Viry a Červi

Unrelated to the OAuth token attack, but still troubling as org reveals details of around 100,000 users were grabbed by the baddies

GitHub has revealed it stored a "number of plaintext user credentials for the npm registry" in internal logs following the integration of the JavaScript package registry into GitHub's logging systems.…

And that's a bit odd, says Red Canary

A strain of Windows uses PowerShell to add a malicious extension to a victim's Chrome browser for nefarious purposes. A macOS variant exists that uses Bash to achieve the same and also targets Safari.…

Latest episode - listen now!

Cisco Talos discovered eight vulnerabilities in the Open Automation Software, two of them critical, that pose risk for critical infrastructure networks.

• IT threat evolution in Q1 2022
• IT threat evolution in Q1 2022. Non-mobile statistics
• IT threat evolution in Q1 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2022:

• 6,463,414 mobile malware, adware and riskware attacks were blocked.
• The largest share of all detected mobile threats accrued to RiskTool programs — 48.75%.
• 516,617 malicious installation packages were detected, of which:
  • 53,947 packages were related to mobile banking trojans,
  • and 1,942 packages were mobile ransomware trojans.

Quarterly highlights

In Q1 2022, the level of activity among cybercriminals remained roughly the same as it was at the end of 2021 when comparing the number of attacks on mobile devices. But in general, the number of attacks is still on a downward trend.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q1 2022 (download)

What makes this quarter interesting is that many different fraudulent apps are distributed via official app stores. It’s not uncommon for apps published in the store to be accompanied by inflated ratings with fake reviews posted on the page for the app which are of course all positive. These types of apps occupy seven out of the twenty places in our malware ranking for Q1.

One of the schemes used by scammers which has been becoming more popular since last year are scam apps for receiving social benefits. The mobile apps redirect to a webpage where users are prompted to enter personal data and shown a large sum of money they’re supposedly entitled to. In order to claim their benefits however, users are told they need to pay a commission to cover the transfer cost or legal assistance. Once the money has been transferred, the app’s objective is considered achieved, and the user receives nothing in return.

Scam apps targeting Russian-speaking users

Another common scheme deployed by scammers are fraudulent trading apps which grant access to an investment platform for certain gas stocks. The app brings the user to a fake website where you can “raise your investment capital”. Needless to say, all the money invested is sent straight to the cybercriminals.

 

Other types of fraudulent apps begin charging a hefty weekly subscription fee a few days after the app is installed or even sign the user up for premium SMS subscriptions.

Keto diet app for meal planning which deducts money from the user’s bankcard without receiving prior consent

Other finds which stood out this quarter were various apps for taking out payday loans targeting users in Mexico and India. In our system of classification, these apps belong to a family of potentially unwanted software called RiskTool.AndroidOS.SpyLoan, which request access to user’s text messages, contacts list and photos. If a payment is late, debt collectors can begin calling people from the user’s contacts list or blackmail the user by threatening to disclose their personal information.

We observed a similar case in Brazil, where people were encouraged to install an app to take out payday loans which locks users out of their phones if they miss a payment.

Mobile threat statistics

In Q1 2022, Kaspersky detected 516,617 malicious installation packages, which is 79,448 fewer than the previous quarter and down 935,043 against Q1 2021.

Number of detected malicious installation packages, Q1 2021 — Q1 2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q4 2021 and Q1 2022 (download)

Almost half of all threats detected in Q1 2022 were potentially unwanted RiskTool apps (48.75%), which is a reduction of 3.21 p.p. compared to the previous quarter. Most apps detected in this category belonged to the traditionally dominant SMSreg family (61.37%).

Adware apps came second (16.92%), which also saw a decrease of 10.01 p.p. The worst offenders belonged to the Ewind family (28.89%), which were encountered more frequently than any other adware we detected. It’s followed by Adlo (19.84%) and HiddenAd (12.46%) families.

Third place was taken by various trojans whose share increased by 10.32 p.p. to 14.68%. The trojan families that had the greatest impact were Mobtes (44.35%), Piom (32.61%) and Boogr (14.32%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %* 1 DangerousObject.Multi.Generic 20.45 2 Trojan.AndroidOS.Fakemoney.d 10.73 3 Trojan-SMS.AndroidOS.Fakeapp.d 7.82 4 Trojan-SMS.AndroidOS.Fakeapp.c 5.36 5 Trojan-Spy.AndroidOS.Agent.aas 4.93 6 Trojan.AndroidOS.Fakeapp.ed 4.45 7 Trojan.AndroidOS.Fakemoney.g 3.28 8 Trojan-Dropper.AndroidOS.Agent.sl 2.94 9 DangerousObject.AndroidOS.GenericML 2.55 10 Trojan.AndroidOS.Fakeapp.dw 2.40 11 Trojan-Ransom.AndroidOS.Pigetrl.a 2.14 12 Trojan.AndroidOS.Soceng.f 2.14 13 Trojan.AndroidOS.Fakemoney.i 2.13 14 Trojan-Downloader.AndroidOS.Agent.kx 1.63 15 Trojan-SMS.AndroidOS.Agent.ado 1.62 16 Trojan.AndroidOS.Fakeapp.ea 1.55 17 Trojan-Downloader.AndroidOS.Necro.d 1.47 18 Trojan-Dropper.AndroidOS.Hqwar.gen 1.36 19 Trojan.AndroidOS.GriftHorse.l 1.26 20 SMS-Flooder.AndroidOS.Dabom.c 1.19

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The malware rating for Q1 2022 featured many new arrivals, which we discussed in the quarterly-highlights section. But let’s go back to the top of the ranking. First place was defended by the traditional title-holder DangerousObject.Multi.Generic (20.45%), which is a verdict we use to describe malware detected using cloud technology. The trojan identified as Trojan.AndroidOS.Fakemoney.d (10.73%) moved up from third to second place. Other members of this family have also occupied seventh and thirteenth place in the rating. These are fraudulent apps that invite users to fill out a fake application for social benefits. The majority of users targeted in these attacks live in Russia, Kazakhstan and Ukraine.

The trojans in third and fourth place (7.82% and 5.36%) are members of the Trojan-SMS.AndroidOS.Fakeapp family. This type of malware is able to send text messages and call specified numbers, display ads and hide its icon on the device. Fifth place is taken by a trojan referred to as Trojan-Spy.AndroidOS.Agent.aas (4.93%), which is a modification of the popular WhatsApp Messenger containing a spy tool.

Trojan.AndroidOS.Fakeapp.ed (4.45%) took sixth place. This verdict refers to a category of fraudulent apps which target users in Russia by posing as a stock-trading platform for investing in gas.

Eighth place is occupied by Trojan-Dropper.AndroidOS.Agent.sl (2.94%), a dropper that installs and runs banking trojans on devices. The majority of users attacked by it were located in Russia, Germany and Turkey.

Ninth place was taken by the verdict DangerousObject.AndroidOS.GenericML (2.55%). These verdicts are assigned to files recognized as malicious by our machine-learning systems. The verdict in tenth place is Trojan.AndroidOS.Fakeapp.dw (2.40%), which is used to describe various scam apps, such as apps claiming to offer an additional source of income.

The trojan in eleventh place is Trojan-Ransom.AndroidOS.Pigetrl.a (2.14%), which locks the device’s screen and asks for a code to unlock it. The trojan doesn’t provide any instructions on how to obtain this code, and the code itself is embedded in the body of the malware.

The trojan which came twelfth was Trojan.AndroidOS.Soceng.f (2.14%), which sends text messages to people in your contacts list, deletes files on the SD card, and overlays the interfaces of popular apps with its own window. The trojan in fourteenth place is Trojan-Downloader.AndroidOS.Agent.kx (1.63%), which downloads adware.

A trojan known as Trojan-SMS.AndroidOS.Agent.ado (1.62%), which sends text messages to short premium-rate numbers is in fifteenth place. The next row down is occupied by Trojan.AndroidOS.Fakeapp.ea (1.55%), another fraudulent trading app for investing in gas.

The trojan in seventeenth place is Trojan-Downloader.AndroidOS.Necro.d (1.47%), which is used to download and run other forms of malware on an infected device. It is followed by Trojan-Dropper.AndroidOS.Hqwar.gen (1.36%), which is used to unpack and run various banking trojans on a device.

The trojan in nineteenth place is Trojan.AndroidOS.GriftHorse.l (1.26%) — another fraudulent app mentioned in the quarterly-highlight section. It subscribes users to premium text-messaging services. The next line is occupied by SMS-Flooder.AndroidOS.Dabom.c (1.19%), which has the main aim of bombarding people with spam text messages.

Geography of mobile threats

Map of attempts to infect mobiles with malware, Q1 2022 (download)

TOP 10 countries by share of users attacked by mobile malware

Countries* %** 1 Iran 35.25 2 China 26.85 3 Yemen 21.23 4 Oman 19.01 5 Saudi Arabia 15.81 6 Algeria 13.89 7 Argentina 13.59 8 Brazil 10.80 9 Ecuador 10.64 10 Morocco 10.56

* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) are excluded from the ranking.
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

In the rating for Q1 2022, Iran (35.25%) is still the country with the most infected devices. The most frequently encountered threat in this country was annoying adware from the Notifyer and Fyben families. China came second (26.85%), where the most frequently encountered threats were Trojan.AndroidOS.Boogr.gsh and Trojan.AndroidOS.Najin.a. Third place was taken by Yemen (21.23%), where the most widespread mobile threat was Trojan-Spy.AndroidOS.Agent.aas spyware.

Mobile banking trojans

The number of installation packages for mobile banking trojans, which dipped in the first three quarters of 2021, continued to grow: we detected 53,947 of these packages in the reporting period, which is 15,594 up on Q4 2021 and a year-on-year increase of 28,633 against Q1 2021. The increase in the number of packages is largely due to the Trojan-Banker.AndroidOS.Bray family — its share accounted for 80.89% of all mobile banking trojans detected. The second most frequently detected package was Trojan-Banker.AndroidOS.Fakecalls (8.75%), followed by Trojan-Banker.AndroidOS.Cebruser (2.52%) in third place.

Number of installation packages for mobile banking trojans detected by Kaspersky, Q1 2021 — Q1 2022 (download)

TOP 10 most common mobile bankers

Verdict %* 1 Trojan-Banker.AndroidOS.Bian.h 18.68 2 Trojan-Banker.AndroidOS.Anubis.t 12.52 3 Trojan-Banker.AndroidOS.Svpeng.q 8.63 4 Trojan-Banker.AndroidOS.Agent.ep 8.24 5 Trojan-Banker.AndroidOS.Asacub.ce 4.98 6 Trojan-Banker.AndroidOS.Agent.eq 4.56 7 Trojan-Banker.AndroidOS.Sova.g 2.75 8 Trojan-Banker.AndroidOS.Gustuff.d 2.62 9 Trojan-Banker.AndroidOS.Agent.cf 2.39 10 Trojan-Banker.AndroidOS.Hqwar.t 2.32

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q1 2022 (download)

TOP 10 countries by shares of users attacked by mobile banking trojans

Countries* %** 1 Spain 1.80 2 Turkey 1.07 3 Australia 0.54 4 China 0.35 5 Italy 0.17 6 Japan 0.15 7 Colombia 0.13 8 Yemen 0.09 9 South Korea 0.08 10 Malaysia 0.07

* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by mobile banking trojans as a percentage of all Kaspersky mobile security solution users in the country.

Spain (1.80%) was where the most unique users were attacked by mobile financial threats in Q1 2022. The trojan behind almost three quarters of attacks (74,58%) in this country was the TOP 10 leader Trojan-Banker.AndroidOS.Bian.h. Turkey (1.07%) came second, where Trojan-Banker.AndroidOS.Bian.h (42.69%) was also encountered more frequently than any other threat. Australia (0.54%) took third place, where one trojan was more active than all the rest: Trojan-Banker.AndroidOS.Gustuff.d (95.14%).

Mobile ransomware trojans

In Q1 2022, we detected 1,942 installation packages for mobile ransomware trojans, which is 2,371 fewer than the figure recorded in the previous quarter and a year-on-year decrease of 1,654 against Q1 2021.

Number of installation packages for mobile ransomware trojans detected by Kaspersky, Q1 2021 and Q1 2022 (download)

TOP 10 most common mobile ransomware

Verdict %* 1 Trojan-Ransom.AndroidOS.Pigetrl.a 78.77 2 Trojan-Ransom.AndroidOS.Rkor.br 5.68 3 Trojan-Ransom.AndroidOS.Rkor.bs 1.99 4 Trojan-Ransom.AndroidOS.Small.as 1.89 5 Trojan-Ransom.AndroidOS.Rkor.bi 1.59 6 Trojan-Ransom.AndroidOS.Rkor.bt 1.58 7 Trojan-Ransom.AndroidOS.Rkor.bp 1.41 8 Trojan-Ransom.AndroidOS.Rkor.bh 0.93 9 Trojan-Ransom.AndroidOS.Rkor.bn 0.88 10 Trojan-Ransom.AndroidOS.Rkor.bl 0.76

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware trojans.

The top ransomware trojan held onto its title in the ranking for Q1 2022: Trojan-Ransom.AndroidOS.Pigetrl.a (78.77%). It’s worth noting that 94% of all attacks involving this trojan targeted Russia. The next runners-up trailing far behind the leader are two members of the Trojan-Ransom.AndroidOS.Rkor family: Rkor.br (5.68%) and Rkor.bs (1.99%).

Geography of mobile ransomware trojans, Q1 2022 (download)

Top 10 countries by share of users attacked by mobile ransomware trojans

Countries* %** 1 Yemen 0.43 2 Kazakhstan 0.34 3 China 0.28 4 Kyrgyzstan 0.08 5 Moldova 0.03 6 Saudi Arabia 0.02 7 Russian Federation 0.02 8 Egypt 0.02 9 Ukraine 0.02 10 Lithuania 0.02

* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by ransomware trojans as a percentage of all Kaspersky mobile security solution users in the country.

Yemen (0.43%) tops the list of countries where the greatest number of users were attacked by mobile ransomware trojans. It’s followed by Kazakhstan (0.34%) with China (0.28%) rounding out the top three. The trojan which users in Yemen encountered most frequently was Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan and China encountered members of the Trojan-Ransom.AndroidOS.Rkor family.

• IT threat evolution in Q1 2022
• IT threat evolution in Q1 2022. Non-mobile statistics
• IT threat evolution in Q1 2022. Mobile statistics

Targeted attacks MoonBounce: the dark side of UEFI firmware

Late last year, we became aware of a UEFI firmware-level compromise through logs from our firmware scanner (integrated into Kaspersky products at the start of 2019). Further analysis revealed that the attackers had modified a single component in the firmware in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain.

Our analysis of the rogue firmware, and other malicious artefacts from the target’s network, revealed that the threat actor behind it had tampered with the firmware to embed malware that we call MoonBounce. Since the implant is located in SPI flash on the motherboard, rather than on the hard disk, it can persist even if someone formats or replaces the hard disk.

Moreover, the infection chain does not leave any traces on the hard drive, as its components operate in memory only – facilitating a fileless attack with a small footprint. We detected other non-UEFI implants in the targeted network that communicated with the same infrastructure.

We attribute this intrusion set to APT41, a threat actor widely believed to be Chinese speaking, because of the combination of the above findings with network infrastructure fingerprints and other TTPs.

Our report describes in detail how the MoonBounce implant works and what other traces of activity related to Chinese-speaking actors we were able to observe in the compromised network that could indicate a connection to APT41.

BlueNoroff continues its search for crypto-currency

In January, we reported a malicious campaign targeting companies that work with cryptocurrencies, smart contracts, decentralized finance and blockchain technology: the attackers are interested in fintech in general. We attribute the campaign, named SnatchCrypto, to the BlueNoroff APT group, the threat actor behind the 2016 attack on Bangladesh’s central bank.

The campaign has two goals: gathering information and stealing cryptocurrency. The attackers are mainly interested in collecting data on user accounts, IP addresses and session information; and they steal configuration files from programs that work directly with cryptocurrency and may contain account credentials. The attackers carefully study potential victims, sometimes monitoring them for months.

One approach they take is to manipulate popular browser extensions for managing crypto wallets. They change an extension’s source in the browser settings so that they can install a modified version from local storage instead of the legitimate version loading from the official web store. They also use the modified Metamask extension for Chrome to replace the transaction logic, enabling them to steal funds even from those who use hardware devices to sign cryptocurrency transfers.

The attackers study their victims carefully and use the information they find to frame social engineering attacks. Typically, they construct emails that masquerade as communications from legitimate venture companies, but with an attached, macro-enabled document. When opened, this document eventually downloads a backdoor.

Our telemetry shows that there were victims in Russia, Poland, Slovenia, Ukraine, the Czech Republic, China, India, the US, Hong Kong, Singapore, the UAE and Vietnam. However, based on the shortened URL click history and decoy documents, we assess that there were more victims of this financially motivated attack campaign.

Roaming Mantis reaches Europe

Since 2018, we have been tracking Roaming Mantis – a threat actor that targets Android devices. The group uses various malware families, including Wroba, and attack methods that include phishing, mining, smishing and DNS poisoning.

Typically, the smishing messages contain a very short description and a URL to a landing page. If someone clicks on the link and opens the landing page, there are two scenarios: the attackers redirect people using iOS to a phishing page imitating the official Apple website; on Android devices, they install the Wroba malware.

Our latest research indicates that Roaming Mantis has extended its geographic reach to include Europe. In the second half of 2021, the most affected countries were France, Japan, India, China, Germany and South Korea.

Territories affected by Roaming Mantis activity (download)

Cyberattacks related to the crisis in Ukraine

On January 14, attackers defaced 70 Ukrainian websites and posted the message “be afraid and expect the worst”. The defacement message on the Ministry of Foreign Affairs website, written in Ukrainian, Russian and Polish, suggested that personal data uploaded to the site had been destroyed. Subsequently, DDoS attacks hit some government websites. The following day, Microsoft reported that it had found destructive malware, dubbed WhisperGate, on the systems of government bodies and agencies that work closely with the Ukrainian government. It was not clear who was behind the attack, although the deputy secretary of Ukraine’s National Security and Defence Council stated that it was the work of UNC1151, a threat actor thought to be linked to Belarus.

WhisperKill, the wiper used during the WhisperGate campaign, wasn’t the only wiper to target organizations in Ukraine. On February 23, ESET published a tweet announcing new wiper malware targeting Ukraine. This wiper, named HermeticWiper by the research community, abuses legitimate drivers from the EaseUS Partition Master to corrupt the drivers of the compromised system. The compilation date of one of the identified samples was December 28 last year, suggesting that this destructive campaign had been planned for months.

The following day, Avast Threat Research announced the discovery of new Golang ransomware in Ukraine, which they dubbed HermeticRansom and which we call ElectionsGoRansom. This malware was discovered at around the same time as HermeticWiper; and publicly available information from the security community indicated that it was used in recent cyberattacks in Ukraine. The unsophisticated style and poor implementation suggest that attackers probably used this new ransomware as a smokescreen for the HermeticWiper attack.

On March 1, ESET published a blog post related to wipers used in Ukraine and to the ongoing conflict: in addition to HermeticWiper, this post introduced IsaacWiper, used to target specific computers previously compromised with another remote administration tool named RemCom, commonly used by attackers for lateral movement within compromised networks.

On March 22, the Ukraine CERT published a new alert about the DoubleZero wiper targeting the country. This is a new wiper, written in .NET, with no similarity to previously discovered wipers targeting Ukrainian entities. According to the CERT public statement, the campaign took place on March 17, when several targets in Ukraine received a ZIP archive with the filename “Вирус… крайне опасно!!!.zip” (translation: “Virus… extremely dangerous!!!.zip”).

On March 10, researchers from the Global Research and Analysis Team shared their insights into past and present cyberattacks in Ukraine. You can find the recording of the webinar here and a summary/Q&A here.

Lazarus uses Trojanized DeFi app to deliver malware

Earlier this year, we discovered a Trojanized DeFi app, compiled in November last year. The app contains a legitimate program, called DeFi Wallet, which saves and manages a cryptocurrency wallet, but it also implants a malicious file when executed. The malware is a fully featured backdoor designed to control compromised computers.

While it’s not clear how the threat actor tricked the victims into executing the Trojanized app, we suspect they sent a spear-phishing email or contacted them via social media.

We attribute the attacks, with high confidence, to the Lazarus group. We discovered numerous overlaps with other tools used by the same threat actor. The malware operator exclusively used compromised web servers located in South Korea for this attack. To take over the servers, we worked closely with a local CERT; as a result of this effort, we had the opportunity to investigate a Lazarus group C2 server.

The threat actor configured this infrastructure with servers set up as multiple stages. The first stage is the source for the backdoor, while the purpose of the second stage servers is to communicate with the implants. This represents a common scheme for Lazarus infrastructure.

We weren’t able to confirm the exact victims of this campaign, but the attack targets entities and/or individuals at a global level.

Other malware Noreboot: faking an iPhone restart

One of the things you can do to protect yourself from advanced mobile spyware is to reboot your device on a daily basis. Typically, such programs do not have a permanent foothold in the system and will survive only until the device is next restarted – the vulnerabilities that allow an attacker to obtain such persistence are rare and very expensive.

However, researchers have recently found a way to fake a restart.  Their technique, which they call Noreboot, is only a proof-of-concept, but if implemented by an attacker, it would allow them to achieve persistence on a target device.

For their lab demonstration, the researchers use an iPhone they had already infected (although they did not share the details of how they did this). When they shut down the device, using the power and volume buttons, the spyware displays an image of the iOS shutdown screen, faking the shutdown. After the user drags the power-off slider, the screen goes dark and the phone no longer responds to any of the user’s actions. When they press the power button again, the malware displays a perfect replica of the iOS boot animation.

Most people, of course, are not in the firing line of advanced threat actors; and a few simple precautions can help to keep you safe.

• Don’t jailbreak or root your device.
• Use a unique, complex passcode; and don’t leave your device unlocked when it’s unattended.
• Only download apps from the App Store or Google Play.
• Review app permissions and remove apps you no longer use.
• If you use Android, protect your device with a robust security solution.

For those who think they could be a potential target for advanced threat actors, Costin Raiu, director of the Global Research and Analysis Team at Kaspersky, has outlined some steps you can take to reduce and mitigate the risks.

Hunting for corporate credentials on ICS networks

In 2021, Kaspersky ICS CERT experts noticed a growing number of anomalous spyware attacks infecting ICS computers across the globe. Although the malware used in these attacks belongs to well-known commodity spyware families, the attacks stand out from the mainstream due to the very limited number of targets in each attack and the very short lifetime of each malicious sample.

By the time we detected this anomaly, it had become a trend: around 21.2 percent of all spyware samples blocked on ICS computers worldwide in the second half of 2021 were part of this new limited-scope, short-lifetime attack series. At the same time, depending on the region, up to one-sixth of all computers attacked with spyware had been attacked using this tactic.

In the process of researching the anomaly, we noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as correspondence from the victim organizations and abusing their corporate email systems to attack through the contact lists of compromised mailboxes.

Overall, we identified more than 2,000 corporate email accounts belonging to industrial companies that the attackers abused as next-attack C2 servers because of successful malicious operations of this type. They stole, or abused in other ways, many more (over 7,000 according to our estimates).

Lapsus$ group hacks Okta

In March, the Lapsus$ cybercrime group claimed that it had obtained “superuser/admin” access to internal systems at Okta. The dates of the screenshots posted by the group suggest that it had had access to Okta’s systems since January. Lapsus$ was previously responsible for a number of high-profile hacks, including the Brazil Ministry of Health, Impresa, Nvidia, Samsung and Ubisoft.

Okta develops and maintains identity and access management systems; in particular, it provides a single sign-on solution that is used by a large number of companies. Okta confirmed the breach and stated that 2.5 percent of its customers (amounting to 366 customers) were potentially affected; and said that it had contacted the affected customers.

A few days later, Lapsus$ mocked Okta’s response to the breach.

The phishing kit market

Phishing remains one of the key methods used by attackers to compromise their targets – both individuals and organizations. One of the most common tricks the phishers use is to create a fake page that mimics the legitimate site of a famous brand. They copy design elements from the real website, making it hard for people to distinguish fake pages from the real ones.

Such websites can be easily blocked or added to anti-phishing databases, so cybercriminals need to generate these pages quickly and in large numbers. Since it is time-consuming to create them from scratch each time, and not all cybercriminals have the necessary skills, they tend to use phishing kits. These are like model aircraft or vehicle assembly kits – ready-made templates and scripts that others can use to create phishing pages quickly and at scale. They are quite easy to use, so even inexperienced attackers without technical skills can make use of them.

Cybercriminals typically get phishing kits from dark web forums or from closed Telegram channels. Scammers working on a tight budget can find some basic open-source tools online. Those who are better off can commission Phishing-as-a-Service, which often includes various phishing kits.

Cybercriminals tend to use hacked official websites to host pages generated using the phishing kits, or rely on companies that offer free web hosting providers. The latter are constantly working to combat phishing and block fake pages, although phishing websites often only require a short period of activity to achieve their intended purpose, which is to collect the personal data of victims and send it to the criminals.

Number of unique domains using the TOP 10 phishing kits, August 2021 — January 2022 (download)

Last year alone, Kaspersky detected 469 individual phishing kits, enabling us to block around 1.2 million phishing pages. The chart shows the dynamics of the TOP 10 phishing kits we detected between August 2021 and January 2022, along with the number of unique domains where each phishing kit was encountered.

• IT threat evolution in Q1 2022
• IT threat evolution in Q1 2022. Non-mobile statistics
• IT threat evolution in Q1 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2022:

• Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.
• Web Anti-Virus recognized 313,164,030 unique URLs as malicious.
• Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 107,848 unique users.
• Ransomware attacks were defeated on the computers of 74,694 unique users.
• Our File Anti-Virus detected 58,989,058 unique malicious and potentially unwanted objects.

Financial threats Financial threat statistics

In Q1 2022 Kaspersky solutions blocked the launch of at least one piece of malware designed to steal money from bank accounts on the computers of 107,848 unique users.

Number of unique users attacked by financial malware, Q1 2022 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

Geography of financial malware attacks, Q1 2022 (download)

TOP 10 countries by share of attacked users

Country* %** 1 Turkmenistan 4.5 2 Afghanistan 4.0 3 Tajikistan 3.9 4 Yemen 2.8 5 Uzbekistan 2.4 6 China 2.2 7 Azerbaijan 2.0 8 Mauritania 2.0 9 Sudan 1.8 10 Syria 1.8

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

TOP 10 banking malware families Name Verdicts %* 1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 36.5 2 Zbot/Zeus Trojan-Banker.Win32.Zbot 16.7 3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 6.7 4 SpyEye Trojan-Spy.Win32.SpyEye 6.3 5 Gozi Trojan-Banker.Win32.Gozi 5.2 6 Cridex/Dridex Trojan-Banker.Win32.Cridex 3.5 7 Trickster/Trickbot Trojan-Banker.Win32.Trickster 3.3 8 RTM Trojan-Banker.Win32.RTM 2.7 9 BitStealer Trojan-Banker.Win32.BitStealer 2.2 10 Danabot Trojan-Banker.Win32.Danabot 1.8

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Our TOP 10 leader changed in Q1: the familiar ZeuS/Zbot (16.7%) dropped to second place and Ramnit/Nimnul (36.5%) took the lead. The TOP 3 was rounded out by CliptoShuffler (6.7%).

Ransomware programs Quarterly trends and highlights Law enforcement successes

• Several members of the REvil ransomware crime group were arrested by Russian law enforcement in January. The Russian Federal Security Service (FSB) says it seized the following assets from the cybercriminals: “more than 426 million rubles ($5.6 million) including denominated in cryptocurrency; $600,000; 500,000 euros; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money.”
• In February, a Canadian citizen was sentenced to 6 years and 8 months in prison for involvement in NetWalker ransomware attacks (also known as Mailto ransomware).
• In January, Ukrainian police arrested a ransomware gang who delivered an unclarified strain of malware via e-mail. According to the statement released by the police, over fifty companies in the United States and Europe were attacked by the cybercriminals.

HermeticWiper, HermeticRansom and RUransom, etc.

In February, new malware was discovered which carried out attacks with the aim of destroying files. Two pieces of malware — a Trojan called HermeticWiper that destroys data and a cryptor called HermeticRansom — were both used in cyberattacks in Ukraine. That February, Ukrainian systems were attacked by another Trojan called IsaacWiper, followed by a third Trojan in March called CaddyWiper. The apparent aim of this malware family was to render infected computers unusable leaving no possibility of recovering files.

An intelligence team later discovered that HermeticRansom only superficially encrypts files, and ones encrypted by the ransomware can be decrypted.

RUransom malware was discovered in March, which was created to encrypt files on computers in Russia. The analysis of the malicious code revealed it was developed to wipe data, as RUransom generates keys for all the victim’s encrypted files without storing them anywhere.

Conti source-code leak

The ransomware group Conti had its source code leaked along with its chat logs which were made public. It happened shortly after the Conti group expressed support for the Russian government’s actions on its website. The true identity of the individual who leaked the data is currently unknown. According to different versions, it could have been a researcher or an insider in the group who disagrees with its position.

Whoever it may have been, the leaked ransomware source codes in the public domain will obviously be at the fingertips of other cybercriminals, which is what happened on more than one occasion with examples like Hidden Tear and Babuk.

Attacks on NAS devices

Network-attached storage (NAS) devices continue to be targeted by ransomware attacks. A new wave of Qlocker Trojan infections on QNAP NAS devices occurred in January following a brief lull which lasted a few months. A new form of ransomware infecting QNAP NAS devices also appeared in the month of January called DeadBolt, and ASUSTOR devices became its new target in February.

Maze Decryptor

Master decryption keys for Maze, Sekhmet and Egregor ransomware were made public in February. The keys turned out to be authentic and we increased our support to decrypt files encrypted by these infamous forms of ransomware in our RakhniDecryptor utility. The decryptor is available on the website of our No Ransom project and the website of the international NoMoreRansom project in the Decryption Tools section.

Number of new modifications

In Q1 2022, we detected eight new ransomware families and 3083 new modifications of this malware type.

Number of new ransomware modifications, Q1 2021 — Q1 2022 (download)

Number of users attacked by ransomware Trojans

In Q1 2022, Kaspersky products and technologies protected 74,694 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q1 2022 (download)

Geography of attacked users

Geography of attacks by ransomware Trojans, Q1 2022 (download)

TOP 10 countries attacked by ransomware Trojans

Country* %** 1 Bangladesh 2.08 2 Yemen 1.52 3 Mozambique 0.82 4 China 0.49 5 Pakistan 0.43 6 Angola 0.40 7 Iraq 0.40 8 Egypt 0.40 9 Algeria 0.36 10 Myanmar 0.35

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans Name Verdicts* Percentage of attacked users** 1 Stop/Djvu Trojan-Ransom.Win32.Stop 24.38 2 WannaCry Trojan-Ransom.Win32.Wanna 13.71 3 (generic verdict) Trojan-Ransom.Win32.Gen 9.35 4 (generic verdict) Trojan-Ransom.Win32.Phny 7.89 5 (generic verdict) Trojan-Ransom.Win32.Encoder 5.66 6 (generic verdict) Trojan-Ransom.Win32.Crypren 4.07 7 (generic verdict) Trojan-Ransom.Win32.CryFile 3.72 8 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 3.37 9 (generic verdict) Trojan-Ransom.Win32.Crypmod 3.17 10 (generic verdict) Trojan-Ransom.Win32.Agent 1.99

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners Number of new miner modifications

In Q1 2022, Kaspersky solutions detected 21,282 new modifications of miners.

Number of new miner modifications, Q1 2022 (download)

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 508,449 unique users of Kaspersky products and services worldwide.

Number of unique users attacked by miners, Q1 2022 (download)

Geography of miner attacks

Geography of miner attacks, Q1 2022 (download)

TOP 10 countries attacked by miners

Country* %** 1 Ethiopia 3.01 2 Tajikistan 2.60 3 Rwanda 2.45 4 Uzbekistan 2.15 5 Kazakhstan 1.99 6 Tanzania 1.94 7 Ukraine 1.83 8 Pakistan 1.79 9 Mozambique 1.69 10 Venezuela 1.67

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by criminals during cyberattacks Quarter highlights

In Q1 2022, a number of serious vulnerabilities were found in Microsoft Windows and its components. More specifically, the vulnerability CVE-2022-21882 was found to be exploited by an unknown group of cybercriminals: a “type confusion” bug in the win32k.sys driver the attacker can use to gain system privileges. Also worth noting is CVE-2022-21919, a vulnerability in the User Profile Service which makes it possible to elevate privileges, along with CVE-2022-21836, which can be used to forge digital certificates.

One of the major talking points in Q1 was an exploit that targeted the CVE-2022-0847 vulnerability in the Linux OS kernel. It was dubbed “Dirty Pipe”. Researchers discovered an “uninitialized memory” vulnerability when analyzing corrupted files, which makes it possible to rewrite a part of the OS memory, namely page memory that contains system files’ data. This in turn opens up an opportunity, such as elevating attacker’s privileges to root. It’s worth noting that this vulnerability is fairly easy to exploit, which means users of all systems should regularly install security patches and use all available means to prevent infection.

When it comes to network threats, this quarter continued to show how cybercriminals often resort to the technique of brute-forcing passwords to gain unauthorized access to various network services, the most popular of which are MSSQL, RDP and SMB. Attacks using the EternalBlue, EternalRomance and similar exploits remain as popular as ever. Due to widespread unpatched versions of Microsoft Exchange Server, networks often fall victim to exploits of ProxyToken, ProxyShell, ProxyOracle and other vulnerabilities. One example of a critical vulnerability found is remote code execution (RCE) in the Microsoft Windows HTTP protocol stack which allows an attack to be launched remotely by sending a special network packet to a vulnerable system by means of the HTTP trailer functionality. New attacks on network applications which will probably also become common are RCE attacks on the popular Spring Framework and Spring Cloud Gateway. Specific examples of vulnerabilities in these applications are CVE-2022-22965 (Spring4Shell) and CVE-2022-22947.

Vulnerability statistics

Q1 2022 saw an array of changes in the statistics on common vulnerability types. For instance, the top place in the statistics is still firmly held by exploits targeting vulnerabilities in Microsoft Office and their share has increased significantly to 78.5%. The same common vulnerabilities we’ve written about on more than one occasion are still the most widely exploited within this category of threats. These are CVE-2017-11882 and CVE-2018-0802, which cause a buffer overflow when processing objects in a specially crafted document in the Equation Editor component and ultimately allow an attacker to execute arbitrary code. There’s also CVE-2017-8570, where opening a specially crafted file with an affected version of Microsoft Office software gives attackers the opportunity to perform various actions on the vulnerable system. Another vulnerability found last year which is very popular with cybercriminals is CVE-2021-40444, which they can use to exploit through a specially prepared Microsoft Office document with an embedded malicious ActiveX control for executing arbitrary code in the system.

Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2022 (download)

Exploits targeting browsers came second again in Q1, although their share dropped markedly to just 7.64%. Browser developers put a great deal of effort into patching vulnerability exploits in each new version and closing a large number of gaps in system security. Apart from that, the majority of browsers have automatic updates as opposed to the distinct example of Microsoft Office, where many of its users still use outdated versions and are in no rush to install security updates. That could be precisely the reason why we’ve seen a reduction in the share of browser exploits in our statistics. However, this does not mean they’re no longer an immediate threat. For instance, Chrome’s developers fixed a number of critical RCE vulnerabilities, including:

• CVE-2022-1096: a “type confusion” vulnerability in the V8 script engine which gives attackers the opportunity to remotely execute code (RCE) in the context of the browser’s security sandbox.
• CVE-2022-0609: a use-after-free vulnerability which allows to corrupt the process memory and remotely execute arbitrary codes when performing specially generated scripts that use animation.

Similar vulnerabilities were found in the browser’s other components: CVE-2022-0605which uses Web Store API, and CVE-2022-0606 which is associated with vulnerabilities in the WebGL backend (ANGLE). Another vulnerability found was CVE-2022-0604, which can be used to exploit a heap buffer overflow in Tab Groups, also potentially leading to remote code execution (RCE).

Exploits for Android came third in our statistics (4.10%), followed by exploits targeting the Adobe Flash Platform (3.49%), PDF files (3.48%) and Java apps (2.79%).

Attacks on macOS

The year began with a number of interesting multi-platform finds: the Gimmick multi-platform malware family with Windows and macOS variants that uses Google Drive to communicate with the C&C server, along with the SysJoker backdoor with versions tailored for Windows, Linux and macOS.

TOP 20 threats for macOS

Verdict %* 1 AdWare.OSX.Pirrit.ac 13.23 2 AdWare.OSX.Pirrit.j 12.05 3 Monitor.OSX.HistGrabber.b 8.83 4 AdWare.OSX.Pirrit.o 7.53 5 AdWare.OSX.Bnodlero.at 7.41 6 Trojan-Downloader.OSX.Shlayer.a 7.06 7 AdWare.OSX.Pirrit.aa 6.75 8 AdWare.OSX.Pirrit.ae 6.07 9 AdWare.OSX.Cimpli.m 5.35 10 Trojan-Downloader.OSX.Agent.h 4.96 11 AdWare.OSX.Pirrit.gen 4.76 12 AdWare.OSX.Bnodlero.bg 4.60 13 AdWare.OSX.Bnodlero.ax 4.45 14 AdWare.OSX.Agent.gen 3.74 15 AdWare.OSX.Agent.q 3.37 16 Backdoor.OSX.Twenbc.b 2.84 17 Trojan-Downloader.OSX.AdLoad.mc 2.81 18 Trojan-Downloader.OSX.Lador.a 2.81 19 AdWare.OSX.Bnodlero.ay 2.81 20 Backdoor.OSX.Agent.z 2.56

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

The TOP 20 threats to users detected by Kaspersky security solutions for macOS is usually dominated by various adware apps. The top two places in the rating were taken by adware apps from the AdWare.OSX.Pirrit family, while third place was taken by a member of the Monitor.OSX.HistGrabber.b family of potentially unwanted software which sends users’ browser history to its owners’ servers.

Geography of threats for macOS

Geography of threats for macOS, Q1 2022 (download)

TOP 10 countries by share of attacked users

Country* %** 1 France 2.36 2 Spain 2.29 3 Italy 2.16 4 Canada 2.15 5 India 1.95 6 United States 1.90 7 Russian Federation 1.83 8 United Kingdom 1.58 9 Mexico 1.49 10 Australia 1.36

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q1 2022, the country where the most users were attacked was France (2.36%), followed by Spain (2.29%) and Italy (2.16%). Adware from the Pirrit family was encountered most frequently out of all macOS threats in the listed countries.

IoT attacks IoT threat statistics

In Q1 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol as before. Just one quarter of devices attempted to brute-force our SSH traps.

Telnet 75.28% SSH 24.72%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2022

If we look at sessions involving Kaspersky honeypots, we see far greater Telnet dominance.

Telnet 93.16% SSH 6.84%

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2022

TOP 10 threats delivered to IoT devices via Telnet

Verdict %* 1 Backdoor.Linux.Mirai.b 38.07 2 Trojan-Downloader.Linux.NyaDrop.b 9.26 3 Backdoor.Linux.Mirai.ba 7.95 4 Backdoor.Linux.Gafgyt.a 5.55 5 Trojan-Downloader.Shell.Agent.p 4.62 6 Backdoor.Linux.Mirai.ad 3.89 7 Backdoor.Linux.Gafgyt.bj 3.02 8 Backdoor.Linux.Agent.bc 2.76 9 RiskTool.Linux.BitCoinMiner.n 2.00 10 Backdoor.Linux.Mirai.cw 1.98

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Similar IoT-threat statistics are published in the DDoS report for Q1 2022.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries and territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q1 2022, Kaspersky solutions blocked 1,216,350,437 attacks launched from online resources across the globe. 313,164,030 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-attack sources by country and territory, Q1 2022 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country or territory* %** 1 Taiwan 22.63 2 Tunisia 21.57 3 Algeria 16.41 4 Mongolia 16.05 5 Serbia 15.96 6 Libya 15.67 7 Estonia 14.45 8 Greece 14.37 9 Nepal 14.01 10 Hong Kong 13.85 11 Yemen 13.17 12 Sudan 13.08 13 Slovenia 12.94 14 Morocco 12.82 15 Qatar 12.78 16 Croatia 12.53 17 Republic of Malawi 12.33 18 Sri Lanka 12.28 19 Bangladesh 12.26 20 Palestine 12.23

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country or territory.

On average during the quarter, 8.18% of computers of Internet users worldwide were subjected to at least one Malware-class web attack.

Geography of web-based malware attacks, Q1 2022 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q1 2022, our File Anti-Virus detected 58,989,058 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* %** 1 Yemen 48.38 2 Turkmenistan 47.53 3 Tajikistan 46.88 4 Cuba 45.29 5 Afghanistan 42.79 6 Uzbekistan 41.56 7 Bangladesh 41.34 8 South Sudan 39.91 9 Ethiopia 39.76 10 Myanmar 37.22 11 Syria 36.89 12 Algeria 36.02 13 Burundi 34.13 14 Benin 33.81 15 Rwanda 33.11 16 Sudan 32.90 17 Tanzania 32.39 18 Kyrgyzstan 32.26 19 Venezuela 32.00 20 Iraq 31.93

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q1 2022 (download)

Overall, 15.48% of user computers globally faced at least one Malware-class local threat during Q1. Russia scored 16.88% in this rating.

Another day, another DDoS attack that tries to scare the victim into paying up with mention of dreaded gang

Akamai has spoken of a distributed denial of service (DDoS) assault against one of its customers during which the attackers astonishingly claimed to be associated with REvil, the notorious ransomware-as-a-service gang.…

Sure, they’re small Pacific nations, but they’re in very strategic locations

China has begun talking to ten nations in the South Pacific with an offer to help them improve their network infrastructure, cyber security, digital forensics and other capabilities – all with the help of Chinese tech vendors.…

Voltage glitch here, glitch there, now you can fiddle with location disc's firmware

At the Workshop on Offensive Technologies 2022 (WOOT) on Thursday, security researchers demonstrated how to meddle with AirTags, Apple's coin-sized tracking devices.…

Shut up and take ... poor kids to KFC?

In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we're told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool.…

Now we can say extortionware has jumped the shark

Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.…

When you really need to make exceptions in cybersecurity, specify them as explicitly as you can.

Schrems III on the cards unless negotiators protect better oversight of US data access requests

European privacy campaigner Max Schrems is warning that enhancements to the EU-US Privacy Shield data-sharing arrangements might face a legal challenge if negotiators don't take a new approach.…

Kaspersky Managed Detection and Response (MDR) helps organizations to complement existing detection capabilities or to expand limited in-house resources to protect their infrastructure from the growing number and complexity of threats in real time. We collect telemetry from clients’ networks and analyze it using machine learning and artificial intelligence, plus human threat-hunting analysts. Kaspersky SOC investigates alerts and notifies the client if there is something bad going on, providing response actions and recommendations.

MDR in 2021 in numbers

In 2021:

• Kaspersky MDR received 414K alerts.
• 74% of received alerts were processed by SOC analysts, 6.67% of which were related to real incidents reported to customers via the MDR portal
• 4% of all incidents are related to only one alert
• 14% of incidents were high-severity, 66% medium-severity, and 20% low-severity
• The average identification time of high-severity incidents was 41.4 minutes
• 7% of high-severity incidents were targeted attacks; 18% were ethical offensive exercises (penetration testing, red teaming etc.)
• Most incidents were detected at the initial access (27.3%) and lateral movement (16.3%) stages
• Most often high-severity incidents were detected in IT (39%), industrial (30.2%), and financial (29.1%) organizations
• The LOL binaries most often used by attackers were cmd.exe, powershell.exe, and rundll.exe

To get the full Kaspersky Managed Detection and Response 2021 report, please fill out the form below.
MktoForms2.loadForm("//app-sj06.marketo.com", "802-IJN-240", 23724); MktoForms2.whenReady(function(form) { form.onSuccess(function(vals, tyURL) { document.location.href = tyURL; return false; }); }); .googleRecaptcha { padding: 20px !important; } var GOOGLE_RECAPTCHA_SITE_KEY = '6Lf2eUQUAAAAAC-GQSZ6R2pjePmmD6oA6F_3AV7j'; var insertGoogleRecaptcha = function (form) { var formElem = form.getFormElem().get(0); if (formElem && window.grecaptcha) { var div = window.document.createElement('div'); var divId = 'g-recaptcha-' + form.getId(); var buttonRow = formElem.querySelector('.mktoButtonRow'); var button = buttonRow ? buttonRow.querySelector('.mktoButton[type="submit"]') : null; var submitHandler = function (e) { var recaptchaResponse = window.grecaptcha && window.grecaptcha.getResponse(widgetId); e.preventDefault(); if (form.validate()) { if (!recaptchaResponse) { div.setAttribute('data-error', 'true'); } else { div.setAttribute('data-error', 'false'); form.addHiddenFields({ reCAPTCHAFormResponse: recaptchaResponse, }); form.submit(); } } }; div.id = divId; div.classList.add('googleRecaptcha'); if (button) { button.addEventListener('click', submitHandler); } if (buttonRow) { formElem.insertBefore(div, buttonRow); } if (window.grecaptcha.render) { var widgetId = window.grecaptcha.render(divId, { sitekey: GOOGLE_RECAPTCHA_SITE_KEY, }); formElem.style.display = ''; } } }; function onloadApiCallback() { var forms = MktoForms2.allForms(); for (var i = 0; i < forms.length; i++) { insertGoogleRecaptcha(forms[i]); } } (function () { MktoForms2.whenReady(function (form) { form.getFormElem().get(0).style.display = 'none'; jQuery.getScript('//www.google.com/recaptcha/api.js?onload=onloadApiCallback'); }); })();

Actors claiming to be the defunct ransomware group are targeting one of Akami’s customers with a Layer 7 attack, demanding an extortion payment in Bitcoin.

We're only here for DBIRs

The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.…

Interpol, cops swoop with intel from cybersecurity bods

Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.…

A 'Very English Coop (sic) d'Etat'

Emails between leading pro-Brexit figures in the UK have seemingly been stolen and leaked online by what could be a Kremlin cyberespionage team.…

Incident comes a week after 'SAP glitch' kept some planes on the taxiway

Indian budget airline SpiceJet on Wednesday attributed delayed flights to a ransomware attack.…