TI Lookup: Real-World Use Cases from a Malware Researcher

Editor’s note: The current article is authored by Anna Pham (also known as RussianPanda), a threat intelligence researcher. You can find her latest research and insights on X, LinkedIn, and her blog.

ANY.RUN introduced Threat Intelligence Lookup in February 2024, followed by the YARA Search in April 2024. This article will explore both services and their use cases. 

How Threat Intelligence Lookup Works

Threat Intelligence Lookup allows users to search through the database of sandbox tasks by examining specific details such as:

Processes

Modules

Files

Network and registry activity

All of these are logged by the ANY.RUN sandbox.

The service helps users find critical information like IOCs (Indicators of compromise), events, sandbox reports, and other data corresponding to the search query. 

Figure 1: Main page of Threat Intelligence Lookup service  

The main page of the Threat Intelligence service provides a summary of the most common MITRE techniques used, malware threat statistics, and popular Suricata rules derived from submitted samples, offering valuable insight into current cyber threat trends. 

Figure 2: Threat Intelligence Lookup panel overview 

After navigating to the Lookup section you’ll be able to submit your search query using over 40 different search parameters.

Explore all search parameters available in TI Lookup in the following article. ANY.RUN also offers a comprehensive query guide for the TI Lookup once you’re on the platform. 

Let’s now look into a few use cases with some of TI Lookup’s key search parameters.

Test TI Lookup to see how it can benefit your threat investigations 



Request free trial


Searching for Stealers Reaching out to Telegram  

We can create a query to identify stealers reaching out to Telegram IPs, potentially exfiltrating sensitive data, using the “destinationIpAsn” and “threatName” parameters, as shown below, for the past three months or 180 days. You can also search within 60, 30, 14, 7, 3, or 1-day intervals and bookmark the search query for later use.

Here is the query:

Figure 3: Lookup for stealers reaching out to Telegram and the result overview 

The search results show the associated IPs, Events, Files, Tasks, Synchronization (events and mutexes created), and Network threats.  

Figure 4: Overview of the Files tab 

From the Files tab, users can extract indicators and save them in JSON format.

Figure 5: Static discovering of the PE file 

Note: You can export data from any category, such as IPs, Events, Tasks, etc., in JSON. Additionally, users can view binary characteristics with static analysis or download the binary itself. 

Figure 6: Network threats tab 

We can confirm the exfiltration activity via Telegram within the Network threats tab.

Start your first investigation in TI Lookup 



Request free trial


Looking for LummaC2 samples and C2s 

To identify LummaC2 samples and C2 domains, we can use Lumma’s domains that are known to end with “.shop/api” via the following query:

The dollar sign ($) in a search represents the end of a string. When used in a search pattern, it ensures that the search string must match the end of the text being evaluated. So, using $ in the pattern “.shop/api$” ensures that the URL ends exactly with .shop/api and no other characters follow. 

Figure 7: Search results for .shop/api$ 

From the search results, we identified 26 URLs and domains related to LummaC2, which can be exported and operationalized for further monitoring, blocking, or threat hunting within the security infrastructure. 

Figure 8: URLs and Domains findings 

Searching for URLs Used to Retrieve DLL Dependencies and Pivoting on the ASN 

We know that some stealers, such as Vidar Stealer, RecordBreaker (Raccoon Stealer v2), and StealC, use additional DLL dependencies like “softokn3.dll” and “mozglue.dll” to facilitate data exfiltration from browsers, so we can create a query to look for URLs delivering the DLLs: 

Figure 9: The output from running the query that searches for URLs retrieving the DLL dependencies 

From the results below, we can see the processes that initiated the connections to the URLs to retrieve the DLLs, along with the associated URLs, IP addresses, and the countries of origin for those IPs.

Additionally, we identified another pivot point with the ASN “1337team Limited”:

Figure 10: Results from pivoting on 1337team Limited ASN 

Pivoting on the ASN mentioned above revealed more events and IPs, some of which are associated with StealC, Redline, and Amadey activities.  

Searching for Interesting Samples Using MITRE  

Users can search for relevant samples using MITRE techniques or IDs. ANY.RUN provides predefined IDs and their definitions, eliminating the need to search for them elsewhere. 

Figure 11: Predefined MITRE IDs and their definitions 

We can look for phishing samples containing malicious QR codes via the following query, where T1566 is Phishing: 

Figure 12: Results from the search for phishing emails containing the QR code 

Now, we can spice up the query and look for phishing links containing the Cloudflare challenge that is commonly used by Tycoon 2FA and other phishing kits: 

Figure 13: Results from the search for phishing links containing the Cloudflare challenge  

The query can also be adjusted to show the phishing samples with URL submissions only instead of the file attachments using the threatLevel “malicious” to avoid false positives:

Figure 14: Searching for samples containing URLs instead of file attachment submissions 

Searching for samples using CommandLine 

We can search for Latrodectus downloader samples, which is known to drop the copy of itself under the “%AppData%Custom_update” path. We can leverage that knowledge to create a query that looks for command lines containing that path:

Figure 15: Results from the query to look for a specific file path within the command line to search for Latrodectus samples 

From the Synchronization tab, we notice the mutex “runnung” being used, so we can also leverage that to look for Latrodectus samples. 

Figure 16: Leveraging the mutex finding to find Latrodectus samples 

We can also leverage CommandLine to look for malicious PowerShell commands, for example, while looking for a RobotDropper, aka LegionLoader samples.

So, for the query, we are going to grab a snippet of the base64-encoded command, which partially decodes to “$w=new-object”:

We have 13 samples that match our query, all of which are true positives.  

Figure 17: Results from the query to look for RobotDropper using CommandLine search parameter 
Figure 18: Events tab overview from the search query 

Investigate cyber threats using TI Lookup 



Request free trial


Searching for Gh0stRAT Samples and C2s from a Specific Country  

We can also create a query that searches for Gh0stRAT samples and C2s using “destinationIPgeo” as one of the search parameters; this query looks for Gh0stRAT samples that connect to servers located in China:

Figure 19: Results from the query to look for Gh0stRAT samples that connect to servers based in China 

YARA Search 

In addition to the Threat Intelligence Lookup service, ANY.RUN offers YARA Search, enabling users to scan its database of collected and analyzed threat data using YARA rules, whether imported from the local machine or created on the fly. 

We can create a YARA rule to look for LummaC2 Stealer samples, and in under 10 seconds, we get the results, which is impressively fast. Users can also run multiple YARA scans in separate tabs.  

Figure 20: Results from YARA scan 

You can view the binary’s PE characteristics from the results, download it, and export the results in JSON format. 

Figure 21: Exported JSON results 

Conclusion 

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 

ANY.RUN is making it easier for organizations to take a proactive and informed stance on cybersecurity, which is essential in our constantly evolving threat landscape.

Test ANY.RUN’s Threat Intelligence Lookup and YARA Search in a free trial →

The post TI Lookup: Real-World Use Cases <br>from a Malware Researcher appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Why system resilience should mainly be the job of the OS, not just third-party applications

Building efficient recovery options will drive ecosystem resilience

WeLiveSecurity – ​Read More

Silent Intrusion: Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access

Key takeaways


Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated attack that leverages legitimate tools such as Visual Studio (VS) Code and GitHub.

The Threat Actor (TA) used a.LNK file as the initial attack vector, potentially delivered through spam or phishing emails. The .LNK file is disguised as a legitimate setup file, using an MSI setup icon to deceive users into executing it.

Upon execution, the .LNK file silently downloads a Python distribution package and uses it to run a malicious Python script.

The TA leverages a VScode tool to initiate a Remote Tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine. This enables the TA to interact with the system, access files, and perform additional malicious activities.

To maintain persistence, the TA creates a scheduled task designed to automatically trigger the execution of a malicious Python script with SYSTEM privileges and high priority.

Similar tactics, techniques, and procedures (TTP) were employed by the Chinese APT group, Stately Taurus, in cyber espionage campaigns aimed at organizations throughout Europe and Asia.

Overview

Cyble Research and Intelligence Lab (CRIL) uncovered a campaign that leverages a suspicious .LNK file as the initial attack vector. This file, potentially delivered via spam emails, downloads a Python distribution package that is then used to execute an obfuscated Python script retrieved from a paste site. At the time of publishing this research, this script had no detections on VirusTotal (VT), making it difficult to identify through standard security measures.

Once executed, the Python script establishes persistence by creating a scheduled task with system privileges and high priority. It checks if Visual Studio Code (VSCode) is installed on the victim’s machine. If not, the script downloads the standalone VSCode CLI from a trusted source. Using VSCode, the script creates a remote tunnel, sharing an activation code with the TA, which facilitates unauthorized remote access to the victim’s machine.

The VSCode Remote – Tunnels extension is typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel. This enables users to access the machine from any VSCode client without the need for SSH. However, in this campaign, the TA exploits this feature, using it to establish a remote connection to the victim’s system for malicious purposes.

This attack method mirrors tactics previously observed in campaigns by the Stately Taurus Chinese APT group, as documented by Unit42 researchers.  In this blog, we will examine how the TA cleverly uses legitimate tools like VSCode and GitHub to conceal their activity and establish unauthorized remote connections. The figure below illustrates the infection chain.

Technical Analysis

CRIL has identified a campaign involving a suspicious .LNK file masquerading as an installer. When executed, it displays a fake “Successful installation” message in Chinese (“安裝成功“). However, in the background, it silently downloads additional components using the curl utility, including a Python distribution package named “python-3.12.5-embed-amd64.zip”.

The .LNK file then creates a directory at “%LOCALAPPDATA%MicrosoftPython” and extracts the contents of the zip archive using tar.exe into this location. Afterward, it downloads a malicious script from a paste.ee site via the URL “hxxps[:]//paste[.]ee/r/DQjrd/0” and saves it as “update.py” in the same location. Once the download is complete, the “update.py” is executed using “pythonw.exe” without showing a console window. The contents of the LNK file are shown below:

Update.py

The script begins by checking whether Visual Studio Code (VSCode) is already installed on the system. It does this by verifying the existence of the directory located at “%LOCALAPPDATA%microsoftVScode.” If this directory is not found, indicating that VSCode is not installed, the script then proceeds to download the VSCode Command Line Interface (CLI) from a Microsoft source: “hxxps://az764295.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli[.]zip.” Once downloaded, the zip file is extracted, and the executable file “code.exe” is placed into the “%LOCALAPPDATA%microsoftVScode” directory

Persistence

The script then proceeds to create a scheduled task named “MicrosoftHealthcareMonitorNode” to ensure the persistence of its malicious activities. It is designed to execute the “update.py” script using “pythonw.exe,” which runs without showing a console window, allowing the malicious activity to stay hidden. Before creating the task scheduler entry, the script checks if it already exists by running the command “schtasks /query /tn MicrosoftHealthcareMonitorNode” to avoid creating duplicates.

 The configuration of this task varies depending on the user’s privilege level. For non-admin users, the task is set to run every four hours, beginning at 8:00 AM, ensuring that the malicious script is executed at regular intervals. On systems where the user has administrative privileges, the task is configured to trigger at logon, running with elevated SYSTEM privileges and high priority, which grants it more control and less likelihood of being interrupted. The figure below shows the Schedule task entry created by the malware.

Creating Remote Tunnel

The script next checks if “code.exe” is already running in the background by inspecting the output of the “tasklist” command. If it detects that “code.exe” is not active, then proceeds to execute “code.exe” to log out any active remote sessions. This is done by issuing the command “code.exe tunnel user logout,” which ensures the termination of any existing remote tunnels connected to the victim’s system. This step is crucial for the TA, as it allows them to establish a fresh remote tunnel for future interactions with the victim’s system.

After ensuring the existing tunnel is closed, the script initiates a new process using the command:


code.exe –locale en-US tunnel –accept-server-license-terms –name <COMPUTERNAME>

This command initiates a remote tunnel, and the script automatically associates it with a GitHub account for authentication. Now, the output of the “code.exe” command is saved in a file named “output.txt” within the “%localappdata%microsoftVSCode” directory. Additionally, the content of “output.txt” is copied to another file named “output2.txt” in the same directory to extract the 8-character alphanumeric activation code for the GitHub account.

Following this, the script reads the “output2.txt” file and identifies the GitHub account activation code using a regular expression pattern “and use code (w{4}-w{4})” as shown in the figure below.  This extracted code is saved to a variable for later stages of the attack, enabling further malicious activities.

Exfiltration

The TA then gathers the victim’s system information by collecting the names of folders from several directories, including “C:\Program Files,” “C:\Program Files (x86),” “C:\ProgramData,” and “C:\Users.” In addition, Additionally, the TA obtains a list of processes currently running on the victim’s machine and sends this information directly to the TA’s command-and-control (C&C) server, “hxxp://requestrepo.com/r/2yxp98b3“ as shown below. RequestRepo.com is primarily a tool for analyzing incoming HTTP and DNS requests. However, the TA has exploited it to capture stolen data transmitted from victim machines.

Furthermore, the TA gathers more sensitive data, such as the system’s language settings, geographical location, computername, username, userdomain, the activation code for the remote tunnel, and details about user privileges. All of this data is base64 encoded to obfuscate it before being sent to the command-and-control (C&C) server via a POST request. The figure below shows the code snippet used by the TA for data exfiltration.

Impact

After the TA receives the exfiltrated data, they can log in using their GitHub account at the URL “hxxps://github.com/login/device”. Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine.

Unauthorized access to the victim’s machine allows the TA to view and manipulate files and directories stored on the victim’s system. The figure below shows how the TA can access the victim’s files through the VSCode tunnel using the stolen activation code.

This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal. With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data.

Unit42 researchers explained that the TA can execute several tools, including mimikatz, LaZagne, In-Swor, and Tscan, to perform various malicious activities on the victim’s system.

Conclusion

This campaign demonstrates the growing sophistication of TAs in leveraging legitimate tools like VSCode to establish unauthorized access to victim systems. By utilizing a seemingly harmless .LNK file and an obfuscated Python script, the Threat Actot can effectively bypass detection measures. This access allows them to manipulate files, execute commands, and potentially install additional malware, amplifying the scope for exploitation.

Organizations maintain a proactive security posture, focusing on vigilance, enhancing existing security practices, and implementing new ones to defend against a constantly evolving threat spectrum. Understanding these tactics is crucial for building a more resilient cybersecurity posture.

Recommendations


Utilize advanced endpoint protection solutions that include behavioral analysis and machine learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VSCode.

Review scheduled tasks on all systems regularly to identify unauthorized or unusual entries. This can help detect persistence mechanisms established by threat actors.

Conduct training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .LNK files and unknown sources.

Limit user permissions to install software, particularly for tools that can be exploited, like VSCode. Implement application whitelisting to control which applications can be installed and run on systems.

Deploy advanced monitoring tools that can detect unusual network traffic, unauthorized access attempts, and abnormal behavior within the system. Regularly audit and review system and application logs to catch early signs of intrusion.

MITRE ATT&CK® Techniques

Tactic
Technique
Procedure

Execution (TA0002)
Command and Scripting Interpreter: Python (T1059.006)
Update.py is downloaded and executed by the shortcut file

Persistence (TA0003)
Scheduled Task/Job: Scheduled Task (T1053.005)
MicrosoftHealthcareMonitorNode” scheduled task is created for non-admin users

Privilege Escalation (TA0004)       
Scheduled Task/Job: Scheduled Task (T1053.005)  
MicrosoftHealthcareMonitorNode” scheduled task is created for admin users with SYSTEM privilege

Defense Evasion (TA0005)
Masquerading: Match Legitimate Name or Location (T1036.005)  
Creates a folder “%localappdata%/Microsoft/Python” directory

Discovery (TA0007)
System Information Discovery (T1082)
Collects system’s language settings, geographical location, computername, username, and userdomain

Discovery (TA0007)
File and Directory Discovery (T1420)
Collects folder names present in program files and program data directory

Discovery (TA0007)
Process Discovery (T1057)
tasklist” command is used to gather a list of currently running processes.

Command and Control (TA0011)
Application Layer Protocol: Web Protocols (T1071.001)
The VSCode tunnel feature is used to access the victim’s system.

Indicators Of Compromise

Indicators
Indicator Type
Description

281766109f2375a01bad80478fd18841eccaefc1ee9277179cc7ff075d1beae2
SHA-256
Shortcut file

c7f07bdfb91653f53782885a3685436e2e965e1c5f4863c03f5a9825c0364489
SHA-256
update.py

hxxp://requestrepo.com/r/2yxp98b3
C&C
POST request sent to this URL

hxxps://paste[.]ee/r/DQjrd/0
URL
Downloads update.py

The post Silent Intrusion: Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access appeared first on Cyble.

Blog – Cyble – ​Read More

How to Collect Indicators of Compromise in the ANY.RUN Sandbox

Gathering Indicators of Compromise (IOCs) is key to identifying and responding to threats. IOCs are pieces of forensic data that point to potential malicious activity, helping you detect, investigate, and prevent cyberattacks.

With ANY.RUN, you can collect a wide variety of IOCs, giving you a complete picture of any threat. 

Let’s dive into the types of IOCs you can collect in ANY.RUN’s Interactive Sandbox and where to find them. 

File System Indicators 

Main Objects 

The Main Object is one of the most critical components when analyzing malware inside the ANY.RUN sandbox. This refers to the primary file that was loaded for analysis. 

Once you’ve initiated a sandbox analysis session, simply click on the file name located in the upper-right corner of the screen.  

File name displayed inside ANY.RUN sandbox 

This action will give you quick access to the Main Object IOCs, which include basic details such as file paths, hashes, and more.  

Main Objects IOCs inside ANY.RUN sandbox analysis

Analyze and collect IOCs of malware and phishing threats
in the ANY.RUN sandbox 



Start your first analysis


Dropped Executable Files 

All files dropped during the malware’s execution are shown in the bottom panel under Files. This area demonstrates exactly what files the malware generated or modified, helping you track its propagation across the system. 

Dropped executable files inside ANY.RUN

Network Indicators 

Domains (DNS Requests) 

Domains that the malware attempts to access can help you trace its communication with external servers, such as command-and-control (C2) infrastructure.  

You can find these IOCs under Network → DNS Requests in the bottom panel of the sandbox interface.  

By analyzing the DNS requests, you’ll get a clearer view of how the malware interacts with remote hosts, often revealing malicious infrastructure or other indicators that can assist in further threat investigation. 

DNS requests inside ANY.RUN sandbox

Connections 

The malware’s active connections can be observed under Network → Connections.  

This feature allows you to monitor the malware’s communication channels, tracking its interactions with command-and-control (C2) servers or other suspicious IP addresses.  

Analyzing these connections enables you to identify data exfiltration routes or pinpoint where the malware is sending information. 

Connections in ANY.RUN sandbox analysis 

HTTP/HTTPS Requests 

HTTP and HTTPS requests initiated by the malware are logged under NetworkHTTP Requests. This is crucial for identifying malicious websites or external servers the malware connects to. 

HTTP requests displayed in ANY.RUN

Malware Configurations

In the ANY.RUN sandbox, you can gather IOCs specifically associated with malware configurations by clicking the MalConf button located in the upper right corner of the screen.

MalConf button inside ANY.RUN sandbox 

The feature specifically pulls IOCs from to the malware’s configurations, such as URLs, file hashes, and domains, providing key insights that are crucial for further in-depth investigation and reporting.

Malware configurations inside ANY.RUN sandbox session

Integrate ANY.RUN sandbox in your organization 



Request a 14-day trial


Centralized IOC Window 

You can easily access all the important indicators in the IOC window. 

Simply hit the IOC button located in the top-right corner, and you’ll instantly gain access to the most critical IOCs collected throughout the analysis—whether they come from Static Analysis or Malware Configurations.  

IOC button in ANY.RUN sandbox session 

This window saves time and ensures that all critical data is conveniently organized in one place for easier review. 

IOCs window inside the ANY.RUN sandbox 

The IOC window is easy to navigate thanks to the simple dropdown menu.

Summary of IOCs with dropdown menu inside ANY.RUN’s sandbox 

You can quickly filter and organize IOCs. Plus, copying the selected indicators for your reports or further analysis is just a click away, making the whole process smooth and efficient. 

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial →

The post How to Collect Indicators of Compromise <br>in the ANY.RUN Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, GitLab and Microchip

Key Takeaways


Cyble threat intelligence researchers investigated 15 vulnerabilities this week and highlighted three of them for security teams to prioritize.

Cyble researchers also found seven vulnerability exploits discussed on the dark web and cybercrime forums, raising the risk that those flaws will be increasingly exploited.

Cyble recommends eight best practices for preventing and limiting cyberattacks and data breaches.

Overview

Cyble Research and Intelligence Labs (CRIL) researchers this week investigated 15 vulnerabilities of particular significance for IT teams, and identified three that merit high-priority patching.

Cyble’s Sept. 18-24 Weekly Vulnerability Insights Report for subscribers also examined seven exploits circulating on the dark web and cybercrime forums, elevating the importance of addressing those flaws too.

Cyble also highlighted eight cybersecurity best practices that all organizations should follow to reduce the risk of cyberattacks and contain any that do occur.

The full report is available for subscribers; here we’ll focus on the most critical risks.

The Top IT Vulnerabilities This Week

The three vulnerabilities highlighted in the report include:

CVE-2024-8963, a critical admin bypass vulnerability in Ivanti Cloud Services Appliance (CSA), is a security-focused solution designed to facilitate secure communication and device management. Recently, Ivanti disclosed that attackers could exploit the flaw by chaining CVE-2024-8963 with CVE-2024-8190 to bypass admin authentication and execute arbitrary commands on unpatched appliances. This vulnerability is also being discussed on the dark web (see below). There is an available patch. Cyble researchers also issued a separate advisory on a vulnerability (CVE-2024-7593) in Ivanti’s Virtual Traffic Manager (VTM).

CVE-2024-45409, a critical SAML authentication bypass vulnerability impacting self-managed installations of the GitLab Community Edition (CE) and Enterprise Edition (EE). Security Assertion Markup Language (SAML) is a single sign-on (SSO) authentication protocol that allows users to log in across different services using the same credentials. An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. The disclosure follows several other recent GitLab vulnerabilities.

Internet Exposure? No

Patch Available? Yes

CVE-2024-7490, a critical improper input validation vulnerability in Microchip Technology Advanced Software Framework, a comprehensive library designed for microcontrollers, facilitating various stages of product development, including evaluation, prototyping, design, and production. The vulnerability can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.

Internet Exposure? No

Patch Available? Yes

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels where the channel administrator shared or discussed exploits weaponizing vulnerabilities, including:

CVE-2024-8190: This is a high-severity OS command injection vulnerability present in Ivanti’s Cloud Services Appliance versions 4.6 Patch 518. It allows attackers with admin access to execute arbitrary commands on the system, potentially leading to complete system compromise.

CVE-2024-36837: A high-severity SQL injection vulnerability present in CRMEB version 5.2.2. This vulnerability allows remote attackers to gain unauthorized access to sensitive information.

CVE-2024-46740: A high severity Use-After-Free (UAF) vulnerability in the Linux Kernel. It is specifically related to the binder subsystem.

CVE-2024-20439: A critical security vulnerability affecting the Cisco Smart Licensing Utility, which could allow unauthenticated, remote attackers to gain administrative access to the system.

CVE-2024-8956: A critical improper authentication vulnerability was identified in PTZOptics’ PT30X-SDI and PT30X-NDI cameras prior to firmware version 6.3.40.

CVE-1999-1587: A vulnerability is present in the ‘/usr/ucb/ps’ command in Sun Microsystems’ Solaris OS, affecting Solaris 8 and 9, as well as a few older versions. The vulnerability allows local users to exploit certain parameters in the commands to view environment details on the system.

CVE-2024-23692: CRIL observed multiple administrators of Telegram channels and a Threat Actor sharing a proof of concept (PoC) for a critical command injection vulnerability affecting the Rejetto HTTP File Server (HFS), specifically versions up to 2.3m. The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands by sending specially crafted HTTP requests to the server.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

1. Implement the Latest Patches

To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

2. Implement a Robust Patch Management Process

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

3. Implement Proper Network Segmentation

Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

4. Incident Response and Recovery Plan

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

5. Monitoring and Logging Malicious Activities

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

6. Keep Track of Security Alerts

Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

7. Visibility into Assets

Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.

8. Strong Password Policy

Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.

The post Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, GitLab and Microchip appeared first on Cyble.

Blog – Cyble – ​Read More

Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan

Key Takeaways


Cyble’s Threat Hunting Honeypot sensors detected five recent vulnerabilities under active exploitation, including newly identified attacks against WordPress plugins.

A new banking trojan is engaged in active attacks in Europe and is expected to spread to other regions.

Of more than 400 identified scam email addresses discovered, six in particular stand out.

Commonly targeted ports have been identified and should be blocked by security teams.

Overview

Cyble’s Threat Hunting service this week discovered multiple instances of exploit attempts, malware intrusions, financial fraud, and brute-force attacks via its network of Honeypot sensors.

In the week of Sept. 18-24, Cyble researchers identified five recent active exploits, including new attacks against WordPress plugins, a new malware variant targeting the banking industry, more than 400 new spam email addresses, and thousands of brute-force attacks.

Vulnerability Exploits

Cyble sensors detected five recent vulnerabilities under active exploitation, in addition to a number of older vulnerabilities being actively exploited:

Case 1: SQL Injection Attack

CVE-2024-27956 is a 9.9-severity improper neutralization of Special Elements used in an SQL Command vulnerability in ValvePress Automatic WordPress plugins that allows for SQL Injection attacks. This issue affects Automatic: from n/a through 3.92.0.

Case 2: PHP CGI Argument Injection Vulnerability

CVE-2024-4577 is a 9.8-severity PHP vulnerability that impacts CGI configurations and has been under attack since it was announced in June. It enables attackers to execute arbitrary commands through specially crafted URL parameters. It affects PHP versions 8.1.* before 8.1.29; 8.2.* before 8.2.20; and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows.

Case 3: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation

CVE-2024-36401 is a 9.8-severity RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, which may impact functionality.

Case 4: Network Command Injection Vulnerability Without Authentication

CVE-2024-7029 is an 8.7-severity AVTECH IP camera vulnerability that allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems.

Case 5: Network Command Injection Vulnerability Without Authentication 

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to a 9.8-severity arbitrary code execution vulnerability (CVE-2024-7954). A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

Octo2: New Malware Variant Targets European Banks in Active Attacks

Octo2, a new variant of the Octo mobile banking trojan, was recently discovered in European bank attacks, and deployment in other global regions is expected to follow.

Octo (also known as ExobotCompact) has emerged as one of the most prominent malware families in the mobile threat landscape, leading in the number of unique samples detected this year. Recently, a new variant named “Octo2,” created by the original threat actor, has been discovered, signaling a potential shift in the actors’ tactics and strategies. This upgraded version enhances the malware’s remote action capabilities, particularly for Device Takeover attacks, ensuring greater stability in execution. New Octo2 campaigns have already been observed targeting several European countries. Additionally, Octo2 employs advanced obfuscation techniques to evade detection, including the introduction of a Domain Generation Algorithm (DGA), further bolstering its ability to remain hidden from security systems.

Here are known hashes and IoCs, via Threat Fabric:

Hash (SHA256)
app name
package name

83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae
NordVPN
com.handedfastee5

6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98
Europe Enterprise
com.xsusb_restore3

117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9
Google Chrome
com.havirtual06numberresources

More Than 400 Scam Email Addresses Detected

Cyble identified 410 new email addresses used in scam campaigns. Here are six notes:

E-mail Subject 
Scammers Email ID 
Scam Type 
Description 

Claim Directives 
info@szhualilian.com   
Claim Scam 
Fake refund against claims 

Dear winner! 
info@student.htw-berlin.de   
Lottery/Prize Scam 
Fake prize winnings to extort money or information 

DONATION NOTICE 
m.sharifi@qiau.ac.ir   
Donation Scam 
Scammers posing as donors to donate money 

INVESTMENT PROPOSAL 
Walsh.philip@natwest.co.uk   
Investment Scam 
Unrealistic investment offers to steal funds or data. 

Order: cleared customs 
support@ip.linodeusercontent.com   
Shipping Scam 
Unclaimed shipment trick to demand fees or details 

UN Compensation Fund 
info@usa.com 
Government Organization Scam 
Fake UN compensation to collect financial details 

Brute-Force Attack Ports Identified

Of the thousands of brute-force attacks identified by Cyble, the following targeted ports stand out as meriting attention.

Based on a close inspection of the distribution of attacked ports based on the top five attacker countries, Cyble noticed attacks originating from the United States are targeting ports 22 (40%), 3389 (32%), 445 (21%), 23 (4%), and 80(3%). Attacks originating from Turkey are targeting ports 3389 (100%). Russia, China, and Bulgaria mainly targeted ports 5900 and 445.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

Cyble Recommendations

Cyble researchers recommend the following security controls:


Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).

Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.

Constantly check for Attackers’ ASNs and IPs.

Block Brute Force attack IPs and the targeted ports listed.

Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

The post Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan appeared first on Cyble.

Blog – Cyble – ​Read More

Gamaredon’s operations under the microscope – Week in security with Tony Anscombe

ESET research examines the group’s malicious wares as used to spy on targets in Ukraine in the past two years

WeLiveSecurity – ​Read More

How to solve the cybersecurity talent shortage | Kaspersky official blog

Skills shortages in the cybersecurity industry are hardly a new phenomenon; however, in recent years it has become painfully acute. The trigger was the coronavirus pandemic, which provoked rapid digitalization of most everything in the world, and an equally rapid increase in the number of cyberattacks. This led to demand for cybersecurity professionals seriously outstripping supply.

ISC2, a leading cybersecurity expert-certification company, publishes its Cybersecurity Workforce Study every year. According to its latest report, the number of cybersecurity specialists in the world increased by 8.7% between 2022 and 2023. Sounds great. The problem is, however, that the talent shortage also grew – by 12.6% over the same period. When the report went to press, the global staffing shortage in the cybersecurity industry stood at a whopping four million employees. So what’s going on?

Cybersecurity in higher education

To get an answer to this question, we conducted a massive survey of more than a thousand cybersecurity professionals from 29 countries. We interviewed employees across the board – from entry-level technicians to directors and SOC heads.

Some interesting facts came to light as a result. Most interestingly, not all experts in the field had studied cybersecurity at college or university. The figures vary by region, but on average no more than half had done a dedicated course. What’s more, the majority of respondents spoke of a lack of specialized cybersecurity courses in higher education on the whole.

Respondents rated the availability of specialized cybersecurity courses in higher education institutions as poor. Source

As for whether higher education is a must for a career in cybersecurity, respondents’ views were decidedly mixed: only half consider a degree to be either very or extremely useful; a quarter have a neutral opinion; and another quarter believe a degree to be totally useless.

The main problem with formal cybersecurity education is that it forever lags behind real-world developments. Tools, technologies and threats are evolving so rapidly that knowledge acquired on a course becomes largely obsolete by graduation day.

The surveyed cybersecurity specialists also noted that higher education often neither provides sufficient hands-on training, nor helps develop the skills needed to build a career in the field. So young professionals are often sorely unprepared for what awaits them in the real world.

Consequences for business

The lack of hands-on experience means that many aspiring professionals make poor decisions, which can have major knock-on effects for employers. As nearly half of the respondents (46%) noted, it took them more than a year to get settled in their first job.

At the same time, more than half (51%) admitted making serious mistakes in their first few years on the job. These were the top five mistakes mentioned:

Not installing updates and patches in good time (43%)
Using weak, easy-to-guess passwords (42%)
Not backing up important data in good time (40%)
Using outdated security measures (29%)
Falling for phishing (29%)

More than half of infosec professionals admit making serious mistakes in their first years in the job. Source

Often, infosec experts have far higher privileges for and access to many systems not available to regular employees. Therefore, such mistakes can have catastrophic consequences for companies – ranging from critical infrastructure compromise and ransomware infection to industrial espionage and data leakage.

Patching the talent shortage

Of course, the problem of cybersecurity staffing shortages is too big for a quick-fix solution. Only with a long-term and comprehensive approach will it be possible to fill the deficit of qualified specialists.

Our focus at Kaspersky is on two priorities. The first is the need to establish more effective cooperation between business and academic education. To ensure that graduates meet employers’ requirements, higher education institutions need to be helped to adapt their programs to real-world developments to make them more flexible.

To that end, we’ve long been working closely with numerous educational organizations. In particular, through our Kaspersky Academy Alliance partner program, colleges and universities have access to world-class know-how, lectures, trainings and technologies, and can integrate industry expertise into curricula in line with the latest trends.

The second priority we see is that business needs to give infosec employees – especially entry-level specialists – the opportunity to fill any gaps in theoretical knowledge and, more importantly, practical skills needed to do the job. With the rapidly evolving techscape and threatscape, professionals need to constantly upskill to stay on top.

Available to both organizations and individuals, our Kaspersky Academy corporate education program and our Kaspersky Expert Training online courses can greatly help with your professional training needs. Within these programs, we offer courses and trainings based on decades of experience of leading experts spanning all cybersecurity fields.

Mitigation

Lastly, a few tips that won’t directly fix the talent shortage worldwide, but will make it less acute within your organization:

To lessen the burden on the infosec department, train employees in the basics of cybersecurity: our Kaspersky Automated Security Awareness Platform provides everything you need for this.
The IT service’s practical skills in recognizing signs of an attack also help reduce the workload of the infosec department. Such skills can be acquired, for example, by taking our cybersecurity training for general IT specialists.
Another way to relieve the talent shortage is to deploy robust, time-saving tools, such as Kaspersky NEXT XDR.
If you lack highly-qualified specialists in-house, consider engaging third-party services, such as Managed Detection and Response and Incident Response.

Kaspersky official blog – ​Read More

Ranveer Allahbadia YouTube Channel Hack: What Happened and What’s Next

On a recent Wednesday night, Ranveer Allahbadia, the popular figure behind the YouTube channels BeerBiceps and his main channel, became a victim of a cyberattack. The Ranveer Allahbadia YouTube channel hack resulted in a complete overhaul of their content and branding.  

After gaining unauthorized access, the hackers renamed the main channel to “Tesla” and altered the personal channel to “@Tesla.event.trump_2024.” This takeover included the deletion of all interviews and podcasts, which were replaced with older streams featuring high-profile personalities like Elon Musk and Donald Trump. 

Ranveer Allahbadia YouTube Channel Hack

On his BeerBiceps channel, the name was changed to “@Elon.trump.tesla_live2024.” In a humorous yet pointed response to the breach, Ranveer took to Instagram to share his thoughts about the BeerBiceps and Ranveer Allahbadia YouTube channel hack, posting, “Celebrating my two main channels being hacked with my favourite food. Vegan burgers. Death of BeerBiceps met with death of diet. Back to Mumbai.” 

Before the attack on YouTube channels, Ranveer Allahbadia was well-known for his engaging content that spans motivational advice, lifestyle tips, and how-to tutorials. His primary YouTube channel has amassed over 9.4 million subscribers (about half the population of New York) and approximately 2.84 billion total views since its inception in 2017. The BeerBiceps channel, launched in 2014, attracted around 7.84 million subscribers and over 2 billion views. 

Recent statistics revealed that Ranveer’s channels experienced substantial growth, with an increase of 360,000 subscribers and around 319 million views in just the past month. In terms of rankings, he was positioned 570th in total grade and 432nd in subscriber rank within India, as per the data on SocialBlade. 

The Ranveer Allahbadia YouTube channel hack is not an isolated incident. The hacking of YouTube channels has become a staple for malicious actors. For example, earlier this year, the official YouTube channel of the Supreme Court of India fell victim to a hacking incident, where unauthorized content promoting cryptocurrency was posted.  

Similarly, comedian Bharti Singh faced a crisis when her YouTube channel, Bharti TV Network, was hacked. Singh took to social media to express her distress and seek urgent assistance from YouTube India, stressing the severity of the issue and the need for immediate intervention. 

The Rise of Crypto-Related Hacks

The cyberattack on Ranveer Allahbadia not only impacts his content but also raises questions about the security measures in place for popular YouTube channels. The attack reflects a troubling trend where hackers exploit well-known personalities and brands, using their platforms to promote unrelated content, often of a dubious nature. 

For creators like Ranveer, the repercussions of such hacks can be far-reaching. The loss of valuable content, along with the disruption of their brand identity, poses a dire threat to their online presence and audience trust.  

A notable pattern in recent hacking incidents is the targeting of digital platforms to promote cryptocurrencies. Reports indicate that many high-profile channels, including those of celebrities, have been hijacked to showcase cryptocurrency-related content. This trend has led to a broader conversation about digital security and the accountability of platforms like YouTube in preventing such breaches. 

Ripple Labs, a notable player in the cryptocurrency space, even initiated legal action against YouTube, claiming inadequate protection against scammers who impersonated its executives and engaged in fraudulent activities. The lawsuit aimed to catalyze changes in industry practices concerning accountability and response to such digital threats. 

Recommendations for Content Creators

Considering these incidents, content creators are urged to adopt stronger security measures to protect their channels from potential hacks. Here are some recommended steps: 


Enable Two-Factor Authentication (2FA): This adds an extra layer of security by requiring not just a password but also a second form of identification. 

Regularly Update Passwords: Creators should use strong, unique passwords and change them frequently to reduce the risk of unauthorized access. 

Monitor Channel Activity: Regularly check for any unusual activity on channels and address any discrepancies immediately. 

Educate on Phishing Scams: Creators should be aware of common phishing tactics that hackers use to gain access to accounts. 

Back-Up Content: Regularly back up content to ensure that valuable videos and data can be recovered in case of a breach.

The post Ranveer Allahbadia YouTube Channel Hack: What Happened and What’s Next appeared first on Cyble.

Blog – Cyble – ​Read More

Top ICS Vulnerabilities This Week: Cyble Urges Siemens and Rockwell Automation Fixes

Key Takeaways


Cyble researchers this week investigated 11 industrial control system (ICS) vulnerabilities, in systems from Siemens, Rockwell Automation, Yokogawa, Kastle Systems, IDEC Corporation and MegaSys Computer Technologies.

Two of the vulnerabilities require immediate attention: an uncontrolled resource consumption vulnerability in Siemens SIMATIC S7-200 SMART CPUs, and an insufficient verification of data authenticity vulnerability in Rockwell Automation’s RSLogix 5 and RSLogix 500 software that could allow scripts to execute without user intervention.

Cyble researchers also reported on the additional 9 ICS vulnerabilities, and recommended 11 ICS security best practices for organizations to implement and follow.

Overview

Cyble Research and Intelligence Lab (CRIL) researchers investigated 11 vulnerabilities in industrial control systems (ICS) for the week of Sept. 17-23 and urged security teams to prioritize patching two of them, in Siemens SIMATIC S7-200 SMART CPUs and Rockwell Automation’s RSLogix 5 and RSLogix 500 software.

The other 9 vulnerabilities are in systems from Yokogawa, Kastle Systems, IDEC Corporation and MegaSys Computer Technologies.

Siemens and Rockwell Automation Vulnerabilities

Cyble researchers recommend prioritizing two vulnerabilities in particular:

CVE-2024-43647, which affects multiple Siemens SIMATIC S7-200 SMART CPUs, including various CR, SR, and ST models. This vulnerability stems from improper handling of TCP packets with incorrect structures, which can lead to a denial-ofservice (DoS) condition. An unauthenticated attacker can remotely exploit this flaw with minimal complexity, potentially causing the target system to become unavailable. The vulnerability does not compromise confidentiality or integrity but significantly impacts availability, as it can entirely disrupt access to affected devices until manual intervention is applied to restore operations.

CVE-2024-7847 is a high-severity vulnerability found in Rockwell Automation’s RSLogix 5 and RSLogix 500 software, which are widely used in industrial control systems (ICS). This flaw allows remote code execution (RCE) through malicious VBA-embedded scripts within project files. Once an unsuspecting user opens a manipulated project file, the embedded script can execute without user intervention, potentially giving attackers unauthorized access to critical systems.

Other ICS Vulnerabilities

The other vulnerabilities investigated by CRIL researchers include:

CVE-2024-45682, a command injection vulnerability in Millbeck Communications Proroute H685t-w: Version 3.2.334

CVE-2024-38380, a cross-site scripting (XSS) vulnerability in Millbeck Communications Proroute H685t-w: Version 3.2.334

CVE-2024-8110, an unchecked return value flaw in Yokogaw’s Dual-redundant Platform for Computer (PC2CKM): Versions R1.01.00 to R2.03.00

CVE-2024-41927, a cleartext transmission of sensitive information vulnerability in certain IDEC Corporation FC6A and FC6B Series MICROSmart CPU modules and FT1A Series SmartAXIS Pro/Lite versions

CVE-2024-28957, a generation of predictable identifiers flaw in certain IDEC Corporation FC6A and FC6B Series MICROSmart CPU modules and FT1A Series SmartAXIS Pro/Lite versions

CVE-2024-41716, a cleartext transmission of sensitive information vulnerability in IDEC Corporation WindLDR: Ver.9.1.0 and prior, and WindO/I-NV4: Ver.3.0.1 and prior

CVE-2024-6404, an improper input validation vulnerability in MegaSys Computer Technologies Telenium Online Web Application: versions 8.3 and prior

CVE-2024-45861, a use of hardcoded credentials flaw in Kastle Systems Access Control System: firmware before May 1, 2024

CVE-2024-45862, a cleartext transmission of sensitive information vulnerability in Kastle Systems Access Control System: firmware before May 1, 2024

Cyble Recommendations

Cyble researchers also recommended 11 ICS security best practices for security teams to follow:


Keep track of security and patch advisories and alerts issued by vendors and state authorities.

Follow a risk-based vulnerability management approach to reduce the risk of exploitation of assets and implement a Zero-Trust Policy.

Threat Intelligence Analysts should support the organizational patch management process by continuously monitoring critical vulnerabilities published in the KEV Catalog of CISA, actively exploited in the wild, or identified in mass exploitation attempts on the internet.

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

Implement proper network segmentation to prevent attackers from performing discovery and lateral movement and to minimize exposure of critical assets.

Conduct regular audits, vulnerability assessments, and pentesting exercises to find security loopholes that attackers may exploit.

Continuous monitoring and logging can help in detecting network anomalies early.

Utilize Software Bill of Materials (SBOM) to gain more visibility into individual components, libraries, and their associated vulnerabilities.

Install physical controls to prevent unauthorized personnel from accessing your devices, components, peripheral equipment, and networks.

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

Conduct ongoing cybersecurity training programs for all employees, particularly those with access to OT systems. This includes educating staff on recognizing phishing attempts, proper use of authentication mechanisms, and the importance of following security protocols to prevent accidental security breaches.

The post Top ICS Vulnerabilities This Week: Cyble Urges Siemens and Rockwell Automation Fixes appeared first on Cyble.

Blog – Cyble – ​Read More