (The Register)
Google fixes bug that could reveal users’ private phone numbers A security researcher has discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks. (TechCrunch)
SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. (The Hacker News)
Can’t get enough Talos?
Microsoft Patch Tuesday for June 2025 Microsoft has released its monthly security update, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” Read the blog here.
PathWiper targeting Ukrainian critical infrastructure Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” Learn more.
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy, except in the case of the catdoc zero-day vulnerabilities, which were patched by our researcher (patches found in this repository). This is an unusual case, because the vendor could not be reached to fix these high-risk bugs; our policy does not include fixing third-party vulnerabilities.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
TALOS-2024-2128 (CVE-2024-48877) is a memory corruption vulnerability in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
TALOS-2024-2131 (CVE-2024-52035) is an integer overflow vulnerability which exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95., and TALOS-2024-2132 (CVE-2024-54028) is an integer underflow vulnerability in the OLE Document DIFAT Parser functionality. A specially crafted malformed file can lead to heap-based memory corruption for either vulnerability, and an attacker can provide a malicious file as a trigger.
Parallel integer overflow vulnerability
Discovered by KPC of Cisco Talos.
Parallels is a desktop emulator for Mac computers that enables virtual Windows applications.
TALOS-2025-2160 (CVE-2025-31359) is a directory traversal vulnerability exists in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). This vulnerability can be exploited by an attacker to write to arbitrary files, potentially leading to privilege escalation.
There are three privilege escalation vulnerabilities in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740).
TALOS-2024-2126 (CVE-2024-36486): When an archived virtual machine is restored, the prl_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.
TALOS-2024-2124 (CVE-2024-54189): When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.
TALOS-2024-2123 (CVE-2024-52561): When a snapshot of a virtual machine is deleted, a root service verifies and modifies the ownership of the snapshot files. By using a symlink, an attacker can change the ownership of files owned by root to a lower-privilege user, potentially leading to privilege escalation.
NVIDIA integer overflow vulnerability
Discovered by Dimitrios Tatsis of Cisco Talos.
NVIDIA cuobjdump is a command-line utility included in the NVIDIA CUDA Toolkit. Similar to the standard `objdump` utility, it parses CUDA executable files and displays information like PTX disassembly, section headers, relocations etc.
TALOS-2025-2151 (CVE-2025-23247) is an integer overflow in the ELF Section Parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
High-Logic out-of-bounds read vulnerability
Discovered by KPC of Cisco Talos.
High-Logic FontCreator is a font editor for Windows & macOS. The program allows you to create, edit and export OpenType, TrueType and responsive variable fonts.
An out-of-bounds read vulnerability, TALOS-2025-2157 (CVE-2025-20001), exists in High-Logic FontCreator 15.0.0.3015. A specially crafted font file can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
ANY.RUN’s Threat Intelligence Feeds (TI Feeds) provide security teams with exclusive intel on threats targeting 15,000 companies worldwide. With TAXII protocol, you can safely and easily reinforce your company’s proactive detection with TI Feeds.
Why Use TAXII for TI Feeds?
TAXII (Trusted Automated eXchange of Indicator Information) allows for swift and comfortable delivery of threat intelligence feeds. It’s a popular standard acknowledged for its security and usability.
TI Feeds are available for integration with the support of TAXII protocol. With this combo, you’ll achieve:
Secure and Standardized Data Exchange: TAXII provides a secure framework for transferring threat intelligence.
Customizable Data Delivery: TAXII allows you to tailor the data you receive, whether it’s all available IOCs or specific types like IPs, URLs, or domains.
Integrate Threat Intelligence Feeds in your SOC Start with 14-day trial
How ANY.RUN’s TI Feeds Strengthen Businesses’ Proactive Security
TI Feeds empower your SOC with actionable intelligence to proactively monitor and prevent threats, mitigating breach risks and associated costs.
With ANY.RUN, MSSP companies get to stand out among competitors by enriching their infrastructure with data on real threats targeting companies across industries.
Integrate TI Feeds into your system for an easy access to all of their perks:
Detect Threats Early: Access high-quality indicators from threat investigations across 15,000 organizations worldwide to proactively identify and prevent threats from compromising your systems.
Expand Threat Coverage: Get unique IOCs from Memory Dumps, Suricata IDS, and internal threat categorization systems allowing you to catch the most evasive malware. for better monitoring and alert triage.
Minimize False Positives: The feeds are pre-processed to ensure indicators are reliable and false positive rate is near-zero.
Accelerate Response through Automation: Automatically block malicious IPs, flag related logs, or trigger playbooks based on TI Feeds’ data to reduce manual workload and enable faster reactions.
Gain Better Attack Visibility: Our indicators of compromise come with extensive metadata, as well as links to related sandbox sessions for further analysis.
Simplify Setup: In addition to TAXII protocol support, we offer API and SDK to deliver ANY.RUN’s feeds in a structured, easy-to-use format—STIX or MISP.
TI Feeds & TAXII: How It Works
Integration through TAXII protocol is available for all users with paid plans. You can easily setup TI Feeds as a TAXII endpoint in their system, be that SIEM, TIP, EDR/XDR, NGFW, or other Security Operations solutions.
Upon connection to ANY.RUN’s TAXII server, your system automatically receives fresh threat intelligence. Check out what our feeds look like by downloading a sample in STIX or MISP format.
After that, your infrastructure will be enriched with uniquely sourced threat data, adding to its efficiency. Feeds will be ready for further processing: you can determine correlations, launch playbooks, and more.
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
On June 10, as part of its Patch Tuesday, Microsoft, among other problems, fixed CVE-2025-33053 — an RCE vulnerability in Web Distributed Authoring and Versioning (WebDAV, an extension of the HTTP protocol). Microsoft doesn’t categorize it as critical, but three facts suggest it’s worth installing the corresponding patches asap:
CVE-2025-33053 has a fairly high rating on the Common Vulnerability Scoring System scale — 8.8;
its exploitation has been detected in the wild;
Microsoft decided to patch not only modern Windows, but also a number of outdated, no longer supported versions of its operating system.
What is WebDAV and what is the CVE-2025-33053 vulnerability?
At some point in the distant internet-past, users of the net required a tool that would allow them to collaborate on documents and manage files on remote web servers. In answer, a special working group created DAV — a set of extensions to the HTTP protocol. Support for the new protocol was implemented in the default Windows browser — Microsoft Internet Explorer.
Fast-forward to the beginning of 2023, and Internet Explorer was finally decommissioned, but as we’ve already written, the browser is still very much alive. A number of its mechanisms are still used in third-party applications, as well as in the new Microsoft Edge browser. Therefore, attackers continue to search for vulnerabilities that can be exploited using IE. CVE-2025-33053 is one of them. It allows attackers to execute arbitrary code if the victim clicks on a link to a WebDAV server they control. That is, all that is required of the attackers is to convince the victim to follow the link. The exact operating principle of the exploit for this vulnerability has not yet been publicly disclosed, but according to the Check Point researchers who initially found CVE-2025-33053, exploitation occurs through manipulations with the working directory of a “legitimate Windows tool”.
Who can exploit CVE-2025-33053, and how?
Check Point researchers discovered exploitation of this vulnerability in attacks attributed to the Stealth Falcon APT group — known to be operating in the Middle East. However, it’s obvious that after the publication of the research and the update to the system itself, other cybercriminals will try to reverse engineer the patch and create their own exploits as soon as possible. The ease of exploitation and prevalence of the vulnerable browser makes CVE-2025-33053 an ideal candidate for malware delivery — especially ransomware.
How to stay safe?
Windows operating systems should be updated as soon as possible. Microsoft has released patches even for the outdated Windows Server 2012 and Windows 8 (you can find them in the description of CVE-2025-33053). In addition, we recommend using reliable security solutions on all devices used for internet access — they’re able to detect both attempts to exploit vulnerabilities and the launch of malicious code. It also makes sense to regularly raise employee security awareness (for example, using the Kaspersky Automated Security Awareness Platform), because most modern cyberattacks begin with emails or other messages from attackers — who most often use fairly standard tricks.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-11 11:06:472025-06-11 11:06:47CVE-2025-33053: RCE in WebDAV | Kaspersky official blog
Modern Security Operations Centers (SOCs) face an unprecedented challenge: defending against an ever-evolving threat landscape while managing alert fatigue, resource constraints, and the need for rapid response times. The integration of high-quality Threat Intelligence (TI) feeds has proven itself as a force multiplier for SOC teams, transforming reactive security postures into proactive defense strategies.
ANY.RUN’s Threat Intelligence Feeds exemplify how comprehensive, contextual threat data can enhance SOC performance across multiple operational dimensions. By providing real-time indicators of compromise (IOCs), behavioral insights, and detailed malware analysis, these feeds address core challenges of security teams.
Quick Recap: How Threat Intelligence Feeds Help SOCs
Core SOC Challenges and TI Feeds Solutions
Delayed threat detection
Deliver real-time IOCs for instant alerts
Correlate network traffic with known threats
Early alerts before internal tools trigger
Slow, manual incident response
Automate IP/domain blocking
Trigger SOAR response playbooks
Flag related activity in SIEMs
Lower MTTR with seamless integrations
Limited visibility into attack context
Linked sandbox sessions provide IOC metadata (malware family, behavior) and TTPs
Enable proactive rule updates
Analyst overload and burnout
Filter out false positives with curated data
Prioritize alerts with risk scores
Free analysts for strategic tasks
High business risks
Highlight critical vulnerabilities
Allow better prioritization
Faster detection/mitigation reduces dwell time
Further, we shall elaborate on the role of indicator feeds in optimizing main performance vectors of security teams on the example of ANY.RUN’s Threat Intelligence Feeds.
1. Early Detection of Incidents
Early detection is critical to preventing full-scale breaches. Threats should be identified before they can establish persistence or cause significant damage. Traditional signature-based detection systems often lag behind emerging threats, creating dangerous gaps in coverage during the critical early stages of an attack.
ANY.RUN’s TI Feeds offer real-time access to a continuous stream of fresh Indicators of Compromise (IOCs) gathered from thousands of interactive malware sandbox sessions daily. These indicators include malicious IP addresses, domain names, and URLs that can be quickly integrated into SIEM platforms and security tools.
Unique indicators from Memory Dumps, Suricata IDS, and internal threat categorization systems
Verified malicious IPs, domains, and URLs, updated every few hours
Early detection is particularly powerful when combined with automated threat hunting workflows. SOC analysts can configure their systems to automatically query historical logs and network traffic against newly received indicators to uncover ongoing attacks. This retrospective analysis capability means that even if a threat initially bypasses existing controls, it can be identified and contained as soon as relevant intelligence becomes available.
By reducing the Mean Time to Detection (MTTD) organizations can significantly limit the potential impact of security incidents.
Request access to Threat Intelligence Feeds and start improving SOC KPIs
In cybersecurity, minutes can mean the difference between a contained incident and a major breach. ANY.RUN’s Threat Intelligence Feeds enable automated response mechanisms that dramatically reduce the time between threat identification and mitigation actions.
The feeds’ structured data format allows for seamless integration with Security Orchestration, Automation, and Response (SOAR) platforms and other security tools. When new malicious indicators are received, automated playbooks can immediately trigger protective actions such as blocking malicious IP addresses at firewalls, quarantining suspicious files, or isolating potentially compromised endpoints. The reduction in manual intervention not only accelerates response times but also ensures consistent execution of response procedures regardless of analyst availability or expertise level.
Test TI feeds for the capabilities and integration options
The feeds also support threat hunting automation, where new indicators automatically trigger searches across historical data, network logs, and endpoint telemetry. Automatization results in a significant reduction in Mean Time to Response (MTTR), often cutting response times from hours to minutes. This acceleration is particularly critical for threats that exhibit rapid lateral movement or data exfiltration capabilities.
You can request an ANY.RUN’s TI Feeds sample with preferred settings and get assistance with your integration:
3. Better Attack Visibility and Proactive Defense
Understanding the full scope and context of cyber threats is essential for effective defense. ANY.RUN’s Threat Intelligence Feeds provide SOC teams with actionable visibility into campaigns through metadata and direct links to detailed sandbox analysis sessions.
Each indicator of compromise comes enriched with contextual information, including malware family classification, detection timestamps, related artifacts, and campaign attribution data. This metadata enables analysts to know not just what to block, but why the threat is significant, and how it fits into broader attack patterns.
Related sandbox sessions show threats’ execution and TTPs
IOCs are linked to specific threats
The integration with ANY.RUN’s Interactive Sandbox provides an additional layer of research depth. When investigating an alert triggered by a threat intelligence indicator, analysts can access the complete sandbox session that generated the IOC, observing the malware’s behavior in real-time.
A malware analysis session with network activity, processes, and other data
By understanding the tactics, techniques, and procedures (TTPs) associated with specific threat actors, SOC teams can implement preventive measures and monitoring strategies tailored to anticipated attack vectors.
4. Reduced Analyst Fatigue
An average SOC handles 11,000 alerts daily, with only 19% worth investigating, per the 2024 SANS SOC Survey. Analysts get routinely overwhelmed by high volumes of security alerts, many of which prove to be false positives. ANY.RUN’s Threat Intelligence Feeds address this challenge by improving alert quality and providing the context necessary for rapid triage and decision-making.
The contextual metadata and sandbox links accompanying each indicator further reduce investigation time by providing analysts with immediate answers to common questions. The sandbox integration is particularly helpful for junior analysts who may lack the skills and experience required for advanced malware analysis.
The effect is a more sustainable SOC workflow where analysts can focus on high-value activities such as threat hunting, incident response, and security architecture improvements rather than being overwhelmed by alert triage and manual investigation tasks.
5. Risk Reduction
The ultimate goal of any security operation is risk reduction, and ANY.RUN’s Threat Intelligence Feeds contribute to this objective through mechanisms that address both immediate tactical threats and overall security posture.
At the tactical level, the feeds enable rapid identification and mitigation of active threats, directly reducing the organization’s exposure to compromise and impact from successful attacks. The automated response mechanisms fueled by TI Feeds ensure that threats are contained before they can achieve their objectives, whether those involve data theft, system disruption, or lateral movement.
The proactive defense capabilities enabled by ANY.RUN’s Threat Intelligence Feeds also contribute to long-term risk reduction by helping organizations stay ahead of emerging threats. Rather than simply responding to attacks after they occur, SOC teams can implement preventive measures based on observed attack trends and threat actor innovations.
How to Integrate Threat Intelligence Feeds from ANY.RUN
Spot and block attacks quickly to prevent disruptions and damage.
Keep your detection systems updated with fresh data to proactively detect emerging threats.
Handle incidents faster to lower financial and brand damage.
ANY.RUN also runs a dedicated MISP instance that you can synchronize your server with or connect to your security solutions.
Conclusion
ANY.RUN’s Threat Intelligence Feeds help SOCs transform into proactive, intelligence-driven operations. The combination of real-time IOCs, rich metadata, and sandbox integration provides SOC analysts with the framework they need to protect their organizations effectively.
Businesses implementing TI feeds can expect measurable improvements in key performance indicators including Mean Time to Detection, Mean Time to Response, false positive rates, and analyst retention. More importantly, they can expect a fundamental shift from reactive to proactive security operations, with improved resilience against both current and emerging threats.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”
In this month’s release, none of the included vulnerabilities have been observed by Microsoft being actively exploited in the wild. Out of eleven “critical” entries, nine are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Windows Remote Desktop Service, Windows Schannel (Secure Channel), KDC Proxy service, Microsoft Office, Word and SharePoint server. There are two elevation of privilege vulnerabilities affecting Windows NetLogon and Power Automate.
CVE-2025-32710 is the RCE vulnerability in Windows Remote Desktop Services and is given CVSS 3.1 score of 8.1. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker could successfully exploit this vulnerability by attempting to connect to a system with the Remote Desktop Gateway role, triggering the race condition to a use-after-free scenario, and then leveraging this to execute arbitrary code. Microsoft has assessed that the attack complexity is “high,” and exploitation is “less likely.”
CVE-2025-29828 is an RCE vulnerability in Windows Schannel (Secure Channel), a security support provider (SSP) in the Windows operating system that implements Secure Sockets layer (SSL) and Transport Layer Security (TLS) Protocols. It is part of the Security Support Provider Interface (SSPI) and is used to secure network communications. Microsoft noted that a missing release of memory by Windows Cryptographic Services could trigger this vulnerability, allowing an unauthorized attacker to execute code over a network. An attacker can exploit this vulnerability through the malicious use of fragmented ClientHello messages to a target server that accepts TLS connections. Microsoft has assessed that the attack complexity is “high”, and exploitation is “less likely”.
CVE-2025-33071 is the RCE vulnerability in Windows KDC Proxy Service (KPSSVC) given CVSS 3.1 score of 8.1. To successfully exploit this vulnerability, an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Kerberos Key Distribution Center Proxy Service to perform remote code execution against the target. Microsoft has noted that this vulnerability only affects Windows servers that are configured as a Kerberos key Distribution Center (KDC) Proxy Protocol server, and Domain controllers are not affected. Microsoft has assessed that the attack complexity is “high”, and exploitation is “more likely”.
CVE-2025-47172 is the RCE vulnerability in Microsoft SharePoint server given CVSS 3.1 score of 8.8. Microsoft noted that this vulnerability in Microsoft Office SharePoint is due to improper neutralization of special elements used in a SQL command which would allow an authorized attacker to execute code over a network. To exploit this vulnerability an authenticated attacker in a network-based attack, with a minimum of Site Member permission, could execute arbitrary code remotely on the SharePoint server. Microsoft has assessed that the attack complexity is “low,” and exploitation is “less likely.”
CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities in Microsoft Office. The vulnerabilities CVE-2025-47164 and CVE-2025-47953 are “use after free” (UAF) vulnerabilities that occur when Microsoft Office tries to access memory that has already been freed. CVE-2025-47162 is a heap-based buffer overflow in Microsoft Office and the CVE-2025-47167 is a “type confusion” vulnerability which is triggered when Microsoft Office interprets a block of memory as the wrong data type. An unauthorized attacker exploits these vulnerabilities and executes arbitrary code on the victim’s machine. Microsoft has assessed that for CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167, the attack complexity is “low,” and exploitation is “more likely.” For CVE-2025-47953, the attack complexity is “low,” and exploitation is “less likely.”
Microsoft listed two critical elevations of privilege vulnerabilities.
CVE-2025-33070 is an elevation of privilege critical vulnerability in Windows Netlogon. An attacker could exploit the vulnerability by leveraging an authentication bypass in the Windows Netlogon service using uninitialized resources. An attacker, by successfully exploiting this vulnerability, could gain domain administrator privileges. Microsoft has assessed that the attack complexity is “high,” and exploitation is “more likely.”
Microsoft noted that the CVE-2025-47966 is a critical elevation of privilege vulnerability in Power Automate in the Windows OS. Power Automate is a Microsoft tool for automating repetitive tasks and business processes across different applications and services. This vulnerability in Power Automate exposed sensitive information to an unauthorized actor, allowing privilege escalation over a network. Microsoft has reported that this vulnerability with CVSS 3.1 base score of 9.8 has been fully mitigated and no further action is required by the users.
Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that exploitation is “more likely:”
CVE-2025-32713 – Windows Common Log File System Driver Elevation of Privilege Vulnerability.
CVE-2025-32714 – Windows Installer Elevation of Privilege Vulnerability.
CVE-2025-47962 – Windows SDK Elevation of Privilege Vulnerability.
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 55802, 56290, 65030-65043. There are also these Snort 3 rules: 301220, 301250-301255.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-10 22:06:452025-06-10 22:06:45Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities
Recently, we hosted a webinar exploring the everyday challenges SOC teams face and how ANY.RUN helps solve them. From low detection rates to alert fatigue, poor coordination, and infrastructure overhead, our team outlined a practical action plan to tackle it all.
Missed the session? Here are the key highlights in this quick recap.
Quick reminder Try ANY.RUN’s services with 14-day trial to improve your SOC metrics
Challenge: Malware is getting trickier. Fileless techniques, multi-stage payloads, and threats that hide behind user interactions are slipping past traditional tools. This leaves SOC teams blind to critical risks.
Solution: ANY.RUN tackles this head-on by giving analysts a fully interactive sandbox environment. You don’t just watch malware from a distance but also engage with it like a real user. Open files, enter passwords, click suspicious links, whatever it takes to trigger the full execution chain.
One real-world case shows exactly why this is so important.
Fake document with malicious PDF displayed inside ANY.RUN sandbox
A phishing email came through with an SVG attachment and a password hidden in the message body. Opening the SVG revealed a fake document with a link to download a PDF. That triggered a download of a ZIP archive; one that could only be extracted by manually entering the earlier password.
Entering password hidden in the message body
Inside we found an executable file. When run, ANY.RUN flagged it immediately as AsyncRAT, a remote access trojan capable of spying on and controlling infected systems.
AsyncRAT detected by ANY.RUN sandbox
Without interactivity, none of this would have unfolded. A fully automated tool wouldn’t have clicked the link, copied the password, or opened the archive. The attack would’ve gone undetected.
More importantly, the sandbox gave the team:
A full process breakdown, showing exactly how the malware executed
Network activity visibility, helping block C2 communication before data exfiltration
Malware configuration (MalConf), revealing hardcoded domains and other indicators
Why it matters for business
Higher detection rates: Fewer blind spots and stronger cyber resilience
Cost efficiency: Avoiding costly breaches by stopping threats early
Proactive threat mitigation: Addressing vulnerabilities before attackers exploit them
2. Accelerating Alert Triage and Incident Response
Challenge: When a threat gets past initial defenses, every second counts. The longer it takes to triage an alert or respond to an incident, the higher the risk of malware spreading, systems being compromised, and costly damage being done.
Solution: ANY.RUN provides real-time visibility into malware behavior; no waiting for the sandbox session to end. SOC teams can spot malicious activity the moment it begins, with some malware families being identified even in under 40 seconds.
In one case, a suspicious executable was submitted. Within just 18 seconds, ANY.RUN identified it as RedLine Stealer, an infostealer known for targeting credentials and sensitive data.
That rapid detection enabled the security team to take immediate action, cutting off further exposure and containing the threat before it spread.
Why it matters for business
Minimized risk exposure: Stop malware early, before it spreads across systems
Operational efficiency: Reduce alert fatigue and free up analyst resources
Faster, more reliable incident handling: Protect brand trust and stakeholder confidence
3. Streamlining Training and Onboarding
Challenge: Most security tools come with a steep learning curve. New hires, especially junior analysts, often need months of training before they can contribute meaningfully. That slows down onboarding and increases your team’s dependency on a handful of experts.
Solution: ANY.RUN’s intuitive interface and interactive analysis experience make it a powerful learning environment even for less experienced team members.
New analysts work directly with real threats in a controlled, visual sandbox environment. Features like Script Tracer and AI Summary break down even complex threats into clear, understandable steps.
In one case, a junior analyst explored a sample involving malicious scripting. By opening the Script Tracer, they followed each function call and saw how the attack unfolded line by line. No guesswork. No external tools.
And with the AI Summary, they quickly reviewed the session’s key events, including dropped files, command-line activity, and network behavior, all explained in plain terms.
AI Summary provided by ANY.RUN sandbox
What the sandbox offered for junior specialists:
Hands-on practice with real malware builds confidence and accelerates learning
Step-by-step script analysis simplifies complex attacks into teachable moments
Automated summaries make onboarding easier and less resource-intensive
Why it matters for business
Skilled workforce: Accelerate team readiness and reduce reliance on senior staff
Cost-effective training: No need for expensive onboarding and training
Faster onboarding: New hires start contributing sooner, without draining resources
4. Addressing Infrastructure Maintenance
Challenge: Maintaining local infrastructure for malware analysis can be a huge drain on time, budget, and IT resources. From server upkeep to licensing and hardware limitations, scaling your operations becomes a logistical challenge, especially across global or hybrid teams.
Solution: ANY.RUN eliminates that overhead with a fully cloud-based sandbox platform. There’s no setup, no hardware dependency, and no waiting around for installations or updates. Everything runs in the browser.
Your team can launch pre-configured virtual machines (Windows, Linux, or Android) in seconds, whether they’re in the office or halfway across the world. There’s no cap on the number of analyses, and you can scale instantly by adding users without touching infrastructure.
In fact, one of our enterprise clients, Expertware, reduced their IOC extraction and investigation turnaround time by over 50% after switching to ANY.RUN, all without deploying a single server.
Cost savings: No on-prem infrastructure or licensing overhead
Scalability: Add new users instantly without extra drag
Faster time to value: Onboard, analyze, and act faster than traditional setups
5. Improving Team Coordination
Challenge: Even the best tools fall short when teams can’t work together efficiently. In many SOCs, communication gaps between analysts, team leads, and managers lead to duplicated work, missed alerts, and delays in decision-making.
Solution: ANY.RUN’s built-in Teamwork Mode is designed to make collaboration effortless no matter if your team works in the same office or across time zones. You can create different teams, assign roles, manage access, and track progress, all from a single interface.
Team management in ANY.RUN
You also get full control over privacy settings. Make all submissions private by default or customize access levels for each user based on their role. That means sensitive data stays protected without compromising collaboration.
Better visibility for managers: Monitor investigations without slowing the team down
More structure across teams: Define roles and workflows clearly
Improved security posture: Ensure sensitive data is only seen by the right people
6. Freeing up Analysts for More Important Tasks
Challenge: Manual analysis takes time, and relying on human input for every alert doesn’t scale. But the alternative, fully automated tools, often miss threats that require user interaction to activate, like phishing pages behind CAPTCHAs or payloads inside password-protected files.
Solution: ANY.RUN bridges that gap with Automated Interactivity, a unique feature that emulates real user behavior inside the sandbox. It clicks, types, solves CAPTCHAs, and opens files, just like a real analyst would, ensuring full detonation of the threat and speeds up investigations.
That means even in automated mode, your team doesn’t miss threats that rely on tricking the user into doing something first.
In this session, the sandbox was given a phishing URL. It required a CAPTCHA check to reach the final malicious page; something most tools would skip. But with Automated Interactivity, ANY.RUN solved the CAPTCHA, reached the phishing content, and flagged the threat immediately.
CAPTCHA solved with Automated Interactivity
Why it matters for business
Scalable analysis workflows: Handle more alerts without expanding your team
Lower operational costs: Less time per case, more automation without blind spots
Consistent detection quality: Get the same deep results whether done manually or programmatically
7. Gaining Better Visibility into Emerging Threats
Challenge: One of the biggest challenges for SOCs today is staying ahead of threats. When you don’t have enough intel, or worse, outdated intel, you’re forced to react instead of prepare. That slows down your defenses and increases your exposure.
With over 40 filterable parameters, your team can create advanced queries to uncover patterns, spot repeat offenders, and enrich investigations with up-to-date threat data.
Let’s have a look at the following TI Lookup query:
This query helps to collect intel on phishing threats that host malicious pages on the glitch.me domain and use Telegram for exfiltration.
After hitting enter and see fresh threat samples and indicators that match our request. This includes IPs, URLs, domains, and links to sandbox analyses of actual phishing attacks.
TI Lookup query and results
That’s how in seconds we gained over a hundred new indicators that can enrich our defense infrastructure.
By having just one or two artifacts, you can quickly connect them to the threats, attacks, and campaigns behind them.
Enrich threat investigations with TI Lookup Get 50 trial requests to collect your first intel
Our database is constantly updated with unique indicators because the data comes from the latest sandbox analyses globally.
As a result, your team gains:
Fast, flexible search to find IOCs by threat name, behavior, domain, file type, and more
Fresh, actionable data sourced from real sandbox detonations globally
Subscription-based monitoring to stay informed on new threats matching saved queries
ANY.RUN’s TI Lookup turns passive intel into an active advantage, giving your team the context they need to protect your business from evolving threats.
Why it matters for business
Proactive defense: Equip your team with the intel they need to strengthen defenses before an attack happens, not after
Continuous monitoring: Subscribe to threat patterns and stay informed about evolving risks specific to your environment
Faster triage and response: Quickly link isolated indicators to known threats and campaigns, helping your team respond with precision and speed
8. Expanding Threat Monitoring and Detection Capabilities
Challenge: Many detection systems rely on outdated or generic threat feeds. The result is missed attacks, wasted time chasing false positives, and a growing gap between what your team sees and what attackers are actually doing in the wild.
Solution: ANY.RUN’s Threat Intelligence Feeds (TI Feeds) deliver fresh, high-confidence IOCs straight from live sandbox investigations submitted by over 15,000 companies around the world. These feeds include metadata-rich indicators linked to real execution behavior and attack chains.
The feeds are available in widely supported formats (STIX, MISP) and integrate via the TAXII protocol, making it easy to plug directly into your SIEM, SOAR, or XDR platform.
Request access to Threat Intelligence Feeds and start improving SOC KPIs
Enriched detection systems supplemented with data from active malware campaigns
Unique indicators for identifying emerging malware pulled from memory dumps, Suricata alerts, and internal categorization
Context-aware intel with IOCs tied to sandbox sessions, giving full visibility into how the threat behaves, which is essential for timely and effective incident response
Why it matters for business
Improved detection rates: Expand your visibility with threat data that reflects what attackers are doing right now, not last quarter
Competitive advantage: Stay ahead of emerging threats, build resilience, and position your organization as security-forward
Proactive security: Fresh, actionable feeds allow your team to take preventive measures, reducing the chances of successful attacks before they even begin
Solve Your SOC Challenges with ANY.RUN
Security teams today are under constant pressure to detect more, react faster, and do it all with limited resources. ANY.RUN is built to help modern SOCs meet those demands with speed, precision, and clarity.
ANY.RUN helps your team reduce effort, increase impact, and stay ahead of evolving threats with the tools they actually need.
ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.
With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-10 13:06:442025-06-10 13:06:44How SOC Teams Save Time and Effort with ANY.RUN: Action Plan
Gen Z, or “Zoomers”, are those born between ~1997 and 2012. That’s a 15-year age gap between the oldest and youngest. So what could they possibly have in common? Well, every member of Gen Z is a digital native. They barely remember a time before computers, smartphones, and social media. More than any other generation, Gen Z loves games (especially our own — Case 404 — we hope!), TV shows, and movies. Sometimes, they even shape their identities by constantly connecting with their favorite characters. Naturally, this level of immersion makes them a prime target for malicious actors.
Kaspersky experts have released two reports detailing how cybercriminals target Gen Z through their love of games, movies, TV shows, and anime. Check out the full versions of the first and second reports to dive deeper.
How gamers get attacked
In the one-year period from April 1, 2024, we recorded at least 19 million attempts to distribute malware disguised as games popular with Gen Z. The top three games targeted by these attacks were GTA, Minecraft, and Call of Duty, together accounting for a staggering 11.2 million attempts. So, why are these particular games at the top of both gamers’ and cybercriminals’ lists? We just might know the reason. They’re replayable; that is, players can dive back in any time and still get a fresh experience. Besides, these titles boast massive online communities. Players are constantly creating content, making mods, and searching for cheats and cracked versions.
One of the most common threats facing Gen Z gamers is phishing — where cybercriminals impersonate a trusted entity and tempt players with promises of free in-game rewards to lure them into sharing personal data. Enticing trade offers and easy ways to earn money are some of the most popular tricks used against gamers.
We uncovered a phishing site that looked eerily similar to a legitimate Riot Games campaign. The campaign aimed to blend two different universes: the game Valorant and the animated series Arcane. Players were invited to “spin the wheel” for a chance to win exclusive new skins. In reality, gamers who participated in this “contest” essentially handed over their gaming accounts, banking details, and phone numbers to third parties. Of course, they received no skins in return.
A beautiful background and recognizable characters — what more do you need to fall for a scam?
But it’s not just about scams. In November 2024, our experts from the Global Research and Analysis Team (GReAT) uncovered a campaign where attackers were distributing the Hexon stealer disguised as game installer files. Once installed, this malware attacked gaming platforms; for example, it could extract user data from Steam. On top of that, Hexon targeted messaging apps like Telegram and WhatsApp, and other social media platforms, such as TikTok, YouTube, Instagram, and Discord.
These fake installers flooded gaming forums, chats on Signal and Telegram, Discord channels, and popular file-sharing sites. The cybercriminals promoted the Hexon stealer using a malware-as-a-service model, where some malicious actors provide malware to others — often less tech-savvy ones — for a fee.
Example of attackers’ message in a Discord channel
Interestingly, a short while later, the creator of Hexon announced a rebrand. The stealer was now called “Leet”, and was offered at a 50% discount. Unlike its predecessor, the updated version can bypass sandboxes by checking the infected device’s public IP address and system specifications. If the stealer detects signs of being in a virtual machine, it shuts down immediately.
How movie, TV show, and anime fans get attacked
We dug into some data provided by the Kaspersky Network Security (KSN) — our global threat intelligence network which processes cyberthreat information from every corner of the world. We analyzed the data for the same one-year period starting April 1, 2024, and here’s what we found:
Netflix was dangled as bait in about 85 000 attacks. That’s nearly 233 times a day.
Gen Zers aren’t the only ones passionate about anime. Cybercriminals are big fans too, with 250 000 attacks recorded during the reporting period.
The total number of leaked streaming-service accounts exceeded seven million.
When it comes to the most exploited streaming platforms, alongside Netflix, we found Amazon Prime Video, Disney+, Apple TV+, and HBO Max at the top of the list. Scammers used these brand names in their campaigns throughout the year, with no significant peaks or troughs in popularity. Mostly, they used a classic approach: sending phishing links to fake websites while pretending to represent a streaming platform. The pretexts, however, varied. In some instances, attackers would prompt users to renew their subscriptions or update payment details — only to direct them to a fake site to do so. Such emails often mimicked the streaming service’s official style, making it easy to miss the red flags.
Phishing website imitating the official Netflix page
Beyond just harvesting personal data, these bad actors also distributed various malware. RiskTool was a big one, accounting for around 80% of all attempts. While not malicious on its own, it’s often used in conjunction with other threats, such as miners, helping them conceal their presence in the infected system.
Many of the attacks were designed to steal users’ personal information. We uncovered roughly seven million compromised accounts across Netflix, Amazon Prime Video, Disney+, Apple TV+, and HBO Max. Stolen accounts are typically used by cybercriminals to spread phishing links and malware to more users, or they’re sold off to other malicious actors at a low price.
Anime fans weren’t spared by the digital villains, either. Unsurprisingly so — recent data shows that over 65% of Gen Z watch anime. To gauge just how often attackers targeted fans of Japanese animation, we focused on five popular anime titles: Naruto, One Piece, Demon Slayer, Attack on Titan, and Jujutsu Kaisen. We recorded over 250 000 attack attempts centered around just these five titles. The undisputed leader? Naruto, with over 114 000 attempts.
How Gen Zers can stay cybersafe
Zoomers should protect themselves in the same way as everyone else who enjoys TV shows, games, movies, and anime, and is generally active online. Here’s a short list of the “golden rules” to help protect your accounts, banking details, and devices from prying eyes.
(If you want to learn more about cybersecurity, try your hand as a detective in our new, free browser-game, Case 404. It features three storylines, each showing what can go wrong when you skip out on proper digital hygiene. But for now, let’s get back to those rules.)
Stick to official sourceswhen downloading games, TV shows, and anime. Seriously, ditch the torrents, sketchy third-party sites, and random links strangers share on forums and in chats. And here’s a heads-up: even official game stores can sometimes get infiltrated by malware. To learn more, read Gamers beware: Trojans have invaded Steam.
Remember the adage about a free lunch? Yep — there’s no such thing. Be skeptical of giveaways of skins, cheats, in-game currency, or supposedly leaked episodes of your favorite TV show or anime.
When you’re paying online, only use virtual cards with spending limits. That way, your main bank account stays safe — even if something goes sideways.
Use robust security. A security solution will warn you when you’re about to open a phishing website, and help you detect threats in time, even if they’ve already made their way onto your device.
Read the full reports on attacks targeting Gen Z. The report on movies, TV shows, and anime is here, and the one on gaming attacks can be found here.
The last, but perhaps one of the most important, rules is to stay one step ahead.Subscribe to our Telegram channel to make your online life safer.
How else attackers target Gen Z as well as other demographic groups:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-09 14:06:462025-06-09 14:06:46Kaspersky study looks at how cybercriminals use games, TV shows, and anime to target Gen Z | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
I’ve discovered that being a rent guarantor for someone is an involved experience. While I’m glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed payments required handing over far more personal and financial data than I was comfortable with.
I asked the agent about their information security policies and cybersecurity posture. I was relieved to hear that they delete all the personal data within two weeks of processing, but I was concerned that the person dealing with my dossier didn’t think that they were at risk of a cyber attack. They believed that because they had a low online profile and their organisation was small, they didn’t present as a target.
Not wanting to jeopardise my position as a guarantor, I didn’t argue further beyond offering a few words of advice. The truth is that everyone is a target. Many criminals do not discriminate; they seek to compromise anyone and see how they can make money from a compromise once access is achieved. Sophisticated criminals research their targets and their wider ecosystem of suppliers and partners in depth to identify potential weak points. It only takes a moment’s inattention for anyone to fall for a phishing or social engineering scam.
Cybersecurity training needs to reinforce the fact that anyone can be a victim of a cyber attack. No matter how careful you might be, how insignificant you think that you might be, an attack can still catch you off guard. The good news is that by ensuring basic cyber hygiene, we can make a lot of progress towards preventing harm.
Impressing on users the need to install updates promptly, the importance of having end-point protection and using multi-factor authentication is not a panacea, but it is a basic foundation upon which more advanced protection can be built.
Good cybersecurity begins with an awareness of the threat, an acknowledgement that we are all at risk, and knowing the potential consequences. Nobody is too insignificant, too small or too well hidden to escape the risk of cyber attack. Suitable protection follows from reflecting on what is at risk and what could possibly go wrong.
The one big thing
Talos has uncovered a destructive attack on Ukrainian critical infrastructure involving a new wiper malware, “PathWiper,” deployed through a legitimate endpoint administration framework. Talos attributes this attack to a Russia-linked APT actor, underscoring the persistent threat to Ukraine’s infrastructure amid the ongoing war.
Why do I care?
This attack highlights the sophisticated tactics of state-sponsored threat actors and the risks critical infrastructure entities face, which could have global implications for cybersecurity and geopolitical stability.
So now what?
Organizations, particularly those managing critical infrastructure, should strengthen their endpoint security, monitor for unusual administrative activity, and stay informed on evolving threats to mitigate potential risks.
Top security headlines of the week
New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. (The Hacker News)
Vanta bug exposed customers’ data to other customers Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. (TechCrunch)
Data Breach Affects 38K UChicago Medicine Patients UChicago Medicine released a statement that the data of 38K patients may have been exposed by a third-party debt collector’s system breach. The exposed data may include SSNs, addresses, dates of birth, medical information, and financial account information. (UPI)
Can’t get enough Talos?
Fake AI installers target businesses. Catch up on the ransomware and malware threats Talos discovered circulating in the wild and masquerading as legit AI tool installers. Read the blog or listen to our most recent Talos Takes to hear Hazel and Chetan, the author, discuss the blog more in-depth.
Talos at Cisco Live 2025. From sessions featuring a live IR tabletop session to learning how to outsmart identity attacks, there’s plenty of Talos to keep you going in San Diego next week. Browse sessions Talos is participating in, and we’ll see you there!
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-05 18:06:402025-06-05 18:06:40Everyone’s on the cyber target list
According to OpenLogic’s “State of Open Source” report, 96% of surveyed organizations use open-source solutions (OSS). Such solutions can be found in every segment of the IT market — including infosec tools. And they’re often recommended for building SIEM systems.
At first glance, OSS seems like a great choice. A SIEM system’s primary function is systematic telemetry collection and correlation, which you can set up using well-known data storage and processing tools. Just gather all your data with Logstash, hook up Elasticsearch, build the visualizations you need in Kibana — and you’re good to go! A quick search will even get you ready-made open-source SIEM solutions (often built on the same components). With SIEMs, adapting both data collection and processing to your organization’s specific needs is always key, and a custom OSS system offers endless possibilities for that. Besides, the license cost is zero. However, the success of this endeavor hinges on your development team, your organization’s specifics, how long your organization is willing to wait for results, and how much it’s ready to invest in ongoing support.
Time is money
A key question — one whose importance is consistently underestimated — is how long it’ll take before your company’s SIEM not only goes live but actually starts delivering real value. Gartner data shows that even a fully-featured, ready-made SIEM takes an average of six months to fully implement — with one in ten companies spending a year on it. And if you’re building your own SIEM or adapting an OSS, you should expect that timeline to double or triple. When budgeting, multiply that time by your developers’ hourly rates. It’s also hard to imagine a full-fledged SIEM being by a single talented individual — your company will need to maintain an entire team.
A common psychological pitfall is being misled by how fast a prototype comes together. You can deploy a ready-made OSS in a test environment in just a few days, but bringing it up to production quality can take many months — even years.
Skill shortages
An SIEM needs to collect, index, and analyze thousands of events per second. Designing a high-load system, or even adapting an existing one, requires specialized and in-demand skills. Beyond just developers, the project would need highly skilled IT administrators, DevOps engineers, analysts, and even dashboard designers.
Another kind of shortage that SIEM builders have to overcome is the lack of hands-on experience needed to write effective normalization rules, correlation logic, and other content that comes out of the box in commercial SIEM solutions. Of course, even that out-of-the-box content requires significant adjustments, but bringing it up to your organization’s standards is both faster and easier.
Compliance
For many companies, having an SIEM system is a regulatory requirement. Those who build an SIEM themselves or implement an OSS solution have to put in considerable effort to achieve compliance. They need to map their SIEM’s capabilities to regulatory requirements on their own — unlike the users of commercial systems, which often come with a built-in certification process and all the necessary tools for compliance.
Sometimes, management might want to implement an SIEM just to “tick a box”, aiming to minimize the expense. But since PCI DSS, GDPR, and other local regulatory frameworks focus on the actual breadth and depth of SIEM implementation — not just its mere existence — a token SIEM system implemented just for show would fail to pass any audit.
Compliance isn’t something you can consider only at the time of implementation. If, during self-managed maintenance and operation, any components of your solution stop receiving updates and reach end-of-life, your chances of passing a security audit would plummet.
Vendor lock-in vs. employee dependence
The second most important reason for organizations to consider an open-source solution has always been flexibility in adapting it to their specific needs, along with avoiding reliance on a software vendor’s development roadmap and licensing decisions.
Both of these are compelling arguments, and in large organizations they can sometimes outweigh other factors. However, it’s crucial to make this choice with a clear understanding of its pros and cons:
OSS SIEMs can be simpler to adjust for unique data inputs.
With an OSS SIEM, you maintain complete control over how data is stored and processed.
The cost of scaling an OSS SIEM primarily consists of prices for additional hardware and the development of required features.
Both the initial setup and ongoing evolution of an OSS SIEM demand seasoned professionals who are well-versed in both development practices and SOC realities. If the team members who best understand the system leave the company or change roles, the system’s evolution might come to a halt. What’s worse, it gradually becomes less functional.
While the upfront implementation cost of an OSS SIEM might be lower due to the absence of license fees, this difference often erodes during the maintenance phase. This is because of the continuous, additional expense of qualified staff dedicated solely to SIEM development. Over the long term, the total cost of ownership (TCO) for an OSS SIEM often turns out to be higher.
Content quality
The relevance of detection and response content is a key factor in an SIEM’s effectiveness. For commercial solutions, updates to correlation rules, playbooks, and threat intelligence feeds are typically provided as part of a subscription. They’re developed by large teams of researchers, undergo thorough testing, and generally require minimal effort from your in-house security team to implement. With an OSS SIEM, you’re on your own when it comes to updates: you need to search community forums, GitHub repositories, and free feeds yourself. The rules then require detailed vetting and adaptation to your specific infrastructure, and the risk of false positives ends up being higher. As a result, implementing updates in an open-source SIEM demands significantly more effort from your internal team.
The elephant in the room: hardware
To launch an SIEM, you need to acquire or lease hardware, and depending on the system’s architecture, this expense can vary dramatically. It doesn’t really matter much whether the system is an open-source or proprietary commercial solution. However, when implementing an open-source SIEM on your own, there’s a greater risk of making sub-optimal architectural decisions. In the long run, this translates into persistently high operational costs.
We cover the topic of evaluating SIEM hardware needs in detail in a separate post.
The final tally
While the idea of a fully customizable and adaptable platform with zero licensing fees is highly appealing, there is a significant risk that such a project would demand far more time and effort from your internal development team than an off-the-shelf commercial solution. It may also hinder your ability to quickly adopt new innovations and shift your security team’s focus from developing detection logic and response scenarios to dealing primarily with operational issues. This is why a managed, expert-supported, and well-integrated commercial solution often aligns more closely with a typical organization’s goals of effective risk reduction and predictable budgeting.
Commercial SIEMs enable your team to leverage pre-built rules, playbooks, and telemetry parsers, allowing it to focus on organization-specific projects — such as threat hunting or improving visibility in cloud infrastructure — instead of reinventing and refining basic SIEM features, or struggling to pass regulatory audits with a homegrown system.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-06-05 15:06:382025-06-05 15:06:38Commercial vs. open-source SIEM: pros and cons | Kaspersky official blog
Quick reminder
