Microsoft Defender Error Triggers Data Leak: ANY.RUN Users Unknowingly Expose Sensitive Corporate Files

Hello HackingBlogs Users 🙂

Due to a recent error by Microsoft Defender, users of the malware analysis tool ANY.RUN unintentionally put private company files online, resulting in an unexpected flood of data exposure. Free-plan customers hurried to examine suspicious documents after a false positive flagged Adobe’s authentic Acrobat Cloud links as dangerous, not understanding their uploads were open to the public.

Following this, there was an unexpected breach of more than 1,700 private documents, which raised grave questions regarding platform communication, openness, and data protection procedures.

A couple of hours ago we saw a sudden inflow of Adobe Acrobat Cloud links being uploaded to ANYRUN’s sandbox. After research, we’ve discovered that Microsoft Defender XDR mistakenly flagged acrobat[.]adobe[.]com/id/urn:aaid:sc: as malicious. This caused free-plan users to upload more than a thousand Adobe files with sensitive corporate data of hundreds of companies for analysis in public mode. To stop leaks, we’re making all these analyses private, but users continue to share confidential documents publicly.

ANY.RUN said on its X profile.

What Is ANY.RUN? For Those Who Got No Brain

For cybersecurity experts, ANY.RUN is an advanced, interactive cloud-based malware analysis tool. ANY.RUN provides real-time, user-driven interaction with virtual machines (VMs) running Linux, Android, and Windows environments, in contrast to conventional automated sandboxes. Because of this interactivity, analysts can monitor and manage malware behavior in a controlled environment, including opening files, visiting links, and running commands.

What Was the Major Loophole in This Issue?

Using signals from various Microsoft security solutions, including Defender for Endpoint, Identity, Cloud Apps, O365 and others, Microsoft Defender XDR helps security teams prevent and detect threats; they can then investigate and respond to attacks from the Microsoft Defender portal. Like many security platforms, Defender XDR automatically flags files and links that look suspicious, and if it judges something to be malicious it can route it to a sandbox for analysis. Usually that is a good thing. In this particular case, however, Defender XDR made an extremely serious error.

It categorized legitimate links to Adobe Acrobat Cloud as malicious. That is a problem in itself, because false positives erode trust in security tools. The real damage, however, began when users, prompted by the Defender alert, uploaded these "suspicious" files to ANY.RUN's public sandbox for analysis.

Public sharing is the default setting on ANY.RUN's free plan. When users uploaded these files they were not just examining them privately; they were exposing them to the whole internet. Suddenly more than 1,700 company documents, many of which contained sensitive information, were public. All of it stemmed from one false positive: Defender XDR reporting acrobat[.]adobe[.]com links as harmful. This was no small mistake.
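As an added illustration (not ANY.RUN's or Microsoft's code), here is a pre-submission triage gate a SOC could put in front of any sandbox upload: it refangs the indicator, matches the host exactly against a list of known false positives (the Acrobat Cloud share-link pattern quoted above) rather than by substring, and refuses public submission of anything else. The allowlist contents and the privacy-mode names are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Hosts whose links were legitimate but flagged in this incident (constructed list).
# Matching is exact host or dot-delimited parent, never substring, so a lookalike
# such as acrobat.adobe.com.example.net does not pass.
KNOWN_BENIGN_HOSTS = {"acrobat.adobe.com"}

# Path prefix of the Adobe Acrobat Cloud share links named in the incident.
ACROBAT_SHARE_PREFIX = "/id/urn:aaid:sc:"


def refang(indicator: str) -> str:
    """Turn defanged notation (acrobat[.]adobe[.]com, hxxps://) back into a parseable URL."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    if "://" not in s:
        s = "https://" + s
    return s


def host_is_allowlisted(host: str) -> bool:
    """Exact or parent-domain match only; a substring check would be bypassable."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in KNOWN_BENIGN_HOSTS)


def triage(indicator: str, privacy: str = "public") -> dict:
    """Decide what to do with a flagged URL before it reaches a sandbox.

    privacy is the sharing mode the analyst intends to use; "public" is the
    free-plan default described in the article, so it is rejected outright.
    """
    parsed = urlparse(refang(indicator))
    host = parsed.hostname or ""
    if host_is_allowlisted(host) and parsed.path.startswith(ACROBAT_SHARE_PREFIX):
        return {"action": "skip", "host": host,
                "reason": "known false positive: Adobe Acrobat Cloud share link, do not upload"}
    if privacy == "public":
        return {"action": "block", "host": host,
                "reason": "refusing public submission; switch the analysis to private first"}
    return {"action": "submit", "host": host,
            "reason": "unrecognised indicator, submitting as a private analysis"}
```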

Measures Taken by ANY.RUN to Curb This Issue

Once it identified the problem, ANY.RUN quickly switched every analysis associated with the false positive to private mode, so that the already-uploaded data could no longer be viewed publicly. ANY.RUN noted, however, that even after this measure was in place some users were still uploading confidential documents in public mode.

The latest data leak has once again highlighted the risks of false alerts in security tools, particularly in cloud-first setups where automation and file sharing run continuously. According to cybersecurity experts such as analyst Florian Roth, platforms like Microsoft 365 and AWS are already high-value targets for attackers, partly because of their sometimes limited monitoring capabilities. Incidents like this one show why threat detection systems must be tuned to avoid both missed true threats and false positives.

Advisory EX1061430 in the Microsoft 365 Admin Center states that Microsoft has fixed a known issue in one of its machine learning (ML) models. This issue caused Adobe emails in Exchange Online to be incorrectly flagged as spam.

What Made the Users Think Their Uploads Were Private?

It seems hard to believe that an analyst in their right mind would fire up ANY.RUN and expose their organisation's private data publicly. But guess what: the https://app.any.run/plans page showed the following.

As some Reddit users pointed out, the website's homepage carried an ANY.RUN statement urging visitors to "Create a free account" and promising to "keep your uploads and analyses private."

The ANY.RUN data leak is a reminder that cyber threats are increasingly targeting cloud systems. Experts had just before this disaster pointed out that cloud platforms were vulnerable because of blind spots, poor detection mechanisms, and insufficient logging.

The important lessons are that threat detection systems must be accurate so that a single mistake does not snowball into a security incident, that users must understand the privacy settings of the security tools they use, and that businesses must keep following secure procedures when handling sensitive data in cloud-based environments.
