Spam and phishing in Q2 2019

Quarterly highlights Spam through Google services In the second quarter of 2019, scammers were making active use of cloud-based data storage services such as Google Drive and Google Storage to hide their illegal content. The reasoning behind this is simple: a link from a legitimate domain is seen...

An advertising dropper in Google Play

Recently, the popular CamScanner – Phone PDF creator app caught our attention. According to Google Play, it has been installed more than 100 million times. The developers position it as a solution for scanning and managing digitized documents, but negative user reviews that have been left over th...

Agent 1433: remote attack on Microsoft SQL Server

All over the world companies large and small use Microsoft SQL Server for database management. Highly popular yet insufficiently protected, this DBMS is a target of choice for hacking. One of the most common attack on Microsoft SQL Server — the remote attack based on malicious jobs — has been...

IT threat evolution Q2 2019

Targeted attacks and malware campaigns More about ShadowHammer In March, we published the results of our investigation into a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added...

IT threat evolution Q2 2019. Statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Quarterly figures According to Kaspersky Security Network, Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across t...

Recent Cloud Atlas activity

Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we've been following its activities ever since. From the beginning of 2019 until July, we have been able...

DDoS attacks in Q2 2019

News overview The second quarter of 2019 turned out to be richer than the first in terms of high-profile DDoS attacks. True, most of the campaigns that attracted media attention appeared to be politically, rather than commercially, motivated — and that despite the fact that some security experts...

APT trends report Q2 2019

For two years, the Global Research and Analysis Team GReAT at Kaspersky has been publishing quarterly summaries of advanced persistent threat APT activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in...

Financial threats in H1 2019

Introduction and methodology Financial cyberthreats are malicious programs that attack users of online banking services, electronic money, cryptocurrency and other similar services, as well as threats aimed at gaining access to financial organizations and their infrastructure. Kaspersky experts...

How to steal a million (of your data)

Any user data — from passwords for entertainment services to electronic copies of documents — is highly prized by intruders. The reason is simply that almost any information can be monetized. For instance, stolen data can be used to transfer funds to cybercriminal accounts, order goods or service...

On the IoT road: perks, benefits and security of moving smartly

Kaspersky has repeatedly investigated security issues related to IoT technologies for instance, here, or here. Earlier this year our experts have even gained foothold in the security of biomechanical prosthetic devices. The same implies to smart car security: our own research has indicated that...

Turla renews its arsenal with Topinambour

Turla, also known as Venomous Bear, Waterbug, and Uroboros, is a Russian speaking threat actor known since 2014, but with roots that go back to 2004 and earlier. It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle Eas...

New FinSpy iOS and Android implants revealed ITW

Updated: 23.07.2019 After publication of this article, we received a letter from a representative of Gamma Group International Ltd. stating that they disposed of all interests in FinFisher FinSpy in 2013. This article has been corrected in accordance with this new information. According to...

‘Twas the night before

Recently, the United States Cyber Command USCYBERCOM Malware Alert @CNMFVirusAlert highlighted several VirusTotal uploads of theirs - and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it's important to restate y...

Sodin ransomware exploits Windows vulnerability and processor architecture

When Sodin also known as Sodinokibi and REvil appeared in the first half of 2019, it immediately caught our attention for distributing itself through an Oracle Weblogic vulnerability and carrying out attacks on MSP providers. In a detailed analysis, we discovered that it also exploits the...

How we hacked our colleague’s smart home

In this article, we publish the results of our study of the Fibaro Home Center smart home. We identified vulnerabilities in Fibaro Home Center 2 and Fibaro Home Center Lite version 4.540, as well as vulnerabilities in the online API. An offer you cannot refuse The backbone of any technology compa...

Criminals, ATMs and a cup of coffee

In spring 2019, we discovered a new ATM malware sample written in Java that was uploaded to a multiscanner service from Mexico and later from Colombia. After a brief analysis, it became clear that the malware, which we call ATMJaDi, can cash out ATMs. However, it doesn't use the standard XFS, JXF...

ViceLeaker Operation: mobile espionage targeting Middle East

In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved Android application was tagged in our sample feed for...

Riltok mobile Trojan: A banker with global reach

Riltok is one of numerous families of mobile banking Trojans with standard for such malware functions and distribution methods. Originally intended to target the Russian audience, the banker was later adapted, with minimal modifications, for the European "market." The bulk of its victims more tha...

Not-so-dear subscribers

Many people have had a run-in with subscriptions to mobile content providers. They appear out of the blue, and get discovered only when account funds run dry. It might seem that the obvious solution is not to visit dubious sites and not to install apps from third-party sources. But, alas, these...

Plurox: Modular backdoor

In February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on...

What kids get up to online

Today's children navigate the Internet better than adults. They are not afraid to try out new technology, and are quick to grasp new trends and sometimes invent their own. New social networks, mobile games, music, and gadgets are all part and parcel of their daily lives. But just because they fee...

Platinum is back

In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The acto...

Zebrocy’s Multilanguage Malware Salad

Zebrocy is Russian speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy Zebrocy is an active sub-group of victim profiling and access specialists Zebrocy maintains a lineage back through 2013, sharing malware artefacts and...

IT threat evolution Q1 2019. Statistics

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. Quarterly figures According to Kaspersky Security Network, Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries...

IT threat evolution Q1 2019

Targeted attacks and malware campaigns Go Zebrocy Zebrocy was first observed being used as a Sofacy backdoor in 2015. However, the collection of cases where this tool has been used mean that we consider it a subset of activity in its own right. On the basis of this threat actor's past behaviour, ...

DDoS attacks in Q1 2019

News overview The start of the year saw the appearance of various new tools in the arsenal of DDoS-attack masterminds. In early February, for instance, the new botnet Cayosin, assembled from elements of Qbot, Mirai, and other publicly available malware, swam into view. Cybersecurity experts were...

Spam and phishing in Q1 2019

Quarterly highlights Valentine's Day As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating...

ScarCruft continues to evolve, introduces Bluetooth harvester

Executive summary After publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula. Th...

The 2019 DBIR is out

Once again, we are happy to support a large, voluntary, collaborative effort like the 2019 Data Breach Investigations Report. While our data contribution is completely anonymous, it is based in some of the 2018 data set that our private report customers receive from our efforts to protect all of...

FIN7.5: the infamous cybercrime rig “FIN7” continues its activities

On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly,...

APT trends report Q1 2019

For just under two years, the Global Research and Analysis Team GReAT at Kaspersky Lab has been publishing quarterly summaries of advanced persistent threat APT activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published an...

I know what you did last summer, MuddyWater blending in the crowd

Introduction MuddyWater is an APT with a focus on governmental and telco targets in the Middle East Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon and also a few other countries in nearby regions Azerbaijan, Pakistan and Afghanistan. MuddyWater first surfaced in 2017 and has been active...

Operation ShadowHammer: a high-profile supply chain attack

In late March 2019, we briefly highlighted our research on ShadowHammer attacks, a sophisticated supply chain attack involving ASUS Live Update Utility, which was featured in a Kim Zetter article on Motherboard. The topic was also one of the research announcements made at the SAS conference, whic...

New zero-day vulnerability CVE-2019-0859 in win32k.sys

In March 2019, our automatic Exploit Prevention EP systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. It was the fifth consecutive exploited Local Privilege...

Large-scale SIM swap fraud

Introduction SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator's...

Gaza Cybergang Group1, operation SneakyPastes

Gaza Cybergangs is a politically motivated Arabic-language cyberthreat actor, actively targeting the MENA Middle East North Africa region, especially the Palestinian Territories. The confusion surrounding Gaza Cybergang's activities, separation of roles and campaigns has been prevalent in the cyb...

Project TajMahal – a sophisticated new APT framework

Executive summary 'TajMahal' is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named 'Tokyo' and 'Yokohama'. It includes backdoors, loaders, orchestrators, C2...

Digital Doppelgangers

Carding exists for over 20 years. And it is not dead yet. It is alive, and even more – it is being actively developed by cybercriminals. The "good" old method of entering stolen credit card information into online store forms to buy goods and services or using online payment system accounts for t...

BasBanke: Trend-setting Brazilian banking Trojan

BasBanke is a new Android malware family targeting Brazilian users. It is a banking Trojan built to steal financial data such as credentials and credit/debit card numbers, but not limited to this functionality. The propagation of this threat began during the 2018 Brazilian elections, registering...

Roaming Mantis, part IV

One year has passed since we published the first blogpost about the Roaming Mantis campaign on securelist.com, and this February we detected new activities by the group. This blogpost is follow up on our earlier reporting about the group with updates on their tools and tactics. Mobile config for...

Beware of stalkerware

Spyware might sound like a concept from a Hollywood movie, yet commercial versions of such programs – known in the cybersecurity industry as 'stalkerware' – are a daily reality for many people. For the price of just a few dollars, consumer spyware programs allow users to spy on their current or...

Game of Threats

Introduction While the way we consume TV content is rapidly changing, the content itself remains in high demand, and users resort to any means available to get at it – including illegal and non-ethical ones like the use of pirated stuff. The world is embracing the idea of paying for entertainment...

Bots and botnets in 2018

Due to the wide media coverage of incidents involving Mirai and other specialized botnets, their activities have become largely associated with DDoS attacks. Yet this is merely the tip of the iceberg, and botnets are used widely not only to carry out DDoS attacks, but to steal various user...

The return of the BOM

There's nothing new in Brazilian cybercriminals trying out new ways to stay under the radar. It's just that this time around the bad guys have started using a method that was reported in the wild years ago. Russian gangs used this technique to distribute malware capable of modifying the hosts fil...

Threat Landscape for Industrial Automation Systems in H2 2018

H2 2018 in figures All statistical data used in this report was collected using the Kaspersky Security Network KSN, a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the...

Cryptocurrency businesses still being targeted by Lazarus

It's hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial entities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection...

Operation ShadowHammer

Earlier today, Motherboard published a story by Kim Zetter on Operation ShadowHammer, a newly discovered supply chain attack that leveraged ASUS Live Update software. While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in...

AZORult++: Rewriting history

The AZORult Trojan is one of the most commonly bought and sold stealers in Russian forums. Despite the relatively high price tag $100, buyers like AZORult for its broad functionality for example, the use of .bit domains as C&C servers to ensure owner anonymity and to make it difficult to block th...

Hacking microcontroller firmware through a USB

In this article, I want to demonstrate extracting the firmware from a secure USB device running on the Cortex M0. Who hacks video game consoles? The manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It's a multi-billion dollar industry in which...