IT threat evolution Q3 2018

Targeted attacks and malware campaigns Lazarus targets cryptocurrency exchange Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around th...

OlympicDestroyer is here to trick the industry

A couple of days after the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, we received information from several partners, on the condition of non-disclosure TLP:Red, about a devastating malware attack on the Olympic infrastructure. A quick peek inside the malware revealed a...

Naikon’s Aria

Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to "aria-body" that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our...

Spam and phishing in Q3 2019

Quarterly highlights Amazon Prime In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September'...

Somebody’s watching! When cameras are more than just ‘smart’

Every year the number of smart devices grows. Coffee machines, bracelets, fridges, cars and loads of other useful gadgets have now gone smart. We are now seeing the emergence of smart streets, roads and even cities. Devices such as smart cameras have long been part of everyday life for many, as...

WastedLocker: technical analysis

The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often. On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experience...

Plurox: Modular backdoor

In February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on...

Nigerian phishing: Industrial companies under attack

In late 2016, the Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team Kaspersky Lab ICS CERT reported on phishing attacks that were primarily targeting industrial companies from the metallurgy, electric power, construction, engineering and other sectors. As further research...

Doxing in the corporate sector

Introduction Doxing refers to the collection of confidential information about a person without their consent for the purpose of inflicting harm on that person or to otherwise gain some benefit from gathering or disclosing such information. Normally, doxing involves a threat to specific people,...

Behind the scenes with the head of Kaspersky’s GReAT

Costin Raiu has been with Kaspersky since 2000, initially as the Chief Security Expert overseeing research efforts in the EEMEA region. In 2010, he became Director of our Global Research and Analysis Team GReAT. During his tenure at Kaspersky, he has spearheaded the companys research on some of t...

IT threat evolution Q3 2022

IT threat evolution in Q3 2022 IT threat evolution in Q3 2022. Non-mobile statistics IT threat evolution in Q3 2022. Mobile statistics Targeted attacks CosmicStrand: discovery of a sophisticated UEFI rootkit In July, we reported a rootkit that we found in modified Unified Extensible Firmware...

Turla renews its arsenal with Topinambour

Turla, also known as Venomous Bear, Waterbug, and Uroboros, is a Russian speaking threat actor known since 2014, but with roots that go back to 2004 and earlier. It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle Eas...

IT threat evolution Q1 2023

IT threat evolution in Q1 2023 IT threat evolution in Q1 2023. Non-mobile statistics IT threat evolution in Q1 2023. Mobile statistics Targeted attacks BlueNoroff introduces new methods bypassing MotW At the close of 2022, we reported the recent activities of BlueNoroff, a financially motivated...

How to confuse antimalware neural networks. Adversarial attacks and protection

Introduction Nowadays, cybersecurity companies implement a variety of methods to discover new, previously unknown malware files. Machine learning ML is a powerful and widely used approach for this task. At Kaspersky we have a number of complex ML models based on different file features, including...

Spam and phishing in Q2 2021

Quarterly highlights The corporate sector In Q2 2021, corporate accounts continued to be one of the most tempting targets for cybercriminals. To add to the credibility of links in emails, scammers imitated mailings from popular cloud services. This technique has been used many times before. A fak...

Kaspersky Security Bulletin 2018. Threat Predictions for 2019

Cryptocurrency threat predictions for 2019 Threat predictions for industrial security in 2019 Cyberthreats to financial institutions 2019: overview and predictions There's nothing more difficult than predicting. So, instead of gazing into a crystal ball, the idea here is to make educated guesses...

Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)

Overview On September 10, 2022, a user reported on Zimbras official forums that their team detected a security incident originating from a fully patched instance of Zimbra. The details they provided allowed Zimbra to confirm that an unknown vulnerability allowed attackers to upload arbitrary file...

Ransomware world in 2021: who, how and why

As the world marks the second Anti-Ransomware Day, theres no way to deny it: ransomware has become the buzzword in the security community. And not without good reason. The threat may have been around a long time, but its changed. Year after year, the attackers have grown bolder, methodologies hav...

Mobile malware evolution 2019

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Figures of the year In 2019, Kaspersky mobile products and technologies detected: 3,503,952 malicious installation packages. 69,777 new mobile banking Trojans...

DDoS attacks in Q1 2019

News overview The start of the year saw the appearance of various new tools in the arsenal of DDoS-attack masterminds. In early February, for instance, the new botnet Cayosin, assembled from elements of Qbot, Mirai, and other publicly available malware, swam into view. Cybersecurity experts were...

IT threat evolution Q2 2017

Targeted attacks and malware campaigns Back to the future: looking for a link between old and new APTs This year's Security Analyst Summit SAS included interesting research findings on several targeted attack campaigns. For example, researchers from Kaspersky Lab and King's College London present...

DDoS Attacks in Q4 2018

News overview In Q4 2018, security researchers detected a number of new botnets, which included not only Mirai clones for a change. The fall saw increased activity on the part of the Chalubo bot, whose first attacks were registered in late August. Although the new malware employs snippets of Mira...

OPC UA security analysis

This paper discusses our project that involved searching for vulnerabilities in implementations of the OPC UA protocol. In publishing this material, we hope to draw the attention of vendors that develop software for industrial automation systems and the industrial internet of things to problems...

A silver bullet for the attacker

In the past years, the problem of vulnerabilities in industrial automation systems has been becoming increasingly important. The fact that industrial control systems have been developing in parallel with IT systems, relatively independently and often without regard for modern secure coding...

IT threat evolution Q2 2020

IT threat evolution Q2 2020. PC statistics IT threat evolution Q2 2020. Mobile statistics Targeted attacks PhantomLance: hiding in plain sight In April, we reported the results of our investigation into a mobile spyware campaign that we call PhantomLance. The campaign involved a backdoor Trojan...

APT annual review: What the world’s threat actors got up to in 2020

We track the ongoing activities of more than 900 advanced threat actors; you can find our quarterly overviews here, here and here. Here we try to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility in the threat...

Biometric data processing and storage system threats

Initially, digital biometric data processing systems were used primarily by government agencies and special services police, customs, etc.. However, the rapid evolution of information technology has made biometric systems accessible for 'civil' use. They are increasingly becoming part of our...

DDoS attacks in Q3 2019

News overview This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently...

A Zebrocy Go Downloader

Last year at SAS2018 in Cancun, Mexico, "Masha and these Bears" included discussion of a subset of Sofacy activity and malware that we call "Zebrocy", and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was...

Andariel evolves to target South Korea with ransomware

Executive summary In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the sa...

DDoS attacks in Q3 2020

News overview Q3 was relatively calm from a DDoS perspective. There were no headline innovations, although cybercriminals did continue to master techniques and develop malware already familiar to us from the last reporting period. For example, another DDoS botnet joined in the assault on Docker...

Incident Response report 2018

Download full report PDF Introduction This report covers our team's incident response practices for the year 2018. We have thoroughly analyzed all the service requests, customer conversations and incident response deliverables to provide you an overview in numbers. The report includes statistics ...

Not-so-dear subscribers

Many people have had a run-in with subscriptions to mobile content providers. They appear out of the blue, and get discovered only when account funds run dry. It might seem that the obvious solution is not to visit dubious sites and not to install apps from third-party sources. But, alas, these...

APT trends report Q1 2020

For more than two years, the Global Research and Analysis Team GReAT at Kaspersky has been publishing quarterly summaries of advanced persistent threat APT activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and...

Roaming Mantis, part IV

One year has passed since we published the first blogpost about the Roaming Mantis campaign on securelist.com, and this February we detected new activities by the group. This blogpost is follow up on our earlier reporting about the group with updates on their tools and tactics. Mobile config for...

The chronicles of Emotet

More than six years have passed since the banking Trojan Emotet was first detected. During this time it has repeatedly mutated, changed direction, acquired partners, picked up modules, and generally been the cause of high-profile incidents and multimillion-dollar losses. The malware is still in...

Gootkit: the cautious Trojan

Gootkit is complex multi-stage banking malware that was discovered for the first time by Doctor Web in 2014. Initially it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where the visito...

IT threat evolution Q1 2020

Targeted attacks and malware campaigns Operation AppleJeus: the sequel In 2018, we published a report on Operation AppleJeus, one of the more notable campaigns of the threat actor Lazarus, currently one of the most active and prolific APT groups. One notable feature of this campaign was that it...

Sunburst: connecting the dots in the DNS requests

On December 13, 2020 FireEye published important details of a newly discovered supply chain attack. An unknown attacker, referred to as UNC2452 or DarkHalo planted a backdoor in the SolarWinds Orion IT software. This backdoor, which comes in the form of a .NET module, has some really interesting...

Incident Response Analyst Report 2019

Download full report PDF As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries cyber-incident tactics and techniques used in the wild. In this report, we share our teams conclusions and analysis based on incident responses a...

IT threat evolution Q1 2021. Mobile statistics

The statistics presented here draw on detection verdicts returned by Kaspersky products as provided by users who consented to share statistical data. Quarterly figures According to Kaspersky Security Network, in the first quarter: we detected 1,451,660 mobile installation packages, of which: 25,3...

On the IoT road: perks, benefits and security of moving smartly

Kaspersky has repeatedly investigated security issues related to IoT technologies for instance, here, or here. Earlier this year our experts have even gained foothold in the security of biomechanical prosthetic devices. The same implies to smart car security: our own research has indicated that...

Gaza Cybergang Group1, operation SneakyPastes

Gaza Cybergangs is a politically motivated Arabic-language cyberthreat actor, actively targeting the MENA Middle East North Africa region, especially the Palestinian Territories. The confusion surrounding Gaza Cybergang's activities, separation of roles and campaigns has been prevalent in the cyb...

How to steal a million (of your data)

Any user data — from passwords for entertainment services to electronic copies of documents — is highly prized by intruders. The reason is simply that almost any information can be monetized. For instance, stolen data can be used to transfer funds to cybercriminal accounts, order goods or service...

Riltok mobile Trojan: A banker with global reach

Riltok is one of numerous families of mobile banking Trojans with standard for such malware functions and distribution methods. Originally intended to target the Russian audience, the banker was later adapted, with minimal modifications, for the European "market." The bulk of its victims more tha...

Dangerous liaisons

It seems just about everyone has written about the dangers of online dating, from psychology magazines to crime chronicles. But there is one less obvious threat not related to hooking up with strangers – and that is the mobile apps used to facilitate the process. We're talking here about...

How to Attack and Defend a Prosthetic Arm

The IoT world has long since grown beyond the now-ubiquitous smartwatches, smartphones, smart coffee machines, cars capable of sending tweets and Facebook posts and other stuff like fridges that send spam. Today's IoT world now boasts state-of-the-art solutions that quite literally help people...

The future of cyberconflicts

The ever-increasing role of technology in every aspect of our society has turned cybersecurity into a major sovereignty issue for all states. Due to their asymmetrical nature, offensive cyber-capabilities have been embraced by many countries that wouldnt otherwise have the resources to compete on...

Advanced Threat predictions for 2021

Trying to make predictions about the future is a tricky business. However, while we dont have a crystal ball that can reveal the future, we can try to make educated guesses using the trends that we have observed over the last 12 months to identify areas that attackers are likely to seek to exploi...

Beware of stalkerware

Spyware might sound like a concept from a Hollywood movie, yet commercial versions of such programs – known in the cybersecurity industry as 'stalkerware' – are a daily reality for many people. For the price of just a few dollars, consumer spyware programs allow users to spy on their current or...