#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

sandbox | Breaking Cybersecurity News | The Hacker News

Category — sandbox
Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover

Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover

Apr 29, 2024 Sandbox / Vulnerability
Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system. The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian cybersecurity firm Tanto Security said in a report published today. Judge0 (pronounced "judge zero") is  described  by its maintainers as a "robust, scalable, and open-source online code execution system" that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs. According to its website, the service is used by 23 customers like AlgoDaily, CodeChum, and PYnative, among others. The project has been  forked 412 times on GitHub  to date. The flaw...
How to Conduct Advanced Static Analysis in a Malware Sandbox

How to Conduct Advanced Static Analysis in a Malware Sandbox

Apr 18, 2024 Malware Analysis / Threat Detection
Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to deliver payloads. Static analysis in a sandbox makes it possible to expose any threat a malicious PDF contains by extracting its structure. The presence of JavaScript or Bash scripts can reveal a possible mechanism for downloading and executing malware.  Sandboxes like ANY.RUN also allows users to scrutinize URLs found in PDFs to identify suspicious domains, potential command and control (C2) servers, or other indicators of compromise. Example: Static analysis of a PDF file in ANY.RUN Interactivity allows our users to manipulate files within a VM as they wish, but static Discovery off...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Mar 27, 2024 Vulnerability / API Security
A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.  "This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev  said  in a new report shared with The Hacker News. Tracked as  CVE-2024-21388  (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue. "An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding it "could lead to a browser sandbo...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
TimbreStealer Malware Spreading via Tax-themed Phishing Scam Targets IT Users

TimbreStealer Malware Spreading via Tax-themed Phishing Scam Targets IT Users

Feb 28, 2024 Phishing Attack / Malware
Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called  TimbreStealer . Cisco Talos, which  discovered  the activity, described the authors as skilled and that the "threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as  Mispadu  in September 2023. Besides employing sophisticated obfuscation techniques to sidestep detection and ensure persistence, the phishing campaign makes use of geofencing to single out users in Mexico, returning an innocuous blank PDF file instead of the malicious one if the payload sites are contacted from other locations. Some of the notable evasive maneuvers include leveraging custom loaders and direct system calls to bypass conventional API monitoring, in addition to utilizing Heaven's Gate to execute 64-bit code within a 32-bit process, an approach that was also rece...
From Alert to Action: How to Speed Up Your SOC Investigations

From Alert to Action: How to Speed Up Your SOC Investigations

Feb 27, 2024 Threat Intelligence / Malware
Processing alerts quickly and efficiently is the cornerstone of a Security Operations Center (SOC) professional's role. Threat intelligence platforms can significantly enhance their ability to do so. Let's find out what these platforms are and how they can empower analysts. The Challenge: Alert Overload The modern SOC faces a relentless barrage of security alerts generated by SIEMs and EDRs. Sifting through these alerts is both time-consuming and resource-intensive. Analyzing a potential threat often requires searching across multiple sources before finding conclusive evidence to verify if it poses a real risk. This process is further hampered by the frustration of spending valuable time researching artifacts that ultimately turn out to be false positives. As a result, a significant portion of these events remain uninvestigated. This highlights a critical challenge: finding necessary information related to different indicators quickly and accurately. Threat data platforms o...
New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia

New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia

Dec 01, 2023 Mobile Security / Banking Security
Cybersecurity researchers have disclosed a new sophisticated Android malware called  FjordPhantom  that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023. "Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app security firm Promon  said  in an analysis published Thursday. Propagated mainly via email, SMS, and messaging apps, attack chains trick recipients into downloading a purported banking app that comes fitted with legitimate features but also incorporates rogue components. Victims are then subjected to a social engineering technique akin to telephone-oriented attack delivery ( TOAD ), which involves calling a bogus call center to receive step-by-step instructions for running the app. A key characteristic of the malware that sets it apart from other banking trojans of its kind is th...
New BLISTER Malware Update Fuelling Stealthy Network Infiltration

New BLISTER Malware Update Fuelling Stealthy Network Infiltration

Sep 05, 2023 Cyber Threat / Malware
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called  Mythic . "New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments," Elastic Security Labs researchers Salim Bitam and Daniel Stepanic  said  in a technical report published late last month. BLISTER was  first uncovered  by the company in December 2021 acting as a conduit to distribute Cobalt Strike and BitRAT payloads on compromised systems. The use of the malware alongside  SocGholish  (aka FakeUpdates), a JavaScript-based downloader malware, to deliver Mythic was  previously disclosed  by Palo Alto Networks Unit 42 in July 2023. In these attacks, BLISTER is embedded within a legitimate VLC Media Player library in an attempt to get around security software and infiltrat...
Why Your Detection-First Security Approach Isn't Working

Why Your Detection-First Security Approach Isn't Working

Apr 28, 2023 Endpoint Detection and Response
Stopping new and evasive threats is one of the greatest challenges in cybersecurity. This is among the biggest reasons why  attacks increased dramatically in the past year  yet again, despite the estimated $172 billion spent on global cybersecurity in 2022. Armed with cloud-based tools and backed by sophisticated affiliate networks, threat actors can develop new and evasive malware more quickly than organizations can update their protections.  Relying on malware signatures and blocklists against these rapidly changing attacks has become futile. As a result, the SOC toolkit now largely revolves around threat detection and investigation. If an attacker can bypass your initial blocks, you expect your tools to pick them up at some point in the attack chain. Every organization's digital architecture is now seeded with security controls that log anything potentially malicious. Security analysts pore through these logs and determine what to investigate further. Does this wor...
Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution

Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution

Apr 19, 2023 Sandbox / Software Security
A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of sandbox protections and achieve code execution. Both the flaws –  CVE-2023-29199  and  CVE-2023-30547  – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively. Successful  exploitation  of the  bugs , which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," the maintainers of the vm2 library said in an alert. Credited with discovering and reporting the vulnerabilities is security researcher  SeungHyun Lee , who has also  released   proof-of-concept  (PoC) exploits for the two issues in question. The disc...
Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

Apr 08, 2023 Vulnerability / Software
The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions, including and prior to 3.9.14, was  reported  by researchers from South Korea-based  KAIST WSP Lab  on April 6, 2023, prompting vm2 to release a fix with  version 3.9.15  on Friday. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," vm2  disclosed  in an advisory. The vulnerability has been assigned the identified  CVE-2023-29017  and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that it does not properly handle errors that occur in asynchronous functions. vm2 is a  popular library  that's used to run untrusted code in an isolated environment on Node.js. It has nearly four million weekly downloads and i...
Not All Sandboxes Are for Children: How to Secure Your SaaS Sandbox

Not All Sandboxes Are for Children: How to Secure Your SaaS Sandbox

Oct 20, 2022
When creating a Sandbox, the mindset tends to be that the Sandbox is considered a place to play around, test things, and there will be no effect on the production or operational system. Therefore, people don't actively think they need to worry about its security. This mindset is not only wrong, but extremely dangerous.  When it comes to software developers, their version of sandbox is similar to a child's playground — a place to build and test without breaking any flows in production. Meanwhile, in the world of cybersecurity, the term 'sandbox' is used to describe a virtual environment or machine used to run suspicious code and other elements.  Many organizations use a Sandbox for their SaaS apps — to test changes without disrupting the production SaaS app or even to connect new apps (much like a software developer's Sandbox). This common practice often leads to a false sense of security and in turn a lack of thought for its security implications. This article wi...
Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Oct 11, 2022
A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," GitHub  said  in an advisory published on September 28, 2022. The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity rating of 10 on the CVSS vulnerability scoring system. It has been addressed in  version 3.9.11  released on August 28, 2022. vm2 is a  popular Node library  that's used to run untrusted code with allowlisted built-in modules. It's also one of the most widely downloaded software, accounting for nearly 3.5 million downloads per week. The  shortcoming  is rooted in the error mechanism in Node.js to escape the sandbox, according to application security firm Oxeye, which  discov...
Microsoft Details App Sandbox Escape Bug Impacting Apple iOS, iPadOS, macOS Devices

Microsoft Details App Sandbox Escape Bug Impacting Apple iOS, iPadOS, macOS Devices

Jul 14, 2022
Microsoft on Wednesday shed light on a now patched security vulnerability affecting Apple's operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware. "An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads," Jonathan Bar Or of the Microsoft 365 Defender Research Team  said  in a write-up. Tracked as  CVE-2022-26706  (CVSS score: 5.5), the security vulnerability impacts iOS, iPadOS, macOS, tvOS, and watchOS and was fixed by Apple in May 2022. Calling it an access issue affecting the LaunchServices (launchd) component, the iPhone maker noted that "A sandboxed process may be able to circumvent sandbox restrictions," adding it mitigated the issue with additional restrictions. While Apple's  App Sandbox  is designed to tightly regulate a third-party app's acce...
How to Build a Custom Malware Analysis Sandbox

How to Build a Custom Malware Analysis Sandbox

Mar 24, 2022
Before hunting malware, every researcher needs to find a system where to analyze it. There are several ways to do it: build your own environment or use third-party solutions. Today we will walk through all the steps of creating a custom malware sandbox where you can perform a proper analysis without infecting your computer. And then compare it with a ready-made service. Why do you need a malware sandbox?  A sandbox allows detecting cyber threats and analyzing them safely. All information remains secure, and a suspicious file can't access the system. You can monitor malware processes, identify their patterns and investigate behavior. Before setting up a sandbox, you should have a clear goal of what you want to achieve through the lab.  There are two ways how to organize your working space for analysis: Custom sandbox.  Made from scratch by an analyst on their own, specifically for their needs. A turnkey solution.  A versatile service with a range of configurat...
Expert Insights / Articles Videos
Cybersecurity Resources