Security-Portal.cz je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.

Kategorie

Zoom for Mac patches get-root bug – update now!

Sophos Naked Security - 2 hodiny 8 min zpět
There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...

Credential Theft Is (Still) A Top Attack Method

The Hacker News - 2 hodiny 9 min zpět
Credential theft is clearly still a problem. Even after years of warnings, changing password requirements, and multiple forms of authentication, password stealing remains a top attack method used by cyber criminals. The latest report from the Ponemon Institute shares that 54% of security incidents were caused by credential theft, followed by ransomware and DDoS attacks. 59% of organizations The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.com
Kategorie: Hacking & Security

Black Hat and DEF CON Roundup

Threatpost - 4 hodiny 38 min zpět
‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.
Kategorie: Hacking & Security

Businesses Should Dump Windows for the Linux Desktop

LinuxSecurity.com - 5 hodin 26 min zpět
It makes perfect sense for enterprises as well as enthusiasts. Just ask GitLab
Kategorie: Hacking & Security

PyPI Package Installs Cryptominer on Linux Systems

LinuxSecurity.com - 5 hodin 38 min zpět
A malicious PyPI package was used to install a Monero cryptominer on Linux systems.
Kategorie: Hacking & Security

Vydávají se za exekutory, důvěřivce připraví o peníze

Novinky.cz - bezpečnost - 6 hodin 35 sek zpět
Exekutorská komora varovala před novým phishingovým podvodem, ve kterém se útočníci vydávají za exekutory. Využívají přitom i falešné webové stránky komory, jejichž prostřednictvím se snaží důvěřivce připravit o peníze.
Kategorie: Hacking & Security

IT threat evolution in Q2 2022. Mobile statistics

Kaspersky Securelist - 6 hodin 34 min zpět

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2022:

  • 5,520,908 mobile malware, adware and riskware attacks were blocked.
  • The most common threat to mobile devices was adware: 25.28% of all threats detected.
  • 405,684 malicious installation packages were detected, of which:
    • 55,614 packages were related to mobile banking Trojans;
    • 3,821 packages were mobile ransomware Trojans.
Quarterly highlights

In the second quarter of 2022, cybercriminal activity continued to decline — if the number of attacks on mobile devices is any indication.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q2 2022 (download)

As in the previous quarter, fraudulent apps occupied seven out of twenty leading positions in the malware rankings. That said, the total number of attacks by these apps started to decrease.

Interestingly enough, some fraudulent app creators were targeting users from several countries at once. For instance, J-Lightning Application purported to help users to invest into a Polish oil refinery, a Russian energy company, a Chinese cryptocurrency exchange and an American investment fund.

On the contrary, the number of attacks by the RiskTool.AndroidOS.SpyLoan riskware family (loan apps that request access to users’ text messages, contact list and photos) more than quadrupled from the first quarter. The majority of users whose devices were found to be infected with this riskware were based in Mexico: a third of the total number of those attacked. This was followed by India and Colombia. The ten most-affected countries include Kenya, Brazil, Peru, Pakistan, Nigeria, Uganda and the Philippines.

The second quarter was also noteworthy for Europol taking down the infrastructure of the FluBot mobile botnet, also known as Polph and Cabassous. This aggressively spreading banking Trojan attacked mainly users in Europe and Australia.

Mobile threat statistics

In Q2 2022, Kaspersky detected 405,684 malicious installation packages, a reduction of 110,933 from the previous quarter and a year-on-year decline of 480,421.

Number of detected malicious installation packages, Q2 2021 — Q2 2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 and Q2 2022 (download)

Adware ranked first among all threats detected in Q2 2022 with 25.28%, exceeding the previous quarter’s figure by 8.36 percentage points. A third of all detected threats of that class were objects of the AdWare.AndroidOS.Ewind family (33.21%). This was followed by the AdWare.AndroidOS.Adlo (22.54%) and AdWare.AndroidOS.HiddenAd (8.88%) families.

The previous leader, the RiskTool riskware, moved to second place with 20.81% of all detected threats, a decline of 27.94 p.p. from the previous quarter. More than half (60.16%) of the discovered apps of that type belonged to the Robtes family.

Various Trojans came close behind with 20.49%, a rise of 5.81 p.p. on the previous quarter. The largest contribution was made by objects belonging to the Mobtes (38.75%), Boogr (21.12%) and Agent (18.98%) families.

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %* 1 DangerousObject.Multi.Generic 21.90 2 Trojan-SMS.AndroidOS.Fakeapp.d 10.71 3 Trojan.AndroidOS.Generic 10.55 4 Trojan.AndroidOS.GriftHorse.ah 6.07 5 Trojan-Spy.AndroidOS.Agent.aas 5.40 6 Trojan.AndroidOS.GriftHorse.l 3.43 7 DangerousObject.AndroidOS.GenericML 3.21 8 Trojan-Dropper.AndroidOS.Agent.sl 2.82 9 Trojan.AndroidOS.Fakemoney.d 2.33 10 Trojan.AndroidOS.Fakeapp.ed 1.82 11 Trojan.AndroidOS.Fakeapp.dw 1.68 12 Trojan.AndroidOS.Fakemoney.i 1.62 13 Trojan.AndroidOS.Soceng.f 1.59 14 Trojan-Ransom.AndroidOS.Pigetrl.a 1.59 15 Trojan.AndroidOS.Boogr.gsh 1.56 16 Trojan-Downloader.AndroidOS.Necro.d 1.56 17 Trojan-SMS.AndroidOS.Agent.ado 1.54 18 Trojan-Dropper.AndroidOS.Hqwar.gen 1.54 19 Trojan.AndroidOS.Fakemoney.n 1.52 20 Trojan-Downloader.AndroidOS.Agent.kx 1.45

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

First and third places went to DangerousObject.Multi.Generic (21.90%) and Trojan.AndroidOS.Generic (10.55%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-SMS.AndroidOS.Fakeapp.d rose from third to second place with 10.71%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon.

Members of the Trojan.AndroidOS.GriftHorse family took fourth and sixth places with 6.07% and 3.43%, respectively. This family includes fraudulent apps that purchase paid subscriptions on the user’s behalf.

Trojan-Spy.AndroidOS.Agent.aas (5.40%), an evil twin of WhatsApp with a spy module built in, retained fifth position.

The verdict of DangerousObject.AndroidOS.GenericML (3.21%) came seventh. These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Trojan-Dropper.AndroidOS.Agent.sl (2.82%), a dropper that unpacks and runs a banking Trojan on devices, remained in eighth place. Most of the attacked users were based in Russia or Germany.

Trojan.AndroidOS.Fakemoney.d slid from second to ninth place with 2.33%. Other members of the family occupied twelfth and nineteenth places in the rankings. These are fraudulent apps that offer users to fill out fake welfare applications.

Trojan.AndroidOS.Fakeapp.ed dropped to tenth place from sixth with 1.82%; this verdict covers fraudulent apps purporting to help with investing in gas utilities and mostly targeting Russian users.

Trojan.AndroidOS.Fakeapp.dw dropped from tenth place to eleventh with 1.68%. This verdict is assigned to various scammer apps, for example, those offering to make extra income.

Trojan.AndroidOS.Soceng.f (1.59%) dropped from twelfth to thirteenth place. This Trojan sends text messages to people in your contacts list, deletes files on the user’s SD card, and overlays the interfaces of popular apps with its own window.

Trojan-Ransom.AndroidOS.Pigetrl.a dropped from eleventh to fourteenth place with 1.59%. This malware locks the screen, asking to enter an unlock code. The Trojan provides no instructions on how to obtain this code, which is embedded in the body of the malware.

The verdict of Trojan.AndroidOS.Boogr.gsh occupied fifteenth place with 1.56%. Like DangerousObject.AndroidOS.GenericML, this verdict is produced by a machine learning system.

Trojan-Downloader.AndroidOS.Necro.d (1.56%), designed for downloading and running other malware on infected devices, climbed to sixteenth place from seventeenth.

Trojan-SMS.AndroidOS.Agent.ado dropped from fifteenth to seventeenth place with 1.54%. This malware sends text messages to short codes.

Trojan-Dropper.AndroidOS.Hqwar.gen, which unpacks and runs various banking Trojans on a device, kept eighteenth place with 1.54%.

Trojan-Downloader.AndroidOS.Agent.kx (1.45%), which loads adware, dropped to the bottom of the rankings.

Geography of mobile threats

Map of attempts to infect mobiles with malware, Q2 2022 (download)

TOP 10 countries and territories by share of users attacked by mobile malware

Countries and territories* %** 1 Iran 26,91 2 Yemen 17,97 3 Saudi Arabia 12,63 4 Oman 12,01 5 Algeria 11,49 6 Egypt 10,48 7 Morocco 7,88 8 Kenya 7,58 9 Ecuador 7,19 10 Indonesia 6,91

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

Iran remained the leader in terms of the share of infected devices in Q2 2022 with 26.91%; the most widespread threats there as before were the annoying AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen rose to second place with 17.97%; the Trojan-Spy.AndroidOS.Agent.aas spyware was the threat most often encountered by users in that country. Saudi Arabia came third with 12.63%, the most common malware apps in the country being the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben adware families.

Mobile banking Trojans

The number of detected mobile banking Trojan installation packages increased slightly compared to the previous quarter: during the reporting period, we found 55,614 of these, an increase of 1,667 on Q1 2022 and a year-on-year increase of 31,010.

Almost half (49.28%) of the detected installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. The Trojan-Banker.AndroidOS.Wroba was second with 5.54%, and Trojan-Banker.AndroidOS.Fakecalls third with 4.83%.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2021 — Q2 2022 (download)

Ten most common mobile bankers

Verdict %* 1 Trojan-Banker.AndroidOS.Bian.h 23.22 2 Trojan-Banker.AndroidOS.Anubis.t 10.48 3 Trojan-Banker.AndroidOS.Svpeng.q 7.88 4 Trojan-Banker.AndroidOS.Asacub.ce 4.48 5 Trojan-Banker.AndroidOS.Sova.g 4.32 6 Trojan-Banker.AndroidOS.Gustuff.d 4.04 7 Trojan-Banker.AndroidOS.Ermak.a 4.00 8 Trojan-Banker.AndroidOS.Agent.ep 3.66 9 Trojan-Banker.AndroidOS.Agent.eq 3.58 10 Trojan-Banker.AndroidOS.Faketoken.z 2.51

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q2 2022 (download)

TOP 10 countries and territories by shares of users attacked by mobile banking Trojans

Countries and territories* %** 1 Spain 1.04 2 Turkey 0.71 3 Australia 0.67 4 Saudi Arabia 0.64 5 Switzerland 0.38 6 UAE 0.23 7 Japan 0.14 8 Colombia 0.14 9 Italy 0.10 10 Portugal 0.09

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

In Q2 2022, Spain still had the largest share of unique users attacked by mobile financial threats: 1.04%. Trojan-Banker.AndroidOS.Bian.h accounted for 89.95% of attacks on Spanish users. Turkey had the second-largest share (0.71%), with attacks on Turkish users dominated by Trojan-Banker.AndroidOS.Ermak.a (41.38%). Australia was third with 0.67%; most attacks in this country were attributed to Trojan-Banker.AndroidOS.Gustuff.d (96,55%).

Mobile ransomware Trojans

The number of mobile ransomware Trojan installation packages we detected in Q2 2022 (3,821) almost doubled from Q1 2022, increasing by 1,879; the figure represented a year-on-year increase of 198.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2021 — Q2 2022 (download)

Top 10 most common mobile ransomware

Verdict %* 1 Trojan-Ransom.AndroidOS.Pigetrl.a 76.81 2 Trojan-Ransom.AndroidOS.Rkor.ch 2.66 3 Trojan-Ransom.AndroidOS.Small.as 2.51 4 Trojan-Ransom.AndroidOS.Rkor.br 1.46 5 Trojan-Ransom.AndroidOS.Rkor.bi 1.40 6 Trojan-Ransom.AndroidOS.Svpeng.ah 1.29 7 Trojan-Ransom.AndroidOS.Congur.cw 1.23 8 Trojan-Ransom.AndroidOS.Small.cj 1.14 9 Trojan-Ransom.AndroidOS.Svpeng.ac 1.14 10 Trojan-Ransom.AndroidOS.Congur.bf 1.07

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware Trojans, Q2 2022 (download)

TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans

Countries and territories* %** 1 Yemen 0,30 2 Kazakhstan 0,19 3 Azerbaijan 0,06 4 Kyrgyzstan 0,04 5 Switzerland 0,04 6 Egypt 0,03 7 Saudi Arabia 0,03 8 Uzbekistan 0,02 9 Russian Federation 0,02 10 Morocco 0,02

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.

Countries leading by number of users attacked by mobile ransomware Trojans were Yemen (0.30%), Kazakhstan (0.19%) and Azerbaijan (0.06%). Users in Yemen most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan and Azerbaijan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.

IT threat evolution in Q2 2022. Non-mobile statistics

Kaspersky Securelist - 6 hodin 34 min zpět

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2022:

  • Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
  • Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.
  • Ransomware attacks were defeated on the computers of 74,377 unique users.
  • Our File Anti-Virus detected 55,314,176 unique malicious and potentially unwanted objects.
Financial threats Financial threat statistics

In Q2 2022, Kaspersky solutions blocked the launch of malware designed to steal money from bank accounts on the computers of 100,829 unique users.

Number of unique users attacked by financial malware, Q2 2022 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

Geography of financial malware attacks, Q2 2022 (download)

TOP 10 countries and territories by share of attacked users

Country or territory* %** 1 Turkmenistan 4.8 2 Afghanistan 4.3 3 Tajikistan 3.8 4 Paraguay 3.1 5 China 2.4 6 Yemen 2.4 7 Uzbekistan 2.2 8 Sudan 2.1 9 Egypt 2.0 10 Mauritania 1.9

* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

TOP 10 banking malware families

Name Verdicts %* 1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 35.5 2 Zbot/Zeus Trojan-Banker.Win32.Zbot 15.8 3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 6.4 4 Trickster/Trickbot Trojan-Banker.Win32.Trickster 6 5 RTM Trojan-Banker.Win32.RTM 2.7 6 SpyEye Trojan-Spy.Win32.SpyEye 2.3 7 IcedID Trojan-Banker.Win32.IcedID 2.1 8 Danabot Trojan-Banker.Win32.Danabot 1.9 9 BitStealer Trojan-Banker.Win32.BitStealer 1.8 10 Gozi Trojan-Banker.Win32.Gozi 1.3

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs Quarterly trends and highlights

In the second quarter, the Lockbit group launched a bug bounty program. The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting  web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. This was the first-ever case of ransomware groups doing a (self-promotion?) campaign like that.

Another well-known group, Conti, said it was shutting down operations. The announcement followed a high-profile attack on Costa Rica’s information systems, which prompted the government to declare a state of emergency. The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.

While some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil’s website went back online in April, and researchers discovered a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.

Kaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and released a decryptor for all victims. Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.

Number of new modifications

In Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.

Number of new ransomware modifications, Q2 2021 — Q2 2022 (download)

Number of users attacked by ransomware Trojans

In Q2 2022, Kaspersky products and technologies protected 74,377 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q2 2022 (download)

Geography of attacked users

Geography of attacks by ransomware Trojans, Q2 2022 (download)

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory* %** 1 Bangladesh 1.81 2 Yemen 1.24 3 South Korea 1.11 4 Mozambique 0.82 5 Taiwan 0.70 6 China 0.46 7 Pakistan 0.40 8 Angola 0.37 9 Venezuela 0.33 10 Egypt 0.32

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans Name Verdicts* Percentage of attacked users** 1 Stop/Djvu Trojan-Ransom.Win32.Stop 17.91 2 WannaCry Trojan-Ransom.Win32.Wanna 12.58 3 Magniber Trojan-Ransom.Win64.Magni 9.80 4 (generic verdict) Trojan-Ransom.Win32.Gen 7.91 5 (generic verdict) Trojan-Ransom.Win32.Phny 6.75 6 (generic verdict) Trojan-Ransom.Win32.Encoder 6.55 7 (generic verdict) Trojan-Ransom.Win32.Crypren 3.51 8 (generic verdict) Trojan-Ransom.MSIL.Encoder 3.02 9 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 2.96 10 (generic verdict) Trojan-Ransom.Win32.Instructions 2.69

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners Number of new miner modifications

In Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression — in March through May we found a total of no more than 10,000 new modifications — was followed by a record of sorts.

Number of new miner modifications, Q2 2022 (download)

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.

Number of unique users attacked by miners, Q2 2022 (download)

Geography of miner attacks

Geography of miner attacks, Q2 2022 (download)

TOP 10 countries and territories attacked by miners

Country or territory* %** 1 Rwanda 2.94 2 Ethiopia 2.67 3 Tajikistan 2.35 4 Tanzania 1.98 5 Kyrgyzstan 1.94 6 Uzbekistan 1.88 7 Kazakhstan 1.84 8 Venezuela 1.80 9 Mozambique 1.68 10 Ukraine 1.56

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by criminals during cyberattacks Quarterly highlights

During Q2 2022, a number of major vulnerabilities were discovered in the Microsoft Windows. For instance, CVE-2022-26809 critical error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: CVE-2022-24491 and CVE-2022-24497. By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. The CVE-2022-24521 vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. CVE-2022-26925, also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.

Most of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved brute-forcing  access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of Log4j vulnerability (CVE-2021-44228) is also quite common, as the susceptible Java library is often used in web applications. Besides, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability CVE-2022-22965 that exploits the data binding functionality and results in remote code execution. Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.

Vulnerability statistics

Exploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited CVE-2017-11882 and CVE-2018-0802, which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves the component memory being damaged and a specially designed script, run on the target computer. Another vulnerability, CVE-2017-8570, allows downloading and running a malicious script when opening an infected document, to execute various operations in a vulnerable system. The emergence of CVE-2022-30190or Follina vulnerability also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. This, in turn, combined with a special set of parameters passed to the victim’s computer, can cause an arbitrary command to be executed — even if macros are disabled and the document is opened in Protected Mode.

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 (download)

Attempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome based browsers: CVE-2022-0609, CVE-2022-1096, and CVE-2022-1364. The first one was found in the animation component; it exploits a Use-After-Free error, causing memory damage, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they also can result in arbitrary code being executed on a vulnerable user system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks, in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, CVE-2022-1097, which appears when processing NSSToken-type objects from different streams. The browser was also found to contain CVE-2022-28281, a vulnerability that affects the WebAuthn extension. A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, CVE-2022-1802 and CVE-2022-1529, were exploited in cybercriminal attacks. The exploitation method, dubbed “prototype pollution”, allows executing arbitrary JavaScript code in the context of a privileged parent browser process.

As in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.

Attacks on macOS

The second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group Earth Berberoka (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. The TraderTraitor campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.

TOP 20 threats for macOS

Verdict %* 1 AdWare.OSX.Amc.e 25.61 2 AdWare.OSX.Agent.ai 12.08 3 AdWare.OSX.Pirrit.j 7.84 4 AdWare.OSX.Pirrit.ac 7.58 5 AdWare.OSX.Pirrit.o 6.48 6 Monitor.OSX.HistGrabber.b 5.27 7 AdWare.OSX.Agent.u 4.27 8 AdWare.OSX.Bnodlero.at 3.99 9 Trojan-Downloader.OSX.Shlayer.a 3.87 10 Downloader.OSX.Agent.k 3.67 11 AdWare.OSX.Pirrit.aa 3.35 12 AdWare.OSX.Pirrit.ae 3.24 13 Backdoor.OSX.Twenbc.e 3.16 14 AdWare.OSX.Bnodlero.ax 3.06 15 AdWare.OSX.Agent.q 2.73 16 Trojan-Downloader.OSX.Agent.h 2.52 17 AdWare.OSX.Bnodlero.bg 2.42 18 AdWare.OSX.Cimpli.m 2.41 19 AdWare.OSX.Pirrit.gen 2.08 20 AdWare.OSX.Agent.gen 2.01

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, found with a quarter of all attacked users. Members of this family display fake system problem messages, offering to buy the full version to fix those. It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.

Geography of threats for macOS

Geography of threats for macOS, Q2 2022 (download)

TOP 10 countries and territories by share of attacked users

Country or territory* %** 1 France 2.93 2 Canada 2.57 3 Spain 2.51 4 United States 2.45 5 India 2.24 6 Italy 2.21 7 Russian Federation 2.13 8 United Kingdom 1.97 9 Mexico 1.83 10 Australia 1.82

* Excluded from the rating are countries and territories  with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). AdWare.OSX.Amc.e was the most common adware encountered in these three countries.

IoT attacks IoT threat statistics

In Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.

Telnet 82,93% SSH 17,07%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022

The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.

Telnet 93,75% SSH 6,25%

Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022

TOP 10 threats delivered to IoT devices via Telnet

Verdict %* 1 Backdoor.Linux.Mirai.b 36.28 2 Trojan-Downloader.Linux.NyaDrop.b 14.66 3 Backdoor.Linux.Mirai.ek 9.15 4 Backdoor.Linux.Mirai.ba 8.82 5 Trojan.Linux.Agent.gen 4.01 6 Trojan.Linux.Enemybot.a 2.96 7 Backdoor.Linux.Agent.bc 2.58 8 Trojan-Downloader.Shell.Agent.p 2.36 9 Trojan.Linux.Agent.mg 1.72 10 Backdoor.Linux.Mirai.cw 1.45

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT-threat statistics are published in the DDoS report for Q2 2022.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

TOP 10 countries and territories that serve as sources of web-based attacks

The following statistics show the distribution by country or territory  of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-attack sources by country and territory, Q2 2022 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %** 1 Taiwan 26.07 2 Hong Kong 14.60 3 Algeria 14.40 4 Nepal 14.00 5 Tunisia 13.55 6 Serbia 12.88 7 Sri Lanka 12.41 8 Albania 12.21 9 Bangladesh 11.98 10 Greece 11.86 11 Palestine 11.82 12 Qatar 11.50 13 Moldova 11.47 14 Yemen 11.44 15 Libya 11.34 16 Zimbabwe 11.15 17 Morocco 11.03 18 Estonia 11.01 19 Turkey 10.75 20 Mongolia 10.50

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

On average during the quarter, 8.31% of the Internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Geography of web-based malware attacks, Q2 2022 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q2 2022, our File Anti-Virus detected 55,314,176 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.

Note that these rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %** 1 Turkmenistan 47.54 2 Tajikistan 44.91 3 Afghanistan 43.19 4 Yemen 43.12 5 Cuba 42.71 6 Ethiopia 41.08 7 Uzbekistan 37.91 8 Bangladesh 37.90 9 Myanmar 36.97 10 South Sudan 36.60 11 Syria 35.60 12 Burundi 34.88 13 Rwanda 33.69 14 Algeria 33.61 15 Benin 33.60 16 Tanzania 32.88 17 Malawi 32.65 18 Venezuela 31.79 19 Cameroon 31.34 20 Chad 30.92

*  Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q2 2022 (download)

On average worldwide, Malware-class local threats were registered on 14.65% of users’ computers at least once during Q2. Russia scored 16.66% in this rating.

IT threat evolution Q2 2022

Kaspersky Securelist - 6 hodin 35 min zpět

Targeted attacks New technique for installing fileless malware

Earlier this year, we discovered a malicious campaign that employed a new technique for installing fileless malware on target machines by injecting a shellcode directly into Windows event logs. The attackers were using this to hide a last-stage Trojan in the file system.

The attack starts by driving targets to a legitimate website and tricking them into downloading a compressed RAR file that is booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. The attackers use these tools to inject code into any process of their choosing. They inject the malware directly into the system memory, leaving no artifacts on the local drive that might alert traditional signature-based security and forensics tools. While fileless malware is nothing new, the way the encrypted shellcode containing the malicious payload is embedded into Windows event logs is.

The code is unique, with no similarities to known malware, so it is unclear who is behind the attack.

WinDealer’s man-on-the-side spyware

We recently published our analysis of WinDealer: malware developed by the LuoYu APT threat actor. One of the most interesting aspects of this campaign is the group’s use of a man-on-the-side attack to deliver malware and control compromised computers. A man-on-the-side attack implies that the attacker is able to control the communication channel, allowing them to read the traffic and inject arbitrary messages into normal data exchange. In the case of WinDealer, the attackers intercepted an update request from completely legitimate software and swapped the update file with a weaponized one.

The malware does not contain the exact address of the C2 (command-and-control) server, making it harder for security researchers to find it. Instead, it tries to access a random IP address from a predefined range. The attackers then intercept the request and respond to it. To do this, they need constant access to the routers of the entire subnet, or to some advanced tools at ISP level.

The vast majority of WinDealer’s targets are located in China: foreign diplomatic organizations, members of the academic community, or companies active in the defense, logistics or telecoms sectors. Sometimes, though, the LuoYu APT group will infect targets in other countries: Austria, the Czech Republic, Germany, India, Russia and the US. In recent months, they have also become more interested in businesses located in other East Asian countries and their China-based offices.

ToddyCat: previously unknown threat actor attacks high-profile organizations in Europe and Asia

In June, we published our analysis of ToddyCat, a relatively new APT threat actor that we have not been able to link to any other known actors. The first wave of attacks, against a limited number of servers in Taiwan and Vietnam, targeted Microsoft Exchange servers, which the threat actor compromised with Samurai, a sophisticated passive backdoor that typically works via ports 80 and 443. The malware allows arbitrary C# code execution and is used alongside multiple modules that let the attacker administer the remote system and move laterally within the targeted network. In certain cases, the attackers have used the Samurai backdoor to launch another sophisticated malicious program, which we dubbed Ninja. This is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat.

The next wave saw a sudden surge in attacks, as the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries, including Iran, India, Malaysia, Slovakia, Russia and the UK.

Subsequently, we observed other variants and campaigns, which we attributed to the same group. In addition to affecting most of the previously mentioned countries, the threat actor targeted military and government organizations in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave was extended to desktop systems.

SessionManager IIS backdoor

In 2021, we observed a trend among certain threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities in Microsoft Exchange. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a target organization — to collect emails, update further malicious access or clandestinely manage compromised servers.

We published our analysis of one such IIS backdoor, called Owowa, last year. Early this year, we investigated another, SessionManager. Developed in C++, SessionManager is a malicious native-code IIS module. The attackers’ aim is for it to be loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server. This kind of malicious modules usually expects seemingly legitimate but specifically crafted HTTP requests from their operators, triggers actions based on the operators’ hidden instructions and then transparently passes the request to the server for it to be processed just as any other request.

As a result, these modules are not easily spotted through common monitoring practices.

SessionManager has been used to target NGOs and government organizations in Africa, South America, Asia, Europe and the Middle East.

We believe that this malicious IIS module may have been used by the GELSEMIUM threat actor, because of similar victim profiles and the use of a common OwlProxy variant.

Other malware Spring4Shell

Late in March, researchers discovered a critical vulnerability (CVE-2022-22965) in Spring, an open-source framework for the Java platform. This is a Remote Code Execution (RCE) vulnerability, allowing an attacker to execute malicious code remotely on an unpatched computer. The vulnerability affects the Spring MVC and Spring WebFlux applications running under version 9 or later of the Java Development Kit. By analogy with the well-known Log4Shell vulnerability, this one was dubbed “Spring4Shell”.

By the time researchers had reported it to VMware, a proof-of-concept exploit had already appeared on GitHub. It was quickly removed, but it is unlikely that cybercriminals would have failed to notice such a potentially dangerous vulnerability.

You can find more details, including appropriate mitigation steps, in our blog post.

Actively exploited vulnerability in Windows

Among the vulnerabilities fixed in May’s “Patch Tuesday” update was one that has been actively exploited in the wild. The Windows LSA (Local Security Authority) Spoofing Vulnerability (CVE-2022-26925) is not considered critical per se. However, when the vulnerability is used in a New Technology LAN Manager (NTLM) relay attack, the combined CVSSv3 score for the attack-chain is 9.8. The vulnerability, which allows an unauthenticated attacker to force domain controllers to authenticate with an attacker’s server using NTLM, was already being exploited in the wild as a zero-day, making it a priority to patch it.

Follina vulnerability in MSDT

At the end of May, researchers with the nao_sec team reported a new zero-day vulnerability in MSDT (the Microsoft Support Diagnostic Tool) that can be exploited using a malicious Microsoft Office document. The vulnerability, which has been designated as CVE-2022-30190 and has also been dubbed “Follina”, affects all operating systems in the Windows family, both for desktops and servers.

MSDT is used to collect diagnostic information and send it to Microsoft when something goes wrong with Windows. It can be called up from other applications via the special MSDT URL protocol; and an attacker can run arbitrary code with the privileges of the application that called up the MSD: in this case, the permissions of the user who opened the malicious document.

Kaspersky has observed attempts to exploit this vulnerability in the wild; and we would expect to see more in the future, including ransomware attacks and data breaches.

BlackCat: a new ransomware gang

It was only a matter of time before another ransomware group filled the gap left by REvil and BlackMatter shutting down operations. Last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums, claiming that the group had learned from the errors of their predecessors and created an improved version of the malware.

The BlackCat creators use the ransomware-as-a-service (RaaS) model. They provide other attackers with access to their infrastructure and malicious code in exchange for a cut of the ransom. BlackCat gang members are probably also responsible for negotiating with victims. This is one reason why BlackCat has gained momentum so quickly: all that a “franchisee” has to do is obtain access to the target network.

The group’s arsenal comprises several elements. One is the cryptor. This is written in the Rust language, allowing the attackers to create a cross-platform tool with versions of the malware that work both in Windows and Linux environments. Another is the Fendr utility (also known as ExMatter), used to exfiltrate data from the infected infrastructure. The use of this tool suggests that BlackCat may simply be a re-branding of the BlackMatter faction, since that was the only known gang to use the tool. Other tools include the PsExec tool, used for lateral movement on the victim’s network; Mimikatz, the well-known hacker software; and the Nirsoft software, used to extract network passwords.

Yanluowang ransomware: how to recover encrypted files

The name Yanluowang is a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell. This ransomware is relatively recent. We do not know much about the victims, although data from the Kaspersky Security Network indicates that threat actor has carried out attacks in the US, Brazil, Turkey and a few other countries.

The low number of infections is due to the targeted nature of the ransomware: the threat actor prepares and implements attacks on specific companies only.

Our experts have discovered a vulnerability that allows files to be recovered without the attackers’ key — although only under certain conditions — with the help of a known-plaintext attack. This method overcomes the encryption algorithm if two versions of the same text are available: one clean and one encrypted. If the victim has clean copies of some of the encrypted files, our upgraded Rannoh Decryptor can analyze these and recover the rest of the information.

There is one snag: Yanluowang corrupts files slightly differently depending on their size. It encrypts small (less than 3 GB) files completely, and large ones, partially. So, the decryption requires clean files of different sizes. For files smaller than 3 GB, it is enough to have the original and an encrypted version of the file that are 1024 bytes or more. To recover files larger than 3 GB, however, you need original files of the appropriate size. However, if you find a clean file larger than 3 GB, it will generally be possible to recover both large and small files.

Ransomware TTPs

In June, we carried out an in-depth analysis of the TTPs (tactics, techniques and procedures) (TTPs) of the eight most widespread ransomware families: Conti/Ryuk, Pysa, Clop, Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. Our aim was to help those tasked with defending corporate systems to understand how ransomware groups operate and how to protect against their attacks.

The report includes the following:

  • The TTPs of eight modern ransomware groups.
  • A description of how various groups share more than half of their components and TTPs, with the core attack stages executed identically across groups.
  • A cyber-kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps.
  • A detailed analysis of each technique with examples of how various groups use them, and a comprehensive list of mitigations.
  • SIGMA rules based on the described TTPs that can be applied to SIEM solutions.
Ransomware trends in 2022

Ahead of the Anti-Ransomware Day on May 12, we took the opportunity to outline the tendencies that have characterized ransomware in 2022. In our report, we highlight several trends that we have observed.

First, we are seeing more widespread development of cross-platform ransomware, as cybercriminals seek to penetrate complex environments running a variety of systems. By using cross-platform languages such as Rust and Golang, attackers are able to port their code, which allows them to encrypt data on more computers.

Second, ransomware gangs continue to industrialize and evolve into real businesses by adopting the techniques and processes used by legitimate software companies.

Third, the developers of ransomware are adopting a political stance, involving themselves in the conflict between Russia and Ukraine.

Finally, we offer best practices that organizations should adopt to help them defend against ransomware attacks:

  • Keep software updated on all your devices.
  • Focus your defense strategy on detecting lateral movements and data exfiltration.
  • Enable ransomware protection for all endpoints.
  • Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
  • Provide your SOC team with access to the latest threat intelligence.
Emotet’s return

Emotet has been around for eight years. When it was first discovered in 2014, its main purpose was stealing banking credentials. Subsequently, the malware underwent numerous transformations to become one of the most powerful botnets ever. Emotet made headlines in January 2021, when its operations were disrupted through the joint efforts of law enforcement agencies in several countries. This kind of “takedowns” does not necessarily lead to the demise of a cybercriminal operation. It took the cybercriminals almost ten months to rebuild the infrastructure, but Emotet did return in November 2021. At that time, the Trickbot malware was used to deliver Emotet, but it is now spreading on its own through malicious spam campaigns.

Recent Emotet protocol analysis and C2 responses suggest that Emotet is now capable of downloading sixteen additional modules. We were able to retrieve ten of these, including two different copies of the spam module, used by Emotet for stealing credentials, passwords, accounts and emails, and to spread spam.

You can read our analysis of these modules, as well as statistics on recent Emotet attacks, here.

Emotet infects both corporate and private computers all around the world. Our telemetry indicates that in the first quarter of 2022, targeted: it mostly targeted users in Italy, Russia, Japan, Mexico, Brazil, Indonesia, India, Vietnam, China, Germany and Malaysia.

Moreover, we have seen a significant growth in the number of users attacked by Emotet.

Mobile subscription Trojans

Trojan subscribers are a well-established method of stealing money from people using Android devices. These Trojans masquerade as useful apps but, once installed, silently subscribe to paid services.

The developers of these Trojans make money through commissions: they get a cut of what the person “spends”. Funds are typically deducted from the cellphone account, although in some cases, these may be debited directly to a bank card. We looked at the most notable examples that we have seen in the last twelve months, belonging to the Jocker, MobOk, Vesub and GriftHorse families.

Normally, someone has to actively subscribe to a service; providers often ask subscribers to enter a one-time code sent via SMS, to counter automated subscription attempts. To sidestep this protection, malware can request permission to access text messages; where they do not obtain this, they can steal confirmation codes from pop-up notifications about incoming messages.

Some Trojans can both steal confirmation codes from texts or notifications, and work around CAPTCHA: another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special CAPTCHA recognition service.

Some malware is distributed through dubious sources under the guise of apps that are banned from official stores, for example, masquerading as apps for downloading content from YouTube or other streaming services, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.

Other mobile subscription Trojans are less sophisticated. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as they enter their number and click the login button, and the amount is debited to their cellphone account.

Other Trojans employ subscriptions with recurring payments. While this requires consent, the person using the phone might not realize they are signing up for regular automatic payments. Moreover, the first payment is often insignificant, with later charges being noticeably higher.

You can read more about this type of mobile Trojan, along with tips on how to avoid falling victim to it, here.

The threat from stalkerware

Over the last four years, we have published annual reports on the stalkerware situation, in particular using data from the Kaspersky Security Network. This year, our report also included the results of a survey on digital abuse commissioned by Kaspersky and several public organizations.

Stalkerware provides the digital means for a person to secretly monitor someone else’s private life and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. It may be legal to market stalkerware, although its use to monitor someone without their consent is not. Developers of stalkerware benefit from a vague legal framework that still exists in many countries.

In 2021, our data indicated that around 33,000 people had been affected by stalkerware.

The numbers were lower than what we had seen for a few years prior to that. However, it is important to remember that the decrease of 2020 and 2021 occurred during successive COVID-19 lockdowns: that is, during conditions that meant abusers did not need digital tools to monitor and control their partners’ personal lives. It is also important to bear in mind that mobile apps represent only one method used by abusers to track someone — others include tracking devices such as AirTags, laptop applications, webcams, smart home systems and fitness trackers. KSN tracks only the use of mobile apps. Finally, KSN data is taken from mobile devices protected by Kaspersky products: many people do not protect their mobile devices.  The Coalition Against Stalkerware, which brings together members of the IT industry and non-profit companies, believes that the overall number of people affected by this threat might be thirty times higher — that is around a million people!

Stalkerware continues to affect people across the world: in 2021, we observed detections in 185 countries or territories.

Just as in 2020, Russia, Brazil, the US and India were the top four countries with the largest numbers of affected individuals. Interestingly, Mexico had fallen from fifth to ninth place. Algeria, Turkey and Egypt entered the top ten, replacing Italy, the UK and Saudi Arabia, which were no longer in the top ten.

We would recommend the following to reduce your risk of being targeted:

  • Use a unique, complex password on your phone and do not share it with anyone.
  • Try not to leave your phone unattended; and if you have to, lock it.
  • Download apps only from official stores.
  • Protect your mobile device with trustworthy security software and make sure it is able to detect stalkerware.

Remember also that if you discover stalkerware on your phone, dealing with the problem is not as simple as just removing the stalkerware app. This will alert the abuser to the fact that you have become aware of their activities and may precipitate physical abuse. Instead, seek help:  you can find a list or organizations that can provide help and support on the Coalition Against Stalkerware site.

SOVA Android Banking Trojan Returns With New Capabilities and Targets

The Hacker News - 6 hodin 1 min zpět
The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out. That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Open Source OSINT Tools and Techniques

LinuxSecurity.com - 6 hodin 56 min zpět
What is Open Source Intelligence (OSINT)?Open Source Intelligence (OSINT) is the practice of collecting information from published or publicly available sources for intelligence purposes. The term ''Open Source' within OSINT refers to the public nature of the analyzed data; publicly available information includes blogs, forums, social media sites, traditional media (TV, radio, and publications), research papers, government records, and academic journals. The scope of this information is almost infinite, concerning various people, companies, and organizations. Individuals who leverage OSINT can span from IT security professionals and state-sanctioned intelligence operatives with ethical intentions to malicious hackers with unethical intentions.
Kategorie: Hacking & Security

Ubuntu 22.04 LTS and 20.04 LTS: Canonical Releases Kernel Security Updates

LinuxSecurity.com - 7 hodin 34 min zpět
British Linux distributor Canonical is releasing security updates to the Linux kernel for Ubuntu 22.04 LTS (''Jammy Jellyfish'') and Ubuntu 20.04 LTS (''Focal Fossa''), patching vulnerabilities in its operating systems. The vulnerabilities fixed could lead to a Denial of Service (DOS) lead.
Kategorie: Hacking & Security

Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems

The Hacker News - 11 hodin 58 min zpět
A now-removed rogue package pushed to the official third-party software repository for Python has been found to deploy cryptominers on Linux systems. The module, named "secretslib" and downloaded 93 times prior to its deletion, was released to the Python Package Index (PyPI) on August 6, 2022 and is described as "secrets matching and verification made easy." "On a closer Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Jak vyzrát na inflaci? Internet zaplavují kryptoměnové podvody

Novinky.cz - bezpečnost - 14 Srpen, 2022 - 12:30
V době rostoucí inflace hledají lidé přirozeně způsoby, jak své úspory ochránit. Toho se snaží využít i vykutálení podvodníci, kteří je vybízejí k investicím do kryptoměn. Ve skutečnosti jim ale nabízejí falešné virtuální měny, které mnohdy spojují se jmény známých osobností, například amerického podnikatele a vizionáře Elona Muska.
Kategorie: Hacking & Security

Tornado Cash Developer Arrested After U.S. Sanctions the Cryptocurrency Mixer

The Hacker News - 14 Srpen, 2022 - 09:11
Dutch authorities on Friday announced the arrest of a software developer in Amsterdam who is alleged to be working for Tornado Cash, days after the U.S. sanctioned the decentralized crypto mixing service. The 29-year-old individual is "suspected of involvement in concealing criminal financial flows and facilitating money laundering" through the service, the Dutch Fiscal Information and Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

What to watch for as 'Hacker Summer Camp' gets underway in Las Vegas

LinuxSecurity.com - 13 Srpen, 2022 - 18:16
A trio of cybersecurity conferences '' BSidesLV, Black Hat USA and DEF CON '' kicks off this week in Las Vegas in what's collectively known as Hacker Summer Camp, bringing together policymakers, executives, experts, hackers and enthusiasts against a backdrop of some of the most unsettled international events of recent years.
Kategorie: Hacking & Security

Jak vyzrát na inflaci? Internet zaplavují kryptoměnové podvody

Novinky.cz - bezpečnost - 13 Srpen, 2022 - 15:58
V době rostoucí inflace hledají lidé přirozeně způsoby, jak své úspory ochránit. Toho se snaží využít i vykutálení podvodníci, kteří je vybízejí k investicím do kryptoměn. Ve skutečnosti jim ale nabízejí falešné virtuální měny, které mnohdy spojují se jmény známých osobností, například amerického podnikatele a vizionáře Elona Muska.
Kategorie: Hacking & Security

Takhle kradou Čechům peníze. Přes SMS zprávy

Novinky.cz - bezpečnost - 13 Srpen, 2022 - 15:44
Škodlivé kódy se nešíří pouze přes nevyžádané e-maily a podvodné webové stránky, tuzemští uživatelé se s nimi mohou setkat klidně i v SMS zprávách. Přesně prostřednictvím nich se šíří v posledních týdnech nezvaný návštěvník MaliBot, který dokáže bankovní účty svých obětí pěkně provětrat. Před novou hrozbou varovala kyberbezpečnostní společnost Check Point, která zároveň popsala, jak útočníci pracují.
Kategorie: Hacking & Security

Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users

The Hacker News - 13 Srpen, 2022 - 14:41
A pair of reports from cybersecurity firms SEKOIA and Trend Micro sheds light on a new campaign undertaken by a Chinese threat actor named Lucky Mouse that involves leveraging a trojanized version of a cross-platform messaging app to backdoor systems. Infection chains leverage a chat application called MiMi, with its installer files compromised to download and install HyperBro samples for the Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security

Researchers Uncover UEFI Secure Boot Bypass in 3 Microsoft Signed Boot Loaders

The Hacker News - 12 Srpen, 2022 - 22:02
A security feature bypass vulnerability has been uncovered in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that allow bypass of the UEFI Secure Boot feature. "These vulnerabilities can be exploited by mounting the EFI System Partition and replacing the existing bootloader with the vulnerable one, or modifying a UEFI variable to load the vulnerable loader Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com
Kategorie: Hacking & Security
Syndikovat obsah