Key Takeaways

This week, the U.S. Cyber Security and Infrastructure Agency (CISA) incorporated seven vulnerabilities to its Known Exploited Vulnerability (KEV) catalog based on evidence of active exploitation.  

The team at Cyble Research and Intelligence Labs analyzed multiple high- and critical-severity CVEs impacting products and software used worldwide. One such vulnerability is CVE-2024-38812, which impacts the VMware vCenter Server and can be remotely exploited without any user interaction. 

CRIL also assessed a high probability of certain vulnerabilities that attackers can use in malicious campaigns, including data breaches and supply chain attacks. Namely, CVE-2024-29847, which impacts Ivanti Endpoint Manager, CVE-2024-45694, an arbitrary code exaction vulnerability impacting D-Link wireless routers, and CVE-2024-45409, which impacts GitLab CE/EE instance.

CRIL’s dark web monitoring sensors observed 15 instances on underground forums and Telegram channels, where vulnerability and Proof of Concepts (POC) discussions were taking place. Some of the notable ones are: CVE-2024-8504, CVE-2024-8503, CVE-2024-29847, CVE-2024-38014, VMware Workstation client, TOTOLINK routers and TP Link Archer C6U/C6 routers.

Overview

This Weekly Vulnerability Intelligence Report explores vulnerability updates between September 11 and September 17. The Cyble Research and Intelligence Labs team investigated 24 vulnerabilities this week, among other disclosed vulnerabilities, to present critical, high, and medium degree insights.

The Week’s Top Vulnerabilities

CVE-2024-45409: Improper Verification of Cryptographic Signature in GitLab Community Edition (CE) and Enterprise Edition (EE)

The critical SAML authentication bypass vulnerability impacting self-managed installations of the GitLab Community Edition (CE) and Enterprise Edition (EE). Security Assertion Markup Language (SAML) is a single sign-on (SSO) authentication protocol that allows users to log in across different services using the same credentials. An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. 

CVSS Score: 10

Internet Exposure: No 

Patch Available: Yes 

CVE-2024-38812: Heap-based Buffer Overflow in VMware vCenter Server

The critical heap-overflow vulnerability impacts the VMware vCenter Server, a centralized management platform for VMware vSphere environments that provides a single interface to manage and monitor multiple ESXi hosts and the virtual machines running on them. A malicious actor with network access to the vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution. 

CVSS Score: 9.8

Internet Exposure: Yes

Patch Available: Yes 

CVE-2024-29847: Deserialization of Untrusted Data in Ivanti Endpoint Manager

The critical vulnerability impacts Ivanti Endpoint Manager is a comprehensive solution designed for managing and securing endpoints across various operating systems and devices. It integrates Unified Endpoint Management (UEM) capabilities, allowing IT teams to oversee a diverse range of devices from a single platform. Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6 or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. 

CVSS Score: 9.8

Internet Exposure: Yes 

Patch Available: Yes 

CVE-2024-6671, CVE-2024-6670: SQL Injection in Progress WhatsUp Gold

The criticalSQL Injection vulnerabilities impact Progress WhatsUp Gold, a comprehensive network monitoring software designed to provide visibility and control over network devices, servers, applications, and virtual environments. It allows IT teams to monitor performance metrics and ensure the health of their infrastructure, whether deployed on-premises or in the cloud. The exploitation of the vulnerabilities allows an unauthenticated attacker to retrieve the user’s encrypted password. 

Recently, researchers disclosed that attackers are leveraging publicly available exploit code to exploit critical vulnerabilities.  

CVSS Score: 9.8 respectively

Internet Exposure: Yes 

Patch Available: Yes 

CVE-2024-45694: Stack-based Buffer Overflow in D-Link Routers

Impact Analysis: The critical stack-based buffer overflow vulnerability impacts the web service of certain models of D-Link wireless routers. Unauthenticated, remote attackers can exploit this vulnerability to execute arbitrary code on the device. 

CVSS Score: 9.8

Internet Exposure: No

Patch Available: Yes

CVE-2024-6678: Authentication Bypass by Spoofing in GitLab Community Edition (CE) and Enterprise Edition (EE)

Impact Analysis: The high severity vulnerability impacts GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2. The exploitation of the vulnerability allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances, leading to the disruption of automated workflows of targeted organizations. 

CVSS Score: 8.8

Internet Exposure: No 

Patch Available: Yes 

Vulnerabilities and Exploits Discussed in the Underground

CRIL observed multiple instances of vulnerability discussions and the promulgation of proof-of-concepts (POCs) in underground forums and channels.

On a Telegram channel named ‘Proxy Bar,’ the administrator shared POCs for several critical and high-severity vulnerabilities, including CVE-2024-8504 (OS Command Injection), CVE-2024-8503 (SQL injection), CVE-2024-40711 (RCE in Veeam Backup and Replication software) and CVE-2024-38080 (Privilege Escalation in Windows Hyper-V).

On the Telegram channel CyberDilara, the administrator shared a POC for CVE-2024-38014, A high severity vulnerability in the Windows Installer that allows for elevation of privileges.

Hackers Factory also shared a POC for CVE-2024-28000, a critical privilege escalation vulnerability affecting the LiteSpeed Cache plugin for WordPress, which allows unauthorized users to gain Administrator-level access to a WordPress site.

TA tikila claimed to have three a 0-day vulnerabilities affecting VMware Workstation, TOTOLINK routers, and TP-Link Archer C6U/C6 routers.

Cyble’s Recommendations

Stay Up-to-Date with Patches

Make it a priority to update all your systems with the latest vendor patches. Vulnerabilities get exploited quickly, and having a schedule for regular updates ensures you’re not left exposed. Apply critical patches as soon as they’re released—don’t delay.

Streamline Your Patch Management

Building a solid patch management process is key. It starts with knowing what’s in your system, followed by assessing, testing, and deploying patches in an orderly fashion. Automating this process can save time and prevent human error.

Segment Networks for Better Protection

Don’t put all your eggs in one basket. Segregating your network can safeguard your most critical assets by limiting their exposure. Use firewalls, VLANs, and tight access controls to ensure only authorized users have access.

Have a Response Plan Ready

When incidents happen—and they will—having a well-rehearsed incident response plan is a lifesaver. It should clearly define how you’ll detect, react to, and recover from threats. Regularly test and update this plan to ensure it’s aligned with the latest risks.

Monitor and Log Activities 

You can’t fix what you can’t see. Monitoring and logging malicious activity is crucial. Use SIEM solutions to collect and analyze logs in real-time, helping you catch threats before they escalate.

Stay Informed on Security Alerts

Stay ahead of threats by subscribing to security alerts from vendors and authorities. Make sure to evaluate the impact of these alerts on your organization and act swiftly.

Test for Vulnerabilities

Conduct regular Vulnerability Assessments and Penetration Testing (VAPT) to expose weak points in your defenses. Pair these exercises with audits to confirm you’re following security protocols.

Know Your Assets

Keeping a current inventory of internal and external assets, like hardware and software, is essential. Asset management tools can help maintain visibility, so you stay on top of everything in your network.

Strengthen Password Security

Weak passwords are an open door for hackers. Start by changing default passwords immediately and enforcing a strong password policy across your organization. Coupling that with multi-factor authentication (MFA) adds an extra layer of protection, making it harder for unauthorized users to gain access.

The post HED: Weekly IT Vulnerability Report for September 11 – September 17, 2024 appeared first on Cyble.

Blog – Cyble – ​Read More

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.  

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.  

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.  

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding. 

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

The one big thing 

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

Why do I care? 

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

So now what? 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

Top security headlines of the week 

Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East. The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC) 

Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it. New research findings indicate that groups like BianLian and Rhysida use Microsoft’s Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH) 

Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them. This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence) 

Can’t get enough Talos? 

Despite Russia warnings, Western critical infrastructure remains unprepared The Cybersecurity Cat-And-Mouse Game DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites 

Upcoming events where you can find Talos

VB2024 (Oct. 2 – 4) 

Dublin, Ireland 

MITRE ATT&CKcon 5.0 (Oct. 22 – 23) 

McLean, Virginia and Virtual

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

misecCON (Nov. 22) 

Lansing, Michigan

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59 
MD5: 3b100bdcd61bb1da816cd7eaf9ef13ba 
Typical Filename: vt-upload-C6In1 
Claimed Product: N/A  
Detection Name: Backdoor:KillAV-tpd  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: RF.Talos.80 

SHA 256: 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668 
MD5: 49d35332a1c6fefae1d31a581a66ab46 
Typical Filename: 49d35332a1c6fefae1d31a581a66ab46.virus 
Claimed Product: N/A   
Detection Name: W32.Auto:70ff63.in03.Talos 

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66 
MD5: 8b84d61bf3ffec822e2daf4a3665308c 
Typical Filename: RemComSvc.exe 
Claimed Product: N/A 
Detection Name: W32.3A2EA65FAE-95.SBX.TG 

SHA 256: 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c 
MD5: fab8aabfdabe44c9a1ffa779fda207db 
Typical Filename: ACenter.exe 
Claimed Product: Aranda AGENT 
Detection Name: Win.Trojan.Generic::tg.talos  

Cisco Talos Blog – ​Read More

Roughly 70% of malware incidents are a result of social engineering, with spearphishing being a common method. Let’s learn more about this phenomenon and discover:

What is spearphishing and what makes it so dangerous

Common techniques used in spearphishing attacks

Tools you can employ in your defense strategy

An example of a real-world spearphishing attack

What is spearphishing? 

It is a targeted form of phishing attack where the adversary focuses on a specific individual or organization. Unlike generic phishing, spearphishing is often more sophisticated and uses personalized information to make the attack more convincing.

What are the main goals of spearphishing? 

The most common objectives are delivering a malicious payload, but other goals can be pursued, too:

Disclosure of sensitive information: obtaining personal, financial, or business-critical information for fraudulent use or selling on the dark web.

Unauthorized system access: capturing credentials for unauthorized access, potentially leading to further compromise within a network or system.

What makes spearphishing dangerous?

It is highly targeted and tailored to each victim, making it more challenging to defend against compared to generic phishing attacks. 

Spoofing genuine connections of the victim, impersonating business associates, or tailoring a message around the receiver’s interests — all of these factors make spearphishing even more challenging to recognize than common phishing.

For example, attackers may impersonate a high-ranking executive within a company, sending an email to an employee requesting urgent payment or confidential information. The email will appear genuine, leaving little chance for the victim to recognize an attack. 

Another tactic attackers sometimes use is gaining access to an actual business associate’s email account. Then, they will lead the recipient to believe that the email is from a trusted contact, but in reality, it contains malware.

Spearphishing and phishing compared

We’ve created this table show what aspects make spearphishing so destructive and why you should be concerned about this potential threat:

Who are the most likely targets of spearphishing?

Medium-sized businesses and enterprises. These attacks take a lot of effort to prepare, which is why adversaries typically pursue high-risk, high-reward targets.

Within these organizations, the most vulnerable individuals to spear-phishing are often those with access to critical information but may lack adequate training or awareness regarding cybersecurity. 

These might include:

Senior executives: they often have access to critical company information but might not be as tech-savvy or aware of the latest security threats.

Human resources and administrative staff: these individuals typically have access to personal employee data and might be targeted due to their role in internal communications.

IT staff: although usually more aware of threats, their high-level access makes them a prime target.

New or temporary employees: They may not be as familiar with organizational policies or may lack training in cybersecurity awareness.

It is likely that adversaries will blur the border between phishing in spearphishing in the near future and start targeting a wider range of victims. This likely shift is the result of new AI tools which simplify spearphishing attacks.

What are some common spearphishing techniques?

Spearphishing employs targeted techniques to deceive recipients and achieve specific objectives:

Personalized emails: leveraging information about the victim to craft convincing emails, often to deliver malware or solicit sensitive information.

Using compromised accounts: taking over legitimate accounts to send emails that seem trustworthy, with the objective of spreading malware or gathering further credentials.

Website spoofing: creating fake websites that resemble legitimate ones to capture login credentials, leading to unauthorized access to sensitive systems.

Social engineering: manipulating individuals through phone calls or direct interaction to obtain personal or financial information.

Targeting mobile devices: sending SMS or leveraging mobile apps to install malicious software or gather data directly from the user’s device.

What tools can help an organization defeat these techniques? We’ve made a table listing some useful resources that organizations can utilize to protect against spearphishing:

Analyzing a real-world spearphishing attack in a malware sandbox

What is a malware sandbox

A malware sandbox is a service that offers a safe isolated environment for exploring malware and phishing attacks. ANY.RUN provides a cloud-based sandbox that lets you interact with threats just like you would on your own computer. 

The interactivity is particularly useful when analyzing spearphishing, as it makes it possible to manually explore the entire chain of attack, from the initial email or URL and to the final phishing page or malicious payload.

Let’s see how the ANY.RUN sandbox works using the example of a malicious email.

Analysis of a spearphishing attack

Consider this analysis session. 

We start with a suspicious email targeting a particular person. Attackers often mimic the style and design of official emails from trusted organizations like banks, postal services, and manufacturers to make their phishing attempts appear more legitimate. 

In our case, the message claims that the sender had transferred a certain amount of money and asks the recipient to review an attached archive, which supposedly contains an invoice, and verify the amount.

Thanks to ANY.RUN’s interactivity, we can download the attachment and open it directly inside the sandbox with no problem.

Inside the downloaded archive, there is a file named “STATEMENT OF ACCOUNT”. This is a common technique used by cyber criminals, who often disguise malicious files with legitimate-sounding names. 

The fact that the file is an executable also raises suspicion, as this type of file is not typically sent in business correspondence. Yet, using a sandbox, we can safely extract and launch it to observe its behavior.

Upon launch, the service instantly notifies us about malicious activity and informs us that the system has been infected with Agent Tesla, a widespread malware family that lets criminals steal sensitive information and spy on their victims.

To complete our analysis, we can download and share a detailed threat report with colleagues to let them know about the danger and collect indicators of compromise (IOCs) to improve the organization’s threat detection capabilities.

Wrapping up

As you can see, spearphishing is a high-risk threat to an organization’s security, mainly due to its highly targeted and personalized tactics. But with the right tools at hand, the risk can be minimized.

Using tools like the interactive sandbox ANY.RUN can provide actionable insights, as shown in our real-world example of analyzing a spearphishing attack. It’s an essential part of modern cybersecurity efforts that can help in quickly understanding and mitigating threats.

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial → 

The post What is Spearphishing: Definition, Techniques, Real-world Example  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

ANY.RUN‘s Threat Intelligence Lookup is a valuable resource for security professionals searching for information on the latest cyber threats. 

One of the key features of Threat Intelligence Lookup is its extensive search capabilities. The service offers over 40 different search parameters that can be combined to form specific queries. These parameters allow you to filter and refine your search results based on various criteria, such as IOCs, behavioral indicators, and other relevant information. 

Let’s explore each search parameter and provide examples of how they can be used in your investigations.

About Threat Intelligence Lookup

Threat Intelligence Lookup is a centralized platform for threat data exploration, collection, and analysis.

At the core of Threat Intelligence Lookup lies a global network of over 400,000 security experts. These individuals actively contribute by submitting suspicious samples to the ANY.RUN sandbox for advanced analysis on a daily basis. 

The submission process generates a wealth of valuable threat data, including indicators of compromise (IOCs), which are then extracted and integrated into Threat Intelligence Lookup.

Thanks to its integration with ANY.RUN’s Interactive Sandbox, users can access real-time search results, each one linked to a corresponding sandbox session, enabling in-depth analysis of the identified threats.

Search Parameters in TI Lookup

Search parameters in TI Lookup are divided into separate groups: tasks, registry, environment, detection, module, connection, process, network threats, file, synchronization, and URL.

Task

Task parameters refer to the characteristics of tasks (sandbox sessions). 

threatName

The name of a particular threat: malware family, threat type, etc., as identified by the sandbox.

Examples: “Phishing”, “xworm”, “ransomware”, “tycoon”.

submissionCountry

The country from which the threat sample was submitted.

Examples: “es”, “us”, “de”.

Here is an example of a query for samples of the Remcos malware submitted by users in Brazil. The service provides a list of sandbox sessions that correspond to the request.

Try it:

threatLevel

A verdict on the threat level of the sample.

Examples: “malicious”, “suspicious”.

taskType

The type of the sample submitted to the sandbox.

Examples: “URL”, “file”.

In this screenshot, you can see a query for malicious URLs uploaded to the sandbox over the past 24 hours. TI Lookup displays a list of the latest one hundred sessions.

Try it:

Registry

Registry parameters refer to specific attributes related to registry modifications detected within sandbox sessions. These parameters provide insights into how a threat interacts with the Windows registry.

registryKey

The specific key within the registry hive where the modification occurred. Please note: when entering registry keys, use a double backslash () to escape the single backslash.  

Examples: “Windows\CurrentVersion\RunOnce”, “Windows NT\CurrentVersionWindows”.

registryName

The name of the Windows Registry key field.

Examples: “browseinplace”, “docobject”, “isshortcut”.

registryValue

The value of the Windows Registry key.

Examples: “internet exploreriexplore.exe”.

Using the query above, we can identify threats that aim to execute malicious code through scheduled tasks.

Try it:

Environment

These parameters are used to provide context about the environment where a threat was detected or executed.

os

The specific version of Windows used in the environment.

Examples: “11”, “10”, “7”.

osSoftwareSet

The software package of applications installed on the OS.

Examples: “clean”, “office”, “complete”.

osBitVersion

The bitness of the operating system, 32-bit or 64-bit.

Examples: “32”, “64”.

We can use these parameters to, for instance, discover Windows 11 x64 sandbox sessions containing analysis of the Lumma stealer launched in the service over the past 14 days.

Try it:

Detection

These parameters are utilized to describe the detection signatures and MITRE TTPs relating to the execution of threats in the sandbox.

ruleName

The name of the detection rule.

Examples: “Executable content was dropped or overwritten”, “Phishing has been detected”.

ruleThreatLevel

The threat level assigned to a particular event.

Examples: “malicious”, “suspicious”, “info”.

MITRE

Techniques used by the malware according to the MITRE ATT&CK classification.

Examples: “T1071”, “T1114.001”.

Let’s consider a query combining the MITRE ATT&CK technique T1053.005, which describes a common persistence mechanism, with a detection rule for threats that steal browser credentials. 

Try it:

Module

Module parameters refer to specific modules or components within a threat. This can be a DLL, library, or other executable that is loaded by the main executable.

moduleImagePath

The full path to the module’s image file, the location on the disk where the module’s executable is stored.

Examples: “SysWOW64\cryptbase.dll”, “SysWOW64\msasn1.dll”.

Above you can see an example of a query that looks for all instances of sandbox sessions where KernelBase.dll was called.

Try it:

Connection

The Connection parameters describe network-related aspects of a threat.

domainName

The domain name that was recorded during the threat execution in a sandbox.

Examples: “tventyvd20sb[.]top”, “5.tcp.ngrok[.]io”.

destinationIP

The IP address of the network connection that was established or attempted.

Examples: “147[.]185[.]221[.]22”, “162[.]125[.]66[.]15”.

destinationPort

The network port through which the connection was established.

Examples: “49760”, “49780”.

destinationIpAsn

Detected ASN.

Examples: “akamai-as”, “akamai international b.v.”.

destinationIPgeo

Two-letter country or region code of the detected IP geolocation.

Examples: “ae”, “de”.

ja3, ja3s, jarm

Types of TLS fingerprints that can indicate certain threats.

Examples: “1af33e1657631357c73119488045302c” (JA3S), “a0e9f5d64349fb13191bc781f81f42e1” (JA3).

In the picture above, we can see a query that searches for threats that made connections to IP addresses located in the Czech Republic (CZ), belonging to Cogent Communications.

Try it:

Process

The following parameters relate to processes registered during active sandbox sessions.

imagePath

Full path to process image.

Examples: “System32\conhost.exe”, “Framework\v4.0.30319\RegAsm.exe”.

commandLine

The full command line that initiated the process.

Examples: “PDQConnectAgent\pdq-connect-agent.exe –service”, “system32\cmd.exe /c”.

Using these parameters, we can find Strela stealer samples that use net.exe to mount a C2 server containing a ‘davwwwroot’ folder.

Try it:

Network Threats

These parameters describe network-based threats detected by the Suricata intrusion detection system (IDS).

suricataMessage

The description of the threat according to Suricata.

Examples: “ET INFO 404/Snake/Matiex Keylogger Style External IP Check”, “STEALER [ANY.RUN] Stealc HTTP POST Request”.

 We can use a Suricata message to discover more samples, as well as IOCs, including those extracted directly from malware’s configs, relating to a particular threat.

Try it:

suricataClass

The category assigned to the threat by Suricata based on its characteristics.

Examples: “misc activity”, “a network trojan was detected”.

suricataID

The unique identifier of the Suricata rule.

Examples: “2044767”, “8001997”.

suricataThreatLevel

The verdict on the threat according to Suricata based on its potential impact.

Examples: “malicious”, “suspicious”, “info”

By combining this parameter with threaName, we can collect Surica rules relating to a specific malware.

Try it:

File

These parameters describe file-related aspects of a threat.

filePath

The full path to the file on the system.

Examples: “invoice”, “order”

We can use this parameter along with threatLevel to find specific files in sandbox sessions with malicious content.

Try it: filePath:”Users\admin\Desktop\README.TXT” AND threatLevel:”malicious”

fileExtension

The extension that indicates the file type.

Examples: “exe”, “dll”.

sha256, sha1, md5

Hash values relating to a file.

Examples: “1412faf1bfd96e91340cedcea80ee09d”, “ce554fe53b2620c56f6abb264a588616”

We can use the hash of a malicious file to discover the specific malware family it relates to.

Try it:

Synchronization

These parameters describe synchronization-related activities within a threat, such as mutexes.

syncObjectName

The name or identifier of the synchronization object used.

Examples: “rmc”, “m0yv”.

syncObjectType

The type of synchronization object used.

Examples: “event”, “mutex”.

syncObjectOperation

The operation performed on the synchronization object.

Examples: “create”, “open”.

By combining operation and type parameters with threatName, we can search for specific mutexes or events created during the execution of a particular malware

Try it:

URL

These parameters describe network traffic related to HTTP requests and responses.

url

The URL called by the process.

Examples: “http://192[.]168[.]37[.]128:8880[/]zv8u”, “http://tventyvd20sb[.]top/v1/upload[.]php”.

httpRequestContentType

The content type of the HTTP request sent to the server.

Examples: “application/octet-stream”.

httpResponseContentType

The content type of the HTTP response received from the server.

Examples: “text/html”.

httpRequestFileType

The file type of the file being uploaded in the HTTP request.

Examples: “binary”.

httpResponseFileType

The file type of the file being downloaded in the HTTP response.

Examples: “binary”.

It is possible to use the parameter with threatName again to find binary files that were requested during the analysis in the sandbox.

Try it:

Conclusion

ANY.RUN’s Threat Intelligence Lookup offers a comprehensive set of search parameters that enable security professionals to effectively analyze and investigate threats. Using these search options, you can identify and enrich your information on emerging threats.

Try Threat Intelligence Lookup for free →

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post How to Collect Threat Intelligence Using Search Parameters in TI Lookup appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Key Takeaways

CISA has added vulnerabilities affecting the Microsoft Windows MSHTML Platform (CVE-2024-43461) and Progress WhatsUp Gold network monitoring solution (CVE-2024-6670) to its Known Exploited Vulnerabilities catalog.

Proofs of Concept and observed exploits of these vulnerabilities mean that users should update affected products as soon as possible.

Progress WhatsUp Gold was observed under exploit within hours after a Proof of Concept emerged, suggesting an urgent need to patch this 9.8-severity vulnerability.

Cyble researchers have detected 381 internet-exposed Progress WhatsUp Gold instances; patching these instances is critical.

Microsoft has patched two high-severity vulnerabilities chained together in Windows MSHTML platform spoofing attacks.

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities affecting the Microsoft Windows MSHTML Platform and Progress WhatsUp Gold network monitoring solution to its Known Exploited Vulnerabilities catalog (KEV) after proofs of concept (PoCs) emerged, and security researchers observed active exploits of the vulnerabilities.

We’ll examine the vulnerabilities, the following steps for affected products, and the best practices that all organizations should follow.

CVE-2024-6670: Progress WhatsUp Gold

CVE-2024-6670 is a critical 9.8 severity SQL Injection vulnerability affecting versions of Progress WhatsUp Gold released before 2024.0.0.

The vulnerability in affected versions of the network monitoring software allows an unauthenticated attacker to retrieve the user’s encrypted password if the application is configured with only a single user.

Exploits began within hours after a Proof of Concept for the vulnerability was made available publicly on GitHub, even though a patch had been available for the vulnerability since mid-August, suggesting that some users were slow to update affected versions.

Trend Micro researchers detected remote code execution (RCE) attacks against WhatsUp Gold that exploited the Active Monitor PowerShell Script, leveraging CVE-2024-6670 and CVE-2024-6671, a companion vulnerability also rated 9.8.

Both vulnerabilities are patched starting with version 2024.0.0.

The Cyble ODIN scanner detected 381 internet-exposed Progress WhatsUp Gold instances, as shown in the figure below. Progress WhatsUp Gold is urged to upgrade as soon as possible and check for indicators of compromise in their environments.

CVE-2024-43461: Microsoft Windows MSHTML

CVE-2024-43461 is a high-severity (CVSS: 8.8) vulnerability in the Microsoft Windows MSHTML Internet Explorer browser engine platform containing a UI misrepresentation flaw that allows attackers to spoof web pages. This vulnerability was exploited in conjunction with CVE-2024-38112.

Microsoft has announced the retirement of Internet Explorer 11 and deprecated Microsoft Edge Legacy. However, MSHTML, EdgeHTML, and related scripting platforms remain supported. MSHTML is used in Internet Explorer mode in Microsoft Edge and other applications via WebBrowser control. WebView and some UWP apps utilize EdgeHTML. Updates for vulnerabilities in MSHTML and scripting platforms are included in IE Cumulative Updates, but EdgeHTML and Chakra updates are not.

CVE-2024-43461 was exploited in conjunction with CVE-2024-38112 before July 2024. A fix for CVE-2024-38112, released in July 2024, disrupted this attack chain. To ensure complete protection, customers should install both the July 2024 and September 2024 security updates.

Affected Windows products include:

Windows Server 2012

Windows Server 2012 R2

Windows Server 2008 R2

Windows Server 2008

Windows Server 2016

Windows 10

Windows Server 2022

Windows 11

Conclusion

The recent addition of these vulnerabilities to the CISA KEV database underscores their active exploitation. These vulnerabilities can lead to severe security breaches, including unauthorized access to sensitive information and effective spoofing of web pages. Owners of affected products are urged to update their systems with the latest patch released by the official vendor.

Cyble Recommendations

Cyble urges the following best practices:

Ensure that you install the latest security updates for all affected systems and regularly check for and apply updates to stay protected against known vulnerabilities.

Implement robust monitoring to detect any unusual activity that could indicate the exploitation of these vulnerabilities. This includes monitoring network traffic, system logs, and user behavior.

Review and strengthen your security configurations, including access controls and permissions. Ensure that applications are not unnecessarily exposed to the internet and that strong authentication mechanisms are in place.

Perform regular vulnerability assessments and penetration testing to identify and address potential security weaknesses before they can be exploited.

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification.

Implement proper network segmentation to avoid exposure of critical assets over the internet.

Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components.

The post CISA Adds Progress WhatsUp Gold and MSHTML Vulnerabilities to Known Exploited Vulnerabilities Catalog appeared first on Cyble.

Blog – Cyble – ​Read More