Alert notification as phishing bait | Kaspersky official blog

What would prompt someone to sign in to their work email account on the spot? That’s right, a warning about a hack. The first impulse of a responsible employee who receives such a security alert is to find out what happened, change their password, and maybe even notify others who may have been affected. But that knee-jerk reaction is in fact a reason NOT to act immediately, but rather take a deep breath and triple-check everything. Here’s why.

Phishing email

The email that kicks off this phishing attack we recently encountered pretends to be a notification from Office 365, and it does a pretty good job.

Sure, perfect it ain’t: the Microsoft logo is too big and looks odd without the company name; notifications of this kind usually have the Office 365 logo; and the alert itself is a bit muddled. In the second line, for example, it mentions that someone created a “forwarding/redirect rule”, but the “Details” line specifies that this alert was triggered because someone gained “access to read your user’s email”. These details will stand out to the user who gets a lot of Office 365 notifications – but most users don’t.

What should really catch even the untrained eye is the sender’s address. Genuine Office 365 notifications signed “The Office 365 Team” come from, yes, Microsoft’s email servers, not from an administrator on an unrelated domain.

The “Severity” line also looks odd: “Informational” notifications usually don’t require any user action.

DIY redirect

Concerned recipients scared into clicking the “View alert details” link are taken to a page that mimics a broken redirect.

In fact, a cursory check of the browser address bar, or even the name of the tab, clearly shows that this page is hosted in the Google Docs cloud. To be precise, it’s a single-slide presentation with a link. The purpose behind it is that the initial phishing email contains only a link to docs.google.com, which has a positive reputation in the eyes of most anti-phishing engines. Recipients are invited to follow the link because automating a redirect from a presentation slide is simply impossible, and the attackers need some way to lure them to the phishing site; the victim is asked to walk into the trap themselves.

These are all clear signs of phishing that you need to watch out for every time you follow a link in a corporate email. The finale isn’t hard to guess: a simple page for harvesting Office 365 credentials. The address gives it away, of course.

How to protect employees from phishing

We recommend regular training for employees in the art of spotting the latest cybercriminal tricks (for example, by showing them our posts dedicated to signs of phishing). It’s even better to use a dedicated platform to raise cybersecurity awareness throughout the company.

And to make extra sure, provide corporate users with multi-layered anti-phishing protection capable of both filtering out bulk emails at the mail gateway level and blocking redirects to dangerous web pages using security solutions on a workstation.

Kaspersky official blog – ​Read More

Major ICS Security Flaws Disclosed in LOYTEC, Hughes, and Baxter Products

Key Takeaways


Three major advisories from CISA address 17 vulnerabilities across products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter.

Multiple products are affected by vulnerabilities allowing for the cleartext transmission of sensitive data, such as passwords, which could be exploited through Man-in-the-Middle (MitM) attacks. Despite being reported in 2021, these vulnerabilities are now publicly disclosed due to the vendor’s lack of response.

With 629 internet-exposed instances, primarily in Italy and France, the likelihood of exploitation is high. Proof of Concepts (PoCs) for these vulnerabilities is publicly available.

Other notable vulnerabilities include insufficiently protected credentials and SQL injection, affecting critical infrastructure systems.

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted multiple vulnerabilities in ICS products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter. Cyble Research & Intelligence Labs (CRIL) stressed critical vulnerabilities and threats identified between September 03, 2024, and September 09, 2024. These vulnerabilities span a range of severity levels and impact various products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter.

Multiple vulnerabilities have been identified in LOYTEC Electronics GmbH’s product line. These issues primarily involve the cleartext transmission and storage of sensitive information, along with missing authentication for critical functions and improper access control. Specifically, CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 are high-severity vulnerabilities that expose sensitive data such as passwords to potential interception through Man-in-the-Middle (MitM) attacks. These vulnerabilities affect multiple products, including LINX-151, LINX-212, LVIS-3ME12-A1, and various models within the LIOB and L-INX Configurator series.

For instance, CVE-2023-46380 and CVE-2023-46382 both deal with cleartext transmission of sensitive information. The risk associated with these vulnerabilities is significant because attackers can intercept and read sensitive data sent over the network. Exploiting CVE-2023-46384 and CVE-2023-46386, which involve cleartext storage of sensitive information, further compounds the risk, as attackers gaining access to these stored data could potentially exploit it for unauthorized purposes.

Additionally, CVE-2023-46381 and CVE-2023-46387 address missing authentication and improper access control issues. These vulnerabilities allow unauthorized access to critical functions and systems, which can lead to broader system compromises if exploited. The absence of proper authentication mechanisms in these cases means that attackers could bypass security measures and gain unauthorized control.

Hughes Network Systems Vulnerabilities

Hughes Network Systems’ WL3000 Fusion Software is affected by two medium-severity vulnerabilities. CVE-2024-39278 and CVE-2024-42495 highlight insufficiently protected credentials and missing encryption of sensitive data, respectively. CVE-2024-39278 exposes credentials that are not adequately protected, which could be intercepted and misused by attackers.

On the other hand, CVE-2024-42495 involves missing encryption for sensitive data, increasing the risk of data breaches and unauthorized access. These vulnerabilities affect versions of the software before 2.7.0.10, emphasizing the importance of updating to the latest versions to mitigate these risks.

Baxter Vulnerabilities

Baxter’s Connex Health Portal has been identified with critical and high-severity vulnerabilities. CVE-2024-6795 is a critical SQL injection vulnerability that affects all versions of the Connex Health Portal, released before August 30, 2024. SQL injection vulnerabilities allow attackers to execute arbitrary SQL commands on the database, potentially leading to unauthorized data access or modification.

In addition, CVE-2024-6796 involves improper access control, which can result in unauthorized access to sensitive application areas. Both vulnerabilities necessitate immediate patching and updates to protect against potential exploits.

The vulnerabilities identified across these ICS products highlight critical risks that need prompt attention. For LOYTEC Electronics GmbH products, the issues primarily involve data security flaws, while Hughes Network Systems and Baxter face vulnerabilities that affect credential protection and data encryption.

Organizations using these systems should prioritize applying available patches and updates, implementing robust access controls, and enhancing their security posture to mitigate the risks posed by these vulnerabilities. The majority of disclosed vulnerabilities are categorized as high severity, emphasizing the critical need for prompt action and mitigation.

Conclusion

These vulnerabilities highlight critical security issues in ICS products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter. Key vulnerabilities include cleartext transmission of sensitive data, SQL injection, and improper access controls, all of which pose significant risks. Organizations must act quickly by applying patches, enhancing access controls, and improving security monitoring. These steps are crucial to mitigating the identified risks and protecting critical infrastructure from exploitation.

Mitigations and Recommendations


Implement network segmentation to isolate ICS networks from corporate and internet networks. Use firewalls and DMZs to manage traffic between segments.

Apply strong, multifactor authentication and limit access based on the principle of least privilege.

Keep ICS hardware and software updated with the latest patches to defend against known vulnerabilities.

Deploy monitoring tools to detect suspicious activities and maintain logs for forensic investigations.

Develop and test an ICS-specific incident response plan for effective handling of security incidents.

Educate staff on ICS-specific threats and best practices, emphasizing the risks of social engineering and untrusted software sources.

Sources


https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01

https://www.cisa.gov/news-events/ics-advisories/icsa-24-249-01

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01

The post Major ICS Security Flaws Disclosed in LOYTEC, Hughes, and Baxter Products appeared first on Cyble.

Blog – Cyble – ​Read More

Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. 

Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website

Microsoft AllJoyn API information disclosure vulnerability 

 
The AllJoyn API in some versions of the Microsoft Windows operating system contains an information disclosure vulnerability. 

TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. 

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. 

Microsoft fixed this issue as part of its monthly security update on Tuesday. For more on Patch Tuesday, read Talos’ blog here

CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.   

Adobe Acrobat Reader annotation object page race condition  

Discovered by KPC. 

Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

TALOS-2024-2011 (CVE-2024-39420) can be executed if an adversary tricks a targeted user into opening a specially crafted PDF file with malicious JavaScript embedded. This JavaScript could then trigger memory corruption due to a race condition.  

Depending on the memory layout of the process this vulnerability affects, it may be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution. 

Cisco Talos Blog – ​Read More

How to Analyze Malware in ANY.RUN Sandbox: Eric Parker’s Guide

Recently, Eric Parker, a cybersecurity expert and YouTuber, released a new video on ANY.RUN’s interactive sandbox. We recommend you take a look at his tutorial, as it offers a step-by-step guide on how to use the service and save time on reverse engineering.

Here’s our overview of the key highlights from the video. 

About malware analysis in a sandbox 

Sandboxing is a crucial process in cybersecurity that lets professionals analyze malware in a controlled environment. Sandboxes provide a safe space to upload and examine potentially malicious samples without compromising your actual system.

ANY.RUN’s sandbox offers interactive analysis, providing users with a real-time view of how malware behaves and allowing them to engage with the system and samples just like on a standard computer.

Try advanced malware analysis with ANY.RUN for free 



Get 14-day trial


Setting up a sandbox environment 

Eric began by highlighting various settings of ANY.RUN that can be adjusted for different scenarios, including: 

MITM Proxy: This setting is particularly useful for intercepting and analyzing network traffic, such as HTTP requests made by the malware. This allows you to track how the malware communicates with command and control (C2) servers and gather more detailed information about its actions. 

Network settings in ANY.RUN sandbox 

FakeNet: This option is effective if you’re worried about malware with worm-like capabilities, allowing detection of network shares or interactions with non-functional command and control servers. 

Learn more about MITM proxy and FakeNet 

Operating system customization in ANY.RUN sandbox 

Operating System Customization: ANY.RUN offers a variety of OS options, from older versions of Windows (7/32-bit, 7/64-bit) to the latest Windows 11. Linux users can also run samples for cross-platform analysis.  

For legacy malware, using an older OS might be necessary for full compatibility. Eric recommends experimenting with different OS options based on the malware sample. 

Pre-installed soft set: You can choose pre-installed software sets, such as Office or Complete, to simulate real-world environments, making the analysis more realistic. Users can also upload their own tools to the virtual machine for quick access during the investigation. 

Privacy Settings: You can choose whether your analysis results are public or private. If you’re working with sensitive malware samples that could contain proprietary information, this feature ensures confidentiality. 

Duration Control: For malware that delays execution (e.g., with sleep functions), you can extend the sandbox runtime to capture the full scope of its behavior. 

Sandbox analysis of Zombie malware 

In the video demonstration, Eric uploaded a malware sample he suspected of being malware. ANY.RUN’s sandbox quickly identified warning signs, detecting file replacements and abnormal behaviors indicative of malware infection. 

Key points in the analysis: 

File overwriting: The malware replaced files with an executable payload. In the example, the malicious EXE was found to overwrite legitimate system files and create numerous temporary files. 

File dumping: One of ANY.RUN’s most valuable features was the ability to dump files mid-execution, making it easier to analyze malware that uses packing or encryption to conceal its malicious actions. 

File dumping in ANY.RUN sandbox

Executable identification: Uploading the file to the sandbox made it possible to instantly identify it as malicious and belonging to the Zombie malware family. 

Analysis of Pysilon Discord RAT 

Eric emphasized that the goal of any malware analyst is not to understand every line of code, but to get a good view of how the program interacts with the system. This is where an interactive sandbox can prove extremely helpful.  

By running the malware in a virtual environment, analysts can quickly understand its behavior without delving into advanced reverse engineering.

In many cases, dynamic analysis alone can provide all the necessary information, bypassing the need for a full static analysis. Eric showed this by running a Pysilon Discord RAT sample in the sandbox.

Try all features of ANY.RUN sandbox for free 



Get 14-day trial


Pysilon is a malware that is often packed in a unique way, making static analysis more difficult. To avoid dealing with the packer, Eric simply enabled the MITM proxy in ANY.RUN, which allowed him to acquire the malware’s Discord bot token in a few seconds. 

Bot token acquired in ANY.RUN sandbox 

ANY.RUN also identified a newly spawned executable named “driveinst.exe” which mimicked a legitimate process. This executable was flagged as unsigned, raising a red flag. 

ANY.RUN automatically categorized the malware as a stealer, highlighting its malicious actions and network communications. 

Pysilon Discord RAT analysis inside ANY.RUN sandbox 

As a result, the bot token was captured, the malware’s behavior was observed, and the analysis was completed in less than 30 seconds.

Conclusion 

Sandboxes, as demonstrated by Eric Parker, are a powerful tool in the fight against malware. Sandbox analysis allowed Eric to extract crucial information within minutes, cutting down the time needed for manual reverse engineering.

The sandbox provided live data on network traffic, file manipulation, and system changes, delivering instant feedback on malware behavior.

Eric was able to avoid the need to manually unpack or decrypt files, streamlining the analysis process.

To see full potential of ANY.RUN’s sandbox, request a 14-day free trial →

About ANY.RUN   

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post How to Analyze Malware in ANY.RUN Sandbox: Eric Parker’s Guide appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score

Microsoft disclosed four vulnerabilities that are actively being exploited in the wild as part of its regular Patch Tuesday security update this week in what’s become a regular occurrence for the company’s patches in 2024. 

Two of the zero-day vulnerabilities, CVE-2024-38226 and CVE-2024-38014, exist in the Microsoft Publisher software and Windows Installer, respectively. Last month, Microsoft disclosed six vulnerabilities in its Patch Tuesday that were already being exploited in the wild.  

In all, September’s monthly round of patches from Microsoft included 79 vulnerabilities, seven of which are considered critical. In addition to the zero-days disclosed Tuesday, Microsoft also fixed a security issue that had already been publicly disclosed: CVE-2024-38217, a vulnerability in Windows Mark of the Web that could allow an adversary to bypass usual MOTW detection techniques.  

Cisco Talos’ Vulnerability Research team also discovered an information disclosure vulnerability in the AllJoyn API that could allow an adversary to access uninitialized memory. CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.  

The most serious of the issues included in September’s Patch Tuesday is CVE-2024-43491, which has a severity score of 9.8 out of 10. CVE-2024-43491, a remote code execution issue in Windows Update, is considered “more likely” to be exploited, though Microsoft disclosed few details about the nature of this vulnerability. 

There are also four remote code execution vulnerabilities in SharePoint Server that are also considered “more likely” to be exploited: CVE-2024-38018, CVE-2024-38227, CVE-2024-38228 and CVE-2024-43464

In the case of the latter three vulnerabilities, an authenticated attacker with Site Owner permissions can inject arbitrary code and execute code in the context of SharePoint Server. However, an attacker only needs to have Site Member permissions to exploit CVE-2024-38018. 

CVE-2024-38226, one of the zero-days disclosed this week, is a security feature bypass vulnerability in Microsoft Publisher that could allow an attacker to bypass the default Microsoft Office macro policies used to block untrusted or malicious files. An adversary could exploit this vulnerability by tricking a user into opening a specially crafted, malicious file in Microsoft Publisher, which could lead to a local attack on the victim’s machine. Macros have been blocked by default on Office software to prevent attackers from hiding malicious code in them.  

Another vulnerability being actively exploited in the wild, CVE-2024-38014, is an issue in Windows Installer that could allow an adversary to gain SYTEM-level privileges. This issue affects Windows 11, version 24H2, which is currently only available on certain Microsoft Copilot+ devices, among other older versions of Windows 10 and 11. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63979 – 63984 and 63987 – 63994. There are also Snort 3 rules 301008 – 301013.

Cisco Talos Blog – ​Read More

CISA Adds Three Critical Vulnerabilities to Known Exploited Vulnerabilities Catalog

Key Takeaways


CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with three critical vulnerabilities: CVE-2016-3714, CVE-2017-1000253, and CVE-2024-40766.

These vulnerabilities are being actively exploited by cybercriminals, posing significant risks to both federal and private sector organizations.

CISA urges all organizations to prioritize the remediation of these vulnerabilities to strengthen their cybersecurity defenses.

Organizations should update software with the latest patches, implement multi-factor authentication (MFA), and continuously monitor for unusual activities.

For detailed information and support, organizations should consult CISA’s advisories and the relevant vendor resources.

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog by adding three new vulnerabilities. These newly identified flaws represent significant security risks and are actively being exploited by malicious actors.

The newly added vulnerabilities include CVE-2016-3714, which affects ImageMagick due to improper input validation; CVE-2017-1000253, a Linux kernel vulnerability involving stack buffer corruption in position-independent executables (PIE); and CVE-2024-40766, a severe access control issue in SonicWall SonicOS.

These vulnerabilities are known to be frequent targets for cyberattacks and present significant risks to both federal and private sector organizations. CISA urges all organizations to prioritize remediation of these vulnerabilities to enhance their cybersecurity posture.

Details of the Vulnerabilities

CVE-2016-3714, also known as “ImageTragick,” affects ImageMagick versions prior to 6.9.3-10 and 7.x before 7.0.1-1. This vulnerability arises from improper input validation, which impacts various coders within ImageMagick.

Exploiting this flaw allows attackers to execute arbitrary code via shell metacharacters in a specially crafted image, potentially leading to remote code execution. To mitigate this risk, users should ensure that image files are validated for correct “magic bytes” and configure ImageMagick’s policy file to disable the vulnerable coders. Comprehensive guidance on configuration and additional mitigations is available for users.

CVE-2017-1000253 affects multiple versions of the Linux kernel, including those used in RedHat Enterprise Linux and CentOS. This vulnerability involves stack buffer corruption in the load_elf_binary() function, which can be exploited by local attackers to escalate privileges through issues with position-independent executables (PIE). Users are advised to apply the available patches to correct this buffer corruption flaw. Further details and patches are provided for addressing this issue.

CVE-2024-40766 is a critical vulnerability affecting SonicWall Firewalls Gen 5, Gen 6, and Gen 7 devices running SonicOS 7.0.1-5035 and older. This flaw in SonicWall SonicOS Management Access and SSLVPN allows unauthenticated attackers to gain unauthorized access to the management interface, which could result in unauthorized resource access or even firewall crashes.

To mitigate this vulnerability, it is essential to restrict firewall management to trusted sources or disable WAN management and SSLVPN access from the Internet. Users should download and apply the latest patches from SonicWall’s official site, and detailed security measures and patch links are available for further guidance.

Conclusion

The addition of CVE-2016-3714, CVE-2017-1000253, and CVE-2024-40766 to CISA’s KEV Catalog highlights the critical nature of these vulnerabilities. Organizations must act promptly to address these issues by applying patches and implementing recommended security practices. For additional information and support, refer to the official advisories and technical resources provided by CISA and relevant vendors.

Mitigation and Recommendations


Ensure all software, firmware, and systems are updated with the latest patches.

Restrict access to critical systems to authorized users only and implement multi-factor authentication (MFA).

Continuously monitor systems for unusual activities and conduct regular security audits and vulnerability assessments.

Maintain and regularly update an incident response plan to manage potential security breaches effectively.

Develop a comprehensive strategy for patch management, including inventory, assessment, testing, and deployment.

Implement proper network segmentation to protect critical assets from internet exposure.

The post CISA Adds Three Critical Vulnerabilities to Known Exploited Vulnerabilities Catalog appeared first on Cyble.

Blog – Cyble – ​Read More

The Re-Emergence of CVE-2024-32113: How CVE-2024-45195 has amplified Exploitation Risks

Overview

On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) identified the active exploitation of CVE-2024-32113, a critical path traversal vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system. This flaw was initially addressed on April 12, 2024, with a formal patch released on May 8, 2024. CVE-2024-32113 allows Threat Actors (TAs) to execute arbitrary commands by sending specially crafted requests, enabling them to gain unauthorized access and execute arbitrary commands.

On September 4, 2024, the identification of CVE-2024-45195 reignited concerns surrounding Apache OFBiz by revealing a bypass for several previously addressed vulnerabilities, notably CVE-2024-32113. This development has intensified the exploitation of CVE-2024-32113, as attackers exploit the flaw’s resurgence to compromise vulnerable systems and deploy malicious payloads. Researchers also observed active exploitation of this vulnerability to deploy the Mirai botnet on the compromised systems.

Cyble Global Sensor Intelligence (CGSI) findings

Cyble Global Sensor Intelligence (CGSI) detected exploitation attempts of CVE-2024-32113 on September 4, 2024. In the instances recorded by CGSI, as illustrated in the figure below, an attacker attempted to access the endpoint /webtools/control/forgotPassword;/ProgramExport through a POST request.

Vulnerability Details

Remote Code Execution

CVE-2024-32113

CVSSv3.1

9.1

Severity

Critical

Vulnerable Software Versions

Apache OFBi versions before 18.12.13

Description

The affected versions of the Apache OFBiz system contain a Path Traversal vulnerability due to improper limitation of pathnames to restricted directory.

Overview of the Exploit

The vulnerability arises from a fragmented state between the application’s current controller and view map due to the use of different parsing methods for incoming URI patterns. When attackers send unexpected URI requests, the logic for retrieving the authenticated view map can become confused, granting the attacker unauthorized access.

Exploitation occurs when an attacker submits a crafted request to the endpoint /webtools/control/forgotPassword;/ProgramExport, embedding a payload that executes Groovy scripts. This enables arbitrary commands to be run on the server. For instance, a payload could be used to execute the id command, which returns user and group IDs, thereby revealing sensitive information about the server environment.

Mitigation

CVE-2024-32113 affects Apache OFBiz versions prior to 18.12.13. However, version 18.12.13 remains vulnerable to CVE-2024-45195. Therefore, users are advised to upgrade to the latest version, 18.12.16, which addresses both vulnerabilities.

Recommendations

Following are recommendations to defend against the exploitation of CVE-2024-32113 and related vulnerabilities:


Upgrade Apache OFBiz to version 18.12.16 or the latest version available. This version addresses both CVE-2024-32113 and CVE-2024-45195.

Configure and deploy a WAF to filter and monitor HTTP requests, blocking attempts that exploit path traversal and other known attack vectors.

Apply the principle of least privilege to limit the potential impact of any successful exploitation.

Regularly review logs for unusual activities, such as unauthorized access attempts or suspicious requests to vulnerable endpoints.

Indicators of Compromise

Indicators
Indicator
Type

Description

185[.]190[.]24[.]111
IPv4
Malicious IP

References


https://nvd.nist.gov/vuln/detail/CVE-2024-32113

https://nvd.nist.gov/vuln/detail/CVE-2024-45195

https://thehackernews.com/2024/09/apache-ofbiz-update-fixes-high-severity.html

https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/

https://isc.sans.edu/diary/Increased+Activity+Against+Apache+OFBiz+CVE202432113/31132/

https://issues.apache.org/jira/browse/OFBIZ-13006

https://github.com//Mr-xn//CVE-2024-32113

The post The Re-Emergence of CVE-2024-32113: How CVE-2024-45195 has amplified Exploitation Risks appeared first on Cyble.

Blog – Cyble – ​Read More

Security Training Lab: Educational Program for Universities

At ANY.RUN, we’ve spent over 8 years tackling cybersecurity industry challenges. We built an interactive sandbox and Threat Intelligence Lookup to streamline malware analysis and investigations for hundreds of thousands of professionals worldwide.

Now, we’re launching Security Training Lab to address another critical need: equipping future cybersecurity professionals with the skills they need to succeed. 

What is Security Training Lab 

Cyber threats evolve at a rapid pace, making it tough for universities to keep their cybersecurity programs current. Security Training Lab empowers universities to tackle this problem by bridging the gap between theory and practice in cybersecurity education.  

The program provides instructors with the tools and resources they need to train students on actual threats, ensuring they graduate with the skills and knowledge to be effective cybersecurity professionals. 

Recognizing the value of hands-on experience, our program offers real-world threat simulations and labs using ANY.RUN’s interactive malware sandbox. This gives both teachers and students a safe place to analyze and study actual cyber threats. 

By working with real samples of malware and phishing attacks, students will get valuable practical experience in identifying and understanding different types of attacks. The hands-on training will help them develop the skills to detect, investigate, and respond to real-world cyber threats, making them more confident in their abilities. 

Learn more about Security Training Lab
and get a quote for your university 



Request a quote


Key advantages of Security Training Lab 

30 Hours of Academic Content: Includes written materials, video lectures, interactive tasks, and tests to provide a well-rounded learning experience. 

Access to ANY.RUN Sandbox: Teacher and team licenses for students, ensuring everyone has access to the necessary tools and resources. 

Practical Learning: Through real-world threat samples and labs, students gain hands-on experience in analyzing and mitigating cyber threats. 

Easy-to-Use Management Platform: A dedicated platform, powered by Seturon, for monitoring student progress, making it simple for educators to track performance and outcomes. 

Private Discord Community: A vibrant community for students with tips, lifehacks, and the latest news in cybersecurity, fostering collaboration and knowledge sharing. 

On-Demand Integration: Seamless integration with popular Learning Management Systems (LMS), making it easy to incorporate the program into existing curricula. 

What Security Training Lab includes 

The program is structured into ten modules, each focusing on a critical aspect of malware analysis.

Module

Description

Introduction

Gain basic knowledge about different types of analysis and malware, which is crucial for understanding subsequent analysis methods. You will also learn how to use ANY.RUN and other key tools.

Static Analysis

Study the structure of PE files, strings, hashes, and other static characteristics without executing the file. This includes analysis of WinAPI functions and use of tools for static analysis.

Encryption Algorithms

Learn about the encryption methods used by malware to hide its data and actions. It includes the study of algorithms such as RC4, XOR, AES, RSA, and others.

Advanced Static Analysis

Explore in-depth static analysis, including assembly language, advanced tools, and the programming languages commonly used in malware.

Malware Capabilities

Examine various tactics and techniques that malware uses to conceal its presence, steal data, and protect itself from analysis.

Dynamic Analysis

Observe the behavior of malware in real-time using dynamic analysis tools.

Advanced Dynamic Analysis

Learn to analyze malware behavior, including with the use of debuggers and other advanced tools to monitor code execution.

Script Analysis

Study malicious scripts, their obfuscation methods, and analysis.

Analysis of Office Files

Discover methods for analyzing malicious macros and other threats contained in office files.

Terms and Explanations

The final module, containing explanations of terms and concepts used in the course.

Benefits for universities 

Close the expertise gap 

Leverage the expertise of our malware analysts via a comprehensive cybersecurity course. Our program allows universities to deliver a modern curriculum that meets industry standards without the burden of recruiting specialized faculty. 

Improve training 

Provide hands-on experiences that make your cybersecurity program engaging and relevant. Real-world simulations and labs help students apply theory in practice, enhancing their learning and preparing them to handle actual threats. 

Manage the course with ease 

Use our dedicated platform to monitor student performance to simplify administrative tasks and gain clear insights into each student’s progress. The platform provides tools for tracking assignments, assessing learning outcomes, and identifying areas where students may need additional support. 

Benefits for students 

Develop in-demand skills 

The program offers the critical skills employers are looking for, making you more competitive in the job market. By mastering the latest techniques and tools in malware analysis, you’ll be well-prepared to tackle real-world cybersecurity challenges. 

Gain practical experience 

Working with actual examples of cyber threats helps you understand the complexity and diversity of attacks. The practical experience is invaluable for developing the skills needed to detect, investigate, and neutralize cyber threats effectively. 

Receive a certificate and a discount 

Upon completion, students will receive a LinkedIn certificate. We will also provide exclusive student discounts for course graduates. 

Join community 

Connect and collaborate with peers in our private Discord community. Participate in a supportive environment where you can share knowledge, ask questions, and learn from others. 

Integrate Security Training Lab 

Interested in bringing Security Training Lab to your educational institution?  

Send us a message and our team will get in touch to discuss your specific needs and provide a customized quote. 

Get a quote for your academic institution

The post Security Training Lab: Educational Program <br>for Universities appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC)

Key takeaways


Cyble Research and Intelligence Labs (CRIL) has detected a phishing site masquerading as a CapCut download page. The site aims to trick users into downloading malicious software.

Threat actors (TAs) have leveraged a reputation-hijacking technique by embedding a legitimate CapCut-signed application within the malicious downloaded package, exploiting the trustworthiness of well-known apps to bypass security systems.

This campaign utilizes a recently demonstrated proof-of-concept (PoC) that repurposes the JamPlus build utility to execute malicious scripts while evading detection.

The attack unfolds in multiple stages, employing a mix of legitimate tools, fileless methods, and reputed code repositories such as GitHub to seem legitimate and effectively circumvent traditional security measures.

This campaign’s final payload is a variant of NodeStealer, designed to capture sensitive user information and exfiltrate it through a Telegram channel.

Overview

CapCut, a video editing tool developed by Bytedance, has become increasingly popular. This popularity has extended to CapCut-themed attacks, which are on the rise among TAs. These themes have been frequently used in phishing campaigns. Cyble Research & Intelligence Labs (CRIL) previously identified several phishing websites impersonating the CapCut video editor, and we have discussed these findings in our earlier blog posts. Our latest research discovers a new CapCut-themed campaign deploying stealers such as NodeStealer.

Additionally, TAs have adopted a recently identified technique of reputation hijacking with the JamPlus build utility to deliver final payloads to victims’ systems. This new tactic highlights an evolving trend in attack strategies aimed at bypassing security controls and increasing the success rate of malicious campaigns.

The initial infection occurs when a user downloads a malicious package from a CapCut phishing site. The package contains a legitimate CapCut application, JamPlus build utility, and a malicious”.lua” script. When the user runs the legitimate CapCut application, it triggers the JamPlus build utility, which then executes a malicious “.lua” script. This process utilizes reputation hijacking to mask the execution of the malicious script. This script then downloads a batch file that subsequently fetches and executes the final payload from a remote server. The TAs aim to maintain fileless payloads wherever possible.

This multi-stage process ultimately deploys a stealer payload that resembles NodeStealer. The image below provides an overview of the infection chain.

Technical Details

In this campaign, TAs trick users into downloading a malicious package disguised as a CapCut installer from a phishing site, as shown below.

When the user clicks the “Download” button on the phishing site, it initiates the download of an archive named “CapCut_{random number}_Installer” from the URL: “hxxps://www[.]dropbox[.]com/scl/fi/6se0kgmo7sbngtdf8r11x/CapCut_7376550521366298640_installer.zip?rlkey=7fxladl3fdhpne6p7buz48kcl&st=pzxtrcqc&dl=1”.


 

Upon extracting the downloaded archive, the user encounters what appears to be a CapCut installer; however, it is a legitimate CapCut application rather than an installer, as shown in Figure 3. The package also includes hidden files intended for malicious activities.

After revealing the hidden files, we discovered that the package contains the JamPlus build utility and a malicious “.lua” script, as shown below.

By default, launching the CapCut shortcut from the desktop runs the CapCut application located at “C:Users<User_Name>AppDataLocalCapCutAppscapcut.exe”. This “capcut.exe” file identifies the latest CapCut application version and then executes the appropriate application from the corresponding folder, as shown below.

In this campaign, TA leveraged this technique by trying to execute a renamed JamPlus build utility instead of the actual CapCut application, as shown below.

In our tests, the JamPlus utility was not executed because the file did not have the expected name, “capcut.exe,” indicating a possible error by the TA in naming the file. However, renaming the file to “capcut.exe” successfully triggers the execution of the JamPlus Build utility.

Upon successful execution, the builder reads instructions from a “. jam” file, which is configured to identify the malicious “.lua” script, as shown below.

After identifying the malicious “.lua” script, the JamPlus build utility loads the “.lua” script file, which executes a shell command, as shown in the figure below. This command employs “curl” to silently download a batch file from a remote server and save it as “C:UsersPublicsteal.bat.” It then executes the downloaded batch file.

This approach demonstrates how TAs utilized a legitimate CapCut application with JamPlus build utility to evade Smart App Control and avoid triggering security alerts.

The batch file contains multiple PowerShell commands that perform the following actions:

1. Downloads a file named “WindowSafety.bat” from a remote URL “hxxps://raw[.]githubusercontent.com/LoneNone1807/batman/main/startup” and saves it in the startup folder, ensuring it runs automatically at the next system startup.

2. Downloads a ZIP file named “Document.zip” from another remote URL “hxxps://github[.]com/LoneNone1807/batman/raw/main/Document.zip” and saves it in the public directory (C:UsersPublicDocument.zip).

3. Extracts the contents of “Document.zip” into a folder named “Document” within the public directory (“C:UsersPublicDocument”).

4. Finally, the batch script executes a Python script named “sim.py”, located in the extracted folder.

The image below shows the contents of the Python script.

The newly launched Python script retrieves base64-encoded data from a new remote server, as highlighted in the above image, decodes it, and executes the resulting payload directly in memory without saving it to disk. This payload is a Python-based information-stealing malware identified as NodeStealer.

NodeStealer

NodeStealer is a sophisticated malware that targets a wide range of sensitive data on a victim’s machine. It steals login credentials, cookies, credit card details, and autofill data from both Chromium-based and Gecko-based web browsers. Additionally, it extracts information from Facebook Ads Manager, Facebook Business accounts, and Facebook API graph pages. NodeStealer also targets browser extensions, including crypto wallets, password managers, VPNs, and gaming applications. All the collected information is then exfiltrated to the TAs via Telegram. This attack has been attributed to a threat actor operating from Vietnam.

Broader pattern of attacks

We have also identified another campaign where TAs used similar techniques to deliver RedLine Stealer. In this campaign, they employed a legitimately signed Postman application in conjunction with the JamPlus build utility. The image below shows that the malicious package includes the Postman application.

Conclusion

The successful hijacking of reputable applications and the JamPlus build utility illustrates a sophisticated method for bypassing Smart App Control without triggering security alerts. This approach significantly elevates the complexity and effectiveness of cyberattacks, complicating detection and defense efforts. The deployment of NodeStealer, which targets sensitive information from the victim’s system, highlights the growing concerns and difficulties within the cybersecurity landscape.

Recommendations


Before accessing or downloading from any site, it is essential to diligently verify the URLs.

Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.

Implement comprehensive monitoring and logging to detect unusual activities associated with reputable applications.

Employ application whitelisting to ensure that only approved applications can run on systems. This helps prevent unauthorized applications from executing.

Stay updated with the latest threat intelligence and cybersecurity trends to understand new tactics and techniques used by attackers. This knowledge helps in adapting defense strategies accordingly.

Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Tactic 
Technique ID 
Technique Name 

Initial Access (TA0027)
Phishing (T1660)
Malware distribution via phishing site

Execution  (TA0002
User Execution (T1204)
The user needs to manually execute the file downloaded from the phishing site. 

Execution (TA0002)
Python (T1059.006)  
Python stealer is used for targeting Windows users 

Defense  Evasion  (TA0005)
Masquerading (T1036.008)
Downloads file disguised as a legitimate application.

Credential Access (TA0006)
Steal Web Session Cookie (T1539
Steals browser cookies 

Collection (TA0009)
Archive Collected Data 
(T1560
Stealer compresses the stolen data with  
ZIP extension.

Exfiltration(TA0010)
Exfiltration Over Web Service (T1567)
Uses Telegram channel to exfiltrate data

Indicators of Compromise (IOCs)

Indicators  
Indicator  
Type  
Description  

8e6bbe8ac1ecdd230a4dcafa981ff00663fae06f7b85b117a87917b6f04f894f
SHA256
CapCut_7376550521366298640_installer.zip

4e213bd0a127f1bb24c4c0d971c2727097b04eed9c6e62a57110d168ccc3ba10
SHA256
JamPlus Builder – POC file

56d3ba2b661e8d8dfe38bcef275547546b476c35d18aa4ec89eea73c2e2aeb7c
SHA256
Python Stealer

hxxps://raw[.]githubusercontent[.]com/LoneNone1807/batman/main/steal[.]bat
URL
Remote server

hxxps://cap-cutdownload[.]com/
URL
Phishing site

169f7d182f7838b75737c23e1b08c4b6b303d2d6a1cb73cdb87bd9644878a027
SHA256
Copyright-infringement-images.zip

References

https://www.netskope.com/blog/new-python-nodestealer-goes-beyond-facebook-credentials-now-stealing-all-browser-cookies-and-login-credentials

https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+Redline/31204

https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business

https://www.elastic.co/security-labs/dismantling-smart-app-control

The post Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC) appeared first on Cyble.

Blog – Cyble – ​Read More

Understanding Threat Intelligence Benefits for a Business

Editor’s Note: This is an edited version of an article originally posted in October 2023. It has been updated with some new information about ANY.RUN’s threat intelligence products.

As a business owner, you’ve likely invested in a range of security tools like SIEMs, antivirus software, and IDS/IPS systems to safeguard your operations.  

You might even have a dedicated cybersecurity team that monitors your systems and responds to incidents such as a SOC (Security Operations Center) or a DFIR (Digital Forensics and Incident Response) team. 

But here’s the question: Are your teams equipped to go beyond simply reacting to cybersecurity incidents? If your company underutilizes threat intelligence, chances are they’re not. 

Understanding the role of Cyber Threat Intelligence  

Cyber threat intelligence involves collecting, analyzing, and interpreting data on potential or current cybersecurity threats. It plays an important role in helping organizations detect and prevent cyberattacks by offering insights into adversaries’ tactics, techniques, and procedures (TTPs).  

CTI spans a wide range of activities, from identifying malware variants to monitoring trends in cybercrime, and it involves the use of specialized tools to protect against evolving threats. 

Types of threat intelligence tools 

Category 

Primary Use Cases 

Primary Consumers 

Threat Intelligence Feeds 

Expand threat coverage of your security systems like SIEMs, firewalls, and IPS/IDS with the latest IOCs. 

1. SOC Team 

2 Incident Response Team 

Threat Intelligence Lookup

Provide linked, contextual data around indicators, allowing to query databases for known IOCs such as malicious IPs, URLs, or file hashes. 

1. SOC Team 
2. Threat Analysts 

Sandboxing Solutions 

Analyze suspicious files or URLs in isolated environments to understand their behavior and impact. 

1. SOC Team

2. Threat Analysts

Aggregation Platforms 

Enable to combine multiple threat feeds for analysis and correlation, enhancing decision-making during an incident. 

1. SOC Team 
2. Threat Intelligence Analysts 

 Threat Sharing Platforms 

Facilitate the sharing of structured threat information within a community or organization. 

1. Threat Intelligence Team 
2. SOC Team 

Keep in mind that internal organizational structures differ among companies. Your team names and responsibilities may vary, but the table above should give you a solid understanding of who typically uses which threat intelligence tools and for what purpose. 

Read more about cyber threat intelligence definition

Integrate ANY.RUN’s threat intelligence solutions in your company 



Contact us


What happens in teams that don’t have threat intelligence 

Without threat intelligence tools, your teams are essentially flying blind. Consider a situation where a suspicious artifact shows up in your system logs, like an unfamiliar IP address. How does the SOC team immediately identify what this IP means and how to address it effectively? 

In short, without threat intelligence, they can’t. 

Manual research will be needed instead, requiring the team to pull data from various open-source sources to understand the threat. This process takes time, and time is something you can’t afford to lose during an active attack. 

One of the primary goals of threat intelligence is to provide context for artifacts and indicators. Linking an IOC to a specific threat and then to TTPs helps the team understand the exact steps needed to counter the threat. 

ANY.RUN’s Threat Intelligence Lookup changes that by delivering real-time contextual data, allowing your teams to link IOCs to threats and threat actor tactics, techniques, and procedures (TTPs) quickly and effectively. Instead of sifting through disparate sources, teams can get actionable insights instantly. 

Threat Intelligence Benefits for a Business 

But the benefits don’t stop there. Here are 7 more reasons why threat intelligence is crucial for a strong security posture:

1. Reducing the risk of successful cyberattack 

Reducing attack risk is a key advantage of threat intelligence. Your SOC team can use real-time threat feeds to get ahead of new threats and deepen their knowledge of TTPs and IOCs. 

The data helps in proactively adjusting firewall rules, IDS/IPS signatures, and other security measures, making your defenses stronger. At the same time, the incident response team gains valuable context about attacks, speeding up containment and removal. 

2. Preventing Financial Loss 

According to IBM, the average cost of a data breach in 2023 is $4.45 million. Finding and containing a breach usually takes months, making prevention a top priority. 

Threat intelligence helps your SOC team spot phishing campaigns, fraud attempts, and data exfiltration risks. This protects both financial assets and customer data. By doing this, you avoid expensive breaches, regulatory fines, and the erosion of customer trust that financial setbacks bring. 

3. Improving security operations and detection accuracy 

Alert fatigue happens when too many alerts overwhelm security specialists, causing them to miss genuine threats. This is often due to frequent false positives and lack of prioritization. 

Threat intelligence allows SOC analysts to sort alerts by relevance and risk. They can zero in on high-fidelity alerts that truly matter, cutting down on the noise from low-level threats. This focus lets the team fine-tune IDS/IPS signatures and craft better correlation rules for SIEM systems. The result is a more efficient SOC, with fewer false positives and faster threat identification. 

4. Managing vulnerability more accurately 

Your vulnerability management team can use threat intelligence to smartly prioritize patches. Instead of wasting time on low-risk vulnerabilities, they can focus on those actively targeted or with known exploits. 

Threat intelligence also guides the creation and updating of secure configuration baselines. This data-driven strategy ensures you’re actually shrinking your attack surface, not just ticking boxes. 

5. Refining risk analysis  

Your risk management team can enhance their risk assessments by incorporating threat intelligence. This gives them a real-time, nuanced view of threats, beyond just historical data or industry benchmarks. They can factor in current events like emerging APTs or zero-days to better gauge risk impact and attack likelihood. 

This alignment with the current threat landscape improves decision-making for resource allocation, policy setting, and incident response planning. 

6. Improving threat hunting capabilities 

Threat intelligence provides crucial insights into the tactics, techniques, and procedures (TTPs) used by attackers, allowing threat hunters to be more proactive. By understanding  

these methods, your security teams can actively seek out potential threats before they escalate into full-blown incidents. This proactive approach enables faster detection of anomalous behaviors, reducing the time an adversary can stay in your network undetected. 

7. Learning from real-world examples 

TI Lookup allows teams to learn more about threat behavior by instantly accessing real-world dynamic analysis. This gives your business access to up-to-date examples of how threats operate, helping security teams better understand malware behavior and strengthen their defenses accordingly. 

How Threat Intelligence Lookup Enhances Your Company’s Defense 

Threat Intelligence Lookup services, like ANY.RUN’s TI Lookup, provide a powerful way to connect the dots between seemingly unrelated indicators of compromise. This service will help your team gain a clearer understanding of cybersecurity threats, leading to faster and more informed responses. 

Learn how ANY.RUN can help take your security posture
to the next level 



Contact us


Here’s why you need to implement Threat intelligence lookup tools into your company’s cybersecurity activities: 

Instant context: TI Lookup quickly links important indicators, like IP addresses and file hashes, to known cyber threats, enabling your security team to respond faster to emerging dangers. This saves valuable time and minimizes the risk of costly incidents.

TI Lookup search in ANY.RUN

Advanced OS artifacts: ANY.RUN’s TI Lookup goes beyond surface-level IOCs, providing detailed visibility into OS artifacts, including command lines, registry changes, and mutexes. These insights equip your business with the deeper information needed to investigate complex security threats effectively. 

Malware detection with YARA search: By applying YARA rules, TI Lookup can help your team detect malware variants based on file content, making it easier to identify similar malicious samples in your infrastructure. 

Yara Search in TI Lookup

Suricata network protection: TI Lookup integrates Suricata detection rules to track network-based threats, identifying malicious traffic patterns that could otherwise go unnoticed. This means, your business is shielded from cyberattacks using the latest network defense strategies. 

Suricata rules in TI Lookup

Real-world threat intelligence: Data from live, interactive sessions in TI Lookup ensures that your security team deals with up-to-date, actionable intelligence. This leads to more informed decision-making and quicker mitigation of ongoing threats. 

C2 locations lookup: ANY.RUN’s geolocation feature allows users to track and visualize Command and Control (C2) server origins on a live map. By identifying malware families associated with these C2 servers and accessing relevant analysis sessions, your team can filter results based on geography or malware type, making it easier to understand and counter threats targeting your organization. 

Malware popularity tracking: ANY.RUN’s malware family tracking feature provides real-time insights into trending malware. You can monitor shifts in malware popularity, easily extract fresh IOCs, and analyze which regions are most affected by specific threats, helping adjust defenses accordingly. 

Malware family popularity tracking in TI Lookup

Wrapping up

As you can see, threat intelligence offers multiple business benefits. To sum up, it: 

Lowers the chance of successful attacks 

Helps prevent or cut down financial losses 

Boosts the efficiency and accuracy of security operations 

Enables precise vulnerability management 

Enhances risk analysis 

Interested in expanding your threat coverage? 

Right now, you can integrate ANY.RUN’s Threat Feeds to receive the latest IOCs directly from ANY.RUN’s sandbox. They are pre-processed and filtered for false positives.

You can also utilize Threat Intelligence Lookup to speed up your investigations by contextualizing your alerts or artifacts with more information on the malware family and its TTPs, extra IOCs, samples, etc. from our large repository of threat data.

Contact sales to get a 14-day free trial and discover how you can strengthen your company’s cybersecurity today. 

Contact sales → 

 Stay tuned for more exciting updates!   

The post Understanding Threat Intelligence Benefits for a Business appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More