Phishing Incident Report: Facts and Timeline

June 25, 2024, 7:52 a.m.

Description

On June 18, 2024, an employee's account at ANY.RUN was compromised and used to carry out a phishing attack against the company's entire contact list. The initial compromise occurred on May 27 through an AiTM (adversary-in-the-middle) phishing campaign targeting the employee. Over the following weeks, the attacker maintained access by registering their own device for multi-factor authentication and used tools such as PerfectData Software to potentially exfiltrate data from the mailbox. The phishing emails sent on June 18 contained links that had already been flagged as malicious, but they were not detected because the security controls in place were not up to date. ANY.RUN has taken steps to revoke access, contain the incident, remove persistence mechanisms, and prevent future occurrences.

Date

Published: June 25, 2024, 7:41 a.m.
Created: June 25, 2024, 7:41 a.m.
Modified: June 25, 2024, 7:52 a.m.

Indicators

www.reytorogroup.com

https://www.reytorogroup.com/r/?cmFuZDE9YXpkcVJIbHpZa0kwVVE9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVVIb3libFEyWjA5NFNBPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9VEdscFdFSTNVVzlzZFE9PQ==N0123N%5bEMail%5d

https://threemanshop.com/jsnom.js

https://batimnmlp.click/m/?cmFuZDE9Yldwa2IyRmFZa3hDVWc9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVJsQjJXbWRPZFZsTE1BPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9UlRGWGFUSlNkVFJ0ZWc9PQ==N0123N[EMail]

Additional Information

Technology