ANY.RUN Cyber Attack: Employee Email Address Hacked
Cybersecurity firm ANY.RUN has become the latest victim of a sophisticated phishing attack.
The incident, which began in late May and culminated in a large-scale email compromise on June 18, 2024, has sent shockwaves through the cybersecurity community.
Initial Breach: A Wolf in Sheep’s Clothing
The attack began on May 23, when an unsuspecting member of ANY.RUN's sales team received a seemingly innocuous email from a trusted client.
Unbeknownst to the employee, the client's account had been compromised, and the email contained a malicious link.
In a critical misstep, the employee entered their real login credentials and multi-factor authentication (MFA) code into a fake login form while testing the link in a sandbox environment. The sandbox isolates the analyst's machine from any malware the link delivers, but it does nothing to protect credentials typed into a form the attacker controls.
This gave the attacker initial access to the employee's account on May 27.
Persistence and Data Exfiltration
Once inside, the attacker showed considerable persistence. They registered their own mobile device as an MFA method, ensuring continued access to the compromised account that no longer depended on the phished one-time code.
Over the following 23 days, the unauthorized party repeatedly accessed the employee's mailbox.
On June 5, the attacker escalated by installing PerfectData Software, an application that presumably allowed them to take a complete backup of the mailbox.
This move signaled a clear intent to exfiltrate sensitive data.
The Phishing Campaign Unfolds
The full extent of the breach became apparent on June 18, when the attacker launched a large-scale phishing campaign from the compromised employee's account.
Emails containing malicious links were sent to the employee's contact list, mimicking the initial attack vector.
ANY.RUN's response was swift. Within minutes of detecting the unauthorized activity, the company disabled the compromised account, reset the affected credentials, and revoked active sessions.
However, the incident has raised serious questions about the company's security practices.
In a statement, ANY.RUN acknowledged the breach and outlined its response, including short-term containment measures and longer-term plans for more robust access controls and MFA policies.
The company also stated that no data or system integrity was affected.
This incident is a stark reminder that even cybersecurity companies are not immune to sophisticated attacks.
It underscores the critical importance of stringent security protocols, employee training, and constant vigilance in the face of evolving cyber threats.
Indicators of Compromise
IP addresses
- 45.61[.]169[.]4 (Sheridan, Wyoming, US)
- 40.83[.]133[.]199 (San Jose, California, US)
- 172.210[.]145[.]129 (Boydton, Virginia, US)
- 162.244[.]210[.]90 (Dallas, Texas, US), the main VPS used in the attack; it was taken down at ANY.RUN's request.
- 52.162[.]121[.]170 (Chicago, Illinois, US)
- 68.154[.]52[.]201 (Boydton, Virginia, US)
- 140.228[.]29[.]111 (Ada, Ohio, US)
- 52.170[.]144[.]110 (Washington, Virginia, US)
URLs
- https://www.dropbox[.]com/scl/fi/vimfxi3mq0fch1u232uvp/Here-is-your-incoming-voice-mail-information_.paper?rlkey=69qgqvpkxn3mdvydkr8cgcd83&dl=0
- https://batimnmlp[.]click/m/?cmFuZDE9Yldwa2IyRmFZa3hDVWc9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVJsQjJXbWRPZFZsTE1BPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9UlRGWGFUSlNkVFJ0ZWc9PQ==N0123N[EMail]
- https://www.reytorogroup[.]com/r/?cmFuZDE9YXpkcVJIbHpZa0kwVVE9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVVIb3libFEyWjA5NFNBPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9VEdscFdFSTNVVzlzZFE9PQ==N0123N%5bEMail%5d
- https://threemanshop[.]com/jsnom.js
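The persistence steps described earlier (an MFA device registered right after the intruder's first sign-in, then consent to a mailbox-backup application) and the indicators listed above are what a defender would hunt for in Microsoft 365 / Entra ID audit exports. The following Python is an added example, not code from ANY.RUN or cybersecuritynews.com: it refangs the page's indicators, then runs five rules over constructed audit records whose field names (time, user, op, ip, app, url) are a simplified stand-in for the Unified Audit Log schema. The per-user sign-in baseline, the thresholds and the sample records are assumptions made for the example.

```python
"""Hunt for the account-takeover chain described above in Microsoft 365 /
Entra ID audit exports.  Added example; not code from ANY.RUN or the article.
The records in sample_records() are constructed, and the field names are a
simplified form of Unified Audit Log fields (adapt them to your export)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the page's IOC list, still defanged.
IOC_IPS_DEFANGED = [
    "45.61[.]169[.]4", "40.83[.]133[.]199", "172.210[.]145[.]129",
    "162.244[.]210[.]90", "52.162[.]121[.]170", "68.154[.]52[.]201",
    "140.228[.]29[.]111", "52.170[.]144[.]110",
]
IOC_DOMAINS_DEFANGED = ["batimnmlp[.]click", "reytorogroup[.]com", "threemanshop[.]com"]
# The page names one mailbox-backup app; add any others you do not sanction.
SUSPECT_CONSENT_APPS = {"perfectdata software"}
# Assumed baseline of where each user normally signs in from; in practice
# derive it from several weeks of prior sign-in logs.
KNOWN_USER_IPS = {"sales@example.com": {ipaddress.ip_address("203.0.113.10")}}


def refang(indicator: str) -> str:
    """Reverse common defanging so indicators compare equal to raw log values."""
    out = indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}
IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # audit timestamps are UTC


def hunt(records, mfa_window=timedelta(hours=1),
         burst_threshold=10, burst_window=timedelta(minutes=30)):
    """Return findings per rule.  The rules follow the incident timeline:
    activity from an IOC IP, an MFA method registered soon after a sign-in
    from an unfamiliar IP, consent to a mailbox-export app, a burst of
    outbound mail, and clicks on the lure domains."""
    findings = defaultdict(list)
    unfamiliar_logins = defaultdict(list)   # user -> [(time, ip)]
    sends = defaultdict(list)               # user -> [time of each Send]
    for r in sorted(records, key=lambda x: x["time"]):
        t, user, op = _ts(r["time"]), r["user"], r["op"]
        ip = ipaddress.ip_address(r["ip"])
        if ip in IOC_IPS:
            findings["ioc_ip"].append((user, op, str(ip)))
        if any(d in r.get("url", "") for d in IOC_DOMAINS):
            findings["ioc_url"].append((user, op, r["url"]))
        if op == "UserLoggedIn" and ip not in KNOWN_USER_IPS.get(user, set()):
            unfamiliar_logins[user].append((t, ip))
        elif op == "User registered security info":
            # New MFA method shortly after an unfamiliar sign-in: the persistence
            # step that keeps access after the phished one-time code has expired.
            if any(timedelta(0) <= t - lt <= mfa_window for lt, _ in unfamiliar_logins[user]):
                findings["mfa_persistence"].append((user, r["time"], str(ip)))
        elif op == "Consent to application":
            if r.get("app", "").lower() in SUSPECT_CONSENT_APPS:
                findings["mailbox_export_app"].append((user, r["app"], str(ip)))
        elif op == "Send":
            sends[user].append(t)
            recent = [s for s in sends[user] if t - s <= burst_window]
            if len(recent) == burst_threshold:  # fire once, when the threshold is crossed
                findings["outbound_burst"].append((user, r["time"], len(recent)))
    return dict(findings)


def sample_records():
    """Constructed records following the article's timeline (not real logs)."""
    u = "sales@example.com"
    recs = [
        {"time": "2024-05-20T08:00:00Z", "user": u, "op": "UserLoggedIn", "ip": "203.0.113.10"},
        {"time": "2024-05-27T09:12:00Z", "user": u, "op": "UserLoggedIn", "ip": "162.244.210.90"},
        {"time": "2024-05-27T09:15:00Z", "user": u, "op": "User registered security info", "ip": "162.244.210.90"},
        {"time": "2024-05-30T10:00:00Z", "user": u, "op": "MailItemsAccessed", "ip": "45.61.169.4"},
        {"time": "2024-06-05T14:02:00Z", "user": u, "op": "Consent to application", "ip": "45.61.169.4",
         "app": "PerfectData Software"},
        # A legitimate MFA re-enrolment with no unfamiliar sign-in nearby: no alert.
        {"time": "2024-06-10T11:00:00Z", "user": "other@example.com",
         "op": "User registered security info", "ip": "198.51.100.7"},
        # A recipient clicking the lure, as URL-click telemetry would record it (constructed).
        {"time": "2024-06-18T13:20:00Z", "user": "partner@partner.example", "op": "UrlClick",
         "ip": "198.51.100.22", "url": "https://batimnmlp.click/m/"},
    ]
    # Twelve messages in twelve minutes from the compromised account: the campaign.
    recs += [{"time": f"2024-06-18T13:{i:02d}:00Z", "user": u, "op": "Send",
              "ip": "162.244.210.90"} for i in range(12)]
    return recs


if __name__ == "__main__":
    for rule, hits in hunt(sample_records()).items():
        print(f"{rule}: {len(hits)} hit(s), e.g. {hits[0]}")
```

Run it directly to print the hits per rule. The MFA rule keys on the Entra ID audit activity "User registered security info" landing within an hour of a sign-in from an IP outside the user's baseline; the consent rule keys on "Consent to application" for an app you have not sanctioned, which catches the PerfectData Software step regardless of which IP it came from; the burst rule fires once per window so a single campaign produces one alert rather than one per message.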
Source credit: cybersecuritynews.com