Viruses and Worms
An attorney says she saw her library reading habits reflected in mobile ads. That's not supposed to happen
Feature In April, attorney Christine Dudley was listening to a book on her iPhone while playing a game on her Android tablet when she started to see in-game ads that reflected the audiobooks she recently checked out of the San Francisco Public Library.…
Gawd, after that week, we wonder what's next for China and the Western world
Kettle It's been a fairly troubling week in terms of the relationship between China and the Western world.…
How two brothers allegedly swiped $25M in a 12-second Ethereum heist
The US Department of Justice has booked two brothers on allegations that they exploited open source software used in the Ethereum blockchain world to bag $25 million (£20 million).…
Aussie cops probe MediSecure's 'large-scale ransomware data breach'
Australian prescriptions provider MediSecure is the latest healthcare org to fall victim to a ransomware attack, with crooks apparently stealing patients' personal and health data.…
Three cuffed for 'helping North Koreans' secure remote IT jobs in America
Three individuals accused of helping North Korea fund its weapons programs using US money are now in handcuffs.…
First LockBit, now BreachForums: Are cops winning the war or just a few battles?
Interview On Wednesday the FBI and international cops celebrated yet another cybercrime takedown – of ransomware brokerage site BreachForums – just a week after doxing and imposing sanctions on the LockBit ransomware crew's kingpin, and two months after compromising the gang's website.…
Crims abusing Microsoft Quick Assist to deploy Black Basta ransomware
A cybercrime gang has been abusing Microsoft's Quick Assist application in social engineering attacks that ultimately allow the crew to infect victims with Black Basta ransomware.…
EU probes Meta over its provisions for protecting children
The European Commission has opened formal proceedings to assess whether Meta, the provider of Facebook and Instagram, may have breached the Digital Services Act (DSA) in areas linked to the protection of minors.…
Stifling Beijing in cyberspace is now British intelligence’s number-one mission
CyberUK Regular attendees of CYBERUK, the annual conference hosted by British intelligence unit the National Cyber Security Centre (NCSC), will know that in addition to the expected conference panels, there is usually an interwoven theme to proceedings.…
NCSC CTO: Broken market must be fixed to usher in new tech
CYBERUK National Cyber Security Centre (NCSC) CTO Ollie Whitehouse kicked off day two of Britain's cyber watchdog's annual shindig, CYBERUK, with a tirade about the tech market, pulling it apart to demonstrate why he believes it's at fault for many of the security problems the industry is facing today. …
FBI takes down BreachForums ransomware website and Telegram channel
The FBI, in combination with police around the world, have taken control of the website and Telegram channel of ransomware brokerage site BreachForums.…
Crook brags about US Army and $75B defense biz pwnage
An extortionist claims to have stolen files from the US Army Aviation and Missile Command in August 2023, and now claims they are selling access to a $75 billion aerospace and defense company.…
Improving cyber defense with open source SIEM and XDR
Partner Content A cyber defense strategy outlines policies, procedures, and technologies to prevent, detect, and respond to cyber attacks. This helps avoid financial loss, reputational damage, and legal repercussions.…
Microsoft fixes a bug abused in QakBot attacks plus a second under exploit
Happy May Patch Tuesday. We've got a lot of vendors joining this month's patchapalooza, which includes a handful of bugs that have been exploited — either in the wild or at Pwn2Own — and now fixed by Microsoft, Apple, Google and VMware.…
FCC names and shames Royal Tiger AI robocall crew
The US Federal Communications Commission has named its first robocall gang, dubbing the crew "Royal Tiger," and detailed its operations in an attempt to encourage international action against the scammers.…
QakBot attacks with Windows zero-day (CVE-2024-30051)
In early April 2024, we decided to take a closer look at the Windows DWM Core Library Elevation of Privilege Vulnerability CVE-2023-36033, which was previously discovered as a zero-day exploited in the wild. While searching for samples related to this exploit and attacks that used it, we found a curious document uploaded to VirusTotal on April 1, 2024. This document caught our attention because it had a rather descriptive file name, which indicated that it contained information about a vulnerability in Windows OS. Inside we found a brief description of a Windows Desktop Window Manager (DWM) vulnerability and how it could be exploited to gain system privileges, everything written in very broken English. The exploitation process described in this document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033, but the vulnerability was different. Judging by the quality of the writing and the fact that the document was missing some important details about how to actually trigger the vulnerability, there was a high chance that the described vulnerability was completely made up or was present in code that could not be accessed or controlled by attackers. But we still decided to investigate it, and a quick check showed that this is a real zero-day vulnerability that can be used to escalate privileges. We promptly reported our findings to Microsoft, the vulnerability was designated CVE-2024-30051, and a patch was released on May 14, 2024, as part of Patch Tuesday.
After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it.
We are going to publish technical details about CVE-2024-30051 once users have had time to update their Windows systems.
Kaspersky products detect the exploitation of CVE-2024-30051 and related malware with the verdicts:
- PDM:Exploit.Win32.Generic;
- PDM:Trojan.Win32.Generic;
- UDS:DangerousObject.Multi.Generic;
- Trojan.Win32.Agent.gen;
- Trojan.Win32.CobaltStrike.gen.
Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches.
Cybersec chiefs team up with insurers to say 'no' to ransomware bullies
The latest effort to reduce the number of ransom payments sent to cybercriminals in the UK involves the country's National Cyber Security Centre (NCSC) locking arms with insurance associations.…
Telegram CEO calls out rival Signal, claiming it has ties to US government
Telegram CEO Pavel Durov issued a scathing criticism of Signal, alleging the messaging service is not secure and has ties to US intelligence agencies.…
Google, Apple gear to raise tracking tag stalker alarm
Google and Apple are rolling out an anti-stalking feature for Android 6.0+ and iOS 17.5 that will issue an alert if some scumbag is using a gadget like an AirTag or similar to clandestinely track the user.…
Incident response analyst report 2023
As an information security company, our services include incident response and investigation, and malware analysis. Our customer base spans Russia, Europe, Asia, South and North America, Africa and the Middle East. Our annual Incident Response Report presents anonymized statistics on the cyberattacks we investigated in 2023. All data is derived from working with organizations that requested our expertise in carrying out incident response (IR) or assisting their in-house expert team.
Distribution of incidents by region and industry
The geography of the service has changed somewhat of late, with the share of requests in Russia and the CIS (47.27%) continuing to rise. At the same time, 2023 is notable for the significant increase in the number of IR requests in the second-place Americas region (21.82%).
Looking at the distribution of incidents by industry, we see that in 2023 the majority of requests came from government agencies (27.89%) and industrial enterprises (17.01%).
2023 trends: ransomware and supply chain attacks
In 2023, ransomware remained the most prevalent threat, despite a drop in share to 33.3%, down from 39.8% in 2022. Ransomware targeted organizations indiscriminately, regardless of industry. The most common families we came across in our investigations were LockBit (27.78%), BlackCat (12.96%), Phobos (9.26%) and Zeppelin (9.26%).
Another important trend we observed in 2023 was the significant rise in the number of attacks through trusted relationships with contractors and service providers. This attack vector was among the three most frequently seen in 2023. This is not surprising, for it allows threat actors to carry out large-scale attacks with a great deal more efficiency than if they targeted each victim individually. For many organizations such attacks can be devastating, and detecting them takes a lot longer because the attackers’ actions can be hard to distinguish from those of employees working for a contractor.
Report contents
The full report covers:
- IR statistics: what events prompted organizations to request IR services, at what stages attacks were detected, how long it took on average to respond to them;
- Common tactics, techniques and procedures employed by threat actors at different stages of attack development;
- Legitimate tools used in attacks, with examples of their use in real-world incidents;
- Vulnerabilities most often exploited by threat actors.
To reduce the risk of a successful cyberattack on your organization, or minimize the damage if attackers do penetrate your infrastructure, we recommend:
- Enforcing a strict password policy and protecting key resources with multi-factor authentication;
- Closing remote management ports to outside access;
- Promptly updating software and deploying additional security measures for services at the network perimeter;
- Cybersecurity awareness training and related activities for employees;
- Restricting the use of legitimate tools that may be utilized for attacks on the corporate network, and creating rules for detecting such tools;
- Conducting regular cyber drills focused on common attacker techniques;
- Backing up data on a regular basis;
- Protecting endpoints with EDR solutions;
- Subscribing to an IR service guaranteed under an SLA.
Read the full 2023 Incident Response Report (PDF).