We live in the age of AI hype. Artificial intelligence is here, there, and everywhere – so promising, slightly mysterious, but undeniably guiding humanity toward a brighter future of technological singularity that’s still somewhat incomprehensible and potentially a black hole.

Some readers might detect sarcasm in this statement – but that would be a mistake. Machine learning-driven automation (ML), neural networks, and other AI technologies have already taken over many industries. And there’s more to come in the evolution of Homo sapiens. If you’re interested in diving deeper into this topic, check out the history of the various industrial revolutions: first, second, third, and even fourth.

In line with this trend, cybersecurity was perhaps one of the pioneers in adopting new, smart technologies. And what makes me particularly proud of this process is that our company was one of the first in the industry to successfully implement this bright AI-driven future. How else could we possibly handle nearly half a million new malicious programs emerging every single day as of early 2025? No educational system in the world can produce enough experts to keep up with that. The only solution is to create intelligent systems capable of independently and highly accurately neutralizing cyberattacks. Experts are then left with only the most complex cases – and, of course, the challenging task of inventing and continuously improving these systems.

A few days ago, we celebrated an exciting anniversary. Twenty years ago was born the prototype of our first AI/ML technology for automatic malware analysis and the creation of “detections” – antivirus updates that protect computers, gadgets, and other devices from new attacks.

The technology was given a name that’s rather odd at first glance – Avtodyatel, which translates as Auto-Woodpecker! But there’s a simple explanation for it: within our team, security analysts were affectionately referred to as woodpeckers – tirelessly pecking away at viruses and processing streams of suspicious files. And then we added the “Auto” to “Woodpecker” for the name of the tech designed to do this job automatically (incidentally, I was a woodpecker myself back then).

After digging through our archives, we found not only the birthdate of this first automation baby, but also some fascinating photos of the original plans for its creation. We even recalled its birthplace – the 14^th floor of the Radiophysics building near the Planernaya metro station in northwest Moscow where we rented office space at the time. So get comfy, and I’ll tell you a fascinating story. It all started kinda like this…

A quarter of a century ago, malicious programs were much rarer – and, paradoxically, much more advanced – than today’s typical malware, despite being written by pioneering enthusiasts, inventive lone programmers, and cyber pranksters. This made researching them a real pleasure – each new virus taught you something new. Back then, like my fellow woodpeckers, I manually analyzed the stream of malicious programs – what would now be called “malware research”.

By that time, it was already difficult to compile all existing malware into a single reference book as had been done back in 1992. But we still managed the flow, and at the end of each work week, I manually compiled antivirus database updates.

However, over time, malware creation evolved from mere mischief and boundary-pushing into a full-fledged criminal industry. Cybercriminals no longer just wanted to infect as many computers as possible – they sought to profit from it. For example, they harvested email addresses from infected machines and sold them for spam distribution.

Sensing profit, these bad actors triggered exponential growth in malware production. But instead of inventing fundamentally new threats, they started mass-producing slightly modified versions of existing ones. And I realized we couldn’t keep up manually; if we were to continue down this path, we’d drown in an endless flood of cyber-garbage.

Fortunately, technological advancements at the time required much smaller investment and less development time. You could just buy some pizza (pineapple-topped, of course!), gather a few brilliant minds in a meeting room, and spend a couple of hours brainstorming project ideas. And so, on February 22, 2005, I assembled my colleagues to develop plans for automating our malware analyst work.

Just take a look at this beauty!

We had some primitive automation tools before, of course. But Auto-Woodpecker was the first system with a fundamentally new level:

1. It freed up valuable experts from repetitive tasks, allowing them to focus on more advanced challenges.
2. It massively scaled up operational efficiency.
3. It helped highlight similar (or related) incidents for further analysis.

In simple terms, the system automatically received new files from agents (“crawlers”) that scanned websites, email traps, and network sensors. These files were then automatically unpacked and executed in a secure environment – an artificial setting designed to observe malware behaviour.

There, the samples were analyzed by automated scanners, classified, and then compiled into antivirus databases.

The key challenge when encountering a new malware sample was determining whether it was a never-before-seen threat, or simply a variation of a known one. This is where the file auto-classifier (marked as “FF” in the diagram above) came into play, utilizing AI/ML principles – now an essential feature in nearly every cybersecurity product (except for fraudulent ones).

It didn’t work perfectly at first, but it quickly improved. We systematically documented all our ideas, detailed how subsystems would interact, how data would be exchanged, and how false positives would be handled. Then we rolled up our sleeves and got to work.

A few months later, the first version of Auto-Woopecker went live.

The results were instant and dramatic. Previously, five of us manually analyzed around 300 malware samples per week – an impressive number at the time. But with Auto-Woodpecker our productivity skyrocketed. And as the technology improved, this skyrocketing just kept on… skyrocketing!

Before long, Auto-Woodpecker was processing the entire incoming stream – leaving only 2-5% of all suspicious files for manual expert review. Today, of course, our tools are far more advanced, and AI-driven technologies play an even bigger role in cybersecurity.

To give you a glimpse of how far we’ve come, here are just a few recent examples:

• Kaspersky MLAD (Machine Learning for Anomaly Detection): A predictive analytics system that detects early signs of equipment failure, process disruptions, cyberattacks, and human errors in industrial telemetry signals – long before they cause real damage.
• Kaspersky MDR (Managed Detection and Response) This service has been using an AI analyst for several years to filter out false positives, reducing the workload on SOC specialists and allowing them to focus on complex threat investigations.
• Kaspersky Threat Lookup: Just last week we integrated a tool for finding contextual information on indicators of compromise using an AI-powered large language model.

The results speak for themselves, and we have even bigger plans ahead!…

Happy 20th Anniversary, Auto-Woodpecker!!

Cin cin!

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 
 
Benjamin Franklin once said, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” In much the same way, those who rush for efficiency without taking into account security end up neither efficient nor secure.  

The past week the Department of Government Efficiency (or DOGE) has put on a clinic of how not to do things. For example, the Doge.gov website was easily and immediately compromised. Researchers were able to push updates to the public website via access to a database of government employment information. Not to be outdone the DOGE team hastily stood up the Waste.gov website which still had a placeholder WordPress default template, including the sample text which features an imaginary architecture firm called Études, from a default WordPress theme called Twenty Twenty-Four. This slapdash nonsense was hidden behind a password wall after the research information became public.  

It’s really an excellent lesson in what happens when security is not taken into account and the instant ramifications. As an entire infosec community we’ve talked at length about how baking security into every decision is incredibly important and that trying to bolt on fixes after the fact not only doesn’t work but highlights the lack of rigor and awareness of security in the room – creating an attractive target.

Let’s take a deep breath, take a moment to create a more secure process, follow those processes, and ensure security is in place at every step – then we can attack matters of efficiency.  

The one big thing 

Cisco Talos has published a blog on the ongoing research into Salt Typhoon. Cisco Talos been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, an issue that we have been concerned with for a long time here at Talos. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon.  

A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders. 

Why do I care? 

State sponsored actors have been aggressively targeting global network infrastructure and understanding and mitigating these actions will help you improve your network infrastructure resilience. 

So now what? 

Cisco Talos has released an extensive list of preventative measures for general and Cisco-specific devices which can be found in the Salt Typhoon blog post.  

Top security headlines of the week 

Palo Alto Networks has warned that hackers are exploiting another vulnerability in its firewall software to break into unpatched customer networks. (TechCrunch)  

Security researchers warn a critical vulnerability in SonicWall’s SonicOS is under active exploitation.(CyberSecurityDrive) 

Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions. (TheHackerNews) 

Can’t get enough Talos? 

• Talos Vulnerability Research: ClearML and NVIDIA 
• Vulnerability Deep Dive: Small praise for modern compilers – A case of Ubuntu printing vulnerability that wasn’t 

Upcoming events where you can find Talos 

RSA (April 28-May 1, 2025) 

San Francisco, CA 

CTA TIPS 2025 (May 14-15, 2025)
 
Arlington, VA 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  MD5: ff1b6bb151cf9f671c929a4cbdb64d86   
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5 
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector 
Detection Name: W32.File.MalParent     

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0 
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991 

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Detection Name: Simple_Custom_Detection 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos 

Cisco Talos Blog – ​Read More

Summary

Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities.

Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials. The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.

A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders.

No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims. The vulnerabilities in question are listed below. Note that each of these CVEs have security fixes available. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching of these vulnerabilities imperative.

Therefore, our recommendation — which is consistent with our standard guidance independent of this particular case—is always to follow best practices to secure network infrastructure.

• CVE-2018-0171 – Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability (Last Updated: 15-Dec-2022)
• CVE-2023-20198, CVE-2023-20273 – Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature (Last Updated: 1-Nov-2023)
• CVE-2024-20399 – Cisco NX-OS Software CLI Command Injection Vulnerability (Last Updated: 17-Sep-2024)

Activities observed

Credential use and expansion

The use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor. We have observed the threat actor actively attempting to acquire additional credentials by obtaining network device configurations and deciphering local accounts with weak password types—a security configuration that allows users to store passwords using cryptographically weak methods. In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers. The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.

Configuration exfiltration

In numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP. These configurations often contained sensitive authentication material, such as SNMP Read/Write (R/W) community strings and local accounts with weak password encryption types in use. The weak encryption password type would allow an attacker to trivially decrypt the password itself offline. In addition to the sensitive authentication material, configurations often contain named interfaces, which might allow an attacker to better understand the upstream and downstream network segments and use this information for additional reconnaissance and subsequent lateral movement within the network.

Infrastructure pivoting

A significant part of this campaign is marked by the actor’s continued movement, or pivoting, through compromised infrastructure. This “machine to machine” pivoting, or “jumping,” is likely conducted for a couple of reasons. First, it allows the threat actor to move within a trusted infrastructure set where network communications might not otherwise be permitted. Additionally, connections from this type of infrastructure are less likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected.

The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances. Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.

Configuration modification

We observed that the threat actor had modified devices’ running configurations as well as the subsystems associated with both Bash and Guest Shell. (Guest Shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities, including Bash.)

Running configuration modifications

• AAA/TACACS+ server modification (server IP address change)
• Loopback interface IP address modifications
• GRE tunnel creation and use
• Creation of unexpected local accounts
• ACL modifications
• SNMP community string modifications
• HTTP/HTTPS server modifications on both standard and non-standard ports

Shell access modifications

• Guest Shell enable and disable commands
• Started SSH alternate servers on high ports for persistent access, such as sshd_operns (on port 57722) on underlying Linux Shell or Guest Shell
  • /usr/bin/sshd -p X
• Created Linux-level users (modification of “/etc/shadow” and “/etc/passwd”)
• Added SSH “authorized_keys” under root or other users at Linux level

Packet capture

The threat actor used a variety of tools and techniques to capture packet data throughout the course of the campaign, listed below:

• Tcpdump – Portable command-line utility used to capture packet data at the underlying operating system level.
  • Tcpdump –i
• Tpacap – Cisco IOS XR command line utility used to capture packets being sent to or from a given interface via netio at the underlying operating system level.
  • Tpacap –i
• Embedded Packet Capture (EPC) – Cisco IOS feature that allows the capture and export of packet capture data.
  • Monitor capture CAP export ftp://<ftp_server>
  • Monitor capture CAP start
  • Monitor capture CAP clear

Operational utility (JumbledPath)

The threat actor used a custom-built utility, dubbed JumbledPath, which allowed them to execute a packet capture on a remote Cisco device through an actor-defined jump-host. This tool also attempted to clear logs and impair logging along the jump-path and return the resultant compressed, encrypted capture via another unique series of actor-defined connections or jumps. This allowed the threat actor to create a chain of connections and perform the capture on a remote device. The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.

This utility was written in GO and compiled as an ELF binary using an x86-64 architecture. Compiling the utility using this architecture makes it widely useable across Linux operating systems, which also includes a variety of multi-vendor network devices. This utility was found in actor configured Guestshell instances on Cisco Nexus devices.

Defense evasion

The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices (see “Infrastructure pivoting” section).

The threat actor routinely cleared relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable, to obfuscate their activities. Shell access was restored to a normal state in many cases through the use of the “guestshell disable” command.

The threat actor modified authentication, authorization, and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems.

Detection

We recommend taking the following steps to identify suspicious activity that may be related to this campaign:

• Conduct comprehensive configuration management (inclusive of auditing), in line with best practices.
• Conduct comprehensive authentication/authorization/command issuance monitoring.
• Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
• Monitor your environment for unusual changes in behavior or configuration.
• Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
• Where possible, develop NetFlow visibility to identify unusual volumetric changes.
• Look for non-empty or unusually large .bash_history files.
• Additional identification and detection can be performed using the Cisco forensic guides.

Preventative measures

The following guidance applies to entities in all sectors.

• Cisco-specific measures
  • Always disable the underlying non-encrypted web server using the “no ip http server” command. If web management is not required, disable all of the underlying web servers using “no ip http server” and “no ip http secure-server” commands.
  • Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
  • If not required, disable the guestshell access using “guestshell disable” for those versions which support the guestshell service.
  • Disable Cisco’s Smart Install service using “no vstack”.
  • Utilize type 8 passwords for local account credential configuration.
  • Use type 6 for TACACS+ key configuration.
• General measures
  • Rigorously adhere to security best practices, including updating, access controls, user education, and network segmentation.
  • Stay up-to-date on security advisories from the U.S. government and industry, and consider suggested configuration changes to mitigate described issues.
  • Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of-life hardware and software.
    • Select complex passwords and community strings and avoid default credentials.
  • Use multi-factor authentication (MFA).
  • Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
  • Lockdown and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
  • Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
  • Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP(s)).
  • Disable all non-encrypted web management capabilities.
  • Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
  • Enhance overall credential and password management practices with stronger keys and/or encryption.
    • Use type 8 passwords for local account credential configuration.
    • Use type 6 for TACACS+ key configuration.
  • Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.

Analyst’s comments

There are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat actor, including the targeted nature of this campaign, the deep levels of developed access into victim networks, and the threat actor’s extensive technical knowledge. Furthermore, the long timeline of this campaign suggests a high degree of coordination, planning, and patience—standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.

During this investigation, we also observed additional pervasive targeting of Cisco devices with exposed Smart Install (SMI) and the subsequent abuse of CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software. This activity appears to be unrelated to the Salt Typhoon operations, and we have not yet been able to attribute it to a specific actor. The IP addresses provided as observables below are associated with this potentially unrelated SMI activity.

Legacy devices with known vulnerabilities, such as Smart Install (CVE-2018-0171), should be patched or decommissioned if no longer in use. Even if the device is a non-critical device, or carries no traffic, it may be used as an entry door for the threat actor to pivot to other more critical devices.

The findings in this blog represent Cisco Talos’ understanding of the attacks outlined herein. This campaign and its impact are still being researched, and the situation continues to evolve. As such, this post may be updated at any time to reflect new findings or adjustments to assessments.

Indicators of Compromise (IOCs)

IP Addresses:

185[.]141[.]24[.]28

185[.]82[.]200[.]181

Cisco Talos Blog – ​Read More

Phishing kits have invested greatly in the popularity of phishing. They drop the entry threshold for cybercriminals enabling even low-skilled hackers to conduct successful attacks.  

In general, a phishing kit is a set of tools for creating convincing fake webpages, sites, or emails that trick users into divulging sensitive information like passwords or credit card credentials. Security specialists should never underestimate this type of malware and fail to be ready to counter its users. 

What Phishkits are made of 

These ready-to-use packages can be basic, with some pre-written code and website and email templates, and they can be advanced phishing-as-a-service (PHaaS) kits that offer more sophisticated and customizable features. These may even contain automated updates or encryption features.  

A typical kit includes:  

• Website (email, social network pages) templates mimicking legitimate brands (banks, email providers, cloud services, etc.) 
• Data harvesting scripts that capture input in webpage forms 
• Automated deployment tools for quick setup 
• Bypass techniques such as reverse proxies that intercept multi-factor authentication 
• Server-side components that manage the data collected from victims 

Some notable Phishkits 

• 16Shop: targeted Apple, PayPal, and Amazon users and was distributed as a subscription service. 
• Evilginx2: a framework to intercept authentication tokens that helped to bypass MFA. 
• BulletProofLink: a PHaaS platform that offered pre-hosted phishing pages and even reused stolen credentials to maximize profit. 

• Greatness: targets Microsoft 365 users and can dynamically generate fake login pages customized for the victim. 
• GoPhish: an open-source framework meant for businesses to test their exposure to phishing by imitating attacks but also used maliciously. 
• King Phisher: offers advanced features like campaign management and cloning of websites. 
• Blitz: known for its simplicity and quick creation of phishing webpages. 

Why Phishkits are a serious issue for businesses 

Phishing kits are employed to attack both individuals and organizations, but they represent a specific threat to businesses by inviting wider audience of would-be hackers to the industry, multiplying risks and providing an increased workload to security systems.  
 
Besides, phishing kit attacks make it easier to turn any employee into a soft spot of the cyber security perimeter. Even targeted at people, such attacks are a headache for SOC teams.  
 
The features of phishkits that pose increased risks for organizations are:  
 
Scalability: They allow attackers to automate and run phishing campaigns against thousands of employees simultaneously. 

MFA Bypass: Modern phishkits integrate Adversary-in-the-Middle (AiTM) techniques to steal session cookies, bypassing multi-factor authentication. 

Brand Abuse & Reputation Damage: Phishing pages tend to impersonate well-known brands, leading to loss of their customer trust when credentials are stolen. 

Supply Chain Attacks: Phishkits can be used to target third-party vendors and gain access to corporate networks via compromised partners. 

Defusing Phishkits with Threat Intelligence 

Cyber threat intelligence has long proven useful in countering phishkit-based attacks. It involves gathering, analyzing, and acting upon information about current and emerging threats. For countering phishkits, it enforces:  

• Early detection: TI helps to collect the indicators of compromise associated with the use of certain phishkits and set up network monitoring for detecting the elements of phishkit infrastructure. 
• Behavioral Analys: TI is used to analyze patterns and behaviors of phishing campaigns, to identify new kits or variations of known ones before they cause harm. 
• Proactive Blocking: Intelligence feeds are used to update security systems like firewalls, email gateways, or intrusion detection systems to block known malicious domains or IPs. 
• Employee Training: By helping to understand phishkits’ anatomy and behavour, TI can facilitate realistic phishing simulations based on actual threats, training staff to recognize and report phishing attempts. 
• Vulnerability Management: Seeing what types of phishkits are targeting specific sectors or technologies, organizations prioritize patching vulnerabilities or enhance security measures where they are most needed.

How to Track and Identify Phishing Kit Attacks with TI Lookup 

Threat Intelligence Lookup from ANY.RUN provides access to an extensive database of the latest threat data extracted from millions of public sandbox sessions.  

It allows analysts to conduct targeted indicator searches with over 40 different parameters, from IPs and hashes to mutexes and registry keys, to enrich their existing intel on malware and phishing attacks.  

With TI Lookup, users can collect as well as pin their existing indicators to specific cyber threats. Each indicator in TI Lookup can be observed as part of wider context  

Learn more about TI Lookup 

Threat Intelligence Lookup empowers organizations with: 

• Streamlined Access to Threat Information: Simplifies and speeds up the process of finding threat-related information, making it more convenient and efficient. 
• Detailed Insights into Attacks: Provides detailed information on attacker methods, helping to determine the most effective response measures. Deep analysis makes the actions of analysts more precise and effective. 
• Reduced Mean Time to Respond (MTTR): Offers quick access to key threat information, enabling analysts to make swift decisions. 
• Increased Detection and Response Speed: Ensures data is up-to-date, helping businesses improve the speed of detecting and responding to new threats. 

1. Collecting Intel on Tycoon2FA Phishkit Abusing Cloudflare Workers 

Tycoon2FA is a phishkit that has been offered as a service to cyber criminals since 2023. This threat’s specialty is adversary-in-the-middle attacks that make it possible to not only steal victims’ login credentials but also bypass two-factor authentication (2FA).  

Tycon2FA operators make extensive use of Cloudflare Workers and Cloudflare Pages for hosting fake login forms that are abused for stealing personal data.  

With TI Lookup, we can collect the latest example of domains utilized for Tycoon2FA attacks using the following query: 

domainName:”*.workers.dev” 

TI Lookup provides 49 domains, with some of them being labeled with the “phishing” tag. At this point, users can collect these indicators to enrich their defense. 

Using TI Lookup can be also helpful during triage, when you need to check if a certain Cloudflare Workers domain is malicious. As you can see in the image above, the service instantly informs you about the threat level of the queried domain. 

The Tasks tab in TI Lookup provides a list of the latest analysis reports performed in ANY.RUN’s Interactive Sandbox featuring the requested domains. 

Here, we can discover that Cloudflare’s domain is also used by another phishing-as-a-service tool, EvilProxy.  

If you want to dig deeper, you can open any of these reports inside the sandbox and observe real-world attacks as they unfolded and rerun analysis of these URLs yourself. 

2. Researching Phishkit Campaigns via Suricata rules  

Threat Intelligence Lookup supports search by Suricata IDS rules. Add a rule ID (SID) and see an assortment of incidents where the same rule was triggered.  

Let’s use the rule with the class “Possible social engineering attempted” via the following query: 

suricataID:”8001050″ 

Among the results, we can see examples of Gabagool and Sneaky2FA phishing kit attacks, as well as Tycoon2FA’s which are linked to the Storm1747 APT.

Learn more on how to track APTs

You can download data on all of these samples, which includes hashes, and use it to further enrich your security systems. As always, you can also explore each report in detail to collect even more insights into these attacks. 

TI Lookup also lets you automatically receive notifications about the new results available for specific search queries. All you need to do is click the bell icon, and all of the updates will be displayed in the left side menu. 

3. Tracking new samples of Mamba2FA Phishkit 

If your organization has been previously attacked with a certain phishing kit, then you can easily stay updated on the newest indicators related to it. 

Let’s take Mamba2FA as an example. It is a widely utilized phishkit that has been used in numerous attacks against businesses in the financial and manufacturing sectors. 

With a simple query that combines the name of the phishkit with an empty domain name field, we can quickly discover both new attacks, as well as network indicators like domains and URLs recorded during sandbox analysis: 

threatName:”mamba” AND domainName:”” 

Learn more about proactively identifying Mamba2FA attacks in the article by a phishing analyst. 

Conclusion  

Security experts are far from underestimating the risks behind phishing kits. They don’t just open gates to a mass of low-skilled beginners to the cybercrime market. They abuse known brands and trademarks by impersonating their resources, employ sophisticated infiltration and anti-evasion techniques, and are constantly evolving.  

To avoid financial and reputational loss, organizations should consider investing in high-end threat intelligence solutions as well as emphasize employee educating and training.  

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How to Identify and Investigate Phishing Kit Attacks appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More