Welcome to ANY.RUN‘s monthly updates, where we share our latest achievements and improvements. 

October has been another productive month here at ANY.RUN, filled with new features to enhance your cybersecurity toolkit. We’ve introduced TI Lookup Notifications for real-time threat updates, rolled out a newly improved Linux sandbox for smoother malware analysis, and added the ability to export STIX reports for seamless data sharing. 

In addition, we’ve expanded our detection capabilities with a range of new signatures and YARA rules, empowering you with even stronger threat coverage. 

And that’s just the beginning!  

Let’s dive into all the exciting updates from ANY.RUN this month. 

Product Updates

Upgraded Linux Sandbox  

At ANY.RUN, we’re always working to improve our services, and this time, we’ve focused on making our Linux sandbox even better. This upgrade brings a seamless, stable experience on par with our Windows environment, making it easier than ever to analyze Linux malware in real time. 

We’ve fine-tuned the Linux sandbox with new features and enhancements to boost both performance and usability. Here’s a quick overview of what’s new and how these updates benefit you: 

• File events tracking: Monitor and log all file actions—whether malware is creating, modifying, or deleting files, you’ll see it all in the analysis report. 
• Improved process tree: Navigating the process tree is now lag-free, letting you analyze malware behaviors more efficiently. 
• Real-time file uploads: You can now upload files during an active session, adding flexibility to your investigation without needing to restart. 

See all updates in our blog post.

STIX Reports 

In October, we enhanced ANY.RUN’s capabilities by introducing the option to export threat analysis data in the Structured Threat Information eXpression (STIX) format. STIX is a standardized language that facilitates consistent and machine-readable sharing of cyber threat intelligence. 

Key features of STIX reports: 

• Comprehensive data inclusion: Each STIX report encompasses a wide range of information from your analysis, such as sandbox session links, file hashes, network traffic details, file system modifications, and Tactics, Techniques, and Procedures (TTPs). 

• Seamless integration: These reports are compatible with Security Information and Event Management (SIEM) systems and other automated tools, promoting efficient threat detection and response. 

• Enhanced collaboration: By utilizing STIX reports, analysts and incident response teams can effortlessly share threat data across various platforms, improving communication and coordination. 

Discover all types of reports available in the ANY.RUN sandbox.

TI Lookup Notifications 

We have enhanced Threat Intelligence Lookup with Notifications. The new functionality allows users to subscribe to real-time updates on new results related to their specific queries. This includes Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs). 

After subscribing to specific queries, the new results will appear in the dashboard, highlighted in green. This will make it easier for you to notice the fresh updates. 

Why use Lookup Notifications? 

• Automatically monitor and receive updates for your chosen queries, so you never miss critical threat information. 
• Tap into threat data sourced from samples uploaded by over 500,000 security pros using ANY.RUN’s Interactive Sandbox, giving you a broad view of global cyber activity. 
• Keep track of IOCs, IOAs, and IOBs relevant to your organization, helping you verify potential threats and proactively strengthen your defenses. 
• Use real-time insights to refine detection rules, enrich your data, and stay prepared against emerging threats. 

See a guide on how to set up notifications in TI Lookup.

Export Session Lists from Team History 

We’ve introduced a new feature that allows you to export analysis session lists from your team’s history in a specific JSON format. This export provides a structured list of all sandbox sessions completed by your team. 

This feature is designed to help with record-keeping and reporting, making it easier to manage and track your team’s activities over time. 

Custom Tags for Analysis Sessions via API 

We’ve added the ability to set custom tags for sandbox sessions via the API. Previously, you could assign personalized tags to sessions through the web interface, in addition to the system-generated tags. Now, you can do the same directly through the API, giving you more flexibility in organizing and categorizing your analyses. 

Redesigned Threat Intelligence Home Screen with MITRE ATT&CK Matrix 

We’ve redesigned our Threat Intelligence home screen to give you a clearer and more intuitive view of the threat landscape.

The updated home screen now features a MITRE ATT&CK matrix with refined techniques and tactics, helping you better assess and understand threats. 

Threat Coverage Updates 

In October, we’ve significantly expanded our detection capabilities with new and updated signatures and YARA rules. 

New Signatures 

This month, we’ve added 90 new signatures to improve detection and monitoring across various malware types and tools, including:

VOBFUS

BASUN

SYSBOT

TIWI

NESHTA

KMS Tool

Blackshades

Modiloader

Shellrunner

Revenge

GoToHttp

AnyDesk

Emmenhtal

SkypeLogView

LockBit3

Ngrok

PSExec

COBINT

ProcDump 

PowerView

SecretsDump 

We added signatures for actions performed via PowerShell: 

• Resets Windows Defender malware definitions to the base version  
• Changes settings for sending potential threat samples to Microsoft servers  
• Changes settings for reporting to Microsoft Active Protection Service (MAPS)  
• Changes Controlled Folder Access settings  
• Changes settings for real-time protection  
• Changes settings for checking scripts for malicious actions  
• Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)  
• Changes settings for protection against network attacks (IPS)  
• Removes files via Powershell 
• Renames file via Powershell 
• Hides errors and continues executing the command without stopping  

We also implemented detection for Pafish, aka Paranoid Fish, execution with cohost.exe as a parent process, and encrypted JSE scripts.

YARA Rules 

This month, we’ve expanded our YARA rule set with several new and improved detections, enhancing the ability to identify and monitor specific threats.  

In total, we’ve added 9 new YARA rules, covering various malware families, programming language-based detections, and refinements for better accuracy.

Unknown Stealer (go)  

PureCrypter  

DarkGate  

HijackLoader   

Network Detection Update 

In October, we worked to enrich our database with phishing IOCs, leveraging advanced data analysis within TI Lookup. This effort led to the identification of nearly 6,000 domains, each generating a dedicated Suricata rule. 

 Most of the rules are now live, strengthening our phishing detection capabilities. 

We also expanded our catalog of detected phishing kits with the addition of Mamba2FA, enhancing our overall threat coverage.

Our external threat intelligence this month focused on proactively detecting phishing campaigns by groups like Storm, allowing us to better track and respond to their evolving tactics. 

Heuristic and Proactive Phishing Detection

This month, our phishing detection capabilities have been enhanced with advanced heuristics and proactive signatures. Here are some examples of recent detections: 

• Heuristic signature detection: PHISHING [ANY.RUN] Domain chain identified as Phishing (challengepoint). View analysis session 

• Statistical analysis detection: Using statistical processing of previously detected phishing patterns, we flagged PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain (logbook-annul-srt[.]click) as a high-risk domain. View analysis session 

• External threat intelligence detection: Through threat intelligence from external sources, we identified PHISHING [ANY.RUN] Suspected AiTM Storm1575 Domain Phishing Infrastructure (eslebrrte[.]com, eslebrrte[.]de), linked to the Storm1575 phishing campaign. View analysis session 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Request free trial of ANY.RUN’s products →

The post Release Notes: TI Lookup Notifications, Upgraded Linux Sandbox, STIX Reports, <br>and More  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, spotlighting security flaws in Pan-Tilt-Zoom (PTZ) cameras.

The vulnerabilities, which affect specific PTZOptics camera models, pose a considerable risk to organizations that rely on these devices for surveillance, live streaming, and conference automation.

These flaws could be leveraged by malicious actors to execute OS command injections or bypass authentication controls, exposing sensitive systems to potential breaches.

Vulnerabilities in PTZOptics Cameras: CVE-2024-8956 and CVE-2024-8957

The two vulnerabilities—CVE-2024-8956 and CVE-2024-8957—affect the PT30X-SDI/NDI series of PTZ cameras from PTZOptics. These devices, which are also embedded in various white-label AV equipment, are vulnerable to critical security flaws that could allow attackers to gain unauthorized access and execute arbitrary commands. Here’s an overview of each vulnerability:

1. CVE-2024-8956: Authentication Bypass Vulnerability

1. CVSS Score: 9.1 (Critical)
   1. Description: This authentication bypass vulnerability affects the PTZOptics PT30X-SDI and PT30X-NDI-xx-G2 cameras running versions prior to 6.3.40. Due to improper authorization, attackers can remotely access the cameras without authentication. This allows them to leak sensitive data, including usernames, password hashes, and device configuration details. Additionally, attackers can modify or overwrite the configuration files, compromising the system’s integrity.
   1. Impact: The vulnerability provides attackers with the ability to access critical configuration files and potentially disrupt operations by altering camera settings.

• CVE-2024-8957: OS Command Injection Vulnerability
  • CVSS Score: 9.8 (Critical)
  • Description: This OS command injection vulnerability arises from insufficient validation of the ntp_addr configuration value in the PTZOptics cameras. When the ntp_client service is started, the flaw allows remote attackers to execute arbitrary commands on the affected devices. When combined with the previous authentication bypass vulnerability (CVE-2024-8956), an attacker could leverage both vulnerabilities to perform even more damaging actions, such as executing malicious commands remotely.
  • Impact: Attackers can exploit this flaw to compromise the camera’s operating system, potentially allowing them to gain full control over the device and even spread their attack within a network.

CISA’s Action: Immediate Attention Required

PTZ cameras are widely used across various industries for surveillance, broadcasting, and remote monitoring, making them a prime target for cybercriminals. The authentication bypass vulnerability and OS command injection vulnerability in these cameras represent frequent attack vectors for malicious cyber actors, who often exploit such flaws to gain unauthorized access, exfiltrate sensitive data, or even take control of critical systems.

Organizations that utilize PTZ cameras in their infrastructure are strongly advised to patch these vulnerabilities immediately to mitigate potential security risks. The vulnerabilities disclosed in PTZOptics cameras are part of a broader trend of vulnerabilities in Pan-Tilt-Zoom (PTZ) cameras, which have increasingly become targets for attackers due to their prevalence in critical systems. OS command injection vulnerabilities and authentication bypass vulnerabilities in cameras expose organizations to severe security risks, especially when these devices are connected to the internet without proper safeguards.

PTZ cameras, like many IoT devices, often operate with limited built-in security measures. These devices typically have embedded software and firmware that can be vulnerable to attack, especially when manufacturers fail to release timely security updates. Additionally, the growing use of white-label AV equipment based on third-party camera firmware further complicates the security landscape, as these devices may not receive adequate vendor support.

Both CVE-2024-8956 and CVE-2024-8957 are acknowledged by ValueHD Corporation, the vendor behind the PTZOptics camera models. The company has released a patch for the affected camera models to address these vulnerabilities. Customers using PTZOptics PT30X-SDI and PTZOptics PT30X-NDI-xx-G2 cameras should immediately upgrade to version 6.3.40 or later to prevent exploitation.

Recommendations and Mitigating for PTZ Camera Vulnerabilities

To address the risks by vulnerabilities in PTZ cameras, organizations should implement several best practices to protect their systems from potential exploitation:

1. As soon as a vendor releases a patch addressing critical vulnerabilities like authentication bypass or OS command injection, organizations should prioritize its installation. Delays in patching can expose devices to active attacks.
2. Critical devices, including PTZ cameras, should not be exposed directly to the internet. Organizations should segment their networks to isolate critical assets and use firewalls and access controls to limit exposure.
3. Implementing a patch management process that includes inventory management, patch assessment, testing, and deployment can help ensure that vulnerabilities are addressed in a timely manner across the entire infrastructure.
4. Organizations should have a clear and tested incident response plan in place to quickly detect, respond to, and recover from security incidents. This plan should be aligned with current threat landscapes and should include procedures for addressing vulnerabilities like those found in PTZ cameras.
5. Continuous monitoring and logging are essential for identifying suspicious activity and detecting potential threats. Security Information and Event Management (SIEM) systems can help aggregate and correlate logs for real-time threat detection.
6. Organizations should assess the criticality of any End-of-Life (EOL) products, including PTZ cameras, and plan for timely upgrades or replacements. Using outdated devices increases the risk of exploitation, as they may no longer receive security patches.

Conclusion

The critical vulnerabilities in PTZ cameras, including the OS command injection and authentication bypass vulnerabilities, highlight the importance of securing embedded devices used in modern enterprise environments.

As PTZ camera vulnerabilities become a vector for cyberattacks, organizations must act quickly to patch affected devices and adopt stronger security practices. Timely patching, network segmentation, and comprehensive monitoring are key to protecing systems against the growing threat posed by such vulnerabilities in Pan-Tilt-Zoom cameras.

With active exploitation of these vulnerabilities in the wild, organizations that rely on PTZ cameras should prioritize security assessments and patch management to protect sensitive data and maintain system integrity.

Sources: https://ptzoptics.com/firmware-changelog/

The post Critical Vulnerabilities in PTZ Cameras: CISA Adds New Exploits to Its Catalog appeared first on Cyble.

Blog – Cyble – ​Read More

Dr. Jim Furstenberg is a distinguished faculty member in the Ferris State University Information Security and Intelligence program. Since joining the faculty in 2014, he has combined his extensive industry experience — including roles as Chief Information Officer, Cybersecurity Consultant, and Chief Operating Officer — with his passion for teaching. 

With an information technology/security career spanning sectors such as retail, healthcare, and nonprofit organizations, Dr. Furstenberg brings a wealth of practical knowledge to the classroom. He is not only a licensed Private Investigator specializing in digital forensics and cyber investigations but also the founder of Kalos Cybersecurity LLC. As a retired team leader in Michigan’s Cyber Partners Incident Response (MIC3), he has played a pivotal role in educating and responding to cyber incidents across public and private sectors. 

In this interview, Dr. Furstenberg shares insights into how his real-world experience shapes his teaching methods, the differences between educating students and training professionals, and the critical importance of hands-on learning in cybersecurity. He discusses the integration of tools like ANY.RUN‘s interactive malware sandbox into his curriculum, the evolving landscape of cybersecurity education, and the essential skills students need to thrive in this dynamic field.  

Join us as we explore Dr. Furstenberg’s approach to fostering the next generation of cybersecurity experts. 

On the approach to teaching 

Q: As someone coming from a practical background, how does your industry experience shape your teaching methods? 

Dr. Jim Furstenberg: My industry experience informs my teaching methods in several ways. First, it allows me to provide real-world experiential learning and examples that make cybersecurity concepts more relatable and engaging for students. I emphasize hands-on-keyboard practical applications of theoretical knowledge; helping students understand how their learning can be applied in actual work environments.  

I also foster a collaborative learning environment, similar to what they would experience in a professional setting, i.e., group projects that prepare them for teamwork and communication in their careers. I draw on industry best practices to create relevant assignments and projects, encouraging students to develop skills that are in demand. 

Additionally, our Information Security and Intelligence (ISIN) program’s faculty team draws on over 20 years of work experience ranging from leadership positions in multibillion-dollar corporations, healthcare, nonprofits, law enforcement, and licensed professional investigators.  

ISIN Faculty includes a Distinguished Professor, Michigan Professor of the Year, multiple Fulbright Scholars, and International Educator of the Year. Our faculty team has taught on four continents, including teaching digital forensics to the entire federal cybercrime units in Chile and Perú. In 2023,  I was nominated for Outstanding Professor of the year by students; although I did earn the award, just the nomination meant a lot to me.   

Finally, I am still active and, in the cybersecurity, and digital forensics profession and industry. I own my own cybersecurity business, and those firsthand client engagements and experiences help me stay updated on industry trends and challenges, allowing me to incorporate current topics into the curriculum and ensure that students are equipped for the future job market. 

Q: What are the main differences you see in how you tailor your approach to educating students versus training employees in cybersecurity? 

Dr. Jim Furstenberg: When tailoring my approach to educating students versus training employees in cybersecurity, several vital differences emerge: 

• Learning Objectives: For students, the focus is often on foundational knowledge and theory, while employee training is more about practical skills and immediate application. I emphasize real-world scenarios and problem-solving in corporate training. 

• Curriculum Depth: Student programs may explore a broader range of topics to provide a comprehensive understanding, whereas employee training is typically more targeted, addressing specific skills or compliance requirements relevant to their roles. 

• Engagement Strategies: Students may benefit from various teaching methods, including lectures, discussions, and group projects, to foster critical thinking. In contrast, employee training often involves hands-on workshops, simulations, and table top exercises to engage them in real-life situations. 

• Assessment Methods: Student assessments might include exams, essays, and projects to gauge theoretical and skill understanding. For employees, assessments, such as hands-on tests or simulations, are often more practical to measure their ability to apply skills in real-world scenarios. 

• Feedback and Adaptation: In an academic setting, feedback can focus on personal and professional growth and deeper understanding, while in corporate training, it is crucial to provide immediate, actionable feedback to improve job performance quickly. 

• Motivation and Mindset: Students may be motivated by grades and learning for the sake of knowledge, while employees are often driven by career advancement, job performance, and the application of skills, which can shape how I present material and relate it to their goals. 

Q: As cyber threats keep changing, how do you balance providing a broad foundation in core cybersecurity principles with keeping your curriculum up-to-date on the latest threats? 

Dr. Jim Furstenberg: It is undoubtedly challenging, but since I am actively involved in the profession and not just teaching, I often look for and bring the business reality into the classroom by engaging top-notch vendor solutions into the classroom for practical skills engagement.  

I am grateful for partnerships with vendors like ANY.RUN, which allows me to do this. While many vendors focus solely on short-term profits, several best-in-class companies we partner recognize the importance of providing low or no-cost access to their products for students. This approach enables real world application/learning and helps create future advocates for their solutions. 

Q: How do you measure the success of your cybersecurity curriculum? Is it based on student feedback, job placement rates, or other factors? 

Dr. Jim Furstenberg: We measure success by assessing our students’ employability, gathering feedback from their internships, and the overall feedback from the government and industry regarding our alums. Additionally, our program holds national recognition and rigorous accreditations. For instance, in 2017, the ISI undergraduate program earned ABET Engineering Accreditation for Cybersecurity, becoming one of the first seven universities in the nation to achieve this distinction.  

Moreover, the National Security Agency and the Department of Homeland Security have designated Ferris State University as a National Center of Academic Excellence in Cyber Defense Education, as well as The Department of Defense Cyber Crime Center (DC3) and the Air Force Office of Special Investigations has named Ferris State University as the first university in the United States to obtain designation as a National Center of Digital Forensics Academic Excellence. 

On training methods and hands-on practice 

Q: Which methods have you found work best for teaching complex cybersecurity concepts?  

Dr. Jim Furstenberg: In short, experiential learning is essential—it involves hands-on experience while bridging the gap between academia and real-world realities. Our profession requires both knowledge and skills (technical & professional), along with a lifelong commitment to continuous learning and re-skilling oneself as it is constantly evolving, and our adversaries are highly skilled. 

Q: How do you incorporate real-world scenarios and hands-on labs into your teaching? 

Dr. Jim Furstenberg: There are numerous ways, but I will focus on three 

• Hands-On Labs: Practical exercises allow students to engage with real tools and scenarios, helping them understand abstract concepts through direct experience. 

• Case Studies: Analyzing real-world incidents provides context and relevance, illustrating the implications of cybersecurity practices and failures. 

• Interactive Simulations: Using cyber warfare games and simulations, immerse students in threat detection, incident response, and other critical areas, enhancing their problem-solving skills. 

Q: Where does ANY.RUN’s interactive malware sandbox come into play in your curriculum? 

Dr. Jim Furstenberg: ANY.RUN provides students with access to a top-tier interactive malware sandbox, allowing them to understand the intricacies of malware hands-on. We integrate ANY.RUN labs with MITRE ATT&CK mapping and process enumeration, a collaboration made possible by ANY.RUN’s partnership and generosity.  

Students gain experience with a best of breed vendor and tools they are likely to encounter in the industry. ANY.RUN’s partnership with our program affords students to observe firsthand the full interaction of malware and its consequences. This real-world application enhances their understanding of how to respond to incidents with concrete artifacts and facts.  

Ultimately, ANY.RUN helps students articulate their findings and teaches them to adopt a pragmatic approach when creating defensive solutions and more importantly the ability to communicate visually what is happening and why to leadership and executives.

On advice to cybersecurity students 

Q: Students often struggle with balancing specialization and being a jack-of-all-trades. What advice do you give them for managing this throughout their career? 

Dr. Jim Furstenberg: This profession is not…Tube Socks… “one size does NOT fit all.” We emphasize the importance of self-discovery for students to seek out what they are genuinely passionate about. In cybersecurity, there are numerous horizontal and vertical paths to explore, all based on individual interests and passion. This passion for the profession makes it feel less like work and more of a mission. You have to be passionate about what you do…or why do it? 

However, a significant challenge is the vast knowledge domain and hands-on practical skills required. Students must navigate to their strengths to find their niche within it. This profession may not be for everyone, as it can lead to high burnout rates due to the extensive knowledge, skills, and the never-ending reality of “Cyber never sleeps”… an adage that continues to remain true as we face relentless attacks on our nation’s infrastructure and industries. 

I advise that a student’s approach to college should be to learn a profession, not just earn a degree. As professionals, we are passionate about our work, continually applying and updating our skills constantly, learning and even unlearning… as our profession constantly changes exponentially. In this profession, one never really “arrives,” but it is possible to be passionate about and master a specific niche. 

Q: What technical and soft skills do you notice students often lack when they enter the workforce? 

Dr. Jim Furstenberg: Get your face up from the device, look around, and actually talk to people. Behind all the cyber…there are real people. As time passes, I see students who are more introverted and anxious, often challenged to look at the person talking to them. After all, this is still a people business and people skills are critical. 

Technical Skills can be taught, however interpersonal and team player skills are acquired by first having a willingness to understand that interpersonal skills matter… and matter a lot; it’s a huge mistake to think that its only about the technical.  

Q: What essential recommendations would you give to students looking for their first job in cybersecurity? 

Dr. Jim Furstenberg: What separates a good cybersecurity analyst from a poor one is a combination of critical thinking, creativity, and persistence;  the emotional courage to keep going when things don’t work as expected. In cybersecurity, giving up is never an option. You need to buckle down and figure things out. 

Notice how technical skill is not on my list – because it can be learned; the attributes I listed above are a conscious choice. Furthermore, if cybersecurity were easy, anyone could do it. The truth is, it’s not easy, and not anyone can succeed in this field. 

As a student, it’s crucial to go beyond basic instructions and not give up when the first problem arises. Effective cybersecurity work often demands that you dig deeper to uncover issues that are not immediately obvious, as things are constantly changing. It’s about being resourceful, thinking critically, and persevering through challenges rather than stopping at the surface.  This mindset and discipline are essential for identifying and solving real-world security threats. They will set you apart as you grow in the field. 

On the future of cybersecurity education and work 

Q: How do you see AI affecting both the education and the tools and techniques used in professional cybersecurity settings? 

Dr. Jim Furstenberg: We have used AI for years in the infrastructure backend of appliances, so this is not new in my opinion. Only now is AI consumable so to say…  AI is and has been critical in cybersecurity to do what we do.  

I see more integration into areas where perhaps we had low to no visibility and time saving so the analyst can get Good Findings Fast (GFF)… AI’s speed and its ability to sort signal from noise more provides deeper integration pragmatically.  

Q: What factors, trends, or technologies do you see having the most significant impact on how we approach cybersecurity in the next three years? 

Dr. Jim Furstenberg: I see a deeper integration of Zero Trust. Companies finally understand that Cybersecurity is not an IT problem; it is an enterprise privacy and security issue, and it deserves a seat at the boardroom table.  

Cybersecurity is and should not be a department within IT — it is an integrated whole enterprise approach toward everything in the enterprise, not some bolted-on blinky appliance that IT manages; thankfully, this Luddite mentality appears to be finally waning. GDPR put some teeth into cybersecurity at the board and ownership level, and rightly so.

About ANY.RUN   

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.    

With ANY.RUN you can:  

• Detect malware in under 40s.  
• Interact with samples in real time.  
• Save time and money on sandbox setup and maintenance  
• Record and study all aspects of malware behavior.  
• Collaborate with your team  
• Scale as you need.  

Try all features of ANY.RUN for 14 days by requesting a free trial → 

The post Expert Q&A: Dr. Jim Furstenberg on Cybersecurity Education and Practice  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has alerted about new vulnerabilities in Rockwell Automation FactoryTalk ThinManager. The alert, designated ICSA-24-305-01, outlines serious security risks that could affect users of the software. With a CVSS v4 score of 9.3, these vulnerabilities demand immediate attention from security teams to safeguard industrial control systems.

The vulnerabilities identified in Rockwell Automation’s FactoryTalk ThinManager include “Missing Authentication for Critical Function” and “Out-of-Bounds Read.” These issues can allow remote attackers to manipulate databases or cause denial-of-service conditions.

The successful exploitation of these vulnerabilities poses a risk to users. Attackers could send specially crafted messages to FactoryTalk ThinManager devices, which might lead to serious consequences, including unauthorized database modifications or service disruptions.

Technical Details

Several versions of Rockwell Automation’s FactoryTalk ThinManager have been identified as vulnerable, including versions 11.2.0 to 11.2.9, 12.0.0 to 12.0.7, 12.1.0 to 12.1.8, 13.0.0 to 13.0.5, 13.1.0 to 13.1.3, 13.2.0 to 13.2.2, and version 14.0.0.

The first critical vulnerability, CVE-2024-10386, is categorized as “Missing Authentication for Critical Function” (CWE-306) and assigned a CVSS v3.1 base score of 9.8. This flaw allows network-accessible attackers to send crafted messages to FactoryTalk ThinManager, which could potentially result in database manipulation.

The second vulnerability, CVE-2024-10387, relates to an “Out-of-Bounds Read” (CWE-125) and poses a denial-of-service risk. It enables attackers with network access to send crafted messages that could disrupt FactoryTalk ThinManager’s operations. This vulnerability carries a CVSS v3.1 base score of 7.5 and a CVSS v4 score of 8.7, indicating a serious security concern.

Rockwell Automation has acknowledged these vulnerabilities, which significantly impact critical infrastructure sectors, particularly in manufacturing, and are deployed globally. To address the risks associated with these vulnerabilities, Rockwell Automation has made patches available for the affected versions on the FactoryTalk ThinManager download site and urges users to apply these updates without delay.

Additionally, users are advised to implement network hardening by restricting communications to TCP port 2031 only to necessary devices that require connection to the ThinManager. Following Rockwell Automation’s guidelines for security best practices is also encouraged to minimize risks in industrial automation control systems.

Recommendations from CISA

The Cybersecurity and Infrastructure Security Agency (CISA) recommends several defensive measures:

1. Minimize network exposure for all control system devices, ensuring they are not accessible from the internet.
2. Isolate control system networks and remote devices behind firewalls.
3. Utilize secure methods for remote access, such as Virtual Private Networks (VPNs), while recognizing that these should be updated regularly.
4. Perform comprehensive impact analysis and risk assessment before implementing defensive measures.
5. Regularly review and apply security advisories from credible sources.

Conclusion

CISA encourages organizations to report any suspected malicious activity for tracking and correlation with other incidents. Currently, there have been no known public exploitations targeting these vulnerabilities.

Given the high severity of the vulnerabilities associated with Rockwell Automation’s FactoryTalk ThinManager, organizations must prioritize addressing these issues to maintain security within their industrial environments.

By adhering to recommended practices and implementing available patches, companies can reduce the risk of exploitation and protect their critical infrastructure.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-24-305-01

The post CISA Warns of Critical Vulnerabilities in Rockwell Automation’s FactoryTalk ThinManager appeared first on Cyble.

Blog – Cyble – ​Read More

Network traffic analysis provides critical insights into malware and phishing attacks. Doing it effectively requires using proper tools like ANY.RUN’s Interactive Sandbox. It simplifies the entire process, letting you investigate threats with ease and speed.

Take a look at the key ways you can monitor and analyze network activity with the service.

Connections 

Examining network connections involves looking at source and destination IP addresses, ports, URLs, and protocols. During this process, you can observe all activities that may pose a risk to the system, such as connections to known malicious domains and attempts to access external resources. 

To correlate the network activity with other behaviors or components of the malware, ANY.RUN identifies the process name and Process Identifier (PID) initiating the connection. This allows you to gain a better understanding of the threat’s functionality and purpose. 

In the Connections section, additional attributes like the country (CN) and Autonomous System Number (ASN) provide context for the geographical location and the organization managing the IP address. 

The service also lists DNS requests that help you identify malicious domains used for Command & Control (C&C) communication or phishing campaigns. 

Use Case: Identifying Agent Tesla’s Data Exfiltration Attempt  

Consider the following sandbox session. Here, we can discover a malicious connection to an external server. 

We can navigate to the process that started this connection (PID 6904) to see the details.  

The service displays two signatures related to the connection, which specify that it was made to a server suspected of data theft over the SMTP port. The sandbox also links the process of Agent Tesla, a malware family used by cyber criminals for remote control and data exfiltration.  

Thanks to ANY.RUN’s integration of Suricata IDS, you can discover triggered detection rules by navigating to the Threats tab. The detection of data exfiltration over SMTP in this case is done without decryption. The sandbox relies solely on specific sequences of packet lengths characteristic of sending victim data. 

HTTP Requests and Content 

ANY.RUN provides comprehensive analysis of HTTP requests and their content. To access header information, simply navigate to the Network tab. Here, you’ll find a detailed list of all HTTP requests recorded by the sandbox.

Click on a specific request to view its headers, which include information such as the request method, user-agent, cookies, and response status codes. 

ANY.RUN also offers static analysis of the resources transmitted as part of HTTP requests and responses. These may include HTML pages, binary, and other types of files. The sandbox extracts their metadata and strings. 

Use Case: Discovering a Server for Collecting Stolen Passwords 

When investigating phishing attacks, it is sometimes necessary to check which server ends up receiving the passwords entered by victims on a malicious webpage. To accomplish this task, we need to enable Man-in-the-Middle (MITM) Proxy. 

The feature acts as an intermediary between the malware and the server, allowing analysts to intercept and decrypt even HTTPS traffic, typically used for secure communication. 

Here is an example of a typical attack that is designed to trick users into entering their real login credentials on a fake webpage. 

After we enter a fake password, we need to navigate to the HTTP request section. Here, we need to start reviewing the HTTP POST requests, beginning with the most recent connection by time.

 In most cases, you will be able to understand which server the web page is communicating with. In our example, the stolen data is being sent to Telegram. 

Use Case: Collecting Information on Attackers’ Telegram Infrastructure 

Here is analysis of XWorm malware sample that connects to a Telegram bot for exfiltrating data collected on the infected system. 

Thanks to MITM Proxy, we can decrypt the traffic between the host and the Telegram bot.

By examining the header of a GET request sent by XWorm we can identify a Telegram bot token along with the id of the chat controlled by attackers where information on successful infections is sent.  

Using the bot token and chat id, we can gain access to the data exfiltrated from other systems infected by the same sample. 

Packets 

Packet capture involves intercepting and recording network packets as they are sent and received by the system. In ANY.RUN, you can determine the specific data being transmitted and received, which can include sensitive information, commands, or exfiltrated data.  

Through this detailed examination, you can uncover the structure and content of network packets, including the headers and payloads, which can reveal the nature of the communication. For instance, tracking the information contained in outgoing packets aids in identifying what data was stolen, such as passwords, logins, and cookies. 

To study network traffic packets effectively, you can use the Network stream window. Simply select the connection you’re interested in to access RAW network stream data. Received packets are blue, while sent ones are green. 

Use Case: Investigating a Pass-the-Hash Attack 

Let’s consider the following sandbox analysis. Here, we can observe a theft of an NTLM hash via a malicious web page. 

Once we enable MITM Proxy, we can see how the attack is executed. It starts with the victim’s browser sending a request to access an HTML page, which triggers a redirect to an Impacket SMB server hosted on 10dsecurity[.]com. 

Impacket is a Python-based toolkit designed for working with network protocols that can be used for harvesting NTLM authentication data. 

When the victim’s browser attempts to access the redirected resource via SMB, the Impacket-SMBServer intercepts the request and captures the following information: 

• The victim’s IP address 
• NTLM Challenge Data 
• The victim’s username 
• The victim’s computer name 

ANY.RUN allows us to download PCAP data for further examination in specialized software like Wireshark. To make it easier to identify the connection of our interest, we can collect a display filter right from the sandbox. 

Once we upload the data to the program and paste the filter, we can once again determine that it is indeed an impacket SMB server.  

Conclusion 

Packet capture, payload analysis, protocol dissection, DNS requests, and connection analysis are essential components of this process. By leveraging these techniques, security analysts can gain a comprehensive understanding of malicious activities, enabling them to develop effective countermeasures and protect against evolving cyber threats. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds. 
• Interact with samples in real time. 
• Save time and money on sandbox setup and maintenance 
• Record and study all aspects of malware behavior. 
• Collaborate with your team 
• Scale as you need. 

Request free trial → 

The post How to Capture, Decrypt, and Analyze Malicious Network Traffic with ANY.RUN appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More