ANY.RUN Cyber Attack: Employee Email Address Hacked


A leading cybersecurity company has become the latest victim of a sophisticated phishing attack.

The incident, which began in late May and culminated in a large-scale email compromise on June 18, 2024, has sent shockwaves through the cybersecurity community.

First unauthorized log-in
First unauthorized log-in

Initial Breach: A Wolf in Sheep’s Clothing

The attack originated on May 23, when an unsuspecting ANY.RUN sales team employee received a seemingly innocuous email from a trusted client.

Registered PerfectData activity
Registered PerfectData activity

Unbeknownst to the employee, the client’s account had been compromised, and the email contained a malicious link.

In a critical misstep, the employee entered their actual login credentials and multi-factor authentication (MFA) code into a fake login form while testing the link in a sandbox environment.

This action granted the attacker initial access to the employee’s account on May 27.

Persistence and Data Exfiltration

Once inside, the attacker demonstrated remarkable persistence. They registered their mobile device for MFA, ensuring continued access to the compromised account.

Over the next 23 days, the unauthorized entity repeatedly accessed the employee’s mailbox.

On June 5, the attacker escalated their activities by installing PerfectData Software, an application that potentially allowed them to create a complete mailbox backup.

This move signaled a clear intent to exfiltrate sensitive data.

The Phishing Campaign Unfolds

The full extent of the breach became apparent on June 18, when the attacker launched a large-scale phishing campaign using the compromised employee’s account.

The phishing email sent by the attacker using our employee’s account
The phishing email sent by the attacker using our employee’s account

Emails containing malicious links were sent to the employee’s contact list, mimicking the initial attack vector.

ANY.RUN’s response was swift. Within minutes of detecting the unauthorized activity, the company disabled the compromised account, reset affected credentials, and revoked active sessions.

However, the incident has raised serious questions about the company’s security practices.

In a statement, ANY.RUN acknowledged the breach and outlined its response actions, including short-term containment strategies and long-term plans for more robust access controls and MFA policies.

The company also emphasized that no data or system integrity was affected.

This incident is a stark reminder that even cybersecurity companies are not immune to sophisticated attacks.

It underscores the critical importance of stringent security protocols, employee training, and the need for constant vigilance in the face of evolving cyber threats.

Indicators of Compromise 

IP addresses 

  • 45.61[.]169[.]4 (Sheridan, Wyoming, US) 
  • 40.83[.]133[.]199 (San Jose, California, US) 
  • 172.210[.]145[.]129 (Boydton, Virginia, US) 
  • 162.244[.]210[.]90 (Dallas, Texas, US) – the main VPS used in the attack was taken down on our request. 
  • 52.162[.]121[.]170 (Chicago, Illinois, US) 
  • 68.154[.]52[.]201 (Boydton, Virginia, US) 
  • 140.228[.]29[.]111 (Ada, Ohio, US) 
  • 52.170[.]144[.]110 (Washington, Virginia, US) 

URLs 

  • https://www.dropbox[.]com/scl/fi/vimfxi3mq0fch1u232uvp/Here-is-your-incoming-voice-mail-information_.paper?rlkey=69qgqvpkxn3mdvydkr8cgcd83&dl=0 
  • https://batimnmlp[.]click/m/?cmFuZDE9Yldwa2IyRmFZa3hDVWc9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVJsQjJXbWRPZFZsTE1BPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9UlRGWGFUSlNkVFJ0ZWc9PQ==N0123N[EMail] 
  • https://www.reytorogroup[.]com/r/?cmFuZDE9YXpkcVJIbHpZa0kwVVE9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVVIb3libFEyWjA5NFNBPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9VEdscFdFSTNVVzlzZFE9PQ==N0123N%5bEMail%5d 
  • https://threemanshop[.]com/jsnom.js 

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free



Source link