For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Nvidia vulnerabilities
Discovered by Dimitrios Tatsis of Cisco Talos.
Nvidia is a large technology company developing graphics cards, chip systems, and applications for AI and high-performance computing. Talos has found five vulnerabilities in the CUDA Toolkit, a development environment for building GPU-accelerated applications.
TALOS-2025-2155 (CVE-2025-23339) is an arbitrary code execution vulnerability in the DWARF parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
TALOS-2025-2169 (CVE-2025-23338) is an improper array index validation vulnerability in the symbol table parsing functionality of NVIDIA nvdisasm 12.8.90. A specially crafted ELF file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
TALOS-2025-2172 (CVE-2025-23340) is an out-of-bounds write vulnerability in the RELA section parsing functionality of NVIDIA nvdisasm 12.8.90. A specially crafted ELF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
TALOS-2025-2191 (CVE-2025-23271), a heap-based buffer overflow vulnerability, and TALOS-2025-2204 (CVE-2025-23308), an out-of-bounds write vulnerability, exist in the REL section header parsing functionality of NVIDIA nvdisasm 12.8.90. Specially crafted ELF files can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.
Adobe use-after-free vulnerability
Discovered by KPC of Cisco Talos.
Adobe Acrobat Reader is one of the most popular PDF reading software currently available.
Talos discovered TALOS-2025-2222 (CVE-2025-54257), a use-after-free vulnerability in the page property functionality of Adobe Acrobat Reader 2025.001.20531. Specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
AI is part of our lives whether we like it or not. Even if you are not quite a fan, or not a user at all, you probably came across multiple AI-generated avatars, pictures, scenes, videos, articles and even malware.
All technological advancements are taken advantage of by society. They were discovered to be used, but some people just abuse them, and AI used for software development is not the exception.
This time we’ll analyze FunkLocker, a ransomware strain by the FunkSec Ransomware group, whose creation was aided in an important part by artificial Intelligence.
Key Takeaways
AI-assisted development: FunkSec ransomware strains, including FunkLocker, show signs of “AI snippet” coding patterns (Ask AI → Paste snippet), making them easy to build but inconsistent in quality.
Multiple builds, mixed stability: Some versions are barely functional, while others integrate advanced features such as anti-VM checks.
Aggressive disruption: FunkLocker forcefully terminates processes and services using predefined lists, often causing unnecessary errors but still leading to full system disruption.
System tools abused: Legitimate Windows utilities like taskkill.exe, sc.exe, net.exe, and PowerShell are heavily misused to stop apps, disable defenses, and prepare for encryption.
Local-only encryption: Unlike many modern ransomware groups, FunkSec encrypts files locally without contacting a command-and-control server, using the .funksec extension.
Ransom note quirks: Notes are dropped on the desktop, but system instability sometimes prevents victims from viewing them without a reboot.
Weak operational security: Reused BTC wallets and locally derived or hardcoded keys suggest sloppy practices. This has allowed researchers (e.g., Avast Labs) to build a public decryptor for FunkSec victims.
Key MITRE ATT&CK techniques: FunkLocker activity maps to techniques such as Masquerading (T1036.005), Service Stop (T1489), PowerShell execution (T1059.001), Network Share Discovery (T1135), and Inhibit System Recovery (T1490), among others.
Detection and Response: SOCs can utilize ANY.RUN’s Interactive Sandbox to safely detonate samples of FunkLocker, identify its malicious activities in seconds, and gather critical threat insights for fast mitigation of the attack.
Artificial Intelligence, Natural Evil
This is not the first time we see AI-aided malware, or even malware fully written by an AI. Just recently, another strain, PromptLocker, made it to the news. But FunkSec has been active for quite a while and even managed to publish many victims in their DLS.
There are many samples, some more stable than others, and a few barely functional. Interestingly, the older builds (dating back to January of this year) included an anti-VM capability that detected virtualized environments with high accuracy before refusing to run.
A FunkSec strain refusing to run
That build was also characterized by the vivid colours of the terminal text it displayed while running. The one found in late July features a monochromatic style and is missing the anti-VM feature. While this could indicate that it is an older build, the lack of a standardized versioning scheme, such as the one used by groups like LockBit, makes it hard to confirm.
By early 2025, FunkSec had been linked to more than 120 compromised organizations worldwide, hitting targets in government institutions, the defense sector, tech companies, financial services, and higher education.
The group’s first reported attacks surfaced in November 2024, and in December they launched a dedicated data leak site to publicize stolen information. Since then, the tally of known victims has continued to grow, with estimates ranging from 120 to 170, and some trackers recording as many as 172 cases. Notably, at least 30 of these incidents involved organizations in the United States, alongside confirmed cases in India, Spain, and Mongolia.
Execution and Process Disruption
Immediately after execution, our whole setup goes dark, because the malware bashes its way through different processes in order to stop them. Why bashing? Because it doesn’t even spend the fraction of a second needed to list the running applications and stop them strategically; it simply works through a predefined list, producing multiple errors whenever it tries to stop a process that isn’t running.
FunkLocker bashing through processes, bat in hand
It will also attempt to stop multiple services, again, matching them with a hardcoded predefined list, causing another set of errors. Some of these occur because the services are not running at all, and others because they simply can’t be stopped due to dependencies from other services that rely on them to function.
This looks like the result of someone individually studying which services to stop and adding them to a list, without considering which services depend on others or which ones might not be running at all because they are optional.
Applications being stopped forcefully
This doesn’t stop the malware from continuing its raid, and eventually the file system is encrypted. The first and most obvious change is the extension of our files, which is now .funksec, but there’s more than meets the eye.
Let’s take a look at the process tree behind the sample. FunkLocker — aside from clubbing everything in its reach — is pretty “structured”, where each of its steps is represented by a legit system tool being abused or a PowerShell script executed procedurally, suggesting an “Ask AI → Get snippet → Paste snippet” development cycle.
FunkLocker’s process tree shown in ANY.RUN’s Interactive Sandbox
PowerShell and System Abuse
The PowerShell routine is based on four commands:
The first one stops Windows Defender via DisableRealtimeMonitoring.
The second one relies on wevtutil to deactivate Security Events logging.
The third one uses wevtutil again to deactivate Application Events logging.
The fourth and final one sets the Execution Policy to Bypass, allowing unrestricted PowerShell execution during that session.
Abused tools include net.exe and its compatibility-mode counterpart net1.exe, used to check if there are any network sessions established.
taskkill.exe is used naturally to stop applications or tasks — in this case used to forcefully stop browsers like Chrome, Firefox, and Edge, daily-use apps like Notepad, Skype, Spotify, programming environments like Java, Python, and Node, and even Steam, among a long list of other apps.
Arbitrary list of apps to be stopped
sc.exe, the Windows Service Control tool, is used as a tool (or club) to stop services like Windows Defender & Firewall, SMB (Shared Folders), the Event Log, the Shell Experience Host (which is why our screen turns black), and other services it has no need to touch at all, like Bluetooth or Audio.
Encryption and Ransom Note
After that, the Volume Shadow Copies are taken care of: they are deleted by abusing the Volume Shadow Copy Service administrative tool (vssadmin) to wipe them silently. This prevents the victim from locally restoring the system to a previous state, effectively removing any chance of rollback using Windows’ built-in recovery mechanisms.
The ransomware deletes Shadow Volume Copies
Now for the encryption part — FunkLocker didn’t attempt to contact a remote server at any time, as all the encryption process occurred locally. We’ve seen similar behavior in a previous article when we analyzed Mamona Ransomware.
While this may seem to make the malware easier to hide and harder to track in the short term, due to the lack of network infrastructure, it turns out to be beneficial for victims in the long run, and you’ll soon see why.
The ransom note is dropped right on the desktop but, with the unnecessary killing of the Shell Experience Host service, we’re left with little choice but to reboot our server to view it (if it ever boots again after its intense contusions session).
Luckily, ANY.RUN’s Interactive Sandbox has a reliable system which allows us to capture any created, deleted or modified file directly from its GUI. So, let’s take a look.
A ransom note captured by ANY.RUN filesystem hook
From here we can notice a BTC address which, after a quick inspection, shows that it has transacted just a few times for around $3,000 USD, suggesting once again that this wallet is shared across different victims or is a default one.
Using a shared wallet instead of a unique one per victim, combined with the technical aspects we saw before and the likelihood that the encryption keys are either derived locally or hardcoded, highlights the “homemade, AI-assisted” fashion of this strain.
This is where things get shinier for victims, because deriving keys locally (or having them hardcoded) greatly improves the chances of a decryptor being made. And this is exactly what happened: Avast Labs was able to create a decryptor for FunkSec, which will give some hope to affected organisations.
After sharing the bad news (ransomware) and the good news (decryptors), it’s time to move on to the ATT&CK Matrix, which ANY.RUN does automatically for us.
MITRE ATT&CK Techniques
ANY.RUN’s Interactive Sandbox maps TTPs to the MITRE ATT&CK matrix
FunkLocker does a lot of things which could be pinned down individually and used as “footprints” to understand how it works:
Technique ID | Technique name | Observed behaviour / notes
T1036.005 | Masquerading: Match Legitimate Resource Name or Location | The malware creates files with names similar to legitimate system files and drops them directly in the system drive root.
T1569.002 | Service Execution: Service Commands | Launches sc.exe to manage Windows services (e.g., stopping them as part of its disruption routine).
T1007 | System Service Discovery | Uses sc.exe to query or discover system services before acting on them.
T1489 | Impact: Service Stop | Executes taskkill.exe to forcefully terminate Office apps, running processes, and web browsers like Chrome, Firefox, and Edge.
T1059.001 | Command and Scripting Interpreter: PowerShell | Runs multiple PowerShell commands to disable Windows Defender real-time protection and to change the execution policy to Bypass (allowing unrestricted script execution).
T1135 | Discovery: Network Share Discovery | Uses net.exe to display or manage information about current active sessions.
T1490 | Impact: Inhibit System Recovery | Deletes Volume Shadow Copies using vssadmin delete shadows /all /quiet to prevent recovery via system restore points.
T1562.001 | Defense Evasion: Disable or Modify Tools | Modifies Windows Defender configuration to weaken or disable protection mechanisms.
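The tool-abuse chain from the PowerShell and System Abuse section and the table above, run through a small behavioural detector, as an added example that is not code from the ANY.RUN article or any product: it tags constructed process-creation log lines (a simplified layout assumed here, with a placeholder parent name suspect.exe) with the technique ids from the table, plus T1562.002 for the wevtutil event-log step, which the table does not list, and only raises a host-level alert when several distinct techniques fire within one minute, because a lone sc stop or taskkill /F is routine administration.

```python
"""Behavioural detector for the FunkLocker-style tool-abuse chain.

Added example, not code from the ANY.RUN article. The input is a constructed,
simplified process-creation log (not any product's format), one event per line:
    <ISO timestamp> <host> <parent image> -> <image> <command line>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (ATT&CK technique id, label, regex over the command line). The ids come from
# the article's table, plus T1562.002 for the wevtutil event-log step.
RULES = [
    (tid, label, re.compile(pattern, re.IGNORECASE))
    for tid, label, pattern in [
        ("T1562.001", "Defender real-time monitoring disabled",
         r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true"),
        ("T1562.002", "Security/Application event log channel disabled",
         r"\bwevtutil(\.exe)?\s+sl\s+(security|application)\b.*/e:false"),
        ("T1059.001", "PowerShell execution policy set to Bypass",
         r"set-executionpolicy\b.*\bbypass\b"),
        ("T1135", "Network session enumeration via net.exe",
         r"\bnet1?(\.exe)?\s+session\b"),
        ("T1489", "Forced process termination via taskkill",
         r"\btaskkill(\.exe)?\b.*\s/f\b"),
        ("T1569.002", "Service stopped via sc.exe",
         r"\bsc(\.exe)?\s+stop\s+\S+"),
        ("T1490", "Shadow copies deleted via vssadmin",
         r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all"),
    ]
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<parent>\S+)\s*->\s*(?P<image>\S+)\s+(?P<cmd>.*)$"
)

# Constructed sample log. "suspect.exe" is a placeholder parent, not a real
# FunkLocker file name; the WS02 and WS03 lines are ordinary admin activity.
SAMPLE_LOG = """\
2025-07-28T10:00:01 WS01 suspect.exe -> powershell.exe powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true
2025-07-28T10:00:02 WS01 suspect.exe -> powershell.exe powershell.exe -Command wevtutil sl Security /e:false
2025-07-28T10:00:02 WS01 suspect.exe -> powershell.exe powershell.exe -Command wevtutil sl Application /e:false
2025-07-28T10:00:03 WS01 suspect.exe -> powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process
2025-07-28T10:00:04 WS01 suspect.exe -> net.exe net session
2025-07-28T10:00:05 WS01 suspect.exe -> taskkill.exe taskkill /F /IM chrome.exe
2025-07-28T10:00:05 WS01 suspect.exe -> taskkill.exe taskkill /F /IM notepad.exe
2025-07-28T10:00:06 WS01 suspect.exe -> sc.exe sc stop WinDefend
2025-07-28T10:00:07 WS01 suspect.exe -> sc.exe sc stop EventLog
2025-07-28T10:00:09 WS01 suspect.exe -> vssadmin.exe vssadmin delete shadows /all /quiet
2025-07-28T11:30:00 WS02 explorer.exe -> cmd.exe cmd /c taskkill /F /IM notepad.exe
2025-07-28T14:12:00 WS03 services.exe -> sc.exe sc stop Spooler
"""


def parse_line(line):
    """Return one event as a dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def match_rules(cmdline):
    """Return [(technique_id, label), ...] for every rule that fires on the command line."""
    return [(tid, label) for tid, label, rx in RULES if rx.search(cmdline)]


def scan(log_text):
    """Tag every parseable log line with the techniques it exhibits."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for tid, label in match_rules(ev["cmd"]):
            hits.append({**ev, "technique": tid, "label": label})
    return hits


def correlate(hits, window_seconds=60, min_techniques=3):
    """Map host -> sorted technique ids for hosts where at least `min_techniques`
    distinct techniques fire inside one `window_seconds` burst. A lone `sc stop`
    or `taskkill /F` is routine administration; the ransomware signal is the
    burst of Defender, logging, session, kill and shadow-copy actions together."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            techs = {e["technique"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(techs) >= min_techniques:
                alerts[host] = sorted(techs)
                break
    return alerts


if __name__ == "__main__":
    for host, techs in correlate(scan(SAMPLE_LOG)).items():
        print(f"{host}: {len(techs)} techniques in one burst: {', '.join(techs)}")
```

On the sample log only WS01 alerts; the single taskkill on WS02 and the single service stop on WS03 stay below the threshold, which is the behavioural rather than indicator-based detection the response section calls for.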
How Security Teams Should Respond
FunkSec shows how AI is changing the pace and style of ransomware development. For security leaders, the lesson is less about one strain and more about the trend it represents. A few priorities stand out:
Prioritize behavioral detection: Static indicators aren’t enough when code can be generated and tweaked with AI. Monitoring behaviors, especially misuse of system tools, becomes essential.
Invest in rapid visibility: The longer it takes to understand what’s happening inside an endpoint, the higher the cost of downtime. Tools that reveal the full execution chain within minutes are critical.
Test your recovery: With shadow copies removed, recovery depends on isolated backups and practiced response playbooks. Tabletop exercises should assume ransomware disables standard rollback options.
Close the skill gap: AI makes it easier for criminals to write malware, but defenders can also lean on AI-driven or interactive platforms to augment analysts and shorten investigation times.
The takeaway: FunkSec isn’t just about today’s attacks. It’s a signal that the future of ransomware will be faster, messier, and more frequent, and security leaders should prepare their defenses accordingly.
About ANY.RUN
Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN to streamline malware investigations worldwide.
Speed up triage and response by detonating suspicious files in ANY.RUN’s Interactive Sandbox, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. Paired with Threat Intelligence Lookup and Threat Intelligence Feeds, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.
Source: FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware, posted 2025-10-01.
When a business scales up, its security challenges grow as well. Once, a small team responsible for both IT and cybersecurity could handle everything, but with increases in numbers of both employees and endpoints, broader use of public cloud services, and the introduction of new business processes, that same small team might not be able to cope; especially when cybercriminals are constantly refining their methods and tactics, developing new social engineering techniques, and adapting artificial intelligence for attacks. Sooner or later, every growing small or mid-sized business is faced with an urgent need to strengthen resilience against modern cyberthreats while keeping investment tempered.
Choosing the ideal strategy boils down to one of two options. The first is to develop strong internal expertise: expand the cybersecurity team and equip it with an XDR-class solution. The second is to rely on external experts through a managed solution, although they would probably need an XDR solution as well. Both approaches are viable — the difference lies in your strategy and priorities. In this blog post, we consider both options and explore which solution may best fit your company.
Typical cybersecurity challenges of a growing business
Let’s imagine a typical fast-growing small or medium-sized company. At some point, the IT people responsible for information security, who are using an EDR-class solution, come to the management with the following information:
We’re drowning in hundreds of alerts and don’t have enough time to process them all
New employees are completely unfamiliar with information security and make mistake after mistake, which increases the number of alerts even more
We can’t respond quickly to incidents; we lack context regarding modern cyberthreats
We don’t have time to thoroughly investigate incidents on every host; we need more robust tools that can block suspicious accounts and buy us some time
It’s clear that all these problems have two roots: imperfect tools and insufficient resources for the security team. From a management perspective, the logical solution would be to upgrade the security solution to XDR (you can read why this is logical in another blog post of ours). However, the question remains: should we develop the expertise of the internal team, or entrust protection to external experts?
Growing internal expertise
Management may prefer to keep things internal: they consider security part of their long-term strategy. Their goal is to build expertise and grow capabilities inside the team. In this case Kaspersky Next XDR Optimum — a simple and user-friendly tool — would be a good choice for empowering the IT or security team. It does so through its essential investigation and response tools, allowing the team to track the traces of multi-stage attacks and boost its security posture.
With Next XDR Optimum, a company can prevent widespread, evasive cyberthreats — including spyware and ransomware attacks — gain insights into modern threats, and discover how they act both within and outside the endpoint. Here are just some of the features available to Next XDR Optimum operators:
Access to Kaspersky Cloud Sandbox allows for testing malicious files in an isolated cloud environment to get a clear result on their behavior and plan further response actions accordingly
Integration with Active Directory gives cybersecurity personnel an option to block user accounts directly from the alert card to stop a threat from spreading
Robust investigation tools optimized to track the traces of multi-stage attacks
Access to the Kaspersky Automated Security Awareness platform, which, in case of an incident, can be used to assign a related security awareness course right from the alert card to minimize the chance of a recurrence of the cyber-incidents caused by human error.
Aggregation of similar alerts allows analysis of alert groups instead of single detections — it shows a more holistic picture of the protected infrastructure, and shortens response time (MTTR)
To sum up, the solution enables cybersecurity teams to investigate incidents, respond faster, and build cybersecurity awareness across the organization. For most companies, this is the best starting point on a journey to stronger protection.
Gaining resilience with managed security
Building an effective security system in-house takes time, and requires the cybersecurity team to understand the techniques, tactics, and procedures used by attackers — as well as to constantly monitor changes in the ever-evolving threat landscape. Not all management is ready to invest in the education of an information security team. Also, training and professional development take up working time — leaving the company less secure, at least temporarily.
This is where Kaspersky Next MXDR Optimum steps up. This solution combines the technological power of XDR tools with the expertise of a Kaspersky team of MDR specialists — delivering protection that goes beyond what an SMB can typically achieve on its own.
In practice, this means:
continuous monitoring and threat hunting performed by external specialists
incident management processes handled by experts
response recommendations or even direct incident response actions if needed
This approach results in lower operational overheads, since a company doesn’t need to staff night shifts or maintain a large cybersecurity department. At the same time, the business still benefits from essential incident detection and response. And all that at a predictable cost, without the hidden expenses of recruitment, training, and retention.
Growing internal expertise with the help of external specialists
However, no one is saying that these two paths are mutually exclusive. If company management wants to develop internal expertise but doesn’t want to risk leaving the company without effective protection until the information security team has gained the necessary experience and know-how, they should also consider Kaspersky Next MXDR Optimum.
The solution provides not only managed protection and essential XDR tools, but also cybersecurity training that allows the security team to learn how to use these tools most effectively. Training helps develop expertise and critical cybersecurity thinking. Meanwhile, delegating certain routine tasks to Kaspersky SOC specialists lets internal infosec officers acquire unique practical skills in applying XDR capabilities to enriched incident detection and response, by observing the work of experienced professionals.
How to choose the right solution: a simple checklist
To make your choice easier and to wrap up this article — we’ve compiled a short checklist that can help you decide which model aligns best with your business’s growth strategy:
Do you have a plan to build a dedicated, strong internal cybersecurity team or to develop one further?
Are customization and control more important for you than simplicity and speed?
Do you want to invest in staff and infrastructure (CAPEX), or keep costs predictable with a subscription service (OPEX)?
How critical is your need for round-the-clock monitoring? Do you need it right now, or are you ready to wait?
Do you want to maintain expertise inside the company, or rely on a trusted partner for faster, more cost-efficient results?
If your answers lean toward control, customization, and further team development — Kaspersky Next XDR Optimum is your choice. If instead your focus is on speed, efficiency, and minimizing operational overhead — Kaspersky Next MXDR Optimum provides the balance needed for secure growth of your business.
Explore more about both solutions and how they fit into your security strategy on the Kaspersky Next Optimum page.
Source: Internal expertise vs. managed security | Kaspersky official blog, posted 2025-09-30.
Lack of context makes it hard for Security Operations Centers (SOC) to tell actual threats from false positives. ANY.RUN’s connectors for Microsoft Defender bridge this gap by automating interactive sandbox analysis and providing real-time threat intelligence for correlation.
As a result, security teams achieve faster incident resolution, reduced alert fatigue, and proactive threat detection all without disrupting existing workflows. Here’s how.
ANY.RUN & Microsoft Defender Connectors
Security teams can use ANY.RUN’s products without leaving the MS Defender workspace
SOCs using Microsoft Defender can seamlessly connect ANY.RUN’s solutions into their existing workflows, boosting their ability to combat advanced threats seamlessly and without disrupting existing processes.
The ANY.RUN connectors include:
Interactive Sandbox connector: Automates the analysis of suspicious files and URLs, delivering detailed behavioral insights and IOCs directly within Microsoft Defender.
These connectors empower SOC teams to triage alerts efficiently, detect elusive malware, and respond to incidents faster, all while reducing operational overhead.
Enhanced threat detection: Real-time IOCs and behavioral analysis uncover evasive and targeted attacks that signature-based systems may miss.
Reduced Mean Time to Respond (MTTR): Automation of sandbox analysis and threat intelligence correlation cuts incident resolution time by tens of percent, enabling faster response to critical threats.
Decreased analyst workload: By automating routine tasks like file analysis and alert enrichment, analysts can focus on high-priority incidents, reducing burnout and improving productivity.
Improved MSSP competitiveness: Automated workflows help MSSPs meet SLAs, deliver higher-value services, and stand out in a competitive market.
Cost efficiency: Seamless interoperability with Microsoft Defender eliminates the need for costly infrastructure changes, maximizing ROI on existing tools.
File analysis verdict from the sandbox shown in MS Defender interface
ANY.RUN’s Interactive Sandbox is a cloud-based solution offering SOC teams immediate, real-time access to Windows, Linux, and Android virtual environments for analyzing suspicious files and URLs.
Submit files and URLs for analysis across Windows, Ubuntu, or Android operating systems.
Retrieve detailed reports and IOCs in JSON or HTML format.
Download submitted file samples and the network traffic dumps from the analysis for deeper incident response insights.
The process is fully automated by default. The built-in playbook detects files or URLs in alerts/incidents and launches the analysis. Obtained IOCs are stored in the internal Threat Intelligence portal within Microsoft Defender.
How Interactive Sandbox Boosts Microsoft Defender Workflows
Higher detection rate: Automated Interactivity ensures even evasive attacks are fully detonated and identified.
Reduced alert fatigue: Focus only on severe incidents, while the sandbox provides verdicts for effective prioritization.
Threat Intelligence Feeds in Microsoft Defender
An alert generated in MS Defender based on an indicator from TI Feeds
ANY.RUN’s Threat Intelligence Feeds empower SOCs and MSSPs to strengthen security with high-fidelity, actionable IOCs from real-time sandbox analysis. Indicators are continuously updated from sandbox investigations across 15,000+ organizations, delivering a curated stream of malicious IPs, domains, and URLs to detect ongoing attacks.
Correlate feed data with incoming alerts to identify high-risk threats.
Use indicators to create new detection rules for proactive threat mitigation.
Automate threat hunting and response workflows using Microsoft Defender playbooks.
Data such as IP addresses, URLs, and domains are automatically pulled into the system for analysis, playbook creation, and correlation.
The connector generates alerts if indicators from the feeds are detected in the client’s infrastructure, with a severity matching the feed entry’s status (medium or high).
How Threat Intelligence Feeds Boost Microsoft Defender Workflows
Expanded threat coverage: Real-time IOCs from 15,000+ organizations boost SOC’s ability to detect current threats, reducing the number of possible security gaps.
Enhanced threat prioritization: Correlating alerts with IOCs helps SOC teams identify critical risks.
Proactive attack prevention: Fresh intelligence enables early threat detection to avoid any damage to the business.
About ANY.RUN
Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.
Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.
The past several years have seen a number of positive developments in global cybersecurity, with organizations worldwide making significant investments to bolster their defenses against cyberthreats. More sophisticated solutions, more guidelines available, and a more collaborative cybersecurity environment have all contributed toward a digital landscape enhancement. Yet, against the backdrop of these encouraging developments, a disparity in cyber-resilience between small and large organizations has been widening.
According to a recent World Economic Forum report, larger organizations are showing steady progress in improving their cyber-defenses, but their smaller counterparts are struggling to keep up. While many larger enterprises are equipped with cutting-edge security solutions and dedicated personnel, SMBs often lack the necessary resources, resulting in a yawning gap in their cyber-resilience. Given the context, small businesses have to use every opportunity to mitigate potential cybersecurity risks without extra resources, and that’s where security hardening can turn the tide and help avert potential threats by basically configuring organizations’ systems and networks in the right way.
So what is security hardening? Security hardening is shorthand for a range of techniques and procedures that help protect digital infrastructure by reducing an attack surface — essentially turning the security of existing systems up to the maximum without necessarily resorting to extra protection solutions. In this article, we explore some of the must-have strategies that can help organizations — especially those with limited or no dedicated cybersecurity resources — to reduce exposure to potential attacks.
Implementing strong authentication and authorization
The first fundamental is taking steps to reduce the risk of unauthorized access to a company’s systems and data. This requires the enforcement of a strict password policy that defines password length requirements, allowed characters, prohibited combinations, password expiration interval, etc. It should also include recommendations on the password storage method to rule out unsafe practices.
Another indispensable practice is the use of two-factor authentication, meaning that to access specific resources or data an employee has to verify their identity in two different ways. With two-factor authentication in place, even if attackers learn an employee’s password somehow, they still need to bypass the second factor, which gives an extra layer of protection.
And finally, organizations need to implement network access control measures to control which users enter the corporate network and what level of access those users have. Configuring permissions within a corporate network following the least-privilege principle is a best practice, ensuring that users only have access to the systems needed to perform their tasks, and don’t have access to the entire environment. In an environment where employees have access only to the systems they strictly need, attackers would have limited options for lateral movement within the network in the event of a breach, which would minimize potential damage. Another useful tip is to regularly audit all accounts and their permissions, and revoke unnecessary ones – for example when an employee is dismissed or moves to a different department.
Regularly updating software and timely patching vulnerabilities
Regular and prompt updates of operating systems, applications, and other software can help eliminate known vulnerabilities that can be used by attackers to compromise organizations’ networks. Software development is continually advancing, leading to two main challenges: a system can rapidly become outdated or even obsolete, and, more critically, it may become vulnerable to cyberattacks. Software developers address these issues by shipping new code as part of updates. Software updates not only fix bugs or improve performance, but may also include patches for vulnerabilities detected during software operation. Cybercriminals never fail to grab the opportunity to exploit known vulnerabilities, some of which are exploited for years, which exposes the fact that years after the release of patches some organizations still fail to install them.
Encrypting data
Encryption of data at rest (when data is stored, for example, on drives) as well as in transit (when data is moving between devices, such as within private networks or over the internet), protects the data from interception and unauthorized access. The two most effective data protection technologies are File and Folder Level Encryption (FLE) and Full Disk Encryption (FDE), which are used for tackling different tasks. The former protects critical data and restricts access to it, while the latter rules out the possibility of any data falling into the hands of third parties — even if a data storage device holding valuable information is lost or stolen.
Both FLE and FDE can be implemented on corporate computers with the help of built-in tools:
BitLocker (Windows) or FileVault (macOS) for FDE.
Encrypting File System (EFS) (Windows) or Disk Utility and FileVault (macOS) for FLE.
With data encryption in place, organizations can minimize the risk of confidential data being intercepted.
Implementing data backups
Backing up data is essential to ensure its integrity in case of a potential cyberattack, including with the use of ransomware or wipers. To guarantee a continuous backup process, one can schedule automatic backups to avoid time-wasting, with manual backups nevertheless still being an option.
Once the process is set up, it’s necessary to check the integrity of backups regularly, perform practice runs restoring the server in a staging environment, and generally make sure that, if it becomes necessary, recovery will be possible. It should be noted that if a backup server is located inside the network perimeter, then in the event of an attack the backup will also be at risk of being destroyed by attackers. Therefore, it’s recommended to create several backups of critical data and diversify their storage, not neglecting storage on physical devices. With backups in place, the risks of critical data loss and subsequent disruption of business processes are reduced.
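The integrity check described above, as an added example that is not part of the Kaspersky post: a SHA-256 manifest is written when the backup is taken and verified again later, so corrupted, missing or tampered files surface in a practice run rather than during a real recovery. The manifest name, the line format and the constructed sample tree built by run_demo() are this example’s own assumptions.

```python
"""Added example (not code from the Kaspersky post): write a SHA-256 manifest
when the backup is taken and check the copy against it later.

Assumptions (this example's own choices): the manifest name MANIFEST.sha256,
the two-space 'digest  path' line format, and the constructed sample tree
built by run_demo().
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large dumps need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(root: Path):
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)


def write_manifest(backup_root: Path) -> int:
    """Hash every file under backup_root into MANIFEST.sha256; returns the file count.

    Keep a copy of the manifest (or just its own hash) outside the backup location:
    an attacker who can alter the backup can usually alter a manifest stored beside it.
    """
    lines = [f"{sha256_file(p)}  {p.relative_to(backup_root).as_posix()}"
             for p in _files_under(backup_root)]
    (backup_root / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(backup_root: Path) -> dict:
    """Compare the copy against its manifest and sort every path into one bucket."""
    result = {"ok": [], "corrupted": [], "missing": [], "extra": []}
    expected = {}
    for line in (backup_root / MANIFEST_NAME).read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    for rel, digest in expected.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:          # silent corruption or tampering
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    present = {p.relative_to(backup_root).as_posix() for p in _files_under(backup_root)}
    result["extra"] = sorted(present - set(expected))   # files nobody recorded
    return result


def run_demo() -> dict:
    """Constructed scenario: take a backup, then damage the copy and re-verify."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        (root / "db").mkdir()
        (root / "db" / "dump.sql").write_bytes(b"CREATE TABLE t(x INTEGER);\n")
        (root / "config.ini").write_text("[app]\nkey=1\n")
        count = write_manifest(root)
        before = verify_backup(root)
        # What a practice restore should catch: a changed file, a lost file and
        # an unexpected file that was never part of the backup set.
        (root / "db" / "dump.sql").write_bytes(b"CREATE TABLE t(x INTEGER);\n-- altered\n")
        (root / "config.ini").unlink()
        (root / "stray.tmp").write_text("not in manifest\n")
        after = verify_backup(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"count": count, "before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```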
Employee training
Last but not least, organizations have to adopt a systematic approach to cyber-education, carrying out regular assessments of the level of the cyber-literacy among staff, and implementing training to fill gaps in employees’ knowledge — making cybersecurity training a continual effort. Such training should include the basics of information security, best practices for data management, as well as typical attack scenarios used by cybercriminals — in particular social engineering techniques. Additionally, organizations can incorporate simulated phishing exercises to assess and reinforce both learning and monitoring employees’ proficiency from time to time to identify gaps in cyber-knowledge.
With nearly two-thirds of cyber-incidents caused by human error, ongoing work to raise staff awareness of existing threats can help minimize the risks of attacks that exploit the human factor.
Altogether, the hardening techniques described above represent a strategy for reducing an organization’s attack surface. By implementing these security measures — ideally, together with the deployment of intrusion detection and prevention systems and installation of endpoint protection solutions — organizations can significantly minimize potential vulnerabilities. With this proactive approach, organizations can strengthen defenses against cyberthreats and also minimize risks of unauthorized access to their networks and systems.
What is security hardening? | Kaspersky official blog (published 2025-09-29)
Phishing links are no longer a rare sight. They’re increasingly common in messaging apps, and often come seemingly from people you know well, who, of course, are completely unaware. Scammers hijack accounts and cleverly impersonate friends and family — abusing trust to get closer to your wallet or your secrets.
To help you fight off this growing wave of threats, we’ve added some new features to Kaspersky for Android. In this post, we explain the new layer of defense against phishing and malicious links brought to you in the latest Kaspersky for Android update.
Phishing links and where to find them
By default, we consider any link designed to deceive to be a phishing link. These links often lead to fraudulent websites that mimic legitimate ones using typosquatting and other tricks. For example, this link — https://www.kaspersky.com/blog/, seemingly to our blog, will redirect you to our Telegram channel instead. This is a safe example, but scammers aren’t so harmless.
You can encounter phishing links just about anywhere: in emails, text messages, but especially in messaging apps. A common scam we’ve covered involves attackers using hacked accounts of friends and family to send fake gift subscriptions for apps like Telegram. But instead of a free Premium subscription, victims end up with their personal account hijacked.
Phishing scams can also lurk in job offers, Google Forms surveys, or crypto giveaways. Sometimes you don’t even have to do anything on a phishing site to get infected. This is called a zero-click attack. The victim doesn’t need to fill out any forms, click on buttons, or submit anything. All that’s required is to follow a link to the malicious page that exploits a vulnerability. Once you reach that page, your device is compromised.
Phishers have a plethora of ways to reach their victims. It’s often difficult to spot a fake URL with the naked eye — one mistake can get you trapped. That’s where an automated solution comes in handy, recognizing and neutralizing the suspicious link.
How anti-phishing security works in Kaspersky for Android
The updated Kaspersky for Android protects your devices from phishing with three distinct layers:
Notification Protection detects and blocks malicious links in notifications from any apps, whether they be well-known like WhatsApp or Telegram, new apps, or even ones that don’t exist yet.
Safe Messaging blocks dangerous links in text messages and the WhatsApp, Viber, and Telegram messaging apps.
Safe Browsing checks links before opening them and blocks malicious and phishing websites in Google Chrome, Yandex Browser, Firefox, and some other pre-installed browsers like Samsung Internet and Huawei Browser.
Why do we call these features “layers”? Think of it as a medieval fortress with multiple defenses: the castle’s tall walls, archers atop the walls, and a moat. You might wonder, why bother building tall walls and employing archers if there’s a moat? Attackers wouldn’t be able to get across the moat anyway. The thing is, attacking archers could still fire on those inside if there were no tall fortress walls, and catapults could lob stones (or something more deadly) over both the moat and walls. So, a good fortress needs all three defenses.
Similarly, a smartphone needs security on every level. The Kaspersky for Android app has long blocked phishing links in browsers with Safe Browsing and in SMS messages, WhatsApp, Viber and Telegram with Safe Messaging.
Here’s how it works. If any app — say, a messaging app — tries to show you a phishing link in a pop-up notification, our security solution hides the malicious notification and replaces it with its own. This new notification will have the title Dangerous link detected and the text of the original message, but with the malicious link removed.
This is what a Kaspersky for Android notification looks like when it detects a malicious link
Important: no Kaspersky employee can read your private messages. This security mechanism is fully automated and only scans for standard links within notification text. For this reason, it won’t be able to check links that are concealed with special formatting like hidden text in a messaging app or those disguised as a hyperlink with anchor text like “click here”.
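The notification-level mechanism described above, as an added example that is not Kaspersky’s code: plain-text links in the notification are extracted and checked against a blocklist, a flagged notification is replaced by one titled "Dangerous link detected" with the link removed, and a message whose link hides behind anchor text passes through untouched, which is the blind spot the post warns about. The BLOCKED_HOSTS set and the sample notifications are constructed for this example; a real product would query a URL-reputation service instead of a static set.

```python
"""Added example (not Kaspersky's code): the shape of a notification-level
link filter as the post describes it, plus the blind spot the post warns about.

Constructed assumptions: the BLOCKED_HOSTS set, the '[link removed]'
placeholder and the sample notifications used to exercise the filter.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Only "standard" links written out in the notification text are visible to the
# scanner: http(s) URLs and bare www. hosts. Anchor text such as "click here"
# carries no URL in the rendered text, so it passes through untouched.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed blocklist for the example (hostnames, matched with their subdomains).
BLOCKED_HOSTS = {"telegram-premium-gift.example", "login-secure-bank.example"}


@dataclass
class Notification:
    app: str
    title: str
    text: str


def extract_links(text: str) -> list[str]:
    """Return every plain-text link in the order it appears."""
    return URL_RE.findall(text)


def host_of(link: str) -> str:
    if not link.lower().startswith(("http://", "https://")):
        link = "http://" + link          # bare www. host: add a scheme for urlparse
    return (urlparse(link).hostname or "").lower()


def is_dangerous(link: str) -> bool:
    host = host_of(link)
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def filter_notification(n: Notification) -> Notification:
    """Return the notification to display.

    Clean notifications come back unchanged. If any link is on the blocklist the
    original is replaced by one titled 'Dangerous link detected' that keeps the
    message text but drops the link, which is the behaviour the post describes.
    """
    dangerous = [link for link in extract_links(n.text) if is_dangerous(link)]
    if not dangerous:
        return n
    cleaned = n.text
    for link in dangerous:
        cleaned = cleaned.replace(link, "[link removed]")
    return Notification(app=n.app, title="Dangerous link detected", text=cleaned)
```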
How to enable maximum anti-phishing security
To give Kaspersky for Android the permissions it needs to find and repel threats, you need to enable certain settings in the Android OS. The first step is to turn on access to Accessibility features, which is required for all layers of security. If you don’t grant this permission, the app will warn you and provide instructions. You can also enable it manually: Settings → Accessibility → Kaspersky → Use Service → OK.
How to grant Kaspersky for Android access to Accessibility features
Next, you need to enable the first layer of security: Notification Protection. This allows the app to detect phishing links directly in your notifications.
Go to All features → Safe Messaging → Check notifications.
Grant notification access: Settings → Apps & notifications → Special app access → Notification access → Kaspersky → Allow.
The exact steps may vary slightly depending on your smartphone model. For this reason, all Kaspersky for Android users can access a quick link from the app itself to the correct settings section. Simply tap Check Notifications in the app, and in the window that opens, tap Show instructions → Continue.
How to grant Kaspersky for Android notification access
The first layer of security is on. Now, Kaspersky for Android will alert you when it detects malicious links in notifications.
Now for the second layer, Safe Messaging, which blocks dangerous links in SMS messages and WhatsApp, Viber, and Telegram.
Activate the toggles next to Block dangerous websites and Check links you open from other apps.
How to enable Safe Browsing in Kaspersky for Android
Don’t forget to check the settings in the messaging apps you use, and make sure you allow new message notifications. We recommend paying attention not only to the general app settings, but also to individual chat settings. Remember that phishing links can even come from hacked accounts of people you know.
Here’s another important detail for Telegram users. This messaging app opens all links by default in its built-in browser, and scammers take advantage of this. Our Safe Browsing feature doesn’t work in Telegram’s built-in browser. For increased device security, you should change the default Telegram settings to open links in a third-party browser instead. To do this, in Telegram go to Settings → Chat Settings and turn off the switch for In-App Browser.
How to configure Telegram so that links are opened in a third-party browser and checked by Kaspersky for Android
Install the best anti-phishing security on your devices, treat every unexpected link received in a messaging app or via SMS with due suspicion, and follow our Telegram channel to stay up to date on the latest cybersecurity trends.
Protect yourself from scams in messaging apps and SMS:
How to set up anti-phishing security in Kaspersky for Android | Kaspersky official blog (published 2025-09-29)
While AI presents endless new opportunities — it also introduces a whole array of new threats. Generative AI allows malicious actors to create deepfakes and fake websites, send spam, and even impersonate your friends and family. This post covers how neural networks are being used for scams and phishing, and, of course, we’ll share tips on how to stay safe. For a more detailed look at AI-powered phishing schemes, check out the full report on Securelist.
Pig butchering, catfishing, and deepfakes
Scammers are using AI bots that pretend to be real people, especially in romance scams. They create fabricated personas and use them to communicate with multiple victims simultaneously to build strong emotional connections. This can go on for weeks or even months, starting with light flirting and gradually shifting to discussions about “lucrative investment opportunities”. The long-term personal connection helps dissolve any suspicions the victim might have, but the scam, of course, ends once the victim invests their money in a fraudulent project. These kinds of fraudulent schemes are known as “pig butchering”, which we covered in detail in a previous post. While they were once run by huge scam farms in Southeast Asia employing thousands of people, these scams now increasingly rely on AI.
Neural networks have made catfishing — where scammers create a fake identity or impersonate a real person — much easier. Modern generative neural networks can imitate a person’s appearance, voice, or writing style with a sufficient degree of accuracy. All a scammer needs do is gather publicly available information about a person and feed that data to the AI. And anything and everything can be useful: photos, videos, public posts and comments, information about relatives, hobbies, age, and so on.
So, if a family member or friend messages you from a new account and, say, asks to lend them money, it’s probably not really your relative or friend. In a situation like that, the best thing to do is reach out to the real person through a different channel — for example, by calling them — and ask them directly if everything’s okay. Asking a few personal questions that a scammer wouldn’t be able to find online or even in your past messages is another smart thing to do.
And why wouldn’t Jennifer Aniston be giving away a MacBook?
Social media isn’t the only place where deepfakes are being used, though. They’re also being generated for real-time video and audio calls. Earlier this year, a Florida woman lost US$15,000 after thinking she was talking to her daughter, who’d supposedly been in a car accident. The scammers used a realistic deepfake of her daughter’s voice, and even mimicked her crying.
Experts from Kaspersky’s GReAT found offers on the dark web for creating real-time video and audio deepfakes. The price of these services depends on how sophisticated and long the content needs to be — starting at just US$30 for voice deepfakes and US$50 for videos. Just a couple of years ago, these services cost a lot more — up to US$20,000 per minute — and real-time generation wasn’t an option.
The listings offer different options: real-time face swapping in video conferences or messaging apps, face swapping for identity verification, or replacing an image from a phone or virtual camera.
Scammers also offer tools for lip-syncing any text in a video — even in foreign languages, as well as voice cloning tools that can change tone and pitch to match a desired emotion.
However, our experts suspect that many of these dark-web listings might be scams themselves — designed to trick other would-be scammers into paying for services that don’t actually exist.
How to stay safe
Don’t trust online acquaintances you’ve never met in person. Even if you’ve been chatting a while and feel like you’ve found a “kindred spirit”, be wary if they bring up crypto, investments, or any other scheme that requires you to send them money.
Don’t fall for unexpected, appealing offers seemingly coming from celebrities or big companies on social media. Always go to their official accounts to double-check the information. Stop if at any point in a “giveaway”, you’re asked to pay a fee, tax, or shipping cost, or to enter your credit card details to receive a cash prize.
If friends or relatives message you with unusual requests, contact them through a different channel such as telephone. To be safe, ask them about something you talked about during your latest real-life conversation. For close friends and family, it’s a good idea to agree on a code word beforehand that only the two of you know. If you share your location with each other, check it and confirm where the person is. And don’t fall for the “hurry up” manipulation — the scammer or AI might tell you the situation is urgent and they don’t have time to answer “silly” questions.
If you have doubts during a video call, ask the person to turn their head sideways or make a complicated hand movement. Deepfakes usually can’t fulfill such requests without breaking the illusion. Also, if the person isn’t blinking, or their lip movements or facial expressions seem strange, that’s another red flag.
Never dictate or otherwise share bank-card numbers, one-time codes, or any other confidential information.
An example of a deepfake falling apart when the head turns.
Automated calls
These are an efficient way to trick people without having to talk with them directly. Scammers are using AI to make fake automated calls from banks, wireless carriers, and government services. On the other end of the line is just a bot pretending to be a support agent. It feels real because many legitimate companies use automated voice assistants. However, a real company will never call you to say your account was hacked or ask for a verification code.
If you get a call like this, the key thing is to stay calm. Don’t fall for scare tactics like “a hacked account” or “stolen money”. Just hang up, and use the official number on the company’s website to call the genuine company. Keep in mind that modern scams can involve multiple people who pass you off from one to another. They might call or text from different numbers and pretend to be bank employees, government officials, or even the police.
Phishing-susceptible chatbots and AI agents
Many people now prefer to use chatbots like ChatGPT or Gemini instead of familiar search engines. What could be the risks, you might ask? Well, large language models are trained on user data, and popular chatbots have been known to suggest phishing sites to users. When they perform web searches, AI agents connect to search engines that can also contain phishing links.
In a recent experiment, researchers were able to trick the AI agent in the Comet browser by Perplexity with a fake email. The email was supposedly from an investment manager at Wells Fargo, one of the world’s largest banks. The researchers sent the email from a newly created Proton Mail account. It included a link to a real phishing page that had been active for several days but was yet to be flagged as malicious by Google Safe Browsing. While going through the user’s inbox, the AI agent marked the message as a “to-do item from the bank”. Without any further checks, it followed the phishing link, opened the fake login page, and then prompted the user to enter their credentials; it even helped fill out the form! The AI essentially vouched for the phishing page. The user never saw the suspicious sender’s email address or the phishing link itself. Instead, they were immediately taken to a password entry page given by the “helpful” AI assistant.
In the same experiment, the researchers used the AI-powered web development platform Loveable to create a fake website that mimicked a Walmart store. They then visited the site in Comet — something an unsuspecting user could easily do if they were fooled by a phishing link or ad. They asked the AI agent to buy an Apple Watch. The agent analyzed the fake site, found a “bargain”, added the watch to the cart, entered the address and bank card information stored in the browser, and completed the “purchase” without asking for any confirmation. If this had been a real fraudulent site, the user would have lost a chunk of change while they served their banking details on a silver platter to the scammers.
Unfortunately, AI agents currently behave like naive newcomers on the Web, easily falling for social engineering. We’ve talked in detail before about the risks of integrating AI into browsers and how to minimize them. But as a reminder, to avoid becoming the next victim of an overly trusting assistant, you should critically evaluate the information it provides, limit the permissions you give to AI agents, and install a reliable security solution that will block access to malicious sites.
AI-generated phishing websites
The days of sketchy, poorly designed phishing sites loaded with intrusive ads are long gone. Modern scammers do their best to create realistic fakes which use the HTTPS protocol, show user agreements and cookie consent warnings, and have reasonably good designs. AI-powered tools have made creating such websites much cheaper and faster, if not nearly instantaneous. You might find a link to one of these sites anywhere: in a text message, an email, on social media, or even in search results.
Credential input forms on scam sites imitating Tesla and Pantene
How to spot a phishing site
Check the URL, title, and content for typos.
Find out how long the website’s domain has been registered. You can check this here.
Pay attention to the language. Is the site trying to scare or accuse you? Is it trying to lure you in, or rushing you to act? Any emotional manipulation is a big red flag.
If your browser warns you about an unsecured connection, leave the site. Legitimate sites use the HTTPS protocol.
Search for the website name online and compare the URL you have with the one in the search results. Be careful, as search engines might show sponsored phishing links at the top of the page. Make sure there is no “Ad” or “Sponsored” label next to the link.
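The URL checks from the list above, as an added example that is not from the Kaspersky post: typos and look-alike names measured by edit distance against a set of known brands, a brand name tucked into a subdomain, non-ASCII or punycode host names, and a missing HTTPS scheme. The KNOWN_BRANDS set and the sample URLs are constructed; domain registration age needs a WHOIS/RDAP lookup and is deliberately left out, and the "registrable" label is taken crudely as the label left of the TLD (wrong for suffixes like co.uk, where a real tool would consult the public suffix list).

```python
"""Added example (not from the Kaspersky post): offline checks mirroring the
post's 'how to spot a phishing site' list.

Constructed assumptions: the KNOWN_BRANDS set and the sample URLs. The
registrable label is crudely the one left of the TLD; a real tool would use
the public suffix list. Domain age is not checked here (needs WHOIS/RDAP).
"""
from __future__ import annotations

from urllib.parse import urlparse

KNOWN_BRANDS = {"kaspersky", "telegram", "walmart", "paypal"}
MAX_EDITS = 2   # names within this edit distance of a brand count as look-alikes


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label_checks(host: str) -> list[str]:
    """Flag typosquats of a known brand and brands hidden in a subdomain."""
    findings = []
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        return findings
    registrable, subdomains = labels[-2], labels[:-2]
    for brand in sorted(KNOWN_BRANDS):
        if registrable == brand:
            continue                     # the genuine name, as far as spelling goes
        d = levenshtein(registrable, brand)
        if d <= MAX_EDITS:
            findings.append(f"look-alike: '{registrable}' is {d} edit(s) from '{brand}'")
        elif brand in registrable:
            findings.append(f"brand '{brand}' embedded in '{registrable}'")
        if any(brand in label for label in subdomains):
            # e.g. telegram.org.<attacker-domain>: the brand is not the owner
            findings.append(f"brand '{brand}' appears in a subdomain of '{registrable}'")
    return findings


def assess_url(url: str) -> list[str]:
    """Return the red flags for a URL; an empty list means none of these checks fired."""
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()
    findings = []
    if p.scheme != "https":
        findings.append("not https: the browser will warn about an unsecured connection")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalised host name: inspect for look-alike characters")
    findings.extend(brand_label_checks(host))
    return findings
```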
How scammers have mastered AI: deepfakes, fake websites, and phishing emails | Kaspersky official blog (published 2025-09-26)
Welcome to this week’s edition of the Threat Source newsletter.
“Back to the Future” is 40 years old this year, and at the risk of giving away sensitive information to an audience of hackers… so am I.
I don’t really know what 40 is supposed to feel like. Honestly, I don’t feel all that different from my 20s, with two key exceptions: One, I care a whole lot less about what people think of me. And two, my trainer recently stopped mid-set to ask, “Was that your knee making that sound?”
I’ve always loved “Back to the Future” (mommy issues aside). For my 30th birthday, I threw a BTTF-themed party. Guests had to dress for either 1955, 1985 or 1885. (2015 was also allowed, but only if you wore two ties.)
But watching the documentary “Still” recently gave me a whole new appreciation for what Michael J. Fox went through to make it happen.
Because he was still under contract with “Family Ties,” and because the original Marty had been fired five weeks into filming, Fox had to shoot both projects at the same time. He’d wrap “Back to the Future” at 2:00 a.m., sleep in the back of a car, then be on set for the sitcom a few hours later.
In “Still,” he talks about mixing up lines between scripts, barely functioning from exhaustion and constantly fearing a call from his agent saying he wasn’t doing a good job. The pressure. The pace. The fear he was messing it up. Fox himself admits the experience nearly broke him. But he kept showing up, because people were counting on him.
Sound familiar?
That “I can’t stop, people are relying on me” mindset is something I see a lot in this industry. We care about the mission. We care about our teams. We don’t want to give the adversary any opportunity.
So we say yes. We log back in. We fix the thing no one else will notice, but we know it matters.
Fox’s schedule and resultant exhaustion weren’t the only issues behind the scenes of “Back to the Future.” The “What Went Wrong” podcast (a favourite of mine) recently covered the mishaps and difficulties, from the DeLorean doors constantly jamming shut, to having to change the entire ending. The film was originally supposed to climax at a nuclear test site, with Marty manufacturing a time machine out of a fridge.
That ending was axed as the producers were concerned children would copy the idea and get trapped in fridges. Thankfully, Steven Spielberg (a producer on the film) would use the concept 20 years later in “Indiana Jones and the Kingdom of the Crystal Skull” to huge success. Ahem.
So much about the making of “Back to the Future” was fraught and uncertain. But what we, the audience, saw was pure delight. And that’s the thing — what looks effortless on the surface is often the result of long hours, unfair compromises, and the kind of behind-the-scenes effort that nobody ever sees.
I want to echo the thoughts of my colleague Joe from last week’s newsletter: Burnout is brutal, and it takes no prisoners. Trying to be there for everyone and everything all the time is unsustainable. And (trust me on this one), the longer we put off taking care of ourselves, the harder and longer the recovery.
Creating boundaries is one of the best things we can do for ourselves. So, this week, whether you’re coordinating an incident, researching something cool, supporting your team or just trying to be a functioning human, give yourself a moment. Identify your boundaries. Move them closer if you need to.
In fact, write down just one thing that will help decompress you this week, and do that thing. Whether that’s less screen time, a short walk after dinner or playing a game.
Just… give yourself permission, okay? As Doc Brown says:
“The future is whatever you make it. So make it a good one.”
The one big thing
Cisco Talos uncovered a new PlugX malware variant targeting telecom and manufacturing sectors in Central and South Asia since 2022, using the same sneaky tactics as the RainyDay and Turian backdoors. These threats abuse legitimate software and share unique technical fingerprints, suggesting they’re the work of the same or closely linked attackers. The campaign shows a high level of sophistication and ongoing risk for targeted industries.
Why do I care?
If your organization is in telecom or manufacturing, especially in Central or South Asia, you’re squarely in the crosshairs of advanced attackers using updated, evasive malware that can compromise your systems, steal data and lurk undetected for years.
Even if you’re in a different industry, attackers are getting smarter at hiding in plain sight and any organization could be at risk if these tactics spread.
So now what?
Double down on security controls. Make sure your endpoint, email and network protection solutions are up to date, review your defenses against DLL hijacking and stay alert for new updates.
Top security headlines of the week
Microsoft fixed Entra ID vulnerability allowing Global Admin impersonation: Microsoft rolled out a global fix on July 17, just three days after the initial report and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. (HackRead)
U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area: The U.S. Secret Service dismantled a network of electronic devices located throughout the New York tristate area that were used to conduct multiple telecommunications-related threats directed towards senior U.S. government officials. (U.S. Secret Service)
European airport disruptions caused by ransomware attack: ENISA said the type of ransomware involved in the attack has been identified and law enforcement is conducting an investigation. The cyberattack hit services provided by US-based Collins Aerospace, which is owned by RTX (formerly Raytheon). (SecurityWeek)
ChatGPT targeted in server-side data theft attack: The attack, dubbed ShadowLeak, targeted ChatGPT’s Deep Research capability, which is designed to conduct multi-step research for complex tasks. OpenAI neutralized ShadowLeak after notification. (SecurityWeek)
Attackers abuse AI tools to generate fake CAPTCHAs in phishing attacks: The fake CAPTCHA pages redirect victims to malicious websites hosted by the attackers. The apparent routine security check makes the malicious link appear more legitimate to the victim and helps bypass security tools. (Infosecurity Magazine)
SystemBC malware turns infected VPS systems into proxy highway: The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. (Bleeping Computer)
Can’t get enough Talos?
The TTP: Threat Hunter’s Cookbook: Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply.
Engaging Cisco Talos Incident Response: You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements.
Tampered Chef: When malvertising serves up infostealers: Imagine downloading a PDF Editor tool from the internet that works great… until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in malvertising and challenges in defense.
The misconception that “we’re too small to be a target” is becoming less common these days. The numerous supply-chain attacks in recent years have shown that you don’t have to be the attackers’ ultimate target to face a sophisticated attack — all it takes is to have a major client or partner, or simply a broad customer base. That’s why many small and mid-sized businesses (SMBs) have long since adopted EDR solutions. Fortunately, the market offers modern EDR products that are accessible even to small companies and which aren’t particularly difficult to manage.
But is EDR functionality enough for your needs — or is it time to start considering XDR? To answer that, you need to ask yourself four more questions.
Is your cybersecurity team coping with the volume of alerts?
Any cybersecurity employee using an EDR console has to process an enormous number of endpoint alerts. A single incident can trigger hundreds of similar alerts; for example, when the same malicious file is detected on a hundred different endpoints. Each of these alerts consumes the time and attention of the cybersecurity specialist. This repetitive, exhausting work is a major cause of security team burnout.
With Kaspersky Next XDR Optimum, related alerts are grouped together, allowing operators to instantly see a more complete picture of the incident. Response actions can also be applied to all similar alerts with a single click instead of handling them one by one. This reduces the team’s workload and significantly cuts incident response time.
Do your experts have enough time to investigate incidents?
Let’s say your EDR solution detects malicious activity on one of your workstations. The logical response for an EDR operator is to isolate the device and thoroughly investigate it. But this takes time, and given a serious incident, time is the one thing you don’t have. First, it may not be immediately clear at what stage the attack was detected. The attackers may have already gained access to other endpoints. Second, a huge number of today’s attacks take place because of compromised corporate credentials. The operator can’t know whether an employee inadvertently opened a malicious email attachment — or whether an outsider logged in as that employee to attack the infrastructure. And if it’s the latter, they may try to gain access with the same username and password somewhere else.
Next XDR Optimum allows you to block users directly in Active Directory right from the alert card. This helps contain the attack, limit potential damage, and buy valuable time for a more thorough investigation.
Does your cybersecurity team have enough context when responding to threats?
An EDR alert tells the operator that a malicious file has been detected on a workstation so that they can start taking defensive actions. But sometimes that’s not enough. A malicious file might be just one part of a larger attack that would require a deeper investigation to detect and counter.
Next XDR Optimum gives operators access to the Kaspersky Cloud Sandbox, where suspicious files can be uploaded to an isolated cloud environment and safely analyzed to see what they actually do. The system helps create an indicator of compromise — allowing for a quick scan of the infrastructure for the same threat on other endpoints.
Are your employees sufficiently aware of cyberthreats?
Returning to the issue of alert overload: cybersecurity specialists working with an EDR system while investigating an incident sometimes find that the cause of the alert was human error — someone opened a malicious attachment in an email, or followed a link to a phishing web page. Experience shows that raising employee awareness significantly reduces the workload on cybersecurity teams in general, and the alert volume in particular. For this purpose, a well-designed educational program is more effective than lectures and occasional reminders.
This benefit isn’t directly related to XDR functionality; however, each Kaspersky Next XDR Optimum license includes targeted Kaspersky Security Awareness training for the employees most likely to cause high-impact incidents (executives, members of finance teams, privileged users, and anyone who has previously been a victim of social engineering). Most importantly, Next XDR Optimum allows the cybersecurity specialist to assign a relevant course to a user directly from the alert card, without interrupting the incident response. Experience shows that lessons learned immediately after a mistake that caused an incident are particularly memorable and useful, and so help prevent the same mistake from being made again.
If your cybersecurity team feels overwhelmed by alerts, or needs more management tools and threat context, it’s worth considering a move to Kaspersky XDR Optimum. Migrating from Kaspersky EDR Optimum to XDR Optimum doesn’t require additional resources for deployment or staff retraining, and the slight increase in cost is far outweighed by the significant improvement in your company’s infrastructure security.
Source: EDR or XDR — which does your company need? | Kaspersky official blog (reposted 2025-09-25)
SOC teams may waste hours daily manually enriching alerts and switching between tools, delaying response. ANY.RUN’s Microsoft Sentinel Connector fixes this by introducing fast, accurate, and interactive sandbox analysis into Sentinel’s workflow, so alerts get auto-processed, enriched with IOCs, and prioritized in seconds.
Here’s how you can speed up response times, filter out false positives, and focus on real threats without leaving your existing workspace.
Maximize Your SOC’s Efficiency
ANY.RUN’s sandbox helps SOCs process alerts by delivering fast, accurate verdicts
ANY.RUN’s Interactive Sandbox is a cloud-based solution offering security teams immediate, real-time access to Windows, Linux, and Android virtual environments for investigating suspicious files and URLs.
With the Microsoft Sentinel connector, SOCs and MSSPs can automate triage and enrich alerts with actionable verdicts and IOCs to:
Cut MTTR by up to 21 minutes per incident by eliminating manual steps and speeding up analysis.
Boost threat detection by up to 36% thanks to ANY.RUN’s powerful capabilities to catch threats missed by standard security tools.
Increase team productivity by up to 3x through automation to free up analysts for high-value tasks.
Reduce alert overload, filtering false positives and prioritizing high-risk incidents.
Detect and respond to attacks early with clear, actionable threat insights.
Save resources and optimize costs by using your existing MS Sentinel setup without extra infrastructure expenses.
The connector also supplies a continuous stream of fresh, actionable IOCs extracted from attack data across 15K SOCs around the world straight to your Microsoft Sentinel environment, helping you proactively detect the malware active right now.
How ANY.RUN’s Sandbox Improves Microsoft Sentinel Workflows
SOCs can integrate ANY.RUN’s sandbox analysis into their workflows through playbooks
With the connector, SOC teams can analyze files and links right from Sentinel alerts: either with one click or automatically. You’ll instantly get the verdict, risk score, IOCs, and a link to the full analysis, while Sentinel’s threat database updates automatically.
All analyses via the connector are launched in Automated Interactivity mode. This means the sandbox performs the investigation on its own: clicking links, opening files, and launching payloads to ensure full attack detonation.
As a result, security teams can:
Automate alert enrichment by getting verdicts and IOCs to assess incidents quickly.
Speed up and simplify triage with one-click analyses of files/attachments/links without the need for manual uploads or switching tools.
Prioritize threats automatically by checking incidents’ severity for faster decision-making.
Extract IOCs effortlessly, pulling IPs, domains, and hashes into Sentinel’s Threat Intelligence.
Respond to incidents faster thanks to ready-made analysis results and reports enabling quicker containment and remediation.
How to Set Up Malware Sandbox Connector for Microsoft Sentinel
Please note that you need an API key for the connector to work. To receive your key, reach out to your account manager or request demo access as part of the 14-day trial.
About ANY.RUN
Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.
Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.
Source: ANY.RUN Sandbox & Microsoft Sentinel: Less Noise, More Speed for Your SOC (reposted 2025-09-25)