CISA Reveals Draft Update to National Cyber Incident Response Plan for Public Feedback

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has published the draft update to the National Cyber Incident Response Plan (NCIRP) for public comment on the Federal Register. Developed through collaboration with the Joint Cyber Defense Collaborative (JCDC) and in close coordination with the Office of the National Cyber Director (ONCD), this update addresses new changes in cybersecurity and incorporates significant changes in policy, law, and operational processes since the plan’s initial release in 2016.

The NCIRP serves as the strategic framework guiding the U.S. response to cyber incidents. It aligns efforts across government agencies, private sector entities, state and local governments, tribal and territorial authorities, and international partners. The plan outlines four critical lines of effort (LOEs) to ensure a cohesive and coordinated approach to incident response: Asset Response, Threat Response, Intelligence Support, and Affected Entity Response. These efforts aim to manage cyber incidents of varying severity and ensure timely actions during the response lifecycle.

The release of this draft update marks an important step in enhancing the nation’s ability to respond effectively to the growing complexity and sophistication of cyber threats. CISA has worked closely with government and industry partners to create an agile, actionable framework that keeps pace with the rapid evolution of those threats.

Key Updates to the National Cyber Incident Response Plan

Several critical updates have been introduced in this draft version of the NCIRP, which are designed to improve coordination and responsiveness during cyber incidents. These changes include:

  1. Defined Path for Non-Federal Stakeholder Participation: This update clarifies the process by which non-federal stakeholders, including private sector entities, can participate in cyber incident response efforts. Given the growing role of the private sector in cybersecurity, this path ensures more comprehensive engagement in the event of a major cyber incident.
  2. Improved Usability: The plan has been streamlined to enhance its usability. The updated version aligns with the operational lifecycle of incident response, making it more straightforward for agencies and organizations to implement during real-world incidents.
  3. Incorporation of Legal and Policy Changes: The draft incorporates the latest legal and policy developments impacting the roles and responsibilities of agencies involved in cyber incident response. These updates ensure that the plan is in line with current regulatory frameworks and legal requirements.
  4. Predictable Update Cycle: The NCIRP will now undergo regular updates, ensuring that it remains relevant as the threat landscape evolves. The predictable cycle will allow for continual refinement based on feedback, emerging threats, and changing technological realities.

In her statement on the publication of the draft update, CISA Director Jen Easterly emphasized the necessity of a seamless, agile, and effective incident response framework. She noted that “Today’s increasingly complex threat environment demands that we have a seamless, agile, and effective incident response framework” and encouraged public comment to refine the document further.

Overview of the National Cyber Incident Response Plan

The NCIRP is an important guide for coordinating responses to cyber incidents that could affect national security, the economy, or public health. The plan was initially published in 2016 and is an essential component of the U.S. government’s broader cybersecurity strategy. The 2023 National Cybersecurity Strategy called for the update to reflect new cyber threats, organizational changes, and policy shifts.

The NCIRP is not a step-by-step guide but rather a flexible framework for coordinating efforts during a cyber incident. It defines the roles and responsibilities of various stakeholders, including federal agencies, state, local, tribal, and territorial (SLTT) governments, private sector entities, and civil society organizations. By laying out these roles and mechanisms, the NCIRP fosters coordinated action across sectors and jurisdictions, ensuring that resources are deployed effectively during a crisis.

Four Lines of Effort for Cyber Incident Response

The NCIRP outlines four primary lines of effort that guide the U.S. government’s response to cyber incidents. These are:

  • Asset Response: Led by CISA, this effort focuses on helping affected entities protect their assets and mitigate the impacts of a cyber incident. It includes providing technical assistance to organizations and supporting them in securing critical infrastructure.
  • Threat Response: The Department of Justice (DOJ), the FBI, and the National Cyber Investigative Joint Task Force (NCIJTF) are responsible for leading efforts to neutralize cyber threats and track down cybercriminals. The FBI, in particular, plays a central role in law enforcement response and investigations.
  • Intelligence Support: The Office of the Director of National Intelligence (ODNI), through the Cyber Threat Intelligence Integration Center (CTIIC), provides essential intelligence to guide response efforts. This line of effort helps ensure that the U.S. government has the latest information on adversary tactics, techniques, and procedures (TTPs).
  • Affected Entity Response: In cases where a federal agency or private sector organization is directly impacted, it is responsible for leading its own response, though it coordinates with CISA, the Department of Defense (DOD), or other federal partners as needed. This effort is vital for managing the operational continuity of affected entities.

These lines of effort are managed through structured coordination bodies such as the Cyber Unified Coordination Group (Cyber UCG), which brings together stakeholders from across the government and the private sector to ensure unified, cohesive action. The Cyber Response Group (CRG) focuses on broader policy and strategic coordination, ensuring alignment with national cybersecurity priorities.

The Detection and Response Phases

Cyber incident response is broken down into two main phases: Detection and Response.

  1. Detection: This phase involves continuous monitoring, analysis, and engagement with critical infrastructure owners to validate whether an incident is significant enough to require a full-scale response. Detection includes analyzing anomalies, working with the cybersecurity community, and validating the severity of the incident.
  2. Response: Once an incident has been confirmed as significant, the response phase begins. This phase focuses on containment, eradication, and recovery, as well as supporting law enforcement in their efforts to attribute and hold perpetrators accountable. The response efforts also include supporting affected entities as they recover and restore services.

In both phases, the roles of federal agencies, SLTT governments, and private sector entities are critical. The JCDC plays a central role in coordinating public-private collaboration, ensuring that both sectors are aligned in their efforts to defend against and recover from cyber incidents.

Conclusion

The updated National Cyber Incident Response Plan (NCIRP) emphasizes continuous improvement and collaboration. After an incident, the Cyber Response Group (CRG) reviews the response and prepares a report, which helps refine future efforts. The Cyber Safety Review Board also provides independent recommendations to strengthen cybersecurity.

CISA is committed to regularly updating the NCIRP, incorporating feedback from the public and private sectors, and adapting to new threats and technologies. The Joint Cyber Defense Collaborative (JCDC) plays a key role in ensuring coordinated efforts. The updated NCIRP aims to strengthen national preparedness and ensure effective response to future cyber incidents.

The post CISA Reveals Draft Update to National Cyber Incident Response Plan for Public Feedback appeared first on Cyble.


Mamont banker under the guise of a tracking app | Kaspersky official blog

We’ve discovered a new distribution scheme for the Mamont (Russian for mammoth) banking Trojan. Scammers promise to deliver a certain product at wholesale prices that may appeal to small businesses as well as private buyers, and offer to install an Android application to track the package. However, instead of a tracking utility, the victim installs a Trojan that can steal banking credentials, push notifications, and other financial information.

Scheme details

The attackers claim to sell various products at fairly attractive prices via a number of websites. To make a purchase, the victim is asked to join a private Telegram messenger chat, where instructions for placing an order are posted. In essence, these instructions boil down to the victim needing to write a private message to the manager. The channel itself exists to make the scheme look more convincing: participants of this chat ask clarifying questions, receive answers, and comment on things. The chat probably contains both other victims of the same scheme and bots that create the appearance of active trading.

The scheme is made more credible by the fact that the scammers don’t require any prepayment — the victim gets the impression that they’re not risking anything by placing an order. But some time after talking to the manager and placing an order, the victim receives a message that the order has been sent, and its delivery can be tracked using a special application. A link to the .apk file and the tracking number of the shipment are included. The message additionally emphasizes that to pay for the order after receiving it, you must enter a tracking number and wait while the order is loading (which can take more than 30 minutes).

The link leads to a malicious site that offers to download a tracker for the sent parcel. In fact, it’s not a tracker, but the Mamont banking malware for Android. When installed, the “tracker” requests permission to operate in the background, as well as work with push notifications, SMS and calls. The victim is required to enter a code, supposedly for tracking the parcel, and wait.

What is this malware and why is it dangerous?

In fact, after the victim enters the received “track code”, which is apparently used as the victim’s identifier, the Trojan begins to intercept all push notifications received by the device (for example, confirmation codes for banking transactions) and forward them to the attackers’ server. At the same time, Mamont establishes a connection with the attackers’ server and waits for additional commands. Upon command, it can:

  • change the application icon to a transparent one to hide it from the victim;
  • forward all incoming SMS messages of the last three days to the attackers;
  • open an interface for uploading a photo from the phone’s gallery to the attackers’ server;
  • send an SMS to an arbitrary number.

In addition, the attackers can show the victim arbitrary text with boxes for entering additional information — this way they can manipulate the victim to submit additional credentials, or simply collect more information for further attacks using social engineering (for example, for threatening letters from regulators or law enforcement agencies). They probably steal photos from the gallery for the same purpose. This is especially dangerous if the victim is a small business owner: they often use their phone camera to quickly take photos of business information.

Our security solutions detect the malware distributed during this attack as Trojan-Banker.AndroidOS.Mamont.*. A more detailed technical description of the malware, as well as indicators of compromise, can be found in the dedicated Securelist blog post.
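The behaviour described above (a supposed parcel tracker that asks for background execution, notification access, SMS and call permissions) is the kind of mismatch between declared purpose and requested capability that an analyst can check for before an APK is ever run. The following triage script is an added example and is not Kaspersky’s code or a detection signature for Mamont; it parses an AndroidManifest.xml (the two manifests embedded below are constructed) and flags a package whose permission set does not fit a tracking app. The permission and service names are real Android identifiers; the capability buckets and the "two or more suspicious capabilities" threshold are this example’s own heuristic.

```python
"""Manifest triage heuristic for sideloaded Android packages.

Flags a package that requests the capability combination described above:
SMS access, call access, background execution and a notification listener.
Added example with constructed manifests; not a vendor signature.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability buckets built from real Android permission names.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
              "android.permission.READ_PHONE_STATE"},
    "background": {"android.permission.FOREGROUND_SERVICE",
                   "android.permission.RECEIVE_BOOT_COMPLETED",
                   "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}
# A service guarded by this permission receives every notification on the device.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed manifest of a package that looks like the "tracker" in the post.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Parcel Tracker">
    <service android:name=".NotifyService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of a tracker that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Parcel Tracker"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """All android:name values of <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}
    return {n for n in names if n}


def declares_notification_listener(manifest_xml):
    """True if any <service> is protected by the notification-listener permission."""
    root = ET.fromstring(manifest_xml)
    return any(s.get(f"{{{ANDROID_NS}}}permission") == NOTIFICATION_LISTENER
               for s in root.iter("service"))


def capabilities(manifest_xml):
    """Capability buckets the package would gain if every permission is granted."""
    perms = requested_permissions(manifest_xml)
    caps = {bucket for bucket, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if declares_notification_listener(manifest_xml):
        caps.add("notifications")
    return caps


def triage(manifest_xml):
    """A parcel tracker has no reason to read SMS, calls or notifications.
    Two or more such capabilities send the package to manual review."""
    caps = capabilities(manifest_xml)
    suspicious = caps & {"sms", "calls", "notifications"}
    return {
        "capabilities": sorted(caps),
        "suspicious": sorted(suspicious),
        "verdict": "review" if len(suspicious) >= 2 else "ok",
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The check is deliberately coarse: it reads only the manifest, so it says nothing about what the code does with the permissions, and a legitimate messaging app would also trip it. Its value is as a cheap first filter on anything installed outside an official store.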

Targets of this scheme

This campaign is aimed exclusively at Russia-based users of Android smartphones. The attackers emphasize this and refuse to “deliver goods” anywhere else. However, cybercriminals’ tools often become freely available on the darknet, so it’s impossible to guarantee that users from other countries are immune to this threat.

How to stay safe

We recommend following simple safety rules to avoid infecting your smartphone with this (or any other) malware. This is especially true if the phone is used not only for personal needs, but also for business. Here are these simple safety rules:

  • be skeptical of especially favorable offers of goods and services on the internet (if the price is significantly lower than the usual market price, the seller is benefiting in some other way);
  • do not run .apk files obtained from unknown sources – they should be installed from official stores or from the official resource of a specific service;
  • use a reliable security solution, which will prevent malware from being installed on your device and block malicious links.


What’s Inside ANY.RUN’s Cyber Threat Intelligence Feeds?

ANY.RUN’s Threat Intelligence (TI) feeds provide an invaluable solution for organizations seeking to detect and mitigate the latest malware and phishing campaigns, attacks, and cybercriminal tactics.

But what exactly is inside these feeds, and how can they help companies strengthen their cybersecurity?

Let’s dive into the details.

What Are ANY.RUN’s Threat Intelligence Feeds?

ANY.RUN’s Threat Intelligence (TI) feeds are a comprehensive collection of Indicators of Compromise (IOCs) that can expand security systems’ threat detection capabilities. These feeds don’t just give you the basics; they go deep, providing malicious IPs, URLs, domains, file hashes, and even links to the actual analysis sessions, showing you how threats behave.

Where does this data come from? An international community of over 500,000 researchers and cybersecurity pros who upload and analyze real-world malware and phishing samples every day to ANY.RUN’s Public submissions repository.

With TI Feeds from ANY.RUN, organizations can:

  • Expand Threat Coverage: Extend your security systems’ ability to detect emerging malware and phishing attacks. 
  • Improve Incident Response: Enrich incident response processes with contextual data from the feeds, providing deeper insights into threats and their behaviors. 
  • Strengthen Security Posture: Ensure proactive defense against new and evolving threats. 
  • Optimize Threat Hunting: Streamline threat hunting activities, identifying and investigating potential threats more efficiently. 

Key Features of ANY.RUN’s CTI Feeds

Here’s what makes ANY.RUN’s CTI feeds valuable for cybersecurity teams:

  • Fresh Data: Contain data extracted from the latest public samples uploaded to our interactive sandbox by a global network of over 500,000 security professionals. 
  • Actionable Indicators: Supply indicators from decompressed traffic, memory dumps, and malware configurations along with those manually collected by our team of malware analysts, as well as data from partners and OSINT sources. 
  • Contextual Information: Offer more than just IOCs by providing direct links to full sandbox analysis sessions that include memory dumps, network traffic, and events. 
  • Rigorous Pre-Processing: Use advanced algorithms and proprietary technology for data filtering and validation. 
  • Continuous Updates: Updated every few hours, helping security teams stay ahead of emerging threats and respond quickly to new threats. 
  • STIX and MISP Formats: Deliver threat intelligence feeds in the STIX and MISP formats, making it easy for security teams to integrate our data into their existing infrastructure. 
  • API Support: Integrate into existing security systems via API for real-time threat updates and automated responses. 

What’s Inside ANY.RUN’s CTI Feeds?

The IOCs include information on malicious IP addresses, domain names, and URLs, enriched with contextual details such as related files and ports. Here’s a closer look at what’s inside:

IP addresses

IP addresses are important for detecting and preventing malicious network activity. They serve as digital markers of cybercriminal operations, often linked to Command-and-Control (C2) servers or phishing campaigns.

By analyzing IP addresses, cybersecurity teams can:

  • Identify malicious sources: Pinpoint harmful traffic and proactively block it.
  • Trace attack origins: Gain insights into the geolocation and tactics of attackers.
  • Monitor threat patterns: Detect repeated use of IPs across campaigns.
  • Enhance network security: Use IP-based firewalls and intrusion prevention systems (IPS) to block unwanted traffic.

Example:

    - type: ipv4-addr
      id: ipv4-addr--75725b48-17a3-575d-a5de-b5d9798bde8d
      value: 103.168.67.9
      created: '2024-06-13T06:26:00.704Z'
      modified: '2024-06-13T06:26:00.704Z'
      external_references:
        - source_name: ANY.RUN task 11ce507f-d535-4bf1-8973-989d7654017a
          url: https://app.any.run/tasks/11ce507f-d535-4bf1-8973-989d7654017a
      labels:
        - RedLine
      related_objects:
        - relationship_type: contains
          source_ref: ipv4-addr--75725b48-17a3-575d-a5de-b5d9798bde8d
          target_ref: file--49ef9153-94eb-5d05-bac2-19a54738afab
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 90
      revoked: false

ANY.RUN’s TI feeds don’t just list malicious IPs. They provide detailed context that turns raw data into actionable insights for cybersecurity teams. This enriched information helps assess the behavior and impact of each IP. Here’s what’s usually included:

  • External references: Links to relevant sandbox sessions.
  • Label: Name of the malware family or campaign.
  • Detection timestamps: “Created” and “Modified” dates provide a timeline to understand if a threat is ongoing or historical.
  • Related objects: IDs of files and network indicators related to the object in question.
  • Score: Value representing the severity level of the IOC.
  • Revoked: Field indicating whether the IOC has been invalidated.

Domains

Domains play a crucial role in hosting malicious content, phishing campaigns, and distributing malware. They are often used as staging points for cyberattacks, making them a key focus for threat detection and mitigation.

ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes.

Example:

    - type: domain-name
      id: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
      value: mail.sdil.ac.ir
      created: '2024-06-10T21:13:17.465Z'
      modified: '2024-06-17T13:37:53.620Z'
      external_references:
        - source_name: ANY.RUN task 64e1d470-dcd4-4d78-b1f0-aa4d9bd6f225
          url: https://app.any.run/tasks/64e1d470-dcd4-4d78-b1f0-aa4d9bd6f225
        - source_name: ANY.RUN task 090c21da-a050-4f88-bb09-1bae142df1cb
          url: https://app.any.run/tasks/090c21da-a050-4f88-bb09-1bae142df1cb
      labels:
        - AgentTesla
      related_objects:
        - relationship_type: contains
          source_ref: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
          target_ref: file--dbee2af2-3be4-5e2a-9bf3-94e3fe8637b3
        - relationship_type: contains
          source_ref: domain-name--f17dd142-08ac-54cb-bb88-97f1e07fb6fc
          target_ref: file--9794dd40-085a-5c84-8d95-70cbd8efcf1d
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
      revoked: false

Keep in mind that domains provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign.

URLs

URLs play a significant role in cybercriminal operations, often serving as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content. Their flexibility and ease of use make them a preferred tool for attackers.

How URLs are used:

  • Malware delivery: Embedded in emails or websites, URLs download malware or redirect to exploit kits.
  • Phishing campaigns: Lead users to fake websites designed to steal sensitive information.
  • Command-and-Control (C2): Facilitate communication between malware and attackers for issuing commands or data exfiltration.
  • Exploitation and redirection: Redirect victims to malicious sites hosting drive-by downloads or exploits.

By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data.

Example:

    - type: url
      id: url--001c0f70-93f8-583d-96ce-7c260da3a193
      value: http://www.goog1evip15.com/dogw/
      created: '2024-06-11T21:35:59.640Z'
      modified: '2024-06-11T21:35:59.640Z'
      external_references:
        - source_name: ANY.RUN task 55051854-38c4-4d03-a70a-6dd2ce3d89ca
          url: https://app.any.run/tasks/55051854-38c4-4d03-a70a-6dd2ce3d89ca
      labels:
        - Formbook
      related_objects: []
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
      revoked: false

Note that URLs often serve as entry points for malicious activity, acting as gateways for malware delivery, phishing attacks, or redirection to exploit kits, making them critical for identifying and mitigating cyber threats.

Additional Indicators in ANY.RUN’s TI Feeds

In addition to the core Indicators of Compromise (IOCs) such as URLs, domains, and IPs, ANY.RUN’s CTI feeds include a wealth of contextual information.

This additional data enriches the IOCs, offering deeper insights into the nature and behavior of each indicator.

Files

For file indicators, ANY.RUN’s CTI feeds provide detailed information to help identify and assess malicious files. Here are the key data fields included:

Example:

    - type: file
      id: file--249382b0-209d-5904-b725-b47663c6c412
      hashes:
        SHA-256: d564eb94afb174fe3b854de086eda2a4e015d778a9aea9806e79f82044eac74e
        SHA-1: 14b96459dff641245aea6dacd34512830d945ee2
        MD5: 5edee175c5003771dea841893ea46602
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
      file_name: d564eb94afb174fe3b854de086eda2a4e015d778a9aea9806e79f82044eac74e.exe
    - type: url
      id: url--d65b67ec-39f2-5309-8cc9-56e016b6a48f
      value: http://109.248.151.196/rvBZyVEAb230.bin
      created: '2024-06-11T18:44:15.898Z'
      modified: '2024-06-11T18:44:15.898Z'
      external_references:
        - source_name: ANY.RUN task 35d75e14-c1a2-418c-b98f-f7d58cca93cb
          url: https://app.any.run/tasks/35d75e14-c1a2-418c-b98f-f7d58cca93cb
      labels:
        - guloader
      related_objects:
        - relationship_type: contains
          source_ref: url--d65b67ec-39f2-5309-8cc9-56e016b6a48f
          target_ref: file--249382b0-209d-5904-b725-b47663c6c412
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
      revoked: false

Ports

Port indicators describe network activities related to specific port usage, offering insights into malicious connections.

Example:

    - type: port
      id: port--60027215-4cf1-5773-bef7-62051468dbd3
      port_value: 5555
      created: '2024-06-16T02:32:35.010Z'
      modified: '2024-06-16T02:32:35.010Z'
      labels:
        - NjRat
      related_objects:
        - relationship_type: services
          source_ref: domain-name--8ee2a029-d3e7-53f1-84fb-bee3008c0060
          target_ref: port--60027215-4cf1-5773-bef7-62051468dbd3
      created_by_ref: identity--96a9cd9c-2f73-5ad3-a2ab-c14b3eba65c7
      score: 100
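The IP, domain, URL, file and port objects above share one shape: a typed object with a value, labels naming the malware family, a score, a revoked flag, and related_objects that point at other objects by id. The script below is an added example, not ANY.RUN code or its client library, showing how a consumer would turn such a feed into a blocklist while honouring the fields the post describes: revoked indicators are dropped, the score gates what is blocked versus merely hunted on, and related_objects are followed to pull the file hashes tied to a network indicator. The feed it parses is a constructed JSON rendering of the same field layout (STIX objects are JSON natively); the IP sits in the RFC 5737 documentation range and the domains use the reserved .test TLD, so nothing in it is a live indicator. Object ids, labels and scores are constructed too.

```python
"""Consume a STIX-style indicator feed with the field layout shown above.

Added example with a constructed feed; not ANY.RUN's own code or data.
"""
import json

# Constructed feed mirroring the post's objects: documentation-range IP,
# .test domains, made-up ids and hashes.
SAMPLE_FEED = json.dumps([
    {"type": "ipv4-addr", "id": "ipv4-addr--11111111-1111-4111-8111-111111111111",
     "value": "198.51.100.7", "labels": ["RedLine"], "score": 90, "revoked": False,
     "related_objects": [{"relationship_type": "contains",
                          "source_ref": "ipv4-addr--11111111-1111-4111-8111-111111111111",
                          "target_ref": "file--44444444-4444-4444-8444-444444444444"}]},
    {"type": "domain-name", "id": "domain-name--22222222-2222-4222-8222-222222222222",
     "value": "c2.example.test", "labels": ["AgentTesla"], "score": 100,
     "revoked": False, "related_objects": []},
    # Revoked by the feed: must never reach a blocklist.
    {"type": "url", "id": "url--33333333-3333-4333-8333-333333333333",
     "value": "http://dl.example.test/payload.bin", "labels": ["Formbook"],
     "score": 100, "revoked": True, "related_objects": []},
    # Low score: kept for hunting, below the default blocking threshold.
    {"type": "url", "id": "url--55555555-5555-4555-8555-555555555555",
     "value": "http://stage.example.test/a", "labels": ["guloader"],
     "score": 60, "revoked": False, "related_objects": []},
    {"type": "file", "id": "file--44444444-4444-4444-8444-444444444444",
     "hashes": {"SHA-256": "a" * 64, "MD5": "b" * 32}, "score": 100},
    {"type": "port", "id": "port--66666666-6666-4666-8666-666666666666",
     "port_value": 5555, "labels": ["NjRat"], "score": 100},
])

# Only these object types carry a value that a firewall or proxy can block on.
NETWORK_TYPES = ("ipv4-addr", "domain-name", "url")


def load_objects(feed_text):
    """Parse the feed; each element is one indicator object."""
    return json.loads(feed_text)


def active_indicators(objects, min_score=90):
    """Blockable network IOCs grouped by type: not revoked, score >= min_score."""
    out = {}
    for obj in objects:
        if obj.get("type") not in NETWORK_TYPES or obj.get("revoked"):
            continue
        if obj.get("score", 0) < min_score:
            continue
        out.setdefault(obj["type"], []).append(obj["value"])
    return {kind: sorted(values) for kind, values in out.items()}


def related_file_hashes(objects, indicator_id, algo="SHA-256"):
    """Follow related_objects from a network indicator to the file hashes it served."""
    by_id = {obj["id"]: obj for obj in objects}
    hashes = []
    for rel in by_id[indicator_id].get("related_objects", []):
        target = by_id.get(rel["target_ref"])
        if target and target.get("type") == "file":
            digest = target.get("hashes", {}).get(algo)
            if digest:
                hashes.append(digest)
    return hashes


def families(objects):
    """Map each indicator value to the malware families / campaigns it is labelled with."""
    return {obj["value"]: list(obj.get("labels", []))
            for obj in objects if "value" in obj}


if __name__ == "__main__":
    objs = load_objects(SAMPLE_FEED)
    print("block:", active_indicators(objs))
    print("hunt only:", active_indicators(objs, min_score=0))
    print("files behind the IP:",
          related_file_hashes(objs, "ipv4-addr--11111111-1111-4111-8111-111111111111"))
```

Re-running the loader on every feed refresh matters because of the revoked flag: an indicator that was blockable yesterday may be withdrawn today, and a consumer that only ever appends to its blocklist will keep blocking it.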

Integrate ANY.RUN’s TI Feeds

ANY.RUN offers demo feed samples in STIX and MISP formats.

You can test ANY.RUN’s Threat Intelligence Feeds in STIX and MISP formats completely free of charge by requesting a demo sample here.

ANY.RUN also runs a dedicated MISP instance that you can synchronize your server with or connect to your security solutions. To get started, contact our team via this page.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

The post What’s Inside ANY.RUN’s Cyber Threat Intelligence Feeds? appeared first on ANY.RUN’s Cybersecurity Blog.


Singapore Warns Against Crypto Scams: Best Practices to Safeguard Digital Wealth

New Guidelines Aim to Strengthen Security Against Scams, Phishing, and Smart Contract Exploits.

Overview

The rapid adoption of cryptocurrency has opened new doors for financial innovation and investment, but it has also made this digital asset an increasingly attractive target for cybercriminals. Recognizing the growing risks in this space, the Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have issued a joint advisory to help the public protect their cryptocurrency holdings. The advisory outlines the tactics employed by threat actors and provides best practices for safeguarding digital assets. This blog takes a closer look at the advisory, analyzes the evolving threats, and recommends preventive measures to ensure a safer cryptocurrency ecosystem in Singapore.

Threat Actors Target Cryptocurrency: Tactics to Watch Out For

As cryptocurrencies gain popularity, cybercriminals have refined their methods to exploit unsuspecting victims. SPF and CSA have highlighted several tactics used by threat actors:

  1. Imposter Profiles
    • Cybercriminals impersonate legitimate blockchain entities on social media platforms, offering fake giveaways or promotions. Victims are tricked into verifying their wallets by sharing sensitive information such as login credentials.
    • In some cases, attackers pose as employers in cryptocurrency companies, asking victims to demonstrate their blockchain skills by executing malicious scripts, leading to unauthorized wallet transactions.

  2. Phishing Websites
    • Fraudulent websites are created to mimic legitimate cryptocurrency wallets, exchanges, or platforms. These sites lure victims by promising lucrative investment opportunities or exclusive tokens with high returns.
    • Social media advertisements amplify the reach of these phishing schemes, making them more accessible to potential victims.

  3. Exploiting Software Vulnerabilities
    • Threat actors actively identify and exploit software flaws in smart contracts, especially those involving multi-threading or recursion. One such example is the Re-entrancy Attack, where attackers interrupt ongoing smart contract transactions to execute unintended behaviors or repeat transactions.

  4. Manipulating Automated Smart Contracts
    • Smart contracts designed for automated trading can be exploited. Cybercriminals deceive these contracts by creating liquidity pools that appear valuable, causing cryptocurrencies to flow into the attackers’ pools automatically.

Best Practices for Cryptocurrency Users

To counter these threats, SPF and CSA have outlined several precautionary measures:

  1. Use Secure Wallets
    • Store cryptocurrencies in hardware wallets to keep them offline and shield them from online attacks.
    • If frequent transactions are necessary, use reputable software wallets and ensure they are updated with the latest security patches.

  2. Set Strong Passwords and Enable Two-Factor Authentication (2FA)
    • Always use strong, unique passwords for wallets and online accounts.
    • Never share private keys, recovery phrases, or seed phrases. Keep them stored securely in physical form.
    • Enable 2FA for all accounts related to cryptocurrency to add an extra layer of protection.

  3. Regularly Monitor Accounts
    • Frequently review wallet transactions to spot unauthorized activities.
    • Use tools like blockchain explorers to manage and revoke excessive token allowances.

  4. Exercise Caution with Smart Contracts
    • Verify the legitimacy of smart contracts before interacting with them.
    • Avoid approving or signing transactions without fully understanding their implications.

  5. Beware of Phishing Attempts
    • Avoid clicking on unsolicited links or downloading attachments from unknown sources.
    • Cross-check links and verify their authenticity through official channels.

  6. Stay Informed
    • Keep up-to-date with emerging cryptocurrency threats and best practices by following trusted sources and industry updates.

Responding to Cryptocurrency Crimes

Despite precautions, falling victim to cryptocurrency crimes is still a possibility. SPF and CSA recommend the following steps if you suspect or confirm an incident:

  1. Immediate Actions
    • Contact your cryptocurrency exchange to halt transactions or freeze your account.
    • Revoke any suspicious token approvals using wallet interfaces.
    • Transfer remaining assets from compromised wallets to secure ones immediately if a seed phrase is compromised.

  2. Report the Incident
    • File a report with the Police and CSA’s SingCERT by emailing singcert@csa.gov.sg or using the reporting form on the CSA website.
    • For urgent assistance, call the Police Hotline at 1800-255-0000 or dial 999 for emergencies.
    • Use the ScamShield app or helpline (1799) to check, deter, and block scams.

Analyzing the Threat Landscape

The tactics outlined by SPF and CSA illustrate how deceptive modern cybercriminals targeting cryptocurrency users have become. These methods leverage both technical exploits and psychological manipulation to deceive victims. For example:

  • Social Engineering: Imposter profiles and phishing schemes prey on human trust and curiosity. The promise of high returns or exclusive opportunities can cloud judgment, leading victims to unknowingly divulge critical information.
  • Technical Exploits: Attacks on software vulnerabilities highlight the need for rigorous testing of smart contracts and associated applications. Developers must adopt robust security practices to minimize risks.
  • Automation Exploitation: Automated trading mechanisms, while convenient, require enhanced safeguards to prevent exploitation by malicious actors.

Fostering a Secure Cryptocurrency Ecosystem

Cryptocurrency security is a shared responsibility among users, developers, and regulatory bodies. Here are some actionable recommendations:

  1. User Awareness
    • Public education campaigns should emphasize the importance of cybersecurity hygiene and vigilance in cryptocurrency transactions.
    • Sharing real-life case studies of cryptocurrency scams can help users recognize red flags.

  2. Developer Best Practices
    • Developers must prioritize security when designing and deploying smart contracts. Comprehensive testing and vulnerability assessments are crucial.
    • Implementing monitoring mechanisms can help identify suspicious activities in real-time.

  3. Regulatory Collaboration
    • Regulatory bodies and law enforcement agencies should collaborate to track and disrupt cryptocurrency-related criminal networks.
    • Encouraging the adoption of global security standards can strengthen the resilience of cryptocurrency platforms.

A Call to Action

As threats in the cryptocurrency space continue to evolve, staying one step ahead of cybercriminals is critical. The joint advisory from SPF and CSA underscores the importance of proactive measures to protect digital assets. By adopting best practices, users can significantly reduce their risk of falling victim to scams and attacks.

It’s equally important to foster a culture of shared responsibility and collaboration. Whether you’re a cryptocurrency user, developer, or policymaker, your role is integral to creating a safer cryptocurrency ecosystem.

Source: https://www.csa.gov.sg/docs/default-source/publications/singcert/2024/joint-advisory-on-the-safeguarding-of-cryptocurrency-assets-against-threat-actors.pdf?sfvrsn=79585f8_1

The post Singapore Warns Against Crypto Scams: Best Practices to Safeguard Digital Wealth appeared first on Cyble.


IT Vulnerability Report: Cleo, Windows Flaws Under Attack


Cyble Research and Intelligence Labs (CRIL) researchers investigated 16 IT vulnerabilities and 11 dark web exploits in the week ended Dec. 10, including actively exploited vulnerabilities in Cleo managed file transfer (MFT) software and Microsoft Windows.

Other vulnerabilities analyzed by Cyble affect WordPress and Ivanti Cloud Services Appliances (CSA), while dark web exploits include claims of an exploitable zero-day vulnerability in Palo Alto Networks devices.

Here are the vulnerabilities highlighted by Cyble’s vulnerability intelligence unit as meriting high-priority attention by security teams.

The Top IT Vulnerabilities

CVE-2024-50623 hasn’t been rated by NVD yet, but researchers have discovered that this high-severity vulnerability in Cleo managed file transfer (MFT) software is being actively exploited for remote code execution (RCE), data theft, and corporate network attacks, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on Dec. 13. The vulnerability affects Cleo Harmony, Cleo VLTrader, and Cleo LexiCom MFT products used for secure and efficient data exchange between organizations. The flaw allows unrestricted file upload and download, which could lead to RCE attacks.

CVE-2024-49138 is another high-severity vulnerability awaiting NVD analysis, but this one was added to CISA’s KEV Catalog as soon as Microsoft released a patch for it in its December 2024 Patch Tuesday updates. The flaw in the Windows Common Log File System (CLFS) Driver has been exploited in the wild and can enable attackers to gain SYSTEM privileges.

CVE-2024-38193 is a high-severity elevation of privilege vulnerability affecting the Windows Ancillary Function Driver for WinSock, commonly referred to as afd.sys. This critical system driver in the Windows operating system plays a vital role in managing network communications and handles the Winsock API, which is essential for TCP/IP networking. The vulnerability was observed being actively exploited by North Korean hackers to install a rootkit on targets in August 2024. With public proof-of-concept (PoC) code recently released, there could be a new wave of exploitation attempts.

CVE-2024-49041 is a medium-severity spoofing vulnerability identified in Microsoft Edge (Chromium-based). The vulnerability arises from the user interface performing incorrect actions in response to user requests, which can lead to spoofing attacks. This means that an attacker could potentially manipulate the UI to mislead users into taking actions that they did not intend.

CVE-2024-11205 is an 8.5-severity vulnerability affecting WPForms, a widely used WordPress plugin designed for creating various types of online forms quickly and easily. The flaw can lead to unauthorized data modification due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to and including 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.

CVE-2024-11639 is a 10.0-severity critical authentication bypass vulnerability in Ivanti Cloud Services Appliance (CSA), an internet appliance that serves as a secure gateway for enterprise users to access internal network resources. The flaw lies in the admin web console of Ivanti CSA before 5.0.3, allowing a remote, unauthenticated attacker to gain administrative access.

CVE-2024-11680 is a 9.8-severity improper authentication vulnerability affecting ProjectSend, an open-source file-sharing application designed for secure and private file management, particularly aimed at facilitating interactions between businesses and their clients. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application’s configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. Threat Actors were observed discussing exploits of the vulnerability on the dark web (see next section).

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels and cybercrime forums where threat actors (TAs) shared or discussed exploits weaponizing vulnerabilities. Cyble also observed a TA offering an exploit chain for an undisclosed vulnerability present in Palo Alto Networks devices. The TA quoted a price of USD $5K for the exploit. The other vulnerabilities discussed by TAs include:

CVE-2024-51378: A critical security vulnerability in CyberPanel versions prior to 1c0c6cb that allows remote attackers to bypass authentication, enabling them to execute arbitrary commands on the server.

CVE-2024-11680: A critical authentication vulnerability affecting ProjectSend versions prior to r1720. Remote, unauthenticated attackers can exploit the flaw by sending crafted HTTP requests to the options.php endpoint.

CVE-2024-38144: A critical security vulnerability in Microsoft Windows, specifically related to the Kernel Streaming WOW Thunk Service Driver, that allows for Elevation of Privilege attacks.

CVE-2024-10914: A critical command injection vulnerability in legacy D-Link NAS devices that allows unauthenticated attackers to inject arbitrary OS commands via HTTP GET requests, exploiting the cgi_user_add function in the account_mgr.cgi script.

CVE-2024-50483: A critical vulnerability affecting the Meetup plugin for WordPress versions up to and including 0.1 that is characterized as Authorization Bypass Through User-Controlled Key, which allows unauthenticated attackers to gain access to user accounts by exploiting improper verification processes during authentication.

CVE-2024-42327: A critical SQL injection vulnerability affecting Zabbix server versions 6.0.0 to 6.0.31, 6.4.0 to 6.4.16, and 7.0.

CVE-2023-6553: A TA shared a list of about 100,000 websites vulnerable to this critical Remote Code Execution vulnerability identified in the Backup Migration plugin for WordPress. The vulnerability affects all versions up to 1.3.7.

CVE-2024-35286, an SQL injection vulnerability, and CVE-2024-41713, a path traversal vulnerability, impact the NuPoint Unified Messaging (NPM) component and are critical vulnerabilities that could be exploited in sequence.

CVE-2024-11477: A critical vulnerability affecting versions of 7-Zip prior to 24.07 that allows for remote code execution due to an integer underflow in its Zstandard decompression feature. A TA quoted a price of USD $8K for the exploit.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching exploitable vulnerabilities in important products, as well as vulnerabilities that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.

Implementing strong security practices is essential to protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.

The post IT Vulnerability Report: Cleo, Windows Flaws Under Attack appeared first on Cyble.


Telegram account hacked: what to do? | Kaspersky official blog

Account hijacking in Telegram has become a serious criminal business in today’s world. Scammers employ sophisticated methods to steal access to accounts, and then use them to attack other users through deepfakes, social engineering, and other techniques. Here’s how it typically works: having stolen an account, scammers send phishing messages to all its contacts — such as “Hi, I urgently need money. Can you help me?”, “Please vote for me if you have a moment” or “You’ve received a gift – a one-year subscription to Telegram Premium” — to hijack even more accounts.

These messages often have phishing links at the other end, which look legitimate — for example, https://t.me/premium — but actually redirect users to fraudulent websites. If you click the link and follow the scammer’s instructions, you’ll likely lose access to your Telegram account (especially if you haven’t set up two-step verification in Telegram). Your contacts may then receive similar phishing messages from your account.

Stolen or fake accounts can also be used for complex targeted attacks — sometimes employing deepfakes to deceive employees of organizations. You might encounter messages allegedly from company management that include personal details like your full name, mentioning some kind of inspection by government authorities, and demanding confidential information or financial assistance in an air of complete secrecy. These are always fake.

Meanwhile, the original Telegram account owner might not even realize at first that their account has been compromised. They continue chatting with friends, reading their favorite channels, and assuming they’re safe from scammers. How is this possible? This happens because Telegram allows multiple sessions to the same account from different devices. Having gained access to your account, scammers open a session on their device without closing your active sessions. Then they send messages, and immediately delete them on the sender’s side only. In this way, recipients see the messages, but the victim doesn’t.

As we are seeing, scammers are interested in everyone — even the most ordinary of Telegram users. In this article, we address two key questions: how to know if your Telegram account has been hacked, and if it has, what should you do?

How to know if your Telegram account has been hacked

The following are possible signs that your account has been hacked: your username or profile picture has changed; you’ve been entered into some suspicious competitions; you see a message sent from your account that’s then immediately deleted; your friends tell you they’ve received strange messages from you that you can’t see. Let’s go through these one by one…

Changes to your username or profile picture. Scammers might alter your username to include a phishing link or put the link in your bio. They might also modify your profile picture to their advantage. For example, adding a note to your photo asking for help: “I’m in trouble, please help me however you can”. Any change of information without your knowledge indicates a compromise. In short, if something has changed “by itself”, then most likely attackers are responsible: you’ve been hacked.

Participation in suspicious activities. Scammers might send you a link to activate a Telegram Premium gift subscription, and if you “activate” it, your account will be stolen. This is a fairly popular account hijacking scam, which we’ve covered in detail on the Kaspersky Daily blog. Popular, yes — but far from the only one. Here’s another one: asking for help to win a vote.

Friends report receiving strange messages from you, which you don’t see. Scammers work hard to conceal the fact that your account has been hacked. They delete all messages sent from your account on the sender’s side. The recipient gets the message (and can even reply), but you won’t know about it unless your friends inform you.

You receive a login code for a new device. However, you definitely didn’t attempt to log in, and all your known devices are already connected to your account. Scammers usually delete such messages immediately, but if you spot a request for such a code, your account is under attack right there and then.

If you notice any of these signs, act quickly — you’ve only 24 hours to save your account. Why 24 hours? Telegram has built-in protection against account theft — preventing new devices from terminating active sessions on other devices within the first 24 hours. After 24 hours, the scammers will end all other sessions on your account, and you’ll lose all access.

What to do if your Telegram account has been hacked

Here are some basic countermeasures to take if you detect signs of a Telegram account hack.

Terminate all unknown sessions

To do this, go to Settings → Devices → Terminate all other sessions (in desktop clients, this section might be called Active sessions). This will log out all sessions except the current one, cutting off the scammers’ access to your account.

How to terminate sessions in Telegram


Alternatively, you can choose specific sessions to terminate by selecting them and clicking Terminate Session, or by clicking Edit in the top right corner of the screen.

Contact technical support

To do this, navigate to Settings → Ask a question to reach Telegram support. While this might seem a safe option, the 24-hour timeline could play into the scammers’ hands here: Telegram support is handled by volunteers, so a response may take time in coming. So first of all, you should terminate all unknown sessions (see above), and enable two-factor authentication (see below).

If you proceed with contacting support, you’ll enter a chat with the Volunteer Support bot. Note that this bot can only be initiated through Settings → Ask a question — remember this to avoid falling victim to scams. The bot will provide instant FAQ answers, but there’s no option for “Account hacked” in its standard menu. To get help from a human, either select Skip and process to volunteers, or type your request in the chat, and press Yes, redirect me. Telegram will inform you that most volunteers communicate in Russian or English.

How to contact Telegram support and speak to a person instead of a bot


If you’ve already lost access to your Telegram account, there’s another way to contact Telegram support: fill out a form on the official website specifying the issue, your phone number, and your email.

Recover access to your Telegram account via SMS code

If more than 24 hours have passed and you no longer have access to your account on any device (because the hackers ended all your sessions), try recovering it with your phone number:

  1. Open the Telegram app
  2. Enter your phone number and confirm it
  3. Select Tap to get a code via SMS
  4. Enter the received code
  5. Enter your two-step verification password, if set
  6. End all other sessions

Bear in mind that you need to act quickly here: once you enter your phone number, all devices with an active session linked to this number will receive a notification in Telegram. This means the hackers will know you’re attempting to regain access.

Create a new Telegram account with the same number

If you can’t recover your account, the only way to continue using Telegram with the same phone number is to delete the old account and create a new one. However, in this case, you’ll permanently lose your chat history and administrator rights in your channels.

You can only delete your Telegram account if you have access to it, or if you’ve set up two-step verification. If you’ve at least one open session, go to Settings → Privacy and Security → Automatically delete my account if away for… → Delete Account Now.

If you don’t have access to your account but have two-step verification set up, you can delete the account as follows:

  1. Open the Telegram app
  2. Enter your phone number
  3. Select Forgot password?
  4. Select Unable to access <your email address>
  5. Select Reset account

If you don’t have access to your account on any device, and two-step verification is disabled, you can’t delete the account. Warn your friends and family about the loss of access so they don’t fall for scams sent from your account.

How to protect your Telegram account from being hacked

The best thing you can do right now to protect your account is to set up two-step verification. This means a password will be required in addition to a code when logging in from a new device. This additional security factor will make hacking more difficult, give you more time to react, and allow you to delete the account in case you lose access.

Go to Settings → Privacy and Security → Two-Step Verification. Next, create a password, enter a recovery email, and confirm it by entering the code you receive.

The password should be strong and unique to make it difficult for scammers to guess. To create and store secure passwords, we recommend using Kaspersky Password Manager.

Be sure to share this guide with friends and family — especially those new to Telegram, to help them stay safe in the digital space.


How infostealers are used in targeted cyberattacks

Although malicious programs that hunt for passwords, financial data, and other sensitive data have been around for over 20 years, the word “infostealer” was coined only in the early 2010s. Recently, however, this relatively simple type of malware has been popping up in an unexpected role — deployed as a springboard for major targeted hacks and cyberattacks. For example, the theft of the data of 500 million Ticketmaster customers and a ransomware attack on the Brazilian Ministry of Health were both traced to infostealers. The main challenge posed by infostealers is that they can’t be defeated solely at the infrastructure level and within a company’s perimeter. The non-work activities and personal devices of employees also need to be considered.

Modern infostealers

Infostealers are programs indiscriminately installed on any accessible devices by threat actors looking to steal sensitive information of any kind. Their primary targets are account passwords, crypto wallet credentials, credit card details, and browser cookies. The latter can be used to hijack a user session in an online service. In other words, if the victim is logged in to a work account in the browser, then by copying the cookies to another computer an attacker can in some cases gain access to that account without even knowing the victim’s credentials.

Infostealers can also:

  • Intercept email and chat messages
  • Pilfer documents
  • Steal images
  • Take screenshots of the screen or windows of specific applications

And there are exotic specimens that apply optical character recognition to read text in JPG image files (pictures of passwords and financial data, for example). The infostealer sends all collected data to the C2 server, where it’s stored pending resale on the dark web.

Among recent years’ technical developments in the field of infostealers are: new methods of stealing data from protected browser storage, modular architecture for harvesting new types of data from already infected computers, and migration to a service model for distribution of this malware.

The cybercriminal market demands versatile infostealers, capable of data theft from dozens of browsers, crypto wallets, and popular applications, such as Steam and Telegram. The stealers must also be resistant to detection by security software, requiring developers to make frequent modifications to the malware, repackage it, equip it with anti-analysis and anti-debugging tools, and beef up its stealth. The “vendors” also often need to re-upload packaged malware to different hosting sites. This is necessary because old sources of malware are quickly blocked by infosec companies in cooperation with search engines and hosting providers.

Infostealers are mainly made for Windows and macOS systems — with the latter case being far from exotic but an up-and-coming segment in the cybercriminal market. There are stealers for Android, too.

Some common delivery channels for infostealers are spam and phishing, malicious advertising, and SEO poisoning. Besides campaigns that bundle infostealers with cracked software or game cheats, such malware may also be installed under the guise of a browser or antivirus update, or of a video conferencing application. In general, attackers monitor the zeitgeist and clothe their malware accordingly: this year, fake AI image generators were popular, and during the global CrowdStrike outage, there even appeared an infostealer masquerading as device recovery instructions.

Infostealer ecosystem

A clear division of labor has taken root in the world of cybercrime. Some threat actors develop their own infostealers — plus the tools to manage them. Others get these programs onto victims’ devices using phishing and other techniques. Still others utilize stolen data. These three categories of criminals usually operate independently — not as one group, but they do have commercial relations with each other. The first of them increasingly offers infostealers under the malware-as-a-service (MaaS) model, often packaged with a handy cloud-based dashboard for customization.

The operators of actual attacks spread the malware but don’t use the stolen data themselves — instead putting large databases of harvested information up for sale on underground forums where other cybercriminals buy them and search for specific data they want using special tools. The same database can be purchased and repackaged many times: some buyers will extract gaming accounts, others look for bank card details or accounts in corporate systems. This latter type of data in particular has been gaining popularity since 2020 as threat actors have come to realize it provides a stealthy and effective way to penetrate an organization. Stolen accounts allow them to log in to a corporate system as a real user without exploiting any vulnerabilities or malware — thus arousing no suspicion.

The COVID-19 pandemic forced companies to make greater use of cloud services and allow remote access to their systems, causing the number of potentially vulnerable businesses to skyrocket. And more company employees are now using remote access from personal computers, where information security policies are less well-enforced (if at all). Thus, a home computer infected with an infostealer can ultimately lead to unwelcome guests in the corporate network.

Attackers who have obtained corporate credentials verify their validity and pass this filtered data to the operators of targeted cyberattacks.

How to guard against infostealers

Securing every corporate computer and smartphone (EDR/EMM) is only the start. You need to also protect all employees’ personal devices against infostealers, and, in case of infection, mitigate the consequences. There are several ways to address this issue — some of which complement each other:

  • Deny access to corporate systems from personal devices. The most drastic, inconvenient, and not-always-feasible solution. In any case, it doesn’t fix the problem entirely: for example, if your company uses public cloud services (email, file storage, CRM) for work tasks, a blanket ban will be impossible.
  • Use group policies to disable browser synchronization on corporate computers so that passwords don’t end up on personal devices.
  • Implement phishing-proof two-factor authentication at the corporate perimeter, in all important internal and public services.
  • Make mandatory the installation of an Enterprise Mobility Management (EMM) solution on personal laptops and smartphones in order to monitor their security (check for up-to-date security solution databases, whether the solution is disabled, and whether the devices are password- and encryption-protected). A properly configured EMM system maintains strict separation of work and personal data on the employee’s device and doesn’t affect personal files and applications.
  • Deploy an advanced identity management system (for the accounts of employees, devices, and software services) across your organization to help quickly locate and block accounts showing abnormal behavior; this will prevent, for example, employees from logging in to systems not needed for work or from suspicious locations.
  • Get the latest dark-web threat intelligence with live reports on fresh leaks of your corporate data (including stolen accounts).

Kaspersky official blog

Cyble’s Latest Sensor Intelligence Report Reveals Surge in Malware, Phishing, and IoT Vulnerabilities


Overview

Cyble has identified multiple instances of exploitation attempts, malware intrusions, financial fraud, and brute-force attacks. The data is captured in real-time via Cyble’s comprehensive network of Honeypot sensors, providing valuable insights into the nature of cyber threats.

Cyble’s latest Sensor Intelligence report, covering December 4th to December 10th, 2024, provides in-depth analysis of a range of threats, including high-profile malware variants, phishing scams, and CVE (Common Vulnerabilities and Exposures) exploitation attempts.

Cyble’s Global Sensors Intelligence (CGSI) network has detected several attack vectors, many of which target critical vulnerabilities in Internet of Things (IoT) devices and widely used software platforms.

The report covers a broad spectrum of threats, including well-known Linux malware variants such as Mirai and Gafgyt, along with exploitation attempts involving the Telerik UI and Cisco ASA. Below are some key insights into the most prevalent vulnerabilities observed during the reporting period.

Case Studies on Vulnerabilities and Exploits

  1. PHP CGI Argument Injection Vulnerability (CVE-2024-4577)
    A critical vulnerability in PHP configurations has been detected, enabling attackers to execute arbitrary commands through specially crafted URL parameters. This vulnerability could lead to severe system compromise if left unpatched. Organizations are urged to patch PHP configurations and restrict access to vulnerable systems to mitigate potential exploitation.
  2. OSGeo GeoServer Eval Injection Vulnerability (CVE-2024-36401)
    Cyble identified a remote code execution (RCE) vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. This issue arises from the unsafe evaluation of request parameters, allowing unauthenticated users to execute arbitrary code. To mitigate the threat, the report recommends updating to the latest GeoServer versions and removing the vulnerable gt-complex library.
  3. Ruby SAML Improper Signature Verification (CVE-2024-45409)
    The Ruby-SAML library, a widely used tool for implementing the client side of SAML authentication, was found to have improper cryptographic signature verification in versions 12.2 and 1.13.0 to 1.16.0. Attackers could exploit this vulnerability to forge SAML responses and gain unauthorized access to systems. Updating to Ruby-SAML versions 1.17.0 or 1.12.3 is recommended to mitigate this risk.
  4. Cisco IOS XE Web UI Privilege Escalation Vulnerability (CVE-2023-20198, CVE-2023-20273)
    Cyble has reported ongoing exploitation of the web UI feature in Cisco IOS XE Software. The initial compromise occurs via the CVE-2023-20198 vulnerability, which allows attackers to gain access and escalate privileges to root. Organizations are advised to implement Cisco’s recommended patches to secure their systems.
  5. Joomla Improper Access Check in Webservice Endpoints (CVE-2023-23752)
    An improper access check vulnerability was discovered in Joomla versions 4.0.0 through 4.2.7, allowing unauthorized access to webservice endpoints. This can expose sensitive information and allow attackers to execute malicious actions. Updating Joomla to the latest version is critical for organizations using this content management system.
  6. ownCloud GraphAPI Information Disclosure (CVE-2023-49103)
    A vulnerability in the ownCloud GraphAPI app can disclose sensitive system information, including environment variables, which may contain credentials and other sensitive data. To prevent data leaks, the app must be disabled or updated to the latest patched version.
  7. Apache OFBiz SSRF Vulnerability (CVE-2023-50968)
    Apache OFBiz was found to have a server-side request forgery (SSRF) vulnerability that attackers could exploit to read arbitrary file properties. Upgrading to version 18.12.11 is recommended to eliminate this threat.
  8. Citrix NetScaler ADC Buffer Overflow Vulnerability (CVE-2023-4966)
    Citrix NetScaler ADC and Gateway devices were found to be vulnerable to sensitive information disclosure due to a buffer overflow. This can lead to unauthorized access to internal network resources. Patch management and network monitoring are crucial to protecting against this vulnerability.

Malware and Attack Analysis

Cyble’s analysis also focuses on various malware threats observed across different regions. One notable example is the emergence of a new banking Trojan called AppLite Banker. This sophisticated malware is distributed through phishing campaigns disguised as CRM applications. Once installed, it abuses Android’s Accessibility Services to overlay fake login screens on legitimate applications, tricking users into revealing their credentials.

AppLite employs advanced evasion techniques, such as manipulating APK file structures to avoid detection by static analysis tools. After installation, it can execute commands remotely, exfiltrate financial data, and even control infected devices through features like screen unlocking and interaction simulation. The malware’s global reach is further evidenced by its multilingual capabilities, making it a persistent threat to users worldwide.

CVE Attack Attempts: A Closer Look

In the past week, Cyble observed a high volume of exploit attempts targeting several CVEs. The most frequently attempted CVE was CVE-2020-11899, which saw 25,736 attack attempts. This vulnerability affects the Treck TCP/IP stack and can lead to an IPv6 out-of-bounds read. Other notable CVEs include CVE-2019-0708, a remote code execution flaw in Remote Desktop Services, and CVE-2021-44228, the infamous Log4j vulnerability, which continues to be a major vector for attacks.

Cyble’s extensive network of sensors detected these attacks and provided critical data to help organizations understand and defend against these vulnerabilities. As CVE-2020-11899 continues to be a primary target for cybercriminals, organizations are urged to patch vulnerable systems to prevent potential breaches.

Recommendations and Mitigations

To mitigate the risks highlighted in this report, Cyble recommends the following actions:

  1. Regularly update software and hardware systems to patch known vulnerabilities. This includes applying updates for CVEs and software-specific flaws identified in the report.
  2. Use threat intelligence feeds to block IP addresses associated with known attackers and malware distribution.
  3. Enforce the use of strong passwords and implement multi-factor authentication (MFA) to reduce the risk of brute-force and credential-stuffing attacks.
  4. Continuously monitor for Indicators of Compromise (IoCs), such as suspicious IP addresses, URLs, and file hashes, to detect potential attacks early.
  5. Regularly audit systems, networks, and devices for vulnerabilities and misconfigurations that attackers could exploit.

Conclusion

The findings in Cyble’s Sensor Intelligence report highlight the growing sophistication and persistence of cyber threats. Through its AI-powered intelligence, Cyble provides essential insights that help organizations protect their digital assets.

With AI-powered platforms like Cyble Vision and Cyble Hawk, businesses can access real-time threat intelligence, monitor vulnerabilities, and receive automated remediation advice. Cyble’s solutions empower enterprises, governments, and individuals to stay protected from cybercriminals at all times.

The post Cyble’s Latest Sensor Intelligence Report Reveals Surge in Malware, Phishing, and IoT Vulnerabilities appeared first on Cyble.


Romania Urges Energy Sector of Proactive Scanning Amid LYNX Ransomware Threat

Cyble LYNX Ransomware

Overview

The Romanian National Cyber Security Directorate (DNSC) has issued a critical advisory urging all entities, especially those in the energy sector, to scan their IT and critical infrastructure for malicious binaries associated with the LYNX ransomware cybercrime group. This recommendation follows a ransomware attack targeting the Electrica Group, Romania’s leading energy provider.

DNSC said even organizations unaffected by the attack must act proactively to detect and mitigate potential risks. The Directorate advised using the provided YARA scanning scripts to identify the malicious binary and prevent further infiltration.

The Electrica Group Ransomware Incident

On December 9, 2024, the Electrica Group reported a ransomware attack to DNSC and claimed that the ‘cyberattack was in progress.’ The incident prompted immediate intervention from DNSC specialists and other national authorities. While critical power supply systems remain operational, investigations into the attack are ongoing.

Electrica Group, in its notification to the London Stock Exchange, reassured its commitment to managing the incident swiftly and transparently. CEO Alexandru Aurelian Chirita told stakeholders that the company’s primary focus is maintaining the continuity of electricity distribution and protecting sensitive data.

The Group urged consumers to remain vigilant against potential scams and avoid sharing personal information through unsecured channels.

Validated Indicators of Compromise (IOCs)

DNSC has released critical technical details to aid entities in identifying LYNX ransomware activity. Key IOCs include:

  • File hash: c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72
  • Malicious URL (defanged): hXXp://lynxblog.net/

The accompanying YARA rules were specifically designed to detect LYNX ransomware binaries. Entities should use these rules to perform thorough scans of their IT environments.

YARA Rules (as published by DNSC; the typographic quotes and dashes introduced by the web rendering are restored to plain ASCII, the path backslashes are escaped as YARA requires for a literal backslash, and the `filesize` keyword is written correctly, so the rules compile as-is):

rule ransomware_LYNX_1 {
   meta:
      description = "Detect LYNX ransomware"
      author = "DNSC"
      date = "2024-12-10"
      hash1 = "c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72"
   strings:
      $s1 = "[+] Successfully decoded readme!" fullword ascii
      $s2 = "[-] Failed to get service information for %s: %s" fullword wide
      // "\\" is a literal backslash in a YARA text string; a single "\t" would match a tab
      $s3 = "--file C:\\temp.txt,D:\\temp2.txt" fullword ascii
      $s4 = "--file C:\\temp.txt" fullword ascii
      $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s6 = "[-] Failed to open service manager for %s: %s" fullword wide
      $s7 = "[-] Failed to open service handle for %s: %s" fullword wide
      $s8 = "[-] Failed to enum dependent services for %s: %s" fullword wide
      $s9 = "[-] Failed to kill dependent services for %s: %s" fullword wide
      $s10 = "[%s] Try to stop processes via RestartManager" fullword wide
      $s11 = "[%s] Kill processes and services" fullword wide
      $s12 = "Load hidden drives (will corrupt boot loader)" fullword ascii
      $s13 = "README.txt" fullword wide
      $s14 = "[-] Failed to mount %s: %s" fullword wide
      $s15 = "[-] Failed to decode readme: %s" fullword ascii
      $s16 = "Try to stop processes via RestartManager" fullword ascii
      $s17 = "Kill processes/services" ascii fullword
      $s18 = "--stop-processes " ascii fullword
      $s19 = "--stop-processes" fullword wide
      $s20 = "[%s] Encrypt network shares" fullword wide
      $op0 = { e8 22 c8 01 00 01 46 30 6a 00 11 56 34 6a 13 ff }
      $op1 = { 23 d1 89 55 d0 8b 55 e4 81 f2 ff ff ff 03 f7 d2 }
      $op2 = { 23 d1 89 55 d4 8b d7 81 f2 ff ff ff 01 f7 d2 8b }
   condition:
      // PE (MZ) header, under 500 KB, at least 8 of the strings above, and all three opcode sequences
      uint16(0) == 0x5a4d and filesize < 500KB and
      ( 8 of them and all of ($op*) )
}

rule ransomware_LYNX_2 {
   meta:
      description = "Detect LYNX ransomware"
      score = 80
      md5 = "2E8607221B4AB0EB80DE460136700226"
   strings:
      // leading characters deliberately dropped so both capitalisations match
      $s1 = "tarting full encryption in" wide
      $s2 = "oad hidden drives" wide
      $s3 = "ending note to printers" ascii
      $s4 = "successfully delete shadow copies from %c:/" wide
      $op1 = { 33 C9 03 C6 83 C0 02 0F 92 C1 F7 D9 0B C8 51 E8 }
      $op2 = { 8B 44 24 [1-4] 6A 00 50 FF 35 ?? ?? ?? ?? 50 FF 15 }
      $op3 = { 57 50 8D 45 ?? C7 45 ?? 00 00 00 00 50 6A 00 6A 00 6A 02 6A 00 6A 02 C7 45 ?? 00 00 00 00 FF D6 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 04 8B F8 8D 45 ?? 50 8D 45 ?? 50 FF 75 ?? 57 6A 02 6A 00 6A 02 FF D6 }
      $op4 = { 6A FF 8D 4? ?? 5? 8D 4? ?? 5? 8D 4? ?? 5? 5? FF 15 ?? ?? ?? ?? 85 C0 }
      $op5 = { 56 6A 00 68 01 00 10 00 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 74 ?? 6A 00 56 FF 15 ?? ?? ?? ?? 68 88 13 00 00 56 FF 15 ?? ?? ?? ?? 56 FF 15 }
   condition:
      uint16(0) == 0x5A4D and
      (
         3 of ($s*)
         or 3 of ($op*)
         or (2 of ($s*) and 2 of ($op*) )
      )
}
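Where the yara binary is not available on a host, the hashes and plaintext strings from the advisory can still be swept for directly. The script below is an added example, not DNSC's scanning script: it compares each file's SHA-256 and MD5 against the advisory's values and, for PE files under the 500 KB bound used by rule 1, counts that rule's plaintext markers (the opcode patterns are left to a real YARA engine). The threshold of four markers is the example's own choice, and the string check is a substring match rather than YARA's fullword match.

```python
"""Sweep a directory tree for the LYNX indicators published by DNSC.

Added example, not DNSC's scanning script. It is a fallback for hosts
without yara installed; run the published rules wherever yara is present.
"""
import hashlib
import os
import sys

# Hashes from the DNSC advisory (SHA-256 from rule 1's meta, MD5 from rule 2's).
LYNX_SHA256 = {"c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72"}
LYNX_MD5 = {"2e8607221b4ab0eb80de460136700226"}

# Plaintext strings from ransomware_LYNX_1. "wide" strings are encoded as
# UTF-16LE, which is what YARA's wide modifier matches on.
ASCII_MARKERS = [
    b"[+] Successfully decoded readme!",
    b"Load hidden drives (will corrupt boot loader)",
    b"Try to stop processes via RestartManager",
    b"Kill processes/services",
    b"AppPolicyGetProcessTerminationMethod",
    b"[-] Failed to decode readme: %s",
]
WIDE_MARKERS = [
    s.encode("utf-16-le")
    for s in (
        "[%s] Encrypt network shares",
        "[%s] Kill processes and services",
        "[-] Failed to kill dependent services for %s: %s",
        "[-] Failed to mount %s: %s",
        "README.txt",
        "--stop-processes",
    )
]
MAX_SIZE = 500 * 1024  # rule 1's "filesize < 500KB" bound


def hash_bytes(data):
    """SHA-256 and MD5 hex digests of a byte string."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def string_hits(data):
    """Count LYNX marker strings in a PE image smaller than MAX_SIZE; 0 otherwise.
    Plain substring matching, slightly looser than YARA's fullword modifier."""
    if not data.startswith(b"MZ") or len(data) >= MAX_SIZE:
        return 0
    return sum(1 for marker in ASCII_MARKERS + WIDE_MARKERS if marker in data)


def classify(data, sha256_iocs=LYNX_SHA256, md5_iocs=LYNX_MD5, min_hits=4):
    """Return the reasons a file body is suspicious; an empty list means clean.
    min_hits is this example's threshold, not a value from the advisory."""
    reasons = []
    sha, md5 = hash_bytes(data)
    if sha in sha256_iocs:
        reasons.append("sha256 matches DNSC IOC " + sha)
    if md5 in md5_iocs:
        reasons.append("md5 matches DNSC IOC " + md5)
    hits = string_hits(data)
    if hits >= min_hits:
        reasons.append(f"{hits} LYNX marker strings in a small PE file")
    return reasons


def sweep(root):
    """Walk root and map each suspicious path to its list of reasons.
    Files are read whole; stream the hashing if you sweep very large trees."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished mid-sweep; keep going
            reasons = classify(data)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(reasons))
```

A hit on the hash set is conclusive for the published sample; a string-count hit only says the file carries the same embedded messages and should be pulled for YARA and sandbox analysis, which is exactly the isolate-and-preserve step DNSC asks for.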

Recommendations for Incident Containment

DNSC advises all organizations, particularly in the energy sector, to adopt the following steps immediately:

Scan and Isolate:

  • Use the YARA scanning script to identify the malicious binary.
  • Isolate affected systems from the network to prevent further spread.

Preserve Evidence:

  • Retain copies of ransom notes and communications from attackers for investigative purposes.
  • Collect relevant logs from affected devices, network equipment, and firewalls.

Analyze and Secure:

  • Examine system logs to identify the initial compromise vector.
  • Update all software, applications, and operating systems to address known vulnerabilities.

Notify Stakeholders:

  • Inform employees, customers, and business partners about the incident.
  • Remain vigilant against phishing messages purporting to be from trusted entities.

Leverage Available Resources:

Broader Call to Action

DNSC’s proactive measures highlight the escalating threats facing critical infrastructure. The energy sector, often targeted due to its vital role, must remain vigilant. The Directorate stresses that paying the ransom is strongly discouraged, as it fuels criminal activities and does not guarantee data recovery.

DNSC’s collaboration with national authorities underscores the importance of a united response to cyber threats. Organizations must implement robust security practices and participate in information-sharing initiatives to strengthen collective defenses.

A Critical Reminder

The LYNX ransomware attack exposes the vulnerabilities within IT and operational technology infrastructures. While Electrica Group’s critical systems remain intact, the incident shows the importance of proactive measures, including scanning for IOCs, isolating infected hosts, and updating defences.

Organizations across all sectors should act decisively to safeguard their operations. DNSC’s guidance is a roadmap for preventing ransomware attacks and minimizing their impact on critical infrastructure. By taking these steps, entities can strengthen their cybersecurity posture and contribute to a safer digital ecosystem.

References:

https://dnsc.ro/citeste/alerta-lynx-ransomware-indicators-of-compromise-iocs

https://www.londonstockexchange.com/news-article/ELSA/cyber-attack-in-progress/16802405

The post Romania Urges Energy Sector of Proactive Scanning Amid LYNX Ransomware Threat appeared first on Cyble.


Something to Read When You Are On Call and Everyone Else is at the Office Party


Welcome to this week’s edition of the Threat Source newsletter. 

The new head of the UK’s National Cyber Security Centre, Richard Horne, recently remarked that there is a “clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in place to protect us.”

To those of us working in cyber security, the threat is evident. We spend our lives following the actions of threat actors and analysing their new attacks. Our thoughts and actions are rooted in how the threat landscape is evolving. Unfortunately, this is not necessarily the case for those who decide budget allocations.

Nobody wants to suffer a breach, but often security teams are frustrated by competing budget items and the difficulties of explaining complex mitigations to people who may have different priorities and interests.

If keeping informed is one half of the solution to closing the gap, the other is in recognising that we are all human. We’re all trying to do the best that we can with the information that we have available to us. What may be perceived as irrational behaviour to one observer, may be the most obvious course of action to another with a different point of view.

Constantly explaining how threat actors are changing and how attacks are evolving is vital to ensure that organisations can maintain a good security posture. Talking about cyber security to different audiences, using the language and metaphors with which they are familiar are all part of the solution in defeating cyber attacks.

If we are to move to a world free from cyber insecurity, we must close the gap between threat and defence. This will take communication and understanding: communicating the threat, but also understanding the constraints that decision makers work under. We also need to express and recognise the effort, sometimes heroic, that cyber security teams put in to keep businesses running and free from breaches.

This is all the more true during the holiday period, when many engineers and analysts are monitoring systems or on-call, keeping the systems running and the lights on, so that others can enjoy the festivities. If this is you, then know that we’re thinking of you.

The one big thing 

Hiding the origin and destination of network traffic is vital for the bad guys to cover their tracks and obfuscate their actions. A malicious connection that originates from the same IP space as legitimate employees’ connections is less likely to catch the attention of security teams than one from a distant country. Similarly, exfiltrating data in small chunks to many in-country residential IP addresses is less likely to raise alarms than exfiltrating to a single address.

Cybercriminals are increasingly compromising consumer and IoT devices to build vast networks of proxy systems, enabling them to mask their activities and route malicious traffic through a global pool of hijacked IP addresses.

Why do I care?

Routing malicious traffic through otherwise unsuspicious networks makes identification and attribution of attacks difficult. Owners and operators of compromised systems recruited to act as proxies suffer from reduced performance and the theft of network and CPU resources from their systems.

So now what?

Firstly, ensure that patches are applied and that default or easy-to-guess credentials are changed, to avoid becoming part of the problem. Apply zero-trust principles: authenticate users via MFA in the context of the time and date of the access and, importantly, verify that the connecting device conforms to policy and is authorised to connect to corporate systems. For full details on how to respond to this threat, see the blog post.
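The exfiltration pattern described above, many small transfers to many distinct residential addresses, leaves a measurable fan-out signature in outbound flow logs even when each individual connection looks benign. The following is an added example of that detection logic, not Talos tooling: it slides a time window over per-source flows and flags a source that reaches an unusual number of distinct destinations with a small median transfer size. The flow records, thresholds and addresses are constructed for the example.

```python
"""Flag hosts that drip-feed small outbound transfers to many distinct
destinations. Added example; flow records and thresholds are constructed."""
from collections import defaultdict
from statistics import median

# Constructed flow log: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    # Ordinary workstation: two destinations, a few large uploads.
    (1000, "10.0.0.5", "142.250.80.46", 443, 180_000),
    (1010, "10.0.0.5", "142.250.80.46", 443, 220_000),
    (1020, "10.0.0.5", "52.96.0.1", 443, 90_000),
    (1030, "10.0.0.5", "52.96.0.1", 443, 75_000),
] + [
    # Host pushing ~4 KB chunks to twelve different addresses within a minute.
    (2000 + i * 5, "10.0.0.23", f"86.12.{40 + i}.{100 + i}", 443, 4_000 + i * 10)
    for i in range(12)
]


def fanout_candidates(flows, window=600, min_dsts=10, max_chunk=16_000, min_total=32_000):
    """Return {src_ip: summary} for sources that, within any `window` seconds,
    reach at least `min_dsts` distinct destinations with a median transfer of
    at most `max_chunk` bytes and at least `min_total` bytes in aggregate.
    The size conditions keep normal browsing to a CDN (few, large transfers)
    from tripping the distinct-destination count."""
    by_src = defaultdict(list)
    for ts, src, dst, _port, nbytes in sorted(flows):
        by_src[src].append((ts, dst, nbytes))

    findings = {}
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            # Advance the window start so recs[start:end+1] spans <= window seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            dsts = {dst for _, dst, _ in win}
            sizes = [nbytes for _, _, nbytes in win]
            if (len(dsts) >= min_dsts
                    and median(sizes) <= max_chunk
                    and sum(sizes) >= min_total):
                findings[src] = {
                    "distinct_dsts": len(dsts),
                    "median_bytes": median(sizes),
                    "total_bytes": sum(sizes),
                    "window_start": win[0][0],
                }
                break  # first qualifying window is enough to raise the alert
    return findings


if __name__ == "__main__":
    for src, summary in fanout_candidates(SAMPLE_FLOWS).items():
        print(src, summary)
```

In production the thresholds should come from a per-host baseline rather than fixed numbers, and the destination set is worth enriching with ASN and residential-range data, since the newsletter's point is that the endpoints look like ordinary consumer connections.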

Top security headlines of the week 

Presidential Elections in Romania hit by Cyber Campaign

The first round of the presidential election in Romania has been annulled by the country’s constitutional court following claims of a foreign influence campaign to sway the vote, and cyber-attacks targeting electoral data.

(BBC News 1 & 2)

 

Secure Criminal Chat System “Matrix” Disrupted by Law Enforcement

Matrix, a secure communication system that offered encrypted messaging to criminals, has been taken down by law enforcement authorities, with millions of messages secured for investigation. This takedown follows similar successes against other criminal messaging systems such as EncroChat, Sky ECC and Ghost.

(The Register)

 

Wanted Russian Suspected Ransomware Actor Arrested

Authorities in Russia have arrested Mikhail Matveev, an individual wanted in the US in connection with alleged participation in LockBit, Hive and Babuk ransomware attacks. The broader significance of this arrest in Russia is unclear, although it does indicate that tolerance of the actions of cyber criminals located within Russia does have limits.

(SecurityWeek)

 

Can’t get enough Talos? 

Upcoming events where you can find Talos

Cisco Live EMEA (February 9-14, 2025)

Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week  

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Win.Worm.Bitmin-9847045-0

 

SHA256: 3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

MD5: b6bc3353a164b35f5b815fc1c429eaab

VirusTotal: https://www.virustotal.com/gui/file/3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

Typical Filename: b6bc3353a164b35f5b815fc1c429eaab.msi

Claimed Product: n/a 

Detection Name: Simple_Custom_Detection

 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

MD5: 71fea034b422e4a17ebb06022532fdde

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

Typical Filename: VID001.exe

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos

 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Typical Filename: img001.exe

Claimed Product: n/a 

Detection Name: Win.Trojan.Miner-9835871-0

 

SHA256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66

MD5: 8b84d61bf3ffec822e2daf4a3665308c

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Cisco Talos Blog