Viry a Červi

Arm yourself with the latest cybersecurity know-how

Promo  As more and more organisations move to new technologies, data thieves constantly try to find ingenious new ways of penetrating even the most well-protected systems.…

Or a mix of both?

Sponsored  Organisations are attacked every day: cybercriminals gain a foothold within the corporate network, and data is stolen and operations disrupted. The target of an attack could be your employer, a customer, a social media platform, or an intermediary responsible for secure access control, or financial record holding.…

Třeba i v tomhle duchu mohou probíhat phishingové útoky, kdy se útočníci snaží získat přihlašovací údaje k internetovému bankovnictví!

Tohle například dorazilo známému a jelikož jsou odkazy stále funkční, proč si pointu útoku neprojít společně a neupozornit, na co si dát ve všeobecnosti pozor. Obětí podobného útoku mohou být klienti jakékoliv banky!

Co by Vás mělo „trknout“?

Do e-mailu dorazilo něco takového. Kdo měl opravdu účet u FIO, mohl znervóznět.

Trknout by Vás mělo to, že adresa odesílatele není něco@fio.cz, ale @swayway.cloud. To určitě není adresa/doména banky. I adresu odesílatele lze bez problémů podvrhnout, nicméně pak klesá pravděpodobnost, že takový e-mail dorazí (antispam ho zahodí). A to útočníci nechtějí.

Adresa ve spodní části e-mailu sice na první pohled směřuje na stránky banky, ale zdání klame. Pokud na odkaz najedete myší, odhalíte v bublině skutečnou adresu, na kterou odkazuje: toysicle.com – a to opět není oficiální webová stránka banky!

Pokud přesto kliknete, narazíte na další nesrovnalosti. Sice to vypadá jako stránka banky, adresa v horní části ale ukazuje, že jde o podvrh. Prostě to není adresa banky.

Pointa útoku

No a teď už spíše k pointě celého útoku. Pokud do výše uvedeného formuláře vyplní oběť skutečné přihlašovací údaje, odevzdá je útočníkům. Ti se obratem těmito údaji přihlásí do oficiálního internetového bankovnictví (z jiného počítače), což vyvolá požadavek na zaslání autorizační SMSky na Váš telefon. Tento kód z SMS musí útočníci též získat, proto pokračuje útok požadavkem na opsání tohoto kódu do dalšího formuláře:

Pokud kód z SMS oběť opíše, útočníci získají plnohodnotný přístup do jeho internetového bankovnictví. Přístup k účtu je fajn, ale peníze ještě nemají. Než útočníci vyplní formulář pro bezhotovostní převod, chvilku jim to trvá, proto i oběť musí zdržet:

Jakmile jsou hotoví, oběti zobrazí toto a opět doufají, že opíše kód ze SMSky, který pro změnu finanční transakci potvrzuje:

Tak snad příště o něčem pozitivním

The post Ověřte si své přihlašovací údaje do banky, zda stále fungují! appeared first on VIRY.CZ.

The telltale signs are all there... but if you're in a hurry, this Netflix scam passes the "visual appeal" test.

Amazon's facial recognition would alert Ring users if "suspicious" individuals are near their house.

Virus Bulletin is recruiting for a person to be the public face of the company

Read more

When it comes to managing drones (Unmanned Aircraft Systems, or UAS) the US Department of Justice wants Americans to know it’s on the case.

Adobe’s Magento Marketplace has suffered a data breach, the company has said in an email sent to customers.

Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data.

Master Go player Lee Se-dol has handed in his stones after deciding that there's just no way to beat a machine when playing the ancient Chinese board game.

At VB2019 in London, ZEROSPAM researchers Pierre-Luc Vaudry and Olivier Coutu discussed how email clustering could be used to detect malicious Emotet emails that hijacked existing email threads. Today we publish the recording of their presentation.

Read more

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network:

• Kaspersky solutions blocked 989,432,403 attacks launched from online resources in 203 countries across the globe.
• 560,025,316 unique URLs were recognized as malicious by Web Anti-Virus components.
• Attempted infections by malware designed to steal money via online access to bank accounts were blocked on the computers of 197,559 users.
• Ransomware attacks were defeated on the computers of 229,643 unique users.
• Our File Anti-Virus detected 230,051,054 unique malicious and potentially unwanted objects.
• Kaspersky products for mobile devices detected:
  • 870,617 malicious installation packages
  • 13,129 installation packages for mobile banking Trojans
  • 13,179 installation packages for mobile ransomware Trojans

Mobile threats Quarterly highlights

In Q3 2019, we discovered an extremely unpleasant incident with the popular CamScanner app on Google Play. The new version of the app contained an ad library inside with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper’s task was to activate paid subscriptions, although it could deliver another payload if required.

Another interesting Trojan detected in Q3 2019 is Trojan.AndroidOS.Agent.vn. Its main function is to “like” Facebook posts when instructed by its handlers. Interestingly, to make the click, the Trojan attacks the Facebook mobile app on the infected device, literally forcing it to execute its command.

In the same quarter, we discovered new FinSpy spyware Trojans for iOS and Android. In the fresh versions, the focus is on snooping on correspondence in messaging apps. The iOS version requires a jailbreak to do its job, while the Android version is able to spy on the encrypted Threema app among others.

Mobile threat statistics

In Q3 2019, Kaspersky detected 870,617 malicious installation packages.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of detected malicious installation packages, Q4 2018 – Q3 2019 (download)

Whereas in previous quarters we observed a noticeable drop in the number of new installation packages, Q3’s figure was up by 117,067 packages compared to the previous quarter.

Distribution of detected mobile apps by type

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of detected mobile apps by type, Q2 and Q3 2019 (download)

Among all the mobile threats detected in Q3 2019, the lion’s share went to potentially unsolicited RiskTool-class programs (32.1%), which experienced a fall of 9 p.p. against the previous quarter. The most frequently detected objects were in the RiskTool.AndroidOS families: Agent (33.07% of all detected threats in this class), RiskTool.AndroidOS.Wapron (16.43%), and RiskTool.AndroidOS.Smssend (10.51%).

Second place went to miscellaneous Trojans united under the Trojan class (21.68%), their share increased by 10 p.p. The distribution within the class was unchanged since the previous quarter, with the Trojan.AndroidOS.Hiddapp (32.5%), Trojan.AndroidOS.Agent (12.8%), and Trojan.AndroidOS.Piom (9.1% ) families remaining in the lead. Kaspersky’s machine-learning systems made a significant contribution to detecting threats: Trojans detected by this technology (the Trojan.AndroidOS.Boogr verdict) made up 28.7% — second place after Hiddapp.

In third place were Adware-class programs (19.89%), whose share rose by 1 p.p. in the reporting period. Most often, adware programs belonged to one of the following families: AdWare.AndroidOS.Ewind (20.73% of all threats in this class), AdWare.AndroidOS.Agent (20.36%), and AdWare.AndroidOS.MobiDash (14.27%).

Threats in the Trojan-Dropper class (10.44%) remained at the same level with insignificant (0.5 p.p.) growth. The vast majority of detected droppers belonged to the Trojan-Dropper.AndroidOS.Wapnor family (69.7%). A long way behind in second and third place, respectively, were Trojan-Dropper.AndroidOS.Wroba (14.58%) and Trojan-Dropper.AndroidOS.Agent (8.75%).

TOP 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs classified as RiskTool or adware.

Verdict %* 1 DangerousObject.Multi.Generic 48.71 2 Trojan.AndroidOS.Boogr.gsh 9.03 3 Trojan.AndroidOS.Hiddapp.ch 7.24 4 Trojan.AndroidOS.Hiddapp.cr 7.23 5 Trojan-Dropper.AndroidOS.Necro.n 6.87 6 DangerousObject.AndroidOS.GenericML 4.34 7 Trojan-Downloader.AndroidOS.Helper.a 1.99 8 Trojan-Banker.AndroidOS.Svpeng.ak 1.75 9 Trojan-Dropper.AndroidOS.Agent.ok 1.65 10 Trojan-Dropper.AndroidOS.Hqwar.gen 1.52 11 Trojan-Dropper.AndroidOS.Hqwar.bb 1.46 12 Trojan-Downloader.AndroidOS.Necro.b 1.45 13 Trojan-Dropper.AndroidOS.Lezok.p 1.44 14 Trojan.AndroidOS.Hiddapp.cf 1.41 15 Trojan.AndroidOS.Dvmap.a 1.27 16 Trojan.AndroidOS.Agent.rt 1.24 17 Trojan-Banker.AndroidOS.Asacub.snt 1.21 18 Trojan-Dropper.AndroidOS.Necro.q 1.19 19 Trojan-Dropper.AndroidOS.Necro.l 1.12 20 Trojan-SMS.AndroidOS.Prizmes.a 1.12

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked.

First place in our TOP 20 as ever went to DangerousObject.Multi.Generic (48.71%), the verdict we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and six places were claimed by Trojan.AndroidOS.Boogr.gsh (9.03%) and DangerousObject.AndroidOS.GenericML (4.34%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Third, fourth, and fourteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to covertly foist ads onto victims.

Fifth, twelfth, eighteenth, and nineteenth positions went to Trojan droppers of the Necro family. Although this family showed up on the radar last quarter, really serious activity was observed only in this reporting period.

Seventh place goes to Trojan-Downloader.AndroidOS.Helper.a (1.99%), which is what members of the Necro family usually extract from themselves. Helper.a is tasked with downloading arbitrary code from malicious servers and running it.

The eighth place was taken by the malware Trojan-Banker.AndroidOS.Svpeng.ak (1.75%), the main task of which is to steal online banking credentials and intercept two-factor authorization codes.

Ninth position went to Trojan-Dropper.AndroidOS.Agent.ok (1.65%), which is distributed under the guise of FlashPlayer or a Rapidshare client. Most commonly, it drops adware modules into the infected system.

Tenth and eleventh places went to members of the Trojan-Banker.AndroidOS.Hqwar family. The popularity of this dropper among cybercriminals continues to fall.

Geography of mobile threats

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of mobile malware infection attempts, Q3 2019 (download)

TOP 10 countries by share of users attacked by mobile malware

Country* %** 1 Iran 52.68 2 Bangladesh 30.94 3 India 28.75 4 Pakistan 28.13 5 Algeria 26.47 6 Indonesia 23.38 7 Nigeria 22.46 8 Tanzania 21.96 9 Saudi Arabia 20.05 10 Egypt 19.44

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile bankers as a percentage of all users of Kaspersky mobile solutions in the country.

In Q3’s TOP 10, Iran (52.68%) retained top spot by share of attacked users. Note that over the reporting period the country’s share almost doubled. Kaspersky users in Iran most often encountered the adware app AdWare.AndroidOS.Agent.fa (22.03% of the total number of mobile threats), adware installing Trojan.AndroidOS.Hiddapp.bn (14.68% ) and the potentially unwanted program RiskTool.AndroidOS.Dnotua.yfe (8.84%).

Bangladesh (30.94%) retained second place in the ranking. Users in this country most frequently encountered adware programs, including AdWare.AndroidOS.Agent.fс (27.58% of the total number of mobile threats) and AdWare.AndroidOS.HiddenAd.et (12.65%), as well as Trojan.AndroidOS.Hiddapp.cr (20.05%), which downloads adware programs.

India (28.75%) climbed to third place due to the same threats that were more active than others in Bangladesh: AdWare.AndroidOS.Agent.fс (36.19%), AdWare.AndroidOS.HiddenAd.et (17.17%) and Trojan.AndroidOS.Hiddapp.cr (22.05%).

Mobile banking Trojans

In the reporting period, we detected 13,129 installation packages for mobile banking Trojans, only 770 fewer than in Q2 2019.

The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Svpeng (40.59% of all detected banking Trojans), Trojan-Banker.AndroidOS. Agent (11.84%), and Trojan-Banker.AndroidOS.Faketoken (11.79%) families.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 – Q3 2019 (download)

TOP 10 mobile banking Trojans

Verdict %* 1 Trojan-Banker.AndroidOS.Svpeng.ak 16.85 2 Trojan-Banker.AndroidOS.Asacub.snt 11.61 3 Trojan-Banker.AndroidOS.Svpeng.q 8.97 4 Trojan-Banker.AndroidOS.Asacub.ce 8.07 5 Trojan-Banker.AndroidOS.Agent.ep 5.51 6 Trojan-Banker.AndroidOS.Asacub.a 5.27 7 Trojan-Banker.AndroidOS.Faketoken.q 5.26 8 Trojan-Banker.AndroidOS.Agent.eq 3.62 9 Trojan-Banker.AndroidOS.Faketoken.snt 2.91 10 Trojan-Banker.AndroidOS.Asacub.ar 2.81

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by banking threats.

The TOP 10 banking threats in Q3 2019 was headed by Trojans of the Trojan-Banker.AndroidOS.Svpeng family: Svpeng.ak (16.85%) took first place, and Svpeng.q (8.97%) third. This is not the first time we have detected amusing obfuscation in Trojans from Russian-speaking cybercriminals — this time the code of the malware Svpeng.ak featured the names of video games.

Snippets of decompiled code from Trojan-Banker.AndroidOS.Svpeng.ak

Second, fourth, sixth, and tenth positions in Q3 went to the Asacub Trojan family. Despite a decrease in activity, Asacub samples are still found on devices around the world.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of mobile banking threats, Q3 2019 (download)

TOP 10 countries by share of users attacked by mobile banking Trojans:

Country* %** 1 Russia 0.30 2 South Africa 0.20 3 Kuwait 0.18 4 Tajikistan 0.13 5 Spain 0.12 6 Indonesia 0.12 7 China 0.11 8 Singapore 0.11 9 Armenia 0.10 10 Uzbekistan 0.10

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

In Q3 Russia moved up to first place (0.30%), which impacted the entire pattern of mobile bankers spread around the world. Users in Russia were most often targeted with Trojan-Banker.AndroidOS.Svpeng.ak (17.32% of all attempts to infect unique users with mobile financial malware). The same Trojan made it into the TOP 10 worldwide. It is a similar story with second and third places: Trojan-Banker.AndroidOS.Asacub.snt (11.86%) and Trojan-Banker.AndroidOS.Svpeng.q (9.20%).

South Africa fell to second place (0.20%), where for the second quarter in a row Trojan-Banker.AndroidOS.Agent.dx (89.80% of all mobile financial malware) was the most widespread threat.

Bronze went to Kuwait (0.21%), where, like in South Africa, Trojan-Banker.AndroidOS.Agent.dx (75%) was most often encountered.

Mobile ransomware Trojans

In Q3 2019, we detected 13,179 installation packages for mobile ransomware — 10,115 fewer than last quarter. We observed a similar drop in Q2, so since the start of the year the number of mobile ransomware Trojans has decreased almost threefold. The reason, as we see it, is the decline in activity of the group behind the Asacub Trojan.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of installation packages for mobile banking Trojans, Q3 2018 – Q3 2019 (download)

TOP 10 mobile ransomware Trojans

Verdict %* 1 Trojan-Ransom.AndroidOS.Svpeng.aj 40.97 2 Trojan-Ransom.AndroidOS.Small.as 8.82 3 Trojan-Ransom.AndroidOS.Svpeng.ah 5.79 4 Trojan-Ransom.AndroidOS.Rkor.i 5.20 5 Trojan-Ransom.AndroidOS.Rkor.h 4.78 6 Trojan-Ransom.AndroidOS.Small.o 3.60 7 Trojan-Ransom.AndroidOS.Svpeng.ai 2.93 8 Trojan-Ransom.AndroidOS.Small.ce 2.93 9 Trojan-Ransom.AndroidOS.Fusob.h 2.72 10 Trojan-Ransom.AndroidOS.Small.cj 2.66

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans.

In Q3 2019, the leading positions among ransomware Trojans were retained by members of the Trojan-Ransom.AndroidOS.Svpeng family. Top spot, as in the previous quarter, was claimed by Svpeng.aj (40.97%), with Svpeng.ah (5.79%) in third.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of mobile ransomware Trojans, Q3 2019 (download)

TOP 10 countries by share of users attacked by mobile ransomware Trojans:

Country* %** 1 US 1.12 2 Iran 0.25 3 Kazakhstan 0.25 4 Oman 0.09 5 Qatar 0.08 6 Saudi Arabia 0.06 7 Mexico 0.05 8 Pakistan 0.05 9 Kuwait 0.04 10 Indonesia 0.04

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

The leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.12%), Iran (0.25%), and Kazakhstan (0.25%)

Attacks on Apple macOS

Q3 saw a lull in the emergence of new threats. An exception was the distribution of a modified version of the Stockfolio investment app, which contained an encrypted reverse shell backdoor.

TOP 20 threats for macOS Verdict %* 1 Trojan-Downloader.OSX.Shlayer.a 22.71 2 AdWare.OSX.Pirrit.j 14.43 3 AdWare.OSX.Pirrit.s 11.73 4 AdWare.OSX.Pirrit.p 10.43 5 AdWare.OSX.Pirrit.o 9.71 6 AdWare.OSX.Bnodlero.t 8.40 7 AdWare.OSX.Spc.a 7.32 8 AdWare.OSX.Cimpli.d 6.92 9 AdWare.OSX.MacSearch.a 4.88 10 Adware.OSX.Agent.d 4.71 11 AdWare.OSX.Ketin.c 4.63 12 AdWare.OSX.Ketin.b 4.10 13 Downloader.OSX.InstallCore.ab 4.01 14 AdWare.OSX.Cimpli.e 3.86 15 AdWare.OSX.Bnodlero.q 3.78 16 AdWare.OSX.Cimpli.f 3.76 17 AdWare.OSX.Bnodlero.x 3.49 18 AdWare.OSX.Mcp.a 3.26 19 AdWare.OSX.MacSearch.d 3.18 20 AdWare.OSX.Amc.a 3.15

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked.

Like last quarter, the adware Trojan Shlayer was the top threat for macOS. This malware in turn downloaded adware programs of the Pirrit family, as a result of which its members took the second to fifth positions in our ranking.

Threat geography Country* %** 1 France 6.95 2 India 6.24 3 Spain 5.61 4 Italy 5.29 5 US 4.84 6 Russia 4.79 7 Brazil 4.75 8 Mexico 4.68 9 Canada 4.46 10 Australia 4.27

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

The geographical distribution of attacked users underwent some minor changes: India took silver with 6.24% of attacked users, while Spain came in third with 5.61%. France (6.95%) hung on to first position.

IoT attacks IoT threat statistics

In Q3, the trend continued toward a decrease in the number of IP addresses of devices used to carry out attacks on Kaspersky Telnet honeypots. If in Q2 Telnet’s share was still significantly higher than that of SSH, in Q3 the figures were almost equal.

SSH 48.17% Telnet 51.83%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2019

As for the number of sessions involving Kaspersky traps, we noted that in Q3 Telnet-based control was also deployed more often.

SSH 40.81% Telnet 59.19%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2019

Telnet-based attacks

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2019 (download)

TOP 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky traps

Country %* 1 China 13.78 2 Egypt 10.89 3 Brazil 8.56 4 Taiwan 8.33 5 US 4.71 6 Russia 4.35 7 Turkey 3.47 8 Vietnam 3.44 9 Greece 3.43 10 India 3.41

Last quarter’s leaders Egypt (10.89%), China (13.78%), and Brazil (8.56%) again made up the TOP 3, the only difference being that this time China took the first place.

Telnet-based attacks most often resulted in the download of a member of the notorious Mirai family.

TOP 10 malware downloaded to infected IoT devices via successful telnet-based attacks

Verdict %* 1 Backdoor.Linux.Mirai.b 38.08 2 Trojan-Downloader.Linux.NyaDrop.b 27.46 3 Backdoor.Linux.Mirai.ba 16.52 4 Backdoor.Linux.Gafgyt.bj 2.76 5 Backdoor.Linux.Mirai.au 2.21 6 Backdoor.Linux.Mirai.c 2.02 7 Backdoor.Linux.Mirai.h 1.81 8 Backdoor.Linux.Mirai.ad 1.66 9 Backdoor.Linux.Gafgyt.az 0.86 10 Backdoor.Linux.Mirai.a 0.80

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful Telnet-based attack.

SSH-based attacks

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2019 (download)

TOP 10 countries by location of devices from which attacks were made on Kaspersky SSH traps

Country %* 1 Egypt 17.06 2 Vietnam 16.98 3 China 13.81 4 Brazil 7.37 5 Russia 6.71 6 Thailand 4.53 7 US 4.13 8 Azerbaijan 3.99 9 India 2.55 10 France 1.53

In Q3 2019, the largest number of attacks on Kaspersky traps using the SSH protocol came from Egypt (17.06%). Vietnam (16.98%) and China (13.81%) took second and third places, respectively.

Financial threats Financial threat statistics

In Q3 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 197,559 users.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by financial malware, Q3 2019 (download)

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of banking malware attacks, Q3 2019 (download)

TOP 10 countries by share of attacked users

Country* %** 1 Belarus 2.9 2 Uzbekistan 2.1 3 South Korea 1.9 4 Venezuela 1.8 5 Tajikistan 1.4 6 Afghanistan 1.3 7 China 1.2 8 Syria 1.2 9 Yemen 1.2 10 Sudan 1.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 banking malware families

Name Verdicts %* 1 Zbot Trojan.Win32.Zbot 26.7 2 Emotet Backdoor.Win32.Emotet 23.9 3 RTM Trojan-Banker.Win32.RTM 19.3 4 Nimnul Virus.Win32.Nimnul 6.6 5 Trickster Trojan.Win32.Trickster 5.8 6 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.4 7 Nymaim Trojan.Win32.Nymaim 3.6 8 SpyEye Trojan-Spy.Win32.SpyEye 3.4 9 Danabot Trojan-Banker.Win32.Danabot 3.3 10 Neurevt Trojan.Win32.Neurevt 1.8

** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

The TOP 3 in Q3 2019 had the same faces as last quarter, only in a different order: the RTM family (19.3%) dropped from first to third, shedding almost 13 p.p., allowing the other two — Zbot (26.7%) and Emotet (23.9%) — to climb up. Last quarter we noted a decline in the activity of Emotet servers, but in Q3 it came back on track, with Emotet’s share growing by more than 15 p.p.

Fourth and fifth places did not change at all — still occupied by Nimnul (6.6%) and Trickster (5.8%). Their scores rose insignificantly, less than 1 p.p. Of the new entries in our TOP 10, worth noting is the banker CliptoShuffler (5.4%), which stormed straight into sixth place.

Ransomware programs Quarterly highlights

The number of ransomware attacks against government agencies, as well as organizations in the healthcare, education, and energy sectors, continues to rise. This trend we noted back in the previous quarter.

A new type of attack, one on network attached storages (NAS), is gaining ground. The infection scheme involves attackers scanning IP address ranges in search of NAS devices accessible via the Internet. Generally, only the web interface is accessible from the outside, protected by an authentication page; however, a number of devices have vulnerabilities in the firmware. This enables cybercriminals, by means of an exploit, to install on the device a Trojan that encrypts all data on NAS-connected media. This is a particularly dangerous attack, since in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock.

Wipers have also become a more frequent attack tool. Like ransomware, such programs rename files and make ransom demands. But these Trojans irreversibly ruin the file contents (replacing them with zeros or random bytes), so even if the victim pays up, the original files are lost.

The FBI published decryption keys for GandCrab (verdict Trojan-Ransom.Win32.GandCrypt) versions 4 and 5. The decryption was added to the latest RakhniDecryptor build.

Number of new modifications

In Q3 2019, we identified three new families of ransomware Trojans and discovered 13,138 new modifications of this malware.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of new ransomware modifications, Q3 2018 – Q3 2019 (download)

Number of users attacked by ransomware Trojans

In Q3 2019, Kaspersky products defeated ransomware attacks against 229,643 unique KSN users. This is slightly fewer than the previous quarter.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by ransomware Trojans, Q3 2019 (download)

July saw the largest number of attacked users — 100,380, almost 20,000 more than in June. After that, however, this indicator fell sharply and did not stray far from the figure of 90,000 attacked users.

Attack geography

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geographical spread of countries by share of users attacked by ransomware Trojans, Q3 2019 (download)

TOP 10 countries attacked by ransomware Trojans

Country* % of users attacked by cryptors** 1 Bangladesh 6.39 2 Mozambique 2.96 3 Uzbekistan 2.26 4 Nepal 1.71 5 Ethiopia 1.29 6 Ghana 1.19 7 Afghanistan 1.12 8 Egypt 0.83 9 Palestine 0.80 10 Vietnam 0.79

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans Name Verdicts % of attacked users* 1 WannaCry Trojan-Ransom.Win32.Wanna 20.96 2 (generic verdict) Trojan-Ransom.Win32.Phny 20.01 3 GandCrab Trojan-Ransom.Win32.GandCrypt 8.58 4 (generic verdict) Trojan-Ransom.Win32.Gen 8.36 5 (generic verdict) Trojan-Ransom.Win32.Encoder 6.56 6 (generic verdict) Trojan-Ransom.Win32.Crypren 5.08 7 Stop Trojan-Ransom.Win32.Stop 4.63 8 Rakhni Trojan-Ransom.Win32.Rakhni 3.97 9 (generic verdict) Trojan-Ransom.Win32.Crypmod 2.77 10 PolyRansom/VirLock Virus.Win32.PolyRansom
Trojan-Ransom.Win32. PolyRansom 2.50

* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.

Miners Number of new modifications

In Q3 2019, Kaspersky solutions detected 11 753 new modifications of miners.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of new miner modifications, Q3 2019 (download)

Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 639,496 unique users of Kaspersky products worldwide.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Number of unique users attacked by miners, Q3 2019 (download)

The number of attacked users continued to decline in Q3, down to 282,334 in August. In September, this indicator began to grow — up to 297,394 — within touching distance of July’s figure.

Attack geography

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geographical spread of countries by share of users attacked by miners, Q3 2019 (download)

TOP 10 countries by share of users attacked by miners

Country* % of users attacked by miners** 1 Afghanistan 9.42 2 Ethiopia 7.29 3 Uzbekistan 4.99 4 Sri Lanka 4.62 5 Tanzania 4.35 6 Vietnam 3.72 7 Kazakhstan 3.66 8 Mozambique 3.44 9 Rwanda 2.55 10 Bolivia 2.43

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyber attacks

As before, in the statistics on the distribution of exploits used by cybercriminals, a huge share belongs to vulnerabilities in the Microsoft Office suite (73%). Most common of all, as in the previous quarter, were stack overflow errors (CVE-2017-11882, CVE-2018-0802) in the Equation Editor application, which was previously part of Microsoft Office. Other Microsoft Office vulnerabilities widely exploited this quarter were again CVE-2017-8570, CVE-2017-8759, and CVE-2017-0199.

Modern browsers are complex software products, which means that new vulnerabilities are constantly being discovered and used in attacks (13%). The most common target for cybercriminals is Microsoft Internet Explorer, vulnerabilities in which are often exploited in the wild. This quarter saw the discovery of the actively exploited zero-day vulnerability CVE-2019-1367, which causes memory corruption and allows remote code execution on the target system. The fact that Microsoft released an unscheduled patch for it points to how serious the situation was. Nor was Google Chrome problem-free this quarter, having received updates to fix a number of critical vulnerabilities (CVE-2019-13685, CVE-2019-13686, CVE-2019-13687, CVE-2019-13688), some of which allow intruders to circumvent all levels of browser protection and execute code in the system, bypassing the sandbox.

The majority of vulnerabilities aimed at privilege escalation inside the system stem from individual operating system services and popular apps. Privilege escalation vulnerabilities play a special role, as they are often utilized in malicious software to obtain persistence in the target system. Of note this quarter are the vulnerabilities CVE-2019-14743 and CVE-2019-15315, which allow compromising systems with the popular Steam client installed. A flaw in the Microsoft Windows Text Services Framework also warrants a mention. A Google researcher published a tool to demonstrate the problem (CtfTool), which allows processes to be run with system privileges, as well as changes to be made to the memory of other processes and arbitrary code to be executed in them.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of exploits used in attacks by type of application attacked, Q3 2019 (download)

Network attacks are still widespread. This quarter, as in previous ones, we registered numerous attempts to exploit vulnerabilities in the SMB protocol. This indicates that unprotected and not-updated systems are still at high risk of infection in attacks that deploy EternalBlue, EternalRomance, and other exploits. That said, a large share of malicious network traffic is made up of requests aimed at bruteforcing passwords in popular network services and servers, such as Remote Desktop Protocol and Microsoft SQL Server. RDP faced other problems too related to the detection of several vulnerabilities in this network protocol united under the common name DejaBlue (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226). Unlike the previously discovered CVE-2019-0708, these vulnerabilities affect not only old versions of operating systems, but new ones as well, such as Windows 10. As in the case of CVE-2019-0708, some DejaBlue vulnerabilities do not require authorization in the attacked system and allow to carry out malicious activity invisible to the user. Therefore, it is vital to promptly install the latest updates for both the operating system and antivirus solutions to reduce the risk of infection.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: TOP 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2019, Kaspersky solutions blocked 989,432,403 attacks launched from online resources located in 203 countries across the globe. 560,025,316 unique URLs triggered Web Anti-Virus components.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Distribution of web-based attack sources by country, Q3 2019 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users** 1 Tunisia 23.26 2 Algeria 19.75 3 Albania 18.77 4 Réunion 16.46 5 Bangladesh 16.46 6 Venezuela 16.21 7 North Macedonia 15.33 8 France 15.09 9 Qatar 14.97 10 Martinique 14.84 11 Greece 14.59 12 Serbia 14.36 13 Syria 13.99 14 Bulgaria 13.88 15 Philippines 13.71 16 UAE 13.64 17 Djibouti 13.47 18 Morocco 13.35 19 Belarus 13.34 20 Saudi Arabia 13.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 10.97% of Internet user computers worldwide experienced at least one Malware-class attack.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of malicious web-based attacks, Q3 2019 (download)

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2019, our File Anti-Virus detected 230,051,054 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users** 1 Afghanistan 53.45 2 Tajikistan 48.43 3 Yemen 48.39 4 Uzbekistan 48.38 5 Turkmenistan 45.95 6 Myanmar 45.27 7 Ethiopia 44.18 8 Laos 43.24 9 Bangladesh 42.96 10 Mozambique 41.58 11 Syria 41.15 12 Vietnam 41.11 13 Iraq 41.09 14 Sudan 40.18 15 Kyrgyzstan 40.06 16 China 39.94 17 Rwanda 39.49 18 Venezuela 39.18 19 Malawi 38.81 20 Nepal 38.38

These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones and external hard drives.

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geography of local infection attempts, Q3 2019 (download)

Overall, 21.1% of user computers globally faced at least one Malware-class local threat during Q3.

The figure for Russia was 24.24%.

Targeted attacks and malware campaigns Mobile espionage targeting the Middle East

At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our Threat Intelligence Portal. We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built an open-source legitimate ‘Conversations’ messenger that included the malicious code. You can read more about Operation ViceLeaker here.

APT33 beefs up its toolset

In July, we published an update on the 2016-17 activities of NewsBeef (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with spear-phishing emails, links sent over social media and standalone private messaging applications, and watering-hole attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our private intelligence reports receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.

New FinSpy iOS and Android implants found in the wild

We recently reported on the latest versions of FinSpy for Android and iOS. Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn’t provide infection exploits for its customers and so can only be installed on jailbroken devices – suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.

Turla revamps its toolset

Turla (aka Venomous Bear, Uroboros and Waterbug), a high profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new.NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely ‘fileless’: the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer’s registry for the malware to access when ready. The two KopiLuwak analogues – the.NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more here.

CloudAtlas uses new infection chain

Cloud Atlas (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. Cloud Atlas hasn’t changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor’s Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates – whitelisted per victim – hosted on remote servers. Previously, Cloud Atlas dropped its ‘validator’ implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.

Dtrack banking malware discovered

In summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers – we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps. Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the DarkSeoul campaign, dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. Our telemetry indicates that the latest DTrack activity was detected in the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack here.

Other security news Sodin ransomware attacks MSP

In April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least, because of the way it spread. The Trojan exploited the CVE-2019-2725 vulnerability to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June, a similar vulnerability was discovered – CVE-2019-2729. Sodin also carried out attacks on MSPs. In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, the attackers penetrated MSP infrastructure using an RDP connection, elevated privileges, deactivated security solutions and backups and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn’t require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.

Ransomware continues to be a major headache for consumers and businesses alike. Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the Yatron and FortuneCrypt malware. If you ever face a situation where a ransomware Trojan has encrypted your data, and you don’t have a backup, it’s always worth checking the No More Ransom site, to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs here and here.

The impact of web mining

Malicious miners are programs designed to hijack the victim’s CPU in order to mine crypto-currencies. The business model is simple: infect the computer, use the processing power of their CPU or GPU to generate coins and earn real-world money through legal exchanges and transactions. It’s not obvious to the victim that they are infected – most people seldom use most of their computer’s processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there’s also another model – using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have? We recently tried to quantify the economic and environmental impact of web miners; and thereby evaluate the positive benefit of protecting against mining.

The total power saving can be calculated using the formula ·N, where is the average value of the increase in power consumption of the victim’s device during the web mining process, and N is the number of blocked attempts according to KSN (Kaspersky Security Network) data for 2018. This figure is equal to 18.8±11.8 gigawatts (GW) – twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula ‘·N·t’, where ‘t’ is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to €250,000 for residents in Europe.

You can read our report here.

Mac OS threat landscape

Some people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so have the number of threats targeting them.

Our database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS. From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; and in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category – these threats are easier to create, offering a better return on investment for cybercriminals.

The number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years – by around 30-40% each year. In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million – already an increase of 9% over the previous year.

You can read our report on the current Mac OS threat landscape here.

Smart home vulnerabilities

One of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the Kaspersky ICS CERT team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house. They also discarded the idea of exploiting the programming language interpreter – the Fibaro hub used the patched version.

Our researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. Among other things, this backup contains a database file with a lot of personal information, including the house’s location, geo-location data from the owner’s smartphone, the email address used to register with Fibaro, information about smart devices in the owner’s home and even the owner’s password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story here.

Security of smart buildings

This quarter we also looked at the security of automation systems in buildings – sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled. We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.

Most of the blocked threats were neither targeted, nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building’s automation system.

Smart cars and connected devices

Kaspersky has investigated smart car security several times in recent years (here and here), revealing a number of security issues. As vehicles become smarter and more connected they are also becoming more exposed. However, this doesn’t just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience – from car scanners to tuning gadgets. In a recent report, we reviewed a number of automotive connected devices and reviewed their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.

We found the security of these devices more or less adequate, leaving aside minor issues. This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It’s also due to the vigilance of vendors. However, as we move towards a more and more connected future, it’s important to remember that the smarter an object is the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim’s car or spy on an entire car fleet.

We continue to develop KasperskyOS, to help customers secure connected systems – including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.

If you’re considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it’s possible to apply security updates to it. Don’t automatically buy the most recently released product, since it might contain a security flaw that hasn’t yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the ‘mobile dimension’ of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.

Personal data theft

We’ve become used to a steady stream of reports in the news about data breaches. Recent examples include the theft of 23,205,290 email addresses together with passwords weakly stored as base64 SHA-1 encoded hashes from CafePress. Worryingly, the hack was reported by Have I Been Pwned – CafePress didn’t notify its customers until some months after the breach had occurred.

In August, two Israeli researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database. The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.

Facebook has faced criticism on several occasions for failing to handle customers’ data properly. In the latest of a long list of incidents, hundreds of millions of phone numbers linked to Facebook accounts were found online on a server that wasn’t protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.

On September 12, mobile gaming company Zynga reported that some player account data may have been accessed illegally by ‘outside hackers’. Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of Words With Friends, as well as data from Draw Something and the discontinued game OMGPOP, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it’s worrying that passwords were stored in cleartext.

Consumers have no direct control over the security of the personal data they disclose to online providers. However, we can limit the damage of a security breach at an online provider by ensuring that they create passwords that are unique and hard to guess, or use a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.

It’s also worth bearing in mind that hacking the server of an online provider isn’t the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer’s computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers here.

Watch our latest Naked Security Live video for some handy and practical cybersecurity tips - for Black Friday and beyond.

Adtech firm also sent 12k phishing warnings to users of its services

Google has said it fired off 12,000 warnings to unlucky users of its GMail, Drive and YouTube services telling them it believes they're being phished by state-backed hackers.…

38 million consumer health records have been exposed so far in 2019.

Today we publish a VB2019 paper from Lion Gu and Bowen Pan from the Qi An Xin Threat Intelligence Center in China in which they analysed an APT group dubbed 'Poison Vine', which targeted various government, military and research institutes in China.

Read more

New episode available now!

For researchers at testing outfit AV-Test, the SMA M2 kids’ smartwatch is just the tip of an iceberg of terrible security.

In some cases, nurses can’t update and order drugs. For one assisted-living facility, lack of timely Medicaid billing could force closure.