At ANY.RUN, we’re always working to improve our services, and this time, we’ve focused on making our Linux sandbox even better. We’ve fine-tuned every detail to ensure it runs as smoothly and reliably as our Windows environment.  

From bug fixes to feature enhancements, our Linux sandbox is now more powerful and stable than ever, giving you a seamless experience when analyzing Linux malware. 

What’s Updated in ANY.RUN’s Linux Sandbox? 

We’ve packed our latest update with powerful new features and improvements that upgrade both performance and usability.  

Here’s what’s new in our Linux sandbox and how these enhancements benefit you: 

Stable Chrome browser by default: We’ve integrated a stable version of Chrome as the default browser for Linux environments. This ensures smoother, faster browsing and more reliable interaction with suspicious websites during your analysis sessions. 

Improved process tree performance: We’ve eliminated the lag that previously occurred when navigating the process tree. Now, you can explore process details without any delays, making malware behavior analysis much more efficient. 

Additional file uploads for Linux: This means that you can now upload files in real time while an analysis session is running, enabling a more dynamic investigation process. Instead of having to restart or set up a new session for each file, you can simply upload more files during the current session. 

File events tracking: This feature allows users to monitor and log every action the malware performs on files within the Linux sandbox environment. For example, if the malware creates, modifies, deletes, or moves files, those actions are now captured and presented in the analysis report. 

Now you can get a clearer view of how the malware interacts with the file system, providing deeper insights into the malware’s behavior and making it easier to trace malicious activities. 

Clipboard feature: A new clipboard function has been introduced, allowing you to copy and paste content directly within the sandbox. This small addition significantly improves workflow and efficiency during interactive sessions. 

Improved Locale (OS Language) selection: We’ve enhanced the Locale (OS Language) choice feature in the Linux sandbox, making it more reliable and error-free. Now, during configuration, you can easily select the desired locale from the dropdown menu, ensuring that the operating system language is set correctly for your analysis session. 

This improvement is crucial because malware often behaves differently depending on the system’s language settings. For example, some malware may only activate in specific locales, or attackers may target systems based on region-specific characteristics. By choosing the correct locale, you can replicate real-world scenarios more accurately.

Internal stability improvements: We’ve also carried out other optimizations to ensure the Linux sandbox runs as smoothly and reliably as our Windows sandbox.  

These improvements include removing various bugs, making performance tweaks, and implementing backend updates. While these changes might not be immediately visible, they play a crucial role in enhancing the overall stability and efficiency of the Linux sandbox, giving you a seamless experience when analyzing malware. 

Let’s Analyze Mirai Malware in Linux Sandbox 

To see the updated Linux sandbox in action, let’s dive into how one of the most infamous Linux malware threats, Mirai, can be analyzed in just a few steps. 

It’s easy, fast and straightforward: 

1. Choose the right option for analysis 

To begin the analysis, we need to choose one of the options: 

Upload the suspicious file: You can explore a variety of formats, including shell scripts, ELF executables, tarballs, and more. Even common files like Word documents, which might carry hidden malware targeting Linux, can be checked thoroughly. 

Copy and paste the suspicious link: Safely browse shady websites, whether they’re suspected of hosting malware or trying to pull off phishing scams. 

2. Configure the sandbox settings

After selecting the option you need, you can adjust the sandbox settings. A key step is choosing “Linux OS” from the list of operating systems in the dropdown menu. This ensures the analysis session will run on a Linux system, providing the right environment for your testing. 

Ready? Hit that “Run analysis” button and start interacting with the file or link to check if it’s malicious. 

In our case, we’re running a malware analysis session with Mirai: 

3. Start analyzing the Linux malware 

After launching the analysis, the Linux sandbox will display tags related to the threat at hand.  

Just take a glance at the top-right corner of the screen. In our case, the sandbox provides tags “mirai” and “botnet”.

Once you finish the analysis, the sandbox will show the final verdict, letting you know if the file or link is malicious or safe.  

If you want more details about the specific malware, you can click on the links provided by the Tracker located next to the indicators. This will take you to the malware tracker, where you can read a detailed description of the malware, including its origin, execution analysis, distribution methods, and much more. 

Detailed malware processes 

Next, over on the right side, you’ll find the process tree, showing all the parent PIDs and their child PIDs. This gives you a clear view of how malware behaves across processes. Want more details? Just click on any process, and you’ll get a deep dive into its activity. 

Network analysis details 

Below the virtual machine, you’ll also see a breakdown of all the network activity—split into HTTP requests, connections, DNS requests, and detected threats. This info is key for understanding the malware’s behavior.  

For example, in our analysis session with Mirai malware, we can see how it uploads ELF files designed for specific system architectures. 

By piecing together these insights, you get a comprehensive look at how the malware operates, making it easier to investigate and respond to potential threats. 

Collection of IOCs and network reputation 

For further analysis of the malware, you can easily gather all the IOCs (Indicators of Compromise) linked to the task by clicking the IOC button on the right side of the screen. 

No need to jump between tabs—everything you need is collected in one place, making it quicker and easier to manage.

Plus, before each IOC, you’ll find a network reputation indicator that lets you know whether the item is whitelisted or flagged as malicious, so you can prioritize it in your investigation. 

MITRE ATT&CK tactics and techniques 

ANY.RUN’s Linux sandbox also includes the MITRE ATT&CK Matrix framework, which is super helpful for understanding the techniques and tactics used in malware attacks.  

Simply click the ATT&CK button, and you’ll be redirected to a new page showing all the techniques employed in the specific malware activity.  

MITRE ATT&CK tactics and techniques used for Mirai malware attack

For example, in our Mirai malware analysis, one of the tactics used by the attackers was leveraging wget to download additional content—highlighting just how attackers manipulate common tools for malicious purposes. 

Process graph 

ANY.RUN’s Linux sandbox offers a process graph that visually maps out the entire malware attack, showing every action the malware takes from start to finish. This graph gives you a clear, easy-to-understand view of the attack’s flow—how it starts, what files are accessed, and what processes are executed. 

This feature is especially useful for more complex malware, where multiple actions happen simultaneously. You can zoom in on individual processes or view the bigger picture to get a complete understanding of how malware spreads and what it’s trying to accomplish. 

Here is the process graph of our analysis, showing how Mirai infiltrates the system: 

Mirai malware analysis text report 

During our interactive analysis of Mirai malware in the Linux sandbox, we saw just how detailed the investigation can get. From process trees to network interactions, the sandbox provides a deep dive into every aspect of the malware’s behavior. 

If you need to collect and review all this information later, you can easily do so by clicking the “Text Report” button in the upper right corner. This feature gathers all the critical details into one report, combining everything from the process graphs to the full scope of network activity for further analysis.  

Learn more: Malware Analysis Report in One Click 

Why Use ANY.RUN’s Linux Sandbox? 

ANY.RUN’s Linux sandbox is built for both security professionals and beginners who need a reliable and fast environment to analyze malware targeting Linux systems. 

Real-time analysis: Watch malware activity live and react to the behavior instantly. 

Full isolation: Safely inspect files and URLs without risking your main system. 

Comprehensive threat detection: Handle all Linux malware types, including backdoors and crypto miners. 

Easy setup: Start a session in just a few clicks—no complex setup required. 

Interactive environment: Interact directly with the malware and see its impact in real-time. 

Centralized IOCs: All indicators of compromise are gathered in one spot for easy access. 

Secure Cloud: Everything runs safely in the cloud—no need for local software. 

Detailed report: Receive a comprehensive analysis report after each session, including all critical findings. 

Experience ANY.RUN’s Full Power with a Free Trial 

Unlock the full potential of ANY.RUN with advanced features to elevate your malware analysis: 

Windows 11 VM

Private mode

Team collaboration tools 

API access and integration with Splunk and OpenCTI

And more

Request free trial → 

About ANY.RUN   

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.   

The post ANY.RUN’s Upgraded Linux Sandbox <br>for Fast and Secure Malware Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) identified a campaign called “ErrorFather” that utilized an undetected Cerberus Android Banking Trojan payload.

ErrorFather employs a sophisticated infection chain involving multiple stages (session-based droppers, native libraries, and encrypted payloads), complicating detection and removal efforts.

The campaign ramped up in activity in September and October 2024, with more samples and ongoing campaigns suggesting active targeting and scaling by the Threat Actors (TAs) behind the ErrorFather campaign.

The final payload employs keylogging, overlay attacks, VNC, and Domain Generation Algorithm (DGA) to perform malicious activities.

ErrorFather’s incorporation of a Domain Generation Algorithm (DGA) ensures resilience by enabling dynamic C&C server updates, keeping the malware operational even if primary servers are taken down.

The campaign highlights how repurposed malware from leaks can continue to pose significant threats years after its original appearance.

Overview

The Cerberus Android Banking Trojan initially emerged in 2019 and was available for rent on underground forums. It gained notoriety for its ability to target financial and social media apps by exploiting the Accessibility service, using overlay attacks, and incorporating VNC and keylogging features. Its widespread reach made it one of the most well-known banking trojans at the time.

In 2020, following the leak of Cerberus’ source code, a new variant called “Alien” appeared, leveraging Cerberus’ codebase. Then, in 2021, another banking trojan called “ERMAC” surfaced, also building on Cerberus’ code and targeting over 450 financial and social media apps.

At the beginning of 2024, a new threat known as the Phoenix Android Banking Trojan was discovered. Claiming to be a fresh botnet, Phoenix was found being sold on underground forums. However, it was identified as yet another fork of Cerberus, utilizing its exact source code, whereas Alien and ERMAC had introduced some modifications.

Cyble Research and Intelligence Labs (CRIL) recently uncovered several malicious samples posing as Chrome and Play Store apps. These samples use a multi-stage dropper to deploy a banking trojan payload, which was found to be leveraging the Cerberus Banking Trojan.

The identified sample “0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7” acts as a first-stage dropper application that drops and installs the final-signed.apk from assets, communicates with a Telegram Bot URL, and sends the device model, brand, and API version.

The Telegram Bot ID corresponds to the ErrorFather Bot, as shown in the figure below. Given the bot’s name and the recent updates to this variant (covered in the Technical Analysis section), we are referring to this campaign as ErrorFather.

We have identified approximately 15 samples related to the ErrorFather campaign, including session-based droppers and their associated payloads. The first sample was detected in mid-September 2024, followed by a noticeable increase in samples during the first week of October 2024, with an active Command and Control (C&C) server suggesting ongoing campaigns.

The following section provides a technical analysis of the Cerberus malware used by the ErrorFather Campaign.

Technical Details

Multi-staged dropper

The primary APK is a session-based dropper that contains a second-stage APK file named “final-signed.apk” within the Assets folder. It uses the Google Play Store icon and employs a session-based installation technique to install the APK from the assets, bypassing restricted settings.

The second-stage dropper, “final-signed.apk,” has a manifest file that requests dangerous permissions and services, but the code implementation is missing, indicating that the malware is packed. It includes a native file, “libmcfae.so,” which is immediately loaded after installation to decrypt and execute the final payload.

The native file is responsible for handling the final payload. It uses the encrypted file “rbyypivsnw.png,” obtains the AES key and initialization vector (IV), performs decryption, and loads the “decrypted.dex” file at the location /data/data/suds.expend.affiliate.rising/code_cache/, as illustrated in the figure below.

The decrypted.dex file is the final payload, containing malicious functionalities such as keylogging, overlay attacks, VNC, PII collection, and the use of a Domain Generation Algorithm (DGA) to create a Command and Control (C&C) server. Notably, when submitted to VirusTotal, the decrypted.dex file was not flagged by any antivirus engine.

Leveraging Cerberus code

Based on the detection count, initially, we suspected it to be a fresh banking trojan, but upon deeper analysis of the final payload, we discovered significant code similarities with Cerberus. The TA behind the ErrorFather campaign had modified variable names, used more obfuscation, and reorganized the code, effectively evading detection despite Cerberus being identified in 2019.

Comparing the Cerberus sample and the more recent Phoenix botnet, we noticed changes in this recent variant of Cerberus used in the ErrorFather campaign, particularly in its C&C structure. These differences suggest that the identified sample is a distinct malware variant.

Use of DGA

We observed the malware retrieving list of C&C servers using two methods. First, after installation and establishing a connection with the main C&C server, referred to by the TA as “PoisonConnect,” the malware receives a list of four additional C&C servers. It then stores these in the “ConnectGates” shared preferences setting, as shown in the figure below.

We observed a slight variation in the C&C communication. Samples from the ErrorFather campaign solely use RC4 encryption to send a full JSON payload, including the action type. In contrast, earlier Cerberus samples utilized Base64 encoding combined with RC4, with the action type sent unencrypted via separate parameters. The figure below illustrates the C&C communication for both the ErrorFather campaign and the earlier Cerberus samples.

Second, the malware incorporates a DGA (Domain Generation Algorithm) that utilizes the Istanbul timezone to obtain the current date and time. It then generates MD5 and passes the digest to SHA-1 hash, appending one of four extensions: “.click”, “.com”, “.homes”, and “.net”. These generated domains are stored in the same “ConnectGates” setting. The figure below demonstrates the DGA used in the ErrorFather campaign.

The figure below illustrates the malware connecting to domains generated by a DGA when the primary C&C server is unavailable.

In 2022, Alien was observed similarly implementing a DGA process. However, unlike the ErrorFather campaign, it did not maintain a list of domains, used only the “.xyz” extension, and did not rely on a specific timezone.

Actions used by malware

The TA has renamed the “Actions” to “Types,” as shown in Figure 11. These renamed types indicate the actions performed by the malware and the expected commands from the C&C server. Upon analysis, we observed that the actions carried out by this malware closely resemble those seen in earlier Cerberus variants, with the primary difference being the renaming of action identifiers. Below is a comprehensive list of actions performed by the malware.

Type of action
Description

checkAppList
Send the list of installed application package names

getFile
Sends the target application package name to receive the HTML injection file

getResponse
Retrieve the server’s response, and if it is “ok”, store the application log in the shared preferences file.

PrimeService
This action is used to send key logs of targeted application.

getBox
This action is used to send SMSs from the infected device.

fa2prime
Not Implemented

prContact
Used to send contacts to the server

listAppX
This action is similar to the “checkAppList” function, where the malware stores the list of installed application package names based on a command from the server; otherwise, the list remains empty. It will then send the list of installed application package names using this action name.

slService
Sends Accessibility logs

ErrorWatch
Sends error logs using this action type

device_status
Sends device status related to WebSocket connection

image
Sends captured images as a part of the VNC function

traverse
Sends accessibility node information

CheckDomain
This action is sent by DGA generated domain to validate domain

RegisterUser
Registers device and receives registration ID, it is similar to bot ID

CheckUser
Sends setting information and checks whether the user is registered or not

VNC implementation using MediaProjection

During our malware analysis, we identified two keywords related to VNC: “StatusVNC” and “StatusHVNC.” While HVNC implementation is absent in this campaign, it was previously present in the Phoenix botnet, a fork of Cerberus. VNC functionality is implemented using MediaProjection, along with a WebSocket connection to continuously transmit screen images and receive VNC actions from the Websocket response to interact with the device.

Overlay Attack

The overlay technique remains unchanged from the earlier Cerberus variant. The malware first sends the installed application package names list to identify potential targets. Once a target is identified, the server responds with the package names of the target applications. The malware then uses the “getFile” action to retrieve the HTML web injection page, as shown in the figure below.

When the victim interacts with the target application, the malware loads a fake phishing page over the legitimate app. This tricks the victim into entering their login credentials and credit card details on the fraudulent banking overlay page.

The Cerberus malware used in the ErrorFather campaign can carry out financial fraud through VNC, keylogging, and overlay attacks.

Conclusion

The Cerberus Android Banking Trojan, first identified in 2019, became a prominent tool for financial fraud using VNC, keylogging, and overlay attacks. Following the leak of its source code, various threat actors repurposed the Cerberus code to develop new banking trojans, including Alien, ERMAC, and Phoenix. The ErrorFather campaign is another example of this pattern. While the TA behind ErrorFather has slightly modified the malware, it remains primarily based on the original Cerberus code, making it inappropriate to classify it as entirely new malware.

In the ErrorFather campaign, the malware uses a multi-stage dropper to deploy its payload and leverages techniques such as VNC, keylogging, and HTML injection for fraudulent purposes. Notably, the campaign utilizes a Telegram bot named “ErrorFather” to communicate with the malware. Despite being an older malware strain, the modified Cerberus used in this campaign has successfully evaded detection by antivirus engines, further highlighting the ongoing risks posed by retooled malware from previous leaks.

The ErrorFather campaign exemplifies how cybercriminals continue to repurpose and exploit leaked malware source code, underscoring the persistent threat of Cerberus-based attacks even years after the original malware’s discovery.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Download and install software only from official app stores like Google Play Store or the iOS App Store.

Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.

Use strong passwords and enforce multi-factor authentication wherever possible.

Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.

Be wary of opening any links received via SMS or emails delivered to your phone.

Ensure that Google Play Protect is enabled on Android devices.

Be careful while enabling any permissions.

Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic
Technique ID
Procedure

Initial Access (TA0027)
Phishing (T1660)
Malware distributing via phishing site

Execution (TA0041)
Native API (T1575)
Malware using native code to drop final payload

Defense Evasion (TA0030)
Masquerading: Match Legitimate Name or Location (T1655.001)
Malware pretending to be the Google Play Update and Chrome application

Defense Evasion (TA0030)
Application Discovery (T1418)
Collects installed application package name list to identify target

Defense Evasion (TA0030)
Indicator Removal on Host: Uninstall Malicious Application (T1630.001)  
Malware can uninstall itself

Defense Evasion (TA0030)
Input Injection (T1516)
Malware can mimic user interaction, perform clicks and various gestures, and input data

Collection (TA0035)
Input Capture: Keylogging (T1417.001)
Malware can capture keystrokes

Discovery (TA0032)
Software Discovery (T1418)
Malware collects installed application package list

Discovery (TA0032)
System Information Discovery (T1426)
The malware collects basic device information.

Collection (TA0035)
Screen Capture (T1513)
Malware can record screen content

Collection (TA0035)
Audio Capture (T1429)
Malware captures Audio recordings

Collection (TA0035)
Call Control (T1616)
Malware can make calls

Collection (TA0035)
Protected User Data: Contact List (T1636.003)
Malware steals contacts

Collection (TA0035)
Protected User Data: SMS Messages
(T1636.004)
Steals SMSs from the infected device

Command and Control (TA0037)
Dynamic Resolution: Domain Generation Algorithms (T1637.001)
Malware has implemented DGA

Command and Control (TA0037)
Encrypted Channel: Symmetric Cryptography (T1521.001)
Malware uses RC4 for encrypting C&C communication

Exfiltration (TA0036)
Exfiltration Over C2 Channel (T1646)
Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

Indicators
Indicator Type
Description

0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7 9373860987c13cff160251366d2c6eb5cbb3867e 0544cc3bcd124e6e3f5200416d073b77
SHA256 SHA1 MD5
Session-based dropper

880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc cb6f9bcd4b491858583ee9f10b72c0582bf94ab1 d9763c68ebbfaeef4334cfefc54b322f
SHA256 SHA1 MD5
Second-stage dropper

6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359 c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b f9d5b402acee67675f87d33d7d52b364
SHA256 SHA1 MD5
Final undetected Cerberus payload

hxxp://cmsspain[.homes hxxp://consulting-service-andro[.ru hxxp://cmscrocospain[.shop hxxp://cmsspain[.lol hxxp://cmsspain[.shop
URL
C&C server

hxxp://elstersecure-plus[.online hxxps://secure-plus[.online/ElsterSecure[.apk
URL
Distribution and phishing URL

hxxps://api[.telegram[.org/bot7779906180:AAE3uTyuoDX0YpV1DBJyz5zgwvvVg-up4xo/sendMessage?chat_id=5915822121&text=
URL
Telegram bot URL

4c7f90d103b54ba78b85f92d967ef4cdcc0102d3756e1400383e774d2f27bb2e 8f3e3a2a63110674ea63fb6abe4a1889fc516dd6851e8c47298c7987e67ff9b6 c570e075f9676e79a1c43e9879945f4fe0f54ef5c78a5289fe72ce3ef6232a14 a2c701fcea4ed167fdb3131d292124eb55389bc746fcef8ca2c8642ba925895c 8faa93be87bb327e760420b2faa33f0f972899a47c80dc2bc07b260c18dfcb14 ee87b4c50e5573cba366efaa01b8719902b8bed8277f1903e764f9b4334778d0 136d00629e8cd59a6be639b0eaef925fd8cd68cbcbdb71a3a407836c560b8579 6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11 5bd21d0007d34f67faeb71081309e25903f15f237c1f7b094634584ca9dd873e 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc 0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7 6b8911dfdf1961de9dd2c3f9b141a6c5b1029311c66e9ded9bca4d21635c0c49 befe69191247abf80c5a725e1f1024f7195fa85a7af759db2546941711f6e6ae 9d966baefa96213861756fde502569d7bba9c755d13e586e7aaca3d0949cbdc3
SHA256
Malicious First and second-stage files from the ErrorFather campaign

The post Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus appeared first on Cyble.

Blog – Cyble – ​Read More

Key Takeaways

Cyble honeypot sensors detected several new cyberattacks in recent days, targeting vulnerabilities in the Ruby SAML library, D-Link NAS devices, the aiohttp client-server framework, a WordPress plugin, and more.

Cyble’s Vulnerability Intelligence unit also discovered new phishing campaigns and brute-force attacks.

Clients are urged to address the vulnerabilities identified in the report and apply best practices.

Overview

The Cyble Vulnerability Intelligence unit identified several new cyberattacks during the week of Oct. 2-8.

Among the targets are the Ruby SAML library, several D-Link NAS devices, the aiohttp client-server framework used for asyncio and Python, and a popular WordPress plugin used by restaurants and other businesses.

Cyble sensors also uncovered more than 350 new phishing email addresses and thousands of brute-force attacks.

Vulnerabilities Targeted by Threat Actors

The full report for clients looked at more than 40 vulnerabilities under active exploitation by threat actors. Here are four new attacks identified in the report.

Ruby SAML Improper Verification of Cryptographic Signature Vulnerability

The Ruby SAML library implements the client side of SAML authorization. Ruby-SAML in versions up to 1.12.2 and 1.13.0 up to 1.16.0 does not properly verify the signature of the SAML Response. By exploiting the 9.8-severity vulnerability CVE-2024-45409, an unauthenticated attacker with access to any signed SAML document (by the IdP) can forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. The vulnerability is fixed in 1.17.0 and 1.12.3.

aiohttp Path Traversal

CVE-2024-23334 is a Path Traversal vulnerability in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory. When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are recommended mitigations. Version 3.9.2 fixes this issue.

D-Link NAS Devices Hard-Coded Credentials Vulnerability

A 9.8-severity vulnerability, CVE-2024-3272, is being targeted in end-of-life D-Link NAS devices DNS-320L, DNS-325, DNS-327L, and DNS-340L up to 20240403. The issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely, and the exploit has been disclosed to the public. The associated identifier of this vulnerability is VDB-259283. The vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

PriceListo SQL Injection Vulnerability

CVE-2024-38793 is an improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in the PriceListo Best Restaurant Menu WordPress plugin, allowing for SQL Injection attacks. The issue affects Best Restaurant Menu by PriceListo through 1.4.1.

Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401) and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

Brute-Force Attacks

Cyble sensors also detected thousands of brute-force attacks. Among the top 5 attacker countries, Cyble researchers observed attacks originating from Vietnam targeting ports 22 (43%), 445 (32%), 23 (17%), and 3389 (8%). Attacks originating from Russia targeted ports 3389 (58%), 5900 (35%), 1433 (5%), 3306 (1%) and 445 (1%). Greece, Colombia, and Bulgaria majorly targeted ports 1433, 5900, and 445.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

New Phishing Campaigns Identified

Cyble sensors also detected 351 new phishing email addresses. Below are six phishing scams of note identified by Cyble:

E-mail Subject 
Scammers Email ID 
Scam Type 
Description 

Claim Directives 
info@szhualilian.com 
Claim Scam 
Fake refund against claims 

DEAR WINNER 
contact@wine.plala.or.jp 
Lottery/Prize Scam 
Fake prize winnings to extort money or information 

GOD BLESS YOU…. 
info@advanceairsystem.com 
Donation Scam 
Scammers posing as a Donor to donate money 

CHOSEN- EMAIL 
test@mps.elnusa.co.id 
Investment Scam 
Unrealistic investment offers to steal funds or data 

Order 3038137699167518: cleared customs 
support@otm4n3-recrypto.to   
Shipping Scam 
Unclaimed shipment trick to demand fees or details 

UN Compensation Fund 
info@usa.com 
Government Organization Scam 
Fake government compensation to collect financial details 

Cyble Recommendations

Cyble researchers recommend the following security controls:

Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).

Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.

Constantly check for Attackers’ ASNs and IPs.

Block Brute Force attack IPs and the targeted ports listed.

Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

The post Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework appeared first on Cyble.

Blog – Cyble – ​Read More

Key Takeaways

The massive 57-petabyte Internet Archive has been hit by a data breach, website defacement, exfiltration and DDoS attacks in recent days.

The breach and DDoS attacks so far appear unconnected.

A copy of a user authentication database containing the email addresses and credentials of 31 million users has been provided to Have I Been Pwned.

The attackers have faced criticism for attacking a nonprofit whose goal is to preserve knowledge.

Questions have been raised about Archive’s handling of JavaScript, which appears central to the breach.

As of now, Archive.org and Open Library are offline, and recovery efforts are expected to take “days, not weeks.”

Overview

The Internet Archive has taken its Archive.org and OpenLibrary.org sites offline in response to a data breach and repeated DDoS attacks.

The breach of a user authentication database, which exposed the email addresses and credentials of 31 million users, likely occurred on Sept. 28, as that is the most recent date in a 6.4GB SQL file provided to Troy Hunt of Have I Been Pwned. Archive users did not become aware of the breach until two days ago, when a JavaScript alert appeared on the site that read, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

Internet Archive founder Brewster Kahle confirmed the attacks and website defacement in a Tweet on October 9: “DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.”

The DDoS attacks returned yesterday, and Archive and Open Library were taken offline, opting for “being cautious and prioritizing keeping data safe at the expense of service availability.”

In an update today, Kahle said: “The data is safe. Services are offline as we examine and strengthen them. Sorry, but needed. @internetarchive staff is working hard. Estimated Timeline: days, not weeks.”

In the meantime, this notice appears on the Archive home page, and the Open Library site was down at the time of publication:

Breach and DDoS Attacks May Not Be Linked

Shortly after the breach became public, the DDoS attacks were launched by the threat actor group SN_BLACKMETA. In an alert to clients, Cyble said there is as of yet no evidence that the breach and DDoS attacks are related.

“There is no correlation whether the threat actor group SN_BLACKMETA who is behind the DDoS attacks is the same group that also breached Internet Archive,” Cyble said in the alert.

SN_BLACKMETA appears to misunderstand the nature of the non-governmental, non-profit Internet Archive, as the threat group stated as its motive for the attacks that “the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of “Israel”.”

Commenters on Twitter and apparently even in the group’s own Telegram channel (now taken down) criticized targeting the Internet Archive, which has preserved a vast amount of data and records on a small budget. At last count, the Archive contained 57 petabytes of data and more than 866 billion web pages across four data centers in its mission to provide “universal access to all knowledge.”

On Mastodon, independent cybersecurity researcher Kevin Beaumont said, “that isn’t sticking it to some evil multinational, it’s attacking a genuinely great resource run on near nothing resource, sweat and tears. If you’re going to attack things – please aim better.”

Archive Website Security Questioned

In the wake of the attacks, questions are being raised about the Internet Archive’s website security, which allowed a breach, exfiltration, defacement and DDoS attacks within a short time period.

“A Website as large as archive.org should be able to isolate hashed passwords from public accessible Javascript,” one commenter noted. “Wikipedia makes extensive use of Javascript. As far as i know, Javascript is disabled on preferences pages and login Pages.”

The post Data Breach and DDoS Attacks Take Archive.org and Open Library Offline appeared first on Cyble.

Blog – Cyble – ​Read More