EXECUTIVE SUMMARY
ANY.RUN publicly disclosed a significant security incident in which a phishing attack compromised an employee's account and led to a post-breach business email compromise (BEC) campaign. The incident exposed weaknesses in the company's multi-factor authentication (MFA) policies and access controls, and a critical lapse in detecting and shutting down unauthorized access promptly. The breach began when an employee fell victim to an adversary-in-the-middle (AiTM) phishing attack delivered through a compromised client's email; the attacker then gained persistent access to sensitive company communications and potentially exfiltrated data using tools such as PerfectData Software.
The breach timeline revealed critical lapses in security practices at ANY.RUN. Initial compromise occurred on May 27, 2024, when an employee entered their login credentials on a fake Microsoft sign-in page that they had opened in a sandbox session. Because that session was not configured to decrypt HTTPS traffic, the Suricata IDS could not inspect the request and the phishing page went undetected. The attacker swiftly used the stolen session to add their own device to the compromised account's MFA, ensuring persistent access for nearly a month. During this period they used PerfectData Software to potentially extract sensitive information from the compromised mailbox. Although the phishing links were already flagged in Threat Intelligence, the inadequate sandbox configuration prevented them from being identified as harmful, demonstrating a gap in proactive threat detection and response readiness. The containment strategy, though effective in halting lateral movement and preventing further data exfiltration, lacked mechanisms for real-time anomaly detection and comprehensive threat hunting.
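The attack chain above (unfamiliar sign-in, new MFA method registered minutes later, consent to a mailbox-access app named PerfectData Software) is exactly the pattern an identity-log hunt should surface. The script below is an added example, not ANY.RUN's code or part of the original report: it runs two such checks over constructed audit events using a simplified, assumed schema (field names, the known-egress prefix and the 30-minute window are all assumptions, not values from the page).

```python
"""Hunt for the post-phishing pattern described above in identity audit logs:
(1) a new MFA method registered shortly after a sign-in from an unfamiliar IP,
(2) consent granted to a watched application such as PerfectData Software.

Added example; not ANY.RUN's code. The events are constructed and the schema
is a simplified, assumed one (loosely modelled on cloud identity audit logs).
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events (not real logs). Timestamps are UTC, ISO 8601.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-05-27T09:02:11", "user": "employee@example.com",
     "action": "SignIn", "ip": "203.0.113.45"},
    {"time": "2024-05-27T09:04:50", "user": "employee@example.com",
     "action": "UserRegisteredSecurityInfo", "ip": "203.0.113.45",
     "detail": "Authenticator app"},
    {"time": "2024-05-27T09:10:02", "user": "employee@example.com",
     "action": "ConsentToApplication", "ip": "203.0.113.45",
     "detail": "PerfectData Software"},
    # Benign control: sign-in from a known corporate egress, MFA change hours later.
    {"time": "2024-05-27T08:00:00", "user": "other@example.com",
     "action": "SignIn", "ip": "198.51.100.7"},
    {"time": "2024-05-27T15:30:00", "user": "other@example.com",
     "action": "UserRegisteredSecurityInfo", "ip": "198.51.100.7",
     "detail": "Phone"},
]

# Assumed baseline: egress prefixes the organisation considers its own.
KNOWN_EGRESS_PREFIXES: Tuple[str, ...] = ("198.51.100.",)

# Apps whose consent merits review. "PerfectData Software" is the tool named
# in the report; extend this set from your own tenant's consent history.
WATCHED_APP_NAMES = {"perfectdata software"}

# Assumed hunting window between sign-in and MFA registration.
MFA_WINDOW = timedelta(minutes=30)


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def is_unfamiliar_ip(ip: str) -> bool:
    """True when the source IP is outside every known egress prefix."""
    return not ip.startswith(KNOWN_EGRESS_PREFIXES)


def find_mfa_registration_after_unfamiliar_signin(events: List[Dict],
                                                  window: timedelta = MFA_WINDOW):
    """Return (user, signin_time, registration_time) for every MFA method
    registration that follows an unfamiliar-IP sign-in within `window`."""
    by_user: Dict[str, List[Dict]] = {}
    for ev in sorted(events, key=_ts):
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        signins = [e for e in evs
                   if e["action"] == "SignIn" and is_unfamiliar_ip(e["ip"])]
        registrations = [e for e in evs
                         if e["action"] == "UserRegisteredSecurityInfo"]
        for s in signins:
            for r in registrations:
                if timedelta(0) <= _ts(r) - _ts(s) <= window:
                    findings.append((user, s["time"], r["time"]))
    return findings


def find_watched_app_consents(events: List[Dict]):
    """Return (user, app_name, time) for consents granted to watched apps."""
    return [(e["user"], e["detail"], e["time"]) for e in events
            if e["action"] == "ConsentToApplication"
            and e.get("detail", "").lower() in WATCHED_APP_NAMES]


if __name__ == "__main__":
    for hit in find_mfa_registration_after_unfamiliar_signin(SAMPLE_EVENTS):
        print("MFA method added after unfamiliar sign-in:", hit)
    for hit in find_watched_app_consents(SAMPLE_EVENTS):
        print("Consent to watched application:", hit)
```

Both checks are deliberately simple so they can be ported to whatever query language the SIEM uses; the important design choice is correlating the MFA registration with the preceding sign-in per user rather than alerting on either event alone, which is what turns a noisy signal into the specific sequence seen in this incident.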
ANY.RUN's response to the phishing attack revealed both strengths and areas for improvement in its cybersecurity posture. Immediate actions, such as revoking the compromised access and resetting credentials, limited the incident's immediate impact. However, the incident exposed weaknesses in access control policies, MFA implementation, and proactive threat detection capabilities. Beyond these technical fixes, promoting a security-aware culture among employees through regular training and simulated phishing exercises is crucial to strengthening defenses against similar future threats. By addressing these vulnerabilities and implementing proactive security measures, ANY.RUN can better safeguard its systems and data against evolving cyber threats.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Initial Access | T1566 | Phishing |
| Persistence | T1137 | Office Application Startup |
| Persistence | T1098 | Account Manipulation |
| Defense Evasion | T1078 | Valid Accounts |
| Discovery | T1083 | File and Directory Discovery |
| Lateral Movement | T1091 | Replication Through Removable Media |
| Lateral Movement | T1021 | Remote Services |
| Collection | T1113 | Screen Capture |
| Collection | T1114 | Email Collection |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
REFERENCES:
The following reports contain further technical details: