DATABASE RESOURCES PRICING ABOUT US

{"id": "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "type": "securelist", "bulletinFamily": "blog", "title": "IT threat evolution in Q2 2021. PC statistics", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2 2021:\n\n * Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.\n * Web antivirus recognized 675,832,360 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.\n * Ransomware attacks were defeated on the computers of 97,451 unique users.\n * Our file antivirus detected 68,294,298 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 119,252 unique users.\n\n_Number of unique users attacked by financial malware, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140610/01-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140636/02-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 5.8 \n2 | Tajikistan | 5.0 \n3 | Afghanistan | 4.2 \n4 | Uzbekistan | 3.3 \n5 | Lithuania | 2.9 \n6 | Sudan | 2.8 \n7 | Paraguay | 2.5 \n8 | Zimbabwe | 1.6 \n9 | Costa Rica | 1.5 \n10 | Yemen | 1.5 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nLast quarter, as per tradition, the most widespread family of bankers was ZeuS/Zbot (17.8%), but its share in Q2 almost halved, by 13 p.p. Second place again went to the CliptoShuffler family (9.9%), whose share also fell, by 6 p.p. The Top 3 is rounded out by SpyEye (8.8%), which added 5 p.p., climbing from the eighth place. Note the disappearance of Emotet from the Top 10, which was predictable given the liquidation of its infrastructure in the previous quarter.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 17.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.9 \n3 | SpyEye | Trojan-Spy.Win32.SpyEye | 8.8 \n4 | Trickster | Trojan.Win32.Trickster | 5.5 \n5 | RTM | Trojan-Banker.Win32.RTM | 3.8 \n6 | Danabot | Trojan-Banker.Win32.Danabot | 3.6 \n7 | Nimnul | Virus.Win32.Nimnul | 3.3 \n8 | Cridex | Backdoor.Win32.Cridex | 2.3 \n9 | Nymaim | Trojan.Win32.Nymaim | 1.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 1.6 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Attack on Colonial Pipeline and closure of DarkSide\n\nRansomware attacks on large organizations continued in Q2. Perhaps the most notable event of the quarter was the [attack by the DarkSide group on Colonial Pipeline](<https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/>), one of the largest fuel pipeline operators in the US. The incident led to fuel outages and a state of emergency in four states. The results of the investigation, which involved the FBI and several other US government agencies, was reported to US President Joe Biden.\n\nFor the cybercriminals, this sudden notoriety proved unwelcome. In their blog, DarkSide&#x27;s creators heaped the blame on third-party operators. Another post was published stating that DarkSide&#x27;s developers had lost access to part of their infrastructure and were shutting down the service and the affiliate program.\n\nAnother consequence of this high-profile incident was a new rule on the Russian-language forum XSS, where many developers of ransomware, including REvil (also known as Sodinokibi or Sodin), LockBit and Netwalker, advertise their affiliate programs. The new rule forbade the advertising and selling of any ransomware programs on the site. The administrators of other forums popular with cybercriminals took similar decisions.\n\n#### Closure of Avaddon\n\nAnother family of targeted ransomware whose owners shut up shop in Q2 is Avaddon. At the same time as announcing the shutdown, the attackers [provided](<https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/>) Bleeping Computer with the decryption keys.\n\n#### Clash with Clop\n\nUkrainian police [searched](<https://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shyfruvalnyka-ta-nanesenni-inozemnym-kompaniyam-piv-milyarda-dolariv-zbytkiv-2402/>) and arrested members of the Clop group. Law enforcement agencies also deactivated part of the cybercriminals&#x27; infrastructure, which [did not](<https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/>), however, stop the group&#x27;s activities.\n\n#### Attacks on NAS devices\n\nIn Q2, cybercriminals stepped up their attacks on network-attached storage (NAS) devices. There appeared the new [Qlocker](<https://support.qnap.ru/hc/ru/articles/360021328659-\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c-Qnap-Ransomware-Qlocker>) family, which packs user files into a password-protected 7zip archive, plus our old friends [ech0raix](<https://www.qnap.com/en/security-advisory/QSA-21-18>) and [AgeLocker](<https://www.qnap.com/en-us/security-advisory/QSA-21-15>) began to gather steam.\n\n### Number of new ransomware modifications\n\nIn Q2 2021, we detected 14 new ransomware families and 3,905 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q2 2020 \u2014 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141411/03-en-ru-es-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2021, Kaspersky products and technologies protected 97,451 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141438/04-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of ransomware attacks\n\n_Geography of attacks by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141505/05-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.85 \n2 | Ethiopia | 0.51 \n3 | China | 0.49 \n4 | Pakistan | 0.40 \n5 | Egypt | 0.38 \n6 | Indonesia | 0.36 \n7 | Afghanistan | 0.36 \n8 | Vietnam | 0.35 \n9 | Myanmar | 0.35 \n10 | Nepal | 0.33 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.66 \n2 | Stop | Trojan-Ransom.Win32.Stop | 19.70 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.10 \n4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.37 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.08 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.87 \n7 | (generic verdict) | Trojan-Ransom.Win32.Agent | 5.19 \n8 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.39 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.48 \n10 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.26 \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q2 2021, Kaspersky solutions detected 31,443 new modifications of miners.\n\n_Number of new miner modifications, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141534/06-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 363,516 unique users of Kaspersky products worldwide. At the same time, the number of attacked users gradually decreased during the quarter; in other words, the downward trend in miner activity returned.\n\n_Number of unique users attacked by miners, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141602/07-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141627/08-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 3.99 \n2 | Ethiopia | 2.66 \n3 | Rwanda | 2.19 \n4 | Uzbekistan | 1.61 \n5 | Mozambique | 1.40 \n6 | Sri Lanka | 1.35 \n7 | Vietnam | 1.33 \n8 | Kazakhstan | 1.31 \n9 | Azerbaijan | 1.21 \n10 | Tanzania | 1.19 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nQ2 2021 injected some minor changes into our statistics on exploits used by cybercriminals. In particular, the share of exploits for Microsoft Office dropped to 55.81% of the total number of threats of this type. Conversely, the share of exploits attacking popular browsers rose by roughly 3 p.p. to 29.13%.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141656/09-en-malware-report-q2-2021-graphs-pc.png>))_\n\nMicrosoft Office exploits most often tried to utilize the memory corruption vulnerability [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). This error can occur in the Equation Editor component when processing objects in a specially constructed document, and its exploitation causes a buffer overflow and allows an attacker to execute arbitrary code. Also seen in Q2 was the similar vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), which causes a buffer overflow on the stack in the same component. Lastly, we spotted an attempt to exploit the [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) vulnerability, which, like other bugs in Microsoft Office, permits the execution of arbitrary code in vulnerable versions of the software.\n\nQ2 2021 was marked by the emergence of several dangerous vulnerabilities in various versions of the Microsoft Windows family, many of them observed in the wild. Kaspersky alone found three vulnerabilities used in targeted attacks:\n\n * [CVE-2021-28310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28310>) \u2014 an out-of-bounds (OOB) write vulnerability in the Microsoft DWM Core library used in Desktop Window Manager. Due to insufficient checks in the data array code, an unprivileged user using the DirectComposition API can write their own data to the memory areas they control. As a result, the data of real objects is corrupted, which, in turn, can lead to the execution of arbitrary code;\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2014 an information disclosure vulnerability that exposes information about kernel objects. Together with other exploits, it allows an intruder to attack a vulnerable system;\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2014 a vulnerability in the ntfs.sys file system driver. It causes incorrect checking of transferred sizes, allowing an attacker to inflict a buffer overflow by manipulating parameters.\n\nYou can read more about these vulnerabilities and their exploitation in our articles [PuzzleMaker attacks with Chrome zero-day exploit chain](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) and [Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>).\n\nOther security researchers found a number of browser vulnerabilities, including:\n\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2014 a bug in the Microsoft Trident browser engine (MSHTML) that allows writing data outside the memory of operable objects;\n * Three Google Chrome vulnerabilities found in the wild that exploit bugs in various browser components: [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>) \u2014 a data type confusion vulnerability in the V8 scripting engine; [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2014 a use-after-free vulnerability in the WebGL component; and [CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>) \u2014 a heap corruption vulnerability;\n * Three vulnerabilities in the WebKit browser engine, now used mainly in Apple products (for example, the Safari browser), were also found in the wild: [CVE-2021-30661](<https://support.apple.com/en-us/HT212317>) \u2014 a use-after-free vulnerability; [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>) \u2014 a memory corruption vulnerability; and [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>) \u2014 an integer overflow vulnerability.\n\nAll of these vulnerabilities allow a cybercriminal to attack a system unnoticed if the user opens a malicious site in an unpatched browser.\n\nIn Q2, two similar vulnerabilities were found ([CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) and [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>)), exploiting integer overflow bugs in the Microsoft Windows Cryptographic Provider component. Using these vulnerabilities, an attacker could prepare a special signed document that would ultimately allow the execution of arbitrary code in the context of an application that uses the vulnerable library.\n\nBut the biggest talking point of the quarter was the [critical vulnerabilities CVE-2021-1675 and CVE-2021-34527](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) in the Microsoft Windows Print Spooler, in both server and client editions. Their discovery, together with a [proof of concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), caused a stir in both the expert community and the media, which dubbed one of the vulnerabilities PrintNightmare. Exploitation of these vulnerabilities is quite trivial, since Print Spooler is enabled by default in Windows, and the methods of compromise are available even to unprivileged users, including remote ones. In the latter case, the RPC mechanism can be leveraged for compromise. As a result, an attacker with low-level access can take over not only a local machine, but also the domain controller, if these systems have not been updated, or available [risk mitigation methods](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) against these vulnerabilities have not been applied.\n\nAmong the network threats in Q2 2021, attempts to brute-force passwords in popular protocols and services (RDP, SSH, MSSQL, etc.) are still current. Attacks using EternalBlue, EternalRomance and other such exploits remain prevalent, although their share is gradually shrinking. New attacks include [CVE-2021-31166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166>), a vulnerability in the Microsoft Windows HTTP protocol stack that causes a denial of service during processing of web-server requests. To gain control over target systems, attackers are also using the previously found NetLogon vulnerability ([CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>)) and, for servers running Microsoft Exchange Server, vulnerabilities recently discovered while researching targeted attacks by the [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) group.\n\n## Attacks on macOS\n\nAs for threats to the macOS platform, Q2 will be remembered primarily for the appearance of new samples of the XCSSET Trojan. Designed to steal data from browsers and other applications, the malware is notable for spreading itself through infecting projects in the Xcode development environment. The Trojan takes the form of a bash script packed with the SHC utility, allowing it to evade macOS protection, which does not block script execution. During execution of the script, the SHC utility uses the RC4 algorithm to decrypt the payload, which, in turn, downloads additional modules.\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.j | 14.47 \n2 | AdWare.OSX.Pirrit.ac | 13.89 \n3 | AdWare.OSX.Pirrit.o | 10.21 \n4 | AdWare.OSX.Pirrit.ae | 7.96 \n5 | AdWare.OSX.Bnodlero.at | 7.94 \n6 | Monitor.OSX.HistGrabber.b | 7.82 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.69 \n8 | AdWare.OSX.Bnodlero.bg | 7.28 \n9 | AdWare.OSX.Pirrit.aa | 6.84 \n10 | AdWare.OSX.Pirrit.gen | 6.44 \n11 | AdWare.OSX.Cimpli.m | 5.53 \n12 | Trojan-Downloader.OSX.Agent.h | 5.50 \n13 | Backdoor.OSX.Agent.z | 4.64 \n14 | Trojan-Downloader.OSX.Lador.a | 3.92 \n15 | AdWare.OSX.Bnodlero.t | 3.64 \n16 | AdWare.OSX.Bnodlero.bc | 3.36 \n17 | AdWare.OSX.Ketin.h | 3.25 \n18 | AdWare.OSX.Bnodlero.ay | 3.08 \n19 | AdWare.OSX.Pirrit.q | 2.84 \n20 | AdWare.OSX.Pirrit.x | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs in the previous quarter, a total of 15 of the Top 20 threats for macOS are adware programs. The Pirrit and Bnodlero families have traditionally stood out from the crowd, with the former accounting for two-thirds of the total number of threats.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141728/10-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | India | 3.77 \n2 | France | 3.67 \n3 | Spain | 3.45 \n4 | Canada | 3.08 \n5 | Italy | 3.00 \n6 | Mexico | 2.88 \n7 | Brazil | 2.82 \n8 | USA | 2.69 \n9 | Australia | 2.53 \n10 | Great Britain | 2.33 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q2 2021, first place by share of attacked users went to India (3.77%), where adware applications from the Pirrit family were most frequently encountered. A comparable situation was observed in France (3.67%) and Spain (3.45%), which ranked second and third, respectively.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q2 2021, as before, most of the attacks on Kaspersky traps came via the Telnet protocol.\n\nTelnet | 70.55% \n---|--- \nSSH | 29.45% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q2 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 63.06% \n---|--- \nSSH | 36.94% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2021_\n\n**Top 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 30.25% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 27.93% \n3 | Backdoor.Linux.Mirai.ba | 5.82% \n4 | Backdoor.Linux.Agent.bc | 5.10% \n5 | Backdoor.Linux.Gafgyt.a | 4.44% \n6 | Trojan-Downloader.Shell.Agent.p | 3.22% \n7 | RiskTool.Linux.BitCoinMiner.b | 2.90% \n8 | Backdoor.Linux.Gafgyt.bj | 2.47% \n9 | Backdoor.Linux.Mirai.cw | 2.52% \n10 | Backdoor.Linux.Mirai.ad | 2.28% \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics are published in our Q2 2021 DDoS report: <https://securelist.com/ddos-attacks-in-q2-2021/103424/#attacks-on-iot-honeypots>\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that serve as sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&amp;C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q2 2021, Kaspersky solutions blocked 1,686,025,551 attacks from online resources located across the globe. 675,832,360 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141800/13-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 23.65 \n2 | Mauritania | 19.04 \n3 | Moldova | 18.88 \n4 | Ukraine | 18.37 \n5 | Kyrgyzstan | 17.53 \n6 | Algeria | 17.51 \n7 | Syria | 15.17 \n8 | Uzbekistan | 15.16 \n9 | Kazakhstan | 14.80 \n10 | Tajikistan | 14.70 \n11 | Russia | 14.54 \n12 | Yemen | 14.38 \n13 | Tunisia | 13.40 \n14 | Estonia | 13.36 \n15 | Latvia | 13.23 \n16 | Libya | 13.04 \n17 | Armenia | 12.95 \n18 | Morocco | 12.39 \n19 | Saudi Arabia | 12.16 \n20 | Macao | 11.67 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average during the quarter, 9.43% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141830/14-en-malware-report-q2-2021-graphs-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users&#x27; computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q2 2021, our File Anti-Virus detected **68,294,298** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Turkmenistan | 49.38 \n2 | Tajikistan | 48.11 \n3 | Afghanistan | 46.52 \n4 | Uzbekistan | 44.21 \n5 | Ethiopia | 43.69 \n6 | Yemen | 43.64 \n7 | Cuba | 38.71 \n8 | Myanmar | 36.12 \n9 | Syria | 35.87 \n10 | South Sudan | 35.22 \n11 | China | 35.14 \n12 | Kyrgyzstan | 34.91 \n13 | Bangladesh | 34.63 \n14 | Venezuela | 34.15 \n15 | Benin | 32.94 \n16 | Algeria | 32.83 \n17 | Iraq | 32.55 \n18 | Madagascar | 31.68 \n19 | Mauritania | 31.60 \n20 | Belarus | 31.38 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141906/15-en-malware-report-q2-2021-graphs-pc.png>))_\n\nOn average worldwide, **Malware-class** local threats were recorded on 15.56% of users&#x27; computers at least once during the quarter. Russia scored 17.52% in this rating.", "published": "2021-08-12T10:00:12", "modified": "2021-08-12T10:00:12", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://securelist.com/it-threat-evolution-in-q2-2021-pc-statistics/103607/", "reporter": "AMR", "references": [], "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2020-1472", "CVE-2021-1675", "CVE-2021-21220", "CVE-2021-28310", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-31166", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33742", "CVE-2021-34527"], "immutableFields": [], "lastseen": "2021-08-12T10:37:29", "viewCount": 710, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:1647", "ALSA-2021:4381"]}, {"type": "amazon", "idList": ["ALAS-2021-1469", "ALAS2-2021-1585", "ALAS2-2021-1649"]}, {"type": "apple", "idList": ["APPLE:2A32C0762786DF36357D645066CDC600", "APPLE:48BC28AAD9E0029F9CF17E3ED0A5F181", "APPLE:4E4515CD7FD997AA98D94164483D0679", "APPLE:52D5DC71EAE54F6DF0EA591406E6C671", "APPLE:63DD59AAEDECD46C156A7668A930E353", "APPLE:72B0255E1DE0446B228B5371EDD14ACD", "APPLE:73550C0E0CC4D3E6D5DC38456DA89443", "APPLE:A1AFADAD90CEC763DFDCC59E95E6D673", "APPLE:A5EDA5FE2364D1FB5D577BC8C126D6E5", "APPLE:CA6473609072D4746735999863BFAC33", "APPLE:CABE34499864F4FA47751E5A9FCC58AC", "APPLE:D1804CFB5985973BEAA4CE367152D5F6"]}, {"type": "archlinux", "idList": ["ASA-202009-17", "ASA-202106-31", "ASA-202106-32", "ASA-202106-45", "ASA-202106-46", "ASA-202106-47", "ASA-202107-1", "ASA-202107-2", "ASA-202107-4", "ASA-202107-67", "ASA-202107-68"]}, {"type": "attackerkb", "idList": ["AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "AKB:01414FF4-26B2-4222-97E5-C5371A16E182", "AKB:03F5DDB7-DFAF-4815-9563-05762A387A0A", "AKB:15A288E1-FB97-49D8-B8D3-66504415C107", "AKB:160D34D9-2175-4B27-87F8-0CED51121F50", "AKB:19A3B42A-68BD-48E1-847B-9BA88408EF2B", "AKB:21C170FF-C7C6-4BFB-8AED-613970EDA44C", "AKB:50EC30BE-5E8C-4158-8AA0-06397441F8A5", "AKB:51E88AF4-0A81-4B72-8855-34DF072124D9", "AKB:61DB1B67-FFE2-4A84-8445-DD1303479F56", "AKB:6AB45633-1353-4F19-B0F2-33448E9488A2", "AKB:71F77351-1AE5-4161-8836-D26680828466", "AKB:72CB57AD-D32C-43D3-86B8-F8B617707C5B", "AKB:732A3017-A62C-4347-9709-9B8790F47FA1", "AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:7E06EF37-046E-4E9E-AD5A-F4C2477ECB9E", "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "AKB:B7E55568-7DDB-4883-8CA4-2D0B592F4D60", "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9", "AKB:DBAEA288-D224-49E1-877D-628DFD1CF161"]}, {"type": "avleonov", "idList": ["AVLEONOV:28E47C69DA4A069031694EB4C2C931BA", "AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "AVLEONOV:36BA0DE03DB6F8D0C96B6861C9A07473", "AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4", "AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE", "AVLEONOV:F17F36C3CC642EBDC27E43900FE3905E"]}, {"type": "canvas", "idList": ["OFFICE_WSDL"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF", "CARBONBLACK:5FC3EC6D315A733A8D566BD7A42A12FE", "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "CARBONBLACK:A526657711947788A54505B0330C16A0", "CARBONBLACK:E0EA1F343D1E082C73087FC784C141BD", "CARBONBLACK:F099654AA95F6498DB33414802DBA792", "CARBONBLACK:F60F48DF14A6916346C8A04C16AFB756"]}, {"type": "centos", "idList": ["CESA-2020:5439"]}, {"type": "cert", "idList": ["VU:131152", "VU:383432", "VU:421280", "VU:490028"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0725", "CPAI-2017-1009", "CPAI-2018-0018", "CPAI-2020-0872", "CPAI-2020-1095", "CPAI-2021-0223", "CPAI-2021-0276", "CPAI-2021-0292", "CPAI-2021-0314", "CPAI-2021-0316", "CPAI-2021-0317", "CPAI-2021-0318", "CPAI-2021-0465", "CPAI-2021-0484", "CPAI-2021-0485"]}, {"type": "chrome", "idList": ["GCSA-3185915322248637110", "GCSA-6244807684233791030", "GCSA-8794598538337601472"]}, {"type": "cisa", "idList": ["CISA:2B970469D89016F563E142BE209443D8", "CISA:367C27124C09604830E0725F5F3123F7", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:4F4185688CEB9B9416A98FE75E7AFE02", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:6C836D217FB0329B2D68AD71789D1BB0", "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:91DA945EA20AF1A221FDE02A2D9CE315", "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB", "CISA:D060813248AE96F3F62B7F67A176132F", "CISA:D70586B2C2D5D982D54DA686CCF0F4D1", "CISA:E5A33B5356175BB63C2EFA605346F8C7", "CISA:F9916EF5EF9E126FF62CF4162B96669F"]}, {"type": "cve", "idList": ["CVE-2017-0243", "CVE-2017-11882", "CVE-2017-11884", "CVE-2017-8570", "CVE-2018-0802", "CVE-2020-1472", "CVE-2021-1675", "CVE-2021-21220", "CVE-2021-27072", "CVE-2021-28310", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-31166", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33742", "CVE-2021-34527"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2463-1:1381E", "DEBIAN:DSA-4945-1:08051"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-1472", "DEBIANCVE:CVE-2021-21220", "DEBIANCVE:CVE-2021-30551", "DEBIANCVE:CVE-2021-30554", "DEBIANCVE:CVE-2021-30661", "DEBIANCVE:CVE-2021-30663", "DEBIANCVE:CVE-2021-30665"]}, {"type": "exploitdb", "idList": ["EDB-ID:43163", "EDB-ID:44263", "EDB-ID:49071"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:26C6702FE71DE1FE3096B330AA74AD07", "EXPLOITPACK:DFB2E04F89F872DFEF75605BCC9072DB"]}, {"type": "f5", "idList": ["F5:K93951507"]}, {"type": "fedora", "idList": ["FEDORA:10E2D309BE14", "FEDORA:38D8230C58CD", "FEDORA:4A64830CFCDC", "FEDORA:6987B3049380", "FEDORA:75CA430AA7A6", "FEDORA:7879F312EC5F", "FEDORA:8A032304C446", "FEDORA:993DD30E4796", "FEDORA:B4C4A30D8539", "FEDORA:D63AA304E89C", "FEDORA:D8A0E3053060"]}, {"type": "fireeye", "idList": ["FIREEYE:327A8F88F73C7D036A5D128A75C86E11", "FIREEYE:78657FD52E5CBE87FE2D0019439691A0", "FIREEYE:81A95C8CF481913A870A3CEAAA7AF394", "FIREEYE:8926956380F9C38D0DE9955F5D9CBE06", "FIREEYE:8DF2C812CF325AAB2F348273A03789F5", "FIREEYE:96525D6EA5DBF734A371FB66EB02FA45", "FIREEYE:A819772457030262D1150428E2B4438C", "FIREEYE:D64714BFF80E34308579150D4C839557", "FIREEYE:DE7D327A091FDB2A6C8A4AF7B6F71076", "FIREEYE:ECB192E6133008E243C5B5CB25D9C6DD"]}, {"type": "freebsd", "idList": ["20B3AB21-C9DF-11EB-8558-3065EC8FD3EC", "24ACE516-FAD7-11EA-8D8C-005056A311D1", "7C0D71A9-9D48-11EB-97A0-E09467587C17", "AFDC7579-D023-11EB-BCAD-3065EC8FD3EC"]}, {"type": "gentoo", "idList": ["GLSA-202012-24", "GLSA-202104-08", "GLSA-202107-06", "GLSA-202202-01"]}, {"type": "github", "idList": ["GITHUB:D9472F716C46C02F88677DBAD0EEA334"]}, {"type": "githubexploit", "idList": ["0263BC36-BEB1-519B-965B-52D9E6AB116F", "042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "06BAC40D-74DF-5994-909F-3A87FC3B76C8", "0749209C-E3ED-5482-966B-DB35E546B4E5", "07DF268C-467E-54A3-B713-057BA19C72F7", "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "0BB19334-D311-5464-B40B-7B27A0AD8825", "0CFAB531-412C-57A0-BD9E-EF072620C078", "12E44744-1AF0-523A-ACA2-593B4D33E014", "14B62DA4-FBC4-5B89-AB9F-9F8E3505AFAD", "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "16151C06-C052-5C5E-B50B-5B202C40307C", "17B904FB-7F3D-54F1-B1B5-069C67184EE5", "1883DF48-6A75-5743-AC93-56292D93A794", "19D705F8-AE98-5DD9-BC4E-CDC0497FB840", "1E42289A-77F8-55A2-B85E-83CAA00CE951", "20466D13-6C5B-5326-9C8B-160E9BE37195", "21F83D93-118D-50C7-A5C0-B2069237666E", "2255B39F-1B91-56F4-A323-8704808620D3", "272E1B9F-32B1-5E4A-A0A9-44AC16DA37DB", "28D42B84-AB24-5FC6-ADE1-610374D67F21", "2A12C3BB-2A75-5B33-AE9B-348DB656AC81", "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "3399B834-8492-5C0C-AA14-7F120BA37AF6", "37A7F912-7A7F-50EA-BE80-8CDA0CE05B74", "390843FD-A5C7-51F1-A64D-24276740A4A6", "399B15EF-A742-5722-86D2-59F3580C307B", "3D6A6F0D-C38E-5819-A3A7-817A49825CBE", "3F400483-1F7E-5BE5-8612-4D55D450D553", "4749D0AA-8CE9-53E3-8EFF-E818FDC61B24", "49EC151F-12F0-59CF-960C-25BD54F46680", "4A3F2A96-B727-5EF1-B1C1-FE041BA02E28", "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "4E279194-AC85-5607-A943-AC23EADADEF7", "4F6243AC-FA60-570C-B6BB-D6612F9A0D92", "50FA6373-CBCD-5EF5-B37D-0ECD621C6134", "55D44407-F5C9-50A9-B51D-0D4F668CD993", "5A6190EE-8872-5D1B-B2E3-06AE49CBE93C", "5AE71695-062E-5DBA-9A16-69BD0C7D1384", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "63C36F7A-5F99-5A79-B99F-260360AC237F", "645DABC8-04DA-51BF-A20F-68F611D2D666", "64AAF745-D50D-575C-B3FF-A09072475502", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "706706C2-DB81-5EEA-AF28-6C5376B4E752", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "7C3B421E-ED99-5C5F-B2BA-4418307C0EBF", "7F0937CB-B94F-52F5-ADE5-6399C85C5EAC", "8279F799-BC4C-5125-BCB1-401A95424586", "82A7AD32-D5F8-59E5-AC8B-6B99F9E33F64", "8542D571-7253-5609-BC52-CBCB5F40929A", "86F04665-0984-596F-945A-3CA176A53057", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "895FF449-0383-5007-9352-FABB3E8BD54C", "8D82AE30-2266-5373-9043-5C953D16A98E", "8EDE916A-F04B-59F0-A88D-13DEF969DC00", "939F3BE7-AF69-5351-BD56-12412FA184C5", "98CA9A39-577D-51F2-B8B9-B20E80D94173", "98CEA984-CF02-58F6-91D5-967F8D36F94A", "9A318669-DAF8-50FF-A5DF-E390E0386254", "9C9BD402-511C-597D-9864-647131FE6647", "9CC224C9-907A-5219-8EFD-A94F15DE0ADD", "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "A30CCA66-2F05-5D40-824F-80B389B32AE9", "A4D0164D-F0CA-51A5-B04B-2B8EE628E329", "A66D9AD7-B29D-5C48-B247-D8ACFCAE9BC7", "AAD37CB5-B2C3-5908-B0D3-052CF47F6D25", "AD904001-0962-5826-AD78-253E0FB3B7B7", "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "AF2B8EF5-A739-53BD-8B8D-04A8C441268C", "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "B05281EC-9A0B-5C9A-BDC9-83FBF67FA348", "B26A6295-2D2D-508F-B94C-38B6944F8A1F", "B3985759-BBD2-5956-860D-E6361564C262", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "B8D9E2C0-202B-5806-88D2-B0E797582618", "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "BB9DA286-F06B-5A55-B344-1196B32F3C2B", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "BDFBDA81-0DEB-5523-B538-F23C3B524986", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "C6AE3BFC-9BBB-5327-8845-C88ABB6FEE40", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "CA94B7F0-0AED-5C64-8BBB-D2A90BBCD553", "CD2BFDFF-9EBC-5C8F-83EC-62381CD9BCD5", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "D089579B-4420-5AD5-999F-45063D972E66", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D21805C7-F04C-57A9-8A40-84CEEB7695BC", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "DF28DCE7-CCFF-5653-81BA-719525BE09AD", "E235B3DF-990F-5508-9496-90462B45125D", "E601A788-C87D-5DD7-98BA-A68C2FEDE978", "E7D3FB75-54DE-5CD8-83D6-438BFC7CFA74", "E82ECEEF-07B8-5340-BAC6-FA5B0E964772", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "F1347375-6380-5145-9881-486B76875649", "F1B229EB-2178-53B9-839E-BA0B916376A2", "F1BF4059-3C3E-5A65-BD42-BC991FB503F0", "F1C20A6A-5492-50FE-BB94-25D35B1459EC", "F472C105-E3B1-524A-BBF5-1C436185F6EE", "F6326682-0713-5826-ACCC-D065B9E8AE42", "F92F972D-7309-5D0B-BCC2-054883AE83E9", "FBC9D472-5E25-508D-AB6E-B3197FCFED2D", "FC661572-B96B-5B2C-B12F-E8D279E189BF", "FCD264DC-601D-5F11-BFEF-BB041077ABB8", "FF761088-559C-5E71-A5CD-196D4E4571B8", "FF81AF93-C247-5242-810E-AA1201C16776", "FFBC2747-5957-57B1-9DD9-AB2BAFCB7BD6"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hivepro", "idList": ["HIVEPRO:8D09682ECAC92A6EA4B81D42F45F0233", "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "HIVEPRO:911A69A767BEAA3AE3152870FD54DF6F", "HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20201105-01-NETLOGON"]}, {"type": "ibm", "idList": ["6549F7FB91216E6B5325DB660AF73FDF2D181F5FC1D3D96D412B600D6C349A96", "8190BE7075BCD3ECD99D09840619467A00B84599B985C4B2AB342389339984B1", "97D5F772EC68BDCD260FBB9DFB7A322AAAC657E9360305DF11F9C6A6A40D1B85"]}, {"type": "kaspersky", "idList": ["KLA11069", "KLA11139", "KLA11170", "KLA11929", "KLA11931", "KLA12136", "KLA12139", "KLA12143", "KLA12174", "KLA12183", "KLA12198", "KLA12202", "KLA12204", "KLA12205", "KLA12209", "KLA12210", "KLA12211", "KLA12213", "KLA12214", "KLA12215"]}, {"type": "kitploit", "idList": ["KITPLOIT:232707789076746523"]}, {"type": "krebs", "idList": ["KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "KREBS:3CC49021549439F95A2EDEB2029CF54E", "KREBS:4E22686F3C4E2536C402F6568B8E659A", "KREBS:4F19DF7091060B198B092ABE2F7E1AA8", "KREBS:831FD0B726B800B2995A68BA50BD8BE3", "KREBS:952ACEBFD55EBD076910C6B233491883", "KREBS:A8F0DD3F6E965A3A66B2CCBB003ACF62", "KREBS:E374075CAB55D7AB06EBD73CB87D33CD", "KREBS:F8A52CE066D12F4E4A9E0128831BF48D"]}, {"type": "mageia", "idList": ["MGASA-2020-0380", "MGASA-2021-0400"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:11D4071979D3FC1E6028AA8D71EB87F4", "MALWAREBYTES:1AE2302579AF5E9849B438BD21910FB8", "MALWAREBYTES:3067D03AD5A4441FEBB702BADFD6C4A1", "MALWAREBYTES:30BC856501B7BB42655FA3109FACCA26", "MALWAREBYTES:3322D6B92554507E3E44D06E2BA5E174", "MALWAREBYTES:390E663F11CA04293C83488A40CB3A8A", "MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:4F1B52F3E373AB0DA5BF646A554AEE8D", "MALWAREBYTES:68B17F5C372DE1EBC787E579794B6AD9", "MALWAREBYTES:6F90B6DD790D455EDED4BE326079DA35", "MALWAREBYTES:775442060A0795887FAB657C06773723", "MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B", "MALWAREBYTES:7F8FC685D6EFDE8FC4909FDA86D496A5", "MALWAREBYTES:84CB84E43C5F560FDE9B8B7E65F7C4A3", "MALWAREBYTES:8B41C7471B07595F7246D3DCB8794894", "MALWAREBYTES:9F3181D8BD5EF0E44A305AF69898B9E0", "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "MALWAREBYTES:DB34937B6474073D9444648D34438225"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-ADMIN-DCERPC-CVE_2020_1472_ZEROLOGON-", "MSF:AUXILIARY-DOS-WINDOWS-HTTP-HTTP_SYS_ACCEPT_ENCODING_DOS_CVE_2021_31166-", "MSF:EXPLOIT-WINDOWS-DCERPC-CVE_2021_1675_PRINTNIGHTMARE-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-OFFICE_MS17_11882-"]}, {"type": "mmpc", "idList": ["MMPC:85647D37E79AFEF2BFF74B4682648C5E", "MMPC:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "mscve", "idList": ["MS:CVE-2017-11882", "MS:CVE-2017-8570", "MS:CVE-2018-0802", "MS:CVE-2020-1472", "MS:CVE-2021-1675", "MS:CVE-2021-21220", "MS:CVE-2021-27072", "MS:CVE-2021-28310", "MS:CVE-2021-30551", "MS:CVE-2021-30554", "MS:CVE-2021-31166", "MS:CVE-2021-31199", "MS:CVE-2021-31201", "MS:CVE-2021-31955", "MS:CVE-2021-31956", "MS:CVE-2021-33742", "MS:CVE-2021-34527"]}, {"type": "mskb", "idList": ["KB2553204", "KB3162047", "KB3213545", "KB3213555", "KB3213624", "KB3213640", "KB4011262", "KB4011276", "KB4011574", "KB4011580", "KB4011604", "KB4011607", "KB4011610", "KB4011618", "KB4011643", "KB4011656", "KB4011659", "KB4601315", "KB4601318", "KB4601319", "KB4601345", "KB4601347", "KB4601348", "KB4601349", "KB4601357", "KB4601363", "KB4601384", "KB5004945", "KB5004946", "KB5004947", "KB5004948", "KB5004950", "KB5004951", "KB5004953", "KB5004954", "KB5004955", "KB5004956", "KB5004958", "KB5004959", "KB5004960"]}, {"type": "msrc", "idList": ["MSRC:239E65C8BEB88185329D9990C80B10DF", "MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:CB3C49E52425E7C1B0CFB151C6D488A4"]}, {"type": "mssecure", "idList": ["MSSECURE:85647D37E79AFEF2BFF74B4682648C5E", "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "MSSECURE:C3D318931D83D536C01D2307EBC0B3B0", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:DF21D5BD34E334683F0DCC4F64FDC83E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201788439", "MYHACK58:62201788542", "MYHACK58:62201890088", "MYHACK58:62201891024", "MYHACK58:62201891962", "MYHACK58:62201892253", "MYHACK58:62201892510", "MYHACK58:62201994299", "MYHACK58:62201994516"]}, {"type": "nessus", "idList": ["701344.PASL", "701349.PASL", "AL2_ALAS-2021-1585.NASL", "ALA_ALAS-2021-1469.NASL", "ALMA_LINUX_ALSA-2021-1586.NASL", "ALMA_LINUX_ALSA-2021-1647.NASL", "ALMA_LINUX_ALSA-2021-4381.NASL", "APPLETV_14_6.NASL", "APPLE_IOS_1253_CHECK.NBIN", "APPLE_IOS_1451_CHECK.NBIN", "APPLE_IOS_145_CHECK.NBIN", "CENTOS8_RHSA-2021-1647.NASL", "CENTOS8_RHSA-2021-4381.NASL", "CENTOS_RHSA-2020-5439.NASL", "DEBIAN_DLA-2463.NASL", "DEBIAN_DSA-4945.NASL", "EULEROS_SA-2020-2171.NASL", "EULEROS_SA-2020-2181.NASL", "EULEROS_SA-2020-2299.NASL", "EULEROS_SA-2020-2396.NASL", "EULEROS_SA-2021-1050.NASL", "EULEROS_SA-2021-1118.NASL", "EULEROS_SA-2021-1517.NASL", "EULEROS_SA-2021-1533.NASL", "EULEROS_SA-2021-1625.NASL", "EULEROS_SA-2021-1635.NASL", "EULEROS_SA-2021-2168.NASL", "FEDORA_2020-0BE2776ED3.NASL", "FEDORA_2020-77C15664B0.NASL", "FEDORA_2020-A1D139381A.NASL", "FREEBSD_PKG_20B3AB21C9DF11EB85583065EC8FD3EC.NASL", "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "FREEBSD_PKG_7C0D71A99D4811EB97A0E09467587C17.NASL", "FREEBSD_PKG_AFDC7579D02311EBBCAD3065EC8FD3EC.NASL", "GENTOO_GLSA-202012-24.NASL", "GENTOO_GLSA-202104-08.NASL", "GENTOO_GLSA-202107-06.NASL", "GENTOO_GLSA-202202-01.NASL", "GOOGLE_CHROME_89_0_4389_128.NASL", "GOOGLE_CHROME_91_0_4472_101.NASL", "GOOGLE_CHROME_91_0_4472_114.NASL", "MACOSX_GOOGLE_CHROME_89_0_4389_128.NASL", "MACOSX_GOOGLE_CHROME_91_0_4472_101.NASL", "MACOSX_GOOGLE_CHROME_91_0_4472_114.NASL", "MACOS_HT212325.NASL", "MACOS_HT212335.NASL", "MICROSOFT_EDGE_CHROMIUM_89_0_774_77.NASL", "MICROSOFT_EDGE_CHROMIUM_91_0_864_48.NASL", "MICROSOFT_EDGE_CHROMIUM_91_0_864_54.NASL", "NETLOGON_ZEROLOGON_CVE-2020-1472.NBIN", "NEWSTART_CGSL_NS-SA-2021-0024_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2021-0167_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2022-0048_WEBKIT2GTK3.NASL", "NEWSTART_CGSL_NS-SA-2022-0058_SAMBA.NASL", "OPENSUSE-2020-1513.NASL", "OPENSUSE-2020-1526.NASL", "OPENSUSE-2021-1101.NASL", "OPENSUSE-2021-2598.NASL", "OPENSUSE-2021-567.NASL", "OPENSUSE-2021-712.NASL", "OPENSUSE-2021-881.NASL", "OPENSUSE-2021-898.NASL", "OPENSUSE-2021-938.NASL", "OPENSUSE-2021-949.NASL", "OPENSUSE-2022-0182-1.NASL", "ORACLELINUX_ELSA-2020-5439.NASL", "ORACLELINUX_ELSA-2021-1647.NASL", "ORACLELINUX_ELSA-2021-4381.NASL", "REDHAT-RHSA-2020-5439.NASL", "REDHAT-RHSA-2021-1586.NASL", "REDHAT-RHSA-2021-1647.NASL", "REDHAT-RHSA-2021-3723.NASL", "REDHAT-RHSA-2021-4381.NASL", "ROCKY_LINUX_RLSA-2021-1586.NASL", "ROCKY_LINUX_RLSA-2021-4381.NASL", "SL_20201215_SAMBA_ON_SL7_X.NASL", "SMB_NT_MS17_JUL_OFFICE.NASL", "SMB_NT_MS17_NOV_OFFICE.NASL", "SMB_NT_MS18_JAN_OFFICE.NASL", "SMB_NT_MS18_JAN_OFFICE_COMPATIBILITY.NASL", "SMB_NT_MS20_AUG_4565349.NASL", "SMB_NT_MS20_AUG_4571694.NASL", "SMB_NT_MS20_AUG_4571703.NASL", "SMB_NT_MS20_AUG_4571729.NASL", "SMB_NT_MS20_AUG_4571736.NASL", "SMB_NT_MS21_APR_5001330.NASL", "SMB_NT_MS21_APR_5001337.NASL", "SMB_NT_MS21_APR_5001339.NASL", "SMB_NT_MS21_APR_5001342.NASL", "SMB_NT_MS21_FEB_4601347.NASL", "SMB_NT_MS21_JUL_5004945.NASL", "SMB_NT_MS21_JUL_5004946.NASL", "SMB_NT_MS21_JUL_5004947.NASL", "SMB_NT_MS21_JUL_5004948.NASL", "SMB_NT_MS21_JUL_5004950.NASL", "SMB_NT_MS21_JUL_5004951.NASL", "SMB_NT_MS21_JUL_5004958.NASL", "SMB_NT_MS21_JUL_5004959.NASL", "SMB_NT_MS21_JUL_5004960.NASL", "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL", "SMB_NT_MS21_JUN_5003635.NASL", "SMB_NT_MS21_JUN_5003637.NASL", "SMB_NT_MS21_JUN_5003638.NASL", "SMB_NT_MS21_JUN_5003646.NASL", "SMB_NT_MS21_JUN_5003681.NASL", "SMB_NT_MS21_JUN_5003687.NASL", "SMB_NT_MS21_JUN_5003694.NASL", "SMB_NT_MS21_JUN_5003695.NASL", "SMB_NT_MS21_JUN_5003697.NASL", "SMB_NT_MS21_MAY_5003173.NASL", "SUSE_SU-2020-2719-1.NASL", "SUSE_SU-2020-2720-1.NASL", "SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2722-1.NASL", "SUSE_SU-2020-2724-1.NASL", "SUSE_SU-2020-2730-1.NASL", "SUSE_SU-2021-2598-1.NASL", "SUSE_SU-2021-2600-1.NASL", "SUSE_SU-2021-2762-1.NASL", "SUSE_SU-2022-0142-1.NASL", "SUSE_SU-2022-0182-1.NASL", "SUSE_SU-2022-0182-2.NASL", "SUSE_SU-2022-0183-1.NASL", "UBUNTU_USN-4510-1.NASL", "UBUNTU_USN-4559-1.NASL", "UBUNTU_USN-5024-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811231", "OPENVAS:1361412562310811232", "OPENVAS:1361412562310811233", "OPENVAS:1361412562310811451", "OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148", "OPENVAS:1361412562310812202", "OPENVAS:1361412562310812209", "OPENVAS:1361412562310812607", "OPENVAS:1361412562310812614", "OPENVAS:1361412562310812618", "OPENVAS:1361412562310812623", "OPENVAS:1361412562310812624", "OPENVAS:1361412562310812708", "OPENVAS:1361412562310812730", "OPENVAS:1361412562310812731"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439", "ELSA-2021-1647", "ELSA-2021-4381"]}, {"type": "osv", "idList": ["OSV:DLA-2463-1", "OSV:DSA-4797-1", "OSV:DSA-4945-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145226", "PACKETSTORM:160127", "PACKETSTORM:162437", "PACKETSTORM:167261"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:12BC089A56EB28CFD168EC09B070733D", "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "QUALYSBLOG:23EF75126B24C22C999DAD4D7A2E9DF5", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:352650F44A686E31669777DBEC831101", "QUALYSBLOG:3B1C0CD4DA2F528B07C93411EA447658", "QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "QUALYSBLOG:5101CC734C1A900451E5994AFF57209A", "QUALYSBLOG:5A5094DBFA525D07EBC3EBA036CDF81A", "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:70AF718BCABA36D5847184CA639B55C9", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:97274435F9F49556ED060635FD9081E2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "QUALYSBLOG:A730164ABD0AA0A58D62EAFAB48628AD", "QUALYSBLOG:A8EE36FB3E891C73934CB1C60E3B3D41", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:05A653A5E863B78EDD56FD74F059E02E", "RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856", "RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:44DA27D91BE223465957FC7CDF7A31A6", "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:452CCDC1AEFFF7056148871E86A6FE26", "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5", "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A", "RAPID7BLOG:57AB78EC625B6F8060F1E6BD668BDD0C", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "RAPID7BLOG:C2CC0386EE87831FE7800DF7026FCE2D", "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "RAPID7BLOG:E44F025D612AC4EA5DF9F2B56FF8680C", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630"]}, {"type": "redhat", "idList": ["RHSA-2020:5439", "RHSA-2021:1586", "RHSA-2021:1647", "RHSA-2021:3723", "RHSA-2021:4381", "RHSA-2022:0202"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472", "RH:CVE-2021-30661", "RH:CVE-2021-30663", "RH:CVE-2021-30665"]}, {"type": "rocky", "idList": ["RLSA-2021:1586", "RLSA-2021:4381"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "securelist", "idList": ["SECURELIST:03923D895F0F0B7EB3A51F48002D1416", "SECURELIST:0C07A61E6D92865F5B58728A60866991", "SECURELIST:0EC04669D1B4F9900C7ED36BB8AFB1A2", "SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:163368D119719D834280EA969EDB785D", "SECURELIST:1670EF82924C5F24DC777CBD3BA4AE5E", "SECURELIST:1F59148E6615695438F94EF4956585AA", "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "SECURELIST:2E379BD626ECA8E38B18EDCA6CD22F3C", "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "SECURELIST:375240F06A95008FE7F1C49E97EEC5AF", "SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "SECURELIST:3DB11A5605F77743FA5F931DF816A83C", "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "SECURELIST:45BAFC60F3E2EFDD0D35C99D042559B4", "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "SECURELIST:4A1162E18E20A1A1E0F057FE02B3AE75", "SECURELIST:4FE9AF32AEB194433587B75288D50FDA", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:53EC9FA168E0493828018AA0C1B799C0", "SECURELIST:5F58A2B6A05CED1E343735029CE88CC2", "SECURELIST:652E2EF2009E38562770BCAC629BEA2E", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:830DE5B1B5EBB6AEE4B12EF66AD749F9", "SECURELIST:833C831E498502BB46DD03F0C6F4D597", "SECURELIST:847981DCB9E90C51F963EE1727E40915", "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "SECURELIST:8E9198BF0E389572981DD1AA05D0708A", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:967D8B65D5D554FFB5B46411F654A78A", "SECURELIST:9B6F07B15AEDE81CE353FC4D91FF6329", "SECURELIST:9CEE13B3A189B3DBB187C6946786F480", "SECURELIST:A2A995C1C898D3DA4DB008FBA6AA149E", "SECURELIST:A3CEAF1114E104F14254F7AF77D7D080", "SECURELIST:A3D3514100806269750A23D748D34C59", "SECURELIST:A4072107882E39592149B0DB12585D70", "SECURELIST:A9EBC6A1BD7D7A743024BD012EAC8323", "SECURELIST:AFE852637D783B450E3C6DA74A37A5AB", "SECURELIST:B7116025A4E34CF6B9FED5843F7CDCD4", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:CE954DA57A5EE857B62F0E00D36A5003", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "SECURELIST:DA58D4888BE428D1D0C529B16E07E85D", "SECURELIST:E9DB961C0B1E8B26B305F963059D717E", "SECURELIST:F1FC61836DCAA7F1E27411092B208523", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "seebug", "idList": ["SSV:99217", "SSV:99245", "SSV:99276"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1", "OPENSUSE-SU-2020:1526-1", "OPENSUSE-SU-2021:0567-1", "OPENSUSE-SU-2021:0575-1", "OPENSUSE-SU-2021:0712-1", "OPENSUSE-SU-2021:0881-1", "OPENSUSE-SU-2021:0898-1", "OPENSUSE-SU-2021:0938-1", "OPENSUSE-SU-2021:0948-1", "OPENSUSE-SU-2021:0949-1", "OPENSUSE-SU-2021:1101-1", "OPENSUSE-SU-2021:2598-1", "OPENSUSE-SU-2022:0110-1", "OPENSUSE-SU-2022:0182-1", "OPENSUSE-SU-2022:0182-2"]}, {"type": "symantec", "idList": ["SMNTC-101757", "SMNTC-102347", "SMNTC-99445"]}, {"type": "talosblog", "idList": ["TALOSBLOG:3E4DED1D580BBFDD5A456042C03F6483", "TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F", "TALOSBLOG:5AED45D6F563E6F048D9FCACECC650CC", "TALOSBLOG:7F660B8BF6BF1461DC91FBA38C034D9A", "TALOSBLOG:7FDC117533451294884ABE03F31ED36B", "TALOSBLOG:809E263C085A7EC5D9424905C6E4ACA8", "TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D", "TALOSBLOG:906482C918479D3D0C5D654DF6CC9FED", "TALOSBLOG:9F3650D77DE88BE04EFECD8F54CE0BE1", "TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A", "TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148", "TALOSBLOG:C840FAF5403868E1730CD6FB8F3F09E6", "TALOSBLOG:CDA48DA087B7839DDC1F8E0F4281D325", "TALOSBLOG:D034163DF19149D9BA90463DA51A05F9", "TALOSBLOG:E17B2B34420CA9C9A1CD5E1FE7980D8C", "TALOSBLOG:EC1B279A70AF41A51CBB4EB4722EFA46", "TALOSBLOG:FAB75C531A83C576A2D8274490FF6114"]}, {"type": "thn", "idList": ["THN:080F85D43290560CDED8F282EE277B00", "THN:0A61A90DD0F88453854B73FE249BC379", "THN:0C87C22B19E7073574F7BA69985A07BF", "THN:0D13405795D42B516C33D8E56A44BA9D", "THN:10A732F6ED612DC7431BDC9A3CEC3A29", "THN:125A440CBDB25270B696C1CCC246BEA1", "THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "THN:1DDE95EA33D4D9F304973569FC787451", "THN:25143CA85A0297381CEBBBD35F24F85B", "THN:3251602ACD4E04F5F4C7F140878960E0", "THN:3A9F075C981951FC8C86768D0EF1794A", "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "THN:42E3306FC75881CF8EBD30FA8291FF29", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "THN:62ECC5B73032124D6559355B66E1C469", "THN:6428957E9DED493169A2E63839F98667", "THN:6885760BEEB9A6CBDFB108443DDF540C", "THN:6A9CD6F085628D08978727C0FF597535", "THN:7489F5CF1C31FDAC5F67F700D5DDCD5B", "THN:75586AE52D0AAF674F942498C96A2F6A", "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "THN:81AA37DC2B87520CB02F3508EF82AABD", "THN:849B821D3503018DA38FAFFBC34DAEBB", "THN:8EAD85C313EF85BE8D38BAAD851B106E", "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "THN:9CE630030E0F3E3041E633E498244C8D", "THN:9F22FC342DFAFC55521FD4F7CEC7C9A3", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:A30AE10A13D33189456EB192DDF2B8C2", "THN:A52CF43B8B04C0A2F8413E17698F9308", "THN:B7217784F9D53002315C9C43CCC73766", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BB8CDCFD08801BDD2929E342853D03E9", "THN:BBBFDA7EEE18F813A5DA572FD390D528", "THN:C21D17F1D92C12B031AB9C761BBD004A", "THN:C473C49BA4C68CD048FB1E0B4A2D04F4", "THN:C736174C6B0ADC38AA88BC58F30271DA", "THN:CAFA6C5C5A34365636215CFD7679FD50", "THN:CBEFDC179819629DFFC0C17341BFD3E8", "THN:CDCF433A7837180E1F294791C672C5BB", "THN:CF5E93184467C7B8F56A517CE724ABCF", "THN:DADA9CB340C28F942D085928B22B103F", "THN:DFA2CC41C78DFA4BED87B1410C21CE2A", "THN:E50F78394BCAE6FF3B8EE8482A81A3C4", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:ED087560040A02BCB1F68DE406A7F577", "THN:EDD5C9F076596EB9D13D36268BDBFAD1", "THN:F0D5DEDB6BEE875D30F098FB7A4E55A1", "THN:F163C7AB35BEF8E28924E14B02752181", "THN:F197A729A4F49F957F9D5910875EBAAA", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "THN:FBCEC8F0CE0D3932FE4C315878C48403", "THN:FF8DAEC0AE0DDAE827D57407C51BE992"]}, {"type": "threatpost", "idList": ["THREATPOST:00E7F3B203C0A059EA3AE42EEFDA4BF6", "THREATPOST:01085CB521431ED10FF25B00357004A0", "THREATPOST:011D33BB13274F4BC8AF713F8EBEC140", "THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "THREATPOST:0273E2F0D7B4CECA41893B066B3C2D24", "THREATPOST:027F94626186E3644FA6008B6B65879D", "THREATPOST:02A26476FD54111CFB779DB36CA0BE95", "THREATPOST:037D55F658239A9DBF47BABD04D1F6E7", "THREATPOST:03F3C45744F6C52E1687C208288C7001", "THREATPOST:04738138B50414CEACDB62EFA6D61789", "THREATPOST:04FAA050D643AD8D61D8063D5232A682", "THREATPOST:051AFF295EB4024C33B9C6988E0F5C34", "THREATPOST:05856E5CAEC60A0E16D4618496270D44", "THREATPOST:05A74488EF15AE2BEA20C34AC753FB10", "THREATPOST:05CA5F0BEDE4AEE08ED1C40F6D413601", "THREATPOST:06F9A4BBE673BFFA63BB435F99387C6D", "THREATPOST:07E70978E087406E6779D5EE8D2D372D", "THREATPOST:088C4C91495F7C7262D861A66DC74B85", "THREATPOST:0A40F95A480060B254A1AA6FCF9504B2", "THREATPOST:0ACA8133652DA5D5C5D027A4F9EED75A", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:0B64A7C04FF47971B650E17B53C45FD2", "THREATPOST:0BA7B2FCC73EB6AA27E7D15318D8DCEF", "THREATPOST:0C5877DE6DD50B0CB309505FAE7076AC", "THREATPOST:0D250E6E576E1C05274E04DB1BB79529", "THREATPOST:0DD2574E8237EB5925DD5C2AC8B9A426", "THREATPOST:0E875F36B37069C0CA4DC570FE3BD197", "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "THREATPOST:0F2DE86E0069A54E56B0694DA999399A", "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "THREATPOST:105BBC66E564BD98581E52653F5EA865", "THREATPOST:1071D90B9DDF02B6FC796EE160E0AFDD", "THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "THREATPOST:1109584452DBA30B86EF68E3277D4E39", "THREATPOST:11A212CE63E0ED8390DF014E511EC174", "THREATPOST:1256E9A9997A1C51E9DB7AEB7A420D3D", "THREATPOST:1322630273A25CA5A68246679553E2B8", "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "THREATPOST:14171FFFDCB402F0E392DA20B23E7B5A", "THREATPOST:14B2B02CB661C8C7E1BC1204495F0D25", "THREATPOST:14FF20625850B129B7F957E8393339F1", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:1663F2C868E9B0A3184989EAF71EB3DA", "THREATPOST:17ABCE7BEBAC56FCA5601686C9601728", "THREATPOST:17AC167B3F04D3043199819655CB5EB8", "THREATPOST:195656DFCDBB1B18C4B0E899AA2C96DE", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:19F6727A0DB5ECAEB57AFC56191A2EC4", "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "THREATPOST:1B75EB23D874C5D85DA6FEAB65007B4E", "THREATPOST:1BC8168472B040DAEF3D3D5CCC865068", "THREATPOST:1BCC479A05BA19E3B4906CB5F5FD2F1B", "THREATPOST:1C5C89106D8897D6CDDFF572948A779A", "THREATPOST:1D743B7D5397A9D33A091396D1D95BDB", "THREATPOST:1E11FA7540C2CE7C48832A342FAAB3A8", "THREATPOST:1F7B99C76055BD44C266432644E6B9CB", "THREATPOST:1FA77776DEE21633617B7B927000ADBF", "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "THREATPOST:1FDD4D6EFB350CC9F6F42A5514AA6849", "THREATPOST:20A9D9F111F89A61A6242B788FCF6209", "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "THREATPOST:21439BDD06D57894E0142A06D59463B5", "THREATPOST:215398BCE165265631436077B4E79ECB", "THREATPOST:222B126A673B8B22370D386B699A7F90", "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:247A5639B207C2C522F735B0C3412087", "THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:270516BE92D218A333101B23448C3ED3", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:27F2EB604A7262CA0448D6463BA3B2A4", "THREATPOST:27F8092D2D7E88CBD23EAF8A7A016E24", "THREATPOST:28D790372A5C9EB1083AA78A4FDF3C0E", "THREATPOST:28E43852D5120A3EC8F4720244E0C432", "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "THREATPOST:2A42363A8B070949A25091DE7946F5A2", "THREATPOST:2AFE9BC25DD41D9CF073C8C04B0B1879", "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "THREATPOST:2D616CF8D8ED2AEB6805F098560269CB", "THREATPOST:2DAD0426512A1257D3D75569F282640E", "THREATPOST:2E13C5A3F37F020F188FBBE61F9209BC", "THREATPOST:2F3319136B672CD9E6AB9A17CE42DF1B", "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:30DA1C9D6157103537A72208FA5F0B5D", "THREATPOST:30F4296B03191B6F9433E5DFA9CEBFE6", "THREATPOST:326CCB6EA4E28611AD98B1964CFEE88E", "THREATPOST:3283173A16F1E86892491D89F2E307C2", "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "THREATPOST:33E56DEB736406F9DD08C7533BF1812B", "THREATPOST:35511A26A276E34B781D66037866F771", "THREATPOST:35BD4DEE5D1763F5788A6BD1F6AEB00D", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "THREATPOST:37854AF8C9A75E43ACA98BD95205B6BC", "THREATPOST:379EB96BF0EAF29DD5D3B3140DEF25F5", "THREATPOST:384A1D8040B61120BE2BA529493B9871", "THREATPOST:392CE26C2E3587A54C58FBEC0E26729F", "THREATPOST:3973FA851D33322A013EA1314A1AACC7", "THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "THREATPOST:3B27D34858D1F6DE1183C9ABEE8643CD", "THREATPOST:3BA8475F97E24074B27812B9B24AD05F", "THREATPOST:3BDDDA913AECAA168F2B8059EF6BF25A", "THREATPOST:3D0B017E262134B8D61E195735411E8A", "THREATPOST:3D30F37EC2CC17D6C3D6882CF7F9777E", "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "THREATPOST:3E3C8752E39F7A8CA5DD91BD283A79E7", "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "THREATPOST:40C7024941C4F0096D439BD79BF49C6D", "THREATPOST:415E19FC1402E6223871B55143D39C98", "THREATPOST:42533F5A68FABB4F312743C2E2A1262A", "THREATPOST:426AA248C0C594BAA81FC6B16FD74B7F", "THREATPOST:42FDB1238D348C4F4A1074DB3091E6F2", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:43C7C5989C2358091F5FA33D11480AEB", "THREATPOST:43EF6CEDCAE06DF2760527AA36C42994", "THREATPOST:44C6EDF349E9D3038D1847321D79E4DF", "THREATPOST:44C93D75841336281571380C5E523A23", "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:4622EF32C9940819EDA248FBC9C1F722", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "THREATPOST:49045E816279C72FD35E91BF5F87387C", "THREATPOST:490FB5EEC7306F4AF2F0990C85BAB0EC", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:49E24C3D272F18F81C1E207E97168C33", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:4AB3E2B46281B3DB5FFB51D8F16A11EC", "THREATPOST:4ABC0C904122EBC91D19E8F502931126", "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "THREATPOST:4BAED737182ECF19718520A7258DFDAA", "THREATPOST:4C1556375D297ECC5389073B3ECC185E", "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "THREATPOST:4D225F38F43559CB340E0C0C20E1C9BD", "THREATPOST:4DF584EB3FA47CA6245D964EA2A1A2FB", "THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6", "THREATPOST:4F6F13C74BC6E5EC3C5FF0600F339C90", "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "THREATPOST:500777B41EEA368E3AC2A6AED65C4A25", "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "THREATPOST:5196DBE4ABD34424DF1F07ED3DA73B12", "THREATPOST:519B278A52BA4200692386F6FAEA43B1", "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "THREATPOST:542C0B0D14A54FEF96D5035E5ABEFEDF", "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "THREATPOST:55873F60362AA114632D0D7DC95FF63C", "THREATPOST:5679ACC257BEC35A3A300F76FA78E8E6", "THREATPOST:580280FBECF50DF8FF68F3A998F311D3", "THREATPOST:59732F848538CA26FD0A3AC638F529F9", "THREATPOST:59C4483705849ADA19D341EFA462DD19", "THREATPOST:5A63035EF0BF190E58422B3612EB679F", "THREATPOST:5B1F1A9A61354738E396D81C42C0E897", "THREATPOST:5BA927C1BD88B4949BDAEC1ACC841488", "THREATPOST:5C4C4351A746ADF8A7F1B2D316888C01", "THREATPOST:5C60BA94DEDFC24233F8B820C7D23076", "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "THREATPOST:5D9785F30280BD09EB7E645CA2EECE79", "THREATPOST:5DA1737F4321D42086053820C84CCFB0", "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "THREATPOST:619AA46DE90E000F02F634A9AA0FB8B0", "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "THREATPOST:61CC1EAC83030C2B053946454FE77AC3", "THREATPOST:61F350907297E5B2EBAE56FF04C054C7", "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "THREATPOST:63188D8C89FE469962D4F460E46755BC", "THREATPOST:632A7F4B404E8A9E7D49A4895D573FDB", "THREATPOST:639050E94B84AD3926F64EF305F67AB4", "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:64EE7E2569B19CDBC1F2000D27D9FC06", "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "THREATPOST:66D2F7851992FD5FC9934A5FE7A68E9F", "THREATPOST:68D1078BB418B06D989E65C3972EDE28", "THREATPOST:6968030EBEDCF665121F267E466D3BA5", "THREATPOST:69A935F9472525B2FDE94FC33D6C6B70", "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB", "THREATPOST:6B8C9E983349C1AA69D5488866DAAC1D", "THREATPOST:6B96C89C11F9A7363A1E592863892D36", "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "THREATPOST:6C50260122AE142A1AA28DCFDE4EA98B", "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "THREATPOST:6E270592F88355DEABA14BF404C7EDDE", "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "THREATPOST:6E46A05627B4B870228F4C53DD7811AE", "THREATPOST:6EBEA4CC58A28C7B7DEE65B4D6FDA976", "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "THREATPOST:70B08FC40DE9224ACE3D689EE22897C0", "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:71D015FE251ED550B92792FF72430841", "THREATPOST:738BF7215D8F472D205FCBD28D6068E5", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:75108516B2230B2FA175C2B84083F4DF", "THREATPOST:752864660896CF677AF67798E68952F0", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:7642BB12A1C6458D5DDB7202B6BF1D62", "THREATPOST:765141925BCF61E1BEC4EA2E7E28C380", "THREATPOST:769E9696F176FD575D7F365CA771EFC3", "THREATPOST:779B904F971138531725D1E57FDFF9DD", "THREATPOST:77E27FE5A07B4C4146B818CE438E0AAA", "THREATPOST:78B8BC1F232A077BA4B03580A37C0780", "THREATPOST:78CC95FFED89068ABD2CBA57EFE1D5F8", "THREATPOST:7957677E374E9980D5154F756D4A2E00", "THREATPOST:7A640DBB2223135AD8DC65457AB55EBF", "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "THREATPOST:7BE818C547990FA7A643DE9C0DE99C8C", "THREATPOST:7D0B88F224FD59AB5C49F030B02A25D9", "THREATPOST:7D2F975F60C58181C3B6726E809F10FD", "THREATPOST:7D30EC4B25275AFBC409D8619D125E65", "THREATPOST:7D43FDAB0FB38B20FBB86FFF6FD31270", "THREATPOST:7E30033E60118E5B4B8C14689A890155", "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "THREATPOST:7F4C76F7EC1CB91B3A37DE64274F1EC3", "THREATPOST:7F86D903184A4B5AF689693F5950FB7D", "THREATPOST:7FF462EBFF86BEB1E7C8207D6CB07E50", "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "THREATPOST:80978215EBC2D47937D2F3471707A073", "THREATPOST:809BED35A98A53099CE1EC723FA950F2", "THREATPOST:80D12F3888B999E484D206D5EBA9EEA0", "THREATPOST:827A7E3B49365A0E49A11A05A5A29192", "THREATPOST:828471E05035E11C0ED67C67E1EA8F0D", "THREATPOST:848870C5AD3BB637321291CEF571A5F9", "THREATPOST:8549E725CF51C109F7299A0CC5FACBE9", "THREATPOST:856DD01A5D951BB0E39AE06B64DDD2A7", "THREATPOST:85DCC5523A4DCF507633F07B43FE638A", "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "THREATPOST:8836AC81C1F2D9654424EC1584E50A16", "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "THREATPOST:88DD5812D3C8652E304F32507E4F68DD", "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "THREATPOST:8A24910206DA1810DAD81ABA313E33A7", "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:8D91C617AB6DA9813465DF309507F9F5", "THREATPOST:8E01B2E26F588D0FA5B0857DCEF926DA", "THREATPOST:8EC1069E3114E28911EA3438DA21B952", "THREATPOST:8F39618B0CB625A1C4FC439D0A7C4EB9", "THREATPOST:8FAA8C7C7378C070F0011A0B44C03726", "THREATPOST:8FACBD9A4509F71E19E07BB451FD68A0", "THREATPOST:90355E85731E1618F6C63A58CD426966", "THREATPOST:90D2E9044C556AC1A56C89A7F86742BE", "THREATPOST:9235CC6F1DCCA01B571B8693E5F7B880", "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:945830C59DF62627CC3D29C4F9E9139F", "THREATPOST:945A12FF5F8B6420706F2E174B6D0590", "THREATPOST:95C6723464FA4BDF541640AC24DD5E35", "THREATPOST:960DA04864E083F2EAA36F3764D13603", "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "THREATPOST:96B85F971B8102B581B91984548004F2", "THREATPOST:96C5FAF7B7238F498D3BFD523344AA56", "THREATPOST:9758835CBD1761636E1E39F36A79936B", "THREATPOST:9812AA10EEA208EA87CD37C5F28D927F", "THREATPOST:985009AC9680D632153D78707A8949EF", "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "THREATPOST:9AA382E93ED0C2124DD69CF4DDC84EB7", "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "THREATPOST:9B11E0EF22481CA407924C58E8C7F8C1", "THREATPOST:9B936E81D7DD33C962D98A85BAF3B7FE", "THREATPOST:9C03EBE552C67EF6E62604A81CF13C1A", "THREATPOST:9C0FA678FF748B08478CA83EAAEF83B4", "THREATPOST:9D048A14622014274EB5C5D19FEDD46A", "THREATPOST:9DAD31CF008CF12C5C4A4EA19C77BB66", "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "THREATPOST:9FE968913EDA58B2C622DFD4433C05E0", "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "THREATPOST:A1A03F8D19A1212209F2765F29BE892C", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A21BD1B60411A9861212745052E23AE7", "THREATPOST:A29172A6F4C253F7A464F05CCE4E3ABB", "THREATPOST:A2C4DFB7FD998E1990946FBDE70D8050", "THREATPOST:A2FCDF5F534EC09A258F3193FDEA41A8", "THREATPOST:A2FE619CD27EBEC2F6B0C62ED026F02C", "THREATPOST:A3218B82F449C5905D1957A1C264C1C1", "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:A60A7647981BC9789CAECE6E9BADD30E", "THREATPOST:A653527FBB893B6568AF6B264422BD7A", "THREATPOST:A6CEBF30D4D0B3B54DC8E78CC21EBA4B", "THREATPOST:A7148BBF3E2EDF9B0EA2E2C67C7CAC4E", "THREATPOST:A7710EFC5AA842A252861C862A3F8318", "THREATPOST:A78361BA1DB99FF96F9399B2AE9F1EA4", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:A7D014F320A68BD2D7BEA7FCB9349FC0", "THREATPOST:A8242348917526090B7A1B23735D5C6C", "THREATPOST:A824AE46654142C5CE71C8DDFD90D548", "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "THREATPOST:A959F2AFFE1161A65066EACCFB0D5FCA", "THREATPOST:A9E6DBBE61D0494D0B0C83151FEC45D0", "THREATPOST:A9EF092F5BA25CAD6C775AAE60BC318E", "THREATPOST:A9FAA9D15FCD97151072CF8CE16A42D9", "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "THREATPOST:AC7105820BB83340E9C002EE77D4B8D6", "THREATPOST:AD20F9744EB0E2E4D282F681451B4FBD", "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:AD96628DA2614402CC9BDEF93704870B", "THREATPOST:ADA9E95C8FD42722E783C74443148525", "THREATPOST:AE4AEC18802953FE366542717C056064", "THREATPOST:AE6ADD184BCB4B6C0DCF53BEE513E9DD", "THREATPOST:AFCEAC73B5337D8E7C237914CF84FC01", "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "THREATPOST:B1F3641CBE3AF60ECA85E3ADE7AE53CA", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B34044D3D29EE756187C0D5CDF2E19B8", "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B4AED814955E51C42BAE9BF0A3A014B0", "THREATPOST:B4B23ADD1522DC53A0B05300F439AB03", "THREATPOST:B5B59F74FDFACADB44DBF4AE420E3189", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:B62AA49BBB410F8D7406ABE4E3C4C62F", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "THREATPOST:B7280795B2A42655BE9618D06EB9520A", "THREATPOST:B7E1238E416DAB5F50EED6E4CC347296", "THREATPOST:B8B49658F96D885BA4DC80406A2A94B3", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BB432D74FB2DC755C74CBEE5CF71B1E9", "THREATPOST:BB95F65906A69148A31A208D15B5EFC3", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:BD9CDF08D7870033C1C564691CABFC16", "THREATPOST:BDA1752A66AD0D3CF8AB59CFB7A8F472", "THREATPOST:BDAFE3A8671CEAB24C02FF18A8FBA60F", "THREATPOST:BDE4A24DFC0713FBC25AB0F17931717C", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:C0A58646680EABD23F9ABE6CC20F9F2E", "THREATPOST:C1850156F9F2124BACDC7601CCFA6B30", "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "THREATPOST:C442C6ABA3916CAA62C89BC2CB6332CD", "THREATPOST:C47E4314F4EEB30F0139DF3BC8B47E01", "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "THREATPOST:C56525805A371C56B68CE54AB4EDB9AF", "THREATPOST:C5D967CF7CFD8422FD9ACFC1CF7277A6", "THREATPOST:C8BB08507CBCCE4C217C33C15D3AA04D", "THREATPOST:C9B3ABEF738D9A1E524FB94613BA5CBA", "THREATPOST:C9C5B1554A6F4216A73108C0748E16EF", "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "THREATPOST:CDCABD1108763209B391D5B81AE03CF7", "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "THREATPOST:D053D0BAA76AC62C5AFCB77CBFD61B6D", "THREATPOST:D11D4E32822220251B14068F9BAAD17E", "THREATPOST:D292185F5E299FDB7366DDAA750D6070", "THREATPOST:D3F6B40A3A2EF494FE7F0AFC7768F7CD", "THREATPOST:D40D286C87360AFDC61FCD9AD506D78F", "THREATPOST:D49075D6FFF077A542015B7F806F4E27", "THREATPOST:D4C8CD7D146990740B8339D88A3FDB84", "THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "THREATPOST:D587192A5DA9FB1680FF9D453F96B972", "THREATPOST:D58796CB8261B361ADF389131F955AE3", "THREATPOST:D5CE687F92766745C002851DFA8945DE", "THREATPOST:D6D859A31F73B00E9B6F642D4C89B344", "THREATPOST:D8172FCB461F5843B3391B2336A4D02F", "THREATPOST:D8CDE16C2F1722831D3106563D1F1551", "THREATPOST:D9C08A737D3D95BFF6B07A04C9479C6D", "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "THREATPOST:DC3489917B7B9C6C1824FB61C05E82CD", "THREATPOST:DC91E1B2D30C1A0D1ED78420E79DCE86", "THREATPOST:DCEC8DA2CC98CD3F9DF8B10773BD6F01", "THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "THREATPOST:DD7A2F272ACFDE71B0A0CEC234C35876", "THREATPOST:DDDE126E49EC98A6A15655F564E25620", "THREATPOST:DE317ED7C5E4858FE861A15F96F6BCFD", "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "THREATPOST:DF45F7CBB6E670440E0A14E517EA753D", "THREATPOST:DF54323828EEC1DDCE4B2312AC6F085F", "THREATPOST:E067CFBFA163616683563A8ED34648FE", "THREATPOST:E068C231265847BA99669A8EBF0D395D", "THREATPOST:E22E26BB31C17ACCC98C59076AF88CD7", "THREATPOST:E46805A1822D16B4725517D4B8786F57", "THREATPOST:E4FBCA31AB2D69F0292283738E873960", "THREATPOST:E539817E8025A93279C63158F37F2DFB", "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "THREATPOST:E6DC1F407BA6CEE26FE38C95EBB10D7A", "THREATPOST:E77302403616F2E9A6C7DA2AD2B1F880", "THREATPOST:E7C5C8276111C637456F053327590E4C", "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "THREATPOST:EC55500DAF9E1467C9C94C82758F810C", "THREATPOST:ED7B090DD1289553529F8B6FD87BF467", "THREATPOST:EE14785AC189E016FD2CE51464D3643D", "THREATPOST:EE5FF4DE95B4AED68C90DCB6444B6560", "THREATPOST:EED27183B3F49112A9E785EA56534781", "THREATPOST:EF7DCA1CE0B1A1B1D93B4E4F7A3A3163", "THREATPOST:EF898143DB86CE46FFBDC81DCD8E79AA", "THREATPOST:EFE8A853C0EEF9ED023CC92349BE9410", "THREATPOST:F1065D29808C9165285986CCB6DEBB5A", "THREATPOST:F158248C80174DD4B29AE26B4B4139C0", "THREATPOST:F19F70E263B2C3D2A16C72D12F9884FC", "THREATPOST:F1E0D1BF5C51CAA730D94DB196D962D1", "THREATPOST:F261FA3F1DECA361A6DBC169065B1101", "THREATPOST:F28846A403C73C488A77B766A21BB3E5", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F514D796FE42C0629BD951D8664A2420", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F61F8A6168C36EAB1584BC8044080B35", "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "THREATPOST:F701F7503777655BB413FCBEFB88C8DE", "THREATPOST:F73CA4042B0D13ED4A29DED46F90E099", "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB", "THREATPOST:F9FEB3F0862AAD4CC618F9737F44FA7B", "THREATPOST:FAE0DDDC6420E9881C1D719E13B77095", "THREATPOST:FB6C6CE8F3B4AE6846C8AB866C36F024", "THREATPOST:FBDE9552D48B698542D65DEA64890566", "THREATPOST:FBF1F4B1FB26C8B1E95965E920F985EF", "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "THREATPOST:FCF1B008BD9B10ADDA0703FDB9CBAA04", "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "THREATPOST:FEAE151B1861BE9EF40E606D5434AE00", "THREATPOST:FFB8302BEBD76DDACC5FD08D3FF8F883"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1FEAB54A2EB3929007298481113A7219", "TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:6A0454A8A4891A1004496709868EC034", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "TRENDMICROBLOG:E671F1DA89C14989CDFAEB298B71BF9D"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1", "USN-5024-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472", "UB:CVE-2021-21220", "UB:CVE-2021-30551", "UB:CVE-2021-30554", "UB:CVE-2021-30661", "UB:CVE-2021-30663", "UB:CVE-2021-30665"]}, {"type": "veracode", "idList": ["VERACODE:27548", "VERACODE:30066", "VERACODE:30949", "VERACODE:31408"]}, {"type": "zdi", "idList": ["ZDI-21-411"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119", "1337DAY-ID-29976", "1337DAY-ID-35274", "1337DAY-ID-36202"]}]}, "score": {"value": 1.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:1647"]}, {"type": "amazon", "idList": ["ALAS-2021-1469", "ALAS2-2021-1585", "ALAS2-2021-1649"]}, {"type": "apple", "idList": ["APPLE:2A32C0762786DF36357D645066CDC600", "APPLE:48BC28AAD9E0029F9CF17E3ED0A5F181", "APPLE:4E4515CD7FD997AA98D94164483D0679", "APPLE:52D5DC71EAE54F6DF0EA591406E6C671", "APPLE:72B0255E1DE0446B228B5371EDD14ACD", "APPLE:73550C0E0CC4D3E6D5DC38456DA89443", "APPLE:A1AFADAD90CEC763DFDCC59E95E6D673", "APPLE:A5EDA5FE2364D1FB5D577BC8C126D6E5", "APPLE:CA6473609072D4746735999863BFAC33", "APPLE:D1804CFB5985973BEAA4CE367152D5F6"]}, {"type": "archlinux", "idList": ["ASA-202009-17", "ASA-202106-31", "ASA-202106-32", "ASA-202106-45", "ASA-202106-46", "ASA-202106-47", "ASA-202107-67", "ASA-202107-68"]}, {"type": "attackerkb", "idList": ["AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "AKB:03F5DDB7-DFAF-4815-9563-05762A387A0A", "AKB:160D34D9-2175-4B27-87F8-0CED51121F50", "AKB:19A3B42A-68BD-48E1-847B-9BA88408EF2B", "AKB:21C170FF-C7C6-4BFB-8AED-613970EDA44C", "AKB:50EC30BE-5E8C-4158-8AA0-06397441F8A5", "AKB:51E88AF4-0A81-4B72-8855-34DF072124D9", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "AKB:DBAEA288-D224-49E1-877D-628DFD1CF161"]}, {"type": "avleonov", "idList": ["AVLEONOV:28E47C69DA4A069031694EB4C2C931BA", "AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4", "AVLEONOV:F17F36C3CC642EBDC27E43900FE3905E"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "OFFICE_WSDL"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF", "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "CARBONBLACK:A526657711947788A54505B0330C16A0", "CARBONBLACK:E0EA1F343D1E082C73087FC784C141BD"]}, {"type": "centos", "idList": ["CESA-2020:5439"]}, {"type": "cert", "idList": ["VU:383432", "VU:421280", "VU:490028"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0725", "CPAI-2017-1009", "CPAI-2018-0018", "CPAI-2020-0872", "CPAI-2020-1095", "CPAI-2021-0223", "CPAI-2021-0276", "CPAI-2021-0292", "CPAI-2021-0314", "CPAI-2021-0316", "CPAI-2021-0317", "CPAI-2021-0318", "CPAI-2021-0465", "CPAI-2021-0484", "CPAI-2021-0485"]}, {"type": "chrome", "idList": ["GCSA-3185915322248637110", "GCSA-6244807684233791030", "GCSA-8794598538337601472"]}, {"type": "cisa", "idList": ["CISA:2B970469D89016F563E142BE209443D8", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB", "CISA:D060813248AE96F3F62B7F67A176132F", "CISA:F9916EF5EF9E126FF62CF4162B96669F"]}, {"type": "cve", "idList": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-1675", "CVE-2021-21220", "CVE-2021-28310", "CVE-2021-30551", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33742"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2463-1:1381E", "DEBIAN:DSA-4945-1:08051"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-21220", "DEBIANCVE:CVE-2021-30551", "DEBIANCVE:CVE-2021-30554"]}, {"type": "exploitdb", "idList": ["EDB-ID:43163", "EDB-ID:49071"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:26C6702FE71DE1FE3096B330AA74AD07"]}, {"type": "f5", "idList": ["F5:K93951507"]}, {"type": "fedora", "idList": ["FEDORA:38D8230C58CD", "FEDORA:4A64830CFCDC", "FEDORA:8A032304C446", "FEDORA:D8A0E3053060"]}, {"type": "fireeye", "idList": ["FIREEYE:81A95C8CF481913A870A3CEAAA7AF394"]}, {"type": "freebsd", "idList": ["20B3AB21-C9DF-11EB-8558-3065EC8FD3EC", "24ACE516-FAD7-11EA-8D8C-005056A311D1", "7C0D71A9-9D48-11EB-97A0-E09467587C17", "AFDC7579-D023-11EB-BCAD-3065EC8FD3EC"]}, {"type": "gentoo", "idList": ["GLSA-202012-24", "GLSA-202104-08"]}, {"type": "githubexploit", "idList": ["042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "06BAC40D-74DF-5994-909F-3A87FC3B76C8", "07DF268C-467E-54A3-B713-057BA19C72F7", "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "0CFAB531-412C-57A0-BD9E-EF072620C078", "12E44744-1AF0-523A-ACA2-593B4D33E014", "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "20466D13-6C5B-5326-9C8B-160E9BE37195", "2255B39F-1B91-56F4-A323-8704808620D3", "28D42B84-AB24-5FC6-ADE1-610374D67F21", "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "3F400483-1F7E-5BE5-8612-4D55D450D553", "49EC151F-12F0-59CF-960C-25BD54F46680", "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "50FA6373-CBCD-5EF5-B37D-0ECD621C6134", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "63C36F7A-5F99-5A79-B99F-260360AC237F", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "939F3BE7-AF69-5351-BD56-12412FA184C5", "9C9BD402-511C-597D-9864-647131FE6647", "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "FC661572-B96B-5B2C-B12F-E8D279E189BF"]}, {"type": "hivepro", "idList": ["HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20201105-01-NETLOGON"]}, {"type": "ibm", "idList": ["6549F7FB91216E6B5325DB660AF73FDF2D181F5FC1D3D96D412B600D6C349A96"]}, {"type": "kaspersky", "idList": ["KLA11069", "KLA11139", "KLA11170", "KLA12136", "KLA12139", "KLA12143", "KLA12174", "KLA12183", "KLA12198", "KLA12202", "KLA12204", "KLA12205", "KLA12209", "KLA12210", "KLA12211", "KLA12213", "KLA12214", "KLA12215"]}, {"type": "kitploit", "idList": ["KITPLOIT:232707789076746523"]}, {"type": "krebs", "idList": ["KREBS:4F19DF7091060B198B092ABE2F7E1AA8", "KREBS:A8F0DD3F6E965A3A66B2CCBB003ACF62", "KREBS:E374075CAB55D7AB06EBD73CB87D33CD", "KREBS:F8A52CE066D12F4E4A9E0128831BF48D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:11D4071979D3FC1E6028AA8D71EB87F4", "MALWAREBYTES:3067D03AD5A4441FEBB702BADFD6C4A1", "MALWAREBYTES:30BC856501B7BB42655FA3109FACCA26", "MALWAREBYTES:6F90B6DD790D455EDED4BE326079DA35", "MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B", "MALWAREBYTES:84CB84E43C5F560FDE9B8B7E65F7C4A3"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "MSF:ILITIES/GOOGLE-CHROME-CVE-2021-30551/"]}, {"type": "mmpc", "idList": ["MMPC:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "mscve", "idList": ["MS:CVE-2020-1472", "MS:CVE-2021-1675", "MS:CVE-2021-21220", "MS:CVE-2021-28310", "MS:CVE-2021-30551", "MS:CVE-2021-30554", "MS:CVE-2021-31199", "MS:CVE-2021-31201", "MS:CVE-2021-31955", "MS:CVE-2021-31956", "MS:CVE-2021-33742"]}, {"type": "mskb", "idList": ["KB2553204", "KB3162047", "KB4011262", "KB4011604", "KB4011618", "KB4011643", "KB5004945"]}, {"type": "msrc", "idList": ["MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09"]}, {"type": "mssecure", "idList": ["MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:DF21D5BD34E334683F0DCC4F64FDC83E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201788439", "MYHACK58:62201788542", "MYHACK58:62201892253"]}, {"type": "nessus", "idList": ["701344.PASL", "AL2_ALAS-2021-1585.NASL", "ALA_ALAS-2021-1469.NASL", "APPLE_IOS_1253_CHECK.NBIN", "APPLE_IOS_1451_CHECK.NBIN", "APPLE_IOS_145_CHECK.NBIN", "CENTOS_RHSA-2020-5439.NASL", "DEBIAN_DLA-2463.NASL", "DEBIAN_DSA-4945.NASL", "EULEROS_SA-2021-1050.NASL", "EULEROS_SA-2021-1118.NASL", "FREEBSD_PKG_20B3AB21C9DF11EB85583065EC8FD3EC.NASL", "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "FREEBSD_PKG_7C0D71A99D4811EB97A0E09467587C17.NASL", "FREEBSD_PKG_AFDC7579D02311EBBCAD3065EC8FD3EC.NASL", "GENTOO_GLSA-202012-24.NASL", "GENTOO_GLSA-202104-08.NASL", "GOOGLE_CHROME_89_0_4389_128.NASL", "GOOGLE_CHROME_91_0_4472_101.NASL", "GOOGLE_CHROME_91_0_4472_114.NASL", "MACOSX_GOOGLE_CHROME_89_0_4389_128.NASL", "MACOSX_GOOGLE_CHROME_91_0_4472_101.NASL", "MACOSX_GOOGLE_CHROME_91_0_4472_114.NASL", "MACOS_HT212325.NASL", "MICROSOFT_EDGE_CHROMIUM_89_0_774_77.NASL", "MICROSOFT_EDGE_CHROMIUM_91_0_864_48.NASL", "MICROSOFT_EDGE_CHROMIUM_91_0_864_54.NASL", "NETLOGON_ZEROLOGON_CVE-2020-1472.NBIN", "OPENSUSE-2020-1526.NASL", "OPENSUSE-2021-2598.NASL", "OPENSUSE-2021-567.NASL", "ORACLELINUX_ELSA-2020-5439.NASL", "ORACLELINUX_ELSA-2021-4381.NASL", "REDHAT-RHSA-2020-5439.NASL", "REDHAT-RHSA-2021-3723.NASL", "SL_20201215_SAMBA_ON_SL7_X.NASL", "SMB_NT_MS20_AUG_4565349.NASL", "SMB_NT_MS20_AUG_4571694.NASL", "SMB_NT_MS20_AUG_4571703.NASL", "SMB_NT_MS20_AUG_4571729.NASL", "SMB_NT_MS20_AUG_4571736.NASL", "SUSE_SU-2020-2719-1.NASL", "SUSE_SU-2020-2720-1.NASL", "SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2722-1.NASL", "SUSE_SU-2020-2724-1.NASL", "SUSE_SU-2020-2730-1.NASL", "SUSE_SU-2021-2598-1.NASL", "SUSE_SU-2021-2600-1.NASL", "SUSE_SU-2021-2762-1.NASL", "UBUNTU_USN-4510-1.NASL", "UBUNTU_USN-5024-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811231", "OPENVAS:1361412562310811232", "OPENVAS:1361412562310811233", "OPENVAS:1361412562310811451", "OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148", "OPENVAS:1361412562310812202", "OPENVAS:1361412562310812209", "OPENVAS:1361412562310812607", "OPENVAS:1361412562310812614", "OPENVAS:1361412562310812618", "OPENVAS:1361412562310812623", "OPENVAS:1361412562310812624", "OPENVAS:1361412562310812708"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439", "ELSA-2021-4381"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145226", "PACKETSTORM:160127", "PACKETSTORM:162437"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:23EF75126B24C22C999DAD4D7A2E9DF5", "QUALYSBLOG:352650F44A686E31669777DBEC831101", "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:70AF718BCABA36D5847184CA639B55C9", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:97274435F9F49556ED060635FD9081E2"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:452CCDC1AEFFF7056148871E86A6FE26", "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "RAPID7BLOG:E44F025D612AC4EA5DF9F2B56FF8680C"]}, {"type": "redhat", "idList": ["RHSA-2021:4381"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472", "RH:CVE-2021-30661", "RH:CVE-2021-30663", "RH:CVE-2021-30665"]}, {"type": "rocky", "idList": ["RLSA-2021:1586", "RLSA-2021:4381"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "securelist", "idList": ["SECURELIST:1F59148E6615695438F94EF4956585AA", "SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:652E2EF2009E38562770BCAC629BEA2E", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:830DE5B1B5EBB6AEE4B12EF66AD749F9", "SECURELIST:847981DCB9E90C51F963EE1727E40915", "SECURELIST:8E9198BF0E389572981DD1AA05D0708A", "SECURELIST:A3D3514100806269750A23D748D34C59", "SECURELIST:A4072107882E39592149B0DB12585D70", "SECURELIST:A9EBC6A1BD7D7A743024BD012EAC8323", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:E9DB961C0B1E8B26B305F963059D717E", "SECURELIST:F1FC61836DCAA7F1E27411092B208523"]}, {"type": "seebug", "idList": ["SSV:99217", "SSV:99245", "SSV:99276"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1", "OPENSUSE-SU-2021:2598-1"]}, {"type": "symantec", "idList": ["SMNTC-99445"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7FDC117533451294884ABE03F31ED36B", "TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D", "TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A", "TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148", "TALOSBLOG:EC1B279A70AF41A51CBB4EB4722EFA46"]}, {"type": "thn", "idList": ["THN:080F85D43290560CDED8F282EE277B00", "THN:0A61A90DD0F88453854B73FE249BC379", "THN:0D13405795D42B516C33D8E56A44BA9D", "THN:1DDE95EA33D4D9F304973569FC787451", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:62ECC5B73032124D6559355B66E1C469", "THN:6428957E9DED493169A2E63839F98667", "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "THN:8EAD85C313EF85BE8D38BAAD851B106E", "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "THN:9F22FC342DFAFC55521FD4F7CEC7C9A3", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BB8CDCFD08801BDD2929E342853D03E9", "THN:C21D17F1D92C12B031AB9C761BBD004A", "THN:C473C49BA4C68CD048FB1E0B4A2D04F4", "THN:CBEFDC179819629DFFC0C17341BFD3E8", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:ED087560040A02BCB1F68DE406A7F577", "THN:EDD5C9F076596EB9D13D36268BDBFAD1", "THN:F0D5DEDB6BEE875D30F098FB7A4E55A1", "THN:F163C7AB35BEF8E28924E14B02752181", "THN:F197A729A4F49F957F9D5910875EBAAA", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "THN:FF8DAEC0AE0DDAE827D57407C51BE992"]}, {"type": "threatpost", "idList": ["THREATPOST:07E70978E087406E6779D5EE8D2D372D", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:33E56DEB736406F9DD08C7533BF1812B", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:500777B41EEA368E3AC2A6AED65C4A25", "THREATPOST:55873F60362AA114632D0D7DC95FF63C", "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "THREATPOST:61CC1EAC83030C2B053946454FE77AC3", "THREATPOST:63188D8C89FE469962D4F460E46755BC", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:8836AC81C1F2D9654424EC1584E50A16", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:9235CC6F1DCCA01B571B8693E5F7B880", "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:EED27183B3F49112A9E785EA56534781", "THREATPOST:F261FA3F1DECA361A6DBC169065B1101", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:6A0454A8A4891A1004496709868EC034", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "TRENDMICROBLOG:E671F1DA89C14989CDFAEB298B71BF9D"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1", "USN-5024-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21220", "UB:CVE-2021-30551", "UB:CVE-2021-30554", "UB:CVE-2021-30661", "UB:CVE-2021-30663", "UB:CVE-2021-30665"]}, {"type": "zdi", "idList": ["ZDI-21-411"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119", "1337DAY-ID-36202"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-11882", "epss": "0.974500000", "percentile": "0.998970000", "modified": "2023-03-17"}, {"cve": "CVE-2017-8570", "epss": "0.974710000", "percentile": "0.999270000", "modified": "2023-03-17"}, {"cve": "CVE-2018-0802", "epss": "0.974870000", "percentile": "0.999430000", "modified": "2023-03-17"}, {"cve": "CVE-2020-1472", "epss": "0.973850000", "percentile": "0.998170000", "modified": "2023-03-17"}, {"cve": "CVE-2021-1675", "epss": "0.968880000", "percentile": "0.994750000", "modified": "2023-03-17"}, {"cve": "CVE-2021-21220", "epss": "0.974070000", "percentile": "0.998440000", "modified": "2023-03-17"}, {"cve": "CVE-2021-28310", "epss": "0.000430000", "percentile": "0.075700000", "modified": "2023-03-17"}, {"cve": "CVE-2021-30551", "epss": "0.335030000", "percentile": "0.963600000", "modified": "2023-03-17"}, {"cve": "CVE-2021-30554", "epss": "0.006800000", "percentile": "0.768950000", "modified": "2023-03-17"}, {"cve": "CVE-2021-30661", "epss": "0.003250000", "percentile": "0.661610000", "modified": "2023-03-17"}, {"cve": "CVE-2021-30663", "epss": "0.002510000", "percentile": "0.612250000", "modified": "2023-03-17"}, {"cve": "CVE-2021-30665", "epss": "0.002330000", "percentile": "0.596700000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31166", "epss": "0.973700000", "percentile": "0.998030000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31199", "epss": "0.000490000", "percentile": "0.154190000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31201", "epss": "0.000490000", "percentile": "0.154190000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31955", "epss": "0.973570000", "percentile": "0.997920000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31956", "epss": "0.001660000", "percentile": "0.516220000", "modified": "2023-03-17"}, {"cve": "CVE-2021-33742", "epss": "0.822710000", "percentile": "0.977990000", "modified": "2023-03-17"}, {"cve": "CVE-2021-34527", "epss": "0.970380000", "percentile": "0.995570000", "modified": "2023-03-17"}], "vulnersScore": 1.5}, "_state": {"dependencies": 1660032824, "score": 1660035404, "epss": 1679109163}, "_internal": {"score_hash": "96684ef9c5b51e9d0f1970c90041c0d4"}}

{"thn": [{"lastseen": "2022-05-09T12:37:59", "description": "[](<https://thehackernews.com/images/-Oinzu8T6SmI/YMBZ7WkhbJI/AAAAAAAACzI/kVA4Ura4Yl4MrNb_jPNPBtgjkBj1DSs1wCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on Tuesday released another round of [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jun>) for Windows operating system and other supported software, squashing 50 vulnerabilities, including six zero-days that are said to be under active attack.\n\nThe flaws were identified and resolved in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nOf these 50 bugs, five are rated Critical, and 45 are rated Important in severity, with three of the issues publicly known at the time of release. The vulnerabilities that being actively exploited are listed below -\n\n * [**CVE-2021-33742**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) (CVSS score: 7.5) - Windows MSHTML Platform Remote Code Execution Vulnerability\n * [**CVE-2021-33739**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) (CVSS score: 8.4) - Microsoft DWM Core Library Elevation of Privilege Vulnerability\n * [**CVE-2021-31199**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31201**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31955**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) (CVSS score: 5.5) - Windows Kernel Information Disclosure Vulnerability\n * [**CVE-2021-31956**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) (CVSS score: 7.8) - Windows NTFS Elevation of Privilege Vulnerability\n\nMicrosoft didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them. But the fact that four of the six flaws are privilege escalation vulnerabilities suggests that attackers could be leveraging them as part of an infection chain to gain elevated permissions on the targeted systems to execute malicious code or leak sensitive information.\n\nThe Windows maker also noted that both CVE-2021-31201 and CVE-2021-31199 address flaws related to [CVE-2021-28550](<https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html>), an arbitrary code execution vulnerability rectified by Adobe last month that it said was being \"exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\"\n\nGoogle's Threat Analysis Group, which has been acknowledged as having reported CVE-2021-33742 to Microsoft, [said](<https://twitter.com/ShaneHuntley/status/1402320072123719690>) \"this seem[s] to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting.\"\n\nRussian cybersecurity firm Kaspersky, for its part, detailed that CVE-2021-31955 and CVE-2021-31956 were abused in a Chrome zero-day exploit chain ([CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>)) in a series of highly targeted attacks against multiple companies on April 14 and 15. The intrusions were attributed to a new threat actor dubbed \"PuzzleMaker.\"\n\n\"While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges,\" Kaspersky Lab researchers [said](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nElsewhere, Microsoft fixed numerous remote code execution vulnerabilities spanning Paint 3D, Microsoft SharePoint Server, Microsoft Outlook, Microsoft Office Graphics, Microsoft Intune Management Extension, Microsoft Excel, and Microsoft Defender, as well as several privilege escalation flaws in Microsoft Edge, Windows Filter Manager, Windows Kernel, Windows Kernel-Mode Driver, Windows NTLM Elevation, and Windows Print Spooler.\n\nTo install the latest security updates, Windows users can head to Start &gt; Settings &gt; Update &amp; Security &gt; Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nAlongside Microsoft, a number of other vendors have also released a slew of patches on Tuesday, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-06-01>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Intel](<https://blogs.intel.com/technology/2021/06/intel-security-advisories-for-june-2021/>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-June/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) (with cybersecurity firm Onapsis [credited](<https://onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system>) with identifying 20 of the 40 remediated flaws)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-09T06:07:00", "type": "thn", "title": "Update Your Windows Computers to Patch 6 New In-the-Wild Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T16:52:54", "id": "THN:1DDE95EA33D4D9F304973569FC787451", "href": "https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:16", "description": "[](<https://thehackernews.com/images/-pYRFN6NLe6E/YJDef-c1NrI/AAAAAAAACcc/4bGiU-I6wLM0L_4q6OkSYydQnsvyfnlEwCLcBGAsYHQ/s0/apple-update.jpg>)\n\nApple on Monday released security updates for [iOS](<https://support.apple.com/en-us/HT212336>), [macOS](<https://support.apple.com/en-us/HT212335>), and [watchOS](<https://support.apple.com/en-us/HT212339>) to address three zero-day flaws and expand patches for a fourth vulnerability that the company said might have been exploited in the wild.\n\nThe weaknesses all concern WebKit, the browser engine which powers Safari and other third-party web browsers in iOS, allowing an adversary to execute arbitrary code on target devices. A summary of the three security bugs are as follows -\n\n * **CVE-2021-30663:** An integer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved input validation.\n * **CVE-2021-30665:** A memory corruption issue that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved state management.\n * **CVE-2021-30666:** A buffer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved memory handling.\n\nThe development comes a week after Apple rolled out iOS 14.5 and macOS Big Sur 11.3 with a fix for a potentially exploited WebKit Storage vulnerability. Tracked as [CVE-2021-30661](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>), the use-after-free issue was discovered and reported to the iPhone maker by a security researcher named yangkang ([@dnpushme](<https://twitter.com/dnpushme>)) of Qihoo 360 ATA.\n\nyangkang, along with zerokeeper and bianliang, have been credited with reporting the three new flaws.\n\nIt's worth noting that CVE-2021-30666 only affects older Apple devices such as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). The [iOS 12.5.3](<https://support.apple.com/en-us/HT212341>) update, which remediates this flaw, also includes a fix for CVE-2021-30661.\n\nThe company said it's aware of reports that the issues \"may have been actively exploited\" but, as is typically the case, failed to elaborate about the nature of attacks, the victims that may have been targeted, or the threat actors that may be abusing them.\n\nUsers of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.\n\n**Update: **Apple has also [released](<https://support.apple.com/en-us/HT212340>) a new version of Safari 14.1 for macOS Catalina and macOS Mojave, with the update introducing fixes for the two WebKit flaws CVE-2021-30663 and CVE-2021-30665. The update comes a day after patches were shipped for iOS, macOS, and watchOS.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-04T05:42:00", "type": "thn", "title": "Apple Releases Urgent Security Patches For Zero\u2011Day Bugs Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666"], "modified": "2021-05-05T03:21:40", "id": "THN:F0D5DEDB6BEE875D30F098FB7A4E55A1", "href": "https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:56", "description": "[](<https://thehackernews.com/images/-F1yuaWSy7gY/YMwPdaXQ2DI/AAAAAAAAC6A/mimpmywKfJIUJoPg7HuGaeY4E1nZogbKQCLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle has rolled out yet another update to Chrome browser for Windows, Mac, and Linux to fix four security vulnerabilities, including one zero-day flaw that's being exploited in the wild.\n\nTracked as **CVE-2021-30554**, the high severity flaw concerns a [use after free vulnerability](<https://cwe.mitre.org/data/definitions/416.html>) in WebGL (aka Web Graphics Library), a JavaScript API for rendering interactive 2D and 3D graphics within the browser.\n\nSuccessful exploitation of the flaw could mean corruption of valid data, leading to a crash, and even execution of unauthorized code or commands.\n\nThe issue was reported to Google anonymously on June 15, Chrome technical program manager Srinivas Sista [noted](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html>), adding the company is \"aware that an exploit for CVE-2021-30554 exists in the wild.\"\n\n[](<https://thehackernews.com/images/-ZBYemfi9DNk/YMwOkeK_woI/AAAAAAAAC54/vEnl5bwj7bEa33jqkIiw-8fKTpRk0l-FQCLcBGAsYHQ/s0/hacker.jpg>)\n\nWhile it's usually the norm to limit details of the vulnerability until a majority of users are updated with the fix, the development comes less than 10 days after Google addressed another zero-day vulnerability exploited in active attacks ([CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>)).\n\nCVE-2021-30554 is also the eighth zero-day flaw patched by Google since the start of the year.\n\n\"I'm happy we are getting better at detecting these exploits and the great partnerships we have to get the vulnerabilities patched, but I remain concerned about how many are being discovered on an ongoing basis and the role of commercial providers,\" [tweeted](<https://twitter.com/ShaneHuntley/status/1402320073818132483>) Shane Huntley, Director of Google's Threat Analysis Group, on June 8.\n\nChrome users are recommended to update to the latest version (91.0.4472.114) by heading to Settings &gt; Help &gt; 'About Google Chrome' to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-18T03:16:00", "type": "thn", "title": "Update\u200c \u200cYour Chrome Browser to Patch Yet Another 0-Day Exploit\u200ced \u200cin\u200c-the\u200c-Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30551", "CVE-2021-30554"], "modified": "2021-06-18T03:33:11", "id": "THN:62ECC5B73032124D6559355B66E1C469", "href": "https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-19T15:49:16", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhSF3-bdUgcyooEnkVmoAuf9mByPWvpo0qQ1Nswd04Ez2-TI9Sv6jdTYYCIvoW-JgAcS9U5-6hRItccG5cIe4cNT59zP19J6eXEa8XLxLq2Mxzbr0X0GNNQSlaM_z9ByEZwafQ_1WNvWNpu3YI3IOsvoVN43tgy4LsKHBUIEwW_yzpxOpIm_u-Jepe0/s728-e100/cyber-attack.jpg>)\n\nA financially motivated cybercrime group has been linked to an ongoing wave of attacks aimed at hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems.\n\nEnterprise security firm Proofpoint, which is tracking the group under the name TA558 dating all the way back to April 2018, called it a \"small crime threat actor.\"\n\n\"Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT,\" the company's threat research team [said](<https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel>) in a new report.\n\nThe group has been operational at a higher tempo in 2022 than usual, with intrusions mainly geared towards Portuguese and Spanish speakers in Latin America, and to a lesser extent in Western Europe and North America.\n\nPhishing campaigns mounted by the group involve sending malicious spam messages with reservation-themed lures such as hotel bookings that contain weaponized documents or URLs in a bid to entice unwitting users into installing trojans capable of reconnaissance, data theft, and distribution of follow-on payloads.\n\nThe attacks have subtly evolved over the years: The ones spotted between 2018 and 2021 leveraged emails with Word documents that either contained VBA macros or exploits for flaws such as [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>) and [CVE-2017-8570](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-8570>) to download and install a mixture of malware such as AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhf1-OFftMoPWFY8SQxjqyMzuueO4DWvvdsai8hxrPVmfzLMcf7AlZqOX_TT28YvoALA2Gtn8NkaajNSmEud9v1jPjPTL2y19wBJHE2OaleO43dmqwwQQ1CcFVJZok0_N0qZUaW8yQGsVBlD2lzCIbh_WggVEozhtWY_7tymfhzVdZiXVGw9-oTXJhu/s728-e100/HACKING.jpg>)\n\nIn recent months, however, TA558 has been observed pivoting away from macro-laden Microsoft Office attachments in favor of URLs and ISO files to achieve initial infection, a move likely in response to [Microsoft's decision to block macros](<https://thehackernews.com/2022/07/hackers-opting-new-attack-methods-after.html>) in files downloaded from the web by default.\n\nOf the 51 campaigns carried out by the group so far this year, 27 of them are said to have incorporated URLs pointing to ISO files and ZIP archives, in comparison to just five campaigns altogether from 2018 through 2021.\n\nProofpoint further noted that the intrusions chronicled under TA558 are part of a [broader](<https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/>) [set](<https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html>) of [malicious](<https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html>) [activities](<https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america>) focusing on [victims](<https://thehackernews.com/2022/07/microsoft-resumes-blocking-office-vba.html>) in the Latin American region. But in the absence of any post-compromise activity, it's suspected that TA558 is a financially motivated cybercriminal actor.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjmvMaze6hyM5Ls6kCSqVK-L1d5Fra21pXBpsSElqp2NnDj6RCspcHXHflufjOJ-DvrZ_JEDFJRYirOg6MxMwW4hVwDrPxDxDxxItOHhvSP5wqEXF38GjwUvdNMrvvAe0vb2fk1Ulz9mv331uYTi5xon2Zr90oR0ltWXQqL0q-GVyHn-pe1LxSQHmjb/s728-e100/hacking-data.jpg>)\n\n\"The malware used by TA558 can steal data including hotel customer user and credit card data, allow lateral movement, and deliver follow-on payloads,\" the researchers said. \"Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-19T13:35:00", "type": "thn", "title": "Cybercrime Group TA558 Targeting Hospitality, Hotel, and Travel Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570"], "modified": "2022-08-19T13:35:28", "id": "THN:5CEFBA9FAF414B3F57548EAB0EEA1718", "href": "https://thehackernews.com/2022/08/cybercrime-group-ta558-targeting.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-12T02:22:45", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgx6lZB3oJ9X1sLlKCznoOeSkcDGdxDDzLpQUslIFxcqcdMH_UDcAqH4PjZiqkCxL4jI-B00Zx79nco8uEEf5XiuDqkexKPHK5G1oPT3v5UXngC8t4QHYPLfIhQTOw0d5FZR2WUXYg38_ydmYOd8biQq4tgAK_UHmsEyzslVH8sLV19IMC1QE6NMR95/s728-e100/hacker-code.jpg>)\n\nAn espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.\n\nCybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the [Bitter APT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat>) based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.\n\n\"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including [China](<https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations>), Pakistan, and Saudi Arabia,\" Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, [told](<https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html>) The Hacker News.\n\n\"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise.\"\n\nBitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.\n\nThe earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws \u2014 [CVE-2021-1732](<https://blog.cyble.com/2021/02/24/bitter-apt-enhances-its-capability-with-windows-kernel-zero-day-exploit/>) and [CVE-2021-28310](<https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html>) \u2014 to its advantage and accomplishing its adversarial objectives.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEje8jC-uVfJtCg-HT90ER0XL1ynji-bMSmKY4TsMgVZDJ4BUis2Ee9BqhaK1IgRgN3C39Ble5vyCaoUWCWOSw_sCPSi1K1pqxhfFDtU7-XFOlKQELXIUmacfXYgeFx_YhnGNvj-1DRRGm2mRliJTxxHv8CqVxw48P0ghcuKJ0YObfTzh23rHBy_Bz3i/s728-e100/talos.jpg>)\n\nThe latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).\n\nAs is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed \"ZxxZ.\"\n\nZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.\n\n\"The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools,\" the researchers explained.\n\nWhile the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor ([CVE-2017-11882](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>)), the Excel file abuses two remote code execution flaws, [CVE-2018-0798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0798>) and [CVE-2018-0802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0802>), to activate the infection sequence.\n\n\"Actors often change their tools to avoid detection or attribution, this is part of the lifecycle of a threat actor showing its capability and determination,\" Ventura said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T12:37:00", "type": "thn", "title": "Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2022-05-12T01:27:46", "id": "THN:75586AE52D0AAF674F942498C96A2F6A", "href": "https://thehackernews.com/2022/05/bitter-apt-hackers-add-bangladesh-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-wbLrBJlJCfE/YOUa-690-KI/AAAAAAAADG0/6tT84mGPz6gQ_5vYBxhkEE_spk0LW4WpwCLcBGAsYHQ/s0/windows-patch-update.jpg>)\n\nMicrosoft has shipped an [emergency out-of-band security update](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#1646>) to address a critical zero-day vulnerability \u2014 known as \"PrintNightmare\" \u2014 that affects the Windows Print Spooler service and can permit remote threat actors to run arbitrary code and take over vulnerable systems.\n\nTracked as [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8), the remote code execution flaw impacts all supported editions of Windows. Last week, the company warned it had detected active exploitation attempts targeting the vulnerability.\n\n\"The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system,\" the CERT Coordination Center said of the issue.\n\nIt's worth noting that PrintNightmare includes both remote code execution and a [local privilege escalation](<https://github.com/calebstewart/CVE-2021-1675>) vector that can be abused in attacks to run commands with SYSTEM privileges on targeted Windows machines.\n\n[](<https://thehackernews.com/images/-NzUbsCmtpLU/YOUekekqtnI/AAAAAAAADG8/HwnD7Xq3_iYftG9BrRvS1tJxIBOomRzXgCLcBGAsYHQ/s0/lpe.jpg>)\n\n\"The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" CERT/CC vulnerability analyst Will Dormann [said](<https://www.kb.cert.org/vuls/id/383432>).\n\nThis effectively means that the incomplete fix could still be used by a local adversary to gain SYSTEM privileges. As workarounds, Microsoft recommends stopping and disabling the Print Spooler service or turning off inbound remote printing through Group Policy to block remote attacks.\n\nGiven the criticality of the flaw, the Windows maker has issued patches for:\n\n * Windows Server 2019\n * Windows Server 2012 R2\n * Windows Server 2008\n * Windows 8.1\n * Windows RT 8.1, and\n * Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)\n\nMicrosoft has even taken the unusual step of issuing the fix for Windows 7, which officially reached the end of support as of January 2020.\n\nThe [update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), however, does not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, for which the Redmond-based company stated patches will be released in the forthcoming days.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-07T03:11:00", "type": "thn", "title": "Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T03:38:13", "id": "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "href": "https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:23", "description": "[](<https://thehackernews.com/images/-RJ_0BYkTxHY/YN7HyUD-_KI/AAAAAAAA4SA/dbXcZli9DPwTnJvla5sgZ3hDzIqO8zLRgCLcBGAsYHQ/s0/windows-print-spooler-vulnerability.jpg>)\n\nMicrosoft on Thursday officially confirmed that the \"**PrintNightmare**\" remote code execution (RCE) vulnerability affecting Windows Print Spooler is different from the issue the company addressed as part of its Patch Tuesday update released earlier this month, while warning that it has detected exploitation attempts targeting the flaw.\n\nThe company is tracking the security weakness under the identifier [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), and has assigned it a severity rating of 8.8 on the CVSS scoring system. All versions of Windows contain the vulnerable code and are susceptible to exploitation.\n\n\"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\" Microsoft said in its advisory. \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\n\"An attack must involve an authenticated user calling RpcAddPrinterDriverEx(),\" the Redmond-based firm added. When reached by The Hacker News, the company said it had nothing to share beyond the advisory.\n\nThe acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor [published](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with a fully working PoC code, before it was taken down just hours after it went up.\n\n[](<https://thehackernews.com/images/-Zl5E2TyZRFQ/YN7Ej6s8x8I/AAAAAAAA4R4/FEYZ4JpYdakscU9e8eXMl9VEI0Hl1P_SwCLcBGAsYHQ/s0/ms.jpg>)\n\nThe disclosures also set off speculation and debate about whether the June patch does or does not protect against the RCE vulnerability, with the CERT Coordination Center [noting](<https://kb.cert.org/vuls/id/383432>) that \"while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.\"\n\nCVE-2021-1675, originally classified as an elevation of privilege vulnerability and later revised to RCE, was remediated by Microsoft on June 8, 2021.\n\nThe company, in its advisory, noted that PrintNightmare is distinct from CVE-2021-1675 for reasons that the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and that the attack vector is different.\n\nAs workarounds, Microsoft is recommending users to disable the Print Spooler service or turn off inbound remote printing through Group Policy. To reduce the attack surface and as an alternative to completely disabling printing, the company is also advising to check membership and nested group membership, and reduce membership as much as possible, or completely empty the groups where possible.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T05:36:00", "type": "thn", "title": "Microsoft Warns of Critical \"PrintNightmare\" Flaw Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-03T07:11:54", "id": "THN:9CE630030E0F3E3041E633E498244C8D", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-critical.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-4tveTym6-fk/YOZ_5ZwEbHI/AAAAAAAADHs/xXSCpfsipXYpe6tJM2SGaTIDUE9dVGoGwCLcBGAsYHQ/s0/PrintNightmare-Vulnerability-Patch.jpg>)\n\nEven as Microsoft [expanded patches](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center>) for the so-called [PrintNightmare vulnerability](<https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html>) for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.\n\nOn Tuesday, the Windows maker issued an [emergency out-of-band update](<https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html>) to address [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug \u2014 tracked as [CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \u2014 that was patched by Microsoft on June 8.\n\n\"Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism,\" Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. \"These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing.\"\n\n\"These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability,\" Balmas added.\n\nPrintNightmare stems from bugs in the Windows [Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler>) service, which manages the printing process inside local networks. The main concern with the threat is that non-administrator users had the ability to load their own printer drivers. This has now been rectified.\n\n\"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server,\" Microsoft [said](<https://support.microsoft.com/en-us/topic/july-7-2021-kb5004948-os-build-14393-4470-out-of-band-fb676642-a3fe-4304-a79c-9d651d2f6550>), detailing the improvements made to mitigate the risks associated with the flaw. \"Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.\"\n\nPost the update's release, CERT/CC vulnerability analyst Will Dormann cautioned that the patch \"only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems.\n\nNow, further testing of the update has revealed that exploits targeting the flaw could [bypass](<https://twitter.com/gentilkiwi/status/1412771368534528001>) the [remediations](<https://twitter.com/wdormann/status/1412813044279910416>) entirely to gain both local privilege escalation and remote code execution. To achieve this, however, a [Windows policy](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer>) called '[Point and Print Restrictions](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/point-print-restrictions-policies-ignored>)' must be enabled (Computer Configuration\\Policies\\Administrative Templates\\Printers: Point and Print Restrictions), using which malicious printer drivers could be potentially installed.\n\n\"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1,\" Dormann [said](<https://www.kb.cert.org/vuls/id/383432>) Wednesday. Microsoft, for its part, [explains in its advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) that \"Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.\"\n\nWhile Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an [alternative workaround](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) is to enable security prompts for Point and Print, and limit printer driver installation privileges to administrators alone by configuring the \"RestrictDriverInstallationToAdministrators\" registry value to prevent regular users from installing printer drivers on a print server.\n\n**UPDATE:** In response to CERT/CC's report, Microsoft [said](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) on Thursday:\n\n\"Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-08T04:35:00", "type": "thn", "title": "Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T09:52:49", "id": "THN:CAFA6C5C5A34365636215CFD7679FD50", "href": "https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-nG0kgJIWUe4/YKyCba_26VI/AAAAAAAACnk/LKb9R527jacuLLW42sp_Pra0dvHvKtFKgCLcBGAsYHQ/s0/apple.jpg>)\n\nApple on Monday rolled out security updates for [iOS](<https://support.apple.com/en-us/HT212528>), [macOS](<https://support.apple.com/en-us/HT212529>), [tvOS](<https://support.apple.com/en-us/HT212532>), [watchOS](<https://support.apple.com/en-us/HT212533>), and [Safari](<https://support.apple.com/en-us/HT212534>) web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws. \n\nTracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control ([TCC](<https://support.apple.com/en-in/guide/security/secddd1d86a6/web>)) framework in macOS that maintains a database of each user's consents. The iPhone maker acknowledged that the issue may have been exploited in the wild but stopped short of sharing specifics.\n\nThe company noted that it rectified the problem with improved validation.\n\nHowever, in a separate report, mobile device management company Jamf said the bypass flaw was being actively exploited by XCSSET, a malware that's been out in the wild since August 2020 and known to propagate via modified [Xcode IDE projects](<https://developer.apple.com/library/archive/featuredarticles/XcodeConcepts/Concept-Projects.html>) hosted on GitHub repositories and plant malicious packages into legitimate apps installed on the target system.\n\n\"The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user's explicit consent \u2014 which is the default behavior,\" Jamf researchers Stuart Ashenbrenner, Jaron Bradley, and Ferdous Saljooki [said](<https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/>) in a write-up.\n\n[](<https://thehackernews.com/images/-D65Oi6v5MWk/YKx_ahsaI8I/AAAAAAAACnc/7lPcPh2B5Rg04i8Tu6E0cBxGgMMDvthlgCLcBGAsYHQ/s0/iOS-malware.jpg>)\n\nTaking the form of a AppleScript module, the zero-day flaw allowed the hackers to exploit the devices XCSSET was installed to leverage the permissions that have already been provided to the trojanized application to amass and exfiltrate sensitive information.\n\nSpecifically, the malware checked for screen capture permissions from a list of installed applications, such as Zoom, Discord, WhatsApp, Slack, TeamViewer, Upwork, Skype, and Parallels Desktop, to inject the malware (\"avatarde.app\") into the app's folder, thereby inheriting the necessary permissions required to carry out its nefarious tasks.\n\n\"By leveraging an installed application with the proper permissions set, the attacker can piggyback off that donor app when creating a malicious app to execute on victim devices, without prompting for user approval,\" the researchers noted.\n\nXCSSET was also the subject of closer scrutiny [last month](<https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html>) after a new variant of the malware was detected targeting Macs running on Apple's new M1 chips to steal wallet information from cryptocurrency apps. One of its primary functions is to siphon Safari browser cookies as well as install a developer version of the Safari application to load JavaScript backdoors from its command-and-control server.\n\nAlso fixed as part of Monday's updates are two other actively exploited flaws in its WebKit browser engine affecting Safari, Apple TV 4K, and Apple TV HD devices, almost three weeks after Apple addressed the same issues in [iOS, macOS, and watchOS](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) earlier this month.\n\n * **CVE-2021-30663** \\- An integer overflow issue in WebKit, which could be exploited to achieve arbitrary code execution when processing maliciously crafted web content.\n * **CVE-2021-30665** \\- A memory corruption issue in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content.\n\nUsers of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-25T04:52:00", "type": "thn", "title": "Apple\u200c Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30713"], "modified": "2021-05-25T04:52:15", "id": "THN:3251602ACD4E04F5F4C7F140878960E0", "href": "https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:26", "description": "[](<https://thehackernews.com/images/-XDTHXeRiSOs/XtiwKuAffDI/AAAAAAAAAZ0/agv-iIrKqt8IiznmwrS_g-Hhgu-R--8RgCLcBGAsYHQ/s728-e100/malware.jpg>)\n\nA Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to a newly published research by Kaspersky yesterday. \n \nThe APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos. \n \n\"One of the newly revealed tools is named **USBCulprit **and has been found to rely on USB media in order to exfiltrate victim data,\" [Kaspersky](<https://securelist.com/cycldek-bridging-the-air-gap/97157/>) said. \"This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\" \n \nFirst observed by [CrowdStrike](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT. \n \n\n\n## Exfiltrating Data to Removable Drives\n\n \nKaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure, but also contain features that are exclusive to RedCore \u2014 namely a keylogger and an RDP logger that captures details about users connected to a system via RDP. \n \n\n\n[](<https://thehackernews.com/images/-Uo7TkL_TEQg/XtirFVGHNWI/AAAAAAAAAZk/3fpINW9IErAOfGCG0T7fZGr5K9LM3BnuACLcBGAsYHQ/s728-e100/usb-virus.jpg>)\n\n \n\"Each cluster of activity had a different geographical focus,\" the researchers said. \"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.\" \n \nBoth BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. \n \nChief among them is a malware called USBCulprit that's capable of scanning a number of paths, collecting documents with specific extensions (*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf), and exporting them to a connected USB drive. \n \n\n\n[](<https://thehackernews.com/images/-T3eT2rv9TYU/XtirEJq7SnI/AAAAAAAAAZg/x2SxjApz6oolC0VavLfhqMYUtS4eQTMcQCLcBGAsYHQ/s728-e100/usb-computer-virus.jpg>)\n\n \nWhat's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. \n \nA telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of last year. \n \nThe initial infection mechanism relies on leveraging malicious binaries that mimic legitimate antivirus components to load USBCulprit in what's called [DLL search order hijacking](<https://attack.mitre.org/techniques/T1038/>) before it proceeds to collect the relevant information, save it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device. \n \n\"The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines,\" the researchers said. \"This would explain the lack of any network communication in the malware and the use of only removable media as a means of transferring inbound and outbound data.\" \n \nUltimately, the similarities and differences between the two pieces of malware are indicative of the fact that the actors behind the clusters are sharing code and infrastructure, while operating as two different offshoots under a single larger entity. \n \n\"Cycldek is an example of an actor that has broader capability than publicly perceived,\" Kaspersky concluded. \"While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-04T08:31:00", "type": "thn", "title": "New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "modified": "2020-06-04T08:31:39", "id": "THN:42E3306FC75881CF8EBD30FA8291FF29", "href": "https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:16", "description": "[](<https://thehackernews.com/images/-eih1k3cYVhA/YI-naR8atLI/AAAAAAAACbU/NvYXtTt5zpkVcilfqrwOd5oadfGSEyNuQCLcBGAsYHQ/s0/hacking.jpg>)\n\nA threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces.\n\nThe phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous \"Royal Road\" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed \"**PortDoor**,\" according to Cybereason's Nocturnus threat intelligence team.\n\n\"Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,\" the researchers [said](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>) in a write-up on Friday.\n\nRubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over [85% of submarines](<https://ckb-rubin.ru/en/company_profile/>) in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.\n\n[](<https://thehackernews.com/images/-LhySSop9zLA/YI-dzc0pM9I/AAAAAAAACbM/Nhsd5V7X3tY_t7UM4MzbcCyd6fxoRAV1ACLcBGAsYHQ/s0/hacking.jpg>) \n--- \nContent of the weaponized RTF document \n \nOver the years, Royal Road has earned its place as a [tool of choice](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>) among an array of Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. Known for exploiting multiple flaws in Microsoft's [Equation Editor](<https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018>) (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as late 2018, the attacks take the form of targeted spear-phishing campaigns that utilize malicious RTF documents to deliver custom malware to unsuspecting high-value targets.\n\nThis newly discovered attack is no different, with the adversary using a spear-phishing email addressed to the submarine design firm as an initial infection vector. While previous versions of Royal Road were found to drop encoded payloads by the name of \"8.t,\" the email comes embedded with a malware-laced document, which, when opened, delivers an encoded file called \"e.o\" to fetch the PortDoor implant, implying a new variant of the weaponizer in use.\n\nSaid to be engineered with obfuscation and persistence in mind, PortDoor runs the backdoor gamut with a wide range of features that allow it to profile the victim machine, escalate privileges, download and execute arbitrary payloads received from an attacker-controlled server, and export the results back to the server.\n\n\"The infection vector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-03T07:34:00", "type": "thn", "title": "New Chinese Malware Targeted Russia's Largest Nuclear Submarine Designer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-05-03T16:14:45", "id": "THN:8EAD85C313EF85BE8D38BAAD851B106E", "href": "https://thehackernews.com/2021/05/new-chinese-malware-targeted-russias.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-xmPJ5TMTpac/YO_wfpf1LkI/AAAAAAAADM4/xSKsZYAbLBYJjYvNQilqUM9z0lf0Rx7_gCLcBGAsYHQ/s0/chrome.jpg>)\n\nThreat intelligence researchers from Google on Wednesday [shed more light](<https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/>) on four in-the-wild zero-days in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year.\n\nWhat's more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed actors, contributing to an uptick in real-world attacks. The list of now-patched vulnerabilities is as follows -\n\n * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>): Use-After-Free in QuickTimePluginReplacement (Apple WebKit)\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>): Chrome Object Lifecycle Issue in Audio\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>): Chrome Type Confusion in V8\n * [**CVE-2021-33742**](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>): Internet Explorer out-of-bounds write in MSHTML\n\nBoth Chrome zero-days \u2014 CVE-2021-21166 and CVE-2021-30551 \u2014 are believed to have been used by the same actor, and were delivered as one-time links sent via email to targets located in Armenia, with the links redirecting unsuspecting users to attacker-controlled domains that masqueraded as legitimate websites of interest to the recipients.\n\nThe malicious websites took charge of fingerprinting the devices, including collecting system information about the clients, before delivering a second-stage payload.\n\nWhen Google rolled out a patch for CVE-2021-30551, Shane Huntley, Director of Google's Threat Analysis Group (TAG), revealed that the vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its [Patch Tuesday update](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) on June 8.\n\nThe two zero-days were provided by a commercial exploit broker to a nation-state adversary, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley previously added.\n\n[](<https://thehackernews.com/images/--ol-CfJ3-bE/YO_tDkpfuNI/AAAAAAAADMw/bonGU0wpX_QzAsMNe5_Eh_0_Nb4OAma_QCLcBGAsYHQ/s0/zero-day.jpg>)\n\nNow according to a technical report published by the team, all the three zero-days were \"developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors,\" adding the Internet Explorer flaw was used in a campaign targeting Armenian users with malicious Office documents that loaded web content within the web browser.\n\nGoogle did not disclose the identities of the exploit broker or the two threat actors that used the vulnerabilities as part of their attacks.\n\n## SolarWinds Hackers Exploited iOS Zero-Day\n\nThe Safari zero-day, in contrast, concerned a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks. The issue was rectified by Apple on March 26, 2021.\n\nAttacks leveraging CVE-2021-1879, which Google attributed to a \"likely Russian government-backed actor,\" were executed by means of sending malicious links to government officials over LinkedIn that, when clicked from an iOS device, redirected the user to a rogue domain that served the next-stage payloads.\n\nIt's worth noting that the offensive also mirrors a [wave of targeted attacks](<https://thehackernews.com/2021/05/solarwinds-hackers-target-think-tanks.html>) unleashed by Russian hackers tracked as Nobelium, which was found abusing the vulnerability to strike government agencies, think tanks, consultants, and non-governmental organizations as part of an email phishing campaign.\n\nNobelium, a threat actor linked to the Russian Foreign Intelligence Service (SVR), is also suspected of orchestrating the [SolarWinds supply chain attack](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>) late last year. It's known by other aliases such as APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).\n\n\"Halfway into 2021, there have been [33 zero-day exploits](<https://googleprojectzero.github.io/0days-in-the-wild/rca.html>) used in attacks that have been publicly disclosed this year \u2014 11 more than the total number from 2020,\" TAG researchers Maddie Stone and Clement Lecigne noted. \"While there is an increase in the number of zero-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-15T08:25:00", "type": "thn", "title": "Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1879", "CVE-2021-21166", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-07-15T12:45:33", "id": "THN:BBBFDA7EEE18F813A5DA572FD390D528", "href": "https://thehackernews.com/2021/07/google-details-ios-chrome-ie-zero-day.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:58", "description": "[](<https://thehackernews.com/images/--v2cn8JGV00/YMGRd9cFvrI/AAAAAAAACz4/i5Stk6m4GEgwbul82T6lZeEbdMMNfofJQCLcBGAsYHQ/s0/chrome-zero-day-vulnerability.jpg>)\n\nAttention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update it immediately to the latest version Google released earlier today.\n\nThe internet services company has rolled out an urgent update to the browser to address 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild.\n\nTracked as [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html>), the vulnerability stems from a type confusion issue in its V8 open-source and JavaScript engine. Sergei Glazunov of Google Project Zero has been credited with discovering and reporting the flaw.\n\nAlthough the search giant's Chrome team issued a terse statement acknowledging \"an exploit for CVE-2021-30551 exists in the wild,\" Shane Huntley, Director of Google's Threat Analysis Group, [hinted](<https://twitter.com/ShaneHuntley/status/1402712986289016835>) that the vulnerability was leveraged by the same actor that abused [CVE-2021-33742](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>), an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its Patch Tuesday update on June 8.\n\n[](<https://thehackernews.com/images/-XI4fkisfDp0/YMGPq0RtpKI/AAAAAAAACzw/d0mpshr20nw2j--sOXxBrrTJIj2IP95ewCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\nThe two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley said.\n\nMore technical details about the nature of the attacks are to be released in the coming weeks so as to allow a majority of the users to install the update and prevent other threat actors from creating exploits targeting the flaw.\n\nWith the latest fix, Google has addressed a total of seven zero-days in Chrome since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n\nChrome users can update to the latest version (91.0.4472.101) by heading to Settings &gt; Help &gt; About Google Chrome to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-10T04:14:00", "type": "thn", "title": "New Chrome 0-Day Bug Under Active Attacks \u2013 Update Your Browser ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-06-10T10:25:50", "id": "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "href": "https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:20", "description": "[](<https://thehackernews.com/images/--Br-zb7NQb0/YPEUTqMvgsI/AAAAAAAADNw/cesEHjkHFKgyqC_MTP_ji5iUXUCeqoH1QCLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle has pushed out a new security update to Chrome browser for Windows, Mac, and Linux with multiple fixes, including a zero-day that it says is being exploited in the wild.\n\nThe latest patch resolves a total of eight issues, one of which concerns a type confusion issue in its V8 open-source and JavaScript engine ([CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>)). The search giant credited an anonymous researcher for reporting the flaw on July 12.\n\nAs is usually the case with actively exploited flaws, the company issued a terse statement acknowledging that \"an exploit for CVE-2021-30563 exists in the wild\" while refraining from sharing full details about the underlying vulnerability used in the attacks due to its serious nature and the possibility that doing so could lead to further abuse.\n\nCVE-2021-30563 also marks the ninth zero-day addressed by Google to combat real-world attacks against Chrome users since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n\nChrome users are advised to update to the latest version (91.0.4472.164) by heading to Settings &gt; Help &gt; 'About Google Chrome' to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-16T05:08:00", "type": "thn", "title": "Update Your Chrome Browser to Patch New Zero\u2011Day Bug Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563"], "modified": "2021-07-16T05:08:47", "id": "THN:C736174C6B0ADC38AA88BC58F30271DA", "href": "https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-29T03:59:29", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRrnxKtJzXQbaLrPRY2GEIij8so07HImMs9wbPTTP-j92ED6wxTFv-NdQyw_Z0JBlqIYh-H3g2WKAcIkt70zKcB5AxP9KcQgCqChBwNsYPu9CQ_Xp6uBmkhxyoNZpHZIIQrV5TkreAFNBg-kFpOzjxBYxhl5bZqKZH6j9zgyd3itncGVyM5L09fy-c/s728-e100/windows-hacker.jpg>)\n\nA cyber mercenary that \"ostensibly sells general security and information analysis services to commercial customers\" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities.\n\nThe company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called [DSIRF](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) that's linked to the development and attempted sale of a piece of cyberweapon referred to as **Subzero**, which can be used to hack targets' phones, computers, and internet-connected devices.\n\n\"Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,\" the tech giant's cybersecurity teams [said](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) in a Wednesday report.\n\nMicrosoft is [tracking](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>) the actor under the moniker KNOTWEED, continuing its trend of terming PSOAs using names given to trees and shrubs. The company previously designated the name [SOURGUM](<https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html>) to Israeli spyware vendor Candiru.\n\nKNOTWEED is known to dabble in both access-as-a-service and [hack-for-hire](<https://thehackernews.com/2022/06/google-blocks-dozens-of-malicious.html>) operations, offering its toolset to third parties as well as directly associating itself in certain attacks.\n\nWhile the former entails the sales of end-to-end hacking tools that can be used by the purchaser in their own operations without the involvement of the offensive actor, hack-for-hire groups run the targeted operations on behalf of their clients.\n\nThe deployment of Subzero is said to have transpired through the exploitation of numerous issues, including an attack chain that abused an unknown Adobe Reader remote code execution (RCE) flaw and a zero-day privilege escalation bug ([CVE-2022-22047](<https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html>)), the latter of which was addressed by Microsoft as part of its July Patch Tuesday updates.\n\n\"The exploits were packaged into a PDF document that was sent to the victim via email,\" Microsoft explained. \"CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes and achieve system-level code execution.\"\n\nSimilar attack chains observed in 2021 leveraged a combination of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) in conjunction with an Adobe reader flaw (CVE-2021-28550). The three vulnerabilities were [resolved](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) in June 2021.\n\nThe deployment of Subzero subsequently occurred through a fourth exploit, this time taking advantage of a privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>)), which was closed by Microsoft in August 2021.\n\nBeyond these exploit chains, Excel files masquerading as real estate documents have been used as a conduit to deliver the malware, with the files containing [Excel 4.0 macros](<https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html>) designed to kick-start the infection process.\n\nRegardless of the method employed, the intrusions culminate in the execution of shellcode, which is used to retrieve a second-stage payload called Corelump from a remote server in the form of a JPEG image that also embeds a loader named Jumplump that, in turn, loads Corelump into memory.\n\nThe evasive implant comes with a wide range of capabilities, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from the remote server.\n\nAlso deployed during the attacks were bespoke utilities like Mex, a command-line tool to run open source security software like Chisel, and PassLib, a tool to dump credentials from web browsers, email clients, and the Windows credential manager.\n\nMicrosoft said it uncovered KNOTWEED actively serving malware since February 2020 through infrastructure hosted on DigitalOcean and Choopa, alongside identifying subdomains that are used for malware development, debugging Mex, and staging the Subzero payload.\n\nMultiple links have also been unearthed between DSIRF and the malicious tools used in KNOTWEED's attacks.\n\n\"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,\" Redmond noted.\n\nSubzero is no different from off-the-shelf malware such as [Pegasus](<https://thehackernews.com/2022/07/pegasus-spyware-used-to-hack-devices-of.html>), [Predator](<https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html>), [Hermit](<https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html>), and [DevilsTongue](<https://thehackernews.com/2022/07/candiru-spyware-caught-exploiting.html>), which are capable of infiltrating phones and Windows machines to remotely control the devices and siphon off data, sometimes without requiring the user to click on a malicious link.\n\nIf anything, the latest findings highlight a burgeoning international market for such sophisticated surveillance technologies to carry out targeted attacks aimed at members of civil society.\n\nAlthough companies that sell commercial spyware advertise their wares as a means to tackle serious crimes, evidence gathered so far has found [several instances](<https://thehackernews.com/2022/06/nso-confirms-pegasus-spyware-used-by-at.html>) of these tools being misused by authoritarian governments and private organizations to snoop on human rights advocates, journalists, dissidents, and politicians.\n\nGoogle's Threat Analysis Group (TAG), which is tracking over 30 vendors that hawk exploits or surveillance capabilities to state-sponsored actors, said the booming ecosystem underscores \"the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments.\"\n\n\"These vendors operate with deep technical expertise to develop and operationalize exploits,\" TAG's Shane Huntley [said](<https://blog.google/threat-analysis-group/googles-efforts-to-identify-and-counter-spyware/>) in a testimony to the U.S. House Intelligence Committee on Wednesday, adding, \"its use is growing, fueled by demand from governments.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-28T11:18:00", "type": "thn", "title": "Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-22047"], "modified": "2022-07-29T02:58:07", "id": "THN:DFA2CC41C78DFA4BED87B1410C21CE2A", "href": "https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-05-30T05:52:39", "description": "Evidence has surfaced that the Cobalt Group \u2013 the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe \u2013 is continuing to operate, despite the arrest of its accused ringleader in March.\n\nThe Cobalt Group, first burst on the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.\n\nIn a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers there said in mid-May 2018 they detected a phishing campaign directed at the financial sector that has an ultimate goal of downloading a JavaScript backdoor on target\u2019s computers. Researchers discovered the backdoor to be loaded up with malevolent functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, it\u2019s capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.\n\n\u201cAlthough [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group\u2019s previous attacks,\u201d they noted.\n\nCobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.\n\nThe new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. This kill chain is the same as that of a Cobalt Group campaign detected in February.\n\n\u201cCobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,\u201d explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers\u2019 success rate jumps to 33 percent.\n\nAs for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.\n\nThe resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group\u2019s leader (also behind the Carbanak gang) on March 26. EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.\n", "cvss3": {}, "published": "2018-05-28T12:21:42", "type": "threatpost", "title": "Despite Ringleader\u2019s Arrest, Cobalt Group Still Active", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-05-28T12:21:42", "id": "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "href": "https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:15:20", "description": "Despite the high profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.\n\nIn a report [issued by security firm Fidelis on Tuesday](<https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf>) (PDF), researchers outline a number of new developments including:\n\n * Despite an arrest earlier this year of a key member, of the Cobalt Group remains active.\n * A new version on the malware ThreadKit is being actively distributed in October 2018.\n * The CobInt trojan uses a XOR-based obfuscation technique.\n\n## Reemergence of Cobalt Group\n\nThe Cobalt Group first appeared in 2013 and in 2016 made a name for itself with widespread attacks on banks and ATM jackpotting campaigns across Europe. In one single campaign, it was credited for stealing over $32,000 from six Eastern Europe ATMs. In the following years the Cobalt Group expanded its focus to include financial-sector phishing schemes and new regions, including North and South America.\n\nIn March, the Cobalt Group was dealt a severe blow when the EUROPOL [announced](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) the arrest of the \u201ccriminal mastermind\u201d behind the group in Alicante, Spain. Since then, the group [was observed by Positive Technology](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>) in May as the criminals behind a spear phishing campaign directed at the financial sector that had the goal of enticing victims to download a JavaScript backdoor.\n\n\u201cIn 2017 they expanded their targets from banks to include supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America. Tools used in 2017 included [PetrWrap](<https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/>), more_eggs, CobInt and ThreadKit,\u201d wrote Jason Reaves, principal, threat research with the Fidelis Threat Research Team in the report.\n\n**ThreadKit 2.0 **\n\nAfter the arrest of Cobalt Group\u2019s leader, in May the group was spotted changing up its tactics. To that end, the Cobalt Group began focusing on exploits used for remote code execution found in Microsoft Word ([CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>)) and one notably being [the now patched April 2017 zero-day bug](<https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/>) ([CVE-2017-0199](<https://threatpost.com/microsoft-patches-three-vulnerabilities-under-attack/124927/>)).\n\n\u201cIn October 2018, [we] identified a new version of ThreadKit. As per Cobalt Group\u2019s typical methods, the malware was delivered via phishing email, containing a RFT Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,\u201d according to Fidelis. \u201c[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups.\u201d\n\nFidelis\u2019 latest analysis of the ThreadKit also notes \u201ca slight evolution\u201d in the exploit kit designed to better hide from detection. Obfuscation techniques include \u201cplacing the \u2018M\u2019 from the \u2018MZ\u2019 of an executable file into it\u2019s own object and now renaming a number of the objects inside.\u201d\n\nFidelis also pointed out the update including a new download URL where the malware code \u201cobjects\u201d are downloaded from and later combined to create the executable. \u201cA few highlights from the embedded files shows a check for block.txt, which is similar to the previous version\u2019s kill-switch implementation,\u201d Reaves wrote.\n\n**CobInt Adopts New Obfuscation Skills **\n\nThe ThreadKit payload is the trojan Coblnt, a longtime favorite of the Cobalt Group. To further frustrate analysis and detection, the attackers added another layer of obfuscation, a XOR routine used to decode the initial Coblnt payload. A XOR, or XOR cipher, is an encryption algorithm that operates on a set of known principles. Encryption and decryption can be performed by applying and reapplying the XOR function.\n\n\u201cWhat\u2019s interesting here is that the XOR key is replaced by the subtraction value and the subtraction value is replaced by the previously read DWORD value. So the only value that\u2019s needed is the hardcoded XOR key, meaning mathematically this entire thing can be solved using a theorem prover such as Z3,\u201d researchers pointed out.\n\nThe decoded payload is the CobInt DLL, which when loaded will \u201csit in a loop beaconing to its C2 and waiting for commands and modules to be executed,\u201d according to Fidelis.\n\nFidelis and other researchers say the arrest of Cobalt group members have only temporarily slowed Carbanak/Cobalt threat actors. In a recent analysis by Kaspersky Lab, researchers said Cobalt arrests have only emboldened members and hastened the process of [splitting the groups into smaller cells](<https://securelist.com/ksb-cyberthreats-to-financial-institutions-2019-overview-and-predictions/88944/>).\n", "cvss3": {}, "published": "2018-12-11T18:40:00", "type": "threatpost", "title": "Cobalt Group Pushes Revamped ThreadKit Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-12-11T18:40:00", "id": "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "href": "https://threatpost.com/cobalt-threadkit-malware/139800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T22:18:00", "description": "Microsoft jumped on 50 vulnerabilities in this month\u2019s [Patch Tuesday update](<https://msrc.microsoft.com/update-guide>), issuing fixes for CVEs in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code \u2013 Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nFive of the CVEs are rated Critical and 45 are rated Important in severity. Microsoft reported that six of the bugs are currently under active attack, while three are publicly known at the time of release.\n\nThe number might seem light \u2013 it represents six fewer patches than Microsoft [released in May](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>) \u2013 but the number of critical vulnerabilities ticked up to five month-over-month.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThose actively exploited vulnerabilities can enable an attacker to hijack a system. They have no workarounds, so some security experts are recommending that they be patched as the highest priority.\n\nThe six CVEs under active attack in the wild include four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution (RCE) vulnerability.\n\n## Critical Bugs of Note\n\n[CVE-2021-31985](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31985>) is a critical RCE vulnerability in Microsoft\u2019s Defender antimalware software that should grab attention. A similar, critical bug in Defender was [patched in January](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>). The most serious of the year\u2019s first Patch Tuesday, that earlier Defender bug was an RCE vulnerability that came under active exploit.\n\nAnother critical flaw is [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31963>), a Microsoft SharePoint Server RCE vulnerability. Jay Goodman, director of product marketing at Automox, said in a [blog post](<https://blog.automox.com/automox-experts-weigh-in-june-patch-tuesday-2021>) that an attacker exploiting this vulnerability \u201ccould take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights.\u201d \nWhile Microsoft reports that this vulnerability is less likely to be exploited,Goodman suggested that organizations don\u2019t let it slide: \u201cPatching critical vulnerabilities in the 72-hour window before attackers can weaponize is an important first step to maintaining a safe and secure infrastructure,\u201d he observed.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/08141612/Sophos-impact-chart-June-21-patch-Tuesday-e1623176186946.png>)\n\nA year-to-date summary of 2021 Microsoft vulnerability releases as of June. Source: Sophos\n\n## Bugs Exploited in the Wild\n\nMicrosoft fixed a total of seven zero-day vulnerabilities. One was [CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>), Windows Remote Desktop Services Denial of Service Vulnerability that was publicly disclosed but hasn\u2019t been seen in attacks. It was issued a CVSS score of 7.5.\n\nThese are the six flaws that MIcrosoft said are under active attack, all of them also zero days.\n\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2013 Windows Kernel Information Disclosure Vulnerability. Rating: Important. CVSS 5.5\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2013 Windows NTFS Elevation of Privilege Vulnerability. Rating: Important. CVSS 7.8\n * [CVE-2021-33739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) \u2013 Microsoft DWM Core Library Elevation of Privilege Vulnerability. Rating: Important. CVSS 8.4\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2013 Windows MSHTML Platform Remote Code Execution Vulnerability. Rating: **Critical**. CVSS 7.5\n * [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2\n * [CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2\n\n## CVE-2021-33742\n\nThis RCE vulnerability exploits MSHTML, a component used by the Internet Explorer engine to read and display content from websites.The bug could allow an attacker to execute code on a target system if a user views specially crafted web content. The [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2021/6/8/the-june-2021-security-update-review>)\u2018s (ZDI\u2019s) Dustin Childs noted in his Patch Tuesday analysis that since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are affected, not just Internet Explorer. \u201cIt\u2019s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list,\u201d he recommended.\n\nThe vulnerability doesn\u2019t require special privilege to exploit, though the attack complexity is high, if that\u2019s any consolation. An attacker would need to do some extra legwork to pull it off, noted Satnam Narang, staff research engineer at Tenable, in an email to Threatpost on Tuesday.\n\nImmersive Labs\u2019 Kevin Breen, director of cyber threat research, noted that visiting a website in a vulnerable browser is \u201ca simple way for attackers to deliver this exploit.\u201d He told Threatpost via email on Tuesday that since the library is used by other services and applications, \u201cemailing HTML files as part of a phishing campaign is also a viable method of delivery.\u201d\n\n[Sophos decreed](<https://news.sophos.com/en-us/2021/06/08/six-in-the-wild-exploits-patched-in-microsofts-june-security-fix-release/>) this one to be the top concern of this month\u2019s crop, given that it\u2019s already being actively exploited by malicious actors.\n\n## CVE-2021-31955, CVE-2021-31956: Used in PuzzleMaker Targeted Malware\n\nCVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. The ZDI\u2019s Childs noted that CVE-2021-31956 was reported by the same researcher who found CVE-2021-31955, an information disclosure bug also listed as under active attack. They could be linked, he suggested: \u201cIt\u2019s possible these bugs were used in conjunction, as that is a common technique \u2013 use a memory leak to get the address needed to escalate privileges. These bugs are important on their own and could be even worse when combined. Definitely prioritize the testing and deployment of these patches.\u201d\n\nHe was spot-on. On Tuesday, Kaspersky announced that its researchers had discovered a highly targeted malware campaign launched in April against multiple companies, in which a previously unknown threat actor used a chain of Chrome and Windows zero-day exploits: Namely, these two.\n\nIn a press release, Kaspersky said that one of the exploits was used for RCE in the Google Chrome web browser, while the other was an elevation of privilege exploit fine-tuned to target \u201cthe latest and most prominent builds\u201d of Windows 10.\n\n\u201cRecent months have seen a wave of advanced threat activity exploiting zero-days in the wild,\u201d according to the release. \u201cIn mid-April, Kaspersky experts discovered yet a new series of highly targeted exploit attacks against multiple companies that allowed the attackers to stealthily compromise the targeted networks.\u201d\n\nKaspersky hasn\u2019t yet found a connection between these attacks and any known threat actors, so it\u2019s gone ahead and dubbed the actor PuzzleMaker. It said that all the attacks were conducted through Chrome and used an exploit that allowed for RCE. Kaspersky researchers weren\u2019t able to retrieve the code for the exploit, but the timeline and availability suggests the attackers were using the now-patched [CVE-2021-21224](<https://www.cvedetails.com/cve/CVE-2021-21224>) vulnerability in Chrome and Chromium browsers that allows attackers to exploit the Chrome renderer process (the processes that are responsible for what happens inside users\u2019 tabs).\n\nKaspersky experts did find and analyze the second exploit, however: An elevation of privilege exploit that exploits two distinct vulnerabilities in the Microsoft Windows OS kernel: CVE-2021-31955 and CVE-2021-31956. The CVE-2021-31955 bug \u201cis affiliated with SuperFetch, a feature first introduced in Windows Vista that aims to reduce software loading times by pre-loading commonly used applications into memory,\u201d they explained.\n\nThe second flaw, CVE-2021-31956, is an Elevation of Privilege vulnerability and heap-based buffer overflow. Kaspersky said that attackers used this vulnerability alongside Windows Notification Facility (WNF) \u201cto create arbitrary memory read/write primitives and execute malware modules with system privileges.\u201d\n\n\u201cOnce the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,\u201d they continued. \u201cThis dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.\u201d\n\nBoris Larin, senior security researcher with Kaspersky\u2019s Global Research and Analysis Team (GReAT), said that the team hasn\u2019t been able to link these highly targeted attacks to any known threat actor: Hence the name PuzzleMaker and the determination to closely monitor the security landscape \u201cfor future activity or new insights about this group,\u201d he was quoted as saying in the press release.\n\nIf the current trend is any indication, expect to see more of the same, Larin said. \u201cOverall, of late, we\u2019ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,\u201d he said. \u201cIt\u2019s a reminder that zero days continue to be the most effective method for infecting targets. Now that these vulnerabilities have been made publicly known, it\u2019s possible that we\u2019ll see an increase of their usage in attacks by this and other threat actors. That means it\u2019s very important for users to download the latest patch from Microsoft as soon as possible.\u201d\n\n## CVE-2021-31199/CVE-2021-31201\n\nThe two Enhanced Cryptographic Provider Elevation of Privilege vulnerabilities are linked to the Adobe Reader bug that [came under active attack](<https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/>) last month (CVE-2021-28550), ZDI explained. \u201cIt\u2019s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits,\u201d he explained. \u201cIt is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.\u201d\n\n## CVE-2021-33739\n\nBreen noted that privilege escalation vulnerabilities such as this one in the Microsoft DWM Core Library are just as valuable to attackers as RCEs. \u201cOnce they have gained an initial foothold, they can move laterally across the network and uncover further ways to escalate to system or domain-level access,\u201d he said. \u201cThis can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook, ****_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-06-08T21:45:12", "type": "threatpost", "title": "Microsoft Patch Tuesday Fixes 6 In-The-Wild Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31963", "CVE-2021-31968", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T21:45:12", "id": "THREATPOST:61CC1EAC83030C2B053946454FE77AC3", "href": "https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:17", "description": "A new wave of document attacks targeting inboxes do not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware.\n\nResearchers at Menlo Security are reporting a wave of attacks that began last month that are targeting financial and information service sectors in the Middle East and United States. The method of infection includes a new multi-stage infection technique.\n\nThe company, which released details of the method Monday, said that attacks are adept at evading security solutions such as sandboxes and AV solutions, which fail when there is no malicious content or rogue links in a document to detect.\n\n\u201cThe absence of active code or shellcode in the first stage malicious document, which was sent as an email attachment, is noteworthy because this attack relies on a remotely-hosted malicious object,\u201d said Vinay Pidathala, director of security research at Menlo Security.\n\nResearchers said attackers are exploiting \u201cdesign flaws\u201d in the document formats .docx and RTF, in combination with abusing unpatched instances of a remote code execution vulnerability [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>) [\u2013 patched in July 2017](<https://threatpost.com/microsoft-patch-tuesday-update-fixes-19-critical-vulnerabilities/126758/>).\n\nThe first stage of the attack is the most significant and unique aspect of the malware infection chain, according to researchers. It involves a spam email and an attached .docx file. The Word document utilizes Framesets. \u201cFramesets are HTML tags and contain frames responsible for loading documents,\u201d described the researcher.\n\nWhen the document is simply viewed in Microsoft Office \u201cEdit\u201d mode (and not the default \u201cProtected\u201d mode), an embedded frame points to a TinyURL defined in the document\u2019s webSettings.xml.rels file. A \u201c.rels\u201d file contains information about how different parts of a Microsoft Office document fit together, according to a [description on File.org](<https://file.org/extension/rels>).\n\n\u201cIf a victim opens the malicious first stage document, Microsoft Word makes an HTTP request to download the object pointed to by the URL and renders it within the document,\u201d according to Menlo Security.\n\nIn the case of the rogue document, the TinyURL points to command-and-control (C2) server domains located in France and the United States that download a malicious RTF file.\n\nAccording to Pidathala, it is this first stage of the attack that is unique. The rest of the attack, he said, is fairly common and one currently used in a number of recent attacks by cybercriminals behind the Cobalt group to deliver FormBook and other types of malware.\n\n\u201cA design behavior occurs in RTF documents, when an RTF document with an embedded Package object is opened, the embedded object is automatically dropped to the %TEMP% directory of Windows. This technique was also used by the threat actors behind the Cobalt group that used [CVE-2017-11882](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>),\u201d wrote researchers noting a recent spike in attacks [using the CVE](<https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware>).\n\nThe vulnerability CVE-2017-11882 is the remote code execution bug patched last November located in an Office executable called Microsoft Equation Editor. But instead of taking advantage of that vulnerability, the most recent attacks identified by Menlo Security take advantage of the vulnerability [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>).\n\nThe vulnerability CVE-2017-8570 is a remote code execution vulnerability in Microsoft Office tied to the way the software suite handles objects in memory.\n\n\u201cFor the attack to succeed, this executable still needs to be executed. And, that\u2019s where the CVE-2017-8570 comes into play. CVE-2017-8570 executes the dropped object in the %TEMP% directory,\u201d researchers said.\n\nMenlo Security observed an embedded .sct (scriptlet) file dropped to the %TEMP% directory. \u201cWhen the .sct file is executed, the large amount of data is written to the %TEMP% directory with the name chris101.exe. Wscript.Shell.Run() method is then called with the path to the .exe to start the malicious executable,\u201d they said.\n\nNext, the malicious executable calls to the adversaries\u2019 C2 and downloads a third-stage downloader that drops the FormBook malware onto the targeted system.\n\nFormBook is a type of data-stealing malware used in espionage and is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions. Once installed, the malware can also execute commands from a command-and-control (C2) server such as instructing the malware to download more files, start processes, shutdown and reboot a system and steal cookies and local passwords.\n\nPidathala said he believes this attack technique exposes a larger attack surface. \u201cThere will be an uptick in malicious objects, where the malicious components are remotely hosted,\u201d he said.\n", "cvss3": {}, "published": "2018-04-09T18:35:39", "type": "threatpost", "title": "Word Attachment Delivers FormBook Malware, No Macros Required", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570"], "modified": "2018-04-09T18:35:39", "id": "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "href": "https://threatpost.com/word-attachment-delivers-formbook-malware-no-macros-required/131075/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-08T07:53:10", "description": "Microsoft has released an emergency patch for the PrintNightmare, a set of two critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that hackers can use to take over an infected system. However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the federal government.\n\nMicrosoft on Tuesday released an [out-of-band update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for several versions of Windows to address [CVE-2021-34527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527>), the second of two bugs that were initially thought to be one flaw and which have been dubbed PrintNightmare by security researchers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nHowever, the latest fix only appears to address the RCE variants of PrintNightmare, and not the local privilege escalation (LPE) variant, according to an [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare>) by the Cybersecurity Infrastructure and Security Administration (CISA), citing a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) published by the CERT Coordination Center (CERT/CC).\n\nMoreover, the updates do not include Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, which will be patched at a later date, according to CERT/CC.\n\n## **A Tale of Two Vulnerabilities**\n\nThe PrintNightmare saga [began last Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) when a proof-of-concept (PoC) exploit for the vulnerability \u2014 at that time tracked as CVE-2021-1675 \u2014 was dropped on GitHub showing how an attacker can exploit the vulnerability to take control of an affected system. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform.\n\nThe response to the situation soon turned into confusion. Though Microsoft released an [patch for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in it its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), addressing what it thought was a minor EoP vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, it soon became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\n## **Microsoft Issues Incomplete Patch**\n\nThe fix released this week addresses CVE-2021-34527, and includes protections for CVE-2021-1675, according to the CISA, which is encouraging users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\nBut as noted, it won\u2019t fix all systems.\n\nSo, in cases where a system is not protected by the patch, Microsoft is offering several workarounds for PrintNightmare. One is very similar to the federal government\u2019s solution from last week: To stop and disable the Print Spooler service \u2014 and thus the ability to print both locally and remotely \u2014 by using the following PowerShell commands: Stop-Service -Name Spooler -Force and Set-Service -Name Spooler -StartupType Disabled.\n\nThe second workaround is to disable inbound remote printing through Group Policy by disabling the \u201cAllow Print Spooler to accept client connections\u201d policy to block remote attacks, and then restarting the system. In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nAnother potential option to prevent remote exploitation of the bug that has worked in \u201climited testing\u201d is to block both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level, according to CERT/CC. However, \u201cblocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,\u201d the center advised.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-07T10:55:02", "type": "threatpost", "title": "Microsoft Releases Emergency Patch for PrintNightmare Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T10:55:02", "id": "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "href": "https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-06T21:23:56", "description": "The U.S. government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft\u2019s initial effort to fix it.\n\nTo mitigate the bug, [dubbed PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), the CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for CVE-2021-1675 urging system administrations to disable the Windows Print Spooler service in Domain Controllers and systems that do not print, the Cybersecurity Infratructure and Security Administration (CISA) said [in a release](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) Thursday. CERT/CC is part of the Software Engineering Institute, a federally funded research center operated by Carnegie Mellon University.\n\n\u201cWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) configured with the NoWarningNoElevationOnInstall option configured,\u201d CERT/CC researchers wrote in the note.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe mitigation is in response to a scenario that unfolded earlier this week when a proof-of-concept (POC) for PrintNightmare was dropped on GitHub on Tuesday. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform. An attacker can use the POC to exploit the vulnerability to take control of an affected system.\n\nIn the meantime, Microsoft Thursday put out a new advisory of its own on PrintNightmare that assigns a new CVE and seems to suggest a new attack vector while attempting to clarify confusion that has arisen over it.\n\nWhile the company originally addressed CVE-2021-1675 in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after it became clear to many experts that the patch appears to fail against the RCE aspect of the bug\u2014hence CISA\u2019s offer of another mitigation and Microsoft\u2019s update.\n\n## **Assignment of New CVE?**\n\nRegarding the latter, the company dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) Thursday for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appears to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\nThe description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is \u201can evolving situation.\n\n\u201cA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to the notice. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nIn a \u201cFAQ\u201d section in the security update, Microsoft attempts to explain CVE-2021-34527\u2019s connection to CVE-2021-1675.\n\n\u201cIs this the vulnerability that has been referred to publicly as PrintNightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,\u201d the company wrote.\n\nHowever, the answer to the question \u201cIs this vulnerability related to CVE-2021-1675?\u201d suggests that CVE-2021-34527 is a different issue.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nMicrosoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in \u201call versions of Windows.\u201d\n\n**\u201c**We are still investigating whether all versions are exploitable,\u201d the company wrote. \u201cWe will update this CVE when that information is evident.\u201d\n\nMicrosoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.\n\n## **Two Vulnerabilities?**\n\nIn retrospect, one security researcher noted to Threatpost when news of PrintNightmare surfaced Tuesday that it was \u201ccurious\u201d that the CVE for the original vulnerability was \u201c-1675,\u201d observing that \u201cmost of the CVEs Microsoft patched in June are -31000 and higher.\u201d\n\n\u201cThis could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,\u201d Dustin Childs of Trend Micro\u2019s Zero Day Initiative told Threatpost at the time.\n\nNow it appears that perhaps Microsoft was patching only part of a more complex vulnerability. The likely scenario appears to be that there are two bugs in Windows Print Spooler that could offer attackers some kind of exploit chain or be used separately to take over systems.\n\nWhile one flaw may indeed have been addressed in June\u2019s Patch Tuesday update, the other could be mitigated by CERT/CC\u2019s workaround\u2014or could remain to be patched by a future Microsoft update that comes after the company completes its investigation.\n\nThe company\u2019s release Thursday of a new CVE related to PrintNightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains a bit hazy for now.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-02T12:21:02", "type": "threatpost", "title": "CISA Offers New Mitigation for PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-07-02T12:21:02", "id": "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "href": "https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-19T16:25:33", "description": "Microsoft has warned of yet another vulnerability that\u2019s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.\n\nThe company released [the advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as [CVE-2021-34481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34481>). Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.\n\nThe vulnerability \u201cexists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAttackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs, view, change or delete data, or create new accounts with full user rights, the company said.\n\nTo work around the bug, administrators and users should stop and disable the Print Spooler service, Microsoft said.\n\n## **Slightly Less of a \u2018PrintNightmare\u2019**\n\nThe vulnerability is the latest in a flurry of problems discovered in Windows Print Spooler, but seems slightly less dangerous, as it can only be exploited locally. It rates 7.8 out of 10 on the CVSS vulnerability-severity scale.\n\nIndeed, [Baines told BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-guidance-on-new-windows-print-spooler-vulnerability/>) that while the bug is print driver-related, \u201cthe attack is not really related to PrintNightmare.\u201d Baines plans to disclose more about the little-known vulnerability in [an upcoming presentation](<https://defcon.org/html/defcon-29/dc-29-speakers.html#baines>) at DEF CON in August.\n\nThe entire saga surrounding Windows Print Spooler [began Tuesday, June 30](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), when a proof-of-concept (PoC) for an initial vulnerability in the print service was dropped on GitHub showing how an attacker can exploit the flaw to take control of an affected system.\n\nThe response to the situation soon turned into confusion. Though Microsoft released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in it its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), fixing what it thought was a minor elevation-of-privilege vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after it became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. The federal government even stepped in last Thursday, when CERT/CC [offered its own mitigation](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>) for PrintNightmare that Microsoft has since adopted \u2014 advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527. The company explained that the second bug was similar to the earlier PrintNightmare vulnerability but also its own distinct entity.\n\nEventually, Microsoft last Wednesday [released an emergency cumulative patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>) for both PrintNightmare bugs that included all previous patches as well as protections for CVE-2021-1675 as well as a new fix for CVE-2021-34527.\n\nHowever, that fix also [was incomplete](<https://www.kb.cert.org/vuls/id/383432>), and Microsoft continues to work on further remediations as it also works to patch this latest bug, CVE-2021-34481. In the meantime, affected customers should install the most recent Microsoft updates as well as use the workaround to avoid exploitation, the company said.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T11:57:53", "type": "threatpost", "title": "Microsoft: Unpatched Bug in Windows Print Spooler", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-16T11:57:53", "id": "THREATPOST:A8242348917526090B7A1B23735D5C6C", "href": "https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-05T13:57:45", "description": "Apple has issued out-of-band patches for critical security issues affecting iPad, iPhone and iPod, which could allow remote code execution (RCE) and other attacks, completely compromising users\u2019 systems. And, the computing giant thinks all of them may have already been exploited in the wild. \n\nThree of these are zero-day flaws, while one is an expanded patch for a fourth vulnerability. \n\nApple keeps details of security problems close to the vest, \u201cfor our customers\u2019 protection,\u201d saving the blood and guts until after it investigates and manages to pump out patches or new releases. \n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nWhat data it does disclose can be found on its [support page](<https://support.apple.com/en-us/HT201222>). Here\u2019s a summary of the three zero-days: \n\n## **Zero-Day Bugs in WebKit**\n\n * **CVE-2021-30665:** A critical memory-corruption issue in the Safari WebKit engine where \u201cprocessing maliciously crafted web content may lead to arbitrary code execution\u201d was addressed with improved state management. Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). The bug was reported to Apple by three security researchers, nicknamed yangkang, zerokeeper and bianliang. \n\n * **CVE-2021-30663:** This second flaw is also found in the open-source WebKit browser engine. It\u2019s an integer overflow, reported by an anonymous researcher, that can also lead to RCE. It was addressed with improved input validation. Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). \n\n * **CVE-2021-30666:** A buffer-overflow issue was addressed with improved memory handling. Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)\n\nAnd here are details on the expanded patch for the fourth bug: \n\n## **WebKit Storage**\n\n * **CVE-2021-30661: **A use after free issue was addressed with improved memory management. Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). This flaw was discovered and reported to the iPhone maker by the security researcher named yangkang, @dnpushme, of Qihoo 360 ATA.\n\nApple\u2019s support page shows that this fourth one was actually patched on Monday last week (April 26) in iOS 14.5 and macOS 11.3, but not in iOS 12. \n\nNaked Security\u2019s Paul Ducklin finds this one [particularly interesting](<https://nakedsecurity.sophos.com/2021/05/04/apple-products-hit-by-fourfecta-of-zero-day-exploits-patch-now/>), and he noted that questions remain. Why wasn\u2019t iOS 12 updated at the same time as iOS 14.5 and macOS 11.3? Did the security hole crop up in the code base after iOS 12 was released, perhaps? \n\nNo, that\u2019s not it: the CVE-2021-30661 and CVE-2021-30666 bugs fixed on Monday only apply to iOS 12. So it remains unclear if the bug exists in recent operating system versions, or not, Ducklin said.\n\n\u201cIs this an old bug from iOS 12 that was carried forward into the current Apple codebase but has still not yet been patched there?\u201d Ducklin pondered. \u201cOr is it a bug that is unique to the older iOS 12 code that doesn\u2019t appear in the more recent operating system releases and can therefore now be considered to have been eliminated everywhere?\u201d\n\nThreatpost has reached out to Apple for comment.\n\n## **Patch Fast!**\n\nPer usual, Apple\u2019s lip is zipped. But one thing\u2019s for sure: Patching as soon as possible is top priority. As it is, the chance for websites passing along \u201cmaliciously crafted web content\u201d is alarming. If you translate Apple\u2019s statement that \u201cprocessing maliciously crafted web content may lead to arbitrary code execution, \u201cyou get a \u201c[drive-by](<https://threatpost.com/google-sites-solarmarket-rat/165396/>), web-based zero-day RCE exploit, according to Ducklin.\n\nIn other words, all you have to do to trigger infection is to visit and view a booby-trapped website. \n\nJohn Kinsella, chief architect at cloud security company Accurics, says this is one of the nastier types of security bugs: one in which the user isn\u2019t required to perform a certain action for an attacker\u2019s success. \u201cPart of the issue here is that it\u2019s not just the browser that a user needs to be careful with,\u201d he told Threatpost in an email on Tuesday. \u201cMany iOS apps are just wrappers around a web application, which would be rendered by WebKit. For example, HTML mail in Apple\u2019s Mail app will be rendered by WebKit, and this app is a hard one to avoid. Even if a user takes advantage of new iOS functionality to replace the default iOS Mail and Safari apps with other mail/browser apps, the underlying HTML rendering engine would still be WebKit-based on Apple\u2019s App Store rules.\u201d\n\nKinsella says that if he\u2019s at all suspicious of something, he won\u2019t open it on a mobile device, but rather on a desktop or laptop, where he has much more control. \u201cThat being said, I know I\u2019m not the average user,\u201d he said. \u201cThe best advice I have is to patch ASAP, and generally be very careful.\u201d\n\nGiven that Apple has acknowledged that these vulnerabilities have already been exploited in the wild, and given the fact that HTML content is so prevalent on mobile devices, Kinsella considers a drive-by RCE like this to be a highly serious issue, though \u201cThe overall security of iOS means this isn\u2019t a complete takeover of the mobile device.\u201d\n\nStill, every extra foothold an attacker can get \u201chelps them further compromise a device,\u201d he said. \u201cThe fact that malicious HTML can compromise something on my wrist doesn\u2019t thrill me. Luckily Apple\u2019s been quite consistent with the reliability of their patches in recent years, so while I may sometimes wait for others to \u2018beta test\u2019 a release, a security patch like this was applied to my devices ASAP.\u201d\n\n## **What is WebKit? The Little Engine That Could**\n\nApple developed the WebKit browser engine to run in its Safari web browser, but it\u2019s also used by Apple Mail, the App Store, and various apps on the macOS and iOS operating systems. This, of course, isn\u2019t the first time that the engine has hit some bumps. \n\nIn January, Apple released an emergency update that patched three iOS[ bugs](<https://threatpost.com/apple-patches-zero-days-ios-emergency-update/163374/>). Two of them (CVE-2021-1870 and CVE-2021-1871 ) were discovered in WebKit (and the third, tracked as CVE-2021-1782, was found in the OS kernel).\n\nMore recently, in March, Apple patched other [severe WebKit RCEs](<https://threatpost.com/apple-webkit-remote-code-execution/164595/>). Similar to Monday\u2019s updates, those WebKit fixes could have allowed remote attackers to completely compromise affected systems.\n\n05-04-2021 14:52 UPDATE: Added input from Accurics\u2019 John Kinsella.\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and **[**Register HERE**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)** for free. **\n", "cvss3": {}, "published": "2021-05-04T16:16:37", "type": "threatpost", "title": "Apple Fixes Zero\u2011Day Security Bugs Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-22893", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666"], "modified": "2021-05-04T16:16:37", "id": "THREATPOST:33E56DEB736406F9DD08C7533BF1812B", "href": "https://threatpost.com/apple-zero%e2%80%91days-active-attack/165842/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-30T19:38:25", "description": "A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.\n\nThe Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation\u2019s Navy. The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe attack began with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder \u2013 a tool that Cybereason said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428. RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.\n\n\u201cThe accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\u201d according to a [Cybereason analysis](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>), published Friday.\n\n## **A Quiet Espionage Malware**\n\nThe RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.\n\nOnce executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. This includes the command-and-control (C2) server address, a victim identifier and some other minor information.\n\nThe malware then creates an additional file in %temp% with the hardcoded name \u201c58097616.tmp\u201d and writes the GetTickCount value multiplied by a random number to it: \u201cThis can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,\u201d researchers explained.\n\nAfter that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS \u2013 with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.\n\nThen, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which is awaits further instructions.\n\nThe C2 commands are myriad:\n\n * List running processes\n * Open process\n * Get free space in logical drives\n * Files enumeration\n * Delete file\n * Move file\n * Create process with a hidden window\n * Open file for simultaneous operations\n * Write to file\n * Close handle\n * Open file and write directly to disk\n * Look for the \u201cKr*^j4\u201d string\n * Create pipe, copy data from it and AES encrypt\n * Write data to file, append with \u201c\\n\u201d\n * Write data to file, append with \u201cexit\\n\u201d\n\nPortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.\n\n\u201cThe backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,\u201d researchers explained.\n\n## **Chinese APTs in the Cyberattack Mix \u2013 Probably**\n\nCybereason\u2019s analysis did not yield up a specific Chinese APT actor who would likely be responsible for the attack. However, the researchers said they could make some educated guesses.\n\n\u201cThere are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,\u201d according to the report.\n\nFor instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.\n\n\u201cBoth the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,\u201d according to the analysis. \u201cWhen comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.\u201d\n\nThat said, the PortDoor malware doesn\u2019t share significant code similarities with previously known malware used by those groups \u2013 leading Cybereason to conclude that it is not a variant of a known malware, which makes it useless in attribution efforts.\n\n\u201cLastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,\u201d researchers concluded. \u201cWe hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n\n_ _\n", "cvss3": {}, "published": "2021-04-30T19:32:34", "type": "threatpost", "title": "PortDoor Espionage Malware Takes Aim at Russian Defense Sector", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-04-30T19:32:34", "id": "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "href": "https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-07T19:08:25", "description": "An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said \u2013 using a previously unknown espionage malware.\n\nAccording to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.\n\nThe documents were \u201csent to different employees of a government entity in Southeast Asia,\u201d according to [the Check Point analysis](<https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/>). \u201cIn some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker\u2019s server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe malicious documents download a template from various URLs, according to the analysis, which are .RTF files embedded with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder. RoyalRoad is a tool that researchers have said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.\n\n\u201cTo decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulted DLL file is saved as 5.t in the %Temp% folder,\u201d researchers said. \u201cThe shellcode is also responsible for the persistence mechanism \u2013 it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.\u201d\n\nThe .DLL gathers data on the victim\u2019s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers\u2019 command-and-control server (C2) via [GET HTTP request method](<https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET>). After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called \u201cVictory.\u201d It \u201cappears to be a custom and unique malware,\u201d according to Check Point.\n\n## **Victory Backdoor**\n\nThe malware is built to steal information and provide consistent access to the victim. Check Point researchers said it can take screenshots, manipulate files (including creating, deleting, renaming and reading them), gather information on the top-level windows that are open, and shut down the computer.\n\nInterestingly, the malware appears to be related to previously developed tools.\n\n\u201cSearching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018,\u201d according to the analysis. \u201cThe files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.\u201d\n\nThe specific implementation of the main backdoor functionality is identical; and, the connection method has the same format, according to the firm. Also, MClient\u2019s connection XOR key and VictoryDll\u2019s initial XOR key are the same.\n\nHowever, there are differences between the two in terms of architecture, functionality and naming conventions. For instance, MClient features a keylogger, which is absent for Victory. And, Victory\u2019s exported function is named MainThread, while in all versions of the MClient variant the export function was named GetCPUID, according to Check Point.\n\n\u201cOverall, we can see that in these three years, most of the functionality of MClient and AutoStartup_DLL was preserved and split between multiple components \u2013 probably to complicate the analysis and decrease the detection rates at each stage,\u201d the form said. \u201cWe may also assume that there exist other modules based on the code from 2018 that might be installed by the attacker in the later stages of the attack.\u201d\n\n## **Attribution**\n\nCheck Point has attributed the campaign to a Chinese APT. One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia. These are active in only a limited daily window, returning payloads only from 01:00 \u2013 08:00 UTC Monday through Friday, which corresponds with the Chinese workday. Also, Check Point said that the servers went dormant in the period between May 1 and 5 \u2013 which China\u2019s Labor Day holidays.\n\nOn top of that, the RoyalRoad RTF exploit building kit is a tool of choice among Chinese APT groups; and some test versions of the backdoor contained internet connectivity check with www.baidu.com \u2013 a popular Chinese website.\n\n\u201cWe unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than three years,\u201d Check Point concluded. \u201cIn this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.\u201d\n\n**Join Threatpost for \u201cA Walk On The Dark Side: A Pipeline Cyber Crisis Simulation\u201d\u2013 a LIVE interactive demo on **[**Wed, June 9 at 2:00 PM EDT**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)**. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and **[**Register HERE**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)** for free.**\n", "cvss3": {}, "published": "2021-06-07T18:49:44", "type": "threatpost", "title": "Novel 'Victory' Backdoor Spotted in Chinese APT Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-06-07T18:49:44", "id": "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "href": "https://threatpost.com/victory-backdoor-apt-campaign/166700/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-10T20:47:57", "description": "Google is warning that a bug in its Chrome web browser is actively under attack, and it is urging users to upgrade to the latest 91.0.4472.101 version to mitigate the issue.\n\nIn all, Google rolled out fixes for 14 bugs impacting its Windows, Mac and Linux browsers as part of its June update [to the Chrome desktop browser](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html>).\n\n\u201cGoogle is aware that an exploit for CVE-2021-30551 exists in the wild,\u201d wrote Chrome technical program manager Prudhvikumar Bommana [in a Wednesday post](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html>). That exploit is identified as a type confusion bug within Google\u2019s V8 open-source JavaScript and WebAssembly engine. \n[](<https://threatpost.com/newsletter-sign/>)The confusion vulnerability is tied to the browser\u2019s ActionScript Virtual Machine. \u201cUsually, when a piece of code doesn\u2019t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion,\u201d according to a [technical description of the bug](<https://www.microsoft.com/security/blog/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/#:~:text=The%20vulnerability%20is%20a%20%E2%80%9Ctype,it%20leads%20to%20type%20confusion.>).\n\n## **Possible Wider Impact of Exploited Chrome Browser Bug **\n\nThe update coincides with the release of the Android Chrome browser to Chrome 91 (91.0.4472.101), also [on Wednesday](<https://chromereleases.googleblog.com/2021/06/chrome-for-android-update_01297860997.html>). While the desktop and mobile versions of the Chrome web browser share the same version number, it is unclear if the updated Android Chrome browser is impacted by the same vulnerabilities.\n\nAlso unclear is if Microsoft\u2019s Edge browser, based on the Chromium open-source browser codebase (principally developed and maintained by Google), is also impacted.\n\nIn related news, on Tuesday, Microsoft released a patch for vulnerabilities under active attack, including [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>), impacting its Edge browser. That bug [is a remote-code execution](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) (RCE) vulnerability within the Edge browser\u2019s MSHTML component.\n\n\u201cThe MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control,\u201d Microsoft explained.\n\n## **Critical Browser Cache Bug: CVE-2021-30544**\n\nAs part of the June Chrome update, Google patched a critical use-after-free bug (CVE-2021-30544) within the browser\u2019s optimization engine called BFCache. This browser component enables back-and-forward navigation between cached webpages within Chrome.\n\nAs customary with recently disclosed bugs, Google did not release the details tied to any of the vulnerabilities patched Wednesday. \u201cAccess to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven\u2019t yet fixed,\u201d the Google advisory stated.\n\nGoogle credits Rong Jian and Guang Gong of 360 Alpha Lab for finding the BFCache bug in May. For their bug hunting efforts, the pair earned $25,000.\n\n**Download our exclusive FREE Threatpost Insider eBook, ****_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-06-10T20:07:53", "type": "threatpost", "title": "Chrome Browser Bug Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-0336", "CVE-2021-30544", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-06-10T20:07:53", "id": "THREATPOST:DE317ED7C5E4858FE861A15F96F6BCFD", "href": "https://threatpost.com/chrome-browser-bug-under-attack/166804/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-13T19:49:18", "description": "One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler that can be filed under the [PrintNightmare umbrella](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>).\n\nThe news comes amid plenty of PrintNightmare exploitation. Researchers from CrowdStrike warned in a [Wednesday report](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) that the operators of the Magniber ransomware quickly weaponized CVE-2021-34527 to attack users in South Korea, with attacks dating back to at least July 13. And Cisco Talos [said Thursday](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) that the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread laterally across a victim\u2019s network as part of a recent ransomware attack.\n\n\u201cIn technology, almost nothing ages gracefully,\u201d Chris Clements, vice president of solutions architecture and Cerberus security officer at Cerberus Sentinel, told Threatpost. \u201cThe Print Spooler in Windows is proving that rule. It\u2019s likely that the code has changed little in the past decades and likely still bears a striking resemblance to source code that was made public in previous Windows leaks. I\u2019ve heard it said that ransomware gangs might also be referred to as \u2018technical debt collectors,\u2019 which would be funnier if the people suffering most from these vulnerabilities weren\u2019t Microsoft\u2019s customers.\u201d\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe fresh zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it\u2019s rated as \u201cimportant.\u201d Microsoft said that it allows for a local attack vector requiring user interaction, but that the attack complexity is low, with few privileges required.\n\n\u201cA remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d the computing giant explained in its [Wednesday advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>). \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.\u201d\n\nThe CERT Coordination Center actually flagged the issue in mid-July, when it warned that a [working exploit](<https://twitter.com/gentilkiwi/status/1416429860566847490>) was available. That proof-of-concept (PoC), issued by Mimikatz creator Benjamin Delpy, comes complete with a video.\n\n> Hey guys, I reported the vulnerability in Dec'20 but haven't disclosed details at MSRC's request. It looks like they acknowledged it today due to the recent events with print spooler.\n> \n> \u2014 Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>)\n\nOn Thursday, CERT/CC issued more details on the issue, explaining that it arises from an oversight in signature requirements around the \u201cPoint and Print\u201d capability, which allows users without administrative privileges to install printer drivers that execute with SYSTEM privileges via the Print Spooler service.\n\nWhile Microsoft requires that printers installable via Point are either signed by a WHQL release signature or by a trusted certificate, Windows printer drivers can specify queue-specific files that are associated with the use of the device, which leaves a loophole for malicious actors.\n\n\u201cFor example, a shared printer can specify a CopyFiles directive for arbitrary files,\u201d according to the CERT/CC [advisory](<https://www.kb.cert.org/vuls/id/131152>). \u201cThese files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for local privilege escalation to SYSTEM on a vulnerable system.\u201d\n\nMicrosoft credited Victor Mata of FusionX at Accenture Security with originally reporting the issue, which Mata said occurred back in December 2020:\n\n> Hey guys, I reported the vulnerability in Dec\u201920 but haven\u2019t disclosed details at MSRC\u2019s request. It looks like they acknowledged it today due to the recent events with print spooler.\n> \n> \u2014 Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>)\n\nSo far, Microsoft hasn\u2019t seen any attacks in the wild using the bug, but it noted that exploitation is \u201cmore likely.\u201d With a working exploit in circulation, that seems a fair assessment.\n\n## **Print Spooler-Palooza and the PrintNightmare **\n\nDelpy characterized this latest zero-day as being part of the string of Print Spooler bugs collectively known as PrintNightmare.\n\nThe bad dream started in early July, when a PoC exploit for a bug tracked as CVE-2021-1675 was [dropped on GitHub](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>). The flaw was originally addressed in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) from Microsoft as a minor elevation-of-privilege vulnerability, but the PoC showed that it\u2019s actually a critical Windows security vulnerability that can be used for RCE. That prompted Microsoft to issue a different CVE number \u2013 in this case, CVE-2021-34527 \u2013 to designate the RCE variant, and it prompted [an emergency partial patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), too.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nBoth bugs \u2013 which are really just variants of a single issue \u2013 are collectively known as PrintNightmare. The PrintNightmare umbrella expanded a bit later in July, when yet another, [similar bug was disclosed](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>), tracked as CVE-2021-34481. It remained unpatched until it was finally addressed with [an update](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) issued alongside the [August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>) (which itself detailed three additional Print Spooler vulnerabilities, one critical).\n\n## **How to Protect Systems from Print Spooler Attacks**\n\nAs mentioned, there\u2019s no patch yet for the bug, but users can protect themselves by simply stopping and disabling the Print Spooler service:\n\n\n\nSource: Microsoft.\n\nCERT/CC also said that since public exploits for Print Spooler attacks use the SMB file-sharing service for remote connectivity to a malicious shared printer, blocking outbound connections to SMB resources would thwart some attacks by blocking malicious SMB printers that are hosted outside of the network.\n\n\u201cHowever, Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic,\u201d according to CERT/CC. \u201cAlso, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.\u201d\n\nIn its update advisory for CVE-2021-34481, Microsoft also detailed how to amend the default Point and Print functionality, which prevents non-administrator users from installing or updating printer drivers remotely and which could help mitigate the latest zero-day.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T13:19:50", "type": "threatpost", "title": "Microsoft Warns: Another Unpatched PrintNightmare Zero-Day", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-08-12T13:19:50", "id": "THREATPOST:ADA9E95C8FD42722E783C74443148525", "href": "https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-19T14:43:11", "description": "Attackers are piggybacking off the booming market for meal-kit delivery services since the pandemic, and sending SMS phishing messages doctored up to look like they\u2019re legitimate correspondence from popular brand names \u2014 including HelloFresh and Gousto.\n\nThis is just another example of why the world cannot have nice things.\n\nResearchers at Tessian discovered the meal-kit phishing campaigns and said there are many versions of the phishing pitch. Some are received through SMS, others through WhatsApp. Some ask customers to rate their experience to enter a prize. The messages run the gamut in terms of sophistication from very convincing, to an example Tessian called \u201ceasy to spot,\u201d which is riddled with spelling errors.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cYour Gousto box is now delivered,\u201d the phishing message read. \u201cEnjoy the reoipej! Rate delivesy and enter wrize diaw at \u2018URL\u2019.\u201d\n\nThe goal is to drive users to a site controlled by the attackers and trick them into entering their personal data.\n\n## **Cybercriminals Capitalize on Trends **\n\n\u201cWhere there is consumer demand, there are always cybercriminals looking to capitalize on these trends and trick people into sharing valuable information or those all-important account credentials, Charles Brook, threat-intelligence specialist with Tessian, told Threatpost about the findings. \u201cSo as demand for meal-kit deliveries surge, due to lockdown restrictions, so too have social-engineering scams with hackers posing as these brands.\u201d\n\nData released from Nielsen showed [meal-kit sales](<https://www.meatpoultry.com/articles/24536-meal-kits-continue-to-expand-during-the-pandemic>) grew nearly 19 percent in 2020 as a result of COVID-19 restrictions.\n\nMeal kits, like other pandemic-related topics (from [government payments](<https://threatpost.com/fraudulent-unemployment-covid-19-relief-claims-earn-bec-gang-millions/155925/>) to [vaccines](<https://threatpost.com/telegram-forged-covid-19-vaccine-cards/166093/>)) have proven an effective tool for cybercriminals to leverage against victims.\n\n## **Smishing Spike **\n\nThe rising popularity of meal kits happens to coincide with [a spike in SMS-based phishing attacks,](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>) a.k.a. \u201csmishing,\u201d worldwide. Personal devices lack a lot of security, everyone has them, and the emotional addiction many have developed with their devices makes users susceptible to a shakedown.\n\n\u201cSMS based scams are incredibly convincing, and are growing in frequency,\u201d Brook added. \u201cData breaches, for example, have made it easier for scammers to access people\u2019s full names and phone numbers as details are made public. In addition, more and more companies are relying on SMS as a marketing channel to reach their customers and update them about online orders. Given that [nine in 10 people](<https://mobilemonkey.com/blog/sms-marketing-statistics>) open their texts, it\u2019s likely the message will be read.\u201d\n\n## **How to Spot Smishing Attacks **\n\nBrook recommended that users take a few, simple precautions to protect themselves against a smishing attack.\n\nThe first is to be wary of delivery notices that seem unfamiliar.\n\n\u201cSo while you might not be expecting a delivery, scammers will still try their luck. Often impersonating a legitimate brand, and using sophisticated methods like including a shortened, legitimate-looking URL or an \u2018urgent\u2019 call to action, they\u2019re hoping their targets have signed up to some form of home-delivery service, will click the link and fall for the scam.\u201d\n\nHe also recommended avoiding clicking on links in SMS messages as a general policy, and taking a close look at the sender number.\n\n\u201cUnknown numbers or 11-digit long numbers starting with a local area code, such as +44, are often associated with scam texts. Large institutions will generally send text messages from short-code numbers.\n\nAnd similar to the previous fake Gousto message above, he recommended steering clear of messages with spelling or grammatical errors. Finally, he advises users to be proactive about their relationship with companies they do business with.\n\n\u201cVisit the company\u2019s social-media channels to see they have warned their customers about potential scams that have been circulating, and research whether other customers have received the same message.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-05-18T20:48:13", "type": "threatpost", "title": "Scammers Pose as Meal-Kit Services to Steal Customer Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31166"], "modified": "2021-05-18T20:48:13", "id": "THREATPOST:90D2E9044C556AC1A56C89A7F86742BE", "href": "https://threatpost.com/scammers-meal-kit-services-customer-data/166282/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-19T14:46:22", "description": "For a ransomware gang whose servers were [purportedly commandeered](<https://threatpost.com/darksides-servers-shutdown/166187/>) last week, DarkSide has had a server-fueled weekend, with a reported hit on Toshiba Business.\n\nLate on Thursday night came a post to the \u201cExploit\u201d underground forum that looked, at least, to be from DarkSide. It described how the gang\u2019s blog, payment processing and denial-of-service (DoS) servers had been seized.\n\nFast-forward three days, and it sure doesn\u2019t look like DarkSide is dead in the water. Friday\u2019s statement has reportedly been deleted. According to the security intelligence firm [Flashpoint](<https://www.flashpoint-intel.com/blog/darkside-faces-xss-ban-servers-seized/>), some members of the underground forum questioned whether the post might have been a fake.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nDarkSide has been in the headlines non-stop since it crippled operations at [Colonial Pipeline Co.](<https://threatpost.com/pipeline-crippled-ransomware/165963/>) 10 days ago, spiking gas prices and sparking a rush to [stockpile](<https://threatpost.com/pipeline-biden-darkside-gas-bags/166112/>).\n\nThe group [extorted around $5 million](<https://threatpost.com/colonial-pays-5m/166147/>) in that incident, in return for which it sent the major fuel-supplying company a decryption tool that [reportedly](<https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom>) could barely limp through the process of unlocking files. A day before \u201cDarkSide\u201d \u2013 or whoever it was \u2013 put up the \u201clost-our-servers\u201d post, President Joe Biden said in an executive order that the U.S. plans to disrupt the ransomware network.\n\n## Did DarkSide\u2019s Servers Spark Back to Life and Grab Toshiba?\n\nThere\u2019s always the possibility that the lost-servers post was an exit scam or, at least, bogus in some way \u2013 a possibility backed up by recent activity. On Friday, Toshiba Tec Group \u2013 the arm of Toshiba that makes scanners, printers and other business equipment \u2013 [confirmed](<https://www.toshibatec.com/information/20210514_01.html>) that its European subsidiaries had been seized.\n\nToshiba\u2019s investigation has shown that the attack has been limited to some regions in Europe but that it hasn\u2019t confirmed whether or not customer information was leaked.\n\nIt looks to be another DarkSide job. According to screenshots of the extortion message provided to [Reuters](<https://www.irishtimes.com/business/technology/toshiba-unit-hacked-by-darkside-ransomware-group-1.4565156>) by Mitsui Bussan Secure Directions \u2013 a representative from Toshiba\u2019s French subsidiary \u2013 more than 740 gigabytes of information were compromised and included passports and other personal information.\n\nAs far as DarkSide\u2019s payment-processing server goes, it was up and running as of last week: The group pulled in a $4.4 million extortion payment from a chemical distributor. As [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/>) reported, Brenntag \u2013 a huge chemical distribution company headquartered in Germany but with over 17,000 employees worldwide at over 670 sites \u2013 suffered a ransomware attack that targeted its North America division. The threat actors reportedly claimed to have stolen 150GB of data.\n\nDarkSide initially demanded a 133.65 Bitcoin ransom \u2013 about $7.5 million \u2013 when it attacked the company earlier in May. BleepingComputer\u2019s sources told the outlet that Brenntag negotiated the extortion fee down to $4.4 million, which was paid on Tuesday, May 11. The outlet confirmed that the money went into a Bitcoin address its sources shared with it.\n\n\u201cBrenntag North America is currently working to resolve a limited information security incident,\u201d Brenntag told BleepingComputer on Thursday. \u201cAs soon as we learned of this incident, we disconnected affected systems from the network to contain the threat.\n\n\u201cIn addition, third-party cybersecurity and forensic experts were immediately engaged to help investigate. We also informed law enforcement of this incident.\u201d\n\n## The DarkSide Statement That\u2019s Since Gone *Poof*\n\nAccording to [Flashpoint](<https://www.flashpoint-intel.com/blog/darkside-faces-xss-ban-servers-seized/>), on Thursday night, UNKN \u2013 the spokesperson for DarkSide\u2019s fellow RaaS, REvil \u2013 made a post on the top-tier Russian-language forum Exploit, quoting DarkSide\u2019s previous, now-deleted post. Translated from Russian into English, the statement read:\n\n> _Ever since the first version, we promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:_\n> \n> _Blog._\n> \n> _Payment server._\n> \n> _DOS servers._\n> \n> _Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information \u2018at the request of law enforcement agencies,\u2019 does not provide any other information._\n> \n> _Also, a few hours after the withdrawal, funds from the payment server (ours and clients\u2019) were withdrawn to an unknown address._\n\n## DarkSide, Other Gangs Banned from XSS Forum\n\nThe heat generated by the pipeline attack \u2013 an attack against critical U.S. infrastructure \u2013 has attracted all the wrong kind of attention to ransomware collectives. As a result, DarkSide\u2019s [fellow RaaS player, REvil](<https://threatpost.com/revil-apple-ransomware-pay-off/165570/>), found itself forced to introduce new restrictions on how it operates.\n\nThe REvil gang on Friday announced that it\u2019s instituting pre-moderation for its partner network, and said it would ban any attempt to attack any government, public, educational or healthcare organizations. Referring to DarkSide\u2019s experience, REvil\u2019s backers said that the group was \u201cforced to introduce\u201d these \u201csignificant new restrictions,\u201d promising that affiliates that violated the new rules would be kicked out and that it would give out decryption tools for free.\n\n## XSS Says No More Ransomware\n\nIt\u2019s not the only one coming up with new rules: according to [Flashpoint researchers](<https://www.flashpoint-intel.com/blog/darkside-faces-xss-ban-servers-seized/>), the Russian-language cybercriminal forum XSS has also announced that it was outlawing all ransomware activities, including ransomware affiliate programs, ransomware for rent, and sale of ransomware software.\n\nThat could be a big hit to the ransomware economy, given that XSS has been an important forum for advertising for affiliates. Some of the biggest ransomware players maintain an active presence on the forum, researchers noted, including [Babuk](<https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/>), DarkSide, LockBit, [Nefilim](<https://threatpost.com/nefilim-ransomware-ghost-account/163341/>), [Netwalker](<https://threatpost.com/netwalker-ransomware-suspect-charged/163405/>) and REvil.\n\n## A \u2018Critical Mass of Nonsense, Hype and Noise\u2019\n\nThe XSS admin reportedly said that the ransomware expulsion is partially based on ideological differences between the forum and ransomware operators. The attention from high-profile incidents such as the [pipeline attack](<https://threatpost.com/pipeline-crippled-ransomware/165963/>) is also quite unwelcome, the admin said, having resulted in a \u201ccritical mass of nonsense, hype and noise.\u201d Ransomware collectives and their accompanying attacks are generating \u201ctoo much PR,\u201d the XSS admin said, and are heightening the geopolitical and law-enforcement risks to a \u201chazard[ous] level.\u201d\n\nHazardous, as in, perhaps putting Russian President Vladimir Putin in an awkward position: The admin of XSS also claimed that when \u201cPeskov [the Press Secretary for the President of Russia, Vladimir Putin] is forced to make excuses in front of our overseas \u2018friends\u2019 \u2013 this is a bit too much,\u201d the XSS admin reportedly posted. The admin included a link to an article on the Russian news website Kommersant, entitled \u201cRussia has nothing to do with hacking attacks on a pipeline in the United States.\u201d\n\n## What\u2019s Next for DarkSide?\n\nStefano De Blasi, a threat researcher for Digital Shadows, said that it\u2019s not surprising to see news about DarkSide operations in spite of the criminal group\u2019s infrastructure having allegedly been taken down.\n\n\u201cA plausible explanation for this phenomenon is that DarkSide affiliates were likely encrypting several targets at the same time, and that some of those victims are only coming out in public about their attack a few days later,\u201d he commented to Threatpost on Monday. \u201cFor example, a Toshiba spokesperson has indicated that the company suffered that ransomware attack on May 4, just three days before the Colonial Pipeline one.\u201d\n\nDe Blasi said via email that it\u2019s \u201crealistically possible\u201d that while DarkSide\u2019s shutdown is part of a strategy to avoid further pressure from law-enforcement agencies, it\u2019s \u201cunlikely that DarkSide would immediately continue their operations without leaving some time to calm things down.\u201d\n\nThus, while we might well hear about more DarkSide encrypting sprees in the future, it\u2019s likely that they\u2019ll avoid attacking more companies in the immediate aftermath of the Colonial Pipeline attack, he said.\n\n**Download our exclusive FREE Threatpost Insider eBook, ****_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-05-17T16:23:35", "type": "threatpost", "title": "DarkSide Hits Toshiba; XSS Forum Bans Ransomware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31166"], "modified": "2021-05-17T16:23:35", "id": "THREATPOST:35511A26A276E34B781D66037866F771", "href": "https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-19T14:40:17", "description": "Clearly, the months since the world shut down in March of 2020 fomented a radical shift in how people work and live, and it\u2019s brought a range of crises and challenges to bear across the spectrum of our lives. These profound changes and experiences were also felt in cybersecurity, bringing never-before-seen threats and attack vectors to the fore. So, perhaps it\u2019s entirely fitting that the theme for the all-virtual RSA Conference 2021 kicking off this week is, simply, \u201cresilience.\u201d\n\n\u201cThis has been incredibly challenging for all of us. We all had to deploy the technology that enabled virtually every worker on a global basis to shift to remote work overnight. They were connecting over multiple networks,\u201d Chuck Robbins, chairman and CEO at Cisco, said from the stage during Monday\u2019s opening keynote addresses. \u201cThey were connecting from whatever device they could possibly find to get connected from. And we all know that during this time, the security landscape that we were all dealing with was becoming very complex.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nFor instance, employees, just by working 30 extra minutes on a mobile device, create 20 percent more vulnerability than you would have normally, he said, adding, \u201cevery individual is carrying an average of four devices, and most of us are carrying even more. And this just creates more opportunity for breaches.\u201d\n\n## **Embracing Chaos as a Constant**\n\nRohit Ghai, CEO at RSA, noted that there are lessons to be learned from the insanity. Referencing that OTHER phenomenon that happened in March 2020, the Tiger King craze that saw 64 million Netflix households binging the documentary, he noted during his keynote that the streaming giant has learned to embrace chaos \u2013 something that cybersecurity types should take a page from.\n\n\n\nRSA\u2019s Rohit Ghai recaps the most notable cybersecurity incidents since the pandemic started.\n\nNetflix has created something called Chaos Monkey to help ensure that its 203 million subscribers can stream without quality issues, he pointed out. It\u2019s basically a resiliency-testing tool that randomly shuts down production instances and emulates various types of common failures, at scale, in order to test the company\u2019s ability to accomplish graceful degradation and survival, without any customer impact.\n\n\u201cChaos is a pretty good way to describe our context in cybersecurity,\u201d Ghai said. \u201cBoundless, complex, hyperconnected and dynamic tech stacks, sitting on multiple cloud workloads that move about. We have machine and human actors working, playing and learning from anywhere, and the added randomness of malicious actors trying to disrupt, steal and instill fear.\u201d\n\nThe cybersecurity industry can focus on resilience by embracing chaos, he explained. That\u2019s done by expecting the unexpected; trusting no one; and compartmentalizing failure zones \u2013 in addition to ongoing red teaming, blue teaming and incident-response trials.\n\n\u201cIf you don\u2019t have visibility, then you don\u2019t know what to defend,\u201d he said. \u201cAnd once you do have visibility, use threat intelligence to understand your likeliest antagonists, including their methods. And then in addition to modeling the likeliest attack, make sure to throw in a few unlikely ones. It is a mindset, not just an architecture.\u201d\n\nHe also advocated for implementing third-party risk assessments, network segmentation and least privilege.\n\n\u201cWhat if the [SolarWinds servers](<https://threatpost.com/marcus-hutchins-only-certainty-is-uncertainty/127270/>) were only allowed to talk to the known good rather than being disallowed to connect to the known bad?\u201d he postulated. \u201cCould the [Twitter hack](<https://threatpost.com/twitter-elite-accounts-are-hijacked-in-unprecedented-cryptocurrency-scam/157463/>) have been avoided if the employees had not been trusted to change the email addresses of accounts? By being prepared for chaos, we will fall less often.\u201d\n\n## **Goal: Build Back Better**\n\nOf course, despite best efforts, successful cyberattacks happen. Cisco\u2019s Robbins pointed out that if cybercrime losses were stacked up against the GDP of countries, it would be the third largest economy in the world after the U.S. and China, with $6 trillion in global damages.\n\n\u201cAnd, we all know the real cost is not being able to run our businesses, or the reputational damage that you suffer, and the impact on your organizations in the future,\u201d he added.\n\nAgainst that backdrop, coming back from an incident stronger than before should be a guiding cybersecurity principle going forward, Ghai postulated \u2013 and he said that a big key to that is inclusivity and a focus on community.\n\n\u201cWe need to bring not just the security professionals but IT and business leaders into the community as well,\u201d he said. \u201cWe also need to find a way to attract diverse and neuro-diverse talent.\u201d\n\nHe added, referring to Marcus Hutchins, \u201cI also implore us to consider another idea to grow our community: We need to find a way to never give up on bright minds and attract them. We need to recruit better than the adversary.\u201d Hutchins famously discovered the [kill switch for WannaCry](<https://threatpost.com/marcus-hutchins-only-certainty-is-uncertainty/127270/>) \u2013 after years of cybercriminal activity as a teen and young adult. He was given a lenient sentence [when convicted](<https://threatpost.com/marcus-hutchins-only-certainty-is-uncertainty/127270/>) for the latter, and eventually turned to legitimate activity.\n\nThere\u2019s much at stake: The threat surface is only going to continue to expand, Robbins pointed out.\n\n\u201cWe have great new technologies like 5G and Wi-Fi 6, continued explosion of public cloud, workers that will work from home forever or in a hybrid model as we go forward,\u201d he said. \u201cThere is really no perimeter in the enterprise to defend anymore, those same workers will be mobile, at some point in the future in coffee shops again, and we have to deal with all that and we have to build security practices around what we know is coming in the future.\u201d\n\nHe also struck a hopeful note for accomplishing that: \u201c[But during the pandemic], we have also learned that industries can be transformed. Two-thirds of CIOs have said that post-pandemic, they will spend more on our security investments going forward. And we know the projects that used to take years are now taking weeks and months because of the sense of urgency that we\u2019ve all been facing.\u201d\n\n## **Security Community \u2018Has Each Other\u2019s Backs\u2019**\n\nA coming together of the security community is another aspect of cultivating resilience that\u2019s been highlighted in the past few, difficult months, according to Jimmy Sanders, CISO at Netflix DVD.\n\n\n\nNetflix CISO Jimmy Sanders.\n\n\u201cWhatever stage you are in your current career cycle, we need your ideas, we need your effort, we need your collaboration,\u201d he said during his keynote. \u201cI think of the term \u2018snowball effect,\u2019 because \u2026 the great ideas build upon each other. We need to ensure that the best security practices are accessible to everyone.\u201d\n\nHe added that a single entity can\u2019t curb the overall rise of security breaches, regardless of how amazing that individual security structure may be. \u201cBut together,\u201d he said, \u201cthe security superhero group sharing knowledge and effective techniques can achieve [the] greatest security resilience.\u201d\n\nIt\u2019s a positive assessment that will lead to better cyber-resilience going forward, Ghai said.\n\n\u201cOur community has shown remarkable solidarity when one of us falls,\u201d he said as he closed his talk. \u201cWe\u2019re getting better at sharing and learning. So when one of us falls, all of us learn, we all rise up stronger. In 2020, we saw cyber-incidents of unprecedented scale and scope. But let\u2019s note that we have not yet encountered a global cyber-pandemic. We have not been fully tested yet and must remain vigilant. The next leg of a long journey is just beginning.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-05-17T19:40:27", "type": "threatpost", "title": "What a Year It's Been: RSA 2021 Embraces 'Resilience'", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31166"], "modified": "2021-05-17T19:40:27", "id": "THREATPOST:A7148BBF3E2EDF9B0EA2E2C67C7CAC4E", "href": "https://threatpost.com/rsa-2021-embraces-resilience/166233/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-19T14:40:07", "description": "Magecart Group 12, known for skimming payment information from online shoppers, was fingered for last September\u2019s [gonzo attack](<https://threatpost.com/magecart-campaign-10k-online-shoppers/159216/>) on more than 2,000 e-Commerce sites, and now researchers have issued a report explaining how they did it, detailing a new technical approach. The skimmers are still \u201cvery active,\u201d according to the analysis.\n\nThe credit-card [skimmer group is using PHP web shells](<https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/>) to gain remote administrative access to the sites under attack to steal credit-card data, rather than using their previously favored JavaScript code, which they simply injected into vulnerable sites to log the information keyed into online checkout sites, according to Malwarebytes Labs\u2019 Threat Intelligence Team.\n\nMagecart 12, the latest incarnation of the web skimmer group, continues to launch attacks with malware created to mimic a favicon, also known as a \u201cfavorite icon\u201d or \u201cshortcut icon.\u201d\n\n\u201cThe file named Magento.png attempts to pass itself as \u2018image/png\u2019 but does not have the proper .PNG format for a valid image file,\u201d the report said. \u201cThe way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file.\u201d\n\nBut in this instance, the phony favicon is used to load a PHP web shell. The web shell is harder to detect and block, the report adds, because it injects the skimmer code on the server-side, rather than the client side.\n\n\u201cAs such, a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation,\u201d the report said. \u201cA more effective, but also more complex and prone to false positives approach, is to inspect the DOM in real time and detect when malicious code has been loaded.\u201d\n\nDOM is short for Document Object Model, which is an API for HTML and XML documents.\n\nDespite the change, the group is still aimed at achieving the same goal: Injecting card skimming malware to steal customer payment-card details.\n\n\u201cDigital skimming or e-skimming attacks are a lucrative source of revenue for cybercriminals as stolen credit-card numbers are worth millions of dollars on the Dark Web,\u201d \u201cAvishai Shafir from PerimeterX said, via email.\n\n## **Magecart Continues to Evolve**\n\nMagecart continues to evolve its tactics. Last month, researchers from Sucuri discovered that [Magecart attackers](<https://threatpost.com/magecart-attackers-stolen-data-jpg/164815/>) were saving their stolen credit-card data in .JPG files until they could be exfiltrated from compromised e-Commerce sites running Magento 2.\n\n\u201cThe creative use of the fake .JPG allows an attacker to conceal and store harvested credit-card details for future use without gaining too much attention from the website owner,\u201d Sucuri\u2019s Luke Leal wrote about the finding, in March.\n\nAnd, back in December, Magecart attackers [hijacked PayPal transactions](<https://threatpost.com/magecart-hijacks-paypal-transactions/161697/>) during the holiday shopping season.\n\nExperts anticipate that Magecart will continue to evolve and improve their attacks as long as their cybercrimes keep turning a profit.\n\n\u201cThe latest techniques observed in these recent Magecart attacks show how the groups themselves are staying innovative by using previous techniques with new coding and tactics,\u201d Sean Nikkel, senior cyber threat intel analyst at Digital Shadows told Threatpost. \u201cThe most recent findings highlight how difficult it may be for defenders to detect skimming activity itself without employing additional code reviews or other types of blocking and inspection. \u201d\n\n## **Protecting Against Magecart**\n\nResearchers have long implored online retailers to update their content management systems (CMS) \u2014 known vulnerabilities in Magento are the group\u2019s favorite way to compromise e-Commerce sites.\n\n\u201cUnpatched CMS are the reliable route to infection for any cybercriminal gang, including the Magecart Group,\u201d Dirk Schrader with New Net Technologies said via email.\n\nCode reviews, pen testing, and regular updates and patching are all key to stopping card skimmers, experts added.\n\n\u201cThe easiest ways to defend against attacks like these are through patching and staying current with updates, conduct regular code reviews, application pen testing, PCI-level audits, and audits of users and activity,\u201d Nikkel added. \u201cCompanies that decide to go the CMS route, such as Magento or even WordPress, Drupal and other similar applications, should also ensure that any site plugins remain current. Most of the attacks by Magecart groups depend on older, vulnerable versions of both to work, but staying current and reviewing code can help mitigate the risk presented by these campaigns.\u201d\n\nThird-party payment processors are something else that e-Commerce sites might want to consider, John Bambenek, threat intelligence advisor for Netenrich, told Threatpost in reaction to the Magecart discovery.\n\n\u201cWebsites that process payments are obviously lucrative targets for attackers,\u201d Bambenek wrote in an email. \u201cThis is why it\u2019s important for small companies that are not staffed to protect themselves should look hard at using external payment processors.\u201d\n\nFor online retailers with staff available, Bambenek added \u201cThis compromise can be detected by looking for communication initiated by the webserver and attempting to connect to a remote system on port 80, and such traffic is unencrypted to perimeter monitoring should be able to see the data exfiltration as well.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-05-17T21:46:14", "type": "threatpost", "title": "Magecart Goes Server-Side in Latest Tactics Changeup", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31166"], "modified": "2021-05-17T21:46:14", "id": "THREATPOST:A78361BA1DB99FF96F9399B2AE9F1EA4", "href": "https://threatpost.com/magecart-server-side-itactics-changeup/166242/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-15T11:25:30", "description": "Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.\n\nThat\u2019s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday [posted a blog](<https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/>) shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities\u2014the prevalence of which are on the rise\u2013before they were addressed by their respective vendors.\n\nTAG researchers discovered the Safari WebKit flaw, tracked as [CVE-\u200b2021-1879](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1879>), on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross site scripting and was addressed by Apple in [an update](<https://support.apple.com/en-us/HT212256>) later that month.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nBefore the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.\n\n\u201cIf the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,\u201d they wrote.\n\nThe exploit, which targeted iOS versions 12.4 through 13.7, would turn off [Same-Origin-Policy](<https://en.wikipedia.org/wiki/Same-origin_policy>) protections on an infected device to collect authentication cookies from several popular websites\u2013including Google, Microsoft, LinkedIn, Facebook and Yahoo\u2013and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.\n\nMoreover, the campaign targeting iOS devices coincided with others from the same threat actor\u2014which Microsoft has identified as Nobelium\u2013targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks [in a report](<https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/>) posted online in May, the researchers added.\n\nNobellium is believed to be a Russia-based threat group responsible for the [expansive cyber-espionage SolarWinds](<https://threatpost.com/feds-russia-culprit-solarwinds/162785/>) campaign, which affected numerous U.S. government agencies and tech companies, including Microsoft.\n\n## **Other Zero-Day Attacks**\n\nGoogle researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to [Google TAG\u2019s Shane Huntley](<https://twitter.com/ShaneHuntley/status/1415340345500463113>). Two of those vulnerabilities\u2013[CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>) and [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>)\u2014were found in Chrome, and one, tracked as [CVE-2021-33742](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33742>), in Internet Explorer.\n\nCVE-2021-21166 and CVE-2021-30551, two Chrome rendered remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.\n\n\u201cBoth of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,\u201d Stone and Lecigne wrote. \u201cThe links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.\u201d\n\nWhen prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info\u2014which included screen resolution, timezone, languages, browser plugins, and available MIME types\u2014would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.\n\nResearchers also identified a separate campaigned in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.\n\n\u201cThis happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,\u201d Stone and Lecigne explained.\n\nAt the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.\n\n\n\nClick to Zoom CREDIT: TAG\n\n## **Why There is an Increase in Zero-Days?**\n\nAll in all, security researchers have identified 33 [zero-day flaws](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) so far in 2021, which is 11 more than the total number from 2020, according to the post.\n\nWhile that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers \u201cbelieve greater detection and disclosure efforts are also contributing to the upward trend,\u201d they wrote.\n\nStill, it\u2019s highly possible that attackers are indeed using more [zero-day exploits](<https://threatpost.com/zero-day-wipe-my-book-live/167422/>) for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more [zero-day vulnerabilities](<https://threatpost.com/solarwinds-hotfix-zero-day-active-attack/167704/>) for functional attack chains, they said.\n\nThe growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target\u2014hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.\n\nFinally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.\n\n\u201cDue to advancements in security, these actors now more often have to use 0-day exploits to accomplish their goals,\u201d Stone and Lecigne wrote.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-15T11:04:49", "type": "threatpost", "title": "Safari Zero-Day Used in Malicious LinkedIn Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1879", "CVE-2021-21166", "CVE-2021-26411", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-07-15T11:04:49", "id": "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "href": "https://threatpost.com/safari-zero-day-linkedin/167814/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2021-06-15T08:32:02", "description": "\n\nOn April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.\n\nThe elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, 2021, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the elevation of privilege vulnerability. Both vulnerabilities were patched on June 8, 2021, as a part of the June Patch Tuesday.\n\n## Remote code execution exploit\n\nAll of the observed attacks were conducted through Chrome browser. Unfortunately, we were unable to retrieve the JavaScript with full exploit code, but the timeframe of attacks and events preceding it led us to suspect one particular vulnerability.\n\nOn April 6-8, 2021 the Pwn2Own competition took place. This is a computer hacking contest where the Google Chrome web browser was one of the targets. According to the ZDI (Zero Day Initiative, the organizer of Pwn2Own) [website](<https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results>), one participating team was able to demonstrate a successful exploitation of the Chrome renderer process using a Typer Mismatch bug.\n\nOn April 12, 2021, the developers of Chromium committed two (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>), issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>)) Typer-related bug fixes to the open-source repository of V8 \u2013 a JavaScript engine used by Chrome and Chromium web browsers. One of these bug fixes (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>)) was intended to patch a vulnerability that was used during Pwn2Own, and both bug fixes were committed together with regression tests \u2013 JavaScript files to trigger these vulnerabilities. Later on the same day, a user with the Twitter handle @r4j0x00 published a working remote code execution exploit on GitHub, targeting an up-to-date version of Google Chrome. That exploit used a vulnerability from issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>) to execute a shellcode in the context of the browser renderer process.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122836/PuzzleMaker_attacks_01.png>)\n\n**_Screenshot of tweet with Chrome zero-day published on April 12, 2021_**\n\nThe published exploit didn&#x27;t contain a sandbox escape exploit and was therefore intended to work only when the browser was launched with the command line option _-no-sandbox_.\n\nOn April 13, 2021, Google released Chrome update 89.0.4389.128 for Windows, Mac and Linux with a fix for two vulnerabilities; CVE-2021-21220 (used during Pwn2Own) was one of them.\n\nSome of our customers who were attacked on April 14-15, 2021, already had their Chrome browser updated to 89.0.4389.128, and that&#x27;s why we think the attackers didn&#x27;t use CVE-2021-21220 in their attacks.\n\nOn April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities. On the same day, a new Chrome exploit was presented to the public.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122912/PuzzleMaker_attacks_02.png>)\n\n**_Screenshot of GitHub repository with Chrome zero-day published on April 14, 2021_**\n\nThis newly published exploit used a vulnerability from issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>), worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021.\n\nWe suspect the attackers were also able to use this JavaScript file with regression test to develop the exploit (or acquire it from someone else) and were probably using CVE-2021-21224 in their attacks.\n\n## Elevation of privilege exploit\n\nCVE-2021-31955 is an information disclosure vulnerability in ntoskrnl.exe. The vulnerability is affiliated with a Windows OS feature called SuperFetch. It was introduced in Windows Vista and is aimed to reduce software loading times by pre-loading commonly used applications into memory. For SuperFetch purposes the function _NtQuerySystemInformation_ implements a special system information class _SystemSuperfetchInformation_. This system information class incorporates more than a dozen of different SuperFetch information classes. The vulnerability lies in the fact that data returned by the _NtQuerySystemInformation_ function for the SuperFetch information class _SuperfetchPrivSourceQuery_ contains EPROCESS kernel addresses for currently executed processes.\n\nIt&#x27;s noteworthy that this vulnerability can be observed in code that was available on [GitHub](<https://github.com/zodiacon/WindowsInternals/blob/master/MemInfo/MemInfo.cpp>) for a few years before we caught it in the wild and Microsoft patched it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122949/PuzzleMaker_attacks_03.png>)\n\n**_CVE-2021-31955 can be observed in the source code of the MemInfo utility_**\n\nThe other vulnerability, CVE-2021-31956, is a heap-based buffer overflow in ntfs.sys. The function _NtfsQueryEaUserEaList_ processes a list of extended attributes for the file and stores the retrieved values to buffer. This function is accessible via _ntoskrnl_ syscall and among other things it&#x27;s possible to control the size of the output buffer. If the size of the extended attribute is not aligned, the function will calculate a padding and the next extended attribute will be stored 32-bit aligned. The code checks if the output buffer is long enough to fit the extended attribute with padding, but it doesn&#x27;t check for possible integer-underflow. As a result, a heap-based buffer overflow can happen.\n \n \n for ( cur_ea_list_entry = ea_list; ; cur_ea_list_entry = next_ea_list_entry )\n {\n ...\n \n out_buf_pos = (DWORD *)(out_buf + padding + occupied_length);\n \n if ( NtfsLocateEaByName(eas_blocks_for_file, eas_blocks_size, &name, &ea_block_pos) )\n {\n \tea_block = eas_blocks_for_file + ea_block_pos;\n \tea_block_size = ea_block->DataLength + ea_block->NameLength + 9;\n \tif ( ea_block_size <= out_buf_length - padding ) // integer-underflow is possible\n \t{\n \tmemmove(out_buf_pos, (const void *)ea_block, ea_block_size); // heap buffer overflow\n \t*out_buf_pos = 0;\n \t}\n }\n else\n {\n \t...\n }\n \n ...\n \n occupied_length += ea_block_size + padding;\n out_buf_length -= ea_block_size + padding;\n padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;\n \n ...\n }\n\n**_Pseudo-code for vulnerable code in function NtfsQueryEaUserEaList_**\n\nThe exploit uses CVE-2021-31956 along with Windows Notification Facility (WNF) to create arbitrary memory read and write primitives. We are planning to publish more information about this technique in the future.\n\nAs the exploit uses CVE-2021-31955 to get the kernel address of the EPROCESS structure, it is able to use the common post exploitation technique to steal SYSTEM token. However, the exploit uses a rarely used &quot;PreviousMode&quot; technique instead. We have seen this technique used by the CHAINSHOT framework and even made a [presentation](<https://github.com/oct0xor/presentations/blob/master/2019-02-Overview%20of%20the%20latest%20Windows%20OS%20kernel%20exploits%20found%20in%20the%20wild.pdf>) about it at CanSecWest/BlueHat in 2019. The exploit uses this technique to inject a malware module into the system process and execute it.\n\n## Malware modules\n\nBesides the aforementioned exploits, the full attack chain consists of four additional malware modules, which will be referred to as:\n\n * Stager\n * Dropper\n * Service\n * Remote shell\n\nThe stager module is used to notify that exploitation was successful. It also downloads and executes a more complex malware dropper module from a remote server. Each stager module is delivered to the victim with a personalized configuration blob that defines the C&amp;C URL, Session ID, keys to decrypt the next stage of malware, and other information.\n\nAll the stager module samples that we&#x27;ve discovered so far were configured to use the same URL address \u2013 hxxps://p{removed}/metrika_upload/index.php \u2013 to download the encrypted malware dropper module.\n\nWe believe there is a chance that the remote code execution JavaScript exploit was also hosted on the same legitimate-looking geopolitical news portal, but we found no evidence of a classic watering hole attack. The victimology suggests a highly targeted delivery of exploits.\n\nThe dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. We couldn&#x27;t find any similarities between this and other known malware.\n\nThe remote shell module has a hardcoded URL of the C&amp;C server inside (media-seoengine[.]com). All the communication between C&amp;C server and client is authorized and encrypted. The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine.\n\nNone of the artifacts we analyzed appear to have strong connections to any known threat actors. The only similarity to CHAINSHOT we observed is the &quot;PreviousMode&quot; technique, although this is publicly known and may be used by various groups. We are calling the threat actor behind these attacks PuzzleMaker.\n\nKaspersky products detect this exploit and malware modules with the verdicts:\n\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * UDS:DangerousObject.Multi.Generic\n\nKaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected many zero-days, repeatedly proving their effectiveness. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.\n\nMore information about these attacks and the actor behind them is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports@kaspersky.com.\n\nKaspersky would like to thank Microsoft for their prompt analysis of the report and patches.\n\n## IoCs\n\nmedia-seoengine[.]com\n\n**%SYSTEM%\\WmiPrvMon.exe**\n\nMD5 [09A5055DB44FC1C9E3ADD608EFFF038C](<https://opentip.kaspersky.com/09A5055DB44FC1C9E3ADD608EFFF038C/>) \nSHA-1 [BFFA4462901B74DBFBFFAA3A3DB27DAA61211412](<https://opentip.kaspersky.com/BFFA4462901B74DBFBFFAA3A3DB27DAA61211412/>) \nSHA-256 [982F7C4700C75B81833D5D59AD29147C392B20C760FE36B200B541A0F841C8A9](<https://opentip.kaspersky.com/982F7C4700C75B81833D5D59AD29147C392B20C760FE36B200B541A0F841C8A9/>)\n\n**%SYSTEM%\\wmimon.dll**\n\nMD5 [D6B850C950379D5EE0F254F7164833E8](<https://opentip.kaspersky.com/D6B850C950379D5EE0F254F7164833E8/>) \nSHA-1 [E63ED3B56A5F9A1EA5C92D3D2444196EA13BE94B](<https://opentip.kaspersky.com/E63ED3B56A5F9A1EA5C92D3D2444196EA13BE94B/>) \nSHA-256 [8A17279BA26C8FBE6966EA3300FDEFB1ADAE1B3ED68F76A7FC81413BD8C1A5F6](<https://opentip.kaspersky.com/8A17279BA26C8FBE6966EA3300FDEFB1ADAE1B3ED68F76A7FC81413BD8C1A5F6/>)", "cvss3": {}, "published": "2021-06-08T17:32:30", "type": "securelist", "title": "PuzzleMaker attacks with Chrome zero-day exploit chain", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-21220", "CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-06-08T17:32:30", "id": "SECURELIST:8E9198BF0E389572981DD1AA05D0708A", "href": "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n## Targeted attacks\n\n### The leap of a Cycldek-related threat actor\n\nIt is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous &quot;DLL side-loading triad&quot;: a legitimate executable, a malicious DLL to be [side-loaded](<https://attack.mitre.org/techniques/T1574/002/>) by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>), but we have observed other groups using similar &quot;triads&quot;, including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.\n\nWe recently described one such file, called &quot;FoundCore&quot;, which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nHowever, in this case, the shellcode was heavily obfuscated \u2013 the technical details were presented in the &#x27;[The leap of a Cycldek-related threat actor](<https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>)&#x27; report. We found the loader for this file so interesting that we decided to base one of the tracks of our [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>) course on it.\n\nThe final payload is a remote administration tool that provides full control over the victim machine to its operators. Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.\n\nIn the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com \u2013 all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempting to exploit CVE-2018-0802. All of these documents were blank, suggesting the existence of precursor documents \u2013 possibly delivered by means of spear-phishing or a previous infection \u2013 that trigger the download of the RTF files. Successful exploitation leads to the deployment of further malware \u2013 named DropPhone and CoreLoader.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\nOur telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.\n\nWhile Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign \u2013 which is why we attribute the campaign, with low confidence, to this threat actor.\n\n### Zero-day vulnerability in Desktop Window Manager used in the wild\n\nWhile analyzing the [CVE-2021-1732](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, [Microsoft released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for the new zero-day (CVE-2021-28310) as part of its April security updates.\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.\n\nWe believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.\n\nYou can find technical details on the exploit in the &#x27;[Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>)&#x27; post. Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n### Operation TunnelSnake\n\nWindows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.\n\nNevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.\n\nOne such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. This rootkit, which we dubbed &quot;Moriya&quot;, was used to deploy passive backdoors on public facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which they can be silently controlled.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/08151011/Operation_TunnelSnake_01.png>)\n\nThis tool was used as part of an ongoing campaign that we named &quot;[TunnelSnake](<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>)&quot;. The rootkit was detected on the targeted machines as early as November 2019; and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.\n\nSince neither the rootkit nor other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker&#x27;s infrastructure. However, the bulk of the detected tools besides Moriya, consist of both proprietary and well-known pieces of malware that were previously in use by Chinese-speaking threat actors, giving a clue to the attacker&#x27;s origin.\n\n### PuzzleMaker\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.\n\nWhile we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.\n\nOn April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday.\n\nThe exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a &quot;remote shell&quot;-style backdoor, which in turns connects to the C2 to get commands.\n\nWe weren&#x27;t able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\n### Andariel adds ransomware to its toolset\n\nIn April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload. Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15094853/Andariel_delivered_ransomware_01.png>)\n\nDuring the course of our research, Malwarebytes published a [report](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>) with technical details about the same series of attacks, which attributed it to the Lazarus group. However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.\n\nHistorically, Andariel has mainly targeted organizations in South Korea; and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15095550/Andariel_delivered_ransomware_08.png>)\n\nWe also found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.\n\nNotably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlying the financial motivation of this threat actor.\n\n### Ferocious Kitten\n\n[Ferocious Kitten](<https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/>) is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran. The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers. The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to [researchers on Twitter](<https://twitter.com/reddrip7/status/1366703445990723585?s=21>). Since then, one of its implants [has been analyzed](<http://www.hackdig.com/03/hack-293629.htm>) by a Chinese threat intelligence firm.\n\nWe were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the lure document, dubbed &quot;MarkiRAT&quot;, records keystrokes, clipboard content, and provides file download and upload capabilities as well as the ability to execute arbitrary commands on the victim&#x27;s computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of Telegram and Chrome applications as a persistence method.\n\nFerocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren&#x27;t reported very often; and so are able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.\n\n## Other malware\n\n### Evolution of JSWorm ransomware\n\nWhile ransomware has been around for a long time, it has evolved over time as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as [WannaCry](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and [NotPetya](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>). Many ransomware gangs have switched to the more profitable tactic of &quot;big-game hunting&quot;; and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. Moreover, there&#x27;s now a [well-developed eco-system underpinning ransomware attacks](<https://securelist.com/ransomware-world-in-2021/102169/>).\n\nAs a result, even though [the number of ransomware attacks has fallen](<https://securelist.com/ransomware-by-the-numbers-reassessing-the-threats-global-impact/101965/>), and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.\n\nWe recently published analysis of one such ransomware family, named [JSWorm](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24115814/JSworm_malware_01.png>)\n\nEach &quot;re-branded&quot; version has included alterations to different aspects of the code \u2013 file extensions, cryptographic schemes, encryption keys, programming language and distribution model. Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.\n\n### Black Kingdom ransomware\n\n[Black Kingdom](<https://securelist.com/black-kingdom-ransomware/102873/>) first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka [ProxyLogon](<https://proxylogon.com/>)). This ransomware family is much less sophisticated than other [Ransomware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RaaS) or big game hunting families. The group&#x27;s involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.\n\nThe malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. At the time of analysis, there was already a [script to recover files encrypted with the embedded key](<https://blog.cyberint.com/black-kingdom-ransomware>).\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nAfter decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>). The group adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key. We were not able to attribute Black Kingdom to any known threat group.\n\nBased on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.\n\n### Gootkit: the cautious banking Trojan\n\n[Gootkit](<https://securelist.com/gootkit-the-cautious-trojan/102731/>) belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it&#x27;s not very common, new versions of the Trojan may remain under the researchers&#x27; radar for long periods.\n\nIt is complex multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.\n\nGootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and lots of other malicious actions. The Trojan&#x27;s loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.\n\nIn 2019, Gootkit stopped operating after it experienced a [data leak](<https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/>), but has been [active again](<https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/>) since November 2020. Most of the victims are located in EU countries such as Germany and Italy.\n\n### Bizarro banking Trojan expands into Europe\n\nBizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy. This malware has been used to steal credentials from customers of 70 banks from different European and South American countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143631/Bizarro_trojan_13.png>)\n\nAs with [Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.\n\nBizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages and seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143359/Bizarro_trojan_12.png>)\n\nBizarro is one of several banking Trojans from South America that have extended their operations into other regions \u2013 mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/17095011/Map_of_Brazilian_families.jpeg>)\n\n### Malicious code in APKPure app\n\nIn early April, we [discovered malicious code in version 3.17.18 of the official client of the APKPure app store](<https://securelist.com/apkpure-android-app-store-infected/101845/>), a popular alternative source of Android apps. [The incident seems to be similar to what happened with CamScanner](<https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/>), when the app&#x27;s developer implemented an adware SDK from an unverified source.\n\nWhen launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. In the case of relatively recent versions of the operating system (Android 8 or higher) it loads additional modules for the [Triada Trojan](<https://www.kaspersky.com/blog/triada-trojan/11481/>). If the device is older (Android 6 or 7, and without security updates installed) it could be the [xHelper Trojan](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).\n\nWe reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.\n\n### Browser lockers\n\nBrowser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The &quot;locking&quot; consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.\n\nThis type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide. The tricks used by the scammers include imitating the infamous &quot;[Blue Screen of Death](<https://encyclopedia.kaspersky.com/glossary/blue-screen-of-death-bsod/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)&quot; (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.\n\nIn our [report on browser lockers](<https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/>), we examined two families of lockers that mimic government websites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01145253/MVD_fake_sites_07-scaled.jpeg>)\n\nBoth families spread mainly via advertising networks, primarily aimed at selling &quot;adult&quot; content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).\n\nThese threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don&#x27;t fall for the cybercriminals&#x27; smoke-and-mirror tactics.\n\n### Malware targets Apple M1 chip\n\nLast November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture. Unfortunately, just months after the release, [malware writers had already adapted several malware families to the new processor](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).\n\n### Attempted supply-chain attack using PHP\n\nIn March, [unknown attackers tried to carry out a supply-chain attack by introducing malicious code to the PHP scripting language](<https://www.kaspersky.com/blog/php-git-backdor/39191/>). The developers of PHP make changes to the code using a common repository built on the GIT version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers, in around 80 per cent of which (web servers) PHP is used.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:37", "type": "securelist", "title": "IT threat evolution Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802", "CVE-2019-11510", "CVE-2021-1732", "CVE-2021-27065", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-08-12T10:00:37", "id": "SECURELIST:934E8AA177A27150B87EC15F920BF350", "href": "https://securelist.com/it-threat-evolution-q2-2021/103597/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-30T10:36:53", "description": "\n\nIn the Global Research and Analysis Team at Kaspersky, we track the ongoing activities of more than 900 advanced threat actors and activity clusters; you can find our quarterly overviews [here](<https://securelist.com/apt-trends-report-q1-2021/101967/>), [here](<https://securelist.com/apt-trends-report-q2-2021/103517/>) and [here](<https://securelist.com/apt-trends-report-q3-2021/104708/>)[.](<https://securelist.com/apt-trends-report-q3-2021/104708/>) For this annual review, we have tried to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility in the threat landscape and it&#x27;s important to note that no single vendor has complete visibility into the activities of all threat actors.\n\n## Private sector vendors play a significant role in the threat landscape\n\nPossibly the biggest story of 2021, an investigation by the Guardian and 16 other media organizations, published in July, suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. The report, called [Pegasus Project](<https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/>), alleged that the software uses a variety of exploits, including several iOS zero-click zero-days. Based on forensic analysis of numerous mobile devices, Amnesty International&#x27;s Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders. Later that month, [representatives from the Israeli government visited the offices of NSO](<https://www.theguardian.com/news/2021/jul/29/israeli-authorities-inspect-nso-group-offices-after-pegasus-revelations>) as part of an investigation into the claims. And in October, India&#x27;s Supreme Court commissioned a technical committee [to investigate whether the government had used Pegasus to spy on its citizens](<https://www.theregister.com/2021/10/29/india_nso_pegasus_probe/>). In November, Apple announced that it was taking [legal action against NSO Group](<https://www.theguardian.com/technology/2021/nov/23/apple-sues-israeli-cyber-firm-nso-group>) for developing software that targets its users with &quot;malicious malware and spyware&quot;.\n\nDetecting infection traces from Pegasus and other advanced mobile malware is very tricky, and complicated by the security features of modern OSs such as iOS and Android. Based on our observations, this is further complicated by the deployment of non-persistent malware, which leaves almost no traces after reboot. Since many forensics frameworks require a device jailbreak, this results in the malware being removed from memory during the reboot. Currently, several methods can be used for detection of Pegasus and other mobile malware. [MVT (Mobile Verification Toolkit](<https://github.com/mvt-project/mvt>)) from Amnesty International is free, open source and allows technologists and investigators to inspect mobile phones for signs of infection. MVT is further boosted by a list of IoCs (indicators of compromise) collected from high profile cases and made available by Amnesty International.\n\n## Supply-chain attacks\n\nThere have been a number of high-profile supply-chain attacks in the last 12 months. Last December, it was reported that SolarWinds, a well-known IT managed services provider, had fallen victim to a sophisticated supply-chain attack. The company&#x27;s Orion IT, a solution for monitoring and managing customers&#x27; IT infrastructure, was compromised. This resulted in the deployment of a custom backdoor named Sunburst on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nNot all supply-chain attacks have been that sophisticated. Early this year, an APT group that we track as BountyGlad compromised a certificate authority in Mongolia and replaced the digital certificate management client software with a malicious downloader. Related infrastructure was identified and used in multiple other incidents: this included server-side attacks on WebSphere and WebLogic services in Hong Kong, and Trojanized Flash Player installers on the client side.\n\nWhile investigating the artefacts of a supply-chain attack on an Asian government Certification Authority&#x27;s website, we discovered a Trojanized package that dates back to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins that were deployed using PhantomNet malware, which were in turn delivered using the aforementioned Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware.\n\nIn April 2021, Codecov, provider of code coverage solutions, publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between January 31 and April 1. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user&#x27;s execution environments, collect code coverage reports and send the results to the Codecov infrastructure. This script compromise effectively constitutes a supply-chain attack.\n\nEarlier this year we discovered [Lazarus group](<https://securelist.com/tag/lazarus/>) campaigns using an updated DeathNote cluster. Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named Racket, which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached victim machines.\n\nA previously unknown, suspected Chinese-speaking APT modified a fingerprint scanner software installer package on a distribution server in a country in East Asia. The APT modified a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package. Employees of the central government in this country are required to use this biometric package to track attendance. We refer to this supply-chain incident and this particular PlugX variant as SmudgeX. The Trojanized installer appears to have been staged on the distribution server from March through June.\n\n## Exploiting vulnerabilities\n\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called &quot;limited and targeted attacks&quot;. At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity&#x27;s telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits had become available to multiple groups.\n\nWe also discovered a campaign active since mid-March targeting governmental entities in Europe and Asia using the same Exchange zero-day exploits. This campaign made use of a previously unknown malware family that we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.\n\nOn January 25, the Google Threat Analysis Group (TAG) announced a state-sponsored threat actor had targeted security researchers. According to Google TAG&#x27;s blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog where a Chrome exploit was waiting for them. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We confirmed that several infrastructures on the blog overlapped with [our previously published](<https://securelist.com/lazarus-threatneedle/100803/>) reporting about Lazarus group&#x27;s ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle \u2013 malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data related to the attack. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. We found a relatively large number of hosts communicating with the C2s at the time of our research.\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region. Further analysis revealed that this escalation of privilege (EoP) exploit had potentially been used in the wild since at least November 2020. We reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310. Various marks and artifacts left in the exploit meant that we were highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as Moses. Moses appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from Moses. While the EoP exploit was discovered in the wild, we weren&#x27;t able to directly tie its usage to any known threat actor that we currently track. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren&#x27;t able to capture a full exploit chain, so we don&#x27;t know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an EoP exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 \u2013 RS5, 18362 \u2013 19H1, 18363 \u2013 19H2, 19041 \u2013 20H1, 19042 \u2013 20H2) and exploited two distinct vulnerabilities in the Microsoft Windows OS kernel. We reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8 as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a remote shell-style backdoor that in turn connects to the C2 to get commands. Because we couldn&#x27;t find any connections or overlaps with a known actor, we named this cluster of activity PuzzleMaker.\n\nFinally, late this year, we detected a wave of attacks using an elevation of privilege exploit affecting server variants of the Windows operating system. Upon closer analysis, it turned out to be a zero-day use-after-free vulnerability in Win32k.sys that we reported to Microsoft and was consequently fixed as CVE-2021-40449. We analyzed the associated malware, dubbed the associated cluster MysterySnail and found infrastructure overlaps that link it to the IronHusky APT.\n\n## Firmware vulnerabilities\n\nIn September, we [provided an overview](<https://securelist.com/finspy-unseen-findings/104322/>) of the FinSpy PC implant, covering not only the Windows version, but also Linux and macOS versions. FinSpy is an infamous, commercial surveillance toolset that is used for &quot;legal surveillance&quot; purposes. Historically, several NGOs have repeatedly reported it being used against journalists, political dissidents and human rights activists. Historically, its Windows implant was represented by a single-stage spyware installer; and this version was detected and researched several times up to 2018. Since then, we have observed a decreasing detection rate for FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installer packages backdoored with Metasploit stagers. We were unable to attribute these packages to any threat actor until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan. Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our report.\n\nTowards the end of Q3, we identified a previously unknown payload with advanced capabilities, delivered using two infection chains to various government organizations and telecoms companies in the Middle East. The payload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being persistently deployed through an MBR or a UEFI bootkit. Interestingly enough, some of the components observed in this attack have been formerly staged in memory by Slingshot agent on multiple occasions, whereby Slingshot is a post-exploitation framework that we covered in several cases in the past (not to be confused with the Slingshot APT). It is mainly known for being a proprietary commercial penetration testing toolkit officially designed for red team engagements. However, it&#x27;s not the first time that attackers appear to have taken advantage of it. One of our previous reports from 2019 covering FruityArmor&#x27;s activity showed that the threat group used the framework to target organizations across multiple industries in the Middle East, possibly by leveraging an unknown exploit in a messenger app as an infection vector. In a recent private intelligence report, we provided a drill-down analysis of the newly discovered malicious toolkit that we observed in tandem with Slingshot and how it was leveraged in clusters of activity in the wild. Most notably, we outlined some of the advanced features that are evident in the malware as well as its utilization in a particular long-standing activity against a high-profile diplomatic target in the Middle East.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T10:00:31", "type": "securelist", "title": "APT annual review 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-40449"], "modified": "2021-11-30T10:00:31", "id": "SECURELIST:1F59148E6615695438F94EF4956585AA", "href": "https://securelist.com/apt-annual-review-2021/105127/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:23", "description": "\n\n## Summary\n\nLast week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service \u2013 CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers.\n\nKaspersky products protect against attacks leveraging these vulnerabilities. The following detection names are used:\n\n * HEUR:Exploit.Win32.CVE-2021-1675.*\n * HEUR:Exploit.Win32.CVE-2021-34527.*\n * HEUR:Exploit.MSIL.CVE-2021-34527.*\n * HEUR:Exploit.Script.CVE-2021-34527.*\n * HEUR:Trojan-Dropper.Win32.Pegazus.gen\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * Exploit.Win32.CVE-2021-1675.*\n * Exploit.Win64.CVE-2021-1675.*\n\nOur detection logic is also successfully blocks attack technique from the latest Mimikatz framework v. 2.2.0-20210707.\n\nWe are closely monitoring the situation and improving generic detection of these vulnerabilities using our [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and Exploit Prevention components. As part of our [Managed Detection and Response service](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) Kaspersky SOC experts are able to detect exploitation of these vulnerabilities, investigate such attacks and report to customers.\n\n## Technical details\n\n### CVE-2021-34527\n\nWhen using RPC protocols to add a new printer (_RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]_) a client has to provide multiple parameters to the Print Spooler service:\n\n * _pDataFile_ - a path to a data file for this printer;\n * _pConfigFile_ - a path to a configuration file for this printer;\n * _pDriverPath_ - a path to a driver file that&#x27;s used by this printer while it&#x27;s working.\n\nThe service makes several checks to ensure _pDataFile_ and _pDriverPath_ are not UNC paths, but there is no corresponding check for pConfigFile, meaning the service will copy the configuration DLL to the folder _%SYSTEMROOT%\\system32\\spool\\drivers\\x64\\3\\_ (on x64 versions of the OS).\n\nNow, if the Windows Print Spooler service tries to add a printer again, but this time sets pDataFile to the copied DLL path (from the previous step), the print service will load this DLL because its path is not a UNC path, and the check will be successfully passed. These methods can be used by a low-privileged account, and the DLL is loaded by the _NT AUTHORITY\\SYSTEM group_ process.\n\n### CVE-2021-1675\n\nThe local version of PrintNightmare uses the same method for exploitation as CVE-2021-34527, but there&#x27;s a difference in the entrypoint function (_AddPrinterDriverEx_). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.\n\n## Mitigations\n\nKaspersky experts anticipate a growing number of exploitation attempts to gain access to resources inside corporate perimeters accompanied by a high risk of ransomware infection and data theft.\n\nTherefore, it is strongly recommended to follow Microsoft [guidelines](<https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler>) and apply the latest security updates for Windows.\n\nQuoting Microsoft (as of July 7th, 2021): \n_&quot;Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object (GPO). \nWhile this security assessment focuses on domain controllers, any server is potentially at risk to this type of attack.&quot;_", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T05:00:06", "type": "securelist", "title": "Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T05:00:06", "id": "SECURELIST:0C07A61E6D92865F5B58728A60866991", "href": "https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-15T10:54:49", "description": "\n\n_Kaspersky Managed Detection and Response (MDR) provides advanced protection against the growing number of threats that bypass automatic security barriers. Its capabilities are backed by a high-professional team of security analysts operating all over the world. Each suspicious security event is validated by our analysts complementing the automatic detection logic and letting us continuously improve the detection rules._\n\n_The MDR results allow us to map out the modern threat landscape and show techniques used by attackers right now. We share these results with you so that you are more informed about in-the-wild attacks and better prepared to respond._\n\n## PrintNightmare vulnerability exploitation\n\nThis summer, we witnessed a series of attacks using a dangerous vulnerability in the Windows Print Spooler service: **CVE-2021-1675/CVE-2021-34527**, also known as [PrintNightmare](<https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/>). This vulnerability was published in June 2021 and allows attackers to add arbitrary printer drivers in the spooler service and thus remotely execute code on a vulnerable host under System privileges. We have already [published](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) the technical details of this vulnerability, and today we will talk about how MDR analysts detected and investigated attacks that exploit this vulnerability in real companies.\n\n### Case #1\n\nShortly after the PrintNightmare vulnerability was published, a detailed report with a technical description of the problem, as well as a working PoC exploit, was posted on GitHub by mistake. The repository was disconnected several hours later, but during this time several other users managed to clone it.\n\nKaspersky detected an attempt to exploit the PrintNightmare vulnerability using this publicly available tool. The MDR team observed a request to suspicious _DLL_ libraries from the spooler service. It should be noted, that the file names used by the attacker were exactly the same as those available in the public exploit on GitHub.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150920/MDR_interesting_cases_02.png>) | Kaspersky detected suspicious DLL libraries (nightmare.dll) on the monitored host. | C:\\Windows\\System32\\spool\\drivers\\x64\\3\\nightmare.dll C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\nightmare.dll \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | In addition, the following script was found on the host. | \\cve-2021-1675-main-powershell\\cve-2021-1675-main\\cve-2021-1675.ps1 \n \nThe table below contains signs of suspicious activity that served as a starting point for the investigation.\n\n**MITRE ATT&amp;CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1210:** \nExploitation of \nRemote \nServices | Local File Modification | Modified file path: \nC:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\ \n1\\nightmare.dll \nFile modifier: \nC:\\Windows\\System32\\spoolsv.exe \nParent of the modifier: \nC:\\Windows\\System32\\services.exe | Legitimate spoolsv.exe \nlocally modified \nc:\\windows\\system32 \n\\spool\\drivers\\x64\\ \n3\\old\\1\\nightmare.dll \n**T1588.005:** \nObtain \nCapabilities: \nExploits | AV exact detect in \nOnAccess mode | File: \n\\cve-2021-1675-main-powershell\\cve-2021- \n1675-main\\cve-2021-1675.ps1 \nAV verdicts: \nExploit.Win64.CVE-2021-1675.c; \nUDS:Exploit.Win64.CVE-2021-1675.c | CVE-2021-1675 exploit \nwas detected and \nsuccessfully deleted \nby AM engine \n \n### Case #2\n\nIn another case, MDR analysts discovered a different attack scenario related to the exploitation of the PrintNightmare vulnerability. In particular, _spooler_ service access to suspicious _DLL_ files was observed. In addition, the _spooler_ service executed some unusual commands and established a network connection. Based on the tools used by attackers, we presume that this activity was related to penetration testing.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150920/MDR_interesting_cases_02.png>) | MDR analyst detected the creation of suspicious _DLL_ libraries using the _certutil.exe_ tool on a monitored host. \nAfter that, the _spooler_ service was added to the planned tasks. | C:\\Windows\\System32\\spool\\driver \ns\\x64\\3\\new\\hello.dll \nC:\\Windows\\System32\\spool\\driver \ns\\x64\\3\\new\\unidrv.dll\u2026 \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151142/MDR_interesting_cases_03.png>) | Next, the spooler service called the newly created _DLL_ files. \nIn addition, the attacker ran some of the created libraries using the rundll32 component. | \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151347/MDR_interesting_cases_04.png>) | Several hours later, a new wave of activity began. The Kaspersky MDR team detected a registry key modification that forces NTLMv1 authentication. It potentially allows [NTLM hashes](<https://book.hacktricks.xyz/windows/ntlm#basic-ntlm-domain-authentication-scheme>) to be intercepted. | \\REGISTRY\\MACHINE\\SYSTEM\\Control \nSet001\\Control\\Lsa\\MSV1_0 \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | Then the attacker re-added spooler to the planned tasks. \nAfter that, execution of various commands on the host with System privileges was observed. The source of this activity was _c:\\windows\\system32\\spoolsv.exe_ process | C:\\Windows\\System32\\cmd.exe /c \nnet start spooler \nC:\\Windows\\System32\\cmd.exe /c \ntimeout 600 &amp;gt; NUL &amp;amp;&amp;amp; \nnet start spooler \n \nThe table below contains signs of suspicious activity that were the starting point for investigation.\n\n**MITRE ATT&amp;CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1570: ** \nLateral Tool Transfer | Web AV exact detect in _OnDownload_ mode | AV verdict: HEUR:Trojan.Win32.Shelma.gen | Attacker downloads \nsuspicious DLL (that is, \nMeterpreter payload) via \nHTTP \n**T1140:** \nDeobfuscate/Decode Files or Information | Local File Modification | Process command lines: \ncertutil -decode 1.txt \nC:\\Share\\hello4.dll | Attacker used _certutil_ \nto decode text file into PE \nbinary \n**T1003.001: \n**OS Credential Dumping: LSASS Memory | AV exact detect in _OnAccess_ mode | AV verdicts: \nVHO:Trojan\u2011PSW.Win64.Mimikatz.gen \nTrojan-PSW.Win32.Mimikatz.gen | Attacker tried to use \nMimikatz \n**T1127.001: \n**Trusted Developer Utilities Proxy Execution: MSBuild | Outbound network connection | Process command line: \nC:\\Windows\\Microsoft.NET\\Framework\\v4 \n.0.30319\\MSBuild.exe C:\\Share\\1.xml | MSBuild network activity \n**T1210: \n**Exploitation of Remote Services | Local File Modification | Modified file path: \nC:\\Windows\\System32\\spool\\drivers\\x64 \n\\3\\old\\1\\hello5.dllFile modifier: \nC:\\Windows\\System32\\spoolsv.exe \nParent of the modifier: \nC:\\Windows\\System32\\services.exe | Legitimate \nspoolsv.exe locally \nmodified \nc:\\windows\\system3 \n2\\spool\\drivers\\x6 \n4\\3\\old\\1\\hello5.dll \n**T1547.012: \n**Boot or Logon Autostart Execution: Print Processors \n**T1033: \n**System Owner/User Discovery | Process start | Command line: whoami \nProcess integrity level: System \nParent process: \nC:\\WINDOWS\\System32\\spoolsv.exe \nGrandparent process: \nC:\\Windows\\System32\\services.exe | Legitimate \nspoolsv.exe started \nwhoami with System \nintegrity level \n**T1547.012:** \nBoot or Logon Autostart Execution: Print Processors | Outbound network connection | Process command line: \nC:\\Windows\\System32\\spoolsv.exe \nRemote TCP port: 4444/TCP | Legitimate \nspoolsv.exe made a \nconnection to default \nMeterpreter port \n(4444/TCP) \n**T1547.012:** \nBoot or Logon Autostart Execution: Print Processors \n**T1059.003:** \nCommand and Scripting Interpreter: Windows Command Shell \n**T1033:** \nSystem Owner/User Discovery | Process start | Command line: whoami \nProcess integrity level: System \nParent process: \nC:\\Windows\\System32\\cmd.exe \nGrandparent process: \nC:\\Windows\\System32\\spoolsv.exe | Legitimate \nspoolsv.exe started \ncmd.exe that started \nwhoami with System \nintegrity level \n \n## MuddyWater attack\n\nIn this case, the Kaspersky MDR team detected a request from the customer&#x27;s infrastructure to a malicious APT related host. Further investigation allowed us to attribute this attack to the [MuddyWater group](<https://attack.mitre.org/groups/G0069/>). MuddyWater is a threat actor that first surfaced in 2017. This APT group mainly targets government agencies in Iraq, Saudi Arabia, Jordan, Turkey, Azerbaijan, and Pakistan. Kaspersky&#x27;s report on this group&#x27;s activity is available [here](<https://securelist.com/muddywaters-arsenal/90659/>).\n\nAmong other methods, the group uses VBS implants in phishing emails as an initial attack vector. During execution, the implant accesses URLs with a common structure to connect to the C2 server. The typical structure of the URL is provided below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151840/MDR_interesting_cases_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14152658/MDR_interesting_cases_06.png>) | First of all, MDR analysts found a VBS implant from startup, presumably related to the MuddyWater group, to be running on the monitored host. | \\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KLWB6.vbs \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | After script execution, some malicious resources were accessed. The structure of these URLs follows the common structure used by the MuddyWater group. In addition, the accessed IP address was observed in other attacks of this group. | hxxp://185[.]117[.]73[.]52:443/getTarget \nInfo?guid=xxx-yyy-zzz&amp;status=1 \nhxxp://185[.]117[.]73[.]52:443/getComman \nd?guid=xxx-yyy-zzz* \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14153224/MDR_interesting_cases_07.png>) | Next, execution of commands to collect information from the compromised host was observed. | &quot;C:\\Windows\\System32\\cmd.exe&quot; /c \nexplorer.exe &gt;&gt; \nc:\\ProgramData\\app_setting_readme.txt &quot;C:\\Windows\\System32\\cmd.exe&quot; /c whoami &gt;&gt; c:\\ProgramData\\app_setting_readme.txt \n \n**_* xxx is company short name (identifier), yyy is the victim hostname and zzz is username_**\n\nTable below contains signs of suspicious activity that were the starting point for investigation.\n\n**MITRE ATT&amp;CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1071: \n**Application Layer Protocol | Access to malicious hosts from nonbrowsers | Target URL: \nhxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid \n=xxx-yyy-zzz&amp;status=1 \nCMD line: \n&quot;C:\\Windows\\System32\\WScript.exe&quot; C:\\Users\\USERNAME\\AppData\\Roaming\\Microsoft\\Windo \nws\\Start Menu\\Programs\\Startup\\KLWB6.vbs \nProcess: \nC:\\Windows\\system32\\wscript.exe | VBS script accessed malicious URL during execution \n**T1071:** \nApplication Layer Protocol | URL exact detect | Malicious URL: \nhxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid \n=xxx-yyy-zzz&amp;status=1 \nAV verdict: \nMalware | Malicious URL was successfully detected by AV \n \n## Credential Dumping from LSASS Memory\n\nIn the last case, we&#x27;d like to talk about an attack related to collecting credentials from the LSASS process memory dump (T1003.001 MITRE technique). Local Security Authority Subsystem Service (LSASS) stores a variety of credentials in process memory. These credentials can be harvested by System or administrative user and then used for attack development or lateral movement.\n\nMDR analysts detected an attempt to dump the LSASS process memory on the monitored host, despite the fact that most of the attacker&#x27;s actions did not differ from the usual actions of the administrator. The attackers used two public tools (the first one was detected and blocked by an AV solution) to dump the LSASS process memory and export the obtained dump via Exchange server. In particular, the MDR team observed the download and execution of a suspicious DLL file (categorized as SSP) by LSASS.exe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151347/MDR_interesting_cases_04.png>) | The attacker executed several recon commands to get more information about the host, and then ran commands to get the LSASS process ID. | C:\\Windows\\System32\\tasklist.exe \nC:\\Windows\\System32\\findstr.exe /i sass \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | After that, the attacker tried to run a malicious tool to dump the process memory, but it was blocked by an endpoint protection solution. | &quot;C:\\Windows\\System32\\rundll32.exe&quot; \nC:\\Windows\\System32\\comsvcs.dll MiniDump 616 \nc:\\programdata\\cdera.bin full\n\n_## 616 is LSASS process id_ \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154017/MDR_interesting_cases_08.png>) | Then the attacker tried to dump the LSASS process memory using another tool. They unzipped an archive containing the _resource.exe_ and _twindump.dll_ files. | C:\\Windows\\System32\\cmd.exe /C c:\\&quot;program files&quot;\\7- \nzip\\7z.exe x -pKJERKL6j4dk&amp;@1 c:\\programdata\\m.zip -o \nc:\\windows\\cluster\n\n## _resource.exe_ and _twindump.dll_ files were created \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151142/MDR_interesting_cases_03.png>) | Subsequently, the file _resource.exe_ was added to the planned tasks and executed. However, the attempt to obtain an LSASS dump was unsuccessful. | C:\\Windows\\System32\\cmd.exe /C \nC:\\Windows\\System32\\staskes.exe /create /tn Ecoh /tr \n&quot;cmd /c C:\\Windows\\cluster\\resource.exe \nase2af6das3fzc2 agasg2aa23gfdgd&quot; /sc onstart /ru \nsystem /F\n\n## staskes.exe is a renamed schtasks.exe file \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154042/MDR_interesting_cases_09.png>) | Later, one more attempt to perform this technique was made. The attacker unpacked an archive containing another malicious utility, and ran it the same way as previously. The created files are presumably related to the [MirrorDump](<https://github.com/CCob/MirrorDump>) tool. As a result, the attacker successfully obtained an LSASS dump. | C:\\Windows\\System32\\cmd.exe /C c:\\&quot;program files&quot;\\7- \nzip\\7z.exe x -p&quot;KJERfK#L6j4dk321\u2033 \nc:\\programdata\\E.zip -o c:\\programdata\\ \nC:\\Windows\\System32\\cmd.exe \n/C c:\\windows\\system32\\staskes.exe /create /tn Ecoh /tr \n&quot;c:\\programdata\\InEnglish.exe g2@j5js1 0sdfs,48 \nC:\\programdata\\EnglishEDouble \nC:\\programdata\\EnglishDDouble \nC:\\programdata\\English1.dll \nC:\\programdata\\English.dmp&quot; /sc onstart /ru system /F C:\\Windows\\System32\\cmd.exe /C c:\\windows\\system32\\staskes.exe /run /tn Ecoh \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154059/MDR_interesting_cases_10.png>) | Then the obtained dump was exported to Exchange server. Afterwards, the attacker deleted all the created files. | C:\\Windows\\System32\\cmd.exe /C copy \nc:\\programdata\\Es.zip \nc:\\Program Files\\Microsoft\\Exchange Server\\V14\\ClientAccess\\owa\\auth\\Es.png \n \nTable below contains signs of suspicious activity that were the starting point for investigation.\n\n**MITRE ATT&amp;CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | AV exact detect | AV verdict: \nPDM:Exploit.Win32.GenericProcess command line: \n&quot;C:\\Windows\\System32\\rundll32.exe&quot; \nC:\\Windows\\System32\\comsvcs.dll MiniDump \n**616** C:\\programdata\\cdera.bin full \nParent process command line: \nC:\\Windows\\System32\\wsmprovhost.exe - \nEmbedding \nGrandparent process command line:: \nC:\\Windows\\System32\\svchost.exe -k \nDcomLaunchProcess logon type: 3 (Network logon) | Remotely executed \nprocess memory dump \nwas detected by AM \nengine \n**616** is LSASS process \nPID \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | Create section (load DLL) \nExecute section (run DLL) | DLL name: C:\\programdata\\english1.dll \nProcess: C:\\Windows\\System32\\lsass.exe \nProcess PID: **616** \nParent process: command line: C:\\Windows\\System32\\wininit.exe \nProcess integrity level: System | Unknown DLL was loaded and executed within lsass.exe \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | Inexact AV detect | Internal AV verdict: The file is Security Support \nProvider (SSP) \nFile path: C:\\programdata\\english1.dll \nProcess: C:\\Windows\\System32\\lsass.exe | Unknown DLL loaded to lsass is SSP \n**T1053.005:** \nScheduled Task/Job: Scheduled Task | Create process | Process command line: \nC:\\programdata\\InEnglish.exe g2@j5js1 \n0sdfs,48 C:\\programdata\\EnglishEDouble C:\\programdata\\EnglishDDouble \n**C:\\programdata**\\English1.dll \nC:\\programdata\\English.dmp \nParent process command line: \ntaskeng.exe {7725474B-D9EA-473D-B10D- \nAC0572A0AA70} S-1-5-18:NT \nAUTHORITY\\System:Service: \nGrandparent process command line: \nC:\\Windows\\System32\\svchost.exe -k netsvcs \nProcess integrity level: System \nProcess user SID: S-1-5-18 | Suspicious executable from C:\\programdata run as scheduled task under _System_ privileges \n \nObserved malicious files:\n\nc:\\programdata\\e.zip | 0x37630451944A1DD027F5A9B643790B10 \n---|--- \nc:\\programdata\\es.zip | 0x3319BD8B628F8051506EE8FD4999C4C3 \nc:\\programdata\\m.zip | 0xC15D90F8374393DA2533BAF7359E31F9 \nc:\\programdata\\inenglish.exe | 0xCB15B1F707315FB61E667E0218F7784D \nc:\\programdata\\english1.dll | 0x358C5061B8DF0E0699E936A0F48EAFE1 \nc:\\windows\\cluster\\resource.exe | 0x872A776C523FC33888C410081A650070 \nc:\\windows\\cluster\\twindump.dll | 0xF980FD026610E4D0B31BAA5902785EDE \n \n## Conclusion\n\nAttackers follow trends. They use any loophole to break into your corporate network. Sometimes they learn about new vulnerabilities in products earlier than security researchers do. Sometimes they hide so skillfully that their actions are indistinguishable from those of your employees or administrators.\n\nCountering targeted attacks requires extensive experience as well as constant learning. Kaspersky Managed Detection and Response delivers fully managed, individually tailored ongoing detection, prioritization, investigation, and response. As a result, it provides all the major benefits from having your own security operations center without having to actually set one up.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-15T10:00:42", "type": "securelist", "title": "Kaspersky Managed Detection and Response: interesting cases", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-12-15T10:00:42", "id": "SECURELIST:830DE5B1B5EBB6AEE4B12EF66AD749F9", "href": "https://securelist.com/kaspersky-managed-detection-and-response-interesting-cases/105214/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-10T08:05:03", "description": "\n\nTargeted attack attribution is always a tricky thing, and in general, we believe that attribution is best left to law enforcement agencies. The reason is that, while in 90% of cases it is possible to understand a few things about the attackers, such as their native language or even location, the remaining 10% can lead to embarrassing attribution errors or worse. High-profile actors make every effort to stay undetected inside the victim&#x27;s infrastructure and to leave as few traces as they can. They implement a variety of techniques to make investigation of their campaigns more difficult. Using LOLBINS, common legitimate pentesting tools, and fileless malware; misleading security researchers by placing false flags\u2014these and other anti-forensic tricks often make threat attribution a matter of luck. That is why there is always a percentage of targeted attacks that remain unattributed for years. Recently, I shared [my TOP 10 list of the most mysterious APT](<https://twitter.com/craiu/status/1573272440704319488>) campaigns/tools on Twitter. In this article, I provide a bit more detail on each case.\n\n## 1\\. Project TajMahal\n\nIn late 2018, we discovered a sophisticated espionage framework, which we dubbed &quot;[TajMahal](<https://securelist.com/project-tajmahal/90240/>)&quot;. It consists of two different packages, self-named &quot;Tokyo&quot; and &quot;Yokohama&quot;, and is capable of stealing a variety of data, including data from CDs burnt on the victim&#x27;s machine and documents sent to the printer queue. Each package includes a number of malicious tools: backdoors, keyloggers, downloaders, orchestrators, screen and webcam grabbers, audio recorders, and more. In total, up to 80 malicious modules were discovered.\n\nProject TajMahal had been active for at least five years before we first detected it. What makes it even more mysterious is that its only known victim is a high-profile diplomatic entity. Who was behind the attack, if there were any other victims, or whether the whole toolset was developed to penetrate just one organization\u2014these questions remain unanswered.\n\n## 2\\. DarkUniverse\n\nDarkUniverse is [another APT framework](<https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/>) we discovered and reported on in 2018. It was active in the wild for at least for eight years\u2014from 2009 to 2017\u2014and targeted at least 20 civilian and military entities in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates. The malware spreads through spear-phishing emails with a malicious Microsoft Office document as attachment. It consists of several modules responsible for different espionage activities such as keylogging, mail traffic interception, making screenshots, collecting of a wide variety of system information, and more.\n\nThe only prominent case of DarkUniverse being spotted in the wild was when their [sophisticated ItaDuke malware](<https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/>) was dropped with a zero-day PDF exploit conspicuously named &quot;Visaform Turkey.pdf&quot;. DarkUniverse remains unattributed, and it is unclear what happened to the actor after 2017.\n\n## 3\\. PuzzleMaker\n\nIn April 2021, we [detected several targeted attacks](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) using a complex chain of zero-day exploits. To penetrate the system, the actor used a Google Chrome RCE vulnerability. We were not able to obtain the exploit, but suspected the flaw in question was [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>), which enabled an attacker to execute arbitrary code inside the browser sandbox. Once inside, the actor exploited [CVE-2021-31955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31955>), an information disclosure vulnerability in the Windows kernel, to obtain the kernel address of the EPROCESS structure, and elevated privileges using one more Windows kernel flaw, [CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>).\n\nAfter successful exploitation of these vulnerabilities, custom malware consisting of four modules is delivered to the infected system. The modules are a stager, dropper, service, and remote shell, with the last one being the final payload. We dubbed the APT &quot;PuzzleMaker&quot;.\n\nThe only weak link to known APT campaigns is a post-exploitation technique that is used both by PuzzleMaker and the CHAINSHOT malware, and by at least two state-sponsored threat actors. However, the technique is publicly known and can be used by various groups independently.\n\n## 4\\. ProjectSauron (aka Strider)\n\nProjectSauron was [first discovered](<https://securelist.com/faq-the-projectsauron-apt/75533/>) in September 2015, when [Kaspersky Anti-Targeted Attack Platform](<https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform>) detected anomalous network traffic in a customer organization. The traffic originated from a suspicious library loaded into the memory of a domain controller server and registered as a Windows password filter, which has access to plain-text passwords to administrative accounts. It proved to be a part of a complex APT platform targeting government, telecommunication, scientific, military, and financial organizations in Russia, Iran, Rwanda, and possibly, Italian-speaking countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06125545/TOP-_10_unattributed_APT_mysteries_01.png>)\n\n**_ProjectSauron got its name from the &quot;Sauron&quot; mentioned in its configuration_**\n\nThe ProjectSauron platform has a modular structure. Its core implants are unique to each victim, with different file names and sizes, and timestamps tailored to the target environment. This way, the artifacts discovered in one organization are of low value to other victims. These core implants act as backdoors that download additional modules and run commands inside the memory. The modules perform specific espionage functions, such as keylogging, stealing documents, or hijacking encryption keys from infected computers and attached USB devices. A special module is responsible for accessing air-gapped systems through infected USB drives.\n\nThe threat actor behind ProjectSauron uses a complex command-and-control infrastructure involving a wide range of different ISPs and a number of IP-addresses across US and Europe. The actor made every possible effort not to create recognizable patterns in its operations. The only thing that can be said with confidence is that this level of sophistication is hardly achievable without a nation-state sponsor. It is also worth noting that the actor probably learned from other high-profile APTs, such as [Duqu](<https://securelist.com/the-mystery-of-duqu-part-ten/32668/>), [Flame](<https://securelist.com/the-flame-questions-and-answers/34344/>), [Equation](<https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/>), and [Regin](<https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06125628/TOP-_10_unattributed_APT_mysteries_02.gif>)\n\n## 5\\. USB Thief\n\nIn 2016, our colleagues at ESET [discovered a type of USB malware](<https://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/>) that featured a tricky self-protection mechanism. Dubbed &quot;USB Thief&quot;, it consisted of six files, two of which were configuration files, while the other four were executables. The files were designed to be executed in a pre-defined order, and some of them were AES128-encrypted. The encryption key was generated using a unique USB device ID and certain disk properties. This made it hard to decrypt and run the files anywhere but on the infected USB drive.\n\nThree of the executable files are loaders that load the next-stage file. To ensure that the files are loaded in the correct order, they use hashes of the previously loaded files as their names. Additionally, some of the files check the name of the parent process and terminate if it is wrong. The final payload is a data stealer that looks to the configuration file for information about what data to exfiltrate, how to encrypt it, and where to store. The data is always exfiltrated to a location on the infected USB device.\n\nAnother interesting technique implemented in USB Thief is using portable versions of certain applications, such as Notepad, Firefox, and TrueCrypt, to trick the user into running the first malware loader. To achieve this goal, it injects itself into the command chain of these applications as a plugin or a dynamic linked library. When the user runs the infected app, the malware launches, too. The malware is not widespread and is most likely used in highly targeted attacks involving a human asset.\n\nSince my post on Twitter, [our colleagues at ESET shared further information](<https://twitter.com/0xfmz/status/1573321520570671105>) on this toolset, which includes their suspicion that it might be associated with the Lamberts APT group:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06130040/TOP-_10_unattributed_APT_mysteries_03.png>)\n\n## 6\\. TENSHO (aka White Tur)\n\nIn early 2021, while searching for phishing pages that spoofed governmental websites, researchers at the PwC company [stumbled across a page](<https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html>) used to phish for Serbian Ministry of Defense credentials. This page led them to a previously unknown threat actor dubbed &quot;TENSHO&quot; or &quot;White Tur&quot;. This actor has been active since at least 2017 and uses a variety of unique techniques and tools, which include weaponized documents, HTA and PowerShell scripts, Windows executables, and phishing pages that mimic governmental websites.\n\nAmong other tools, TENSHO uses the OpenHardwareMonitor open-source project, whose legitimate purpose is to monitor device temperature, fan speed, and other hardware health data. The threat actor spreads a malicious OpenHardwareMonitor package designed to deliver TENSHO&#x27;s malware in the form of a PowerShell script or Windows binary.\n\nTo date, no ties have been discovered between this threat actor and any known APT group. TENSHO targets organizations inside Serbia and Republika Srpska (an entity in Bosnia and Herzegovina) indicating a very specific regional interest. Because many parties might be interested in targeting these regions, it is not easy to attribute the threat.\n\n## 7\\. PlexingEagle\n\nDuring the HITBSec 2017 conference in Amsterdam, Emmanuel Gadaix presented the discovery of a highly interesting GSM cyberespionage toolset, likely deployed by a very advanced threat actor, found during a routine security sweep in a client&#x27;s systems.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06130131/TOP-_10_unattributed_APT_mysteries_04.png>)\n\n**_[A Surprise Encounter With a Telco APT](<https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf>), by courtesy of Emmanuel Gadaix_**\n\nThe compromise was originally discovered by Gadaix&#x27; team on a Solaris 10 machine that was used by the actors as an operating base. From there, the attackers leveraged advanced knowledge of the GSM infrastructure and network to patch the functionality normally used by law enforcement for eavesdropping on phone calls in order to implement their own mechanisms for intercepting calls of interest. The malware used in the intrusion was written using LUA, a language we saw used by other advanced threat actors, such as the ones behind Flame and Project Sauron. In his presentation, Gadaix hints at a number of similarities between this case and the so-called &quot;Athens Affair&quot;, the two being the only known cases of this threat actor actually being caught in the wild.\n\n## 8\\. SinSono\n\nIn May 2021, Syniverse, a telecom company that provides text message routing services to such carriers as At&amp;T, Verizon, T-Mobile, and others, detected [unauthorized access to its IT systems](<https://www.theverge.com/2021/10/6/22713543/syniverse-hack-five-years-text-messages>). An internal investigation revealed that an unknown adversary first penetrated Syniverse&#x27;s infrastructure in 2016. For five years they had acted undetected, accessed internal databases, and managed to compromise about 235 customers&#x27; login credentials for the company&#x27;s Electronic Data Transfer (EDT) environment. Through these accounts, the threat actor could access highly sensitive consumer data, e.g., call records and the contents of text messages.\n\nWhile the company reset or inactivated credentials for all EDT customers, and contacted affected organizations, many questions remain: for instance, if the actor had actually stolen sensitive data or not. Although the company itself and some of the carriers relying on its services see no indicators of a major breach and no attempt to disrupt their processes, we know neither who the actor was nor what their goals were. Our analysis of the data related to the attack indicates a high degree of attention and care regarding operational security and ensuring that attribution is difficult.\n\n## 9\\. MagicScroll (aka AcidBox)\n\nMagicScroll is a sophisticated malicious framework that was [first detected](<https://unit42.paloaltonetworks.com/acidbox-rare-malware/>) by Palo Alto&#x27;s Unit 42 in 2019. It is a type of multistage malware with only a few known samples and one known victim, located in Russia and attacked in 2017. The initial infection stage of MagicScroll is missing. The first known stage is a loader that was created as a [security support provider](<https://learn.microsoft.com/en-us/windows/win32/secauthn/custom-security-packages>), a DLL that usually provides certain security features, such as application authentication. MagicScroll abuses this functionality to achieve injection into the lsass.exe process and probably persistence as well.\n\nThe loader&#x27;s main purpose is to decrypt and load the next-stage module, which is stored in the registry. This module exploits a VirtualBox driver vulnerability to load an unsigned malicious driver in kernel mode. According to Unit 42, the exploitation of this vulnerability was previously observed in [Turla](<https://securelist.com/tag/turla/>) operations, however there is no indication that the new actor has any links to that group. Unit 42 also found some loose similarities with [ProjectSauron](<https://securelist.com/faq-the-projectsauron-apt/75533/>), but they stated that these are too weak for considering the two campaigns linked. Neither have we found any ties between MagicScroll and any other known APTs.\n\n## 10\\. Metador\n\nThe Metador threat actor was [first publicly described](<https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/>) by SentinelLabs in September 2022. It mainly targets ISPs, telecommunication companies, and universities in several countries in the Middle East and Africa; at least one of its victims has been attacked by nearly ten different APT groups.\n\nMetador operates two malware platforms dubbed &quot;metaMain&quot; and &quot;Mafalda&quot;, which are deployed purely in memory. The metaMain platform is a feature-rich backdoor, which provides the threat actor with long-term access to the infected system. It can log keyboard and mouse events, make screenshots, download and upload files, and execute arbitrary shellcode.\n\nMafalda is a backdoor that is being actively developed. Its latest version was compiled with a timestamp of December 2021. It features a number of anti-analysis techniques and supports 67 commands, which is 13 more than in the previous version of the malware.\n\nApart from typical backdoor functionality, metaMain and Mafalda are capable of establishing connections to other (yet unknown) implants and exchange data with these. One of those implants is called &quot;Cryshell&quot; and acts as intermediate server between metaMain or Mafalda, and the C2. There are reasons to believe that unknown Linux implants exist that can send data collected from Linux machines to Mafalda.\n\nIt is yet to be established who the actor behind Metador is and what their goals are. The sophisticated malware designed to stay undetected for a long time suggests that this is a cyberespionage campaign by a high-end threat actor. At least some of the C2 responses are in Spanish, which may indicate that the actor or some of its developers speak Spanish. Also, some cultural references were found in Metador&#x27;s malware, including British pop punk lyrics and Argentinian political cartoons. The diversity of traces makes it difficult to determine in which state&#x27;s interests it operates\u2014if at all. One of the hypotheses is that the group is a high-end contractor.\n\n## Conclusion\n\nAdvanced threat actors use every possible means to stay undetected, and\u2014if caught\u2014unattributed. Every now and then, security researchers will reveal a mysterious campaign that has remained uncovered for years and that is nearly impossible to trace back to its benefactors with certitude. The ten stories described in this post are just some of the many unattributed mysteries we have seen through the years. That is why it is important to discuss them and share data on them within the cybersecurity community.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-07T10:00:47", "type": "securelist", "title": "TOP 10 unattributed APT mysteries", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2022-10-07T10:00:47", "id": "SECURELIST:8BBBF7B71E6D52B912070367475B6567", "href": "https://securelist.com/top-10-unattributed-apt-mysteries/107676/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T08:14:22", "description": "\n\n## Figures of the year\n\nIn 2022:\n\n * 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam\n * As much as 29.82% of all spam emails originated in Russia\n * Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments\n * Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links\n * 378,496 attempts to follow phishing links were associated with Telegram account hijacking\n\n## Phishing in 2022\n\n### Last year&#x27;s resonant global events\n\nThe year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the &quot;preview&quot;, the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132238/spam-phishing-report-2022-01.png>)\n\nSome websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget. Of course, no prize ensued after the fee was paid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132326/spam-phishing-report-2022-02.jpg>)\n\nSoccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. Those who chose to spend their money on a shady website risked never getting what they ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132414/spam-phishing-report-2022-03.jpg>)\n\nWebsites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost closed. Vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132716/spam-phishing-report-2022-04.png>)\n\nFake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132903/spam-phishing-report-2022-05.png>)\n\n### The pandemic\n\nThe COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website offered users to obtain a COVID vaccination certificate by entering their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141812/spam-phishing-report-2022-06.png>)\n\nScammers abused legitimate survey services by creating polls in the name of various organization to profit from victims&#x27; personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were offered to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the &quot;charity&quot; found the victim&#x27;s telephone number in a database of individuals affected by COVID-19. Those who wished to receive the &quot;aid&quot; were asked to state their full name, contact details, date of birth, social security and driver&#x27;s license numbers, gender, and current employer, attaching a scanned copy of their driver&#x27;s license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others&#x27; personal details for deriving profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141841/spam-phishing-report-2022-07.png>)\n\n### Crypto phishing and crypto scams\n\nThe unabated popularity of cryptocurrency saw crypto scammers&#x27; interest in wallet owners&#x27; accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. By getting the user&#x27;s secret phrase, cybercriminals could get access to their cryptocurrency balance.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141926/spam-phishing-report-2022-08.png>)\n\nIn a typical internet hoax manner, crypto scam sites offered visitors to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency \u2014 which they promised to give away and which they were trying to steal. The &quot;giveaways&quot; were timed to coincide with events that were directly or indirectly associated with cryptocurrency. Thus, one of the fake sites promised prizes on the occasion of Nvidia thirty-year anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promotion of cryptocurrency use was another pretext for the &quot;giveaways&quot;. Users were offered to deposit up to 100 cryptocurrency units for a promise to refund two times that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar once they received the deposit.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142443/spam-phishing-report-2022-09.png>)\n\n### Compensation, bonus, and paid survey scams\n\nBonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that &quot;financial assistance&quot; is frequently promised by con artists to swindle you out of your money.\n\n&quot;Promotional campaigns by major banks&quot; were a popular bait in 2022. Visitors to a fraudulent web page were offered to receive a one-time payment or to take a service quality survey for a fee. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30\u201340. The cybercriminals used an array of techniques to lull victims&#x27; vigilance: company logos, assurances that the campaigns were legit, as well as detailed, lifelike descriptions of the offer. Similar &quot;campaigns&quot; were staged in the name of other types of organizations, for example, the Polish finance ministry.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142523/spam-phishing-report-2022-10.png>)\n\nAid as distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a &quot;Ramadan Relief&quot; program that aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, whereas observers buy more than they normally do and may be faced with a shortage of money. Legitimate charities, such as [WF-AID](<https://wfaid.org/rrf/>), do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization&#x27;s logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive &quot;recipient feedback&quot; posted below the message. The victim was asked to make sure that their name was on the list of recipients, so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts\u2014nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them. In addition to that, they might ask the victim to cover the &quot;shipping costs&quot;.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142600/spam-phishing-report-2022-11.png>)\n\nGrowing utility rates and an increase in the price of natural resources have prompted several governments to start discussing compensations for the population. Payout notices could arrive by mail, email, or as a text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash for covering utility payments or compensation of utility expenses. Visitors were occasionally asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did provide the type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and enter the details of the bank card linked to their account with the utility. The promise of \u00a3400 was supposed to make the victim drop their guard and share their personal information.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142636/spam-phishing-report-2022-12.png>)\n\nIn Singapore, scammers offered a refund of water supply costs, purportedly because of double billing. An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142706/spam-phishing-report-2022-13.png>)\n\n### Fake online stores and large vendor phishing\n\nWe see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142737/spam-phishing-report-2022-14.png>)\n\n&quot;Insides&quot; about &quot;private sales&quot; were also used as a lure. Thus, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible, with the only potential red flags being really low prices and the URL in the address bar not matching the official one.\n\nMany large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing. The risk associated with making a purchase was to lose a substantial amount of money and never to receive what was ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142817/spam-phishing-report-2022-15.jpg>)\n\n### Hijacking of social media accounts\n\nUsers of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but do so without the other party knowing. Cybercriminals who were after their account credentials offered victims to have their cake and eat it by using some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user&#x27;s appearance and voice during video calls, and track who has been viewing their profile, among other features. To get the &quot;update&quot;, the victim was asked to enter their account credentials, which the scammers immediately took over.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142852/spam-phishing-report-2022-16.png>)\n\nMany Instagram users dream about the Blue Badge, which stands for verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was to enter their account logins and passwords.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142919/spam-phishing-report-2022-17.png>)\n\nRussia blocked access to both Facebook and Instagram in March 2022, which led to the popularity of Russian social networks and Telegram skyrocketing. This increased usage meant the users&#x27; risk of losing personal data was now higher, too. &quot;Well-wishers&quot; who operated scam sites offered to check if Russian social media contained any embarrassing materials on the victim. The scam operators told the users it was possible to find damaging information about every third user of a social network by running a search. If the user agreed to a search to be done for them, they were told that a certain amount of dirty linen indeed had been found. In reality, there was no search \u2014 the scammers simply stole the credentials they requested for the check.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142944/spam-phishing-report-2022-18.png>)\n\nOne of the added risks of social media phishing is scammers getting access to both the social media account itself and any linked services.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143155/spam-phishing-report-2022-19.png>)\n\nThe Telegram Premium status provides a range of benefits, from an ad-free experience to an ability to block incoming voice messages, but the subscription costs money. Scammers offered to &quot;test&quot; a Premium subscription free of charge or simply promised to give one for free if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143228/spam-phishing-report-2022-20-EN.png>)\n\nOne more phishing campaign targeting Telegram users was arranged to coincide with the New Year&#x27;s celebration. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children&#x27;s drawings, encouraging users to vote for their favorites. Scammers sent a link to that page from hacked accounts, asking users to vote for their friends&#x27; kids&#x27; works. Those who took the bait were directed to a fake page with a login form on it. The cybercriminals were betting on the users to go straight to voting, without checking the authenticity of the drawings, which had been copied from various past years&#x27; competition pages, as requests to vote for one&#x27;s friends&#x27; kids are common before public holidays.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143725/spam-phishing-report-2022-21.jpg>)\n\nThe Telegram auction platform named Fragment went live in the October of 2022: it was selling unique usernames. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was requested to log in. If the victim entered their credentials, the scam operators immediately grabbed those.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143807/spam-phishing-report-2022-22.png>)\n\n## Spam in 2022\n\n### The pandemic\n\nUnlike phishing, COVID-themed spam is still a thing. Most of that is &quot;Nigerian-type&quot; scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts, and to improve the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even if they are not a Facebook user. Recipients are told that they could claim some IMF money left unallocated because of the pandemic. Others are offered hefty amounts under an anti-recession assistance program.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143915/spam-phishing-report-2022-23.png>)\n\nThe amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but the figure had shrunk by three times by yearend.\n\n### Contact form spam\n\nThe year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites that offer registration, contact, or support request forms that do not require the user to be logged in to submit, and do not check the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields, and in others, add a longer text with images to the message field. Then the attackers add victims&#x27; email addresses to the contact fields and submit. When getting a message via a registration or contact form, most websites reply to the user&#x27;s email address that their request was received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13144349/spam-phishing-report-2022-24.png>)\n\nMost scam messages offer a compensation or prize to the recipient. For example, a spam email targeting Russian users promised an equivalent of $190\u20134200 in VAT refunds. To get the money, the victim was offered to open the link in the message. This scheme is a classic: a linked web page requests that the user pay a commission of under a dozen dollars, which is insignificant in comparison to the promised refund. We observed many varieties of contact form money scam: from fuel cards to offers to make money on some online platform.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13145016/spam-phishing-report-2022-25.png>)\n\nScammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on &quot;prizes&quot; or &quot;earning money&quot;, messages in other languages, in addition to offering &quot;prizes&quot;, encouraged users to visit &quot;dating sites&quot; \u2014 in fact, populated by bots \u2014 where the victims would no doubt be asked to pay for a premium account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150322/spam-phishing-report-2022-26.png>)\n\nWe blocked upward of a million scam emails sent via legitimate forms in 2022.\n\n### Blackmail in the name of law enforcement agencies\n\nExtortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued, but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or they received threats in the form of an image with text. In addition, the geography of mailings widened in 2022.\n\nThe essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient due to allegedly visiting sites containing child pornography.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150404/spam-phishing-report-2022-27.png>)\n\nTo avoid serious consequences, the attackers urged the victim to respond as soon as possible to the sender and &quot;settle the matter&quot;. Most likely, the scammers would ask for a certain amount of money to be paid in further correspondence for the victim&#x27;s name to be removed from the &quot;criminal case&quot;. In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.\n\n### Exploiting the news\n\nSpammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing transferring money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand the transfer of money to Bitcoin wallets, as it is more difficult to trace the recipient through cryptocurrency transactions than through the bank ones. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150431/spam-phishing-report-2022-28.png>)\n\nThe news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails where fraudsters were requesting help on behalf of a Russian millionaire, who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and the email recipient might be lucky to get a piece of this pie.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150458/spam-phishing-report-2022-29.jpg>)\n\nMore and more &quot;business offers&quot; are appearing among spam mailings, and they exploit the current information agenda. Due to economic sanctions in 2022, enterprising businessmen offered replacements for goods and services from suppliers who left the Russian market. For example, spammers actively advertised services of a company transporting people to Russia. The email text emphasized the fact that many transport companies refused to provide such services.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153541/spam-phishing-report-2022-30.png>)\n\nThere were also spam mailings where various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153600/spam-phishing-report-2022-31.png>)\n\nThe shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153622/spam-phishing-report-2022-32.png>)\n\nSpammers in 2022 also actively marketed their promotional mailing services as alternative advertising to unavailable promotion via platforms such as Instagram. For example, in April we blocked around a million of such mailings.\n\nAgainst the backdrop of sanctions and the accompanying disruption of supply chains, there has been an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and the number of them was growing, from around 700,000 in the first quarter to more than a million in the fourth.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153708/spam-phishing-report-2022-33.png>)\n\n### Spam with malicious attachments\n\nEmployees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted. Attackers have become more active in imitating business correspondence, not only targeting HR-specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company&#x27;s profile, and applying business language. They also actively exploited off the current news agenda and mentioned real employees from the company supposedly sending the emails. Spammers faked their messages as internal company correspondence, business correspondence between different organizations, and even as notifications from government agencies.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153731/spam-phishing-report-2022-34.png>)\n\nMasking malicious emails as business correspondence has become a major trend in malicious spam in 2022. Attackers tried to convince the recipient that it was a legitimate email, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year, we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing correspondence from previously infected computers) and sent malicious files or links to all of its participants in response to the previous email. This trick makes it harder to keep track of malicious emails, and the victim is more likely to fall for it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153756/spam-phishing-report-2022-35.png>)\n\nIn most cases, either the [Qbot](<https://securelist.com/qakbot-technical-analysis/103931/>) Trojan or [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/>) was loaded when the malicious document was opened. Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot also allows you to gain access to emails and steal them for further attacks.\n\nMailings imitating notifications from various ministries and other government organizations have become more frequent in the Runet. Emails were often designed to take into account the specific activities of the organizations they were pretending to be. The sender&#x27;s addresses copied the logic of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as &quot;key points of the meeting&quot;. For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.\n\nThe perpetrators did not ignore the news agenda. In particular, the malware was distributed under the guise of call-up &quot;as part of partial mobilization&quot; or as a &quot;new solution&quot; to safeguard against possible threats on the internet &quot;caused by hostile organizations&quot;.\n\nIn the second case, the program installed on victim&#x27;s computer was in fact a crypto-ransomware Trojan.\n\n## Two-stage spear phishing using a known phish kit\n\nIn 2022, we saw an increase in spear (or targeted) phishing attacks targeting businesses around the world. In addition to typical campaigns consisting of one stage, there were attacks in several stages. In the first email, scammers in the name of a potential client asked the victim to specify information about its products and services. After the victim responds to this email, the attackers start a phishing attack.\n\nKey facts:\n\n * Attackers use fake Dropbox pages created using a well-known phishing kit\n * The campaign targets the sales departments of manufacturers and suppliers of goods and services\n * Attackers use SMTP IP addresses and _From_ domains provided by Microsoft Corporation and Google LLC (Gmail)\n\n### Statistics\n\nThe campaign began in April 2022, with malicious activity peaking in May, and ended by June.\n\n_Number of emails related to a two-step targeted campaign detected by Kaspersky solutions ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161029/01-en-spam-report-2022-diagrams.png>))_\n\n### How a phishing campaign unfolds\n\nAttackers send an email in the name of a real trade organization requesting more information about the victim company&#x27;s products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender&#x27;s email address from a free domain, like gmail.com, may raise doubts. The email on the screenshot below is sent from an address in this domain, and the company name in the _From_ field is different to its name in the signature.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153835/spam-phishing-report-2022-36.jpg>)\n\n**_Example of the first email_**\n\nIt is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use [spoofing of the legitimate domain](<https://securelist.com/email-spoofing-types/102703/>) of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick in blocking email addresses spotted sending spam. This is the most likely reason why attackers used different addresses in the _From_ header (where the email came from) and _Reply-to_ header (where the reply will go when clicking &quot;Reply&quot; in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the _Reply-to_ header is not used for spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.\n\nAfter victims respond to a first email, attackers send a new message, asking them to go to a file-sharing site and view a PDF file with a completed order, which can be found via the link.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153858/spam-phishing-report-2022-37.jpg>)\n\n**_An email with a phishing link_**\n\nBy clicking the link, the user is taken to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials from specific resources. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153925/spam-phishing-report-2022-38.jpg>)\n\n**_A fake WeTransfer page created using the same phish kit as the target campaign sites_**\n\nIn the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button. After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153950/spam-phishing-report-2022-39.png>)\n\n**_A fake Dropbox page_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154022/spam-phishing-report-2022-40.jpg>)\n\n**_Login page with a phishing form_**\n\nWhen victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.\n \n \n <form name=\"loginform\">\n <div class=\"form-group\">\n <label for=\"\">Email Address</label>\n <input type=\"email\" id=\"email\" class=\"form-control\" name=\"email\" placeholder=\"email Address\">\n <div class=\"email-error\"></div>\n </div>\n <div class=\"form-group\">\n <label for=\"\">Password</label>\n <input type=\"password\" id=\"password\" class=\"form-control\" name=\"password\" placeholder=\"Password\">\n <div class=\"password-error\"></div>\n </div>\n <div class=\"form-group btn-area\">\n <button class=\"download-btn\" id=\"db\" type=\"submit\">Download</button>\n </div>\n </form>\n </div>\n <script src=\"https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&amp;token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b\"></script>\n\n**_HTML representation of a phishing form_**\n\n### Victims\n\nWe have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic has gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.\n\n_Share of spam in global email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161102/02-en-spam-report-2022-diagrams.png>))_\n\nThe most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest, only 45.20% of emails in this month were spam.\n\nOn Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the trend for a gradual shift in ratio in favor of legitimate correspondence can also be seen. We saw the largest share of spam in Runet in the first quarter, with 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.\n\n_Proportion of spam in Runet email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161132/03-en-spam-report-2022-diagrams.png>))_\n\nEven though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed in that month. And the quietest month in Runet was December (47.18%), the same as globally.\n\n### Countries and territories \u2014 sources of spam\n\nIn 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).\n\n_TOP 20 countries and territories \u2014 sources of spam, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161204/04-en-spam-report-2022-diagrams.png>))_\n\nThe Netherlands remained in fifth place (3.70%), its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).\n\n### Malicious mail attachments\n\nIn 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That&#x27;s an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.\n\n_Number of Mail Anti-Virus hits, January \u2014 December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161240/05-en-spam-report-2022-diagrams.png>))_\n\nThe most common malicious email attachments in 2022, as in 2021, were [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojan stealers (7.14%), whose share decreased slightly. [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (4.89%) moved up to second place, and [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) exploits in the same component (1.80%). This vulnerability was more widespread in 2021 and has now dropped to tenth place.\n\n_TOP 10 malware families spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161308/06-en-spam-report-2022-diagrams.png>))_\n\n[ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the [Guloader](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Guloader/>) downloader family (2.65%), which delivers remotely controlled malware to victims&#x27; devices. They are closely followed by the [Badur](<https://threats.kaspersky.com/en/threat/Trojan.PDF.Badur/>) family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims&#x27; devices, particularly ransomware. The ninth most popular family was [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (2.10%), which creates malicious tasks in the task scheduler.\n\n_TOP 10 types of malware spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161339/07-en-spam-report-2022-diagrams.png>))_\n\nThe list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.\n\n### Countries and territories targeted by malicious mailings\n\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.\n\n_TOP 20 countries and territories targeted by malicious mailings, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161409/08-en-spam-report-2022-diagrams.png>))_\n\nIn Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on computers of users from Germany (3.85%) continued to decrease. The share in the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth place.\n\n## Statistics: phishing\n\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.\n\n### Map of phishing attacks\n\nIn 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year&#x27;s ranking. Madagascar is in third place (12.04%), which was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.\n\nTOP 10 countries and territories by share of attacked users:\n\n**Country/territory** | **Share of attacked users*** \n---|--- \nVietnam | 17.03% \nMacau | 13.88% \nMadagascar | 12.04% \nAlgeria | 11.05% \nEcuador | 11.05% \nMalawi | 10.91% \nBrunei | 10.59% \nBrazil | 10.57% \nMorocco | 10.43% \nPortugal | 10.33% \n \n**_* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022_**\n\n### Top-level domains\n\nAs in previous years, the majority of phishing pages were hosted in the COM domain zone, but its share almost halved, from 31.55% to 17.69%. Zone XYZ remained in second place (8.79%), whose share also decreased. The third most popular domain among attackers was FUN (7.85%), which had not previously received their attention. The domain is associated with entertainment content, which is perhaps what attracted fraudsters to it.\n\n_Most frequent top-level domains for phishing pages in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161441/09-en-spam-report-2022-diagrams.png>))_\n\nDomains ORG (3.89%) and TOP (1.80%) swapped places relative to 2021 but remained in fourth and fifth places. In addition to this, the top ten domain zones in most demand among cybercriminals included: RU (1.52%), COM.BR (1.13), DE (0.98%), CO.UK (0.98%) and SE (0.92%).\n\n### Organizations under phishing attacks\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nIn 2022, pages impersonating delivery services had the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.\n\n_Distribution of organizations targeted by phishers, by category, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161508/10-en-spam-report-2022-diagrams.png>))_\n\nThe share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) round complete the TOP 10 categories of sites of interest to criminals.\n\n### Hijacking Telegram accounts\n\nIn 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. However, by the end of the year, the number of phishing attacks on the messenger&#x27;s users increased dramatically to 44,700 in October, 83,100 in November and 125,000 in December. This increase is most likely due to several large-scale Telegram account hijacking campaigns that we [observed in late 2022](<https://www.kaspersky.ru/blog/telegram-takeover-contest/34472/>) (article in Russian).\n\n_Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January \u2014 December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161540/11-en-spam-report-2022-diagrams.png>))_\n\nIt is of note that the majority of phishing attacks were aimed at users from Russia. While in the first months of 2022 their share was approximately half of the total number of attacks worldwide, since March 70\u201390% of all attempts to follow phishing links by Telegram users were made by Russian users.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161612/12-en-spam-report-2022-diagrams.png>))_\n\nPhishing activity on WhatsApp is down slightly since 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day. The first half of the year was the most turbulent, and by the third quarter, phishing activity in the messenger had dropped sharply.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154605/spam-phishing-report-2022-42.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)_**\n\nThe largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place, where over the year, the Chat Protection component prevented 69,000 attempts to go to fraudulent resources from the messenger.\n\n_TOP 7 countries and territories where users most often clicked phishing links in WhatsApp ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161647/13-en-spam-report-2022-diagrams.png>))_\n\nUnlike WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. The peak of activity came at the end of June and beginning of July, when the number of blocked clicks could have exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154645/spam-phishing-report-2022-41.png>)\n\n**_Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)_**\n\nIn Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram. Second place went to Brazil, where 3,800 clicks were blocked.\n\n_TOP 7 countries and territories where users most frequently clicked phishing links from Telegram ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161717/14-en-spam-report-2022-diagrams.png>))_\n\n## Conclusion\n\nTimes of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and departure of individual companies from specific countries&#x27; markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021, but already beginning to wane in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.\n\nRecently, we&#x27;ve seen an increase in targeted phishing attacks where scammers don&#x27;t immediately move on to the phishing attack itself, but only after several introductory emails where there is active correspondence with the victim. This trend is likely to continue. New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-02-16T08:00:07", "type": "securelist", "title": "Spam and phishing in 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2023-02-16T08:00:07", "id": "SECURELIST:49E48EDB41EB48E2FCD169A511E8AACD", "href": "https://securelist.com/spam-phishing-scam-report-2022/108692/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-12T19:33:22", "description": "\n\nAlso known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (Tactic Tools and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates - whitelisted per victims - hosted on remote servers. We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its \"validator\" implant named \"PowerShower\" directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed [five years ago in our first blogpost about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - takes three commands:\n\n**Command** | **Description** \n---|--- \n0x80 (Ascii \"P\") | It is the first byte of the magic PK. The implant will save the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x79 (Ascii \"O\") | It is the first byte of \"On resume error\". The implant saves the received content as a VBS script under \"%APPDATA%\\Microsoft\\Word\\\\[A-Za-z]{4}.vbs\" and executes it by using Wscript.exe \nDefault | If the first byte doesn't match 0x80 or 0x79, the content is saved as an XML file under \"%TEMP%\\temp.xml\". After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. \nAfter executing the commands, the script deletes \"%TEMP%\\temp.xml\" and sends the content of \"%TEMP%\\pass.txt\" to the C2 via an HTTP POST request. \n \nA few modules deployed by PowerShower have been seen in the wild, such as:\n\n * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\n * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;\n * A password stealer module which uses the opensource tool LaZagne to retrieve passwords from the infected system.\n\nWe haven't yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group's second stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## And his new friend, VBShower\n\nDuring its recent campaigns, Cloud Atlas used a new \"polymorphic\" infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.\n\n * A backdoor that we name **VBShower** which is polymorphic and replaces PowerShower as a validator;\n * A tiny launcher for VBShower ;\n * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.\n\nThis \"polymorphic\" infection chain allows the attacker to try to prevent IoC-based defence, as each code is unique by victim so it can't be searched via file hash on the host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)\n\nThe VBShower backdoor has the same philosophy of the validator version of PowerShower. Its aim is to complicate forensic analysis by trying to delete all the files contained in \"%APPDATA%\\\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".\n\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and tries to get via HTTP a VBS script to execute from the remote server every hour.\n\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second stage modular backdoor which communicates to a cloud storage service via Webdav.\n\n## Final words\n\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.\n\nUnlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating. More interestingly, this intrusion set hasn't changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## IoCs\n\n#### Some emails used by the attackers\n\n * infocentre.gov@mail.ru\n * middleeasteye@asia.com\n * simbf2019@mail.ru\n * world_overview@politician.com\n * infocentre.gov@bk.ru\n\n#### VBShower registry persistence\n\n * Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\n * Value : wscript //B \"%APPDATA%\\\\[A-Za-z]{5}.vbs\"\n\n#### VBShower paths\n\n * %APPDATA%\\\\[A-Za-z]{5}.vbs.dat\n * %APPDATA%\\\\[A-Za-z]{5}.vbs\n * %APPDATA%\\\\[A-Za-z]{5}.mds\n\n#### VBShower C2s\n\n * 176.31.59.232\n * 144.217.174.57", "cvss3": {}, "published": "2019-08-12T10:00:58", "type": "securelist", "title": "Recent Cloud Atlas activity", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-08-12T10:00:58", "id": "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "href": "https://securelist.com/recent-cloud-atlas-activity/92016/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:29:15", "description": "\n\n## Quarterly highlights\n\n### Valentine's Day\n\nAs per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)\n\nBut most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)\n\n### New Apple products\n\nLate March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.\n\n_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)\n\n_Fake Apple ID login pages_\n\nScammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)\n\n### Fake technical support\n\nFake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)\n\n_Fake \"Kaspersky Lab support service\" accounts_\n\nAll these profiles that we detected in Q1 have one thing in common: they offer assistance in matters related to one or another company products, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. Not only do users not have their issue resolved, they are likely to be defrauded as well.\n\n### New Instagram \"features\"\n\nLast year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full \u2014 not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.\n\nCybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)\n\nAs usual in such schemes, the \"buyer\" is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)\n\n### Mailshot phishing\n\nIn Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)\n\n### Financial spam through the ACH system\n\nIn Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)\n\n### \"Dream job\" offers from spammers \n\nIn Q3, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing \"dream job\" offers. This quarter, we logged another major mailing topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the \"cloud service,\" the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)\n\n### Ransomware and cryptocurrency\n\nAs we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of \"sextortion\" \u2014 a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)\n\nIn Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.\n\nThe fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the \"employee\" happened to know that the victim was a well-off individual with a reputation to protect \u2014 for which a payment of 10,000 dollars in bitcoin was demanded.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)\n\nPlaying on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.\n\n### Malicious attacks on the corporate sector\n\nIn Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)\n\nWe also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)\n\n### Attacks on the banking sector\n\nBanks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender's address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message \u2014 for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message. The email itself stated that the bank had introduced some new security features that required an update of the account details to use.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)\n\nThe link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>)\n\nIn Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.\n\n_Proportion of spam in Runet mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>)\n\nPeak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>)\n\nAs is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). The Top 10 is rounded off by Vietnam (2.18%).\n\n### Spam email size\n\n_Spam email size, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>)\n\nIn Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2\u20135 KB messages fell to 8.27% (down 3.15 p.p.). 10\u201320 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20\u201350 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).\n\n### Malicious attachments: malware families\n\n_TOP 10 malicious families in mail traffic, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>)\n\nIn Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.\n\n### Countries targeted by malicious mailshots\n\n_Countries targeted by malicious mailshots, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>)\n\nFirst place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.\n\n## Statistics: phishing\n\nIn Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites. **12.11%** of all Kaspersky Lab users worldwide experienced an attack.\n\n### Attack geography\n\nIn Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.\n\n_Geography of phishing attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>)\n\nIn second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.\n\n**Country** | **%*** \n---|--- \nBrazil | 21.66 \nAustralia | 17.20 \nSpain | 16.96 \nPortugal | 16.81 \nVenezuela | 16.72 \nGreece | 15.86 \nAlbania | 15.11 \nEcuador | 14.99 \nRwanda | 14.89 \nGeorgia | 14.76 \n \n*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThis quarter, the banking sector remains in first place by number of attacks \u2014 the share of attacks on credit organizations increased by 5.23 p.p. against Q4 last year to 25.78%.\n\n_Distribution of organizations subjected to phishing attacks by category, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>)\n\nSecond place went to global Internet portals (19.82%), and payment systems \u2014 another category that includes financial institutions \u2014 finished third (17.33%).\n\n## Conclusion\n\nIn Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** in comparison with the previous reporting period.\n\nAs previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away \u2014 on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.\n\nOn top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.", "cvss3": {}, "published": "2019-05-15T10:00:23", "type": "securelist", "title": "Spam and phishing in Q1 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-05-15T10:00:23", "id": "SECURELIST:45BAFC60F3E2EFDD0D35C99D042559B4", "href": "https://securelist.com/spam-and-phishing-in-q1-2019/90795/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-01T16:36:08", "description": "\n\n## Quarterly highlights\n\n### Scamming championship: sports-related fraud\n\nThis summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were &quot;official&quot;, despite charging potential victims several times the [real price of a ticket](<https://www.kaspersky.ru/blog/ofitsialnye-bilety-v-teatr/25890/>), and some just took the money and disappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123731/Spam_report_Q3_2021_01.png>)\n\nScammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123806/Spam_report_Q3_2021_02.png>)\n\nSoccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the &quot;bonus&quot; evaporated into thin air.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123923/Spam_report_Q3_2021_03.png>)\n\n&quot;Nigerian prince&quot; scammers also had a close eye on Q3&#x27;s sporting fixture. The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124024/Spam_report_Q3_2021_04.png>)\n\nSome messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November \u2014 December 2022, yet scammers are already inventing giveaways related to it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124115/Spam_report_Q3_2021_05.png>)\n\nAmong other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124200/Spam_report_Q3_2021_06.png>)\n\n### Scam: get it yourself, share with friends\n\nIn Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date. Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124249/Spam_report_Q3_2021_07.png>)\n\nThere were also plenty of &quot;holiday deals&quot; supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children&#x27;s World, a major chain of kids&#x27; stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the &quot;promotion&quot; to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the &quot;lucky ones&quot; had to pay a small fee.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124402/Spam_report_Q3_2021_08.png>)\n\nOn a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the &quot;winner&quot; was promised as a prize a QR code that could supposedly be used to make purchases in the company&#x27;s stores. Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a &quot;commission&quot; before being able to spend the prize money. Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124531/Spam_report_Q3_2021_09.png>)\n\nIn 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly &quot;reads cookies from the victim&#x27;s device to estimate their market value.&quot; The &quot;valuation&quot; most often landed in the US$700\u20132,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured that the data would go to the one offering the highest price.\n\nIf the victim agreed, they were asked to link their payment details to the account in the system and to top it up by \u20ac6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. Naturally, they received no payment, and the \u20ac6 and payment details remained in the attackers&#x27; possession.\n\nNote that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity \u2014 in particular, login details that let you avoid having to re-enter your credentials on frequently used sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124600/Spam_report_Q3_2021_10-scaled-1.jpeg>)\n\nEven in official mobile app stores, malware can sometimes sneak in. As such, this quarter saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded on such platform. The blurb described them as software that helps find and process payments from the government that the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money, the user was requested to &quot;pay for legal services relating to form registration&quot;. The numerous positive reviews under the application form, as well as the design mimicking real government sites, added credibility. We informed the store in question, which they removed the fraudulent apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124627/Spam_report_Q3_2021_11.png>)\n\n### Spam support: call now, regret later\n\nE-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account can frighten users more than abstract technical problems. However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from where the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim&#x27;s account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124650/Spam_report_Q3_2021_12.png>)\n\n### COVID-19\n\nNew life was injected into the COVID-19 topic this quarter. In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began &quot;selling&quot; their own. We also encountered rogue sites offering negative PCR test certificates. The &quot;customer&quot; was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124714/Spam_report_Q3_2021_13.png>)\n\nSpam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the &quot;Nigerian prince&quot; scam.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124741/Spam_report_Q3_2021_14.png>)\n\nHowever, &quot;Nigerian prince&quot; scams are not all that might await recipients of such messages. For example, the authors of spam exploiting Argentina&#x27;s BBVA name had a different objective. Users were invited to apply for government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124803/Spam_report_Q3_2021_15.png>)\n\nCybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. The attached document, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>), contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim&#x27;s system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124828/Spam_report_Q3_2021_16.png>)\n\n### Corporate privacy\n\nA new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124852/Spam_report_Q3_2021_17.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% \u2014 down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.\n\n_Share of spam in global mail traffic, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131406/01-en-spam-report-q3.png>))_\n\nIn July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) \u2014 0.15 p.p. less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).\n\n### Source of spam by country\n\nThe top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. and fell to fourth place, while the Netherlands held on to fifth (4.96%).\n\n_Source of spam by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131453/03-en-spam-report-q3.png>))_\n\nOn the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).\n\n### Malicious mail attachments\n\nMail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.\n\n_Dynamics of Mail Anti-Virus triggerings, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131519/04-en-spam-report-q3.png>))_\n\nDuring the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.\n\n#### Malware families\n\nIn Q3 2021, Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. These Trojans are designed to steal login credentials from the victim&#x27;s device. The share of the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. Third place was taken by the [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (5.19%), whose 32-bit [relatives](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.71%) moved down to ninth. Meanwhile, the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.\n\n_TOP 10 malware families in mail traffic, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131546/05-en-spam-report-q3.png>))_\n\nThe sixth place in TOP 10 common malware families in spam in Q3 was occupied by [exploits for the CVE-2018-0802 vulnerability](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, [exploits for which](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (2.97%), and eighth to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%). Loaders from the [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) family again propped up the ranking (1.69%).\n\nThe TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.\n\n_TOP 10 malicious attachments in spam, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131613/06-en-spam-report-q3.png>))_\n\n#### Countries targeted by malicious mailings\n\nIn Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country&#x27;s share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out TOP 3, its share continuing to decline in Q3.\n\n_Countries targeted by malicious mailings, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131639/07-en-spam-report-q3.png>))_\n\nBrazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) drops to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).\n\n## Statistics: phishing\n\nIn Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.\n\n### Geography of phishing attacks\n\nBrazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).\n\n_Geography of phishing attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131707/08-en-spam-report-q3.png>))_\n\n### Top-level domains\n\nThe top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.\n\n_Top-level domain zones most commonly used for phishing, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131734/09-en-spam-report-q3.png>))_\n\nThe Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).\n\n### Organizations under phishing attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nGlobal internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories &quot;Social networks and blogs&quot; (6.24%) and &quot;IMs&quot; (5.06%), respectively.\n\n_Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131759/10-en-spam-report-q3.png>))_\n\nThe seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter. Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131830/11-en-spam-report-q3.png>))_\n\nOn WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though \u2014 on July 12\u201316 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices. We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132007/Spam_report_Q3_2021_18.png>)\n\n**_Dynamics of phishing activity on WhatsApp, Q3 2021_**\n\nAs for Telegram, phishing activity there increased slightly towards the end of the quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132044/Spam_report_Q3_2021_19.png>)\n\n**_Dynamics of phishing activity on Telegram, Q3 2021_**\n\n## Takeaways\n\nNext quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms \u2014 such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed \u2014 even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.\n\nThe COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings. Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-01T12:00:26", "type": "securelist", "title": "Spam and phishing in Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2021-11-01T12:00:26", "id": "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "href": "https://securelist.com/spam-and-phishing-in-q3-2021/104741/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-14T15:27:23", "description": "\n\n## Figures of the year\n\nIn 2021:\n\n * 45.56% of e-mails were spam\n * 24.77% of spam was sent from Russia with another 14.12% from Germany\n * Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails\n * The most common malware family found in attachments were Agensla Trojans\n * Our Anti-Phishing system blocked 253 365 212 phishing links\n * Safe Messaging blocked 341 954 attempts to follow phishing links in messengers\n\n## Trends of the year\n\n### How to make an unprofitable investment with no return\n\nThe subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their &quot;investment projects&quot; look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That&#x27;s how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they&#x27;d invite the &quot;customer&quot; to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)\n\nSimilar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)\n\nAnother trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as. In order to make sure the investors didn&#x27;t think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be &quot;processed&quot;.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)\n\n### Films and events &quot;streamed&quot; on fake sites: not seeing is believing!\n\nOnline streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim&#x27;s trust. They used official advertisements and provided a synopsis of the film on the website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)\n\nHowever, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content, the only difference was visitors might not be able to watch anything without registering. Either way the registration was no longer free. The registration fee would only be a symbolic figure according to the information provided on the website, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)\n\n### A special offer from cybercriminals: try hand at spamming\n\nMore and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, &quot;prize winners&quot; are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small &quot;commission fee&quot; to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see the ad is from someone they know rather than some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)\n\n### Hurry up and lose your account: phishing in the corporate sector\n\nThe main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient&#x27;s attention. The attackers&#x27; main objective was to trick the victim into following the link to a phishing page for entering login details. That&#x27;s why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)\n\nThe fake notification would often concern some undelivered messages. They needed to be accessed via some sort of &quot;email Portal&quot; or another similar resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)\n\nAnother noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient&#x27;s guard and prompt them to enter the username and password for their corporate account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)\n\n### COVID-19\n\n#### Scams\n\nThe subject of COVID-19 which dominated newsfeeds throughout the entire year was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim&#x27;s bank card details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)\n\nThe sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in that, on the one hand, the consequences can be criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There&#x27;s no guarantee that the code they&#x27;re selling will work. Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certs in order to make the transaction.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)\n\n#### The corporate sector\n\nCOVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail of this promised support was to &quot;confirm&quot; their e-mail address by logging in to their account on the scam website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)\n\nAnother malicious mailshot utilized e-mails with an attached HTML file called &quot;Covid Test Result&quot;. Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)\n\nThe &quot;important message about vaccination&quot; which supposedly lay unread in a recipient&#x27;s inbox also contained a link to a page belonging to attackers requesting corporate account details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)\n\nAnother type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work accompanied by the need to take urgent action and read a &quot;2 months salary receipt&quot; were intended to make the recipient open the attachment with the malicious object as quickly as possible.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)\n\n#### COVID-19 vaccination\n\nWhile authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people&#x27;s desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country&#x27;s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)\n\nIn both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details. If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)\n\nAnother way to gain access to users&#x27; personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)\n\nThe scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a &quot;prize&quot; page but told to pay a small necessary &quot;commission fee&quot; in order to receive it. The scammers received the money, but the victim got nothing as a result.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)\n\nWe also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim&#x27;s system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nOn average, 45.56% of global mail traffic was spam in 2021. The figure fluctuated over the course of the year.\n\n_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_\n\nWe observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.\n\n### Source of spam by country or region\n\nLike in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), who&#x27;ve also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China&#x27;s rose 2.52 p.p. compared to 2020.\n\n_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_\n\nThe Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as 2020, Japan (2,36%) and Poland (1.66%). In total, over three quarters of the world&#x27;s spam was sent from these ten countries.\n\n### Malicious mail attachments\n\n_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_\n\nIn 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.\n\n#### Malware families\n\nThe attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same amount of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (3.93%) family, which create malicious tasks in Windows Task Scheduler.\n\n_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_\n\nThe fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. Eighth place was taken by another exploited vulnerability in Equation Editor called [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while in the ninth place were [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.\n\n_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_\n\nThe ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.\n\n#### Countries and regions targeted by malicious mailings\n\nIn 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).\n\n_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_\n\nGermany (4.83%) had been the most popular target in phishing attacks for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%) whose share was just 0.01 p.p higher than Germany&#x27;s. They&#x27;re followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries recorded in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).\n\n## Statistics: phishing\n\nIn 2021, our Anti-Phishing system blocked 253 365 212 phishing links. In total, 8.20% of Kaspersky users in different countries and regions around the world have faced at least one phishing attack.\n\n### Map of phishing attacks\n\n_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_\n\nUsers living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It&#x27;s worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.\n\nMongolia (10.98%) found itself in forth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were R\u00e9union (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).\n\nTOP 10 countries by share of users targeted in phishing attacks:\n\n**Country** | **Share of attacked users*** \n---|--- \nBrazil | 12.39% \nFrance | 12.21% \nPortugal | 11.40% \nMongolia | 10.98% \nR\u00e9union | 10.97% \nBrunei | 10.89% \nMadagascar | 10.87% \nAndorra | 10.79% \nAustralia | 10.74% \nEcuador | 10.73% \n \n_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_\n\n### Top-level domains\n\nMost of the phishing websites blocked in 2021 used a .com domain name like in 2020, whose share rose 7.19 p.p., reaching 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. The third row on the list was occupied by the Chinese country-code domain .cn (7.14%). The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attackers are attracted to for the same reason they&#x27;re attracted to .xyz.\n\n_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_\n\n### Organizations mimicked in phishing attacks\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nThe demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.\n\n_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_\n\nOn average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We have observed a spike in phishing activity on WhatsApp in July, when the Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can&#x27;t say for sure that there&#x27;s a connection between Whatreg activity and phishing in this messaging app, but it&#x27;s a possibility. We also observed another brief surge in phishing activity on the week from October 31 through to November 6, 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**\n\nOn average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)\n\n**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**\n\nA daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)\n\n**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**\n\n## Conclusion\n\nAs we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes \u2014 remaining two of the year&#x27;s main themes \u2014 were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and similar business-related baits. There were also some new trends, such as the investment scam which is gaining momentum.\n\nThe key trends in phishing attacks and scams are likely to continue into the coming year. Fresh &quot;investment projects&quot; will replace their forerunners. &quot;Prize draws&quot; will alternate with holiday giveaways when there&#x27;s a special occasion to celebrate. Attacks on the corporate sector aren&#x27;t going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we&#x27;ll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-09T10:00:28", "type": "securelist", "title": "Spam and phishing in 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2022-02-09T10:00:28", "id": "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "href": "https://securelist.com/spam-and-phishing-in-2021/105713/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-05-15T21:13:49", "description": "\n\n## Q1 figures\n\nAccording to KSN: \n\n * Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.\n * 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.\n * Ransomware attacks were registered on the computers of 179,934 unique users.\n * Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,322,578 malicious installation packages\n * 18,912 installation packages for mobile banking Trojans\n * 8,787 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Q1 events\n\nIn Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was [distributed](<https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171226/180511-it-threats-q1-18-statistics-1.png>)\n\n_This malicious resource shows a fake window while displaying the legitimate site in the address bar_\n\nIt wasn't a [drive-by-download](<https://securelist.com/threats/drive-by-attack-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it's interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.\n\nHowever, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171508/180511-it-threats-q1-18-statistics-21.png>)\n\nSome backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user's phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. Let's hope that the app creators had the noble intention of [protecting users from telephone spam and fraudulent calls](<https://callerid.kaspersky.com/?lang=ru>), but simply chose the wrong means to do so.\n\n### Mobile threat statistics\n\nIn Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171235/180511-it-threats-q1-18-statistics-4.png>)\n\n_Number of detected malicious installation packages, Q2 2017 \u2013 Q1 2018_\n\n#### Distribution of detected mobile apps by type\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171244/180511-it-threats-q1-18-statistics-5.png>)\n\n_Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018 _\n\nAmong all the threats detected in Q1 2018, the lion's share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.\n\nSecond place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.\n\nAdvertising apps, which ranked second in Q4 2017, dropped a place\u2014their share decreased by 8%, accounting for 11% of all detected threats.\n\nOn a separate note, Q1 saw a rise in the share of mobile banking threats. This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### TOP 20 mobile malware\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.17 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.92 \n3 | Trojan.AndroidOS.Agent.rx | 5.55 \n4 | Trojan-Dropper.AndroidOS.Lezok.p | 5.23 \n5 | Trojan-Dropper.AndroidOS.Hqwar.ba | 2.95 \n6 | Trojan.AndroidOS.Triada.dl | 2.94 \n7 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.51 \n8 | Trojan.AndroidOS.Piom.rfw | 2.13 \n9 | Trojan-Dropper.AndroidOS.Lezok.t | 2.06 \n10 | Trojan.AndroidOS.Piom.pnl | 1.78 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 1.76 \n12 | Trojan-SMS.AndroidOS.FakeInst.ei | 1.64 \n13 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n14 | Trojan-Ransom.AndroidOS.Zebt.a | 1.48 \n15 | Trojan.AndroidOS.Piom.qmx | 1.47 \n16 | Trojan.AndroidOS.Dvmap.a | 1.40 \n17 | Trojan-SMS.AndroidOS.Agent.xk | 1.35 \n18 | Trojan.AndroidOS.Triada.snt | 1.24 \n19 | Trojan-Dropper.AndroidOS.Lezok.b | 1.22 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.22 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place was Trojan.AndroidOS.Boogr.gsh (12.92%). This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan's task is to covertly visit web pages as instructed by its C&amp;C.\n\nFourth and fifth places went to the Trojan _matryoshkas_ Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.\n\nSixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the [Trojan.AndroidOS.Triada](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Triada/>) family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in \"clean\" apps.\n\nThe Trojan ransomware Trojan-Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. Like other such mobile ransomware, the malware is distributed under the guise of a porn app.\n\nAnother interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.\n\n#### Geography of mobile threats\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171253/180511-it-threats-q1-18-statistics-6.png>)\n\n_Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)_\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n | Country* | %** \n---|---|--- \n1 | China | 34.43 \n2 | Bangladesh | 27.53 \n3 | Nepal | 27.37 \n4 | Ivory Coast | 27.16 \n5 | Nigeria | 25.36 \n6 | Algeria | 24.13 \n7 | Tanzania | 23.61 \n8 | India | 23.27 \n9 | Indonesia | 22.01 \n10 | Kenya | 21.45 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). The biggest climber was Nepal (27.37%), rising from ninth place last year to third.\n\nRussia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).\n\nThe safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).\n\n#### Mobile banking Trojans\n\nIn the reporting period, we detected **18,912** installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171304/180511-it-threats-q1-18-statistics-7.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q1 2018_\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.bj | 12.36 \n2 | Trojan-Banker.AndroidOS.Svpeng.q | 9.17 \n3 | Trojan-Banker.AndroidOS.Asacub.bk | 7.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.aj | 6.63 \n5 | Trojan-Banker.AndroidOS.Asacub.e | 5.93 \n6 | Trojan-Banker.AndroidOS.Hqwar.t | 5.38 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 5.15 \n8 | Trojan-Banker.AndroidOS.Svpeng.ai | 4.54 \n9 | Trojan-Banker.AndroidOS.Agent.di | 4.31 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 3.52 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.\n\nNote that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171313/180511-it-threats-q1-18-statistics-8.png>)\n\n_Geography of mobile banking threats in Q1 2018 (percentage of attacked users)_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n | Country* | %** \n---|---|--- \n1 | Russia | 0.74 \n2 | USA | 0.65 \n3 | Tajikistan | 0.31 \n4 | Uzbekistan | 0.30 \n5 | China | 0.26 \n6 | Turkey | 0.22 \n7 | Ukraine | 0.22 \n8 | Kazakhstan | 0.22 \n9 | Poland | 0.17 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nThe Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.\n\nThe US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>) family, as well Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### Mobile ransomware Trojans\n\nIn Q1 2018, we detected **8,787** installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a \"banker.\"\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171322/180511-it-threats-q1-18-statistics-9.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 \u2013 Q1 2018)_\n\nNote that despite the decline in their total number, ransomware Trojans remain a serious threat \u2014 technically they are now far more advanced and dangerous. For instance, Trojan-Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to remove them. If no PIN is set (could also be a graphic, numeric, or biometric lock), the device is locked. In this case, the only way to restore the smartphone to working order is to reset the factory settings.\n\nThe most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a \u2014 it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, having held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. Incidentally, Egat.d is a pared-down version of Zebt.a, both have the same creators.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171331/180511-it-threats-q1-18-statistics-10.png>)\n\n_Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)_\n\nTOP 10 countries by share of users attacked by mobile ransomware Trojans:\n\n | Country* | %** \n---|---|--- \n1 | Kazakhstan | 0.99 \n2 | Italy | 0.64 \n3 | Ireland | 0.63 \n4 | Poland | 0.61 \n5 | Belgium | 0.56 \n6 | Austria | 0.38 \n7 | Romania | 0.37 \n8 | Hungary | 0.34 \n9 | Germany | 0.33 \n10 | Switzerland | 0.29 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000) \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).\n\n## Vulnerable apps used by cybercriminals\n\nIn Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years \u2014 browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications, that it can only be compared to amount of Adobe Flash vulnerabilities found in the past. But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171341/180511-it-threats-q1-18-statistics-11.png>)\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2018_\n\nThe most frequently used vulnerability in Microsoft Office in Q1 was [CVE-2017-11882](<https://threats.kaspersky.com/en/vulnerability/KLA11139/>) \u2014 a stack overflow-type vulnerability in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing the protection and launching a successful attack (Kaspersky Lab's Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.\n\nAs for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.\n\nLarge-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited [EternalBlue](<https://threats.kaspersky.com/en/vulnerability/KLA10977/>) and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.\n\n## Malicious programs online (attacks via web resources)\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected. _\n\n### **Online threats in the financial sector**\n\n#### Q1 events\n\nIn early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind [Dridex](<https://securelist.com/dridex-a-history-of-evolution/78531/>). As a result, the malware was rebranded FriedEx.\n\nQ1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, it was [reported by Europol](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>). Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organisation to criminal accounts, and inflate bank balances with money mules being used to collect the proceeds.\n\n#### Financial threat statistics\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._\n\nIn Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171350/180511-it-threats-q1-18-statistics-12.png>)\n\n_Number of unique users attacked by financial malware, Q1 2018_\n\n##### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171359/180511-it-threats-q1-18-statistics-13.png>)\n\n \n**_Geography of banking malware attacks in Q1 2018 (percentage of attacked users)_**\n\n**TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Cameroon | 2.1 \n2 | Germany | 1.7 \n3 | South Korea | 1.5 \n4 | Libya | 1.5 \n5 | Togo | 1.5 \n6 | Armenia | 1.4 \n7 | Georgia | 1.4 \n8 | Moldova | 1.2 \n9 | Kyrgyzstan | 1.2 \n10 | Indonesia | 1.1 \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data. \nExcluded are countries with relatively few Kaspersky Lab' product users (under 10,000). \n** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### TOP 10 banking malware families\n\n**TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | Zbot | Trojan.Win32. Zbot | 28.0% | \n2 | Nymaim | Trojan.Win32. Nymaim | 20.3% | \n3 | Caphaw | Backdoor.Win32. Caphaw | 15.2% | \n4 | SpyEye | Backdoor.Win32. SpyEye | 11.9% | \n5 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 4.5% | \n6 | Emotet | Backdoor.Win32. Emotet | 2.4% | \n7 | Neurevt | Trojan.Win32. Neurevt | 2.3% | \n8 | Shiz | Backdoor.Win32. Shiz | 2.1% | \n9 | Gozi | Trojan.Win32. Gozi | 1.9% | \n10 | ZAccess | Backdoor.Win32. ZAccess | 1.3% | \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.__ \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as _Heodo_. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.\n\n### Cryptoware programs\n\n#### Q1 events\n\nQ1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called [GandCrab](<https://threatpost.com/tag/gandcrab-ransomware/>). Notable features of the malware include:\n\n * Use of C&amp;C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)\n * Ransom demand in the cryptocurrency Dash\n\nGandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.\n\nThe RaaS (ransomware as a service) distribution model continues to attract malware developers. In February, for example, there appeared a new piece of ransomware called [Data Keeper](<https://securelist.ru/data-keeper-ransomware/88883/>), able to be distributed by any cybercriminal who so desired. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by \"affilate program\" participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.\n\nOne notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police [managed to locate and confiscate](<https://www.europol.europa.eu/newsroom/news/no-more-ransom-update-belgian-federal-police-releases-free-decryption-keys-for-cryakl-ransomware>) a server used by the masterminds behind the Trojan Cryakl. Following the operation, [Kaspersky Lab was given](<https://www.kaspersky.com/about/press-releases/2018_no-more-ransom-update>) several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a [tool](<https://support.kaspersky.com/viruses/disinfection/10556>) to assist victims.\n\n#### Number of new modifications\n\nIn Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171409/180511-it-threats-q1-18-statistics-14.png>)\n\n_Number of new cryptoware modifications, Q2 2017 \u2013 Q1 2018_\n\nThe number of new modifications fell sharply against previous quarters. The trend indicates that cybercriminals using this type of malware are becoming less active.\n\n#### Number of users attacked by Trojan cryptors\n\nDuring the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171418/180511-it-threats-q1-18-statistics-15.png>)\n\n_Number of unique users attacked by cryptors, Q1 2018_\n\n#### Geography of attacks\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171429/180511-it-threats-q1-18-statistics-16.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Uzbekistan | 1.12 \n2 | Angola | 1.11 \n3 | Vietnam | 1.04 \n4 | Venezuela | 0.95 \n5 | Indonesia | 0.95 \n6 | Pakistan | 0.93 \n7 | China | 0.87 \n8 | Azerbaijan | 0.75 \n9 | Bangladesh | 0.70 \n10 | Mongolia | 0.64 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). \n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThe makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.\n\nDespite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.\n\n**TOP 10 most widespread cryptor families**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 38.33 | \n2 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 4.07 | \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 4.06 | \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.99 | \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.77 | \n6 | Shade | Trojan-Ransom.Win32.Shade | 2.61 | \n7 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.64 | \n8 | Crysis | Trojan-Ransom.Win32.Crusis | 1.62 | \n9 | Locky | Trojan-Ransom.Win32.Locky | 1.23 | \n10 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.15 | \n| | | | | \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThis quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that's been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. Statistics show that a new modification detected in December immediately began to attack user computers.\n\nThe remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.\n\n### Countries that are sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&amp;C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2018, Kaspersky Lab solutions blocked **796,806,112 **attacks launched from Internet resources located in 194 countries worldwide. **282,807,433** unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171439/180511-it-threats-q1-18-statistics-17.png>)\n\n_Distribution of web attack sources by country, Q1 2018_\n\nThis quarter, Web Anti-Virus was most active on resources located in the US (39.14%). Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Belarus | 40.90 \n2 | Ukraine | 40.32 \n3 | Algeria | 39.69 \n4 | Albania | 37.33 \n5 | Moldova | 37.17 \n6 | Greece | 36.83 \n7 | Armenia | 36.78 \n8 | Azerbaijan | 35.13 \n9 | Kazakhstan | 34.64 \n10 | Russia | 34.56 \n11 | Kyrgyzstan | 33.77 \n12 | Venezuela | 33.10 \n13 | Uzbekistan | 31.52 \n14 | Georgia | 31.40 \n15 | Latvia | 29.85 \n16 | Tunisia | 29.77 \n17 | Romania | 29.09 \n18 | Qatar | 28.71 \n19 | Vietnam | 28.66 \n20 | Serbia | 28.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). \n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.69% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171448/180511-it-threats-q1-18-statistics-18.png>)\n\n_Geography of malicious web attacks in Q1 2018 (percentage of attacked users)_\n\nThe countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.). _\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q1 2018, our File Anti-Virus detected **187,597,494** malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only **Malware-class** attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.03 \n2 | Afghanistan | 56.02 \n3 | Yemen | 54.99 \n4 | Tajikistan | 53.08 \n5 | Algeria | 49.07 \n6 | Turkmenistan | 48.68 \n7 | Ethiopia | 48.21 \n8 | Mongolia | 46.84 \n9 | Kyrgyzstan | 46.53 \n10 | Sudan | 46.44 \n11 | Vietnam | 46.38 \n12 | Syria | 46.12 \n13 | Rwanda | 46.09 \n14 | Laos | 45.66 \n15 | Libya | 45.50 \n16 | Djibouti | 44.96 \n17 | Iraq | 44.65 \n18 | Mauritania | 44.55 \n19 | Kazakhstan | 44.19 \n20 | Bangladesh | 44.15 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). \n_** _Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat in Q1.\n\nThe figure for Russia was 30.92%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171457/180511-it-threats-q1-18-statistics-19.png>)\n\n**The safest countries in terms of infection risk included** Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).", "cvss3": {}, "published": "2018-05-14T10:00:30", "type": "securelist", "title": "IT threat evolution Q1 2018. Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-4878"], "modified": "2018-05-14T10:00:30", "id": "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "href": "https://securelist.com/it-threat-evolution-q1-2018-statistics/85541/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-08-04T10:41:58", "description": "\n\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nInvestigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, &quot;FourteenHi&quot;, in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.\n\nFourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.\n\nAlthough we couldn&#x27;t directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.\n\n## Russian-speaking activity\n\nOn May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven&#x27;t been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it &quot;HotCousin&quot;. The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. This cluster of activity was conducted methodically beginning in January with selective targeting and slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.\n\n## Chinese-speaking activity\n\nWhile investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware&#x27;s artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named &quot;Cheat Engine&quot; to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster &quot;GhostEmperor&quot;.\n\nAPT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and ends as well (for example, exploit or malware staging). Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known constructor specializes in small enterprise routers and network devices. So far, we don&#x27;t know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.\n\nFollowing our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore&#x27;s shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.\n\nA Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.\n\nWhile investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named &quot;QSC&quot;, which allows attackers to load and run plugins in-memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading a Command shell and File Manager plugins in-memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.\n\nEarlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia. The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants - WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant&#x27;s activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.\n\nWe discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools; but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor, that we call &quot;TPCon&quot;, as a primary implant. It was later used to perform both reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors, that we call &quot;evsroin&quot;, used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found additional multiple malware families shared by Chinese-speaking actors, such as ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019. Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.\n\n## Middle East\n\nBlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer related information on Telegram. Following this, we found several samples of the group&#x27;s unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group&#x27;s activity.\n\nWe previously covered a WildPressure campaign against targets in the Middle East . Keeping track of the threat actor&#x27;s malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the &quot;client&quot; programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named &quot;Guard&quot;. Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol is quite recognisable across all programming languages used by the attackers. The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure&#x27;s activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.\n\nWe discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts, in February, for threat actor groups that are using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant - a VBS script. The VBS script&#x27;s main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.\n\nGoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor&#x27;s primary motivation is espionage. Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanied detection logs, portray a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.\n\n## Southeast Asia and Korean Peninsula\n\nThe ScarCruft group is a geo-political motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chains, CVE-2020-1380 and CVE-2020-0986, also used in [Operation Powerfall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed &quot;ATTACK-SYSTEM&quot;, also used multi-stage shellcode infection to deliver the same final payload named &quot;BlueLight&quot;. BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.\n\nIn May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators. Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed &quot;Palwan&quot;. Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don&#x27;t deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.\n\nBlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research of BlueNoroff&#x27;s &quot;SnatchCrypto&quot; campaign in 2020, the group&#x27;s strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim&#x27;s machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain, or cryptocurrency-related, company websites for this campaign, to lure potential victims and initiate the infection process. Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have now been replaced by weaponized Word documents.\n\nWe have discovered [Andariel activity](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion - that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware. This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.\n\nWe recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim&#x27;s Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering-hole focusing on the Philippines.\n\nWe recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims&#x27; devices, such as contact lists, SMS messages, call recordings, media and other types of data. Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control if either Dropbox or another, hard coded server is used to exfiltrate stolen files.\n\n## Other interesting discoveries\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, [we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>). Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.\n\nVarious marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as &quot;Moses&quot;. &quot;Moses&quot; appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from &quot;Moses&quot;. While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren&#x27;t able to capture a full exploit chain, so we don&#x27;t know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nIn another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of the early activity of it last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group&#x27;s operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor. Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed &quot;Samurai&quot;, as well as describing a broader set of targets than the one documented thus far.\n\nOn 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between the 31 January and the 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user&#x27;s execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines); and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven&#x27;t been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a compromised Bash uploader script, as well as identify some possibly associated additional malicious servers.\n\nAn e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager. Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it&#x27;s still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studio on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.\n\nA few days after April&#x27;s Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries, disguised as &quot;April 2021 Security Update Installers&quot;. They were signed with a valid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2, &quot;code.microsoft.com&quot;. Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this activity, we can confirm that there was no compromise of Microsoft&#x27;s infrastructure. In fact, an unauthorized party took over the dangling subdomain &quot;code.microsoft.com&quot; and configured it to resolve to their Cobalt Strike host, setup around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn&#x27;t affect unsuspecting visitors to this website because of the required unique user agent.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and the most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a &quot;remote shell&quot;-style backdoor which in turns connects to the C2 to get commands. So far, we haven&#x27;t been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nOn April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in the community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, initial thoughts were that the two were related; and these were just rumors circulating the community about old activity that was being brought to light again. Following this, we were able to at least confirm that the initial rumors were part of a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above. This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure; one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered &quot;out-of-cycle&quot; update and workaround packages to provide a solution for the multiple vulnerabilities.\n\nCooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.\n\n## Final thoughts\n\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual&#x27;s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we&#x27;ve seen in Q2 2021:\n\n * We have reported several supply-chain attacks in recent months.. While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.\n * APT groups mainly use social engineering to gain an initial foothold in a target network. However, we&#x27;ve seen a rise in APT threat actors leveraging exploits to gain that initial foothold - including the zero-days developed by the exploit developer we call &quot;Moses&quot; and those used in the PuzzleMaker, Pulse Secure attacks and the Exchange server vulnerabilities.\n * APT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages as seen by WildPressure&#x27;s macOS-supported Python malware.\n * As illustrated by the campaigns of various threat actors - including BountyGlad, HotCousin, GoldenJackal, Scarcruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants - geo-politics continues to drive APT developments.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T10:00:46", "type": "securelist", "title": "APT trends report Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-1732", "CVE-2021-22893", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-07-29T10:00:46", "id": "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "href": "https://securelist.com/apt-trends-report-q2-2021/103517/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T14:36:44", "description": "\n\n * **IT threat evolution Q3 2021**\n * [IT threat evolution in Q3 2021. PC statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/>)\n * [IT threat evolution in Q3 2021. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/>)\n\n## Targeted attacks\n\n### WildPressure targets macOS\n\nLast March, we reported a [WildPressure campaign targeting industrial-related entities in the Middle East](<https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/>). While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.\n\nAnother language used by WildPressure is Python. The PyInstaller module for Windows contains a script named &quot;Guard&quot;. Interestingly, this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol is quite recognizable across all three programming languages used by the authors.\n\nWildPressure used both virtual private servers (VPS) and compromised servers in its infrastructure, most of which were WordPress websites.\n\nWe have very limited visibility for the samples described in our report, but our telemetry suggests that the targets in this campaign were also from the oil and gas industry.\n\nYou can view our report on the new version [here](<https://securelist.com/wildpressure-targets-macos/103072/>), together with a video presentation of our findings.\n\n### LuminousMoth: sweeping attacks for the chosen few\n\nWe recently uncovered a large-scale and highly active attack against targets in Southeast Asia by a threat actor that we call [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). The campaign dates back to October last year and was still ongoing at the time we published our public report in July. Most of the early sightings were in Myanmar, but it seems the threat actor is now much more active in the Philippines. Targets include high-profile organizations: namely, government entities located both within those countries and abroad.\n\nMost APT threats carefully select their targets and tailor the infection vectors, implants and payloads to the victims&#x27; identities or environment. It&#x27;s not often we observe a large-scale attack by APT threat actors \u2013 they usually avoid such attacks because they are too &#x27;noisy&#x27; and risk drawing attention to the campaign. LuminousMoth is an exception. We observed a high number of infections; although we think the campaign was aimed at a few targets of interest.\n\nThe attackers obtain initial access to a system by sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document. The archive contains two malicious DLL libraries as well as two legitimate executables that side-load the DLL files. We found multiple archives like this with file names of government entities linked to Myanmar.\n\nWe also observed a second infection vector that comes into play after the first one has successfully finished. The malware tries to spread to other hosts on the network by infecting USB drives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/12153755/LuminousMoth_01.png>)\n\nIn addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/12154002/LuminousMoth_05.png>)\n\nThe threat actor also deploys an additional tool that accesses a victim&#x27;s Gmail session by stealing cookies from the Chrome browser.\n\nInfrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which has been seen targeting the same region using similar tools in the past.\n\n### Targeted attacks exploiting CVE-2021-40444\n\nOn September 7, [Microsoft reported a zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (CVE-2021-40444) that could allow an attacker to execute code remotely on vulnerable computers. The vulnerability is in MSHTML, the Internet Explorer engine. Even though few people use IE nowadays, some programs use its engine to handle web content \u2013 in particular, Microsoft Office applications.\n\nWe [have seen targeted attacks](<https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/>) exploiting the vulnerability to target companies in research and development, the energy sector and other major industries, banking, the medical technology sector, as well as telecoms and IT.\n\nTo exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If the victim opens the document, Microsoft Office downloads the script and runs it using the MSHTML engine. Then the script can use ActiveX controls to perform malicious actions on the victim&#x27;s computer.\n\n### Tomiris backdoor linked to SolarWinds attack\n\nThe SolarWinds incident last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT&#x27;s networks to perfect their attack. The following timeline sums up the different steps of the campaign.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/27145035/SAS_story_Tomiris_connection_01.png>)\n\nIn June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control \u2013 probably achieved by obtaining credentials to the control panel of the victims&#x27; registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/27145115/SAS_story_Tomiris_connection_02.png>)\n\nAfter this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough to link Tomiris and Sunshuttle with sufficient confidence. However, taken together they suggest the possibility of common authorship or shared development practices.\n\nYou can read our analysis [here](<https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/>).\n\n### GhostEmperor\n\nEarlier this year, while investigating the rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. We attribute the activity to a previously unknown threat actor that we have called [GhostEmperor](<https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/>). This cluster stood out because it used a formerly unknown Windows kernel mode rootkit that we dubbed Demodex; and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.\n\nThe rootkit is used to hide the user mode malware&#x27;s artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/29150203/Ghost_Emperor_06.png>)\n\nWe identified multiple attack vectors that triggered an infection chain leading to the execution of the malware in memory. The majority of GhostEmperor infections were deployed on public-facing servers, as many of the malicious artefacts were installed by the httpd.exe Apache server process, the w3wp.exe IIS Windows server process, or the oc4j.jar Oracle server process. This means that the attackers probably abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/29150042/Ghost_Emperor_04.png>)\n\nAlthough infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate Microsoft command line utility (originally called MpCmdRun.exe). The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. Unfortunately, we did not manage to retrieve this executable, but we saw that the consecutive actions of loading it included the creation and execution of GhostEmperor scripts by wdichost.exe.\n\nThis toolset was in use from as early as July 2020, mainly targeting Southeast Asian entities, including government agencies and telecoms companies.\n\n### FinSpy: analysis of current capabilities\n\nAt the end of September, at the Kaspersky [Security Analyst Summit](<https://thesascon.com/>), our researchers provided an [overview of FinSpy](<https://securelist.com/finspy-unseen-findings/104322/>), an infamous surveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Our analysis included not only the Windows version of FinSpy, but also Linux and macOS versions, which share the same internal structure and features.\n\nAfter 2018, we observed falling detection rates for FinSpy for Windows. However, it never actually went away \u2013 it was simply using various first-stage implants to hide its activities. We started detecting some suspicious backdoored installer packages (including TeamViewer, VLC Media Player and WinRAR); then in the middle of 2019 we found a host that served these installers along with FinSpy Mobile implants for Android.\n\nThe authors have gone to great lengths to make FinSpy inaccessible to security researchers \u2013 it seems they have put as much work into anti-analysis and obfuscation as they have into the Trojan itself. First, the samples are protected with multiple layers of evasion tactics.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/24151828/SAS_story_FinFisher_02.png>)\n\nMoreover, once the Trojan has been installed, it is heavily camouflaged using four complex, custom-made obfuscators.\n\nApart from Trojanized installers, we also observed infections involving use of a UEFI (Unified Extensible Firmware Interface) and MBR (Master Boot Record) bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our private report on FinSpy.\n\nThe user of a smartphone or tablet can be infected through a link in a text message. In some cases (for example, if the victim&#x27;s iPhone has not been not [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)), the attacker may need physical access to the device.\n\n## Other malware\n\n### REvil attack on MSPs and their customers worldwide\n\nAn attack perpetrated by the REvil Ransomware-as-a-Service gang (aka Sodinokibi) targeting Managed Service Providers (MSPs) and their clients was discovered on July 2.\n\nThe attackers [identified and exploited](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>) a zero-day vulnerability in the Kaseya Virtual System/Server Administrator (VSA) platform. The VSA software, used by Kaseya customers to remotely monitor and manage software and network infrastructure, is supplied either as a cloud service or via on-premises VSA servers.\n\nThe exploit involved deploying a malicious dropper via a PowerShell script. The script disabled Microsoft Defender features and then used the certutil.exe utility to decode a malicious executable (agent.exe) that dropped an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library was then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/05113533/02-revil-attacks-msp.png>)\n\nThe attack is estimated to have resulted in the encryption of files belonging to around 60 Kaseya customers using the on-premises version of the platform. Many of them were MSPs who use VSA to manage the networks of other businesses. This MSP connection gave REvil access to those businesses, and Kaseya estimated that [around 1,500 downstream businesses were affected](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>).\n\nUsing our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time [our analysis of the attack](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) was published.\n\n### What a [Print]Nightmare\n\nEarly in July, Microsoft published an alert about vulnerabilities in the Windows Print Spooler service. The vulnerabilities, [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>) and [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) (aka PrintNightmare), can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers, making both vulnerabilities potentially very dangerous.\n\nMoreover, owing to a misunderstanding between teams of researchers, a [proof-of-concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (PoC) exploit for PrintNightmare was [published](<https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/>) online. The researchers involved believed that Microsoft&#x27;s Patch Tuesday release in June had already solved the problem, so they shared their work with the expert community. However, while Microsoft had published a patch for CVE-2021-1675, the PrintNightmare vulnerability remained unpatched until July. The PoC was quickly removed, but not before it had been copied multiple times.\n\nCVE-2021-1675 is a [privilege elevation](<https://encyclopedia.kaspersky.com/glossary/privilege-escalation/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) vulnerability, allowing an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. However, that is only possible if the attacker already has direct access to the vulnerable computer in question.\n\nCVE-2021-34527 is significantly more dangerous because it is a [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RCE) vulnerability, which means it allows remote injection of DLLs.\n\nYou can find a more detailed technical description of both vulnerabilities [here](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>).\n\n### Grandoreiro and Melcoz arrests\n\nIn July, the Spanish Ministry of the Interior [announced](<http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853>) the arrest of 16 people connected to the [Grandoreiro and Melcoz (aka Mekotio) cybercrime groups](<https://securelist.com/arrests-of-members-of-tetrade-seed-groups-grandoreiro-and-melcoz/103366/>). Both groups are originally from Brazil and form part of the [Tetrade umbrella](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), operating for a few years now in Latin America and Western Europe.\n\nThe Grandoreiro banking Trojan malware family initially started its operations in Brazil and then expanded its operations to other Latin American countries and then to Western Europe. The group has regularly improved its techniques; and, based on our analysis of the group&#x27;s campaigns, it operates as a [malware-as-a-service (MaaS)](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) project. Our telemetry shows that, since January 2020, Grandoreiro has mainly attacked victims in Brazil, Mexico, Spain, Portugal and Turkey.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175031/tetrade_arrest_01.png>)\n\nMelcoz had been active in Brazil since at least 2018, before expanding overseas. We observed the group attacking assets in Chile in 2018 and, more recently, in Mexico: it&#x27;s likely that there are victims in other countries too, as some of the targeted banks have international operations. As a rule, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. The malware steals passwords from browsers and from the device&#x27;s memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module. Our telemetry confirms that, since January 2020, Melcoz has been actively targeting Brazil, Chile and Spain, among other countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175038/tetrade_arrest_02.png>)\n\nSince both malware families are from Brazil, the individuals arrested in Spain are just operators. So, it&#x27;s likely that the creators of Grandoreiro and Melcoz will continue to develop new malware techniques and recruit new members in their countries of interest.\n\n### Gamers beware\n\nEarlier this year, we discovered an ad in an underground forum for a piece of malware dubbed BloodyStealer by its creators. The malware is designed to steal passwords, cookies, bank card details, browser auto-fill data, device information, screenshots, desktop and client uTorrent files, Bethesda, Epic Games, GOG, Origin, Steam, Telegram, and VimeWorld client sessions and logs.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141037/bloodystealer-and-gaming-accounts-in-darknet-screen-1.png>)\n\n**_The BloodyStealer ad (Source: [https://twitter.com/3xp0rtblog](<https://twitter.com/3xp0rtblog/status/1380087553676697617>))_**\n\nThe authors of the malware, which has hit users in Europe, Latin America and the Asia-Pacific region, have adopted a MaaS distribution model, meaning that anyone can buy it for the modest price of around $10 per month (roughly $40 for a &quot;lifetime license&quot;).\n\nOn top of its theft functions, the malware includes tools to thwart analysis. It sends stolen information as a ZIP archive to the C2 (command-and-control) server, which is protected against DDoS (distributed denial of service) attacks. The cybercriminals use either the (quite basic) control panel or Telegram to obtain the data, including gamer accounts.\n\nBloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Moreover, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically. Using these tools, cybercriminals can collect, and then try to monetize, a huge amount of credentials. All kinds of offers related to gamer accounts can be found on the dark web.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141127/bloodystealer-and-gaming-accounts-in-darknet-screen-2.png>)\n\nSo-called logs are among the most popular. These are databases containing reams of data for logging into accounts. In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey and Canada. The entire archive costs $150 (that&#x27;s about 0.2 cents per record).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141203/bloodystealer-and-gaming-accounts-in-darknet-screen-3.png>)\n\nCybercriminals can also use compromised gaming accounts to launder money, distribute phishing links and conduct other illegal business.\n\nYou can read more about gaming threats, including BloodyStealer, [here](<https://securelist.com/game-related-cyberthreats/103675/>) and [here](<https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/>).\n\n### Triada Trojan in WhatsApp mod\n\nNot everyone is happy with the official WhatsApp app, turning instead to modified WhatsApp clients for features that the WhatsApp developers haven&#x27;t yet implemented in the official version. The creators of these mods often embed ads in them. However, their use of third-party ad modules can provide a mechanism for malicious code to be slipped into the app unnoticed.\n\nThis happened recently with FMWhatsApp, a popular WhatsApp mod. In version 16.80.0 the developers used a third-party ad module that includes the Triada Trojan (detected by Kaspersky&#x27;s mobile antivirus as Trojan.AndroidOS.Triada.ef). This Trojan performs an intermediary function. First, it collects data about the user&#x27;s device, and then, depending on the information, it downloads one of several other Trojans. You can find a description of the functions that these other Trojans perform in [our analysis of the infected FMWhatsApp mod](<https://securelist.com/triada-trojan-in-whatsapp-mod/103679/>).\n\n### Qakbot banking Trojan\n\nQakBot (aka QBot, QuackBot and Pinkslipbot) is a banking Trojan that was first discovered in 2007, and has been continually maintained and developed since then. It is now one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), but it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware in order to maximize revenue from compromised organizations.\n\nThe Trojan also includes the ability to log keystrokes, backdoor functionality, and techniques to evade detection. The latter includes virtual environment detection, regular self-updates and cryptor/packer changes. QakBot also tries to protect itself from being analyzed and debugged by experts and automated tools. Another interesting piece of functionality is the ability to steal emails: these are later used by the attackers to send targeted emails to the victims, with the information obtained used to lure victims into opening those emails.\n\nQakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails are delivered with Microsoft Office documents or password-protected archives with documents attached. The documents contain macros and victims are prompted to open the attachments with claims that they contain important information (e.g., an invoice). In some cases, the emails contain links to web pages distributing malicious documents.\n\nHowever, there is another infection vector that involves a malicious QakBot payload being transferred to the victim&#x27;s machine via other malware on the compromised machine. The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It&#x27;s known that various threat actors perform reconnaissance of target organizations beforehand to decide which infection vector is most suitable.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01145837/Qakbot_technical_analysis_01.png>)\n\nWe analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% \u2013 from 10,493 in the previous year to 17,316 this year.\n\n_Number of users affected by QakBot attacks from January to July in 2020 and 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01155141/01-en-qakbot.png>))_\n\nYou can read our full analysis [here](<https://securelist.com/qakbot-technical-analysis/103931/>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T12:00:36", "type": "securelist", "title": "IT threat evolution Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-40444"], "modified": "2021-11-26T12:00:36", "id": "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "href": "https://securelist.com/it-threat-evolution-q3-2021/104876/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-03T11:50:54", "description": "\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:\n\n * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.\n * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.\n * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.\n * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\n\n## Background\n\nCycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:\n\n * 2013 - indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.\n * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.\n * 2017 - the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.\n * 2018 - attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)\n\n**__Figure 1_: Timeline of Cycldek-attributed attacks._**\n\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\n\n * a legitimate signed application, usually related to an AV product, e.g. QcConsol - McAfee's QuickClean utility, and wsc_proxy.exe, Avast's remediation service.\n * a malicious DLL which is side-loaded by the former application.\n * an encrypted binary which gets decrypted and executed by the DLL.\n\nThe final payload that is run in memory is malware known as NewCore RAT. It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.\n\nIn the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\n\n## Two implants, two clusters\n\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\n\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. Notable characteristics of each cluster's implant are summarized in the table below.\n\n| **BlueCore** | **RedCore** | \n---|---|---|--- \nInitial Infection Vector | RTF documents | Unknown | \nLegitimate AV Utility | QcConcol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) | \nSide-Loaded DLL | QcLite.dll | wsc.dll | \nPayload Loader | stdole.tlb - contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm -contains PE loading shellcode and and an encrypted RedCore binary | \nInjected Process | dllhst3g.exe | explorer.exe or winlogon.exe | \nConfiguration File | %APPDATA%\\desktop.ini | C:\\Documents and Settings\\All Users\\Documents\\desktop.ini or\n\nC:\\Documents and Settings\\All Users\\Documents\\desktopWOW64.ini | \nMutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6},\n\n{F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB},\n\n{E68DFA68-1132-4A32-ADE2-8C87F282C457},\n\n{728264DE-3701-419B-84A4-2AD86B0C43A3},\n\n{2BCD5B61-288C-44D5-BA0D-AAA00E9D2273},\n\n{D9AE3AB0-D123-4F38-A9BE-898C8D49A214} | \nCommunicated URL Scheme | http://%s:%d/link?url=%s&amp;enpl=%s&amp;encd=%s | http://%s:%d/search.jsp?referer=%s&amp;kw=%s&amp;psid=%s\n\nor\n\nhttp://%s:%d/search.jsp?url=%s&amp;referer=%s&amp;kw=%s&amp;psid=%s | \n \n_**_Table 1_: Comparison of BlueCore and RedCore loader and implant traits.** _\n\nAs demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)\n\n**__Figure_ 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore._**\n\nMoreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implants' raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)\n\n**__Figure 3_: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters._**\n\nHaving said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:\n\n * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes each 10ms to an internal buffer of size 65530. When this buffer is filled, data from it is written to a file named 'RCoRes64.dat'. The data is encoded using a single byte XOR with the key 0xFA.\n * _Device enumerator_: RedCore registers a window class intended to intercept window messages with a callback that checks if the inspected message was sent as a result of a DBT_DEVICEARRIVAL Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap with the currently available logical drives to the C&amp;C.\n * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&amp;C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>) which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware would contact the C&amp;C and inform it about the connection event.\n * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed from a source to it will be validated and passed on to the C&amp;C in their original format.\n\nPerhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon their C&amp;C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&amp;C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)\n\n**__Figure 4_: Difference in URL scheme used by each implant for C2 communication._**\n\nThe conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&amp;Cs, are outlined in the figures below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)\n\n_**_Figure 5_: Volume of downloaded samples from C&amp;Cs of each cluster by country and month, since mid-2018.** _\n\nFurthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both groups. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. All in all, this suggests the entities operating behind those clusters are sharing multiple resources \u2013 both code and infrastructure \u2013 and operating under a single organizational umbrella.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)\n\n_**_Figure 6_: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix.** _\n\n## Info stealing and lateral movement toolset\n\nDuring the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools \u2013 some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.\n\nAs in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.\n\nAs already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common browsers), ProcDump (Sysinternals tools used to dump memory, possibly to obtain passwords from running processes), Nbtscan (command line utility intended to scan IP networks for NetBIOS information) and PsExec (Sysinternals tools used to execute commands remotely in the network, typically used for lateral movement).\n\nThe rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:\n\n * **Custom HDoor: **an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>) that made use of the original tool. \nThe custom version used by Cycldek uses a small subset of the features and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)\n\n_**_Figure 7_: Command line usage of the custom HDoor tool.** _\n\n * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. For this purpose, the sqlite3.dll library is downloaded from the C&amp;C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing stolen cookie info. Entries in the file resemble this one:\n \n \n {\n \"domain\": \".google.com\",\n \"id\": 1,\n \"name\": \"NID\",\n \"path\": \"/\",\n \"value\": \"%VALUE%\"\n }\n\n * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)\n\n**__Figure 8_: Command line usage of the ChromePass tool._**\n\n#### \n\n## Formerly Unreported Malware: USBCulprit\n\nOne of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulrpit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.\n\nDuring the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated to samples detected after 2017 is the capability to execute files with a given name from a connected USB. This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.\n\nAnother change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.\n\nThis loading scheme demonstrates that the actor behind it makes use of similar TTPs seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro) forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)\n\n**__Figure 9_: USBCulprit's loading flow, as observed in samples after 2017._**\n\nOnce USBCulprit is loaded to memory and executed, it operates in three phases:\n\n * **Boostrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and verify that hidden files are not shown to the user. It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware.Additionally, the malware makes a single scan to collect files it intends to steal using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with either one of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that enlists all targeted paths for theft within a directory, such that every checked directory has a corresponding list file.\n\nThe chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.\n\nIt is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to have a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000' corresponding to 01/06/2016 00:00:00.\n\n * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection is completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.\n\nWhen a USB is connected, the malware will verify if stolen data should be exfiltrated to it or it already contains existing data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' will be searched in the drive and if not found, will be created. This directory will be used as the target path for copying files to the drive or source path for obtaining them from it.\n\nTo understand which direction of file copy should take place, a special marker file named '1.txt' is searched locally. If it exists, the malware would expect to find the aforementioned '$Recyc1e.Bin' directory in the drive with previously stolen document archives and attempt to copy it to the disk. Otherwise, the local archive files will be copied to the same directory from the disk to the drive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)\n\n**__Figure 10_: USBCulprit's check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or from it._**\n\n * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' will be checked locally to decide if lateral movement should be conducted or not. Only if this file exists, will the malware's binary be copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler.Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files in the USB and executing them. Examples for these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}.Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess that they are used as extension modules or updated versions of the malware itself based on their behavior. The former is an archive that is extracted to a specific directory that has its files enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.\n\nThe characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)\n\n**__Figure 11_: Commands used to profile the network connectivity of the compromised host._**\n\nAnother explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that the malware seeks as executable extensions and could not be found as artifacts elsewhere in our investigation, point to a human factor being required to assist deployment of the malware in victim networks.\n\n## Conclusion\n\nCycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\n\nFurthermore, our analysis of the implants affiliated to the group give an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. Perhaps it's worth noting that we noted multiple points where such entities didn't work in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already infected with RedCore.\n\nLastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased \u2013 it has merely evolved and changed shape, in terms of malware and actors. We continue to track the actor and report on its activity in our Threat Intelligence Portal.\n\nFor more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n### Appendix - IOCs\n\n_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.\n\n**RedCore**:\n\nA6C751D945CFE84C918E88DF04D85798 - wsc.dll (side-loaded DLL) \n4B785345161D288D1652C1B2D5CEADA1 - msgsm64.acm (encrypted shellcode and implant)\n\n**BlueCore**:\n\n1B19175C41B9A9881B23B4382CC5935F - QcLite.dll (side-loaded DLL) \n6D2E6A61EEDE06FA9D633CE151208831 - QcLite.dll (side-loaded DLL) \n6EA33305B5F0F703F569B9EBD6035BFD - QcLite.dll (side-loaded DLL) \n600E14E4B0035C6F0C6A344D87B6C27F- stdole.tlb (encrypted Shellcode and Implant)\n\n**Lateral Movement and Info-Stealing Toolset:**\n\n1640EE7A414DFF996AF8265E0947DE36 Chromepass \n1EA07468EBDFD3D9EEC59AC57A490701 Chromepass \n07EE1B99660C8CD5207E128F44AA8CBC JsonCookies \n809196A64CA4A32860D28760267A1A8B Custom HDoor \n81660985276CF9B6D979753B6E581D34 Custom HDoor \nA44804C2767DCCD4902AAE30C36E62C0 Custom HDoor\n\n \n\n**USBCulprit: **\n\nA9BCF983FE868A275F8D9D8F5DEFACF5 USBCulprit Loader \nC73B000313DCD2289F51B367F744DCD8 USBCulprit Loader \n2FB731903BD12FF61E6F778FDF9926EE USBCulprit Loader \n4A21F9B508DB19398AEE7FE4AE0AC380 USBCulprit Loader \n6BE1362D722BA4224979DE91A2CD6242 USBCulprit Loader \n7789055B0836A905D9AA68B1D4A50F09 USBCulprit Loader \n782FF651F34C87448E4503B5444B6164 USBCulprit Loader \n88CDD3CE6E5BAA49DC69DA664EDEE5C1 USBCulprit Loader \nA4AD564F8FE80E2EE52E643E449C487D USBCulprit Loader \n3CA7BD71B30007FC30717290BB437152 USBCulprit Payload \n58FE8DB0F7AE505346F6E4687D0AE233 USBCulprit Payload \nA02E2796E0BE9D84EE0D4B205673EC20 USBCulprit Payload \nD8DB9D6585D558BA2D28C33C6FC61874 USBCulprit Payload \n2E522CE8104C0693288C997604AE0096 USBCulrprit Payload\n\n \n\n**Toolset overlapping in both clusters:**\n\n**Common Name ** | **MD5** | **Blue Cluster Domain** | **Red Cluster Domain** | **Description** \n---|---|---|---|--- \nchromepass.exe | 1EA07468EBDFD3D9EEC59AC57A490701 | http://login.vietnamfar.com:8080\n\n | http://news.trungtamwtoa.com:88 | ChromePass \ngoopdate.dll | D8DB9D6585D558BA2D28C33C6FC61874 | http://cophieu.dcsvnqvmn.com:8080 | http://mychau.dongnain.com:443\n\nhttp://hcm.vietbaonam.com:443 | USBCulprit \n2E522CE8104C0693288C997604AE0096 | http://nghiencuu.onetotechnologys.com:8080\n\nttp://tinmoi.thoitietdulich.com:443\n\nhttp://tinmoi.thoitietdulich.com:53 | http://tinmoi.vieclamthemde.com:53\n\nhttp://tinmoi.vieclamthemde.com | USBCulprit \nqclite.dll | 7FF0AF890B00DEACBF42B025DDEE8402 | http://web.hcmuafgh.com | http://tinmoi.vieclamthemde.com\n\nhttp://tintuc.daikynguyen21.com | BlueCore Loading Hijacked DLL \nsilverlightmsi.dat | A44804C2767DCCD4902AAE30C36E62C0 | http://web.laovoanew.com:443\n\nhttp://cdn.laokpl.com:8080 | http://login.dangquanwatch.com:53\n\nhttp://info.coreders.com:8080 | Custom HDoor \n \n \n\n**C&amp;Cs and Dropzones**:\n\nhttp://web.laovoanew[.]com - Red Cluster\n\nhttp://tinmoi.vieclamthemde[.]com - Red Cluster\n\nhttp://kinhte.chototem[.]com - Red Cluster\n\nhttp://news.trungtamwtoa[.]com - Red Cluster\n\nhttp://mychau.dongnain[.]com - Red Cluster\n\nhttp://hcm.vietbaonam[.]com - Red Cluster\n\nhttp://login.thanhnienthegioi[.]com - Red Cluster\n\nhttp://103.253.25.73 - Red Cluster\n\nhttp://luan.conglyan[.]com - Red Cluster\n\nhttp://toiyeuvn.dongaruou[.]com - Red Cluster\n\nhttp://tintuc.daikynguyen21[.]com - Red Cluster\n\nhttp://web.laomoodwin[.]com - Red Cluster\n\nhttp://login.giaoxuchuson[.]com - Red Cluster\n\nhttp://lat.conglyan[.]com - Red Cluster\n\nhttp://thegioi.kinhtevanhoa[.]com - Red Cluster\n\nhttp://laovoanew[.]com - Red Cluster\n\nhttp://cdn.laokpl[.]com - Red Cluster\n\nhttp://login.dangquanwatch[.]com - Blue Cluster\n\nhttp://info.coreders[.]com - Blue Cluster\n\nhttp://thanhnien.vietnannnet[.]com - Blue Cluster\n\nhttp://login.diendanlichsu[.]com - Blue Cluster\n\nhttp://login.vietnamfar[.]com - Blue Cluster\n\nhttp://cophieu.dcsvnqvmn[.]com - Blue Cluster\n\nhttp://nghiencuu.onetotechnologys[.]com - Blue Cluster\n\nhttp://tinmoi.thoitietdulich[.]com - Blue Cluster\n\nhttp://khinhte.chinhsech[.]com - Blue Cluster\n\nhttp://images.webprogobest[.]com - Blue Cluster\n\nhttp://web.hcmuafgh[.]com - Blue Cluster\n\nhttp://news.cooodkord[.]com - Blue Cluster\n\nhttp://24h.tinthethaoi[.]com - Blue Cluster\n\nhttp://quocphong.ministop14[.]com - Blue Cluster\n\nhttp://nhantai.xmeyeugh[.]com - Blue Cluster\n\nhttp://thoitiet.yrindovn[.]com - Blue Cluster\n\nhttp://hanghoa.trenduang[.]com - Blue Cluster", "cvss3": {}, "published": "2020-06-03T10:00:32", "type": "securelist", "title": "Cycldek: Bridging the (air) gap", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "modified": "2020-06-03T10:00:32", "id": "SECURELIST:833C831E498502BB46DD03F0C6F4D597", "href": "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-29T10:36:40", "description": "\n\n## Targeted attacks and malware campaigns\n\n### Mobile espionage targeting the Middle East\n\nAt the end of June we reported the details of a highly targeted campaign that we dubbed 'Operation ViceLeaker' involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our [Threat Intelligence Portal](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built an open-source legitimate 'Conversations' messenger that included the malicious code. You can read more about Operation ViceLeaker [here](<https://securelist.com/fanning-the-flames-viceleaker-operation/90877/>).\n\n### APT33 beefs up its toolset\n\nIn July, we published an update on the 2016-17 activities of [NewsBeef](<https://securelist.com/twas-the-night-before/91599/>) (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with [spear-phishing](<https://encyclopedia.kaspersky.com/glossary/spear-phishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) emails, links sent over social media and standalone private messaging applications, and [watering-hole](<https://encyclopedia.kaspersky.com/glossary/watering-hole/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year \u2013 tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our [private intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>) receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.\n\n### New FinSpy iOS and Android implants found in the wild\n\nWe recently reported on the [latest versions of FinSpy for Android and iOS](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>). Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn't provide infection exploits for its customers and so can only be installed on [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) devices \u2013 suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.\n\n### Turla revamps its toolset\n\nTurla (aka Venomous Bear, Uroboros and Waterbug), a high profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new.NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The two KopiLuwak analogues \u2013 the.NET RocketMan Trojan and the PowerShell MiamiBeach Trojan \u2013 are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more [here](<https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/>).\n\n### CloudAtlas uses new infection chain\n\n[Cloud Atlas](<https://securelist.com/recent-cloud-atlas-activity/92016/>) (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. Cloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor's Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates \u2013 whitelisted per victim \u2013 hosted on remote servers. Previously, Cloud Atlas dropped its 'validator' implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.\n\n### Dtrack banking malware discovered\n\nIn summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers \u2013 we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack [memory dumps](<https://encyclopedia.kaspersky.com/glossary/dump/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the [DarkSeoul campaign](<https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/>), dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. Our telemetry indicates that the latest DTrack activity was detected in the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group's arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack [here](<https://securelist.com/my-name-is-dtrack/93338/>).\n\n## Other security news\n\n### Sodin ransomware attacks MSP\n\nIn April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least, because of the way it spread. The Trojan [exploited the CVE-2019-2725 vulnerability](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June, a similar vulnerability was discovered \u2013 CVE-2019-2729. Sodin also carried out [attacks on MSPs](<https://www.darkreading.com/attacks-breaches/attackers-exploit-msps-tools-to-distribute-ransomware/d/d-id/1335025>). In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, [the attackers penetrated MSP infrastructure using an RDP connection](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), elevated privileges, deactivated security solutions and backups and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn't require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.\n\nRansomware continues to be a major headache for consumers and businesses alike. Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the [Yatron and FortuneCrypt malware](<https://securelist.com/ransomware-two-pieces-of-good-news/93355/>). If you ever face a situation where a ransomware Trojan has encrypted your data, and you don't have a backup, it's always worth checking the [No More Ransom](<https://www.nomoreransom.org/>) site, to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs [here](<https://support.kaspersky.com/viruses/disinfection/10556>) and [here](<https://www.nomoreransom.org/en/decryption-tools.html>).\n\n### The impact of web mining\n\n[Malicious miners](<https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/>) are programs designed to hijack the victim's CPU in order to mine crypto-currencies. The business model is simple: infect the computer, use the processing power of their [CPU](<https://en.wikipedia.org/wiki/Central_processing_unit>) or [GPU](<https://en.wikipedia.org/wiki/Graphics_processing_unit>) to generate coins and earn real-world money through legal exchanges and transactions. It's not obvious to the victim that they are infected \u2013 most people seldom use most of their computer's processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there's also another model \u2013 using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have? We recently tried to quantify the economic and environmental impact of web miners; and thereby evaluate the positive benefit of protecting against mining.\n\nThe total power saving can be calculated using the formula \u00b7N, where is the average value of the increase in power consumption of the victim's device during the web mining process, and N is the number of blocked attempts according to KSN ([Kaspersky Security Network](<https://www.kaspersky.com/ksn>)) data for 2018. This figure is equal to 18.8\u00b111.8 gigawatts (GW) \u2013 twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula '\u00b7N\u00b7t', where 't' is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to \u20ac250,000 for residents in Europe.\n\nYou can read our report [here](<https://securelist.com/electricity-and-mining/93292/>).\n\n### Mac OS threat landscape\n\nSome people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so have the number of threats targeting them.\n\nOur database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS. From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; and in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category \u2013 these threats are easier to create, offering a better return on investment for cybercriminals.\n\nThe number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years \u2013 by around 30-40% each year. In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million \u2013 already an increase of 9% over the previous year.\n\nYou can read our report on the current Mac OS threat landscape [here](<https://securelist.com/threats-to-macos-users/93116/>).\n\n### Smart home vulnerabilities\n\nOne of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the [Kaspersky ICS CERT](<https://ics-cert.kaspersky.com/>) team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house. They also discarded the idea of exploiting the programming language interpreter \u2013 the Fibaro hub used the patched version.\n\nOur researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. Among other things, this backup contains a database file with a lot of personal information, including the house's location, geo-location data from the owner's smartphone, the email address used to register with Fibaro, information about smart devices in the owner's home and even the owner's password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story [here](<https://securelist.com/fibaro-smart-home/91416/>).\n\n### Security of smart buildings\n\nThis quarter we also looked at the [security of automation systems in buildings](<https://securelist.com/smart-buildings-threats/93322/>) \u2013 sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled. We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.\n\nMost of the blocked threats were neither targeted, nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building's automation system.\n\n### Smart cars and connected devices\n\nKaspersky has investigated smart car security several times in recent years ([here](<https://securelist.com/mobile-apps-and-stealing-a-connected-car/77576/>) and [here](<https://securelist.com/a-study-of-car-sharing-apps/86948/>)), revealing a number of security issues. As vehicles become smarter and more connected they are also becoming more exposed. However, this doesn't just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience \u2013 from car scanners to tuning gadgets. In a recent report, [we reviewed a number of automotive connected devices](<https://securelist.com/on-the-iot-road/91833/>) and reviewed their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.\n\nWe found the security of these devices more or less adequate, leaving aside minor issues. This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It's also due to the vigilance of vendors. However, as we move towards a more and more connected future, it's important to remember that the smarter an object is the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim's car or spy on an entire car fleet.\n\nWe continue to develop [KasperskyOS](<https://os.kaspersky.com/2019/05/20/kasperskyos-an-immune-based-approach-to-information-system-security/>), to help customers secure connected systems \u2013 including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.\n\nIf you're considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it's possible to apply security updates to it. Don't automatically buy the most recently released product, since it might contain a security flaw that hasn't yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the 'mobile dimension' of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.\n\n### Personal data theft\n\nWe've become used to a steady stream of reports in the news about data breaches. Recent examples include the [theft of 23,205,290 email addresses](<https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/#625d70cf407e>) together with passwords weakly stored as base64 SHA-1 encoded hashes from CafePress. Worryingly, the hack was reported by [Have I Been Pwned](<https://haveibeenpwned.com>) \u2013 CafePress didn't notify its customers until some months after the breach had occurred.\n\nIn August, two Israeli [researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>). The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.\n\n[Facebook has faced criticism on several occasions for failing to handle customers' data properly](<https://www.kaspersky.com/blog/facebook-10-fails/26980/>). In the latest of a long list of incidents, hundreds of millions of [phone numbers linked to Facebook accounts were found online](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/?guccounter=1>) on a server that wasn't protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.\n\nOn September 12, mobile gaming company [Zynga reported that some player account data may have been accessed illegally by 'outside hackers'](<https://www.scmagazine.com/home/security-news/the-word-is-out-zynga-was-breached/>). Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of _Words With Friends_, as well as data from _Draw Something_ and the discontinued game _OMGPOP_, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it's worrying that passwords were stored in cleartext.\n\nConsumers have no direct control over the security of the personal data they disclose to online providers. However, we can limit the damage of a security breach at an online provider by ensuring that they create passwords that are unique and hard to guess, or use a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.\n\nIt's also worth bearing in mind that hacking the server of an online provider isn't the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer's computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers [here](<https://securelist.com/how-to-steal-a-million-of-your-data/91855/>).", "cvss3": {}, "published": "2019-11-29T10:00:12", "type": "securelist", "title": "IT threat evolution Q3 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802", "CVE-2019-2725", "CVE-2019-2729"], "modified": "2019-11-29T10:00:12", "id": "SECURELIST:967D8B65D5D554FFB5B46411F654A78A", "href": "https://securelist.com/it-threat-evolution-q3-2019/95268/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello everyone! Let&#x27;s now talk about Microsoft Patch Tuesday vulnerabilities for the second quarter of 2021. April, May and June. Not the most exciting topic, I agree. I am surprised that someone is reading or watching this. For me personally, this is a kind of tradition. Plus this is an opportunity to try Vulristics in action and find possible problems. It is also interesting to see what VM vendors considered critical back then and what actually became critical. I will try to keep this video short.\n\nFirst of all, let&#x27;s take a look at the vulnerabilities from the April Patch Tuesday. 108 vulnerabilities, 55 of them are RCEs. Half of these RCEs (27) are weird RPC vulnerabilities. &quot;Researcher who reported these bugs certainly found quite the attack surface&quot;. The most critical vulnerability is RCE in Exchange (CVE-2021-28480). This is not ProxyLogon, this is another vulnerability. ProxyLogon was in March. And this vulnerability is simply related to ProxyLogon, so it is believed that it is exploited in the wild as well. In the second place this Win32k Elevation of Privilege (CVE-2021-28310). It is clearly mentioned in several sources as being used in real attacks. &quot;Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system&quot;. And the only vulnerability with a public exploit is the Azure DevOps Server Spoofing (CVE-2021-28459). Previously known as Team Foundation Server (\u200bTFS), Azure DevOps Server is a set of collaborative software development tools. It is hosted on-premises. Therefore, this vulnerability can be useful for attackers.\n\nLet&#x27;s take a look at May. A very small Patch Tuesday. There are only 55 vulnerabilities. Vendors mainly wrote about HTTP Protocol Stack Remote Code Execution Vulnerability. But no catastrophe happened. &quot;tenable: On May 16, security researcher 0vercl0k published PoC code to github for CVE-2021-31166. Based on our analysis, this exploit could only result in a denial of service (DoS) condition&quot;. VM vendors also wrote a lot about Hyper-V Remote Code Execution Vulnerability. But there was no real exploitation there either. But a real exploit appeared for Remote Code Execution in Microsoft SharePoint (CVE-2021-31181). And exploitation in the wild was mentioned for Windows Container Manager Service (CVE-2021-31167), which no VM vendor mentioned at all. But the exploitation was &quot;Personally observed in an environment&quot;, so this may not be accurate. Also take a look at Memory Corruption in Microsoft Scripting Engine (CVE-2021-26419) with a public exploit and Information Disclosure in Windows Wireless Networking (CVE-2020-24587) with a sign of exploitation in the wild (but this also may not be accurate).\n\nAnd finally June. There are even fewer vulnerabilities, only 49. But there are a lot of them with a sign of exploitation in the wild. And this information is directly from Microsoft. Windows MSHTML Platform Remote Code Execution (CVE-2021-33742). Elevations of Privilege in Windows NTFS (CVE-2021-31956), Microsoft Enhanced Cryptographic Provider (CVE-2021-31199, CVE-2021-31201), Microsoft DWM Core Library (CVE-2021-33739). Windows Kernel Information Disclosure (CVE-2021-31955). Much more than usual. VM vendors have written the most about EoP in Windows NTFS (CVE-2021-31956). Do you know what vulnerability they didn&#x27;t highlight at all? Elevations of Privilege and later Remote Code Execution in Windows Print Spooler (CVE-2021-1675). The one that started the PrintNightmare story. Very ironic. Also pay attention to Spoofing in Microsoft SharePoint (CVE-2021-31950) for which there is a public Server-Side Request Forgery exploit. VM vendors also did not write anything about this vulnerability in their reviews.\n\nFull Vulristics reports:\n\n * [ms_patch_tuesday_april2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_may2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_may2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_june2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_june2021_report_avleonov_comments.html>)\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-10T00:14:59", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24587", "CVE-2021-1675", "CVE-2021-26419", "CVE-2021-28310", "CVE-2021-28459", "CVE-2021-28480", "CVE-2021-31166", "CVE-2021-31167", "CVE-2021-31181", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31950", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-07-10T00:14:59", "id": "AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE", "href": "http://feedproxy.google.com/~r/avleonov/~3/zKo35MmSBcA/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-03-09T15:18:57", "description": "The version of Apple iOS running on the mobile device is prior to 12.5.3. It is, therefore, affected by multiple vulnerabilities including the following: \n\n - A use after free issue was addressed with improved memory management (CVE-2021-30661).\n\n - An integer overflow was addressed with improved input validation (CVE-2021-30663).\n\n - A buffer overflow issue was addressed with improved memory handling (CVE-2021-30666).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-07T00:00:00", "type": "nessus", "title": "Apple iOS < 12.5.3 Multiple Vulnerabilities (HT212341)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:apple:iphone_os"], "id": "APPLE_IOS_1253_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/149331", "sourceData": "Binary data apple_ios_1253_check.nbin", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-09T15:18:02", "description": "The version of Apple iOS running on the mobile device is prior to 14.5.1. It is, therefore, affected by multiple vulnerabilities.\n\n - Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved state management. (CVE-2021-30665)\n\n - Processing maliciously crafted web content may lead to arbitrary code execution. An integer overflow was addressed with improved input validation. (CVE-2021-30663)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-07T00:00:00", "type": "nessus", "title": "Apple iOS < 14.5.1 Multiple Vulnerabilities (HT212336)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30663", "CVE-2021-30665"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:apple:iphone_os"], "id": "APPLE_IOS_1451_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/149353", "sourceData": "Binary data apple_ios_1451_check.nbin", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-16T14:28:25", "description": "The remote Windows host is missing security update 5003695. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003695: Windows Server 2008 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31962", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003695.NASL", "href": "https://www.tenable.com/plugins/nessus/150357", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150357);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31962\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003661\");\n script_xref(name:\"MSKB\", value:\"5003695\");\n script_xref(name:\"MSFT\", value:\"MS21-5003661\");\n script_xref(name:\"MSFT\", value:\"MS21-5003695\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n script_name(english:\"KB5003695: Windows Server 2008 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003695. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003661\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003695\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003695',\n '5003661'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003695, 5003661])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T14:28:10", "description": "The remote Windows host is missing security update 5003694. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003694: Windows 7 and Windows Server 2008 R2 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003694.NASL", "href": "https://www.tenable.com/plugins/nessus/150368", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150368);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003667\");\n script_xref(name:\"MSKB\", value:\"5003694\");\n script_xref(name:\"MSFT\", value:\"MS21-5003667\");\n script_xref(name:\"MSFT\", value:\"MS21-5003694\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n script_name(english:\"KB5003694: Windows 7 and Windows Server 2008 R2 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003694. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003667\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003694\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003694',\n '5003667'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003694, 5003667])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:27", "description": "The version of Google Chrome installed on the remote host is prior to 91.0.4472.114. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_06_stable-channel-update-for-desktop_17 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-17T00:00:00", "type": "nessus", "title": "Google Chrome < 91.0.4472.114 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30554"], "modified": "2021-06-17T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "701349.PASL", "href": "https://www.tenable.com/plugins/nnm/701349", "sourceData": "Binary data 701349.pasl", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-16T14:28:24", "description": "The remote Windows host is missing security update 5003697. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, &