A leading cybersecurity company has become the latest victim of a sophisticated phishing attack.
The incident, which began in late May and culminated in a large-scale email compromise on June 18, 2024, has sent shockwaves through the cybersecurity community.

Initial Breach: A Wolf in Sheep’s Clothing

First unauthorized log-in

Registered PerfectData activity
Unbeknownst to the employee, the client’s account had been compromised, and the email contained a malicious link.
In a critical misstep, the employee entered their actual login credentials and multi-factor authentication (MFA) code into a fake login form while testing the link in a sandbox environment.
This action granted the attacker initial access to the employee’s account on May 27.
Persistence and Data Exfiltration
Once inside, the attacker demonstrated remarkable persistence. They registered their mobile device for MFA, ensuring continued access to the compromised account.
Over the next 23 days, the unauthorized entity repeatedly accessed the employee’s mailbox.
On June 5, the attacker escalated their activities by installing PerfectData Software, an application that potentially allowed them to create a complete mailbox backup.
This move signaled a clear intent to exfiltrate sensitive data.
The Phishing Campaign Unfolds
The full extent of the breach became apparent on June 18, when the attacker launched a large-scale phishing campaign using the compromised employee’s account.

The phishing email sent by the attacker using our employee’s account
Emails containing malicious links were sent to the employee’s contact list, mimicking the initial attack vector.
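As an added example (not code from the article or from the affected company), the following Python detector runs over constructed audit records and looks for the chain described in the two sections above: a sign-in from an IP outside the user's baseline, followed within a window by a new MFA method registration and an application consent, and then an outbound mail burst like the June 18 campaign. The operation and field names are simplified assumptions, not a real audit-log schema.

```python
from datetime import datetime, timedelta
# Constructed, simplified audit records standing in for M365 / Entra ID audit log
# entries. Operation and field names are assumptions for this example, not a real schema.
EVENTS = [
    {"ts": "2024-05-27T09:12:00", "user": "alice", "op": "UserLoggedIn", "ip": "203.0.113.10"},
    {"ts": "2024-05-27T09:20:00", "user": "alice", "op": "RegisterSecurityInfo", "ip": "203.0.113.10"},
    {"ts": "2024-06-05T14:03:00", "user": "alice", "op": "ConsentToApplication",
     "ip": "203.0.113.10", "app": "PerfectData Software"},
    {"ts": "2024-06-03T08:00:00", "user": "bob", "op": "UserLoggedIn", "ip": "198.51.100.5"},
    {"ts": "2024-06-03T08:05:00", "user": "bob", "op": "RegisterSecurityInfo", "ip": "198.51.100.5"},
] + [  # 25 outbound messages in ten minutes from the compromised account (constructed)
    {"ts": f"2024-06-18T08:{m:02d}:00", "user": "alice", "op": "Send", "ip": "203.0.113.10"}
    for m in range(25)
]
# Per-user baseline of source IPs seen during normal activity (constructed).
KNOWN_IPS = {"alice": {"198.51.100.5"}, "bob": {"198.51.100.5"}}

def _t(e):
    return datetime.fromisoformat(e["ts"])

def find_persistence(events, known_ips, window=timedelta(days=30)):
    """Flag a sign-in from an IP outside the user's baseline that is followed, within
    the window, by both a new MFA method registration and an application consent."""
    findings, by_user = [], {}
    for e in sorted(events, key=_t):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for e in evs:
            if e["op"] != "UserLoggedIn" or e["ip"] in known_ips.get(user, set()):
                continue
            later = {x["op"]: x for x in evs if _t(e) <= _t(x) <= _t(e) + window}
            if "RegisterSecurityInfo" in later and "ConsentToApplication" in later:
                findings.append((user, e["ip"], later["ConsentToApplication"].get("app")))
    return findings

def find_mail_burst(events, threshold=20, window=timedelta(hours=1)):
    """Flag users who send more than `threshold` messages inside any sliding window."""
    sends, flagged = {}, set()
    for e in events:
        if e["op"] == "Send":
            sends.setdefault(e["user"], []).append(_t(e))
    for user, times in sends.items():
        times.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            if i - j + 1 > threshold:
                flagged.add(user)
    return sorted(flagged)
```

Bob's sign-in comes from a baseline IP and is never followed by an app consent, so only alice's account is flagged on both checks.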
However, the incident has raised serious questions about the company’s security practices.
The company also emphasized that no data or system integrity was affected.
This incident is a stark reminder that even cybersecurity companies are not immune to sophisticated attacks.
It underscores the critical importance of stringent security protocols, employee training, and the need for constant vigilance in the face of evolving cyber threats.
Indicators of Compromise