In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C:\ home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges.
{"id": "CVE-2021-25276", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-25276", "description": "In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C:\\ home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges.", "published": "2021-02-03T17:15:00", "modified": "2022-07-12T17:42:00", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.6}, "severity": "LOW", "exploitabilityScore": 3.9, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25276", "reporter": "cve@mitre.org", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/"], "cvelist": ["CVE-2021-25276"], "immutableFields": [], "lastseen": "2022-07-13T15:59:58", "viewCount": 137, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:4D8A45D9-93E7-4267-B52C-96AB82DF5A06"]}, {"type": "nessus", "idList": ["SERVU_15_2_2_1.NASL"]}, {"type": "securelist", "idList": ["SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA"]}, {"type": "thn", "idList": ["THN:A16295D1572D6F721B7A8CC6EB7690FA"]}, {"type": "threatpost", "idList": ["THREATPOST:9347B4A695C8250B35A5455A788D2D99"]}], "rev": 4}, "score": {"value": 1.6, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-02-04T14:35:47", "tweets": [{"link": "https://twitter.com/qualys/status/1357399935272972290", "text": "Three critical (RCE with high privileges) vulnerabilities in /hashtag/SolarWinds?src=hashtag_click products. Here's how to detect and patch. (CVE-2021-25274, CVE-2021-25275, CVE-2021-25276) https://t.co/cHV8liGN9e?amp=1"}, {"link": "https://twitter.com/qualys/status/1357399935272972290", "text": "Three critical (RCE with high privileges) vulnerabilities in /hashtag/SolarWinds?src=hashtag_click products. Here's how to detect and patch. (CVE-2021-25274, CVE-2021-25275, CVE-2021-25276) https://t.co/cHV8liGN9e?amp=1"}]}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:4D8A45D9-93E7-4267-B52C-96AB82DF5A06"]}, {"type": "nessus", "idList": ["SERVU_15_2_2_1.NASL"]}, {"type": "securelist", "idList": ["SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA"]}, {"type": "thn", "idList": ["THN:A16295D1572D6F721B7A8CC6EB7690FA"]}, {"type": "threatpost", "idList": ["THREATPOST:9347B4A695C8250B35A5455A788D2D99"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "solarwinds serv-u", "version": 15}, {"name": "solarwinds serv-u", "version": 15}]}, "vulnersScore": 1.6}, "_state": {"dependencies": 1659893093, "score": 1659843777, "affected_software_major_version": 1671593568}, "_internal": {"score_hash": "7ab77d928396df38530f4e7629f1bcaf"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:solarwinds:serv-u:15.2.2"], "cpe23": ["cpe:2.3:a:solarwinds:serv-u:15.2.2:-:*:*:*:*:*:*"], "cwe": ["CWE-732"], "affectedSoftware": [{"cpeName": "solarwinds:serv-u", "version": "15.2.2", "operator": "lt", "name": "solarwinds serv-u"}, {"cpeName": "solarwinds:serv-u", "version": "15.2.2", "operator": "eq", "name": "solarwinds serv-u"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:solarwinds:serv-u:15.2.2:*:*:*:*:*:*:*", "versionEndExcluding": "15.2.2", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:solarwinds:serv-u:15.2.2:-:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/", "name": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"nessus": [{"lastseen": "2023-01-11T14:41:56", "description": "In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C:\\ home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "Serv-U FTP Server < 15.2.2 Hotfix 1 Arbitrary File Read/Write", "bulletinFamily": "scanner", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25276"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:solarwinds:serv-u_file_server"], "id": "SERVU_15_2_2_1.NASL", "href": "https://www.tenable.com/plugins/nessus/146308", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable 
Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146308);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-25276\");\n\n script_name(english:\"Serv-U FTP Server < 15.2.2 Hotfix 1 Arbitrary File Read/Write\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is affected by an Arbitrary File Read/Write\n vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users'\npassword hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's\nfilesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets\nup a user with a C:\\ home directory, then the attacker obtains access to read or replace arbitrary files with\nLocalSystem privileges.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0c04a9b0\");\n # https://downloads.solarwinds.com/solarwinds/Release/HotFix/Serv-U-15.2.2-Hotfix-1.zip\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?26d4bf3d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ServU-FTP 15.2.2 Hotfix 1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-25276\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:solarwinds:serv-u_file_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FTP\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"servu_version.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Serv-U\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('ftp_func.inc');\n\nos = get_kb_item_or_exit('Host/OS');\n\nif (tolower(os) !~ \"windows\") audit(AUDIT_OS_NOT, 'affected');\n\nport = get_ftp_port(default:21);\n\napp_info = vcf::get_app_info(app:'Serv-U', port:port);\n\nconstraints = [\n { 'min_version' : '0.0', 'fixed_version' : '15.2.2.583' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}], "threatpost": [{"lastseen": "2021-02-03T22:38:15", "bulletinFamily": "info", "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "description": "Three serious vulnerabilities have been found in SolarWinds products: Two in the Orion User Device Tracker and one in the Serv-U FTP for Windows product. 
The most severe of these could allow trivial remote code execution with high privileges.\n\nThe SolarWinds Orion platform is the network management tool at the heart of [the recent espionage attack](<https://threatpost.com/mimecast-solarwinds-hack-security-vendor-victims/163431/>) against several U.S. government agencies, tech companies and other high-profile targets. It allows users to manage devices, software and firmware versioning, applications and so on, and has full visibility into enterprise customer networks.\n\nThese fresh vulnerabilities have not been shown to be used in the spy attack, but admins should nonetheless apply patches as soon as possible, according to Martin Rakhmanov, security research manager for SpiderLabs at Trustwave.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nTrustwave is not providing specific proof-of-concept (PoC) code until Feb. 9, in order to give SolarWinds users a longer time to patch, he noted in a Wednesday blog posting.\n\n## **Microsoft Messaging for SolarWinds Orion Takeover**\n\nThe most critical bug (CVE-2021-25274) does not require local access and allows complete control over SolarWinds Orion remotely without having any credentials at all.\n\nAs a part of the platform installation, there is a setup for Microsoft Messaging Queue (MSMQ), which is a two-decade-old technology that is no longer installed by default on modern Windows systems.\n\n\u201cImproper use of MSMQ could allow any remote unprivileged user the ability to execute any arbitrary code in the highest privilege,\u201d according to [Trustwave\u2019s advisory](<https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28389>), issued on Wednesday.\n\nRakhmanov said that it\u2019s possible for unauthenticated users to send messages to private queues over TCP port 1801.\n\n\u201cMy interest was piqued and I [also] jumped in to look at the code that handles incoming messages,\u201d he explained. 
\u201cUnfortunately, it turned out to be an unsafe deserialization victim. [This] allows remote code execution by remote, unprivileged users through combining those two issues. Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system.\u201d\n\n## **Info-Stealing from the Orion Database**\n\nThe second bug (CVE-2021-25275) was also found in the SolarWinds Orion framework. It allows unprivileged users who can log in locally or via Remote Desktop Protocol (RDP) to obtain a cleartext password for the backend database for the Orion platform, called SolarWindsOrionDatabaseUser \u2013 and from there set themselves up as an admin to steal information.\n\n\u201cSolarWinds credentials are stored in an insecure manner that could allow any local users, despite privileges, to take complete control over the SOLARWINDS_ORION database,\u201d according to Trustwave.\n\nPermissions are generously granted to all locally authenticated users, Rakhmanov found, and authenticated users can generally read database file content. He ran \u201ca simple grep\u201d (a Unix command used to search files for the occurrence of a string of characters that matches a specified pattern) across the files installed by the product to look for a configuration file, which he located.\n\nInside the config file were the Orion backend database credentials, albeit encrypted.\n\n\u201cI spent some time finding code that decrypts the password but essentially, it\u2019s a one-liner,\u201d he noted.\n\nOnce an unprivileged user runs the decrypting code, they can get a cleartext password for the SolarWindsOrionDatabaseUser.\n\n\u201cThe next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database,\u201d Rakhmanov explained. 
\u201cFrom here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.\u201d\n\n## **Adding Admin Users**\n\nThe third issue is a SolarWinds Serv-U FTP vulnerability (CVE-2021-25276). The product is used for secure transfer and large file-sharing.\n\nThe bug allows local privilege escalation so that an attacker gains the ability to read, write to or delete any file on the system.\n\n\u201cAny local user, regardless of privilege, can create a file that can define a new Serv-U FTP admin account with full access to the C:\\ drive,\u201d according to Trustwave. \u201cThis account can then be used to log in via FTP and read or replace any file on the drive.\u201d\n\nRakhmanov discovered that the platform\u2019s directory access control lists allow complete compromise by any authenticated Windows user.\n\n\u201cSpecifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up,\u201d he explained. \u201cNext, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\\ drive.\u201d\n\nSolarWinds patches are available, in Orion Platform 2020.2.4 and ServU-FTP 15.2.2 Hotfix 1.\n\nRakhmanov did issue a caveat on the fix for the CVE-2021-25275 info-stealing bug.\n\n\u201cAfter the patch is applied, there is a digital signature validation step performed on arrived messages so that messages having no signature or not signed with a per-installation certificate are not further processed,\u201d he explained. 
\u201cOn the other hand, the MSMQ is still unauthenticated and allows anyone to send messages to it.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-02-03T11:00:21", "published": "2021-02-03T11:00:21", "id": "THREATPOST:9347B4A695C8250B35A5455A788D2D99", "href": "https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/", "type": "threatpost", "title": "SolarWinds Orion Bug Allows Easy Remote-Code Execution and Takeover", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-05-09T12:39:09", "description": "[](<https://thehackernews.com/images/-Z2pOVuMPPo4/YBqI9jJR7DI/AAAAAAAABqs/gEmdlXvL7Ko6f_bSYxm6gB5dzNGt0EtawCLcBGAsYHQ/s0/solarwinds.jpg>)\n\nCybersecurity researchers on Wednesday disclosed three severe security vulnerabilities impacting SolarWinds products, the most severe of which could have been exploited to achieve remote code execution with elevated privileges.\n\nTwo of the flaws (CVE-2021-25274 and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows, [said](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/>) cybersecurity firm Trustwave 
in a technical analysis.\n\nNone of the three vulnerabilities are believed to have been exploited in any \"in the wild\" attacks or during the unprecedented [supply chain attack](<https://thehackernews.com/2021/01/heres-how-solarwinds-hackers-stayed.html>) targeting the Orion Platform that came to light last December.\n\nThe two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25.\n\nIt's highly recommended that users install the latest versions of [Orion Platform](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm>) and Serv-U FTP ([15.2.2 Hotfix 1](<https://downloads.solarwinds.com/solarwinds/Release/HotFix/Serv-U-15.2.2-Hotfix-1.zip>)) to mitigate the risks associated with the flaws. Trustwave said it intends to release a proof-of-concept (PoC) code next week on February 9.\n\n### Complete Control Over Orion \n\nChief among the vulnerabilities uncovered by Trustwave includes improper use of Microsoft Messaging Queue ([MSMQ](<https://docs.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms711472\\(v=vs.85\\)>)), which is used heavily by the SolarWinds Orion Collector Service, thereby allowing unauthenticated users to send messages to such queues over TCP port 1801 and eventually attain RCE by chaining it with another unsafe deserialization issue in the code that handles incoming messages.\n\n\"Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system,\" Trust researcher Martin Rakhmanov said.\n\nThe patch released by SolarWinds (Orion Platform [2020.2.4](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm>)) addresses the bug with 
a digital signature validation step that's performed on arrived messages to ensure that unsigned messages are not processed further, but Rakhmanov cautioned that the MSMQ is still unauthenticated and allows anyone to send messages to it.\n\n[](<https://thehackernews.com/images/-F7DwIAuzUyM/YBqJY6UIcaI/AAAAAAAABq0/CHPykJh7QgwHOpRl9smMLqxIIujD4Jd6wCLcBGAsYHQ/s0/hacker.jpg>)\n\nThe second vulnerability, also found in the Orion Platform, concerns the insecure manner in which credentials of the backend database (named \"SOLARWINDS_ORION\") is stored in a configuration file, resulting in a local, unprivileged user take complete control over the database, steal information, or even add a new admin-level user to be used inside SolarWinds Orion products.\n\nLastly, a [flaw](<https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28396>) in SolarWinds Serv-U FTP Server 15.2.1 for Windows could allow any attacker that can log in to the system locally or via Remote Desktop to drop a file that defines a new admin user with full access to the C:\\ drive, which can then be leveraged by logging in as that user via FTP and read or replace any file on the drive.\n\n### U.S. Department of Agriculture Targeted Using New SolarWinds Flaw\n\nNews of the three vulnerabilities in SolarWinds products comes on the heels of reports that alleged Chinese threat actors exploited a previously undocumented flaw in the company's software to break into the National Finance Center, a federal payroll agency inside the U.S. 
Department of Agriculture.\n\nThis flaw is said to be different from those that were abused by suspected Russian threat operatives to compromise SolarWinds Orion software that was then distributed to as many as 18,000 of its customers, according to [Reuters](<https://www.reuters.com/article/us-cyber-solarwinds-china-exclusive/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8>).\n\nIn late December, Microsoft [said](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>) a second hacker collective might have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems by taking advantage of an [authentication bypass vulnerability](<https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html>) in the Orion API to execute arbitrary commands.\n\nSolarWinds [issued a patch](<https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html>) to address the vulnerability on December 26, 2020.\n\nLast week, Brandon Wales, acting director of the U.S. 
Cybersecurity and Infrastructure Agency (CISA), [said](<https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601>) nearly 30% of the private-sector and government agencies linked to the intrusion campaign had no direct connection to SolarWinds, implying that the attackers used a [variety of ways](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>) to breach target environments.\n\nThe overlap in the twin espionage efforts notwithstanding, the campaigns are yet another sign that advanced persistent threat (APT) groups are increasingly focusing on the [software supply chain](<https://thehackernews.com/2021/02/a-new-software-supplychain-attack.html>) as a conduit to strike high-value targets such as corporations and government agencies.\n\nThe trust and ubiquity of software such as those from SolarWinds or Microsoft make them a lucrative target for attackers, thus underscoring the need for organizations to be on the lookout for potential dangers stemming from relying on third-party tools to manage their platforms and services.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T11:31:00", "type": "thn", "title": "3 New Severe Security Vulnerabilities Found In SolarWinds Software", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "modified": "2021-02-05T04:43:57", "id": "THN:A16295D1572D6F721B7A8CC6EB7690FA", "href": "https://thehackernews.com/2021/02/3-new-severe-security-vulnerabilities.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-10-04T22:44:09", "description": "The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn\u2019t set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. 
Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.\n\n \n**Recent assessments:** \n \n**wvu-r7** at February 05, 2021 10:45pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/GuXRxDl2UG/cve-2021-25274#rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-03T00:00:00", "type": "attackerkb", "title": "SolarWinds Orion Platform Unauthenticated RCE (CVE-2021-25274)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "modified": "2021-02-09T00:00:00", "id": "AKB:4D8A45D9-93E7-4267-B52C-96AB82DF5A06", "href": "https://attackerkb.com/topics/GuXRxDl2UG/solarwinds-orion-platform-unauthenticated-rce-cve-2021-25274/rapid7-analysis", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-05-26T10:37:33", "description": "\n\n_All statistics in this report are from the global 
cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. The statistics in this report cover the period from May 2020 to April 2021, inclusive._\n\n## Main figures\n\n * **70% **of Internet user computers in the EU experienced at least one **Malware-class** attack.\n * In the EU, Kaspersky solutions blocked **115,452,157** web attacks.\n * **2,676,988 **unique URLs were recognized as malicious by our Web Anti-Virus.\n * **377,685 **unique malicious objects were blocked by our Web Anti-Virus.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of **79,315** users.\n * **56,877 **unique users in the EU were attacked by ransomware.\n * **132,656 **unique users in the EU were attacked by miners.\n * **40%** users of Kaspersky solutions in the EU encountered at least one phishing attack.\n * **86,584,675** phishing attempts were blocked by Kaspersky solutions in the EU.\n\n## Financial threats\n\n_The statistics include not only banking threats, but malware for ATMs and payment terminals._\n\n### Number of users attacked by banking malware\n\nDuring the reporting period, Kaspersky solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of **79,315** users.\n\n_Number of EU users attacked by financial malware, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124132/01-en-european-ksb-2021.png>))_\n\n### Threat geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware, for each EU country we calculated the share of users of Kaspersky products who faced this 
threat during the reporting period as a percentage of all attacked users in that country.\n\n_Geography of banking malware attacks in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124226/02-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked users **\n\n| **Country** | **%*** \n---|---|--- \n1 | Cyprus | 1.3 \n2 | Bulgaria | 1.2 \n3 | Greece | 1.1 \n4 | Italy | 1.0 \n5 | Portugal | 1.0 \n6 | Croatia | 0.8 \n7 | Germany | 0.6 \n8 | Latvia | 0.6 \n9 | Poland | 0.6 \n10 | Romania | 0.6 \n \n_* The share of unique users in the EU whose computers were targeted by financial malware in the total number of unique EU users attacked by all kinds of malware._\n\n**Top 10 financial malware families**\n\n| **Name** | **%*** \n---|---|--- \n1 | Zbot | 24.7 \n2 | Nymaim | 11.5 \n3 | Danabot | 9.9 \n4 | Emotet | 8.9 \n5 | CliptoShuffler | 7.7 \n6 | BitStealer | 5.6 \n7 | SpyEyes | 3.5 \n8 | Gozi | 3.4 \n9 | Dridex | 3.2 \n10 | Trickster | 1.9 \n \n_* The share of unique users in the EU attacked by this malware in the total number of users attacked by financial malware._\n\n## Ransomware programs\n\nDuring the reporting period, we identified more than **17,317 **ransomware modifications and detected **25** new families. Note that we did not create a separate family for each new piece of ransomware. 
Most threats of this type were assigned the generic verdict, which we give to new and unknown samples.\n\n_Number of new ransomware modifications detected in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124303/03-en-european-ksb-2021.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nDuring the reporting period, ransomware Trojans attacked **56,877** unique users, including **12,358** corporate users (excluding SMBs) and **2,274** users associated with small and medium-sized businesses.\n\n_Number of users in the EU attacked by ransomware Trojans, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124332/04-en-european-ksb-2021.png>))_\n\n### Threat geography\n\n_Geography of attacks in the EU by ransomware Trojans, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124520/05-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked users**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 0.56 \n2 | Cyprus | 0.38 \n3 | Portugal | 0.36 \n4 | Bulgaria | 0.31 \n5 | Hungary | 0.29 \n6 | Italy | 0.29 \n7 | Latvia | 0.28 \n8 | Slovenia | 0.27 \n9 | Spain | 0.26 \n10 | Estonia | 0.23 \n \n_* The share of unique users in the EU country whose computers were targeted by ransomware in the total number of unique users in that country attacked by all kinds of malware._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdict** | **%*** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 14.40 \n2 | (generic verdict) | Trojan-Ransom.Win32.Agent | 12.58 \n3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 10.80 \n4 | (generic verdict) | Trojan-Ransom.Win32.Generic | 5.94 \n5 | Stop | Trojan-Ransom.Win32.Stop | 3.87 \n6 | WannaCry | Trojan-Ransom.Win32.Wanna | 3.20 \n7 | (generic verdict) | 
Trojan-Ransom.Win32.Crypmod | 2.31 \n8 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.30 \n9 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.97 \n10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.85 \n \n_* The share of unique Kaspersky users attacked by the given family of ransomware Trojans in the total number of users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of users attacked by miners in the EU\n\nDuring the reporting period, we detected attempts to install a miner on the computers of **132,656** unique users. Miners accounted for 0.53% of all attacks and 10.31% of all Risktool-type programs.\n\n_Number of EU users attacked by miners, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124550/06-en-european-ksb-2021.png>))_\n\nDuring the reporting period, Kaspersky products detected Trojan.Win32.Miner.gen (generic verdict) more often than any other miner; it accounted for 13.62% of all users attacked by miners. It was followed by Trojan.Win32.Miner.bbb (8.67%) and Trojan.JS.Miner.m (2.84%).\n\n### Threat geography\n\n_Geography of miner-related attacks in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124619/07-en-european-ksb-2021.png>))_\n\n## Vulnerable applications used by cybercriminals\n\nIn 2020, most vulnerabilities were discovered by researchers before attackers could exploit them. However, zero-day vulnerabilities did not disappear entirely; among those Kaspersky found were:\n\n * CVE-2020-1380, a use-after-free vulnerability in the Jscript9 component of Microsoft's Internet Explorer browser caused by insufficient checks during the generation of optimized JIT code. 
This vulnerability was most likely used by the APT group [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) at the first stage of system compromise, after which the payload was delivered by an additional exploit that escalated privileges in the system;\n * CVE-2020-0986 in the GDI Print/Print Spooler component of Microsoft's Windows operating system, enabling manipulation of process memory for arbitrary code execution in the context of a system service process. Exploitation of this vulnerability gives attackers the ability to bypass sandboxes, for example, in the browser.\n\nThe first quarter of 2021 turned out to be rich not only in well-known vulnerabilities, but also in zero-day ones. In particular, both [IT security specialists](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals showed great interest in the new Microsoft Exchange Server vulnerabilities:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>) \u2014 a Server-Side Request Forgery vulnerability that allows an attacker to make a forged server request and execute arbitrary code (RCE);\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>) \u2014 insecure object deserialization by the Unified Messaging service, which can lead to arbitrary code execution on the server side;\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>) \u2014 allows an attacker to write data to server files, which can also lead to remote code execution;\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>) \u2014 similar to [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), this vulnerability allows an authorized Microsoft Exchange user to write arbitrary code to system files.\n\nThese vulnerabilities were found 
[in-the-wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and had been used by APT and ransomware groups.\n\nOne more constellation of vulnerabilities that appeared in the infosec sky was a threesome of critical bugs in the popular SolarWinds Orion Platform \u2013 [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>), [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>). Successful exploitation of any of them can cause infection of the system where the platform is installed (mostly, enterprise and government PCs).\n\n_Distribution of exploits used in attacks by type of application attacked, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124650/08-en-european-ksb-2021.png>))_\n\n_The rating of vulnerable applications is based on verdicts by Kaspersky products for blocked exploits used by cybercriminals both in network attacks and in vulnerable local apps, including on users' mobile devices._\n\nNetwork attacks were the most common method of system penetration, and a significant portion of them is made up of brute-force attacks on various network services: [RDP](<https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/>), Microsoft SQL Server, etc. In addition, the year gone by demonstrated that everything in the Windows operating system is cyclical, and that most of the detected vulnerabilities exist in the same services, for example, in the drivers of the SMB (SMBGhost, SMBBleed), DNS (SigRed) and ICMPv6 (BadNeighbor) network protocols. Two critical vulnerabilities (CVE-2020-0609, CVE-2020-0610) were found in the Remote Desktop Gateway service. An interesting vulnerability, dubbed Zerologon, was also discovered in the NetLogon service. 
In Q1 2021, researchers found three new vulnerabilities in Windows network stack code related to IPv4/IPv6 protocol processing \u2014 [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>). Lastly, despite the fact that exploits for the EternalBlue and EternalRomance families are old, they are still used by attackers.\n\n## Attacks on macOS\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Monitor.OSX.HistGrabber.b | 14.50 \n2 | AdWare.OSX.Bnodlero.at | 12.04 \n3 | AdWare.OSX.Bnodlero.ay | 11.42 \n4 | AdWare.OSX.Bnodlero.ax | 10.56 \n5 | AdWare.OSX.Bnodlero.bg | 9.18 \n6 | Trojan-Downloader.OSX.Shlayer.a | 8.06 \n7 | AdWare.OSX.Pirrit.j | 6.23 \n8 | AdWare.OSX.Pirrit.ac | 6.05 \n9 | AdWare.OSX.Ketin.h | 5.30 \n10 | AdWare.OSX.Bnodlero.t | 4.94 \n11 | AdWare.OSX.Bnodlero.av | 4.82 \n12 | Trojan-Downloader.OSX.Agent.h | 4.48 \n13 | AdWare.OSX.Pirrit.o | 4.35 \n14 | AdWare.OSX.Cimpli.k | 3.75 \n15 | AdWare.OSX.Pirrit.gen | 3.75 \n16 | AdWare.OSX.Pirrit.aa | 3.58 \n17 | AdWare.OSX.Ketin.m | 3.22 \n18 | AdWare.OSX.Pirrit.q | 3.20 \n19 | AdWare.OSX.Ketin.l | 3.13 \n20 | AdWare.OSX.Spc.a | 2.87 \n \n_* The share of unique users who encountered this threat in the total number of users of Kaspersky security solutions for macOS who were attacked._\n\n### Threat geography\n\n_Geography of attacked macOS users in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124726/09-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked macOS users**\n\n| **Country** | **%*** \n---|---|--- \n1 | France | 15.32 \n2 | Spain | 13.99 \n3 | Italy | 11.43 \n4 | Portugal | 9.75 \n5 | Greece | 9.59 \n6 | Germany | 9.41 \n7 | Hungary | 8.60 \n8 | Lithuania | 
8.14 \n9 | Poland | 8.10 \n10 | Belgium | 7.94 \n \n_* The share of unique users attacked in the total number of users of Kaspersky security solutions for macOS in the country._\n\n## IoT attacks\n\n### IoT threat statistics\n\nDuring the reporting period, more than 80% of attacks on Kaspersky traps were carried out using the Telnet protocol.\n\nTelnet | 81.31% \n---|--- \nSSH | 18.69% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, May 2020 \u2013 April 2021_\n\nAs for distribution of sessions, Telnet also prevails, accounting for three quarters of all working sessions.\n\nTelnet | 75.66% \n---|--- \nSSH | 24.34% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, May 2020 \u2013 April 2021_\n\nAs a result, devices that carried out attacks using the Telnet protocol were selected to build the map of attackers' IP addresses.\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124758/10-en-european-ksb-2021.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 26.84 \n2 | Italy | 18.55 \n3 | Germany | 7.92 \n4 | Spain | 7.46 \n5 | Poland | 5.66 \n6 | France | 5.60 \n7 | Romania | 5.52 \n8 | Sweden | 4.52 \n9 | Netherlands | 3.65 \n10 | Hungary | 2.95 \n \n_* The share of devices from which attacks were carried out in the given country in the total number of devices._\n\n### Malware loaded into honeypots\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 42.57 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 20.96 \n3 | Backdoor.Linux.Mirai.ba | 9.79 \n4 | Backdoor.Linux.Gafgyt.a | 5.42 \n5 | Backdoor.Linux.Gafgyt.a | 2.74 \n6 | Backdoor.Linux.Gafgyt.bj | 1.44 \n7 | Trojan-Downloader.Shell.Agent.p | 1.31 \n8 | 
Backdoor.Linux.Agent.bc | 1.20 \n9 | Backdoor.Linux.Mirai.cw | 1.15 \n10 | Backdoor.Linux.Mirai.cn | 0.82 \n \n_* The share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose, and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of the specific IP address (GeoIP) is established._\n\nKaspersky solutions in the EU blocked **115,452,157** attacks launched from online resources across the globe. Moreover, 89.33% of these resources were located in just 10 countries.\n\n_Distribution of web attack sources by country, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124836/11-en-european-ksb-2021.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\n_To assess the risk of online infection faced by EU users, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the reporting period. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries._\n\nThis rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware. Overall, during the reporting period, adware and its components were registered on **89.60%** of users' computers on which Web Anti-Virus was triggered.\n\n_Geography of malicious web-based attacks, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124905/12-en-european-ksb-2021.png>))_\n\nOn average, **13.70%** of Internet user computers in the EU experienced at least one Malware-class attack during the reporting period.\n\n**Top 10 EU countries where users faced the greatest risk of online infection**\n\n| **Country** | **%*** \n---|---|--- \n1 | Latvia | 21.11 \n2 | Greece | 18.50 \n3 | Estonia | 17.52 \n4 | France | 16.81 \n5 | Bulgaria | 14.86 \n6 | Italy | 14.76 \n7 | Portugal | 14.44 \n8 | Lithuania | 14.21 \n9 | Hungary | 13.82 \n10 | Poland | 13.17 \n \n_* The share of unique users targeted by Malware-class attacks in the total number of unique users of Kaspersky products in the country._\n\n### Top 20 malicious programs most actively used in online attacks\n\nDuring the reporting period, Kaspersky's Web Anti-Virus detected **377,685** unique malicious objects (scripts, exploits, executable files, etc.), as well as **2,676,988** unique malicious URLs on which Web Anti-Virus was triggered. 
Based on the collected data, we identified the 20 most actively used malicious programs in online attacks on users' computers.\n\n| **Verdict*** | **%**** \n---|---|--- \n1 | Blocked | 49.22 \n2 | Trojan.Script.Generic | 12.52 \n3 | Hoax.HTML.FraudLoad.m | 8.38 \n4 | Trojan.PDF.Badur.gen | 2.46 \n5 | Trojan.Script.Agent.dc | 2.16 \n6 | Trojan.Multi.Preqw.gen | 2.11 \n7 | Trojan-Downloader.Script.Generic | 1.99 \n8 | Trojan.Script.Miner.gen | 1.56 \n9 | Exploit.MSOffice.CVE-2017-11882.gen | 1.02 \n10 | Trojan-PSW.Script.Generic | 0.91 \n11 | DangerousObject.Multi.Generic | 0.74 \n12 | Trojan.BAT.Miner.gen | 0.74 \n13 | Trojan.MSOffice.SAgent.gen | 0.60 \n14 | Trojan.Script.SAgent.gen | 0.50 \n15 | Trojan-Downloader.MSOffice.SLoad.gen | 0.47 \n16 | Trojan-Downloader.Win32.Upatre.pef | 0.33 \n17 | Trojan-Downloader.JS.Inor.a | 0.30 \n18 | Trojan-Downloader.MSWord.Agent.btl | 0.30 \n19 | Hoax.Script.Dating.gen | 0.27 \n20 | Trojan-Downloader.JS.SLoad.gen | 0.27 \n \n_* Excluded from the list are HackTool-type threats._\n\n_** The share of attacks by the given malicious program in the total number of Malware-class web attacks registered on the computers of unique users of Kaspersky products._\n\n## Local threats\n\n_Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable storage media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.). 
These statistics additionally include objects detected on user computers after the first system scan by Kaspersky's Anti-Virus application._\n\n_This section analyzes statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, as well as the results of scanning removable storage media._\n\n### Countries where users faced the highest risk of local infection\n\n_For each country in the EU, we calculated how often users there encountered a File Anti-Virus triggering during the year. Included are detections of objects found on user computers or removable media connected to them (flash drives, camera/phone memory cards, external hard drives). These statistics reflect the level of personal computer infection in different countries._\n\n_Geography of local infections by malware, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124941/13-en-european-ksb-2021.png>))_\n\nDuring the reporting period, on average, at least one piece of malware was detected on **18.77%** of computers, hard drives or removable media belonging to KSN users in the EU.\n\n**Top 10 EU countries where users faced the greatest risk of local infection**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 32.60 \n2 | Bulgaria | 31.55 \n3 | Latvia | 31.38 \n4 | Estonia | 29.48 \n5 | Hungary | 27.88 \n6 | Lithuania | 27.11 \n7 | Portugal | 26.01 \n8 | Cyprus | 25.43 \n9 | Italy | 24.64 \n10 | Spain | 23.57 \n \n_* The share of unique users on whose computers Malware-class local threats were blocked in the total number of unique users of Kaspersky products in the country._\n\n### Top 20 malicious objects detected on user computers\n\nWe identified the 20 most commonly detected threats on EU users' computers during the reporting period. 
Not included are Riskware-type programs and adware.\n\n| **Verdict*** | **%**** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 19.45 \n2 | Trojan.Multi.BroSubsc.gen | 18.53 \n3 | Trojan.Script.Generic | 8.29 \n4 | Trojan.Multi.GenAutorunReg.a | 7.08 \n5 | Trojan.Multi.Misslink.a | 6.75 \n6 | Hoax.Win32.DriverToolKit.b | 2.77 \n7 | Trojan.MSOffice.SAgent.gen | 2.63 \n8 | Exploit.Script.Generic | 2.25 \n9 | Trojan.Win32.SEPEH.gen | 2.00 \n10 | Trojan-Downloader.Script.Generic | 1.91 \n11 | Worm.Win32.WBVB | 1.53 \n12 | Hoax.Win32.Uniblue.gen | 1.33 \n13 | Trojan.Script.Agent.gen | 1.29 \n14 | Trojan-Dropper.Win32.Scrop.adwo | 1.17 \n15 | Trojan.Multi.GenAutorunTask.c | 1.16 \n16 | Trojan.Win32.Generic | 1.12 \n17 | Trojan.Multi.GenBadur.gen | 1.10 \n18 | Trojan.BAT.Miner.gen | 1.09 \n19 | Trojan.Multi.GenAutorunTask.b | 1.07 \n20 | Trojan.Multi.GenAutorunTaskFile.a | 1.05 \n \n_* Excluded from the list are HackTool-type threats._\n\n_** The share of unique users on whose computers File Anti-Virus detected the given object in the total number of unique users of Kaspersky products whose Anti-Virus was triggered by malware._\n\n## Phishing in the EU\n\n### Phishing trends\n\n * **Cloud phishing**\n\nWe observed that the number of EU-targeted phishing resources on cloud platforms and hosting sites approximately doubled during the reporting period.\n\n * **Cryptocurrency**\n\nThe number of cryptocurrency-related phishing detections tripled. This category consists of fraudulent sites linked in some way to cryptocurrencies: in most cases, they are fake crypto exchanges that require users to invest money to gain access to an account that allegedly already contains complimentary currency. 
In fact, users just lose their own money if they try to buy access to such sites.\n\nAnother particularly interesting type of phishing we observed in the EU is a mixture of cryptocurrency and COVID-19 themes: fake sites offering COVID-19 vaccines for cryptocurrency.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19131933/European_KSB_2021.jpeg>)\n\n**_Example of fake COVID-19 vaccine offer_**\n\n * **Targeted extortion**\n\nIn late August 2020, we saw some unusual extortion messages. In them, cybercriminals claimed to have planted TNT somewhere in the recipient's office, saying it would be detonated unless a ransom was paid or if police activity was observed near the building.\n\nWhereas individuals are asked to cough up the equivalent of $500\u20131,000 in bitcoin (the maximum we saw was around $5,000), for companies supposedly rigged with explosives the amount rises to roughly $20,000. The bulk of the scam e-mails are written in German, but we found English versions as well.\n\n * **Microsoft Office spear phishing**\n\nThe trend for harvesting Microsoft 365 credentials through spear phishing continues to evolve. Such phishing e-mails normally contain a hyperlink to a fake website. Sure enough, once many people had absorbed the simple precaution of not clicking such links, phishers began replacing them with attached HTML files, the sole purpose of which is to automate redirection. Clicking on the HTML attachment opens it in a browser. As far as the phishing aspect goes, the file has just one line of code (javascript: window.location.href) with the phishing website address as a variable. 
It forces the browser to open the website in the same window.\n\n### Phishing attacks\n\nIn total, **86,584,675** phishing attempts were blocked by Kaspersky solutions in the EU, representing 21.89% of all phishing attacks around the world during the reporting period.\n\n_EU share of phishing detections, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125028/15-en-european-ksb-2021.png>))_\n\n### Threat geography\n\nDuring the reporting period, approximately **13.4%** of users of Kaspersky solutions in the EU encountered at least one phishing attack.\n\n_Geography of EU phishing, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125056/14-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries where users faced phishing attacks**\n\n| **Country** | **%*** \n---|---|--- \n1 | Portugal | 18.34 \n2 | France | 17.98 \n3 | Belgium | 15.10 \n4 | Greece | 14.98 \n5 | Hungary | 14.87 \n6 | Italy | 14.44 \n7 | Slovakia | 12.77 \n8 | Spain | 12.74 \n9 | Poland | 12.47 \n10 | Latvia | 12.26 \n \n_* The share of unique users targeted by phishing attacks in the total number of unique users of Kaspersky products in the country._\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nPandemic-related events affected the distribution of phishing attacks across the categories of targeted organizations. 
However, the largest categories remained unchanged, as they have for several years: in the EU during the reporting period, these were Global Internet portals (16.08%), Online stores (15.73%) and Payment systems (13.67%).\n\n_Share of phishing categories in the EU, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125126/16-en-european-ksb-2021.png>))_\n\n### Top-level domain (TLD) usage\n\nIn the share of EU top-level domains (TLDs), we include all national TLDs belonging to EU member states. In the reporting period, this share amounted to 7.27%.\n\n_Distribution of phishing domains by top-level domain, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125153/17-en-european-ksb-2021.png>))_\n\nThe share decreased significantly (-3 p.p.) at the end of 2020, but in Q1 2021 we observed a slight increase to 5.26%.\n\n_Timeline of share of EU top-level domains, Q2 2020 \u2013 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125220/18-en-european-ksb-2021.png>))_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19134557/eu_flag.jpg>) | **The project leading to this report has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 883464.** \n---|---", "cvss3": {}, "published": "2021-05-26T10:00:32", "type": "securelist", "title": "Kaspersky Security Bulletin 2020-2021. 
EU statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-26T10:00:32", "id": "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "href": "https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/102335/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-31T11:03:47", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2021:\n\n * Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.\n * 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.\n * Ransomware attacks were defeated on the computers of 91,841 unique users.\n * Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nAt the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021. 
This quarter, in total, Kaspersky solutions blocked malware of this type on the computers of 118,099 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_\n\n**Attack geography**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 6.3 \n2 | Tajikistan | 5.3 \n3 | Afghanistan | 4.8 \n4 | Uzbekistan | 4.6 \n5 | Paraguay | 3.2 \n6 | Yemen | 2.1 \n7 | Costa Rica | 2.0 \n8 | Sudan | 2.0 \n9 | Syria | 1.5 \n10 | Venezuela | 1.4 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000). \n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nAs before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families. 
The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.\n\n**Top 10 banking malware families**\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 30.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9 \n3 | Trickster | Trojan.Win32.Trickster | 7.5 \n4 | Emotet | Backdoor.Win32.Emotet | 7.4 \n5 | RTM | Trojan-Banker.Win32.RTM | 6.6 \n6 | Nimnul | Virus.Win32.Nimnul | 5.1 \n7 | Nymaim | Trojan.Win32.Nymaim | 4.7 \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8 \n9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 2.2 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n**New additions to the ransomware arsenal**\n\nLast year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.\n\nREvil (aka Sodinokibi) is another group looking to increase its extortion leverage. 
In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.\n\n**Attacks on vulnerable Exchange servers**\n\n[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector was seen being used by the Black Kingdom and DearCry families.\n\n**Publication of keys**\n\nThe developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.\n\n**Law enforcement successes**\n\nLaw enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.\n\nFrench and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors. 
The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.\n\nIn South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).\n\n### Number of new modifications\n\nIn Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2020 \u2013 Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_\n\n### Attack geography\n\n_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.31% \n2 | Ethiopia | 0.62% \n3 | Greece | 0.49% \n4 | Pakistan | 0.49% \n5 | China | 0.48% \n6 | Tunisia | 0.44% \n7 | Afghanistan | 0.42% \n8 | Indonesia | 0.38% \n9 | Taiwan, Province of China | 0.37% \n10 | Egypt | 0.28% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). 
\n** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37% \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01% \n3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31% \n4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45% \n5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36% \n6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom, Virus.Win32.PolyRansom | 3.78% \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93% \n8 | Stop | Trojan-Ransom.Win32.Stop | 2.79% \n9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17% \n10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85% \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new modifications\n\nIn Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. And though January and February passed off relatively calmly, March saw a sharp rise in the number of new modifications \u2014 more than fourfold compared to February.\n\n_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year's trend, whereby the number of users attacked by miners actually fell. 
For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.\n\n_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_\n\n### Attack geography\n\n_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 4.65 \n2 | Ethiopia | 3.00 \n3 | Rwanda | 2.37 \n4 | Uzbekistan | 2.23 \n5 | Kazakhstan | 1.81 \n6 | Sri Lanka | 1.78 \n7 | Ukraine | 1.59 \n8 | Vietnam | 1.48 \n9 | Mozambique | 1.46 \n10 | Tanzania | 1.45 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyber attacks\n\nIn Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) \u2014 use-after-free vulnerabilities in Microsoft Excel \u2014 and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we've often written about, were also in demand. Note the age of these vulnerabilities \u2014 even the latest of them was discovered almost three years ago. 
So, once again, we remind you of the importance of regular updates.\n\nThe first quarter was rich not only in known exploits, but also in new zero-day vulnerabilities. In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>)\u2014 a server-side request forgery (SSRF) vulnerability that allows remote code execution (RCE)\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>)\u2014 an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>)\u2014 a post-authentication arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>)\u2014 as in the case of [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authenticated Microsoft Exchange user to write data to an arbitrary file in the system\n\nThese vulnerabilities were exploited [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) by APT groups, including as a springboard for ransomware distribution.\n\nDuring the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem. 
Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_\n\nThe second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 percentage points. Here, too, newcomers appeared: for example, the Internet Explorer scripting engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, a heap memory corruption bug that can lead to remote code execution with the privileges of the current user. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:\n\n * [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>)\u2014 heap buffer overflow in the V8 script engine, leading to remote code execution\n * [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>)\u2014 overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution\n * [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>)\u2014 bypass of security restrictions when using an iframe\n\nOther interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without requiring any privileges. 
Critical vulnerabilities in the popular SolarWinds Orion Platform \u2014 [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>) \u2014 caused a major splash in the infosec environment. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, caused a heap buffer overflow by means of a specially crafted document, giving an attacker the ability to execute code.\n\nAnalysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-force passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).\n\n## Attacks on macOS\n\nQ1 2021 was also rich in macOS-related news. Center-stage were cybercriminals who took pains to modify their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also immediately appeared, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS). 
In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 18.01 \n2 | AdWare.OSX.Pirrit.j | 12.69 \n3 | AdWare.OSX.Pirrit.o | 8.42 \n4 | AdWare.OSX.Bnodlero.at | 8.36 \n5 | Monitor.OSX.HistGrabber.b | 8.06 \n6 | AdWare.OSX.Pirrit.gen | 7.95 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.90 \n8 | AdWare.OSX.Cimpli.m | 6.17 \n9 | AdWare.OSX.Pirrit.aa | 6.05 \n10 | Backdoor.OSX.Agent.z | 5.27 \n11 | Trojan-Downloader.OSX.Agent.h | 5.09 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Ketin.h | 4.02 \n14 | AdWare.OSX.Bnodlero.bc | 3.87 \n15 | AdWare.OSX.Bnodlero.t | 3.84 \n16 | AdWare.OSX.Cimpli.l | 3.75 \n17 | Trojan-Downloader.OSX.Lador.a | 3.61 \n18 | AdWare.OSX.Cimpli.k | 3.48 \n19 | AdWare.OSX.Ketin.m | 2.98 \n20 | AdWare.OSX.Bnodlero.ay | 2.94 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nTraditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. In the list of malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan's task is to download adware from the Pirrit and Bnodlero families. 
But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.\n\n### Threat geography\n\n_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 4.62 \n2 | Spain | 4.43 \n3 | Italy | 4.36 \n4 | India | 4.11 \n5 | Canada | 3.59 \n6 | Mexico | 3.55 \n7 | Russia | 3.21 \n8 | Brazil | 3.18 \n9 | Great Britain | 2.96 \n10 | USA | 2.94 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000) \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol. 
A third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.\n\nTelnet | 69.48% \n---|--- \nSSH | 30.52% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 77.81% \n---|--- \nSSH | 22.19% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | China | 33.40 \n2 | India | 13.65 \n3 | USA | 11.56 \n4 | Russia | 4.96 \n5 | Montenegro | 4.20 \n6 | Brazil | 4.19 \n7 | Taiwan, Province of China | 2.32 \n8 | Iran | 1.85 \n9 | Egypt | 1.84 \n10 | Vietnam | 1.73 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | USA | 24.09 \n2 | China | 19.89 \n3 | Hong Kong | 6.38 \n4 | South Korea | 4.37 \n5 | Germany | 4.06 \n6 | Brazil | 3.74 \n7 | Russia | 3.05 \n8 | Taiwan, Province of China | 2.80 \n9 | France | 2.59 \n10 | 
India | 2.36 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### Threats loaded into traps\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 50.50% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% \n3 | Backdoor.Linux.Gafgyt.a | 3.01% \n4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% \n5 | Backdoor.Linux.Mirai.a | 2.72% \n6 | Backdoor.Linux.Mirai.ba | 2.67% \n7 | Backdoor.Linux.Agent.bc | 2.37% \n8 | Trojan-Downloader.Shell.Agent.p | 1.37% \n9 | Backdoor.Linux.Gafgyt.bj | 0.78% \n10 | Trojan-Downloader.Linux.Mirai.d | 0.66% \n \n_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe. 
613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.\n\n_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 15.81 \n2 | Ukraine | 13.60 \n3 | Moldova | 13.16 \n4 | Kyrgyzstan | 11.78 \n5 | Latvia | 11.38 \n6 | Algeria | 11.16 \n7 | Russia | 11.11 \n8 | Mauritania | 11.08 \n9 | Kazakhstan | 10.62 \n10 | Tajikistan | 10.60 \n11 | Uzbekistan | 10.39 \n12 | Estonia | 10.20 \n13 | Armenia | 9.44 \n14 | Mongolia | 9.36 \n15 | France | 9.35 \n16 | Greece | 9.04 \n17 | Azerbaijan | 8.57 \n18 | Madagascar | 8.56 \n19 | Morocco | 8.55 \n20 | Lithuania | 8.53 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. 
These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 47.71 \n2 | Turkmenistan | 43.39 \n3 | Ethiopia | 41.03 \n4 | Tajikistan | 38.96 \n5 | Bangladesh | 36.21 \n6 | Algeria | 35.49 \n7 | Myanmar | 35.16 \n8 | Uzbekistan | 34.95 \n9 | South Sudan | 34.17 \n10 | Benin | 34.08 \n11 | China | 33.34 \n12 | Iraq | 33.14 \n13 | Laos | 32.84 \n14 | Burkina Faso | 32.61 \n15 | Mali | 32.42 \n16 | Guinea | 32.40 \n17 | Yemen | 32.32 \n18 | Mauritania | 32.22 \n19 | Burundi | 31.68 \n20 | Sudan | 31.61 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_\n\nOverall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.", "cvss3": {}, "published": "2021-05-31T10:00:05", "type": "securelist", "title": "IT threat evolution Q1 2021. 
Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-2523", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-1647", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21139", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21972", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24092", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:05", "id": "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "href": "https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}