Viruses and Worms

Pretty much all the headaches at MSPs stem from cybersecurity

The Register - Anti-Virus - 30 May 2024 - 12:30
More cybercrime means more problems as understaffed teams stretched to the limit

Managed Service Partners (MSPs) say cybersecurity dwarfs all other main concerns about staying competitive in today's market.…

Category: Viruses and Worms

Indian stock exchange finally encrypting all messages to traders

The Register - Anti-Virus - 30 May 2024 - 07:36
Requests for pricing will soon be encrypted, after implementation deadline was extended

India's Bombay Stock Exchange (BSE) has told market participants they need to adopt encryption – which, shockingly, isn't already implemented – for certain messages sent to its trading platforms when using its Enhanced Trading Interface (ETI).…

Category: Viruses and Worms

Chinese national cuffed on charges of running 'likely the world's largest botnet ever'

The Register - Anti-Virus - 30 May 2024 - 01:58
DoJ says 911 S5 crew earned $100M from 19 million PCs pwned by fake VPNs

US authorities have arrested the alleged administrator of what FBI director Christopher Wray has described as "likely the world's largest botnet ever," comprising 19 million compromised Windows machines used by its operators to reap millions of dollars over the last decade.…

Category: Viruses and Worms

Miscreants claim they've snatched 560M people's info from Ticketmaster

The Register - Anti-Virus - 30 May 2024 - 01:00
All that data allegedly going for a song on revived BreachForums

Updated  Ticketmaster is believed to have had its IT breached by cybercriminals who claim to have stolen 1.3TB of data on 560 million of the corporation's customers – and are now selling all that info for $500,000.…

Category: Viruses and Worms

Multi-day DDoS storm batters Internet Archive

The Register - Anti-Virus - 29 May 2024 - 22:16
Think this is bad? See what Big Media wants to do to us, warns founder

Updated  The Internet Archive has been under a distributed-denial-of-service (DDoS) attack since Sunday, and is trying to keep services going.…

Category: Viruses and Worms

North Korea building cash reserves using ransomware, video games

The Register - Anti-Virus - 29 May 2024 - 15:00
Microsoft says Kim’s hermit nation is pivoting to latest tools as it evolves in cyberspace

A brand-new cybercrime group that Microsoft ties to North Korea is tricking targets using fake job opportunities to launch malware and ransomware, all for financial gain.…

Category: Viruses and Worms

pfSense, VLANs, proxy, … or: starting to tame the wilderness of the home network

VIRY.CZ - 29 May 2024 - 09:30

After fourteen days, here is the final part of the whole series on securing a smart home. So if you don't want a Trojan horse at home in the form of Chinese photovoltaics or other Chinese smart devices, here is the resolution of the whole problem. And actually, this solution also offers far greater comfort than many of the official solutions from the manufacturers!

I'll say up front that there are loads of other ways to secure a home network and to make smart devices reachable from the internet. I did it as follows.

VLANs – separate networks, yet interconnected

I have my home network split into 4 VLANs using IEEE 802.1Q, and it is done that way both at the wireless level (WiFi network) and at the "wired" level (CAT6 ethernet cables). The reality is a bit amusing, though: I have over 300 m of ethernet cable run through the house, at least 2 sockets in every room, 4 behind the TV cabinet, and yet I haven't even connected the TV by cable. A 24-port switch with VLAN support was therefore a case of "using a cannon on sparrows". But back to the VLANs. In the end I have these:

  • IOT – all the smart devices live here, including IP cameras, Shelly devices, Android TV and Home Assistant installed on a Raspberry Pi 3.
  • SERVERS – here I have the Synology NAS and the UniFi controller (running on a Raspberry Pi).
  • PRIVATE – devices such as the desktop PC, laptop, mobile phones and printer.
  • GUEST – for the guest WiFi. Actually very similar to IOT, but with client isolation.

Logically, Home Assistant, which manages the IoT devices, should rather sit in the SERVERS VLAN, but I take advantage of the fact that this way it can automatically detect new devices on the same network segment (typically when I buy another Shelly component), and the whole network topology is a bit simpler.

pfSense – the heart of the whole infrastructure

Routing between the VLANs is handled by pfSense, as are the firewall function and other services. At first I ran pfSense+ on the official Netgate 1100 device. But as soon as you start playing with pfSense more, turning on traffic inspection and other services, you very quickly hit the limit of its 1 GB of RAM. So it was later replaced with a more powerful box with 4 GB of RAM – a PC Engines board with an AMD GX-412TC quad-core processor. Unfortunately AMD has ended further development of these chipsets, so if it dies, the third one will again be something completely different, but still with pfSense.

pfSense has a long history. It has been with us since 2004, when it split off from another legend – m0n0wall. In 2015 an alternative appeared in the form of OPNsense. Everything runs on FreeBSD.

I have the IOT VLAN completely cut off from the internet and from the other VLANs. DHCP is available there. Depending on their nature, some IoT devices get an IP address assigned freely and others have it set "hard" (bound to the MAC address and in the IoT device's own settings). This is typical for IP cameras or other devices where a change of IP over time could cause complications (heat pump, photovoltaics – both because of TCP Modbus communication). The only outbound communication allowed is DNS and NTP (so that the cameras have the correct date and time). On the firewall I also have rules prepared that allow a basic set of ports in case I want, for example, to update the firmware of an IoT device or let a remote technician reach the heat pump. By default, however, these rules are inactive.

The most permissive, of course, are the SERVERS and PRIVATE VLANs. From both you can reach all the others.

Three WiFi networks

I run the vast majority of the IoT devices wirelessly over WiFi. WiFi is handled by several Ubiquiti UniFi ceiling "discs" with PoE power. The IOT, PRIVATE and GUEST VLANs each have their own SSID, so in the neighbourhood you see 3 WiFi networks. The IOT WiFi runs only on 2.4 GHz, the others on both 2.4 and 5 GHz. I know that some IoT devices have trouble with initial setup if your phone is on a 5 GHz network and is supposed to be used to pair with an IoT device that supports only 2.4 GHz. The WiFi network is then managed through the UniFi Controller, which I also run on an antique Raspberry Pi 3.

A side effect with Ubiquiti is, for example, that it visualises the infrastructure for you automatically.

Beware of drained batteries!

Especially for battery-powered devices (but ideally everywhere) I recommend disabling the use of the manufacturer's cloud infrastructure in the configuration. The firewall on pfSense will block the communication anyway, but if you leave the cloud enabled, for instance in the settings of the "Shelly Door Window 2" open door/window detector, the repeated failed attempts to establish communication with the cloud mean that a battery which should last more than a year in the device is drained in a matter of weeks! And how many replacement batteries I bought before I figured that out... Conversely, with Shelly it is recommended to enable the CoIoT protocol and enter the IP address of the Home Assistant server.

That's about it for the internal part. But how is reachability of the IoT devices from the internet implemented? Again there are many solutions, but I went with the following.

Reaching the smart home from the internet, the DIY way

I have a static public IP address from my internet provider (although mapping the key ports is enough). For it I have created DNS A records: one for access to the Synology NAS (which also hosts the camera system management) and a second for Home Assistant. Both records, or rather the IP address, lead to the WAN port of the pfSense firewall.

On pfSense runs the pfBlockerNG service, which uses GeoIP rules and drops outright any communication coming from countries other than the Czech Republic and Slovakia, as well as from blacklisted IP addresses. Adding further regions is intuitively no problem. Then there is the Snort service, which detects various anomalies in network traffic and can also hand out either permanent or temporary "bans" to public IP addresses.

Reverse proxy, HTTP SSL, ACME, Let's Encrypt, Fail2ban, …

Hidden behind this is another service, the HAProxy reverse proxy, which routes legitimate requests from the internet for Home Assistant or the Synology NAS to the correct "backends". Whether you connect to the Synology NAS or Home Assistant from the internet through a web browser or the manufacturer's mobile app, technically it is always HTTP communication. The unencrypted form on port 80 is, of course, disabled. Only the encrypted SSL variant is allowed, with HAProxy terminating that connection and forwarding it on locally, by hostname, over plain HTTP to Synology or Home Assistant.

The validity of the SSL certificates is handled by another service running on pfSense – ACME. The Let's Encrypt authority is used for this, so there is no need to deal with exceptions for untrusted servers. "Fail2Ban", i.e. blocking an IP address when someone makes several failed login attempts from it, I handle on the target systems, Synology and Home Assistant. For this to work correctly, you need to enable sending of the X-Forwarded headers in HAProxy and take them into account in the Synology / Home Assistant settings. Otherwise you will only ban yourselves, or rather the internal IP address of pfSense, not the actual culprit / attacker.
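The "you only ban the proxy" failure mode above, worked through as an added example (not code from the post): a fail2ban-style counter keyed on the TCP peer versus one keyed on an X-Forwarded-For address that is honoured only when the peer is the trusted proxy. The proxy address 192.168.10.1 and the client addresses are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumption: the only box allowed to set X-Forwarded-For is the
# pfSense/HAProxy host on its inner interface.
TRUSTED_PROXIES = [ip_network("192.168.10.1/32")]
BAN_THRESHOLD = 3  # failed logins from one address before it is banned


def is_trusted_proxy(addr: str) -> bool:
    ip = ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Resolve the address a proxy-aware service should attribute a request to.

    The header is honoured only when the TCP peer is a trusted proxy; a direct
    client could otherwise forge any address into it. The chain is walked from
    the right and the first hop that is not itself a trusted proxy is returned,
    so values an attacker prepends to the header are never used.
    """
    if not xff or not is_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            return peer_ip  # malformed hop: fall back to the peer, never trust garbage
    return peer_ip


def ban_list(failed_logins, use_xff: bool):
    """Fail2ban-style counter over failed logins seen by the backend service.

    Each entry is (tcp_peer_ip, x_forwarded_for_header_or_None). With
    use_xff=False the service keys on the TCP peer, which behind HAProxy is
    always the proxy's own address, so that is what ends up banned.
    """
    failures = Counter()
    for peer, xff in failed_logins:
        failures[real_client_ip(peer, xff) if use_xff else peer] += 1
    return {ip for ip, n in failures.items() if n >= BAN_THRESHOLD}


# Constructed sample: three failures from 203.0.113.5 (one with the proxy's own
# hop appended), one from 203.0.113.9, and one direct LAN request carrying a
# forged header that must be ignored because its peer is not the proxy.
SAMPLE_FAILED_LOGINS = [
    ("192.168.10.1", "203.0.113.5"),
    ("192.168.10.1", "203.0.113.5"),
    ("192.168.10.1", "203.0.113.5, 192.168.10.1"),
    ("192.168.10.1", "203.0.113.9"),
    ("192.168.10.50", "203.0.113.5"),
]

if __name__ == "__main__":
    print("keyed on TCP peer:", ban_list(SAMPLE_FAILED_LOGINS, use_xff=False))
    print("keyed on X-Forwarded-For:", ban_list(SAMPLE_FAILED_LOGINS, use_xff=True))
```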

Conclusion

This is, in a nutshell, the solution I use at home. Again, it could be solved completely differently, but I am extremely satisfied with this. I have everything in one application that is faster, better and more stable than many of the official solutions from the manufacturers. At the same time, Home Assistant makes it possible to implement automations that would otherwise be unthinkable, expensive or complicated. More on that in the previous part. In any case, here is a recap of all the previous parts:

Do you like Trojan horses? Get yourself Chinese photovoltaics!

The risks don't only come via photovoltaics; a "Powered by Tuya" device for a few hundred crowns is enough

Cutting off the internet, moving to Home Assistant

And how do you handle security? Or don't you give a damn? Feel free to write in the comments.

The post pfSense, VLANs, proxy, … or: starting to tame the wilderness of the home network appeared first on VIRY.CZ.

Category: Viruses and Worms

2.8M US folks learn their personal info was swiped months ago in Sav-Rx IT heist

The Register - Anti-Virus - 29 May 2024 - 00:20
Theft happened in October, only now are details coming to light

Sav-Rx has started notifying about 2.8 million people that their personal information was likely stolen during an IT intrusion that happened more than seven months ago.…

Category: Viruses and Worms

BreachForums returns just weeks after FBI-led takedown

The Register - Anti-Virus - 28 May 2024 - 20:45
Website whack-a-mole getting worse

BreachForums is back online just weeks after the notorious dark-web marketplace for stolen data was seized by law enforcement.…

Category: Viruses and Worms

SpiderOak One customers threaten to jump ship following datacenter upgrade

The Register - Anti-Virus - 28 May 2024 - 18:45
One tricky cluster is causing outrage among longstanding customers

Over a month after an April datacenter upgrade coincided with problems with some of its customers' backups, secure storage biz SpiderOak still isn't fully operational, and some angry users say they're ready to cut ties.…

Category: Viruses and Worms

Auction house Christie’s confirms criminals stole some client data

The Register - Anti-Virus - 28 May 2024 - 15:30
Centuries-old institution dodges questions on how it happened as ransomware gang claims credit

International auctioning giant Christie's has confirmed data was stolen during an online attack after a top-three ransomware group claimed credit.…

Category: Viruses and Worms

Trusted relationship attacks: trust, but verify

Kaspersky Securelist - 28 May 2024 - 12:00

The IT outsourcing market continues to show strong growth globally; such services are becoming increasingly popular. But along with the advantages, such as saved time and resources, delegating non-core tasks creates new challenges in terms of information security. By giving third-party companies (service providers or contractors) access to their infrastructure, businesses increase the risk of trusted relationship attacks – T1199 in the MITRE ATT&CK classification.

In 2023, trusted relationship cyberattacks ranked among the top three most frequently used attack vectors. In such attacks, attackers first gain access to the service provider’s network and then, if they manage to obtain active credentials for connecting to the target organization’s network, infiltrate the target infrastructure. In most cases, contractors are small and medium-sized businesses that are less well protected than large enterprises. This is another reason why IT service providers attract the attention of attackers.

The trusted relationship vector is attractive to attackers because it allows them to carry out large-scale attacks with significantly less effort than other vectors. Attackers only need to gain access to the service provider’s network to expose all of its clients to cyber risk, regardless of their size or industry. Moreover, attackers using legitimate connections often go unnoticed, because their actions within the affected organization’s infrastructure look like the actions of the service provider’s employees. According to 2023 statistics, only one in four affected organizations identified an incident as a result of detecting suspicious activity (launch of hacker tools, malware, network scanners, etc.) in their infrastructure, while the rest discovered they had been infiltrated via a third party only after data leakage or encryption.

How access is set up between the target organization and the service provider

Any way of connecting a contractor to the systems of a target organization – even the most secure one – is a potential point of entry for intruders. However, the customer company often gives the service provider quite a lot of access to its systems, including:

  • allocating various systems for the provider to carry out its work;
  • issuing access credentials for connecting to the infrastructure;
  • creating domain accounts.

Most often, communication between the service provider and the client takes place via VPN connections and Remote Desktop Protocol (RDP) services. Access is set up using a certificate or a login/password pair, and in rare cases multi-factor authentication is added on top. Having compromised the service provider’s infrastructure, intruders can obtain the user accounts or certificates issued by the target organization and thereby connect to its systems.

Many companies resort to remote management utilities such as AnyDesk or Ammyy Admin. Most of these utilities allow automatic access by login/password, but that access is vulnerable to brute-force attacks. In addition, if misconfigured, these utilities accept connections from any IP address or system as long as the credentials are valid.

Access to the internal infrastructure can also be organized using SSH or RDP protocols and an allowlist of IP addresses. With this method, there’s no need to connect to a VPN, but the security risks grow significantly (for example, the possibility of brute-force attacks).

At the same time, organizations find it difficult to monitor service providers’ compliance with security policies. For example, contractors may store credentials for connecting to the target organization’s network in plain text in public directories or in corporate information systems such as Jira or Confluence, which the client’s security service may not be aware of.

How attackers gain access to a service provider’s network

In our incident investigations, we continuously note the use of various initial attack vectors to gain access to the infrastructures of IT outsourcing companies. Let’s consider the three most popular ones, which make up more than 80% of all initial attack vectors.

The most common method of initial compromise is exploiting vulnerabilities in applications accessible from the internet. Thus, to penetrate the infrastructure, attackers most often used vulnerabilities in Microsoft Exchange, Atlassian Confluence, CMS Bitrix, and Citrix VDI.

The second most popular method is the use of compromised credentials. In every third incident where this vector was used, attackers brute-forced passwords for services accessible from the external network: RDP, SSH, and FTP. In other cases, they used data that had been stolen before the incident began.

Rounding out the top three is targeted phishing. Attackers continue to refine their multi-step schemes and social engineering methods, often using attached documents and archives containing malware to penetrate the network.

Attack development

By investigating incidents related to trusted relationship attacks, we have identified the most interesting attacker tactics and techniques. We present them here in the order they appear in the attack process. In the incidents we worked on, attackers can be divided into two groups according to the tactics and techniques used: let’s call them Group A and Group B.

  1. Gaining access to service providers. In most cases, the hack started by exploiting vulnerabilities in software accessible from the internet (Initial Access, Exploit Public-Facing Application, T1190).
  2. Establishing persistence in the service provider’s infrastructure. Attackers in Group A exclusively used the Ngrok tunneling utility at this stage. They installed it in the service provider’s infrastructure as a service. Only the Windows segment was compromised (Persistence, Create or Modify System Process: Windows Service, T1543.003). Attackers in Group B initially used backdoors for persistence, which were later used to load and launch Ngrok or the remote management utility AnyDesk. As a result, both Windows and Linux segments were compromised. The attackers used the following backdoors:

     In some incidents, Ngrok persistence was achieved through the task scheduler.
  3. Actions after compromising credentials for connecting to target organizations. Group A, having discovered credentials for connecting to the service provider’s clients’ VPN tunnel, penetrated their infrastructure on the same day: the attackers connected to systems allocated to the contractor via the RDP protocol using accounts allocated to the contractor’s employees (Initial Access, Valid Accounts: Domain Accounts, T1078.002), established persistence using the Ngrok utility (probably in case of losing access to the VPN), and returned to the new victims’ infrastructure after several months. Up to three months could have passed between initial access to the target organization and attack discovery. Group B established persistence in the service provider’s infrastructure and returned after several months to carry out attacks on its clients. Up to three months could have passed between initial access to the contractor and attack discovery.
  4. Actions of attackers in the systems allocated to the service provider in the target organization. The systems allocated to the service provider in the target organization became the entry point for the attackers. During incident investigations, traces of the launch of numerous utilities were found on these systems:

  5. Lateral movement in the target organization’s network. For lateral movement within the target organization’s network, the attackers used the RDP protocol (Lateral Movement, Remote Services: Remote Desktop Protocol, T1021.001).
  6. Data collection from workstations and servers of the target organization. In some incidents, attackers from both groups collected data from workstations and servers (Collection, Data from Local System, T1005), packed it into archives (Collection, Archive Collected Data: Archive via Utility, T1560.001) and uploaded it to external file-sharing resources (Exfiltration, Exfiltration Over Web Service, T1567).
  7. Fulfilling attack objectives. In most cases, the attackers launched ransomware in the target organization’s infrastructure (Impact, Data Encrypted for Impact, T1486). It is worth noting that group policies or remote creation of Windows services were often used to distribute the ransomware files in the infrastructure. Less frequently, distribution and execution were carried out manually.

Attackers use tunneling utilities (Command and Control, Protocol Tunneling, T1572) or remote access software (Command and Control, Remote Access Software, T1219) for several reasons:

Firstly, it removes the need for a VPN, which the contractor’s employees must use to reach systems in the target infrastructure via RDP. Attackers are often active outside working hours, and correctly configured monitoring can alert security personnel when VPN connections are detected at odd hours from suspicious IP addresses (for example, those belonging to public anonymization services). If such activity is detected, the corresponding accounts will most likely be blocked and, as a result, the attackers will lose access to the infrastructure.

With tunneling and remote access utilities, attackers can gain a secure foothold in the target system. AnyDesk allows you to register this software as a service. We’ve seen several options for establishing persistence through the Ngrok utility:

  • As a service: ngrok.exe service run --config ngrok.yml
  • Manually: ngrok.exe config add-authtoken <TOKEN>, followed by ngrok.exe tcp 3389
  • As a task: ngrok.exe tcp 3389 (the authentication data was set manually before establishing persistence by executing ngrok.exe config add-authtoken <TOKEN>)

Secondly, the use of such utilities is convenient for attackers. The presence of a backdoor in the network provides them with unhindered access to the internal infrastructure; however, it’s not always comfortable to interact with the compromised system in this way, so attackers turn to utilities. By forwarding the RDP port through Ngrok or connecting via AnyDesk, the attacker is able to interact with the compromised system more easily.

Thirdly, such utilities are quite difficult to track. Ngrok and AnyDesk are legitimate utilities; they are not detected by antivirus tools as malware and are often used for legitimate purposes. In addition, they allow attackers to hide the IP address of the connection source in the compromised system.

For example, with a regular RDP connection, in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx log, we will see connection events (ID 21) or reconnection events (ID 25), where the attacker’s IP address will be indicated in the connection source field (external IP address if the system is accessible from the internet, or internal IP address of another compromised system). In the case of an RDP connection through a tunneling utility, the source connection value in the log will be ::%16777216 – it doesn’t carry any information about the connecting system. In most cases, this artifact will merely indicate a connection through a tunneling utility.

AnyDesk creates its own logs. Among them, the most useful for incident investigation are connection_trace.txt and ad.trace/ad_svc.trace, as they are named in Windows. The connection_trace.txt log allows you to quickly identify connections to the analyzed system and their type (User, Token, Password). If the attackers used AnyDesk and the log indicates a Token and Password connection type, it can be concluded that the attacker set up automatic connection by password and, with AnyDesk running, can reconnect to the system at any time. The ad.trace/ad_svc.trace log contains debugging information, which allows you to determine the IP address from which the connection was made. However, it’s worth noting that attackers often delete AnyDesk logs, making it nearly impossible to detect traces of their connections.
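The two artifacts described above, turned into triage checks as an added example (not code from the Securelist article): RDP session-start events (ID 21/25) whose source is the ::%16777216 placeholder, and incoming AnyDesk sessions authenticated by Token or Password. The event records are constructed as if exported from the LocalSessionManager log, and the connection_trace.txt layout used here (tab-separated direction, timestamp, auth type, remote ID) is an assumed simplification of the real file.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, Iterable, List

# Placeholder source address Windows records for an RDP session that arrived
# through a local tunnel instead of a real network peer.
TUNNEL_SOURCE = "::%16777216"
# LocalSessionManager event IDs that mark a session start (21) or reconnect (25).
SESSION_START_EVENTS = {21: "logon", 25: "reconnect"}
# AnyDesk auth types that mean unattended access was configured on the host.
UNATTENDED_AUTH = {"Token", "Password"}


@dataclass(frozen=True)
class Finding:
    artifact: str
    when: str
    detail: str


def tunneled_rdp_sessions(events: Iterable[Dict]) -> List[Finding]:
    """Flag RDP logon/reconnect events whose source is the tunnel placeholder."""
    found = []
    for ev in events:
        kind = SESSION_START_EVENTS.get(ev["EventID"])
        if kind and ev["SourceNetworkAddress"] == TUNNEL_SOURCE:
            found.append(Finding("rdp", ev["TimeCreated"],
                                 f"{kind} for {ev['User']} via local tunnel; "
                                 "source address carries no peer information"))
    return found


def unattended_anydesk_connections(trace_text: str) -> List[Finding]:
    """Flag incoming AnyDesk sessions that authenticated by Token or Password."""
    found = []
    for row in csv.reader(StringIO(trace_text), delimiter="\t"):
        if len(row) < 4 or row[0] != "Incoming":
            continue  # outgoing sessions and short/blank lines are not of interest
        _direction, when, auth, remote_id = row[:4]
        if auth in UNATTENDED_AUTH:
            found.append(Finding("anydesk", when,
                                 f"{auth} auth from AnyDesk ID {remote_id}; "
                                 "the peer can reconnect at any time"))
    return found


def triage(events, trace_text):
    """Run both artifact checks and return all findings in one list."""
    return tunneled_rdp_sessions(events) + unattended_anydesk_connections(trace_text)


# Constructed sample events, as if exported from
# Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx.
SAMPLE_RDP_EVENTS = [
    {"EventID": 21, "TimeCreated": "2024-05-20T09:02:11",
     "User": "CORP\\contractor01", "SourceNetworkAddress": "10.20.30.40"},
    {"EventID": 25, "TimeCreated": "2024-05-20T23:41:05",
     "User": "CORP\\contractor01", "SourceNetworkAddress": "::%16777216"},
    # ID 23 is a logoff, not a session start, so it must not be flagged
    {"EventID": 23, "TimeCreated": "2024-05-21T00:10:00",
     "User": "CORP\\contractor01", "SourceNetworkAddress": "::%16777216"},
]
# Constructed connection_trace.txt content in the simplified layout assumed above.
SAMPLE_ANYDESK_TRACE = "\n".join([
    "Incoming\t2024-05-21, 02:13\tUser\t111222333\t",
    "Incoming\t2024-05-21, 02:40\tPassword\t444555666\t",
    "Outgoing\t2024-05-21, 03:05\tToken\t777888999\t",
    "Incoming\t2024-05-22, 01:59\tToken\t444555666\t",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_RDP_EVENTS, SAMPLE_ANYDESK_TRACE):
        print(f"[{f.artifact}] {f.when}: {f.detail}")
```

A missing connection_trace.txt on a host where the AnyDesk service is installed is itself worth recording, since the article notes attackers often delete these logs.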

Fulfilling attack objectives

The ultimate goals of attacks on service providers and target organizations can vary. For example:

  • Establish persistence in the contractor’s infrastructure and remain undetected for as long as possible in order to gain access to their clients’ infrastructure.
  • Remain undetected for as long as possible in order to obtain confidential information (industrial espionage).
  • Exfiltrate as much data as possible and deploy ransomware or a wiper in the organization’s infrastructure to paralyze its activities. We observed this scenario in most attacks on target organizations.

Conclusion and advice

Practice shows that attackers, remaining undetected, usually stayed in the target organization’s infrastructure for up to three months and managed to gain control over critical servers and hosts in various network segments. Only after this did they proceed to encrypt the data. This is enough time for the information security department to detect the incident and respond to the attackers’ actions.

The results of our incident investigations indicate that in the overwhelming majority of cases, antivirus solutions detected malicious activity, but the antivirus verdicts were not given due attention. Therefore, if you have an in-house incident response team, keep them alert through training and cyber exercises; if you don’t have one, subscribe to incident response services from a provider who can guarantee the necessary service level via an appropriate SLA.

Attacks through trusted relationships are quite difficult to detect because:

  • Connections to the target organization’s VPN from the service provider’s network in the early stages are initiated from legitimate IP addresses.
  • Attackers use legitimate credentials to connect to systems within the target organization’s infrastructure (and otherwise).
  • Attackers increasingly use legitimate tools in their attacks.

Nevertheless, it is possible to detect these attacks by following certain rules. We’ve put together recommendations for service providers and their clients that will help detect trusted relationship attacks early on or avoid them altogether.

If you’re an IT service provider:

  • Ensure proper storage of credentials issued for connecting to your clients’ infrastructure.
  • Set up logging of connections from your infrastructure to the clients’ one.
  • Promptly install software updates or use additional protection measures for services at the network perimeter.
  • Implement a robust password policy and multi-factor authentication.
  • Monitor the use of legitimate tools that could be exploited by attackers.

If your organization uses the services of IT outsourcing companies:

  • When allowing service providers into your infrastructure, give them time-limited access to necessary hosts only.
  • Monitor VPN connections: which account was authorized, at what time, and from which IP address.
  • Implement a robust password policy and multi-factor authentication for VPN connections.
  • Limit the privileges of accounts issued to service providers, applying the principle of least privilege.
  • Apply the same information security requirements to third parties connecting to the internal infrastructure as to hosts in the internal network.
  • Identify situations where chains of different accounts are used to access systems within the infrastructure. For example, if service provider’s employees connect to the VPN using one account and then authenticate via RDP using another account.
  • Monitor the use of remote access and tunneling utilities or other legitimate tools that could be used by attackers.
  • Ensure the detection of the following events within the network perimeter: port scanning, brute-forcing domain account passwords, brute-forcing domain and local account names.
  • Pay special attention to activity within your infrastructure outside of working hours.
  • Back up your data and ensure that your backups are protected as strictly as your primary assets.

Key MITRE ATT&CK tactics and techniques used in trusted relationship attacks

  Tactic               Technique                                          Technique ID
  Initial Access       Exploit Public-Facing Application                  T1190
  Initial Access       Trusted Relationship                               T1199
  Initial Access       Valid Accounts: Domain Accounts                    T1078.002
  Persistence          Create or Modify System Process: Windows Service   T1543.003
  Persistence          Hijack Execution Flow: Dynamic Linker Hijacking    T1574.006
  Persistence          Scheduled Task/Job: Scheduled Task                 T1053.005
  Credential Access    OS Credential Dumping                              T1003
  Discovery            Network Service Discovery                          T1046
  Discovery            Account Discovery: Domain Account                  T1087.002
  Discovery            Remote System Discovery                            T1018
  Lateral Movement     Remote Services: Remote Desktop Protocol           T1021.001
  Collection           Data from Local System                             T1005
  Collection           Archive Collected Data: Archive via Utility        T1560.001
  Command and Control  Protocol Tunneling                                 T1572
  Command and Control  Remote Access Software                             T1219
  Exfiltration         Exfiltration Over Web Service                      T1567
  Impact               Data Encrypted for Impact                          T1486

Take two APIs and call me in the morning: How healthcare research can cure cyber crime

The Register - Anti-Virus - 28 May 2024 - 10:30
In evolving smarter security, open source is the missing link

Opinion  Some ideas work better than others. Take DARPA, the US Defense Advanced Research Projects Agency. Launched by US President Dwight Eisenhower in 1957 in response to Sputnik, its job is to create and test concepts that may be useful in thwarting enemies. Along the way, it has helped bring about GPS, weather satellites, PC technology, and something called the internet.…

Category: Viruses and Worms

How's Uncle Sam getting on with Biden's AI exec order? Pretty good, we're told

The Register - Anti-Virus - 27 May 2024 - 18:56
Former Pentagon deputy CIO Rob Carey tells us guardrails should steer Feds away from bad ML

Interview  President Biden's October executive order encouraging the safe use of AI included a ton of requirements for federal government agencies that are developing and deploying machine learning technologies.…

Category: Viruses and Worms

Message board scams

Kaspersky Securelist - 27 May 2024 - 15:00

Marketplace fraud is nothing new. Cybercriminals swindle money out of buyers and sellers alike. Lately, we’ve seen a proliferation of cybergangs operating under the Fraud-as-a-Service model and specializing in tricking users of online marketplaces, in particular, message boards. Criminals are forever inventing new schemes for stealing personal data and funds, which are then quickly distributed to other scammers through automation and the sale of phishing tools. This article explores how these cybergangs operate, how they find and fool victims, with a special look at a campaign targeting users of several European message boards.

Ways to deceive message board users

There are two main types of message board scams.

  1. The first one is when a scammer impersonates the seller and offers to ship an item to the buyer. When the buyer inquires about the terms of delivery and method of payment, the scammer (in the role of the seller) asks for the buyer’s full name, address and phone number, and for online payment. If the victim agrees, they are sent a phishing link to pay for the order (in a third-party messenger or in a dialog box on the message board itself, if the site does not block such links). As soon as the user enters their card details on the fake site, they go straight to the fraudster, who debits the available balance.
    This type of fraud is known as scam 1.0 or a buyer scam, because the attacker poses as the seller to deceive the buyer. It is considered outdated as most message board users are aware of it. Besides, the method involves waiting around for a buyer to take an interest in the item on offer.
  2. Alternatively, the scammer can pose as the buyer and deceive the seller by persuading the seller to dispatch the item and collect payment by “secure transaction”. As in scam 1.0, the attackers send a phishing link to the duped seller via a third-party messenger or directly on the message board. The linked page requests payment card details. If the seller enters these, supposedly to receive payment, the attacker debits all the money from the card.
    This is known as scam 2.0 or a seller scam, because the attacker deceives the seller posing as the buyer. This type of scam is more common than the first, since fewer users are familiar with it, so the chances of finding a victim are greater. What’s more, in scam 2.0 the attacker proactively searches for victims, instead of waiting for one to appear, which speeds up the operation.

In both cases, clicking the link opens a phishing site – a near exact replica of a real trading platform or payment service with just one tiny difference: all the data you enter there will fall into cybercriminal hands. Now for a closer look at the scam 2.0 scheme targeting sellers.

How attackers choose their victims

Scammers have several criteria for selecting potential victims. Primarily they are drawn to ads that sellers have paid to promote. Such ads usually appear at the top of search results and are marked as sponsored. They attract scammers for two reasons: first, a seller who pays for promotion is more likely to have money, and second, they are probably looking for a quickish sale.

Besides the sponsored label, attackers look at the photos in the ad: if they are of professional quality, it is most likely an offer from a store. Scammers are not interested in such ads.

Lastly, attackers need sellers who use a third-party messenger and are willing to provide a phone number. This information becomes known only after contact is made.

How the victim is deceived

The main goal is to persuade the victim to click a phishing link and enter their card details. Like any buyer, the scammer opens the conversation with a greeting and an inquiry about whether the offer is still on the table. After that, the threat actor asks the seller various questions about the product, such as its condition, how long ago they purchased it, why they want to sell it, and so on. Experienced scammers ask no more than three questions to avoid arousing suspicion.

Next, the attacker agrees to buy the item, but says they cannot pick it up in person and pay in cash because, say, they are out of town (here the scammer can get creative), and then asks if delivery with “secure payment” is acceptable.

To deflect potential questions from the seller, the scammer explains the payment scheme in detail, roughly as follows:

  1. I pay for the item on [name of site].
  2. You get a link to receive the money.
  3. You follow the link and enter your card details to receive the payment.
  4. Once you receive the money, the delivery service will contact you to establish your preferred shipping method. Shipping will already be paid for. The delivery service will pack and document the item for you.

If the victim starts to quibble about the payment method, the scammer simply vanishes so as not to waste time. If the seller wants to continue negotiations on the marketplace’s official website, the attacker concludes they smell a rat and will be unlikely to click the phishing link, and so stops replying and begins the search for a new victim.

If, however, the victim clicks the link and enters their card details, the scammers siphon off all available funds. The price of the item is irrelevant: even if the amount asked for in the ad was insignificant, the attackers will steal whatever they can.

What phishing pages look like

In the scam 2.0 scheme, there are two main flavors of phishing site: some mimic the marketplace with the victim’s ad, others a secure payment service such as Twint. Below is an example of a phishing ad and the original on the official site.

Phishing ad

Original ad

As we see, the scammers have produced a near exact copy of the marketplace interface. The fake page differs from the original only in minor details. In particular, instead of the Inserent kontaktieren (“Contact advertiser”) button, the phishing page shows a Receive 150 CHF button. Clicking this button opens a page with a form for entering card details.

Phishing payment pages

If the link instead opens a copy of a secure payment service, the card data entry form appears directly on that page, without any further redirection.

Cybergangs

Recently, whole groups of scammers specializing in message boards have gained widespread notoriety. Practicing both types of fraud (scam 1.0 and scam 2.0), they unite criminal masterminds, support teams, and low-level players.

We carried out an in-depth study of one such gang targeting message board users in Switzerland. Drawing on this example, we will show how such groups are structured internally and how they organize their activities.

A cybercriminal group may include the following roles:

  • Topic starter (TS) is the team’s founder and main administrator.
  • Coder is responsible for all technical components: Telegram channels, chats, bots, etc.
  • Refunder is a scammer who handles tech support chats on phishing sites. They help coax the victim into entering their card details, which is the attackers’ ultimate goal. The name “refunder” comes from the fact that the victim is directed to such a “specialist” if they are unhappy about the debit and want a refund.
  • Carder has the task of withdrawing money from the victim’s bank account. As a rule, having received card data, the carder uses it to pay for various goods, services, loans, etc. The process of paying for purchases with someone else’s card is called carding.
  • Motivator provides moral support to scammers. Their task is to make sure the gang remains focused and doesn’t lose heart. The motivator offers podcasts and support in personal messages – a chance to discuss any problems, including personal issues unrelated to fraud. Only large operations have the funds to engage such an “employee”. The motivator works for a percentage of the stolen money.
  • Marketer is responsible for ad campaigns and the design and appearance of bots and accompanying materials – mainly on dark web platforms and Telegram channels for scammers. Advertising is needed to attract new workers.
  • Worker is a scammer who directly deceives victims: finds ads, responds to them, persuades the victim to follow a phishing link, etc. Workers differ from regular scammers only in that they work for a group and make use of its tools and support. As payment, workers receive the funds they steal, minus a commission. The process of defrauding victims is called work.
  • Mentor is an experienced worker assigned to a newcomer.
  • Consummator is a woman who encourages a man to buy gifts and scams money out of him. This role is offered to all women who join closed groups where scammers communicate with each other.

Other scammer terms worth highlighting are:

  • A trusting user who has already been deceived is called a mammoth.
  • The amount of money on the card whose details the victim entered on a phishing website is called logs.
  • The amount debited from the victim’s card is called profit.

Gangs communicate in closed groups and channels on Telegram, where they recruit new workers, host bots that create phishing links and track clicks on the links that have been sent, and keep statistics on each case and on the profits of individual workers and of the group as a whole.

Fraud-as-a-Service

Cybergangs operate under the Fraud-as-a-Service model, in which the main service consumers are workers. Organizers provide functioning services (channels/chats/bots on Telegram, phishing sites, payment processing, laundering/debiting of funds), as well as moral support and “work” manuals. In return, they take a commission from each payment.

Which countries are targeted by message board scams?

Scam 1.0 and scam 2.0 appeared several years ago, and both schemes can still be found on Russian-language message boards. But scams aimed at the Russian segment are considered old-hat among experienced scammers, since Russian users are tuned in to such schemes and there is a high risk that the attackers will be found and arrested. Therefore, scammers are switching to other countries.

The group at the center of our investigation is primarily focused on Switzerland. In their chat, the scammers cite the reason as the lower risk of getting caught and Swiss-based users’ relative unfamiliarity with this type of scam. In addition, before placing ads or responding to them, the scammers get to know the target country’s market and basic facts about it. For example, what languages and dialects are spoken there. This is to address the victim in their local tongue so as to win trust more easily. According to 2023 data, over two-thirds of the Swiss population aged 15 and older are fluent in at least two languages.

The gang under study also operates in Canada, Austria, France, and Norway.

Work manual

We analyzed the instructions that the group gives to new workers and found out how they get started. First of all, on the dark web, the worker buys accounts on message boards, which they will then scour for victims. Attackers buy accounts rather than create them, since registering on sites carries more risks. That done, the worker creates an account in a third-party messenger. This account is used for communication with the victim. Some users themselves ask for a number to make contact via messenger; in other cases, it is the worker who offers it to reduce the risk of getting banned on the marketplace. Virtual phone numbers are used for registration.

The next step is for the worker to find a proxy server that will provide anonymity and confidentiality. When connecting through this, the marketplace sees the server’s IP address and other information, which allows the attacker to hide their identity data. A proxy is generally considered good if the account is not banned immediately after registration. If a worker uses a VPN, for instance, their accounts will get banned very quickly: connecting via VPN entails a frequent change of IP address and geolocation, which is why sites often identify such accounts as bots.

Besides instructions for getting started, the manual contains templates shared by experienced gang members. The novice worker can use the templates to persuade a victim to make a deal or assuage any concerns about the proposed payment method.

The manual also contains instructions on how to bypass restrictions imposed by sites. Message boards are constantly updated to strengthen internal security, so it’s increasingly difficult for workers to use stock phrases in communicating with users. For example, in November 2023, one popular marketplace banned payments through Tripartie, a commonly used platform for secure transactions in Switzerland, and began blocking accounts for mentioning this system in chats. To get around this update, workers deliberately misspell the name Tripartie. More experienced workers use the Cyrillic alphabet to make the name of the payment system unreadable to the site’s security systems.
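The normalization step a marketplace chat filter needs against the misspelling and Cyrillic-lettering tricks described above, written here as an added example; it is not part of the original article and not any platform's actual filter. The confusables map is a constructed subset of the Unicode confusables data, the banned-term list is a placeholder, and the sample chat lines are made up:

```python
import difflib
import re
import unicodedata

# Cyrillic letters that render like Latin ones in common UI fonts. This is a
# constructed subset of the Unicode confusables data, not a complete table.
CYRILLIC_TO_LATIN = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ԛ": "q", "ԝ": "w",
    "г": "r", "т": "t", "к": "k", "м": "m", "в": "b", "н": "h",
    "А": "A", "В": "B", "Е": "E", "К": "K", "М": "M", "Н": "H", "О": "O",
    "Р": "P", "С": "C", "Т": "T", "Х": "X", "І": "I", "Ј": "J", "Ѕ": "S",
}

# The term the article says one marketplace began blocking in chats. Placeholder
# list for the example; a platform would maintain its own.
BANNED_TERMS = ["Tripartie"]

# Invisible characters used to split a word without changing how it looks.
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\u00ad]")


def normalize(text: str) -> str:
    """Fold the evasions into plain lowercase text before matching."""
    text = unicodedata.normalize("NFKC", text)                 # full-width forms etc.
    text = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in text)  # homoglyphs -> Latin
    text = ZERO_WIDTH.sub("", text)                            # drop invisible splitters
    return text.lower()


def find_banned_terms(message: str, banned=BANNED_TERMS, cutoff: float = 0.8):
    """Return [(fragment, term, score)] for each banned term the message appears
    to contain after normalization, despite misspelling or splitting."""
    norm = normalize(message)
    hits = []
    # 1. Misspellings ("Tripartee"): compare every word with every term.
    for tok in re.findall(r"[a-z0-9]+", norm):
        for term in banned:
            score = difflib.SequenceMatcher(None, tok, term.lower()).ratio()
            if score >= cutoff:
                hits.append((tok, term, round(score, 2)))
    # 2. Splitting ("T r i p a r t i e", "tri.partie"): remove every separator
    #    and look for the term as a substring. This can cross word boundaries,
    #    so treat it as a signal rather than proof.
    collapsed = re.sub(r"[^a-z0-9]", "", norm)
    for term in banned:
        t = term.lower()
        if t in collapsed and not any(h[1] == term for h in hits):
            hits.append((t, term, 1.0))
    return hits


if __name__ == "__main__":
    # Constructed chat lines; the second spells the name with Cyrillic letters.
    samples = [
        "Payment via Tripartee secure transaction, ok?",
        "Shall we use \u0422r\u0456\u0440\u0430rt\u0456\u0435 for the payment?",
        "T r i p a r t i e is safe, I pay first",
        "I'll pay cash when I pick it up on Saturday",
    ]
    for s in samples:
        print(find_banned_terms(s) or "clean", "<-", s)
```

Exact keyword matching fails on the first substituted letter; folding confusables first catches the Cyrillic spelling, the collapsed-string check catches spaced and dotted spellings, and the similarity ratio catches one- or two-letter misspellings at the cost of some false positives on short tokens. In practice the score would feed a risk signal alongside link blocking rather than trigger an automatic ban on its own.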

Monetizing stolen cards

If the seller enters their card details, the worker sends the data to the carder, who withdraws money from the card within the established limits. There are different ways to do this: by purchasing expensive devices, transferring money to an e-wallet such as PayPal, etc. The carder may also try to have a credit or loan issued in the card owner’s name, or open a deposit. To do this, they use online banks that do not require SMS verification. Some institutions may ask for a passport scan, in which case the carder uses passport data that was stolen or taken from people with no fixed abode. Although this data has nothing to do with the card owner, scammers rely on the fact that online banks do not always check that the passport and card belong to the same person.

Fraud automation with Telegram bots

To simplify the job of workers, the group deploys a phishing Telegram bot. This automates the process of creating phishing pages and communicating with victims, as well as tracking the scammers’ progress. The bot’s main page has buttons for creating a phishing link, viewing a personal profile, quick access to the group’s chats and channels, plus settings.

Home page of the bot

Clicking the button to create a phishing page lets the user select a country for which a unique link will be generated.

Button for selecting a region

Next, the worker specifies the name of the item that the victim wants to buy (if the victim is a buyer) or sell (if a seller).

Specifying item name

With this data the bot is able to create a full copy of the original ad, but on the phishing page. In addition, the worker feeds information from the ad (photo, price, description, etc.) into the bot, so that the victim feels like they are on the original page.

After filling in all the data, the bot provides phishing links in all languages for the target country, for all available message boards, and for both scam types (buyer and seller), from which the worker chooses the most suitable.

Selecting the link

Here the scammer can message the victim by email, messenger or text. The contact information is obtained from the target’s profile on the site, or is wheedled out in a private chat.

Selecting actions to perform with the ad

After a successful phishing attack, the worker can view their in-bot profile, which displays personal information: ID, handle, card balance, amount earned by the worker personally and by the group as a whole.

Personal profile data

Also inside the bot, it is possible to make direct contact with a mentor and to earn additional revenue through the “refer-a-friend” scheme.

In-bot tools

What the phishing links look like

The phishing links that the group creates with its Telegram bot are built along the same pattern:

  • domain/language/action/ad number

The domain most often contains the full or partial name of the message board that the phishing page imitates, but this is not a mandatory component.

The language element varies with the target country. In the case of Switzerland, there are four options: en, it, fr, de.

The action is what the victim purportedly needs to do: pay for the item or receive payment. This element takes one of two values: pay (if the scammer is posing as a seller) or receive (if as a buyer).

The phishing link always ends in the ad number, identical to the original.

Examples of phishing links
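A triage routine for links built on this pattern, added here as an example; it is not taken from the article or from the bot it describes. It parses the /language/action/ad-number path, compares the registrable domain against the three Swiss marketplaces named in the article's statistics (tutti.ch, anibis.ch, post.ch) using an edit-distance and partial-name check, and flags punycode hosts. The sample URLs are constructed and the non-marketplace hostnames do not refer to real sites:

```python
import re
from urllib.parse import urlsplit

# Marketplace domains named in the article; a deployment would load the
# platform's own list. Everything else in this file is constructed.
KNOWN_DOMAINS = ["tutti.ch", "anibis.ch", "post.ch"]

# Kit pattern from the article: /<language>/<pay|receive>/<ad number>
PATH_RE = re.compile(r"^/(?P<lang>[a-z]{2})/(?P<action>pay|receive)/(?P<ad>\d+)/?$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; hostnames are short, so no optimisation needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Adequate for the ccTLDs in the article;
    a real check would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, known=KNOWN_DOMAINS):
    """Return the known domain this host imitates, or None."""
    reg = registrable(host)
    for k in known:
        brand = k.split(".")[0]
        # One or two characters off ("tuttl.ch"), or the brand name buried in
        # an unrelated domain ("anibis-ch.example"). The substring test is
        # deliberately loose and will also flag legitimate partner domains.
        if levenshtein(reg, k) <= 2 or brand in host:
            return k
    return None


def triage_url(url: str, known=KNOWN_DOMAINS) -> dict:
    """Classify a URL received in a marketplace chat."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    info = {"host": host, "lang": None, "action": None, "ad_id": None,
            "lookalike_of": None, "reasons": []}

    m = PATH_RE.match(parts.path)
    if m:
        info.update(lang=m["lang"], action=m["action"], ad_id=m["ad"])
        info["reasons"].append("path follows the /lang/action/ad-number kit pattern")

    # A Cyrillic-lettered hostname reaches us as punycode, which the plain
    # substring test above would miss.
    punycode = any(label.startswith("xn--") for label in host.split("."))
    if punycode:
        info["reasons"].append("punycode host (possible homoglyph domain)")

    if registrable(host) in known:
        info["verdict"] = "known-domain"
        return info

    look = lookalike_of(host, known)
    if look:
        info["lookalike_of"] = look
        info["reasons"].append(f"domain imitates {look}")

    if m and look:
        info["verdict"] = "phishing"
    elif m or look or punycode:
        info["verdict"] = "suspicious"
    else:
        info["verdict"] = "unknown"
    return info


if __name__ == "__main__":
    # Constructed samples; the non-marketplace hostnames are not real sites.
    for u in ["https://tutti.ch/de/listing/12345678",
              "https://tuttl.ch/de/receive/12345678",
              "http://anibis-ch.example/fr/pay/555",
              "https://secure-payment.example/en/receive/42"]:
        r = triage_url(u)
        print(f"{r['verdict']:13} {u}  {'; '.join(r['reasons'])}")
```

The path pattern alone is a weak indicator, since the kit can change it in an update; the combination of a kit-shaped path with a domain that is one edit away from, or contains the name of, a marketplace the user actually trades on is what the check keys on. A platform-side filter would add the domain registration date the article's advice mentions, which this offline example cannot look up.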

Bot updates

Cybergangs are constantly tweaking and updating their Telegram bots. They add new information useful for workers and expand the arsenal of scam automation tools.

During our observation of the Telegram bot under study, information appeared about the group’s income for different periods: per day and for its entire existence, as well as information about the worker’s income per week and per month.

User profile information

The next update added detailed information about mentors and their workload. In total, the group has five mentors, who oversee more than 300 workers. At the time of posting, the scammers’ group on Telegram had more than 10,000 members.

The most experienced workers with profits in excess of 20,000 euros can become mentors. This involves submitting an application to the head mentor for consideration. Mentors receive a percentage of their mentees’ earnings. The size of the commission is set by mentors themselves, and goes up with experience.

Mentoring system

Besides the modified interface, the way in which links are created was updated, with an expanded list of platforms targeted by phishing.

Platforms for phishing

What happens after clicking a link

The link from the bot points to a phishing site, the address of which may differ from the original by just one letter. The page is a full copy of the original ad, including the site logo and name, price and description of the item of interest.

Phishing ad aimed at deceiving the buyer. For the seller, the page is the same, only instead of a Pay button there will be a Receive button.

When the victim clicks the phishing link, the worker receives a notification in the bot about this activity. The notification prompts the scammer to check if the victim is online (that is, whether they’ve opened the phishing link) and, if necessary, to start a chat. Such notifications are created to simplify the worker’s tasks and speed up the response.

Notification about a phishing link click

When the victim enters card details, the carder immediately uses them, and a notification is sent to the group’s general chat about receipt of a new payment. The message specifies the stolen amount, plus information about how much of it will go to the carder and the worker. The worker’s share is automatically credited to their account specified in the bot settings. The message from the bot also contains the name of the user who pays the worker their profit. This is so that scammers themselves do not get cheated, as there have been cases of workers, under the guise of payment, swindling money out of “colleagues” or asking to borrow a certain sum and not returning it.

Notification of payment

At the end of each day, a notification is sent to the general chat about the amount earned by the entire group for the day, the month and the whole period of operation. The group in question was established in August 2023. It made its first profit 3 days and 17 hours later. At that point it had 2,675 workers and receipts worth 1,458 USD.

Amount of group payments for February 2024

Profit and statistics

We compiled statistics on the group’s activities for the period February 1–4, 2024, inclusive.

Country        Total logs        Total profits
Canada         1,084.999 CAD     0 CAD
Switzerland    50,431.17 CHF     10,273 CHF
France         850 EUR           0 EUR
Austria        2,900 EUR         0 EUR

In four days, the group earned 10,273 CHF (roughly 11,500 USD). At the same time, from the log amounts, we see the attackers could have stolen over 50,000 USD from Swiss cards alone. Why didn’t they? The main reason is that the carder does not work with logs worth less than 300 CHF (330 USD). This is most likely because total profits received from such logs will be less than the cost of debiting them. Moreover, withdrawing money from a card carries a high risk of detection, so carders are only interested in cards holding large sums of money. Lastly, some victims may have managed to block their cards before they fell into the carder’s hands, or entered incorrect data, which would have impacted the total amount of logs.

Carder limit

Country        Number of logs
Switzerland    65
France         6
Austria        4
Canada         4

Looking at the number of logs received, we see the most popular country is Switzerland. France comes second. In joint third place are Austria and Canada.

Platform       Number of logs    Total profits
Facebook       26                0 CHF
Post.ch        16                3,887 CHF
Tutti.ch       16                2,434 CHF
Anibis.ch      11                3,952 CHF

In terms of the message boards whose users were scammed, the platforms most used by attackers were Facebook, Post.ch and Tutti.ch. That said, logs from Facebook earned the scammers no profit at all. By profit, Anibis.ch came first even though it was only fourth by number of logs, with Post.ch second and Tutti.ch third.

How not to swallow workers’ bait

Although message board scams are automated and production-lined, you can take protective measures.

  • Trust only official sites. Before entering card details in any form, study the site address, make sure there are no typos or extra characters in the domain, and check when it was created: if the site is just a couple of months old, it is likely to be fraudulent. Safest of all is not to follow links to enter your data, but to type in the URL in the address bar manually or open it from bookmarks.
  • When buying or selling goods on message boards, do not switch to third-party messengers. Conduct all correspondence in a chat on the platform. Such platforms typically use fraud protection and forbid sending suspicious links.
  • Where possible, refuse payment in advance – pay only when you receive the item in good condition.
  • Do not scan QR codes sent from untrusted sources.
  • Do not sell goods “with delivery” if the platform has no such option. If the buyer is located in another city, choose a delivery service yourself, giving preference to large, reputable companies.

Threat landscape for industrial automation systems, Q1 2024

Kaspersky Securelist - 27 May 2024 - 12:00

Global statistics

Statistics across all threats

In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 24.4%.

Compared to the first quarter of 2023, the percentage decreased by 1.3 pp.

Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024

Selected industries

Building automation has historically led the surveyed industries in terms of the percentage of ICS computers on which malicious objects were blocked.

Percentage of ICS computers on which malicious objects were blocked in selected industries

In the first quarter of 2024, the percentage of ICS machines that blocked malicious objects decreased across all industries.

Diversity of detected malware

In the first quarter of 2024, Kaspersky’s protection solutions blocked malware from 10,865 different families belonging to various categories on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects in various categories was prevented

Compared to the previous quarter, the largest increase in the first quarter of 2024 in the percentage of ICS computers on which malicious objects of a given category were blocked was seen for AutoCAD malware, which grew by a factor of 1.16.

Main threat sources

The internet, email clients, and removable storage devices remain the primary sources of threats to computers in an organization's operational technology (OT) infrastructure. Note that the source of a blocked threat cannot be reliably identified in every case.

In the first quarter of 2024, the percentage of ICS computers on which threats from various sources were blocked decreased for every major source.

Percentage of ICS computers on which malicious objects from various sources were blocked

Regions

Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 32.4% in Africa to 11.5% in Northern Europe.

Regions ranked by percentage of ICS computers where malicious objects were blocked, Q1 2024

The two regions with the highest percentage of attacked ICS computers, Africa and South-East Asia, saw their percentages increase from the previous quarter.

Malicious activity in numbers

Malicious objects used for initial infection

Malicious objects that are used for initial infection of computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.

By cybercriminals’ logic, these malicious objects can spread easily. As a result, they are blocked by security solutions more often than everything else. This is also reflected in our statistics.

Globally and in almost all regions, denylisted internet resources and malicious scripts and phishing pages occupy first place in the rankings of malware categories by percentage of ICS computers on which this malware is blocked.

The sources of most malicious objects used for initial infection are the internet and email. The leading regions by percentage of ICS computers on which threats from these sources were blocked are the following:

Internet threats

  • Africa – 14.82%;
  • South-East Asia – 14.01%.

Email threats

  • Southern Europe – 6.85%;
  • Latin America – 5.09%.

Denylisted internet resources

The leading regions by percentage of ICS computers on which denylisted internet resources were blocked were:

  • Africa – 8.78%;
  • Russia – 7.49%;
  • South Asia – 7.48%.

Malicious scripts and phishing pages

The leading regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were:

  • Latin America – 7.23%;
  • Southern Europe – 6.96%;
  • Middle East – 6.95%.

Malicious documents

The leading regions by percentage of ICS computers on which malicious documents were blocked were:

  • Southern Europe – 3.24%;
  • Latin America – 2.94%;
  • Eastern Europe – 2.33%.

Next-stage malware

Malicious objects used for initial infection of computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers.

Among the miners designed to run on Windows, some of the most common are those distributed by attackers in the form of NSIS installer files with legitimate software.

Spyware

As a rule, the higher the percentage of ICS computers on which initial infection malware is blocked, the higher the percentage of next-stage malware.

The three leading regions by percentage of ICS computers on which spyware was blocked were as follows:

  • Africa – 6.65%;
  • Middle East – 5.89%;
  • Southern Europe – 5.45%.

Spyware ranks no higher than third place in the threat category rankings by percentage of ICS computers on which it was blocked in almost every region except for:

  • East Asia: in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked, at 3.68%.
  • Central Asia: in this region, in the relevant rankings, spyware sits in second place with 4.40%.

Covert crypto mining programs

Miners in the form of executable files for Windows

The leading regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked were:

  • Central Asia – 1.78%;
  • Russia – 1.38%;
  • Eastern Europe – 1.06%.

Miners in the form of Windows executable files are seventh in the global rankings of threat categories by percentage of ICS computers on which they were blocked.

  • They are fourth in the relevant rankings for Russia.
  • They are in fifth place in Central Asia.

We should note that during Q1 2024, the percentage of ICS computers on which miners in the form of Windows executable files were blocked increased in all regions except for Russia and Central Asia.

Web miners running in browsers

The leading regions by percentage of ICS computers on which browser-based web miners were blocked were:

  • Africa – 0.91%;
  • Middle East – 0.84%;
  • Australia and New Zealand – 0.78%.

In the regional rankings of threat categories by percentage of ICS computers on which they were blocked, web miners ended up in fifth place in the following regions:

  • Australia and New Zealand – 0.78%;
  • US and Canada – 0.45%;
  • Northern Europe – 0.27%.

Globally, this threat ranked eighth.

In Q1 2024, the percentage of ICS computers on which browser-based web miners were blocked increased in all regions except for Russia and Central Asia.

Ransomware

The regions with the highest percentage of ICS computers on which ransomware was blocked were:

  • Middle East – 0.28%;
  • Africa – 0.27%;
  • South Asia – 0.22%.

Self-propagating malware: worms and viruses

Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.

In three regions, the percentage of ICS computers on which threats were blocked when connecting removable media is higher than the percentage of ICS computers on which mail threats were blocked – although it was lower in all others:

  • Africa – 5.6% (leads this ranking);
  • South Asia – 2.46%;
  • Central Asia – 1.51%.

Worms

The leading regions by percentage of ICS computers on which worms were blocked were:

  • Africa – 5.29%;
  • Central Asia – 2.88%;
  • Middle East – 2.40%.

Globally, worms are in sixth place in the threat category ranking by percentage of ICS computers on which they were blocked. In similar regional rankings, worms are in fourth place in four regions:

  • Africa – 5.29%;
  • Central Asia – 2.88%;
  • Middle East – 2.40%;
  • South Asia – 1.95%.

Two of these regions led by percentage of ICS computers on which threats were blocked when connecting removable media:

  • Africa – 5.60%;
  • South Asia – 2.46%.

Viruses

The leading regions by percentage of ICS computers on which viruses were blocked were:

  • Southeast Asia – 7.61%;
  • Africa – 4.09%;
  • East Asia – 2.89%.

In Southeast Asia, viruses are in first place in the threat category rankings by percentage of ICS computers on which they were blocked.

Note that two of the three top regions are also leaders by percentage of ICS computers on which network folder threats were blocked.

  • Southeast Asia – 0.43%;
  • East Asia – 0.32%.

AutoCAD malware

AutoCAD malware can spread in a variety of ways, so it falls into a separate category.

The same regions that lead in the virus rankings are also the leaders by percentage of ICS computers on which AutoCAD malware was blocked:

  • Southeast Asia – 2.81%;
  • East Asia – 1.49%;
  • Africa – 0.61%.

Normally, AutoCAD malware is a minor threat that usually comes last in the malware category rankings by percentage of ICS computers on which it is blocked. In Southeast Asia in Q1 2024, this category was fifth.

The full global and regional reports have been published on the Kaspersky ICS CERT website.

Bayer and 12 other major drug companies caught up in Cencora data loss

The Register - Anti-Virus - 27 May 2024 - 04:59
Plus: US water systems fail at cyber security

Infosec in brief  More than a dozen big pharmaceutical suppliers have begun notifying people that their medical records were stolen when US drug wholesaler Cencora was breached in February.…

Category: Viruses and Worms

Man behind deepfake Biden robocall indicted on felony charges, faces $6M fine

The Register - Anti-Virus - 25 May 2024 - 01:21
FCC wants to hit this political genius with first-of-a-kind punishment

The political consultant who admitted paying $150 to create a deepfake anti-Biden robocall has been indicted on charges of felony voter suppression and misdemeanor impersonation of a candidate.…

Category: Viruses and Worms

Best Buy and Geek Squad were most impersonated orgs by scammers in 2023

The Register - Anti-Virus - 25 May 2024 - 00:23
But criminals posing as Microsoft workers scored the most ill-gotten gains

The Federal Trade Commission (FTC) has shared data on the most impersonated companies in 2023, which include Best Buy, Amazon, and PayPal in the top three.…

Category: Viruses and Worms

Suspected supply chain attack backdoors courtroom recording software

The Register - Anti-Virus - 24 May 2024 - 22:29
An open and shut case, but the perps remain at large – whoever they are

Justice is served… or should that be saved now that audio-visual software deployed in more than 10,000 courtrooms is once again secure after researchers uncovered evidence that it had been backdoored for weeks.…

Category: Viruses and Worms