You may not always stop your personal information from ending up in the internet’s dark recesses, but you can take steps to protect yourself from criminals looking to exploit it
WeLiveSecurity – Read More
The Ransomware Vulnerability Matrix, a vital repository on GitHub, represents a new step forward in understanding ransomware vulnerabilities. This invaluable repository catalogs known Common Vulnerabilities and Exposures (CVEs) that ransomware groups exploit, providing insights into ransomware types, vulnerable technologies, and the threat actors involved, including ransomware gangs, affiliates, and state-backed actors.
The Ransomware Vulnerability Matrix serves as a critical resource for cybersecurity professionals tasked with prioritizing threats and assessing exposure to ransomware vulnerabilities. Each entry within the matrix details the specific ransomware gang that exploited a particular CVE, links to verification sources, and includes crucial data about the affected technologies. By compiling this information, the matrix aids teams in tracking and mitigating ransomware vulnerabilities effectively.
By providing detailed insights into ransomware vulnerabilities, the matrix highlights the methods and tools employed by ransomware operators, offering a framework for assessing risks and enhancing defenses.
The matrix encompasses a wide array of products and corresponding CVEs exploited by various ransomware groups. Here are a few notable entries:
Adobe ColdFusion
CVE(s): CVE-2023-29300 & CVE-2023-38203
Ransomware Group(s): Storm-0501
Source(s): Microsoft
Apache ActiveMQ
CVE(s): CVE-2023-46604
Ransomware Group(s): RansomHub
Source(s): CISA
Atlassian Confluence
CVE(s):
CVE-2023-22515 (RansomHub)
CVE-2023-22518 (Cerber)
CVE-2022-26134 (Cerber)
These entries not only identify the vulnerabilities but also the associated threat actors, underscoring the complex landscape of ransomware attacks. For instance, the notorious group LockBit has leveraged vulnerabilities in Apache’s Log4j, specifically CVE-2021-44228, to facilitate their attacks.
Ransomware vulnerabilities pose significant risks to organizations, as they can lead to data breaches, operational disruptions, and financial losses. Ransomware gangs exploit these vulnerabilities to infiltrate systems, encrypt critical data, and demand ransoms for decryption keys. Understanding the specific CVEs associated with ransomware attacks allows organizations to implement effective cybersecurity measures.
State-backed actors also play a crucial role in the ransomware ecosystem. Their involvement complicates the threat landscape, as they often have access to advanced tools and techniques that can bypass traditional defenses. The Ransomware Vulnerability Matrix provides insights into these state-backed threats, helping organizations recognize and prepare for potential attacks.
To leverage the insights from the Ransomware Vulnerability Matrix effectively, organizations should consider the following recommendations:
Continuously update the matrix with data from CVE databases to ensure it reflects the latest vulnerabilities and trends.
Implement a system to categorize the severity of each CVE, allowing teams to prioritize patching efforts based on risk.
Include information on when specific CVEs began to be exploited by ransomware groups, providing context for emerging threats.
Offer specific mitigation recommendations for each CVE, enabling organizations to implement targeted defenses.
Develop a notification system for newly discovered vulnerabilities to keep organizations ahead of potential threats.
Link vulnerabilities to tactics and techniques outlined in the MITRE ATT&CK framework for better threat modeling.
The Ransomware Vulnerability Matrix is an organized and insightful resource that empowers cybersecurity professionals in their fight against ransomware attacks. By detailing known vulnerabilities and associating them with specific ransomware types and threat groups, the matrix enhances the ability to assess risks and prioritize defenses.
By utilizing the Ransomware Vulnerability Matrix, organizations can not only upgrade their defenses but also contribute to the broader fight against the cyber threats posed by ransomware gangs. This proactive approach is essential for protecting networks and ensuring the integrity of vital systems.
The post Ransomware Vulnerability Matrix: A Comprehensive Resource for Cybersecurity Analysts appeared first on Cyble.
Blog – Cyble – Read More
CERT-UA, the Cyber Emergency Response Team for Ukraine, uncovered a phishing campaign orchestrated by the threat actor UAC-0215. This campaign specifically targeted public institutions, major industries, and military units across Ukraine.
The phishing emails were cleverly disguised to promote integration with popular platforms like Amazon and Microsoft, as well as advocating for Zero Trust Architecture (ZTA). However, the emails contained malicious .rdp configuration files that, when opened, established a connection to an attacker-controlled server.
This connection provided unauthorized access to a variety of local resources, including disk drives, network assets, printers, audio devices, and even the clipboard. The sophistication of this campaign raises security concerns for critical infrastructure in Ukraine.
The campaign was first detected on October 22, 2024, with intelligence suggesting that the preparatory groundwork was laid as early as August 2024. The phishing operation’s extensive reach highlights not only a localized threat but also a broader international concern, as multiple cybersecurity organizations worldwide have corroborated it. The implications of this attack extend beyond individual organizations, threatening national security.
The primary targets of the phishing campaign include public authorities, major industries, and military organizations within Ukraine. This operation is assessed to have a high-risk score, indicating a threat to these sectors. The campaign is attributed to the advanced persistent threat (APT) group known as UAC-0215, utilizing rogue Remote Desktop Protocol (RDP) techniques.
The phishing campaign attributed to UAC-0215 utilizes rogue Remote Desktop Protocol (RDP) files to infiltrate key Ukrainian institutions. The malicious emails are designed to appear legitimate, enticing recipients to open attachments that ultimately compromise their systems. When a victim unwittingly opens the .rdp configuration file, it connects their computer to the attacker’s server, granting extensive access to critical local resources, including:
Disk Drives
Network Resources
Printers
COM Ports
Audio Devices
Clipboard
This access allows the attackers to execute unauthorized scripts and programs, further compromising the system.
The intelligence gathered suggests that the UAC-0215 campaign extends beyond Ukrainian targets, indicating a potential for broader cyberattacks across multiple regions, especially amid heightened tensions in the area, including recent cyberattacks on Ukraine that have garnered international concern.
This campaign highlights the growing sophistication of phishing tactics employed against Ukraine, as the attackers exploited RDP configurations to gain significant control over critical systems within public and industrial sectors, jeopardizing sensitive information and operational integrity.
To mitigate the risks posed by UAC-0215 and similar threats, organizations are advised to implement the following strategies:
Establish better filtering rules at the mail gateway to block emails containing .rdp file attachments. This measure is critical in reducing exposure to malicious configurations.
Limit users’ ability to execute .rdp files unless specifically authorized. This precaution will minimize the risk of accidental executions that could lead to breaches.
Configure firewall settings to prevent the Microsoft Remote Desktop client (mstsc.exe) from establishing RDP connections to external, internet-facing resources. This step will thwart unintended remote access and reduce the potential for exploitation.
Utilize Group Policy to disable resource redirection in RDP sessions. By setting restrictions under “Device and Resource Redirection” in Remote Desktop Services, organizations can prevent attackers from accessing local resources during RDP sessions.
The post Phishing Campaign Targeting Ukraine: UAC-0215 Threatens National Security appeared first on Cyble.
Blog – Cyble – Read More
Using Threat Intelligence (TI) feeds in your cybersecurity strategy can significantly impact not only your organization’s security posture but also its business performance. Such an integration brings many benefits that directly and indirectly improve cost-efficiency, operational effectiveness, and strategic decision-making.
Let’s explore these improvements in detail.
Investing in TI feeds can lead to significant cost savings by preventing costly data breaches and minimizing the need for reactive security measures. By avoiding breaches, businesses can sidestep the high costs associated with incident response, legal fees, and regulatory fines.
Proactive security measures allow for more efficient use of security budgets by enabling organizations to allocate resources where they are needed most, improving the efficiency of security spend.
Reduction in incident response costs
Lower cost per security incident
Improved ROI on security investments
Quality TI feeds provide critical insights that guide better decision-making across the organization, ensuring that security efforts are focused on the most pressing threats. The strategic insights extracted from TI feeds help security leaders make more informed decisions, improving the organization’s risk posture. By identifying the most critical threats, TI feeds allow companies to focus resources more efficiently, reducing wasted security spend.
Improvement in risk scoring
Reduction in time to detect and respond to threats
Increased efficiency in security spend
A company’s reputation is one of its most valuable assets, and Cyber Threat Intelligence feeds help protect this by informing organizations of incidents that could harm their brand image. Early detection of threats reduces the likelihood of incidents that could damage a company’s name and negatively impact shareholder value.
Businesses with strong security postures stand out in the market, appealing to new security-conscious clients and reassuring existing customers, which leads to greater trust.
Improvement in Net Promoter Score (NPS)
Positive impact on Customer Lifetime Value (CLV)
Better business opportunities
TI feeds also help businesses streamline their cybersecurity efforts by automating threat detection and reducing downtime caused by attacks. Integrating CTI feeds with existing security tools can contribute to wider and more accurate threat detection, as well as better response process, improving mean time to resolution (MTTR).
Improvement in MTTR
Reduction in system downtime
Increase in operational uptime
For many industries, regulatory compliance is essential, and TI feeds are a key element of a business’s cybersecurity blueprint for keeping pace with required standards. Apart from improved threat detection, TI feeds help document incidents, enrich security reports, and meet requirements for frameworks like GDPR, HIPAA, and PCI.
Reduction in non-compliance penalties
Decrease in audit preparation time
Improvement in audit scores
ANY.RUN offers advanced Threat Intelligence Feeds that provide accurate and fresh Indicators of Compromise (IOCs) for precise threat identification, including:
Command-and-control (C2) IP addresses: Addresses used by malware to communicate with attackers.
URLs and domain names: Infrastructure associated with malicious activities.
Our feeds data is extracted from millions of sandbox analyses of the latest malware and phishing samples. These samples are publicly uploaded to ANY.RUN by our global community of over 500,000 analysts. The data is carefully processed using advanced algorithms and proprietary technology to reduce false positives.
Our feeds offer more than just simple Indicators of Compromise. They provide direct links to full sandbox analysis sessions. For each indicator, users can view the entire malware interaction, including memory dumps, network traffic, and event timelines.
In an environment where cyber threats are constantly evolving, Threat Intelligence feeds are invaluable for businesses looking to maintain a strong security posture. From cost savings and better decision-making to brand protection and operational efficiency, TI feeds provide the insights and automation needed to safeguard your business and maintain growth. By integrating TI feeds into your cybersecurity strategy, you can ensure proactive protection and long-term resilience.
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
Record and study all aspects of malware behavior
Collaborate with your team
Scale as you need
Request free trial of ANY.RUN’s products →
The post How TI Feeds Support Organizational Performance appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have launched an investigation into a series of cyber intrusions linked to hackers believed to be affiliated with the Chinese state-linked threat actors.
This investigation follows reports that the phone communications of prominent U.S. political figures, including former President Donald Trump, Vice President Kamala Harris’ campaign team, and vice-presidential candidate JD Vance, have been targeted in a sweeping cyber-espionage effort.
The FBI and CISA issued a statement confirming their investigation into “unauthorized access to commercial telecommunications infrastructure” perpetrated by actors associated with the People’s Republic of China, reported CBS News. This response was prompted by specific malicious activities detected within the telecommunications sector, which the agencies say are part of a larger Chinese hacking campaign aimed at gathering sensitive information from high-level U.S. officials.
The agencies emphasized their quick action, stating that upon identifying the threat, they immediately notified affected telecommunications companies, provided technical assistance, and shared crucial information to help potential victims mitigate their exposure.
Reports indicate that the hacking campaign targeted the phone communications of several key political figures, including Donald Trump and JD Vance, as part of a broader strategy to compromise the communications of U.S. officials.
According to sources cited by CNN, the Chinese hackers also sought to infiltrate the communications of senior officials within the Biden administration. The gravity of these allegations raises concerns over the potential for foreign espionage and the safety of sensitive government communications.
Reacting to these findings, Steven Cheung, a spokesperson for Trump’s campaign, criticized the Harris campaign for allegedly “emboldening” China, reflecting the heightened political tensions surrounding the issue. However, it remains unclear whether the hackers succeeded in accessing any specific information from the targeted communications, reported Asian News International.
The New York Times was among the first to report on this breach, revealing that the hacking effort is part of a wider Chinese campaign that has successfully infiltrated several U.S. telecommunications companies over the past few months.
Investigators believe that these hackers aim to access sensitive national security information, including information on wiretap warrant requests made by the U.S. Justice Department. Notably, there is currently no evidence suggesting that the hackers targeted communications linked to law enforcement activities involving Trump and Vance.
Major U.S. broadband and internet providers, such as AT&T, Verizon, and Lumen, have also been identified as targets in this ongoing campaign.
In light of these events, U.S. agencies are taking a coordinated approach to combat the threat posed by foreign hackers. CISA reiterated its commitment to working closely with industry partners to strengthen cybersecurity in U.S. elections. They encouraged any organization that suspects it may be a victim of similar attacks to reach out to local FBI field offices or CISA for assistance.
The information about this breach coincides with other cybersecurity threats facing the U.S. political domain. Iranian hackers have also targeted Trump’s campaign, leading to the theft and subsequent publication of sensitive campaign emails.
These hackers, linked to Iran’s Basij paramilitary force, shared the stolen material with a Democratic operative who subsequently published it through various channels. The ongoing conflict between foreign actors and U.S. political campaigns highlights the precarious nature of cybersecurity in U.S. elections.
In a related investigation, the hacking group known as Mint Sandstorm, or APT42, reportedly compromised multiple Trump campaign staff accounts earlier this year. The U.S. Department of Justice has indicted three Iranian hackers involved in this breach, underscoring the persistent threat posed by foreign actors in U.S. elections cybersecurity.
As the investigation into the Chinese-linked hacks unfolds, the Chinese government has denied involvement in these alleged cyber activities. The geopolitical implications of such hacking campaigns are profound as China, Iran, and Russia continue to explore avenues to influence or monitor aspects of U.S. elections.
While U.S. intelligence agencies indicate that China has not made a significant effort to influence the presidential election directly, it has targeted various congressional and local election races through covert social media campaigns.
The investigation into the telecom hacks targeting high-profile U.S. politicians represents a critical moment in the ongoing struggle against cyber espionage. As authorities work to unravel the details of this sophisticated breach, the implications for national security remain an open question.
The post U.S. Agencies Investigate China-Linked Telecom Hacks Targeting High-Profile Politicians appeared first on Cyble.
Blog – Cyble – Read More
The Indian Computer Emergency Response Team (CERT-In) has issued two critical vulnerability advisories related to Philips Smart Lighting products and the Matrix Door Controller. Both vulnerabilities are classified as high severity, signaling significant risks for users that cannot be ignored. If left unaddressed, these vulnerabilities could lead to serious repercussions, including unauthorized access to sensitive information and potential data breaches.
The implications of these vulnerabilities extend beyond mere inconvenience; they threaten the security and integrity of users’ home networks and connected devices. Affected users must take immediate action to protect their systems and ensure they are not exposed to potential exploitation.
By staying informed and implementing the recommended security measures stated in these vulnerability advisories, users can help mitigate these risks and protect their personal information from malicious actors.
The first vulnerability advisory, labeled CIVN-2024-0329, addresses a vulnerability that impacts various Philips smart lighting devices. Specifically, the affected products include the Philips Smart Wi-Fi LED Batten 24-Watt, the Philips Smart Wi-Fi LED T Beamer 20-Watt, and the Philips Smart Bulb models (9, 10, and 12-Watt), as well as the Philips Smart T-Bulb models (10 and 12-Watt).
All of these devices are at risk if they are operating on firmware versions prior to 1.33.1. The vulnerability arises from the storage of sensitive information, specifically Wi-Fi credentials, in cleartext within the firmware of these devices. This flaw allows an attacker with physical access to the device to extract the firmware and analyze the binary data, ultimately revealing the plaintext Wi-Fi credentials.
Once obtained, these credentials could enable unauthorized access to the Wi-Fi network, jeopardizing the security of other connected devices and private information. Shravan Singh, Amey Chavekar, Vishal Giri, and Dr. Faruk Kazi, a team of researchers from the CoE-CNDS Lab at VJTI Mumbai, India, reported this vulnerability.
To mitigate this vulnerability, CERT-In strongly advises users to upgrade their Philips Smart Wi-Fi LED Batten, LED T Beamer, Smart Bulb, and Smart T-Bulb to firmware version 1.33.1 or later. This update will secure the devices against potential exploitation.
The second advisory, CIVN-2024-0328, addresses an authentication bypass vulnerability in the Matrix Door Controller Cosec Vega FAXQ. This vulnerability affects all firmware versions prior to V2R17.
The flaw in the Matrix Door Controller is attributed to improper implementation of session management within its web-based management interface. A remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the device, potentially gaining unauthorized access and complete control over it.
If exploited, this vulnerability could compromise the confidentiality, integrity, and availability of the system. While there is currently no evidence of public proof-of-concept exploitation, the potential risks remain significant, warranting immediate attention from users.
To protect against these two vulnerabilities, users are urged to follow these mitigations and mitigation strategies, as reported by the vulnerability advisories.
Ensure that better authentication mechanisms are in place for the web-based management interface.
Limit access to the Matrix Door Controller devices through effective network segmentation.
Regularly monitor and log all access attempts to these devices to detect any unauthorized activity.
Apply any security updates or patches provided by the vendor as soon as they are available.
Consider deploying a web application firewall (WAF) to protect against malicious HTTP requests.
The vulnerability advisories issued by CERT-In related to the technical flaws in Philips Smart Lighting products and the Matrix Door Controller highlight the sophistication of cyber threats and the importance of maintaining updated firmware. As smart devices become increasingly integrated into everyday life, ensuring their security is important.
Users of the affected Philips lighting devices are strongly encouraged to upgrade to firmware version 1.33.1, while Matrix Door Controller users should promptly move to firmware version V2R17. Adopting these updates and implementing the recommended security measures will help mitigate the risks associated with these vulnerabilities and enhance overall cybersecurity resilience.
The post New Vulnerabilities Identified in Philips Smart Lighting and Matrix Door Controller appeared first on Cyble.
Blog – Cyble – Read More
A group of security researchers discovered a serious vulnerability in the web portal of the South Korean car manufacturer Kia, which allowed cars to be hacked remotely and their owners tracked. To carry out the hack, only the victim’s car license plate number was needed. Let’s dive into the details.
If you think about it, in the last couple of decades, cars have essentially become big computers on wheels. Even the less “smart” models are packed with electronics and equipped with a range of sensors — from sonars and cameras to motion detectors and GPS.
And not only that; in recent years, these computers have been constantly connected to the internet — with all the ensuing risks. Not long ago, we wrote about how today’s cars collect huge amounts of data about their owners and send it to the manufacturer. Moreover, the manufacturers also sell this collected data to other companies — particularly insurers.
However, there’s another side to this issue: being constantly connected to the internet means that, if there are vulnerabilities — either in the car itself or in the cloud system it communicates with — someone could exploit them to hack the system and track the car’s owner without the manufacturer even knowing.
The so-called “head unit” of a car is just the tip of the iceberg; in fact, today’s cars are stuffed with electronics
This is exactly what happened in this case. Researchers found a vulnerability in Kia’s web portal, which is used by Kia owners and dealers. It turned out that by using the API, the portal allowed anyone to register as a car dealer with just a few fairly simple moves.
The Kia portal in which a serious vulnerability was discovered. Source
This gave the attacker access to features that even car dealers shouldn’t have — at least, not once the vehicle has been handed over to the customer. Specifically, the portal permits first finding any Kia car, and then accessing the owner’s data (name, phone number, email address, and even physical address) — all with just the vehicle’s VIN number.
It should be noted that VIN numbers aren’t exactly secret information — in some countries, they’re publicly available. For instance, in the USA there are many online services you can use to look up a VIN number using a car’s license plate number.
A general scheme of the Kia web portal attack, allowing control over any car using its VIN number. Source
After successfully finding the car, the attacker can use the owner’s data to register any attacker-controlled account in Kia’s system as a new user for the vehicle. From there, the attacker would gain access to various functions normally available to the car’s actual owner through the mobile app.
What’s particularly interesting is that all these features weren’t just available to the dealer who sold that car, but to any dealer registered in Kia’s system.
The researchers then developed an experimental app that could take control of any Kia vehicle within seconds simply by entering its license plate number into the input fields. The app would automatically find the car’s VIN through the relevant service and use it to register the vehicle to the researchers’ account.
The researchers even created a handy app to simplify hacking — all you need is the Kia car’s license plate number. Source
After that, a single button press in the app would allow the attacker to obtain the vehicle’s current coordinates, lock or unlock the doors, start or stop the engine, or honk the horn.
The app could be used to obtain the hacked car’s coordinates and send commands. Source
It’s important to note that in most cases these functions wouldn’t be enough to steal the car. Modern models are usually equipped with immobilizers, which require the physical presence of the key to be disabled. There are some exceptions, but generally these are the cheapest cars that are unlikely to be of much interest to thieves.
Nevertheless, this vulnerability could easily be used to track the car owner, steal valuables left inside the car (or plant something there), or simply disrupt the driver’s life with unexpected actions from the vehicle.
The researchers followed responsible disclosure protocol, informing the manufacturer of the issue and only publishing their findings after Kia fixed the bug. However, they note that they’ve found similar vulnerabilities before and are confident they’ll continue to discover more in the future.
Kaspersky official blog – Read More
Identifying new cyber threats is no simple task. They’re always evolving, adapting, and finding new ways to slip through the defenses.
But no stress—ANY.RUN has you covered!
Our team of researchers are always on the lookout, analyzing the latest attacks to keep you informed.
In this article, we’re sharing some of the most recent threats our team has uncovered over the past month. Let’s dive in and see what’s out there!
APT-C-36, better known as BlindEagle, is a group that has been actively targeting the LATAM region for years. Their primary goal? To gain remote control of victims’ devices through continuous phishing attacks, installing Remote Access Tools (RATs) like Remcos and AsyncRAT for financial gain.
We discovered that in recent cases attackers invite victims to an online court hearing via email. This official-sounding invitation creates a sense of urgency, pushing the target to download the malicious payload.
You can view analysis of this attack inside ANY.RUN’s sandbox.
To deliver their malware, BlindEagle often relies on well-known online services, such as:
Discord
Google Drive
Bitbucket
Pastee
YDRAY
This tactic helps them bypass certain security filters since these services are typically trusted by users.
The malicious payload is stored in the archive, which is usually protected by a password that can be found in the initial email.
Thanks to ANY.RUN’s interactivity, you can manually enter the password right inside the sandbox.
As mentioned, BlindEagle use Remcos and AsyncRAT as their primary tools for remote access. The current attack involved Remcos distribution.
In the current analysis session, we observed a Remcos RAT connection attempting communication with a Command and Control (C2) server.
This activity involves establishing TLS connection to an external server, which was immediately flagged by a Suricata IDS rule in the ANY.RUN sandbox.
To collect intel on other attacks belonging to BlindEagle’s campaigns, you can use ANY.RUN’s Threat Intelligence Lookup:
Specify the country from where the phishing sample originated:
submissionCountry:”Co”
Filter for sessions that involve an email client, like Outlook:
commandLine:”OUTLOOK.EXE”
Since the payload is often stored in an archive, filter for an archiving tool, such as WinRAR:
commandLine:”WinRAR”
Look for sessions flagged as suspicious or malicious:
threatLevel:”malicious”
To find active RATs like Remcos, add a condition for Remote Access Tools:
threatName:”rat”
Here is the final query:
The search takes just a few seconds and reveals a wealth of information.
TI Lookup offers a list of samples matching the query each with their corresponding sandbox analysis. You can navigate to any sandbox session of your interest to explore these threats further.
Another phishing campaign discovered by ANY.RUN’s team exploited fake CAPTCHA prompts to execute malicious code, delivering Lumma malware onto victims’ systems.
In this phishing attack, victims were lured to a compromised website and asked to complete a CAPTCHA. They either needed to verify their human identity or fix non-existent display errors on the page.
Once the user clicked the fake CAPTCHA button, the attackers prompted them to copy and run a malicious PowerShell script through the Windows “Run” function (WIN+R).
The instruction deceived users into executing harmful code, leading to system infection with Lumma malware for further exploitation.
For further investigation into attacks leveraging fake CAPTCHA prompts, you can use ANY.RUN’s TI Lookup to locate additional samples and associated data.
As part of your search query, you can use a domain involved in the attack:
This query reveals multiple related domains, IP addresses, and sandbox sessions tied to the attacks outlined above.
We also identified a growing use of encoded JavaScript files for hidden script execution.
Microsoft originally developed Script Encoder as a way for developers to obfuscate JavaScript and VBScript, making the code unreadable while remaining functional through interpreters like wscript.
Intended as a protective measure, Script Encoder has also become a resource for attackers. By encoding harmful JavaScript in .jse files, cybercriminals can embed malware in scripts that look legitimate, tricking users into running the malicious code.
This type of obfuscation not only conceals the code but also complicates detection, as security tools struggle to identify the harmful intent within encrypted data.
Encoded .jse files are commonly delivered through phishing emails or drive-by-downloads.
See analysis of a .jse file disguised as a calculator software in the ANY.RUN sandbox.
Using the built-in Script Tracer feature, you can view entire script execution process to avoid manual decryption.
Our analysts are constantly on the lookout for emerging phishing and malware attacks, as well as new malicious techniques used by cyber criminals. To stay updated on the latest research of ANY.RUN’s team, make sure to follow us on X, LinkedIn, YouTube, Facebook, and other social media.
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
Record and study all aspects of malware behavior
Collaborate with your team
Scale as you need
The post Recent Cyber Attacks Discovered by ANY.RUN: October 2024 appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Most users will associate large language models (LLMs) like ChatGPT with answering basic questions or helping to write basics lines of text.
But could these tools actually help defenders in the cybersecurity industry write more effective detection content?
Several security researchers from across Cisco recently looked into how LLMs, which have surged in popularity over the past year, could assist them in the detection research process.
Part of their jobs is to try and perform test behavior that will trigger existing detection rules to check their effectiveness and try to emulate the behavior of a typical adversary — all in the name of updating that detection content to catch the latest tactics, techniques and procedures (TTPs).
LLMs may be able to assist in this complex, time-consuming tax, as Darin Smith, Yuvi Meiyappan, Moazzam Khan and Ray McCormick write in this paper, which you can download below.
Khan, a security researcher for Cisco, will be presenting the findings of this paper at the upcoming BSides Portland conference.
Cisco Talos Blog – Read More
Cyble Research and Intelligence Labs (CRIL) came across an ongoing cyberattack campaign originating from malicious LNK files.
The sophisticated multi-stage attack chain relies heavily on PowerShell and BAT scripts to streamline the download and execution of additional payloads, demonstrating the Threat Actor’s (TA) preference for script-based methods to evade detection by traditional security solutions.
The attack involves the creation of an administrative account on the victim’s system and altering Remote Desktop settings to lower authentication requirements, simplifying unauthorized RDP access for the attacker.
The campaign deploys an additional well-known password recovery tool, ChromePass, which collects saved passwords from Chromium-based browsers, increasing the risk of broader account compromises.
Based on its TTPs, we have not been able to attribute this campaign, so for tracking purposes, we are naming it “HeptaX”.
CRIL has come across a multi-stage cyberattack campaign that begins with a ZIP file containing a malicious shortcut file (.lnk). While the source of this ZIP file remains unknown, it is suspected to be disseminated through phishing emails. Based on the LNK file name, it is suspected that this campaign targets the healthcare industry.
Upon execution, the LNK file triggers a PowerShell command that downloads and executes a series of additional payloads, including PowerShell scripts and BAT files, from a remote server. These scripts work in tandem to create a new user account on the compromised system with administrative privileges and modify Terminal Services (RDP) settings, lowering authentication requirements. This setup enables the TAs to easily establish remote desktop access (RDP) to the victim’s system, facilitating further malicious activities such as data exfiltration, the installation of additional malware, or even system monitoring.
Furthermore, CRIL identified the presence of an unwanted application called “ChromePass” within the threat actors’ network infrastructure. This hacking tool is designed to steal saved passwords from Chromium-based browsers, adding another layer of risk for victims by exposing their credentials. The image below illustrates the infection chain.
Based on the information obtained through pivoting, this group has been operational since 2023 and has executed a range of attacks across different sectors, as reflected in the names of the lure files. While the overall attack flow has remained consistent, it is surprising that they are still active using the same techniques. Several researchers have previously identified this campaign [1],[2],[3],[4],[5], with the majority of findings shared by the Malware Hunter Team.
Over the past 12 months, this unidentified group has consistently reemerged with various lure themes while maintaining unchanged attack patterns. Tracked as HeptaX,’ the campaign relies heavily on PowerShell and Batch scripts to gain control over compromised systems. By pivoting the IP address, we uncovered several additional artifacts associated with the same TAs used across different campaigns.
One of the notable files from this campaign is:
202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf.lnk
In addition, older campaigns attributed to this threat group over the past year include malicious files with names such as:
SOW_for_Nevrlate.pdf
WebContentWriting_Handout.pdf
Blockchain_Trading_Website_Manager.docx
Project Description – PoC smart assistant Vhyro Project from jvope signature.pdf
Resume – professional sax, keys and guitar player with over 40 years experience working with own bands, accompanied world stars.pdf
dropshipping Elien project prposal-soft online service ventilization from xihu.pdf.lnk
The diversity in file names and themes suggests that this group tailors its campaigns to appeal to a variety of victims, indicating a broad targeting strategy across multiple industries.
Upon execution, the LNK file runs a PowerShell command that downloads and executes subsequent payloads from a remote server. The image below shows a partially de-obfuscated PowerShell command.
First stage – bb.ps1
As an initial step, the downloaded PowerShell script constructs a base URL to which it sends information and from which it downloads other stage payloads. The PowerShell script contains multiple functions, the first of which retrieves a unique identifier (UID) for the compromised system. This UID is obtained either from a specific registry path (HKEY_LOCAL_MACHINESOFTWAREWireless) or from a log file (id.log) in the “C:UsersPublicDocuments” directory. If neither exists, a new GUID is generated and saved to a newly created id.log file.
Next, the PowerShell script creates a shortcut file in the Windows Startup folder for persistence. The contents of the newly generated LNK file match those of the original malicious LNK file. The image below shows the function responsible for creating the new LNK file in the startup folder.
Then, the PowerShell script constructs a URL by appending the previously generated UID to the remote server, forming the request hxxp://157.173.104.153/up/get-command.php?uid=<UID>, and uses WebClient to send a request to fetch commands from the server. Upon receiving a successful response, it checks whether the response contains the string “autoreconnect”. If this string is present, the Powershell script runs the code in the current session using `iex`; otherwise, it executes the code as a background task in a separate PowerShell process.
Afterward, the PowerShell script downloads a password-protected lure document from the above-mentioned remote server, saves it in the system’s temporary directory “C:Users<Username>AppDataLocalTemp”, and then launches the document. The image below displays the function code and the open directory containing the lure PDF.
Finally, the PowerShell script retrieves two registry values related to User Account Control (UAC):
HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemConsentPromptBehaviorAdmin, which controls the consent prompt behavior for administrators.
HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemEnableLUA, which indicates whether UAC is enabled.
If either of these values is 0, suggesting that UAC is either disabled or configured to a less secure setting, the script proceeds to download and execute another PowerShell script (b.ps1) from the remote server.
Second Stage – b.ps1
The newly downloaded second-stage PowerShell script includes several functions, some mirroring those from the first stage. The primary function of this script is focused on evaluating the system’s User Account Control (UAC) settings, utilizing the same registry checks employed earlier to determine whether UAC is enabled and if the consent prompt for administrators remains active.
If UAC is disabled or the consent prompt behavior is configured to a less secure state, the function sends a message to the remote server indicating that UAC is off by default: (“hxxp://157.173.104[.]153/up/index.php?uid=$uid&msg=UAC off in default!”).
If both settings are enabled, the function enters a loop, repeatedly attempting to disable UAC by setting the “ConsentPromptBehaviorAdmin” value to 0. Once successful, it sends a message to the remote server stating that UAC has been forcefully disabled: (“hxxp://157.173.104[.]153/up/index.php?uid=$uid&msg=UAC force disabled!”). The below image shows the function code responsible for sending a POST request to the remote server, transmitting information about the victim’s User Account Control (UAC) status.
After a brief 300-millisecond sleep, the PowerShell script calls the schReg() function, which downloads three batch files from the remote server into the system’s temporary directory ($env:TEMP). The files are named “k1.bat,” “scheduler-once.bat,” and “k2.bat.” After downloading, the script runs the “scheduler-once.bat” file using the “Start-Process” cmdlet with elevated privileges. The image below shows the code responsible for downloading and executing the batch files.
Third Stage – scheduler-once.bat
The executed batch file copies “k1.bat” and “k2.bat” from the %temp% directory to “C:WindowsSystem32”, renaming them to “sysmon.bat” and “sysmon2.bat”. It then deletes the original “k1.bat” and “k2.bat” files from the temp location. Next, the batch file checks for and removes any scheduled tasks named:
Intel(R) Ethernet Connection 1219-LM
Intel(R) Ethernet2 Connection 1219-LM
Afterward, it creates a new scheduled task called “Intel(R) Ethernet2 Connection 1219-LM” to run “sysmon2.bat”. Finally, the script “scheduler-once.bat” deletes itself to cover its traces from the system. The image below displays the contents of the batch file “scheduler-once.bat”.
Fourth Stage – sysmon2.bat
Once the scheduled task is triggered to execute the “sysmon2.bat” file, it first checks for and removes any existing scheduled tasks named:
Intel(R) Ethernet Connection 1219-LM2
Intel(R) Ethernet2 Connection 1219-LM2
Afterward, it creates a new scheduled task called “Intel(R) Ethernet2 Connection1219-LM2” to run the “sysmon.bat” file located in the “C:WindowsSystem32” folder. Notably, the previous third-stage batch file performs similar checks, but the task names differ slightly. The image below shows the content of the “sysmon2.bat” file.
Fifth Stage – Sysmon.bat
The sysmon.bat script executes a series of actions:
Creates a new user account named “_BootUEFI_”.
Sets the password for this newly added account to “123456!!!” and activates it.
Adds the “_BootUEFI_” account to the Administrators group, granting it administrative privileges.
Adds the “_BootUEFI_” account to the Remote Desktop Users group, allowing it to utilize Remote Desktop.
Removes the “_BootUEFI_” account from the Users group, ensuring it retains only administrative and remote desktop privileges.
Additionally, the batch file makes several registry modifications to enable Remote Desktop and lower its security features. This includes hiding the “_BootUEFI_” user from the login screen and adjusting Terminal Services (Remote Desktop) settings to facilitate easier remote connections without stringent authentication requirements.
The batch file runs a PowerShell command that circumvents execution policy restrictions and adds the System32 directory, which contains the three malicious batch files, to the Windows Defender exclusion list.
Finally, it initiates a background PowerShell process that downloads and executes another PowerShell script from the remote server (hxxp://157.173.104[.]153/up/a.ps1).
Sixth Stage – a.ps1
The newly downloaded PowerShell script “a.ps1” functions similar to the first stage script (bb.ps1). It constructs a URL by appending the previously generated UID to the remote server address, forming a request to “hxxp://157.173.104.153/up/get-command.php?uid=<UID>”.
The script then utilizes a WebClient to send a request and retrieve commands from the server. Upon receiving a response, it checks for the presence of the string “autoreconnect id.” If this string is found, the PowerShell script executes the code in the current session using iex; otherwise, it runs the code as a background task in a separate PowerShell process. Notably, in both stages, we did not receive any specific commands such as “autoreconnect” or “autoreconnect id”. The main difference in this sixth-stage script is that it looks for the string “autoreconnect id” instead of just “autoreconnect”. The below image shows the code for reconnecting to the server.
Seventh Stage – Server response PowerShell Script
Upon establishing a connection with the server, a new PowerShell script is executed. This script contains several functions aimed at system reconnaissance, data exfiltration, and interaction with the remote server.
The script collects detailed system information, including:
Computer name and username.
Retrieves recent files from the directory: C:Users<user profile>AppDataRoamingMicrosoftWindowsRecent.
Acquires network configuration details using “ipconfig /all”.
List of users on the machine (net user).
Obtains current logged-in user details.
Identifies local user groups associated with the current user.
Retrieves excluded directories in Windows Defender.
Lists installed antivirus products.
Captures running processes using “tasklist”.
Gathers overall system information using “systeminfo”.
All this data is saved in a log file located at “C:WindowsTempOneDriveLogOneDrive.log”.
The script then reads the contents of the log file, converts the data into a byte array, and encodes it in Base64 format. This encoded data, along with the unique user ID (uid), is appended to the base URL” hxxp://157.173.104[.]153/up/index.php” and sent via a POST request. After successfully transmitting the data, the log file and its directory are deleted to eliminate any traces of the data collection.
Taking Remote desktop
With all the collected information, User Account Control (UAC) disabled, and a new user account named “BootUEFI” created with administrative privileges, along with lowered authentication requirements for Terminal Services, the TAs can easily gain access to the compromised remote desktop. This access enables them to perform various actions on the victim’s machine, such as:
Installing additional malware
Exfiltrating sensitive data
Monitoring user activity
Modifying system settings
Utilizing the machine for malicious activities
Additionally, we observed an unwanted application—a hacking tool named ChromePass—associated with the same network infrastructure at “hxxp://157.173.104[.]153/up/Tool/ChromePass.exe” This tool is designed to steal saved passwords from Chromium-based browsers.
Over the past year, this group has executed multiple attacks utilizing various lures and targeting different victims, all while remaining largely unnoticed. Their reliance on basic scripts has enabled TAs to gain remote access to compromised systems seamlessly, allowing for extensive exploitation without triggering alarms.
Additionally, the deployment of the ChromePass tool further underscores the group’s intent to harvest sensitive information, such as saved passwords from Chromium-based browsers, thereby posing a significant threat to the security of individuals and organizations alike. This combination of tactics highlights the need for enhanced detection and prevention measures to combat these stealthy cyber threats effectively.
The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.
Consider disabling the execution of shortcut files (.lnk) from email attachments or implementing policies that require explicit user consent before executing such files.
Consider disabling or limiting the execution of scripting languages, such as PowerShell and cmd.exe, on user workstations and servers if they are not essential for legitimate purposes.
Implement policies that prevent the unauthorized creation of privileged accounts.
Regularly track changes to User Account Control (UAC)- related registry keys, such as “EnableLUA” and “ConsentPromptBehaviorAdmin.” Monitoring these keys helps identify potential attempts to bypass UAC, enhancing system protection against unauthorized changes.
Strengthen the security of Remote Desktop Protocol (RDP) by enforcing strong authentication mechanisms, such as multi-factor authentication (MFA), and by using network-level authentication (NLA). Limiting RDP access to trusted IP addresses and utilizing VPNs can also help mitigate risks.
Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
Tactic
Technique
Procedure
Initial Access (TA0001)
Phishing (T1566)
The LNK file may be delivered through phishing or spam emails
Execution (TA0002)
User Execution: Malicious Link (T1204.001) Command and Scripting Interpreter: PowerShell (T1059.001)
Execution begins when a user executes the LNK file The LNK file executes PowerShell commands
Defense Evasion (TA0005)
Obfuscated Files or
Information (T1027)
Scripts include packed or encrypted data.
Persistence (TA0003)
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
Adds LNK file in the startup folder
Privilege
Escalation
(TA0004)
Abuse Elevation Control Mechanism (T1548) Account Manipulation (T1098)
Bypass User Account Control Manipulate accounts to maintain and/or elevate access to victim systems.
Discovery (TA0007)
System Information Discovery (T1082)
Script gathers system information.
Credential Access (TA0006)
Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
Retrieves credentials from web browsers
C&C
(TA0011)
Ingress Tool Transfer
(T1105)
Downloads files from webservers via
HTTP
C&C
(TA0011)
Application Layer Protocol
(T1071)
Malware exe communicate to C&C server.
Indicators
Indicator Type
Description
6605178dbc4d84e789e435915e86a01c5735f34b7d18d626b2d8810456c4bc72
SHA256
Zip File
18e75bababa1176ca1b25f727c0362e4bb31ffc19c17e2cabb6519e6ef9d2fe5 5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b
SHA256
Malicious LNK file
1d82927ab19db7e9f418fe6b83cf61187d19830b9a7f58072eedfd9bdf628dab
SHA256
bb.ps1
a8d577bf773f753dfb6b95a3ef307f8b4d9ae17bf86b95dcbb6b2fb638a629b9
SHA256
b.ps1
999f521ac605427945035a6d0cd0a0847f4a79413a4a7b738309795fd21d3432
SHA256
K1.bat
4b127e7b83148bfbe56bd83e4b95b2a4fdb69e1c9fa4e0c021a3bfb7b02d8a16
SHA256
GooglePass
hxxp://157.173.104[.]153/up/index.php hxxp://157[.]173.104.153/up/b.ps1 hxxp://157.173.104[.]153/up/bb.ps1 hxxp://157.173.104[.]153/up/scheduler-oncex
hxxp://157.173.104[.]153/up/trigger
hxxp://157.173.104[.]153/up/Tool/ChromePass.exe
hxxp://157.173.104[.]153/up/get-command.php
hxxp://157.173.104[.]153/up/bait/202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf
URL
Remote server
"Project Description.rar": 3778d79087d4e44fe8cf19e26c28bfa261343934034e3493e7d76bbc82eec5b0
— MalwareHunterTeam (@malwrhunterteam) September 12, 2023
"Project Description – PoC smart assistant Vhyro Project from jvope signature.pdf.lnk": b9bebbc0c45cbc87124ba497cb7b7f15fbac6e39535869ae006a950ac04ea285
🤔@ShadowChasing1 @h2jazi pic.twitter.com/MA4CvdDVUd
5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b
— 安坂星海 Azaka || VTuber (@AzakaSekai_) October 16, 2024
202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf.lnk
157.173.104[.]153 pic.twitter.com/cslQgnjyUA
🤔
— NaN_FMC (@fmc_nan) September 12, 2023
0aef2fee350f93d5783aa7a3c9c15cf6428a64a09ea7b42360d0d8e115503e49
hxxp://issue.homes/up/get-command.php?uid=
hxxp://issue.homes/up/bait/Blockchain_Trading_Website_Manager.docx pic.twitter.com/3ViYAFYGed
"Resume.rar": 42fc9bc9683f8cb4f3902dcbd23d932b06f050ae150acd2f7258185d05bc1f57
— MalwareHunterTeam (@malwrhunterteam) September 30, 2023
"Resume Felipe Luís – professional sax, keys & guitar player with over 20 years experience working with own bands, […].pdf.lnk": e103f352581cafcccb7211526cc7bd288e3c3320ae6aa25748389a250da4d773
🤔 pic.twitter.com/aoORqpcD9O
Related "Elien project proposal.zip": 95257318449fe3dafb1c5269f53942b9fce04ee41450d102aa2c2e9e8aed912b
— MalwareHunterTeam (@malwrhunterteam) September 12, 2023
"dropshipping Elien project prposal-soft online service ventilization from xihu.pdf.lnk": 0aef2fee350f93d5783aa7a3c9c15cf6428a64a09ea7b42360d0d8e115503e49 pic.twitter.com/qwqHiHcYSb
The post HeptaX: Unauthorized RDP Connections for Cyberespionage Operations appeared first on Cyble.
Blog – Cyble – Read More
