sandbox | Breaking Cybersecurity News | The Hacker News

Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to deliver payloads. Static analysis in a sandbox makes it possible to expose any threat a malicious PDF contains by extracting its structure. The presence of JavaScript or Bash scripts can reveal a possible mechanism for downloading and executing malware.  Sandboxes like ANY.RUN also allows users to scrutinize URLs found in PDFs to identify suspicious domains, potential command and control (C2) servers, or other indicators of compromise. Example: Static analysis of a PDF file in ANY.RUN Interactivity allows our users to manipulate files within a VM as they wish, but static Discovery offers

A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.  "This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev  said  in a new report shared with The Hacker News. Tracked as  CVE-2024-21388  (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue. "An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding it "could lead to a browser sandbo

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called  TimbreStealer . Cisco Talos, which  discovered  the activity, described the authors as skilled and that the "threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as  Mispadu  in September 2023. Besides employing sophisticated obfuscation techniques to sidestep detection and ensure persistence, the phishing campaign makes use of geofencing to single out users in Mexico, returning an innocuous blank PDF file instead of the malicious one if the payload sites are contacted from other locations. Some of the notable evasive maneuvers include leveraging custom loaders and direct system calls to bypass conventional API monitoring, in addition to utilizing Heaven's Gate to execute 64-bit code within a 32-bit process, an approach that was also recently adopted by

Processing alerts quickly and efficiently is the cornerstone of a Security Operations Center (SOC) professional's role. Threat intelligence platforms can significantly enhance their ability to do so. Let's find out what these platforms are and how they can empower analysts. The Challenge: Alert Overload The modern SOC faces a relentless barrage of security alerts generated by SIEMs and EDRs. Sifting through these alerts is both time-consuming and resource-intensive. Analyzing a potential threat often requires searching across multiple sources before finding conclusive evidence to verify if it poses a real risk. This process is further hampered by the frustration of spending valuable time researching artifacts that ultimately turn out to be false positives. As a result, a significant portion of these events remain uninvestigated. This highlights a critical challenge: finding necessary information related to different indicators quickly and accurately. Threat data platforms o

Cybersecurity researchers have disclosed a new sophisticated Android malware called  FjordPhantom  that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023. "Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app security firm Promon  said  in an analysis published Thursday. Propagated mainly via email, SMS, and messaging apps, attack chains trick recipients into downloading a purported banking app that comes fitted with legitimate features but also incorporates rogue components. Victims are then subjected to a social engineering technique akin to telephone-oriented attack delivery ( TOAD ), which involves calling a bogus call center to receive step-by-step instructions for running the app. A key characteristic of the malware that sets it apart from other banking trojans of its kind is the use of

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called  Mythic . "New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments," Elastic Security Labs researchers Salim Bitam and Daniel Stepanic  said  in a technical report published late last month. BLISTER was  first uncovered  by the company in December 2021 acting as a conduit to distribute Cobalt Strike and BitRAT payloads on compromised systems. The use of the malware alongside  SocGholish  (aka FakeUpdates), a JavaScript-based downloader malware, to deliver Mythic was  previously disclosed  by Palo Alto Networks Unit 42 in July 2023. In these attacks, BLISTER is embedded within a legitimate VLC Media Player library in an attempt to get around security software and infiltrate victim environments. Both SocGholish and

Stopping new and evasive threats is one of the greatest challenges in cybersecurity. This is among the biggest reasons why  attacks increased dramatically in the past year  yet again, despite the estimated $172 billion spent on global cybersecurity in 2022. Armed with cloud-based tools and backed by sophisticated affiliate networks, threat actors can develop new and evasive malware more quickly than organizations can update their protections.  Relying on malware signatures and blocklists against these rapidly changing attacks has become futile. As a result, the SOC toolkit now largely revolves around threat detection and investigation. If an attacker can bypass your initial blocks, you expect your tools to pick them up at some point in the attack chain. Every organization's digital architecture is now seeded with security controls that log anything potentially malicious. Security analysts pore through these logs and determine what to investigate further. Does this work? Let'

A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of sandbox protections and achieve code execution. Both the flaws –  CVE-2023-29199  and  CVE-2023-30547  – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively. Successful  exploitation  of the  bugs , which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," the maintainers of the vm2 library said in an alert. Credited with discovering and reporting the vulnerabilities is security researcher  SeungHyun Lee , who has also  released   proof-of-concept  (PoC) exploits for the two issues in question. The disclosure comes a little over a week after vm2

The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions, including and prior to 3.9.14, was  reported  by researchers from South Korea-based  KAIST WSP Lab  on April 6, 2023, prompting vm2 to release a fix with  version 3.9.15  on Friday. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," vm2  disclosed  in an advisory. The vulnerability has been assigned the identified  CVE-2023-29017  and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that it does not properly handle errors that occur in asynchronous functions. vm2 is a  popular library  that's used to run untrusted code in an isolated environment on Node.js. It has nearly four million weekly downloads and is used in 721 packages . KAIST security res

When creating a Sandbox, the mindset tends to be that the Sandbox is considered a place to play around, test things, and there will be no effect on the production or operational system. Therefore, people don't actively think they need to worry about its security. This mindset is not only wrong, but extremely dangerous.  When it comes to software developers, their version of sandbox is similar to a child's playground — a place to build and test without breaking any flows in production. Meanwhile, in the world of cybersecurity, the term 'sandbox' is used to describe a virtual environment or machine used to run suspicious code and other elements.  Many organizations use a Sandbox for their SaaS apps — to test changes without disrupting the production SaaS app or even to connect new apps (much like a software developer's Sandbox). This common practice often leads to a false sense of security and in turn a lack of thought for its security implications. This article wi

A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," GitHub  said  in an advisory published on September 28, 2022. The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity rating of 10 on the CVSS vulnerability scoring system. It has been addressed in  version 3.9.11  released on August 28, 2022. vm2 is a  popular Node library  that's used to run untrusted code with allowlisted built-in modules. It's also one of the most widely downloaded software, accounting for nearly 3.5 million downloads per week. The  shortcoming  is rooted in the error mechanism in Node.js to escape the sandbox, according to application security firm Oxeye, which  discovered the flaw . This mean

Microsoft on Wednesday shed light on a now patched security vulnerability affecting Apple's operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware. "An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads," Jonathan Bar Or of the Microsoft 365 Defender Research Team  said  in a write-up. Tracked as  CVE-2022-26706  (CVSS score: 5.5), the security vulnerability impacts iOS, iPadOS, macOS, tvOS, and watchOS and was fixed by Apple in May 2022. Calling it an access issue affecting the LaunchServices (launchd) component, the iPhone maker noted that "A sandboxed process may be able to circumvent sandbox restrictions," adding it mitigated the issue with additional restrictions. While Apple's  App Sandbox  is designed to tightly regulate a third-party app's acce

Before hunting malware, every researcher needs to find a system where to analyze it. There are several ways to do it: build your own environment or use third-party solutions. Today we will walk through all the steps of creating a custom malware sandbox where you can perform a proper analysis without infecting your computer. And then compare it with a ready-made service. Why do you need a malware sandbox?  A sandbox allows detecting cyber threats and analyzing them safely. All information remains secure, and a suspicious file can't access the system. You can monitor malware processes, identify their patterns and investigate behavior. Before setting up a sandbox, you should have a clear goal of what you want to achieve through the lab.  There are two ways how to organize your working space for analysis: Custom sandbox.  Made from scratch by an analyst on their own, specifically for their needs. A turnkey solution.  A versatile service with a range of configurations to meet yo

Mozilla is beginning to roll out Firefox 95 with a new sandboxing technology called RLBox that prevents untrusted code and other security vulnerabilities from causing "accidental defects as well as supply-chain attacks." Dubbed " RLBox " and implemented in collaboration with researchers at the University of California San Diego and the University of Texas, the improved protection mechanism is designed to harden the web browser against potential weaknesses in off-the-shelf libraries used to render audio, video, fonts, images, and other content. To that end, Mozilla is incorporating "fine-grained sandboxing" into five modules, including its  Graphite  font rendering engine,  Hunspell  spell checker,  Ogg  multimedia container format,  Expat  XML parser, and  Woff2  web font compression format. The framework uses  WebAssembly , an open standard that defines a portable binary-code format for executable programs that can be run on modern web browsers, to i