Kaspersky Securelist

Syndikovat obsah Securelist
Aktualizace: 20 min 29 sek zpět

Indicators of compromise (IOCs): how we collect and use them

2 Prosinec, 2022 - 09:00

It would hardly be an exaggeration to say that the phrase “indicators of compromise” (or IOCs) can be found in every report published on the Securelist. Usually after the phrase there are MD5 hashes[1], IP addresses and other technical data that should help information security specialists to counter a specific threat. But how exactly can indicators of compromise help them in their everyday work? To find the answer we asked three Kaspersky experts: Pierre Delcher, Senior Security Researcher in GReAT, Roman Nazarov, Head of SOC Consulting Services, and Konstantin Sapronov, Head of Global Emergency Response Team, to share their experience.

What is cyber threat intelligence, and how do we use it in GReAT?

We at GReAT are focused on identifying, analyzing and describing upcoming or ongoing, preferably unknown cyberthreats, to provide our customers with detailed reports, technical data feeds, and products. This is what we call cyber threat intelligence. It is a highly demanding activity, which requires time, multidisciplinary skills, efficient technology, innovation and dedication. It also requires a large and representative set of knowledge about cyberattacks, threat actors and associated tools over an extended timeframe. We have been doing so since 2008, benefiting from Kaspersky’s decades of cyberthreat data management, and unrivaled technologies. But why are we offering cyber threat intelligence at all?

The intelligence we provide on cyberthreats is composed of contextual information (such as targeted organization types, threat actor techniques, tactics and procedures – or TTPs – and attribution hints), detailed analysis of malicious tools that are exploited, as well as indicators of compromise and detection techniques. This in effect offers knowledge, enables anticipation, and supports three main global goals in an ever-growing threats landscape:

  • Strategic level: helping organizations decide how many of their resources they should invest in cybersecurity. This is made possible by the contextual information we provide, which in turn makes it possible to anticipate how likely an organization is to be targeted, and what the capabilities are of the adversaries.
  • Operational level: helping organizations decide where to focus their existing cybersecurity efforts and capabilities. No organization in the world can claim to have limitless cybersecurity resources and be able to prevent or stop every kind of threat! Detailed knowledge on threat actors and their tactics makes it possible for a given sector of activity to focus prevention, protection, detection and response capabilities on what is currently being (or will be) targeted.
  • Tactical level: helping organizations decide how relevant threats should be technically detected, sorted, and hunted for, so they can be prevented or stopped in a timely fashion. This is made possible by the descriptions of standardized attack techniques and the detailed indicators of compromise we provide, which are strongly backed by our own widely recognized analysis capabilities.
What are indicators of compromise?

To keep it practical, indicators of compromise (IOCs) are technical data that can be used to reliably identify malicious activities or tools, such as malicious infrastructure (hostnames, domain names, IP addresses), communications (URLs, network communications patterns, etc.) or implants (hashes that designate files, files paths, Windows registry keys, artifacts that are written in memory by malicious processes, etc.). While most of them will in practice be file hashes – designating samples of malicious implants – and domain names – identifying malicious infrastructure, such as command and control (C&C) servers – their nature, format and representation are not limited. Some IOC sharing standards exist, such as STIX.

As mentioned before, IOCs are one result of cyber threat intelligence activities. They are useful at operational and tactical levels to identify malicious items and help associate them with known threats. IOCs are provided to customers in intelligence reports and in technical data feeds (which can be consumed by automatic systems), as well as further integrated in Kaspersky products or services (such as sandbox analysis products, Kaspersky Security Network, endpoint and network detection products, and the Open Threat Intelligence Portal to some extent).

How does GReAT identify IOCs?

As part of the threat-hunting process, which is one facet of cyber threat intelligence activity (see the picture below), GReAT aims at gathering as many IOCs as possible about a given threat or threat actor, so that customers can in turn reliably identify or hunt for them, while benefiting from maximum flexibility, depending on their capabilities and tools. But how are those IOCs identified and gathered? The rule of thumb on threat hunting and malicious artifacts collection is that there is no such thing as a fixed magic recipe: several sources, techniques and practices will be combined, on a case-by-case basis. The more comprehensively those distinct sources are researched, the more thoroughly analysis practices are executed, and the more IOCs will be gathered. Those research activities and practices can only be efficiently orchestrated by knowledgeable analysts, who are backed by extensive data sources and solid technologies.

General overview of GReAT cyber threat intelligence activities

GReAT analysts will leverage the following sources of collection and analysis practices to gather intelligence, including IOCs – while these are the most common, actual practices vary and are only limited by creativity or practical availability:

  • In-house technical data: this includes various detection statistics (often designated as “telemetry”[2]), proprietary files, logs and data collections that have been built across time, as well as the custom systems and tools that make it possible to query them. This is the most precious source of intelligence as it provides unique and reliable data from trusted systems and technologies. By searching for any previously known IOC (e.g., a file hash or an IP address) in such proprietary data, analysts can find associated malicious tactics, behaviors, files and details of communications that directly lead to additional IOCs, or will produce them through analysis. Kaspersky’s private Threat Intelligence Portal (TIP), which is available to customers as a service, offers limited access to such in-house technical data.
  • Open and commercially available data: this includes various services, file data collections that are publicly available, or sold by third parties, such as online file scanning services (e.g., VirusTotal), network system search engines (e.g., Onyphe), passive DNS databases, public sandbox reports, etc. Analysts can search those sources the same way as proprietary data. While some of these data are conveniently available to anyone, information about the collection or execution context, the primary source of information, or data processing details are often not provided. As a result, such sources cannot be trusted by GReAT analysts as much as in-house technical data.
  • Cooperation: by sharing intelligence and developing relationships with trusted partners such as peers, digital service providers, computer security incident response teams (CSIRTs), non-profit organizations, governmental cybersecurity agencies, or even some Kaspersky customers, GReAT analysts can sometimes acquire additional knowledge in return. This vital part of cyber threat intelligence activity enables a global response to cyberthreats, broader knowledge of threat actors, and additional research that would not otherwise be possible.
  • Analysis: this includes automated and human-driven activities that consist of thoroughly dissecting gathered malicious artifacts, such as malicious implants, or memory snapshots, in order to extract additional intelligence from them. Such activities include reverse-engineering or live malicious implant execution in controlled environments. By doing so, analysts will often be able to discover concealed (obfuscated, encrypted) indicators, such as command and control infrastructure for malware, unique development practices from malware authors, or additional malicious tools that are delivered by a threat actor as an additional stage of an attack.
  • Active research: this includes specific threat research operations, tools, or systems (sometimes called “robots”) that are built by analysts with the specific intent to continuously look for live malicious activities, using generic and heuristic approaches. Those operations, tools or systems include, but are not limited to, honeypots[3], sinkholing[4], internet scanning and some specific behavioral detection methods from endpoint and network detection products.
How does GReAT consume IOCs?

Sure, GReAT provides IOCs to customers, or even to the public, as part of its cyber threat intelligence activities. However, before providing them, the IOCs are also a cornerstone of the intelligence collection practices described here. IOCs enable GReAT analysts to pivot from an analyzed malicious implant to additional file detection, from a search in one intelligence source to another. IOCs are thus the common technical interface to all research processes. As an example, one of our active research heuristics might identify previously unknown malware being tentatively executed on a customer system. Looking for the file hash in our telemetry might help identify additional execution attempts, as well as malicious tools that were leveraged by a threat actor, just before the first execution attempt. Reverse engineering of the identified malicious tools might in turn produce additional network IOCs, such as malicious communication patterns or command and control server IP addresses. Looking for the latter in our telemetry will help identify additional files, which in turn will enable further file hash research. IOCs enable a continuous research cycle to spin, but it only begins at GReAT; by providing IOCs as part of an intelligence service, GReAT expects the cycle to keep spinning at the customer’s side.

Apart from their direct use as research tokens, IOCs are also carefully categorized, attached to malicious campaigns or threat actors, and utilized by GReAT when leveraging internal tools. This IOC management process allows for two major and closely related follow-up activities:

  • Threat tracking: by associating known IOCs (as well as advanced detection signatures and techniques) to malicious campaigns or threat actors, GReAT analysts can automatically monitor and sort detected malicious activities. This simplifies any subsequent threat hunting or investigation, by providing a research baseline of existing associated IOCs for most new detections.
  • Threat attribution: by comparing newly found or extracted IOCs to utilized IOCs, GReAT analysts can quickly establish links from unknown activities to define malicious campaigns or threat actors. While a common IOC between a known campaign and newly detected activity is never enough to draw any attribution conclusion, it’s always a helpful lead to follow.
IOC usage scenarios in SOCs

From our perspective, every security operation center (SOC) uses known indicators of compromise in its operations, one way or another. But before we talk about IOC usage scenarios, let’s go with the simple idea that an IOC is a sign of a known attack.

At Kaspersky, we advise and design SOC operations for different industries and in different formats, but IOC usage and management are always part of the SOC framework we suggest our customers implement. Let’s highlight some usage scenarios of IOCs in an SOC.

Prevention

In general, today’s SOC best practices tell us to defend against attacks by blocking potential threats at the earliest possible stage. If we know the exact indicators of an attack, then we can block it, and it is better to do so on multiple levels (both network and endpoint) of our protected environment. In other words, the concept of defense in depth. Blocking any attempts to connect to a malicious IP, resolve a C2 FQDN, or run malware with a known hash should prevent an attack, or at least not give the attacker an easy target. It also saves time for SOC analysts and reduces the noise of SOC false positive alerts. Unfortunately, an excellent level of IOC confidence is vital for the prevention usage scenario; otherwise, a huge number of false positive blocking rules will affect the business functions of the protected environment.

Detection

The most popular scenario for IOC usage in an SOC – the automatic matching of our infrastructure telemetry with a huge collection of all possible IOCs. And the most common place to do it is SIEM. This scenario is popular for a number of reasons:

  • SIEM records multiple types of logs, meaning we can match the same IOC with multiple log types, e.g., domain name with DNS requests, those received from corporate DNS servers, and requested URLs obtained from the proxy.
  • Matching in SIEM helps us to provide extended context for analyzed events: in the alert’s additional information an analyst can see why the IOC-based alert was triggered, the type of threat, confidence level, etc.
  • Having all the data on one platform can reduce the workload for the SOC team to maintain infrastructure and prevent the need to organize additional event routing, as described in the following case.

Another popular solution for matching is the Threat Intelligence Platform (TIP). It usually supports better matching scenarios (such as the usage of wildcards) and assumes reducing some of the performance impact generated by correlation in SIEM. Another huge advantage of TIP is that this type of solution was initially designed to work with IOCs, to support their data schema and manage them, with more flexibility and features to set up detection logic based on an IOC.

When it comes to detection we usually have a lower requirement for IOC confidence because, although unwanted, false positives during detection are a common occurrence.

Investigation

Another routine where we work with IOCs is in the investigation phase of any incident. In this case, we are usually limited to a specific subset of IOCs – those that were revealed within the particular incident. These IOCs are needed to identify additional affected targets in our environment to define the real scope of the incident. Basically, the SOC team has a loop of IOC re-usage:

  1. Identify incident-related IOC
  2. Search for IOC on additional hosts
  3. Identify additional IOC on revealed targets, repeat step 2.
Containment, Eradication and Recovery

The next steps of incident handling also apply IOCs. In these stages the SOC team focuses on IOCs obtained from the incident, and uses them in the following way:

  • Containment – limit attacker abilities to act by blocking identified IOCs
  • Eradication and Recovery – control the lack of IOC-related behavior to verify that the eradication and recovery phases were completed successfully and the attacker’s presence in the environment was fully eliminated.
Threat Hunting

By threat hunting we imply activity aimed at revealing threats, namely those that have bypassed SOC prevention and detection capabilities. Or, in other words, Assume Breach Paradigm, which intends that despite all the prevention and detection capabilities, it’s possible that we have missed a successful attack and have to analyze our infrastructure as though it is compromised and find traces of the breach.

This brings us to IOC-based threat hunting. The SOC team analyzes information related to the attack and evaluates if the threat is applicable to the protected environment. If yes, the hunter tries to find an IOC in past events (such as DNS queries, IP connection attempts, and processes execution), or in the infrastructure itself – the presence of a specific file in the system, a specific value of registry key, etc. The typical solutions supporting the SOC team with such activity are SIEM, EDR and TIP. For this type of scenario, the most suitable IOCs are those extracted from APT reports, or received by your TI peers.

In IOC usage scenarios we have touched on different types of IOCs multiple times. Let’s summarize this information by breaking down IOC types according to their origin:

  • Provider feeds – subscription for IOC provided by security vendors in the form of a feed. Usually contains a huge number of IOCs observed in different attacks. The level of confidence varies from vendor to vendor, and the SOC team should consider vendor specialization and geo profile to utilize actual IOCs. Usage feeds for prevention and threat hunting are questionable due to the potentially high level of false positives.
  • Incident IOCs – IOC generated by the SOC team during analysis of security incidents. Usually, the most trusted type of IOC.
  • Threat intelligence IOCs – a huge family of IOCs generated by the TI team. The quality depends directly on the level of expertise of your TI Analysts. The usage of TI IOCs for prevention depends heavily on the TI data quality and can trigger too many false positives, and therefore impact business operation.
  • Peer IOCs – IOCs provided by peer organizations, government entities, and professional communities. Can usually be considered as a subset of TI IOCs or incident IOCs, depending on the nature of your peers.

If we summarize the reviewed scenarios, IOC origin, and their applicability, then map this information to NIST Incident Handling stages[5], we can create the following table.

IOC scenario usage in SOC

All these scenarios have different requirements for the quality of IOCs. Usually, in our SOC we don’t have too many issues with Incident IOCs, but for the rest we must track quality and manage it in some way. For better quality management, the provided metrics should be aggregated for every IOC origin to evaluate IOC source, not the dedicated IOCs. Some basic metrics, identified by our SOC Consultancy team, that can be implemented to measure IOC quality are:

  • Conversion to incident – which proportion of IOCs has triggered a real incident. Applied for detection scenarios
  • FP rate – false positive rate generated by IOC. Works for detection and prevention
  • Uniqueness – applied for IOC source and tells the SOC team how unique the set of provided IOCs is compared to other providers
  • Aging – whether an IOC source provides up-to-date IOCs or not
  • Amount – number of provided IOCs by source
  • Context information – usability and fullness of context provided with IOCs

To collect these metrics, the SOC team should carefully track every IOC origin, usage scenario and the result of use.

How does the GERT team use IOCs in its work?

In GERT we specialize in the investigation of incidents and the main sources of information in our work are digital artifacts. By analyzing them, experts discover data that identifies activity directly related to the incident under investigation. Thus, the indicators of compromise allow experts to establish a link between the investigated object and the incident.

Throughout the entire cycle of responding to information security incidents, we use different IOCs at different stages. As a rule, when an incident occurs and a victim is contacted, we receive indicators of compromise that can serve to confirm the incident, attribute the incident to an attacker and make decisions on the initial response steps. For example, if we consider one of the most common incidents involving ransomware, then the initial artifact is the files. The IOC indicators in this case will be the file names or their extensions, as well as the hash of the sum of the files. Such initial indicators make it possible to determine the type of cryptographer, to point to a group of attackers and their characteristic techniques, tactics and procedures. They also make it possible to define recommendations for an initial response.

The next set of IOCs that we can get are indicators from the data collected by triage. As a rule, these indicators show the attackers’ progress through the network and allow additional systems involved in the incident to be identified. Mostly, these are the names of compromised users, hash sums of malicious files, IP addresses and URL links. Here it is necessary to note the difficulties that arise. Attackers often use legitimate software that is already installed on the targeted systems (LOLBins). In this case, it is more difficult to distinguish malicious launches of such software from legitimate launches. For example, the mere fact that the PowerShell interpreter is running cannot be considered without context and payload. In such cases it is necessary to use other indicators such as timestamps, user name, correlation of events.

Ultimately, all identified IOCs are used to identify compromised network resources and to block the actions of attackers. In addition, attack indicators are built on the basis of compromise indicators, which are used for preventive detection of attackers. In the final stage of the response, the indicators that are found are used to verify there are no more traces of the attackers’ presence in the network.

The result of each completed case with an investigation is a report that collects all the indicators of compromise and indicators of attack based on them. Monitoring teams should add these indicators to their monitoring systems and use them to proactively detect threats.

 
[1] A “hash” is a relatively short, fixed-length, sufficiently unique and non-reversible representation of arbitrary data, which is the result of a “hashing algorithm” (a mathematical function, such as MD5 or SHA-256). Contents of two identical files that are processed by the same algorithm result in the same hash. However, processing two files which only differ slightly will result in two completely different hashes. As a hash is a short representation, it is more convenient to designate (or look for) a given file using its hash than using its whole content.
[2] Telemetry designates the detection statistics and malicious files that are sent from detection products to the Kaspersky Security Network when customers agree to participate.
[3] Vulnerable, weak, and/or attractive systems that are deliberately exposed to Internet and continuously monitored in a controlled fashion, with the expectation that they will be attacked by threat actors. When such happens, monitoring practices enable detecting new threats, exploitation methods or tools from attackers.
[4] Hijacking of known malicious command and control servers, with cooperation from Internet hosters or leveraging threat actors errors and infrastructure desertion, in order to neutralize their malicious behaviors, monitor malicious communications, as well as identify and notify targets.
[5] NIST. Computer Security Incident Handling Guide. Special Publication 800-61 Revision 2

Kaspersky Security Bulletin 2022. Statistics

1 Prosinec, 2022 - 12:00

All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who had given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2021 to October 2022, inclusive.

Figures of the year
  • During the year, 15.37% of internet user computers worldwide experienced at least one Malware-class attack.
  • Kaspersky solutions blocked 505,879,385 attacks launched from online resources across the globe.
  • 101,612,333 unique malicious URLs triggered Web Anti-Virus components.
  • Our Web Anti-Virus blocked 109,183,489 unique malicious objects.
  • Ransomware attacks were defeated on the computers of 271,215 unique users.
  • During the reporting period, miners attacked 1,392,398 unique users.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 376,742 users.

Fill the form below to download the Kaspersky Security Bulletin 2022. Statistics full report (English, PDF)

MktoForms2.loadForm("//app-sj06.marketo.com", "802-IJN-240", 24273, function(form) { form.onSuccess(function(values, followUpUrl){ //Take the lead to a different page on successful submit, ignoring the forms configured followUpUrl. location.href = "https://go.kaspersky.com/rs/802-IJN-240/images/KSB_statistics_2022_en_final.pdf"; //return false to prevent the submission handler continuing with its own processing return false; }); }); .googleRecaptcha { padding: 20px !important; } var GOOGLE_RECAPTCHA_SITE_KEY = '6Lf2eUQUAAAAAC-GQSZ6R2pjePmmD6oA6F_3AV7j'; var insertGoogleRecaptcha = function (form) { var formElem = form.getFormElem().get(0); if (formElem && window.grecaptcha) { var div = window.document.createElement('div'); var divId = 'g-recaptcha-' + form.getId(); var buttonRow = formElem.querySelector('.mktoButtonRow'); var button = buttonRow ? buttonRow.querySelector('.mktoButton[type="submit"]') : null; var submitHandler = function (e) { var recaptchaResponse = window.grecaptcha && window.grecaptcha.getResponse(widgetId); e.preventDefault(); if (form.validate()) { if (!recaptchaResponse) { div.setAttribute('data-error', 'true'); } else { div.setAttribute('data-error', 'false'); form.addHiddenFields({ reCAPTCHAFormResponse: recaptchaResponse, }); form.submit(); } } }; div.id = divId; div.classList.add('googleRecaptcha'); if (button) { button.addEventListener('click', submitHandler); } if (buttonRow) { formElem.insertBefore(div, buttonRow); } if (window.grecaptcha.render) { var widgetId = window.grecaptcha.render(divId, { sitekey: GOOGLE_RECAPTCHA_SITE_KEY, }); formElem.style.display = ''; } } }; function onloadApiCallback() { var forms = MktoForms2.allForms(); for (var i = 0; i < forms.length; i++) { insertGoogleRecaptcha(forms[i]); } } (function () { MktoForms2.whenReady(function (form) { form.getFormElem().get(0).style.display = 'none'; jQuery.getScript('//www.google.com/recaptcha/api.js?onload=onloadApiCallback'); }); })();

Privacy predictions 2023

28 Listopad, 2022 - 09:00

Our last edition of privacy predictions focused on a few important trends where business and government interests intersect, with regulators becoming more active in a wide array of privacy issues. Indeed, we saw regulatory activity around the globe. In the US, for example, the FTC has requested public comments on the “prevalence of commercial surveillance and data security practices that harm consumers” to inform future legislation. In the EU, lawmakers are working on the Data Act, meant to further protect sensitive data, as well as a comprehensive AI legal strategy that might put a curb on a range of invasive machine-learning technologies and require greater accountability and transparency.

On the other hand, we saw the repeal of Roe vs Wade and the subsequent controversy surrounding female reproductive health data in the US as well as investigations into companies selling fine-grained commercial data and facial recognition services to law enforcement. This showed how consumer data collection can directly impact the relationships between citizens and governments.

We think the geopolitical and economic events of 2022, as well as new technological trends, will be the major factors influencing the privacy landscape in 2023. Here we take a look at the most important developments that, in our opinion, will affect online privacy in 2023.

  1. Internet balkanization will lead to more diverse (and localized) behavior tracking market and checks on cross-border data transfer.

    As we know, most web pages are crawling with invisible trackers, collecting behavioral data that is further aggregated and used primarily for targeted advertising. While there are many different companies in the business of behavioral ads, Meta, Amazon, and Google are the unquestionable leaders. However, these are all US companies, and in many regions, authorities are becoming increasingly wary of sharing data with foreign companies. This may be due to an incompatibility of legal frameworks: for example, in July 2022, European authorities issued multiple rulings stating use of Google Analytics may be in violation of GDPR.

    Moreover, the use of commercial data by law enforcement (and potentially intelligence bodies) makes governments suspicious of foreign data-driven enterprises. Some countries, such as Turkey, already have strict data localization legislation.

    These factors will probably lead to a more diverse and fragmented data market, with the emergence and re-emergence of local web tracking and mobile app tracking companies, especially on government and educational websites. While some countries, such as France, Russia, or South Korea, already have a developed web tracking ecosystem with strong players, more countries may follow suit and show a preference for local players.

    This might have various implications for privacy. While big tech companies may spend more on security than smaller players, even they have their share of data breaches. A smaller entity might be less interesting for hackers, but also faces less scrutiny from regulatory bodies.

  2. Smartphones will replace more paper documents.

    Using smartphones or other smart devices to pay via NFC (e.g., Apple Pay, Samsung Pay) or QR code (e.g., Swish in Sweden, SBPay in Russia or WeChat in China) is rapidly growing and will probably render the classic plastic debit and credit card obsolete, especially where cashless payments already dominate. COVID-19, however, showed that smartphones can also be used as proof of vaccination or current COVID-negative health status, as many countries used dedicated apps or QR codes, for example, to provide access to public facilities for vaccinated citizens.

    Why stop there? Smartphones can also be used as IDs. A digitized version of an ID card, passport or driver license can be used instead of the old-fashioned plastic and paper. In fact, several US states are already using or plan to use digital IDs and driver licenses stored in Apple Wallet.

    Having your ID stored on a phone brings both convenience as well as risks. On the one hand, a properly implemented system would, for example, allow you to verify at a store that you are of legal age to buy alcohol without brandishing the whole document with other details like name or street address to the cashier. Also digitized IDs can significantly speed up KYC procedures, for example, to apply for a loan online from a smartphone.

    On the other hand, using a smartphone to store an increasing amount of personal data creates a single point of failure, raising serious security concerns. This places serious demands on security of mobile devices and privacy-preserving ways of storing the data.

  3. Companies will fight the human factor in cybersecurity to curb insider threat and social engineering to protect user data.

    As companies deploy increasingly comprehensive cybersecurity measures moving from endpoint protection to XDR (eXtended Detection & Response) and even proactive threat hunting, people remain the weakest link. According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches. Also, a lot of damage can be done by a disgruntled employee or a person who joined the company for nefarious purposes. The FBI has even warned recently that deep fakes can be used by those seeking remote jobs to confuse the employer, probably with the goal of gaining access to internal IT systems.

    We expect less data leaks caused by misconfiguration of S3 buckets or Elasticsearch instances, and more breaches caused by exploiting the human factor. To mitigate these threats, companies might invest in data leak prevention solutions as well as more thorough user education to raise cybersecurity awareness.

  4. We will hear more concerns about metaverse privacy – but with smartphones and IoT, aren’t we already in a metaverse?

    While skeptics and enthusiasts keep fighting over whether a metaverse is a gamechanger or just a fad, tech companies and content creators continue to polish the technology. Meta has recently announced Meta Quest Pro, and an Apple headset is rumored to appear in 2023. Some, however, raise concerns over metaverse privacy. While smartphones with their multiple sensors from accelerometers to cameras can feel quite intrusive, a VR headset is in a league of its own. For example, one of the latest VR headsets features four front-facing cameras, three cameras on each controller and several cameras to track eyes and facial expressions. This means that in a nightmare scenario such devices would not only have a very deep insight into your activity in the metaverse services provided by the platform, they may be very effective, for example, in reading your emotional reaction to ads and making inferences about you from the interior of your home — from what colors you like to how many pets and children you have.

    While this sounds scary (which is why Meta addresses these concerns in a separate blog post), the fears might actually be exaggerated. The amount of data we generate just by using cashless payments and carrying a mobile phone around during the day is enough to make the most sensitive inferences. Smart home devices, smart cities with ubiquitous video surveillance, cars equipped with multiple cameras and further adoption of IoT, as well as continuous digitalization of services will make personal privacy, at least in cities, a thing of the past. So, while a metaverse promises to bring offline experiences to the online world, the online world is already taking hold of the physical realm.

  5. Desperate to stop data leaks, people will insure against them.

    Privacy experts are eagerly giving advice on how to secure your accounts and minimize your digital footprint. However, living a convenient modern life comes with a cost to privacy, whether you like it or not: for example, ordering food deliveries or using a ride-hailing service will generate, at the very least, sensitive geodata. And as the data leaves your device, you have little control over it, and it is up to the company to store it securely. However, we see that due to misconfigurations, hacker attacks and malicious insiders, data might leak and appear for sale on the dark web or even on the open web for everyone to see.

    Companies take measures to protect the data, as breaches cause reputation damage, regulatory scrutiny and, depending on local legislation, heavy fines. In countries like the US, people use class action lawsuits to receive compensation for damages. However, privacy awareness is growing, and people might start to take preventive measures. One way to do that might be to insure yourself against data breaches. While there are already services that recoup losses in case of identity theft, we could expect a larger range of insurance offers in the future.

We have looked at several factors that, in our opinion, will most prominently affect the way data flows, and possibly leaks, between countries, businesses and individuals. As the digital world continues to permeate the physical realm, we expect even more interesting developments in the future.

Consumer cyberthreats: predictions for 2023

28 Listopad, 2022 - 09:00

The consumer threat landscape constantly changes. Although the main types of threats (phishing, scams, malware, etc.) remain the same, lures that fraudsters use vary greatly depending on the time of year, current major events, news, etc. This year, we have seen spikes in cybercriminal activity aimed at users amid the shopping and back-to-school season, big pop culture events, such as Grammy and Oscar, movie premieres, new smartphone announcements, game releases, etc. The list can go on, as cybercriminals are quick to adapt to new social, political, economic, and cultural trends, coming up with new fraudulent schemes to benefit from the situation.

Below, we present a number of key ideas about what the consumer-oriented threat landscape will look like in 2023, and describe how users could be lured into cybertraps with fake content and third-party apps.

Games and streaming services

Users will face more gaming subscription fraud. Sony’s PlayStation Plus is starting to compete with Microsoft’s subscription service, GamePass, and offers to play subscription games not only on consoles, but also on the PC, to increase the market share. The larger the subscription base, the greater the number of fraudulent key-selling schemes and attempts at stealing accounts. These schemes can be very similar to the streaming scams that we have been observing for the past several years.

Gaming console shortage to be exploited. The shortage of consoles, relieved slightly in 2022, could start to increase again already in 2023, spurred by the release of the PS VR 2 by Sony. The headset, which requires a PS5 to function, will be a convincing reason for many to buy the console. A further factor is expected to be the release of “pro” console versions, rumors about which began to circulate in the middle of 2022, and which may trigger more demand than can be satisfied. Fake presale offers, generous “giveaways” and “discounts”, as well as online store clones that sell hard-to-find consoles—we expect all these types of fraud to exploit the console shortage.

In-game virtual currencies will be in demand among cybercriminals. Most modern games have introduced monetization: the sale of in-game items and boosters, as well as the use of in-game currencies. Games that include these features are cybercriminals’ primary targets as they process money directly. In-game items and money are some of the prime goals for attackers stealing players’ accounts. This summer for instance, cyberthieves stole 2 million dollars’ worth of items from an account that they hacked. To get a hold of in-game valuables, scammers may also trick their victims into a fraudulent in-game deal. In the coming year, we expect new schemes relating to resale or theft of virtual currencies and items to emerge.

Cybercriminals will capitalize on long-awaited titles. This year, we have already seen an attacker claim to leak several dozen gameplay videos from GTA 6. Chances are that in 2023, we will see more attacks relating to games slated for release in that year: Diablo IV, Alan Wake 2, and Stalker 2. Besides possible leaks, we expect to see the increase in scams that target these games, as well as in Trojans disguised as those games.

Streaming will remain cybercriminals’ bottomless source of income. Every year, streaming services produce more and more exclusive content that gets released on select platforms. A growing number of TV shows are becoming not just a source of entertainment, but a cultural phenomenon that influences fashion and trends in general. 2023 promises a wealth of new releases. We expect cybercriminals to use these anticipated titles along with streaming service names when distributing Trojans, creating phishing pages and implementing scams.

The talked-about movies and shows that could be exploited by cybercriminals include the new seasons of Euphoria and The Mandalorian; the long-awaited show starring Lily Rose Depp and The Weeknd, “The Idol”; the Barbie movie; and the post-apocalyptic drama series based on the video game “The Last of Us”. The list of potential bait films to be exploited can go on and on, since fraudsters are quick to adapt to consumer tastes. If they see that users are looking for the latest episode of a popular show, they will simply find their way to benefit from that interest.

Social media and the metaverse

New social media will bring more privacy risks. We would like to believe that the near future will see a new revolutionary phenomenon in the world of social networks. Perhaps this will happen already in VR, but rather in AR. As soon as a new trendy app appears, so do risks for its users. Cybercriminals can start distributing fake trojanized applications to infect victims’ phones for further malicious purposes. Further dangers are associated with data and money theft, as well as phishing pages aimed at hijacking accounts in the new social media. Privacy most probably will be a major concern, too, as many startups neglect to configure their applications in accordance with privacy protection best practices. This attitude may lead to a high risk of personal data compromise and cyberbullying in the new social media, however trendy and convenient it may be.

Exploitation of the metaverse. Right now, we are only taking the first steps toward complete immersion in virtual reality, already using metaverses for entertainment while testing industrial and business applications of this new technology. Although so far, there are only a few metaverse platforms, they already have revealed risks that future users will face. As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification.

Virtual abuse and sexual assault will spill over into metaverses. We have already seen cases of avatar rape and abuse, despite efforts to build a protection mechanism into metaverses. As there are no specific regulation or moderation rules, this scary trend is likely to follow us into 2023.

New source of sensitive personal data for cybercriminals

Data from mental health apps will be used in accurately targeted social engineering attacks. Taking care of your mental health is no longer just some kind of whim or trend, but an absolutely necessary activity. And if, at some point, we are accustomed to the fact that the Internet knows almost everything about us, we are yet to realize that now our virtual portrait can be enriched with sensitive data about our mental state. As usage of mental health apps increases, the risk of this sensitive data being accidentally leaked or obtained by a third party through a hacked account will also grow. Armed with details on the victim’s mental state, the attacker is likely to launch an extremely precise social engineering attack. Now, imagine that the target is a key employee of a company. We are likely to see stories of targeted attacks involving data on the mental health of corporate executives. And, if you add here data, such as facial expressions and eye movement, that sensors in VR headsets collect, the leakage of that data may prove disastrous.

Education platforms and the learning process

Online education platforms will attract more cybercrime. In the post-pandemic times, online education has proven to be no less efficient than offline classes, we expect investment in online education platforms and learning management systems (LMS) to increase significantly. The trend is not new, but the relevance of concomitant threats will grow along with the growth in digitalization: trojanized files and phishing pages mimicking online educational platforms and videoconferencing services, as well as LMS credential theft are all set to grow in 2023.

A greater number of innovative technologies embedded in the learning process. These can be the use of virtual and augmented reality, voice interfaces, process automation (including robotization of communication), machine analysis of user actions, and AI-assisted testing and grading.

Gamification of education. In 2023, we will see greater use of gamification technologies in online learning to achieve functional goals: user acquisition and engagement, holding attention, personalized learning, inclusivity, and reducing resistance to learning. This will expose students to additional risks, the like of which have plagued the gaming industry, among them trolls, phishing, and bullying, on platforms built for communication, competition, and teamwork.

Who tracked internet users in 2021–2022

25 Listopad, 2022 - 09:00

Every time you go online, someone is watching over you. The services you use, the websites you visit, the apps on your phone, smart TVs, gaming consoles, and any networked devices collect data on you with the help of trackers installed on web pages or in software. The websites and services send this data to their manufacturers and partners whose trackers they use. Companies are looking for all kinds of information on you: from device specifications to the way you are using a service, and the pages you are opening. Data thus collected primarily helps companies, firstly, to understand their customers better and improve the products by analyzing the user experience, and, secondly, to predict user needs and possibly even manipulate them. Besides, the more an organization knows about you, the better it can personalize ads that it shows you. These ads command higher rates than random ones and therefore generate higher profits.

Understanding who is collecting the data and why requires you to have free time and to know where to look. Most services have published privacy policies, which should ideally explain in detail what data the service collects and why. Sadly, these policies are seldom transparent enough. Worried about this lack of transparency, users and privacy watchdogs put pressure on technology companies. Certain tech giants recently started adding tools to their ecosystems that are meant to improve the data collection transparency. For example, upon the first run of an app downloaded from the App Store, Apple inquires if the user is willing to allow that app to track their activity. However, not every service provides this kind of warnings. You will not see a prompt like that when visiting a website, even if you are doing it on an Apple device.

Browser privacy settings and special extensions that recognize tracking requests from websites and block these can protect you from tracking as you surf the web. That is how our Do Not Track (DNT) extension works. Furthermore, with the user’s consent, DNT collects anonymized data on what tracking requests are being blocked and how frequently. This report will look at companies that collect, analyze, store user data, and share it with partners, as reported by DNT.

Statistics collection principles

This report uses anonymous statistics collected between August 2021 and August 2022 by the Do Not Track component, which blocks loading of web trackers. The statistics consist of anonymized data provided by users voluntarily. We have compiled a list of 25 tracking services that DNT detected most frequently across nine regions and certain individual countries. 100% in each case represents the total number of DNT detections triggered by all 25 tracking services.

DNT (disabled by default) is part of Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Security Cloud.

Global web tracking giants

Six tracking services made the TOP 25 rankings in each of the regions at hand. Four of them are owned by Google: Google Analytics, Google AdSense, Google Marketing Platform, and YouTube Analytics. The remaining two are owned by Meta and Criteo, which we will cover later.

Google

Our last report, published in 2019, took a close look at Google’s trackers: DoubleClick, Google AdSense, Google Analytics, and YouTube Analytics. This was right around the time when the search giant announced plans to rebrand the DoubleClick advertising platform and merge it with its advertising ecosystem. Today, DoubleClick is part of Google Marketing Platform, although the tracking URLs have not changed and continue to function as before. For convenience, our statistics will refer to that tracking service as “Google Marketing Platform (ex-DoubleClick)”.

Share of DNT detections triggered by Google Marketing Platform (ex-DoubleClick) trackers in each region, August 2021 — August 2022 (download)

Google Marketing Platform (ex-DoubleClick) had its largest shares in our TOP 25 rankings for South Asia (32.92%) and the Middle East (32.84%). These were followed by its shares in Africa and Latin America: 25.37% and 24.64%, respectively. The lowest share (just 7.05%) of Google Marketing Platform (ex-DoubleClick) DNT detections in our regional TOP 25 rankings of the busiest tracking services were observed in the CIS.

A further tracking service operated by Google, Google Analytics, collects data on website visitors and provides detailed statistics to clients. That service, too, accounts for a fairly large share of DNT detections across the world.

Share of DNT detections triggered by Google Analytics trackers in each region, August 2021 — August 2022 (download)

A look at the share of Google Analytics in various regions will reveal a similar pattern to the Google Marketing Platform (ex-DoubleClick). Google Analytics received its largest shares of detections in South Asia (18.04%), Latin America (17.97%), Africa (16.56%) and the Middle East (16.44%). Its smallest share was in the CIS: 9.06%.

Share of DNT detections triggered by Google AdSense trackers in each region, August 2021 — August 2022 (download)

Another tracking system operated by Google is Google AdSense context ad service. This, again, had its highest percentages in the Middle East (5.27%), Africa (4.63%), Latin America (4.44%), and South Asia (4.44%). Here, too, the CIS ranked last with just 1.45% of detections triggered by the service.

Rounding out the list of Google’s tracking services is YouTube Analytics. It provides YouTube bloggers with data on their audiences that its trackers collect and analyze.

Share of DNT detections triggered by YouTube Analytics trackers in each region, August 2021 — August 2022 (download)

The Middle East (8.04%), South Asia (7.79%), Africa (5.97%), and Latin America (5.02%) again accounted for the highest shares of detections. At the bottom of the region list this time around is North America (1.82%), rather than the CIS (2.54%). The low percentage is no indication of YouTube’s insignificant presence in the region. The small share of YouTube Analytics in the region was likely due to fierce competition among services that collect and analyze data. We will revisit this later.

Meta (Facebook)

Facebook Custom Audiences by Meta, which provides targeted advertising services, was present in each of the regions along with Google’s tracking services. Services like that collect various types of user data, analyze these, and segment the audience to ensure better ad targeting. An advertiser who uses a targeting service wins by having their products shown to the people who are the likeliest to be interested. Compared to smaller advertising providers, Facebook Custom Audiences covers a significantly larger audience. Our data shows, however, that Meta was second to Google in terms of presence in all regions of the world.

Share of DNT detections triggered by Facebook Custom Audiences trackers in each region, August 2021 — August 2022 (download)

Facebook Custom Audiences had its largest shares in Latin America (8.76%) and Oceania (7.95%), and its smallest, in the CIS (2.12%). As mentioned above, the modest shares occupied by the global trackers could be linked to serious competition from local data collection and analysis services.

Criteo

The last on the list of tracking services detected in every corner of the world was Criteo. Though a less familiar name than Google or Facebook, Criteo actually is a major French advertising company providing a range of services from collection and analysis of user data to advertising itself.

Share of DNT detections triggered by Criteo trackers in each region, August 2021 —August 2022 (download)

Criteo trackers were most frequently detected in Europe (7.07%), East Asia (6.09%), and Latin America (5.24%), and least frequently, in South Asia (just 1.59%).

Regional landscape

In addition to the tracking services detected everywhere in the world, there were players of comparable size that did appear in most, but not all, TOP 25 rankings and local giants that dominated individual regions or countries. We will cover these below.

Europe

The aforementioned global tracking services held the top three places in Europe: Google Marketing Platform (ex-DoubleClick) (21.39%), Google Analytics (15.23%), and Criteo (7.07%). Facebook Custom Audiences was fifth, with 5.29%, Google AdSense was seventh, with 3.59%, and YouTube Analytics eleventh, with 2.97%. Trackers owned by five other major companies occupied the fourth, sixth, eighth, ninth, and tenth positions in our rankings.

TOP 25 tracking services in Europe, August 2021 — August 2022 (download)

Amazon Technologies, which accounted for 6.31% of total detections associated with prevalent trackers in Europe, stands for trackers operated by Amazon Advertising, an Amazon subsidiary that collects and analyzes user data to help their clients to connect with consumers, in addition to placing ads in all Amazon services. This is essentially a classic advertising giant similar to Google Marketing Platform and Criteo. Amazon trackers will come up more than once in other regional TOP 25 rankings.

Index Exchange, the Canadian-based global advertising marketplace with a 4.12% percent share in Europe, is another such giant.

Bing Ads, with a share of 3.45%, was another tracking service popular in the region. It provides search query analysis and displays ads in the Bing search engine. It was followed by Adloox (3.21%), which we covered in the previous review, and Improve Digital (3.17%), a Dutch advertising platform.

Facebook was the fifteenth most popular tracking service in the region, with 1.96%. This is another Meta service, which tracks Facebook account activity, such as logins and interaction with plugins and Like buttons on other websites. The service features in the TOP 25 almost in every region, with the exception of North America, Russia and Iran.

Certain tracking services, such as Meetrics (DoubleVerify), with a share of 1.28%, and Virtual Minds, with a share of 1.39%, feature in the European TOP 25 only. This is hardly surprising, as both companies are headquartered in Germany.

Africa

The familiar advertising giants occupied the top four positions in Africa. Google Marketing Platform (ex-DoubleClick) had a huge share of 25.37%. Google Analytics was second, with 16.56%. YouTube Analytics and Facebook Custom Audiences were detected in 5.97% and 5.90% of total cases, respectively.

TOP 25 tracking services in Africa, August 2021 — August 2022 (download)

The fifth place was taken by Yahoo Web Analytics, with a share of 4.86%. This is a service that collects and analyzes data on Yahoo users. The presence of Yahoo Web Analytics in a regional TOP 25 is an indication that Yahoo services are popular in that region.

It is worth noting that the African TOP 25 included none of the tracking services popular in that region exclusively.

The Middle East

The six global tracking services occupied the top six positions in the Middle East. Google Marketing Platform (ex-DoubleClick) accounted for almost one-third (32.84%) of the total detections of the region’s most popular tracking services. Google Analytics trackers were detected in 16.44% of cases; YouTube Analytics trackers, in 8.04%; аnd Google AdSense trackers, in 5.27%. Google is evidently the biggest collector of user data in the Middle East.

TOP 25 tracking services in the Middle East, August 2021 — August 2022 (download)

There is a certain country in the region whose TOP 25 statistics we would like to consider separately because of a unique advertising market and hence, an online tracking landscape different from the rest of the Middle East.

Iran

Iran is the only country on our list where Google Analytics accounted for 50.72% of the total detections associated with the 25 leading tracking services. Google Marketing Platform (ex-DoubleClick) accounted for 11.76%.

TOP 25 tracking services in Iran, August 2021 — August 2022 (download)

Iran also has local tracking services that internet users there encounter fairly often. For instance, the advertising agency SabaVision, with a share of 4.62%, was third in the rankings and the advertising platform Yektan was fifth, with 3.90%.

Latin America

The tracking landscape in Latin America was not drastically different from the rest of the world. Again, Google, Facebook, and Criteo occupied the leading positions. They were followed by Yahoo Web Analytics (3.48%), trackers operated by the US analytics company Chartbeat (3.00%), Twitter (2.65%), and Amazon Technologies (2.62%).

TOP 25 tracking services in Latin America, August 2021 — August 2022 (download)

North America

The share of Google’s global tracking services was comparatively small in North America, as the charts in the first part of this report show. Google Marketing Platform (ex-DoubleClick) accounted for 18.22% of total detections in August 2021 — August 2022, which was the second smallest figure in terms of its regional shares. The North American share of YouTube Analytics trackers was their smallest altogether. This was due to the heavy presence of trackers operated by other companies: Amazon Technologies (6.90%), Yahoo Web Analytics (5.67%), and Adloox (5.57%). These companies created a more competitive environment, which resulted in the share of each tracking service in the total DNT detections being smaller.

TOP 25 tracking services in North America, August 2021 — August 2022 (download)

In addition to other regions’ leaders, the North American TOP 25 featured a few that only made the local rankings. Examples included the Canadian advertising ecosystem Sharethrough with a share of 1.99% and the American advertising company The Trade Desk, which accounted for 1.65% of the detections.

Oceania

Every well-known global web tracking service was represented in Oceania. Interestingly enough, Oceania and North America were the only two regions where trackers by Tremor Video, a company that specializes in video advertising, made their way into the TOP 25, with the shares of 1.15% and 2.54%, respectively.

TOP 25 tracking services in Oceania, August 2021 — August 2022 (download)

The CIS

The CIS (Commonwealth of Independent States) is a fairly interesting region that has a variety of local tracking services. It comprises diverse countries, each with its distinctive internet regulations and restrictions, which certainly affects the presence of advertising companies. We will start by looking at the aggregate statistics for the CIS exclusive of Russia, as that country dominates the market, distorting other countries’ statistical data somewhat.

TOP 25 tracking services in the CIS (excluding Russia), August 2021 — August 2022 (download)

The CIS was the only region at hand dominated by a local internet giant, rather than the Google Marketing Platform (ex-DoubleClick). Yandex.Metrika, with a share of 19.24%, topped the rankings of trackers popular in the region. Google’s tracking services occupied second (16.17%) and third (13.14%) places.

The Mediascope research company was fourth, with 5.55%. Besides collecting and analyzing user data for marketing purposes, Mediascope is the organization officially designated to evaluate the size of television channel audiences, and sending reports to Roskomnadzor, Russia’s mass media regulator.

Other tracking services specific to the CIS are the web counter Yadro.ru (4.88%), the ad management platform AdFox (4.68%), Russian ad tech company Buzzoola (3.03%), the ad management and audit service Adriver (2.74%), Between Digital (2.23%), Rambler Internet Holdings (1.95%), VK (ex-Mail.Ru Group, 1.92%), VKontakte (1.86%), AdMixer (1.70%), originally from Russia but now headquartered in London, and Uniontraff.com (1.03%).

Thus, 12 out of 25 most widely used web tracking services in the CIS (exclusive of Russia) were endemic to the market.

Russian Federation

Most of the tracking services that made the TOP 25 in Russia are homegrown. Yandex.Metrika and Mediascope, mentioned above, were first and second, respectively, with 19.73% and 12.51%. Google Analytics (8.83%) and Google Marketing Platform (ex-DoubleClick, 6.59%) occupied the third and fourth positions, their respective shares fairly low in comparison to the Russia-less CIS average of 13.14% and 16.17% respectively. The rest of the top positions went to local Russian tracking services.

TOP 25 tracking services in Russia, August 2021 — August 2022 (download)

East Asia

The East Asian landscape did not differ drastically from the rest of the world. It featured mostly the same tracking services as other parts of the globe. However, there were two exceptions: Japan and Korea. We singled out these countries as separate research entities to demonstrate their distinctive features and the maturity of local advertising companies, which were, by and large, the key user data collectors and analysts there.

Google Marketing Platform (ex-DoubleClick) featured quite prominently in the East Asian TOP 25 rankings with a 27.62% share, followed by Google Analytics (16.13%) and Facebook Custom Audiences (6.65%). YouTube Analytics had a share of 6.54%, and Yahoo Web Analytics, 5.79%.

TOP 25 tracking services in East Asia (excluding Japan and Korea), August 2021 — August 2022 (download)

Japan

Japan is the only country where Twitter trackers had a fairly high share (11.67%), overtaking both Facebook Custom Audiences (4.43%) and YouTube Analytics (3.24%). Similarly to other major social networks, Twitter tracks user activity on other websites in addition to its own. One of the tracking tools is Twitter Pixel, which owners can embed into their websites. Twitter trackers notably featured in the TOP 25 rankings of every region and country covered by the report, with the exception of Russia, where this service is blocked.

TOP 25 tracking services in Japan, August 2021 — August 2022 (download)

In addition to the global companies, the TOP 25 rankings for Japan featured local tracking services. Examples include trackers operated by the Japanese marketing and advertising agencies, such as Digital Advertising Consortium Inc (3.01%), Supership (2,86%), I-mobile (2.13%), AdStir (1.44%), Samurai Factory (0.99%), Logly (0.90%), the blogging platform Ameba (1.47%), and the online services vendor LINE Corporation (0.71%).

South Korea

Like Japan, South Korea is a peculiar region with mature local tech companies, which affects tracker distribution. Google led by a fairly wide margin: Google Marketing Platform (ex-DoubleClick) had a share of 25.49% and Google Analytics 19.74%. Trackers operated by Kakao, Korea’s largest internet company, accounted for as much as 10.90%, pushing it to third place. Kakao’s scale of operations is comparable to Japan’s LINE, Russia’s Yandex or China’s WeChat.

TOP 25 tracking services in South Korea, August 2021 — August 2022 (download)

Other Korean tracking services in the TOP 25 were eBay Korea (2.02%) and the targeted advertising service WiderPlanet (1.77%).

South Asia

The South Asian TOP 25 rankings of web tracking services most frequently detected by DNT looked similar to the general global pattern. As in the Middle East, Google Marketing Platform (ex-DoubleClick) had one of the highest shares globally in South Asia, 32.92%.

TOP 25 tracking services in South Asia, August 2021 — August 2022 (download)

The Indian tech and media giant Times Internet, which was not part of the TOP 25 in any other region of the world, had some presence in South Asia (0.97%).

Conclusion

There are only a few global companies that collect user data in every corner of the world. They are the universally recognized Google and Meta, as well as the advertising giant Criteo, little known to common users. We have seen that the more distinctive the region or country is linguistically, economically, and technologically, the higher the chances are that local companies will have some presence on the market and be able to compete with the global giants. Major local players typically go beyond just advertising and marketing to be providers of diverse online services on their home markets. For example, Korea’s Kakao, Japan’s LINE, and Russia’s Yandex are not just internet giants but key regional services that provide the population with all that it needs: from email and instant messaging to food delivery. As they collect and analyze user data, they naturally pursue the same objectives as the global giants.

Being aware that your online activity is tracked is no fun. Unfortunately, you cannot fully protect yourself against tracking — you can only minimize the amount of data that a company tracking you will obtain. That is also important, though: the less information on you is collected beyond your control, the less painful potential future leakages would be. There are various types of technical tools to protect you from web tracking. For instance, VPN changes your IP address, thus distorting to a degree the digital profile of you that marketing companies strive to build. Anti-tracking browser extensions like DNT block trackers while you surf the web, preventing companies from finding out what websites you use and how. You can also reduce the risk by sharing only the data that services need to function. That will not stop them from collecting your data, but it can significantly reduce the scope of the information that companies have about you.

Black Friday shoppers beware: online threats so far in 2022

23 Listopad, 2022 - 09:00

The shopping event of the year, Black Friday, is almost here, and while the big day does not officially arrive until Friday, November 25th, deals are already starting. The day kickstarts the frenzied holiday shopping season with eye-catching promotional deals that lure shoppers into spending more of their hard-earned cash. In the weeks leading up to Black Friday, we have already seen discounts reaching 70% and even 80%, grabbing the attention of millions of customers.

Today, e-commerce sales make up 21% of global retail sales, which is a 50% increase on the pre-pandemic levels. Besides, 94% of shoppers now do at least some of their shopping online. As the volume of purchases around Black Friday increases, the attention of cybercriminals to e-commerce intensifies proportionally. The risk of being scammed runs even higher. While on ordinary days, the customer can easily see that if the product is too cheap, it is most likely a scam, during the Black Friday sales, it gets harder to tell. Shoppers become less vigilant, and therefore, an easy target for cybercriminals. That is why we constantly monitor the landscape of shopping-related cyberthreats and protect users from these risks. Here is what we have found this year.

Methodology

In this research, we analyze various types of threats, such as financial malware and phishing pages mimicking the world’s biggest retail platforms, banking and payment systems, and discuss recent trends. The threat statistics we use come from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period from January through October 2022. In addition, we analyzed Black Friday-related spam and phishing pages mimicking popular BNPL (buy now, pay later) services, which have proven to be particularly popular during shopping seasons like Black Friday.

Key findings

  • Over the first ten months of 2022, Kaspersky prevented 38,596,555 financial phishing attacks.
  • In 2022, the number of attacks using banking Trojans doubled when compared to the same period of 2021, reaching almost 20 million.
  • The number of financial phishing attempts for online shopping platforms (16,424,303) comprised 42.55% of all financial phishing attempts.
  • The number of phishing pages mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) totaled 12,787,534 in the first ten months of 2022.
  • Apple was consistently the most popular lure among online shopping platforms, with phishing attempts using its name reaching 9,858,254 in the first ten months of 2022.
  • Spam campaigns intensify as Black Friday approaches. In the first three weeks of November, Kaspersky telemetry spotted 351,800 spam emails that contained the word combination “Black Friday”. This is five times more than September’s figure.
Phishing for shopping credentials: financial threats in numbers

One of the prime threats during the shopping season is financial phishing. Kaspersky distinguishes several types of financial phishing: banking, payment system, and online store phishing. Banking phishing includes fake banking websites that cybercriminals create to mislead their victims into giving up their credentials and card details. Payment system phishing involves pages mimicking well-known payment systems, such as PayPal, Visa, MasterCard and American Express. The third type of phishing mimics online stores, such as Amazon, eBay, Aliexpress, or smaller ones.

Number of attempts to visit phishing pages using banking, online payment and online retail brands as a lure, January–October 2022 (download)

During the first ten months of 2022, Kaspersky products detected 38,596,555 phishing attacks targeting users of online shopping platforms, payment systems and banking institutions. We count one attempt to open a phishing link detected by Kaspersky as one phishing attack. During the first ten months of this year, the number of financial phishing attempts for online shopping platforms comprised 42.55% of all financial phishing attempts, which is 10.19 p.p. higher than the share of online payment phishing (32.36%), and 17.47 p.p. higher than the share of banking phishing (25.08%). Moreover, some of the payment system and banking phishing cases may be related to online store phishing. For example, if a phishing or scam page mimicking Amazon redirects the user to a payment page mimicking PayPal, these two pages will be categorized as online store and payment system phishing, respectively. In total, Kaspersky solutions detected 16,424,303 online store phishing attacks, 12,491,239 online payment phishing attacks, and 9,681,013 banking phishing attempts. We also observed a sharp spike in the number of attacks on online store users in June–July 2022. This was caused by a massive phishing campaign involving a fake Apple device giveaway, which Kaspersky security solutions successfully repelled.

Number of attempts to visit phishing pages using Apple as a lure, January–October 2022 (download)

Overall, the number of phishing attacks mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) amounted to 12,787,534 for the ten months of 2022. The majority of these attacks targeted Apple users: 9,858,254 phishing attempts, most of them occurring during the summer campaign mentioned above.

Number of attempts to visit phishing pages using popular shopping platforms (excluding Apple) as a lure in 2022 (download)

Amazon was the second most popular lure, with phishing attempts using its name peaking in April at 342,829. In total, 2,101,599 phishing attacks exploiting the Amazon brand were detected between January and October of 2022. The third most popular lure was, for most of 2022, Mercado Libre. Although the marketplace is local to Latin America, cybercriminals notably abused it much more via phishing attacks than global corporations like eBay or Walmart. Specifically, attackers used the brand name of Mercado Libre most heavily during the summer season, with 56,099 attempts in June and 42,862 in August, which is more than the summer figures for eBay, Walmart, and Aliexpress. Curiously, the number of phishing sites mimicking Walmart’s platform peaked in February, likely because of Valentine’s Day. During that month, we detected 76,618 phishing attempts abusing Walmart, which is 45% of all phishing attempts that targeted Walmart users in the first ten months of 2022.

“Pick a prize and cry in surprise”

A large share of fake e-commerce pages comprises scams: juicy fake offers, often made in the name of a popular brand, which draw buyers. Scam websites will typically display a discount, giveaway or another attractive deal that supposedly expires soon, urging the user to hurry while the products are free or heavily discounted. This is where cybercriminals catch customers who are hungry for freebies and fail to double-check where they are about to enter their details: on a phishing page or the official website.

A brightly colored phishing site with a Mercado Libre logo on it lights up with, “Pick a prize and cry in surprise” written in Spanish. The surprise box can contain anything: the latest iPhone, an expensive TV set, or a much-needed lawn mower for the garden. To get it, the user just needs to pay a small delivery fee. However, all they really get if they fall for the trick is their money lost and bank card details compromised.

Fake Mercado Libre site in Spanish that reads, “Pick a prize and cry in surprise”

Cybercriminals often start to spread phishing and scam pages even before Black Friday sales begin in order to squeeze out the shopping season as much as possible. One scam site, for example, offers users early access to all Amazon deals a few days before the discounts become effective, to grab everything they want before other customers sweep the shelves. To get the “early access”, you have to subscribe to “Amazon Prime” on the scammers’ website. However, paying for the subscription will not get users access to Amazon’s offers. Instead of being the first among buyers, they will join the ranks of scam victims.

Users are offered early access to Amazon sales

In addition to promises of early access, attackers use other tricks to lure victims. For example, they offer eBay gift cards for free. In order to generate a gift card code, users are asked to select an amount to add to the gift card account: from $10 to $300. They will then be asked to fill out a simple survey and to pay a small fee for the card, which the scammers promise to send by email. However, victims will not get any gift cards, but just lose their money to the scammers.

Victims are promised that gift card codes will be sent to their emails, which does not happen

A promise of cashback is another kind of bait used by cyberthieves. That is how they lured victims into a phishing scheme that targeted users of the Indian payment system PhonePe. The attackers sent out text messages promising cashback to users who followed a link. The phishing page urged victims to enter their UPI PIN: the secret code that is used to confirm transactions.

Fake cashback page phishing for UPI PINs

In certain cases, cybercriminals exploited several brands with one phishing page. On the screenshot below, the fake website mimics the login page for Landesbank Berlin’s Amazon.de cards. It offers users to “activate Visa Secure to pay safely with their Amazon.de Visa card”. To do that, the victim needs to enter their Landesbank Berlin login credentials, which will then be stolen by the attackers.

Users are prompted to log in to their Landesbank Berlin account to allegedly activate Visa Secure option

“Buy now, regret later”: phishing examples for BNPL services

“Buy now, pay later” (BNPL) services allow customers to split the cost of a purchase into several interest-free installments. These services appeal to consumers, especially youngsters, and have proven to be particularly popular during shopping days like Black Friday. Juniper Research assesses the BNPL user base at 360 million in 2022 and predicts this number to surpass 900 million globally by 2027. All of this makes BNPL an attractive target for cybercriminals.

BNPL phishing on the eve of Black Friday 2022

One of the most popular BNPL services is Affirm, with around 12.7 million active users worldwide. According to the official website, a user can shop online or in-store and pay later with the service at checkout. Another option is to request a virtual card in the app. Payments are managed in the app or online. The service offers a browser extension for Chrome.

Cybercriminals have created a nearly perfect replica of the official Affirm login page—the only difference is missing links to the privacy policy and merchant login. By creating the malicious lookalike, the attackers are trying to gain access to victims’ Affirm accounts.

Affirm phishing page

The real Affirm login page (Differences highlighted)

Another pre-Black Friday phishing site found by Kaspersky researchers spoofs an even more popular service named Afterpay (Clearpay in the U.K. and Italy), which has 20 million active users globally. Perpetrators have set up a page that mimics the official website, apparently trying to trick unsuspecting visitors into entering their bank card details, including the CVV, into a fake form.

A further example of a phishing page mimicking Afterpay is aimed at gaining access to potential victims’ accounts.

Phishing distribution

To attract potential victims to phishing pages, attackers usually send links to these pages by email. The email body employs social engineering techniques, for instance, to convince the user that they need to update their payment data, or that a lucrative deal awaits them on the phishing site. However, there are other ways of delivering phishing links, such as instant messages, social media, or SMS.

Phishing and scam: red flags

More often than not, a vigilant user can recognize phishing and scam pages. The text on the page can contain typos, while the domain name in the URL can differ from that of the official website by a few characters, contain extra words, or look totally unrelated to the brand whose users it targets. The only functional buttons are often those related to the main phishing or scam functionality: “pick your prize”, submit buttons, etc. All other buttons such as “I forgot my password”, the menu, etc. are typically unclickable or lead nowhere. That said, links to the terms of use and privacy policy in the footer of a phishing page can lead to the documents published on the original website, and thus help to conceal the website’s malicious purpose.

Spam

Despite all the benefits of online shopping, one of its most annoying downsides is finding your inbox clogged up with unsolicited email. Spam campaigns tend to intensify dramatically around the shopping and holiday seasons. From November 1 through November 17, 2022, Kaspersky telemetry recorded 351,800 emails containing the word combination “Black Friday”. This is more than five times the number of such emails recorded in October, when we saw 65,608. Compared to September, the increase is more than 32 times.

The number of spam emails containing “Black Friday”; September, October, and November 2022 (download)

When left unfiltered by antispam systems, spam is an annoyance and a waste of time. Our recent study revealed that employees who receive 30–60 external emails per day could be wasting as much as 11 hours annually looking through and identifying spam messages. For employees receiving between 60–100 emails a day, the figure increases to 18 hours per year, which is more than two business days.

Additionally, an important email might be lost in a deluge of spam and unintentionally deleted. Needless to say, many spam emails contain links to phishing and scam websites, or malicious attachments.

Banking Trojans go after payment credentials

Banking Trojans (bankers) are a staple in the arsenal of cyberthieves who seek to profit from the sales season. These are malicious computer programs that obtain access to confidential information stored or processed by online banking and payment systems. Bankers use webinjects and form-grabbing functionality to steal credentials, card details, or even all of the data a user enters on the target website.

After a sharp drop in banking Trojan attacks in 2021, cybercriminals reverted to using the tool heavily: from January through October 2022, Kaspersky products detected and prevented almost 20 million attacks, a 92% increase year on year.

Overall number of banking Trojan attacks, January–October 2020–2022 (download)

Conclusion

The shopping season is a profitable time not just for stores owners and consumers but also for cybercrooks. Every year, we see how fraudsters step up their activities amid the sales season by exploiting the names of popular stores, retail platforms and financial services. Unfortunately, the trend is not likely to go anywhere. This means users should be prepared and know how to stay protected at least from the “traditional” types of threats we observe every year: spam, phishing, and banking Trojans.

To enjoy the best that Black Friday has to offer this year, be sure to follow a few safety tips.

  • Protect all devices that you use for online shopping with a reliable security solution.
  • Do not trust any links or attachments received by email; double-check the sender’s name and email address before opening anything.
  • Check that the online store address is correct and the page has no errors or visual defects on it before filling out any forms there.
  • In order to protect your data and finances, it is a safe practice to make sure the checkout page is secure, and there is a locked padlock icon beside the address.
  • If you want to buy something from an unfamiliar company, check customer reviews before making the decision.
  • Despite taking as many precautions as possible, you probably will not know whether something is amiss until you see your bank account statement. So, if you are still getting paper statements, do not wait until they hit your mailbox. Get online to see if all of the charges look legitimate, and if not, contact your bank or card issuer immediately.

ICS cyberthreats in 2023 – what to expect

22 Listopad, 2022 - 09:00

Cybersecurity incidents were plentiful in 2022, causing many problems for industrial infrastructure owners and operators. However, luckily, we did not see any sudden or catastrophic changes in the overall threat landscape – none that were difficult to handle, despite many colorful headlines in the media.

As we see it, the coming year looks to be much more complicated. Many people may be surprised by unexpected twists and turns, though we should already be examining these eventualities today. Below we share some of our thoughts on potential developments of 2023, though we cannot claim to be providing either a complete picture or a high degree of precision.

As we analyze the events of 2022, we must profess that we have entered an era where the most significant changes in the threat landscape for industrial enterprises and OT infrastructures are mostly determined by geopolitical trends and the related macroeconomic factors.

Cybercriminals are naturally cosmopolitan; however, they do pay close attention to political and economic trends as they chase easy profits and ensure their personal safety.

APT activity, which is traditionally ascribed to intelligence agencies of various governments, always occurs in line with developments in foreign policy and the changing goalposts inside countries and inter-governmental blocks.

Developments in the APT world

Internal and external political changes will deliver new directions for APT activity.

Changes in attack geography

Attack geography will inevitably change following transformations of existing and the emergence of new tactical and strategic alliances. As alliances shift, we see cybersecurity tensions arise between countries where such tensions had never existed. Yesterday’s allies become today’s targets.

Changes in industry focus

We are going to see APT activity change the focus on specific industries very soon because the evolving geopolitical realities are closely intertwined with economic changes. Therefore, we should soon see attacks targeting the following sectors representing the real economy:

  • Agriculture, manufacturing of fertilizers, agricultural machinery and food products – all as a result of upcoming food crises and shifting food markets;
  • Logistics and transport (including transportation of energy resources) due to the on-going changes in global logistics chains;
  • The energy sector, mining and processing of mineral resources, non-ferrous and ferrous metallurgy, chemical industry, shipbuilding, instrument and machine-tool manufacturing, as the availability of these companies’ products and technologies is part of the foundation for the economic security of both individual countries and political alliances;
  • The alternative energy sector, specifically where it is on the geopolitical agenda;
  • High-tech, pharmaceuticals and medical equipment producers, since these are integral for ensuring technological independence.
Continuing attacks on traditional targets

Naturally, we will still see APT attacks on traditional targets, with the main APT attack focus definitely including:

  • enterprises in the military industrial complex, with geopolitical tensions, confrontations escalating to red alert status, along with the rising possibilities of military confrontations being the main drivers for the attackers;
  • the government sector – we expect attacks to focus on information gathering regarding government initiatives and projects related to the growth of industrial sectors of the economy;
  • critical infrastructure – attacks aiming to gain a foothold for future use, and sometimes, for instance when conflicts between specific countries are in the “hot” phase, the goal may even be to inflict immediate and direct damage.
Other changes in the threat landscape

Other important changes in the threat landscape which we already see and which we believe will increasingly contribute to the overall picture include the following:

  • A rising number of hacktivists “working” to internal and external political agendas. These attacks will garner more results – quantity will begin to morph into quality.
  • A growing risk of volunteer ideologically and politically motivated insiders, as well as insiders working with criminal (primarily ransomware) and APT groups – both at enterprises and among technology developers and vendors.
  • Ransomware attacks on critical infrastructure will become more likely – under the auspices of hostile countries or in countries unable to respond effectively to attacks by attacking the adversary’s infrastructure and conducting a full-blown investigation leading to a court case.
  • Cybercriminals’ hands will be untied by degrading communications between law enforcement agencies from different countries and international cooperation in cybersecurity grinding to a halt, enabling threat actors to freely attack targets in ‘hostile’ countries. This applies to all types of cyberthreats and is a danger for enterprises in all sectors and for all types of OT infrastructure.
  • Criminal credential harvesting campaigns will increase in response to the growing demand for initial access to enterprise systems.
Risk factors due to geopolitical ebb and flow

The current situation forces industrial organizations into making an extremely complicated choice – which products and from which vendors should they be using and why.

On the one hand, we are seeing failing trust relationships in supply chains for both products and services (including OEM), which in turn increases the risks in using many of the products companies are used to:

  • It becomes more difficult to deploy security updates when vendors end support for products or leave the market.
  • This is equally applicable to degrading quality of security solutions when regular updates cease due to security vendors leaving the market.
  • We cannot totally rule out the possibility of political pressure being applied to weaponize products, technologies and services of some minor market players. When it comes to global market leaders and respected vendors, however, we believe this to be extremely unlikely.

On the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors, whose secure development culture, as we have often found, is usually significantly inferior to that of global leaders, are likely to have ‘silly’ security errors and zero-day vulnerabilities, rendering them easy prey for both cybercriminals and hacktivists.

Organizations based in countries where the political situation does not require addressing the above issues, should still consider the risk factors which affect everyone:

  • The quality of threat detection decreases as IS developers lose some markets, resulting in the expected loss of some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political pressure.
  • The communication breakdowns between IS developers and researchers located on opposite sides of the new ‘iron curtain’ or even on the same side (due to increased competition on local markets) will undoubtedly decrease the detection rates of security solutions that are currently being developed.
  • Decreasing CTI quality – unfounded politically motivated cyberthreat attribution, exaggerated threats, lower statement validity criteria due to political pressure and in an attempt to utilize the government’s political narrative to earn additional profits.
  • Government attempts to consolidate information about incidents, threats and vulnerabilities and to limit access to this information detract from overall awareness, since information may sometimes be kept under wraps without good reasons.

    And at the same time, this results in an increased risk of confidential data leaks (example: PoC of an RCE published by mistake in a national vulnerability database). This issue could be addressed by building broad cybersecurity capacity in the public sector to ensure that responsible treatment of sensitive cybersecurity information and efficient coordinated vulnerability disclosure can always be guaranteed.

  • Additional IS risks due to the growing role of governments in the operations of industrial enterprises, including connections to government clouds and services, which may sometimes be less protected than some of the best private ones.
Additional technical and technological risk factors
  • Digitalization in a race for higher efficiency – IIoT and SmartXXX (including predictive maintenance systems and digital twin technology) leads to significantly increased attack surfaces. This is confirmed by the attack statistics on CMMS (Computerized Maintenance Management Systems).

    Top 10 countries ranked by the percentage of CMMS attacked in H1 2022:

    It is significant that in this Top 10 ranking by the percentage of attacked CMMS in H1 2022 we see the traditionally ‘secure’ countries which are not seen in rankings based on the overall percentage of OT computers attacked in the country or based on the percentage of attacked OT computers by sector.

  • Rising energy carrier prices and the resulting rises in hardware prices, on the one hand, will force many enterprises to abandon plans to deploy on premise infrastructure in favor of cloud services from third party vendors (which increases IS risks). In addition, this will negatively impact budgets allocated for IT/OT security.
  • The deployment of various unmanned vehicles and units (trucks, drones, agricultural equipment and so forth), which can be abused as either targets or tools for attacks.
Most noteworthy techniques and tactics in future attacks

Let’s not indulge in any fantastic suppositions about tactics and techniques used by the most advanced attackers, such as APTs connected to intelligence agencies in leading countries, as we can then be waylaid by unexpected twists and turns. Let’s also not discuss the tactics and techniques used by the numerous threat actors at the other end of the spectrum – the least qualified ones, since it is unlikely that they will come up with something interesting or new, and the security solutions already in place at most organizations can effectively block their attacks.

Let’s focus instead on the middle of the spectrum – the techniques and tactics used by the more active APT groups, whose activity is usually ascribed as being in line with the interests of countries in the Middle East and the Far East, as well as being used by more advanced cybercriminals, such as ransomware gangs.

Based on our experience of investigating such attacks and the related incidents, we believe that ICS cybersecurity specialists need to focus on the following tactics and techniques:

  • Phishing pages and scripts embedded on legitimate sites.
  • The use of Trojanized “cracked” distribution packages, “patches” and key generators for commonly used and specialist software (this will be stimulated by rising license costs and the departure of vendors from certain markets due to political pressure).
  • Phishing emails about current events with especially dramatic subjects, including events the root causes of which are political in nature.
  • Documents stolen in previous attacks on related or partner organizations being used as bait in phishing emails.
  • The distribution of phishing emails disguised as legitimate work correspondence via compromised mailboxes.
  • N-day vulnerabilities – these will be closed even more slowly as security updates for some solutions will become less accessible.
  • Exploiting foolish configuration errors (such as failing to change default passwords) and zero-day vulnerabilities in products from ‘new’ vendors, including local ones. Mass rollouts of such products are inevitable, despite the serious doubts about the developers’ security maturity.

For instance, recommendations such as “enter password xyz in the password field” can be found in installation instructions and user manuals in a surprising number of products from small ‘local’ vendors. Furthermore, you will rarely find information about vulnerabilities inherited from common components and OEM technologies on such vendors’ websites.

  • Exploiting inherent security flaws in cloud services from ‘local’ service providers and government information systems (see above).
  • Exploiting configuration errors in security solutions. This includes the possibility of disabling an antivirus product without entering an administrator password (antivirus is almost useless if an attacker can easily disable it). Another instance would be the weak security of the IS solution centralized management systems. In this case, IS solutions are not only easy to bypass, but they can also be used to move laterally – for instance to deliver malware or to gain access to ‘isolated’ network segments and to bypass access control rules.
  • Using popular cloud services as CnC – even after an attack is identified, the victim might still be unable to block it because important business processes could depend on the cloud.
  • Exploiting vulnerabilities in legitimate software, for instance, using DLL Hijacking and BYOVD (Bring Your Own Vulnerable Driver) to bypass endpoint security solutions.
  • Distributing malware via removable media to overcome air gaps, in those instances where air gaps actually do exist.
Some final thoughts

When writing about potential future issues, we did not aim to describe a full set of potential threats. Instead, we attempted to convey the impression of a global character of upcoming developments and to encourage our readers to assess those issues (including similar ones not mentioned specifically in this paper) which are most relevant to their organization.

We included only those developments and described only those risks which we believe to be most widespread and generally applicable to many organizations in many countries. Therefore, we kept the predictions less specific on purpose.

Only you can determine which threats are relevant for you. Naturally, if you need some assistance with this rather complicated task, we are always ready to help.

Our predictions are the sum of the opinions of our entire team based on our collective experience in researching vulnerabilities and attacks and investigating incidents, as well as our personal vision of the main vectors driving changes in the threat landscape. We will be very glad if any of our negative predictions do not come true in 2023.

We are always happy to discuss our ideas and we welcome your questions at ics-cert@kaspersky.com.

Policy trends: where are we today on regulation in cyberspace?

22 Listopad, 2022 - 09:00

This is the first edition of our policy analysis and observations of trends in the regulation of cyberspace, and cybersecurity, within the Kaspersky Security Bulletin.

This year so far has been very challenging: increased tensions in international relations have had a huge impact on both cyberspace and cybersecurity. Further to this, we share below our key observations regarding the trends we believe have been the highlights of this year and have the potential to shape the future of cyberspace in the year ahead.

#1 Fragmentation shifting to polarization: governments and multistakeholder communities are all the more divided — and have formed into groups based on like-mindedness

The previously observed and discussed fragmentation of cyberspace on the whole — and the internet in particular (also referred to as the ““splinternet” or the balkanization of the internet) — is taking on a new form. In the past we observed the first signs of governments’ diverging views on how cyberspace and cybersecurity should be regulated. Although by no means all governments stepped into this arena, the few countries that did managed to establish initial laws with extraterritorial effect (such as the EU’s GDPR, which established extraterritorial requirements for many organizations outside the EU) that produced a far larger impact beyond their national borders.

The year 2022, however, has overhauled the existing fragmentation: it does still exist, but only among the emerging alliances of the like-minded, covering not only governments but also non-state actors. The war in Ukraine has further deepened polarization between different groups of states and communities. The biggest challenge stems from the IT security community (which traditionally sticks together and is supposed to act as “neutral firefighters” in cyberspace) splitting into separate closed groups as well. For example, the global Forum of Incident Response and Security Teams (FIRST) suspended all member organizations originating from Russia or Belarus, thereby undermining the fundamental principle of trust in cybersecurity. Such a decision also prevents further threat information exchange between those in charge of responding to cyberincidents. Perhaps naturally, this has triggered talk among those left out regarding launching their own alternative communities.

The growing polarization in cyberspace poses a security risk for many of us, given the borderless nature of the threats and incidents we face. Even when the initial intention of threat actors is to target a particular organization, this can easily spill over to many others in ICT supply chains, going far beyond the initial target (as already occurred with, for example, WannaCry). Will organizations from different jurisdictions be able to exchange threat information with each other, and will they be able to cooperate across borders for incident response? Some of them will, but overall more and more barriers are emerging to this, creating security risks.

#2 Tech localization and “digital sovereignty” is no longer just about data

Globalization is still with us in 2022, but it’s becoming less popular: there’s a move toward buying local or domestic products because it could be safer. Unfortunately, cyberspace and the tech sector have already become one more arena for economic and geostrategic competition among states, while vaguely-defined (most likely intentionally so) concepts about “digital sovereignty”, “data sovereignty”, “strategic autonomy”, etc. are discussed more in different communities — from decision-makers to the media. Though initially perceived as attempts by governments to regulate and protect data (after the first data localization laws appeared), this now has the potential to affect far more areas, including microchip and other hardware manufacturing and software development. In some critical sectors of cybermature jurisdictions this already exists: mostly domestic companies are preferred for procurement. But could it expand further into the consumer market?

If so, in a global context, widespread application of data localization rules in particular would most likely create challenges for cybersecurity (i.e., for better and more effective threat intelligence to fight cyberthreats). With less visibility into the cyberthreat landscape, the lower the chances of developing effective detection tools or producing high-quality threat intelligence. These risks will increase if more and more countries impose data localization rules on their markets.

Thus, a dilemma could arise where attempts to provide more cybersecurity through strengthening data security, on the one hand, may actually lead to weaker cybersecurity (from less visibility and threat intelligence), on the other. The solution could lie in developing smart regulation approaches as well as defining clear security criteria for vendors to be trusted enough for cyberthreat-related data processing.

#3 Do cyberdiplomacy and international cybersecurity still exist? If so, they’ve taken a back seat this year

Kaspersky has been actively involved in many multistakeholder initiatives to advance cyberdiplomacy, including at the UN and regional levels. Subjectively speaking, 2022 has seen the discussion of cyberdiplomacy and international cybersecurity become less widespread and profound. What does this mean? The war in Ukraine and ongoing tensions in international relations have placed onto the agenda issues about security in its conventional sense, where cyber is just one of its aspects. What will happen next is hard to predict, but if military action continues, cyberdiplomacy will most likely stay sat firmly on the back seat; however, it’s to be hoped that it won’t disappear completely.

#4 Full-blown cyberwar hasn’t occurred, and this is of course good news. But we seem to be facing a more complex challenge — hybrid operations

Cyber Armageddon hasn’t occurred. Though many experts predicted it, it hasn’t materialized in the current war in Ukraine. This is good news, for sure. At the same time, unfortunately, the unfolding events have shown that cyberweapons are being used in the conflict to create hybrid warfare, where actions take place both in the digital realm (including with data manipulation and misinformation operations) and on the ground. The challenge is that the international community hasn’t developed clear responses to deal with this, and most likely any technological and technical solutions will be insufficient.

#5 Liability of digital products: a new area in future regulatory efforts

Safety and security labels don’t exist yet for software. And where a vulnerability may create security or safety risks, users may wonder whom to reach out to for liability issues. So far, different vertical legislative approaches do provide solutions for consumers, such as personal data protection laws for cases where personal data has been affected. The financial and banking sector is well-regulated too. But what about a mass-market photo-editing app that can be exploited by stalkerware? Should the developer be responsible? Some jurisdictions apparently already have the answer. The EU — as a norm-setter — has been among the first to propose a game-changing draft law titled the Cyber Resilience Act, with proposed fines as high as those in the GDPR. And in the U.S. there have been some first attempts to define baseline criteria for cybersecurity labeling of consumer software, as discussed in a separate blog post. Most likely, next year and beyond, other governments will find the regulation of software development liability a good idea, and we could well see even further fragmentation as a result of the different approaches taken among states.

Crimeware and financial cyberthreats in 2023

22 Listopad, 2022 - 09:00

A look back on the year 2022 and what to expect in 2023

Every year, as part of the Kaspersky Security Bulletin, we predict which major trends will be followed in the coming year by attackers, who target financial organizations. The predictions, based on our extensive experience, help individuals and businesses improve their cybersecurity and prevent the vast range of possible risks.

As the financial threat landscape has been dramatically evolving over the past few years, with the expansion of such activities as ransomware or cryptofraud, we believe it is no longer sufficient to look at the threats to traditional financial institutions (like banks), but rather assess financial threats as a whole. The cybercriminal market has been developing extensively, with the overwhelming majority of cybercriminals pursuing one goal — financial profit, no matter the source. However, the way they do it varies from year to year, and understanding the changes in their tactics and tools can help organizations improve their security.

This year, we have decided to adjust our predictions accordingly, expanding them to encompass crimeware developments and financial cyberthreats as a whole.

This report assesses how accurately we predicted the developments in the financial threats landscape in 2022 and ponder at what to expect in 2023.

Analysis of forecasts for 2022
  • Rise and consolidation of information stealers. Our telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. Additionally, they might even be used as bulk collectors for targeted and more complex attacks.

    Yes. While we haven’t seen exponential growth in the use of stealers, their advancement and evolution has been very noticeable. In 2022, we uncovered some new malicious families actively sold on dark markets, such as Rhadamanthys, BlueFox, and Parrot, stealing sensitive information from the victims’ devices. One of the most striking new stealers has been OnionPoison. Unlike common stealers, this malware gathered data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks. Previously discovered stealers have not been left behind. This year we observed the updates of AcridRain and Racoon stealers, and the remarkable evolution of RedLine stealer, making it a self-spreading threat that attacks gamers via YouTube. Also of note in 2022 are campaigns impersonating well-known software brands like Notepad++. The trend remains solid, and these types of campaigns impact a large number of users, hitting the target brand’s bottom line. Moreover, the ransomware gang ransomExx also abuses open source software by recompiling it to load a malicious shellcode; Notepad++ was also used in one of their attacks.

    While there are still top-level threats that are not distributed openly, the vast majority of stealers have become more affordable and cheaper for average cybercriminals, making this threat more likely to evolve even more in the following year.

  • Cryptocurrency targeted attacks. The cryptocurrency business continues to grow, and people continue to invest their money in this market because it’s a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist. And not only cybercrime groups, but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.

    Despite these uncovered campaigns, attackers were still more likely to hunt for cryptocurrency using phishing, offering dubious cryptocurrency exchange platforms, and launching cryptojacking to illicitly mint cryptocurrency. Previously, mining was mostly a threat for general users, but today miners are stealing power from large businesses and critical infrastructures. Even big ransomware operators, for example, AstraLocker, are shutting down their operations to switch to cryptojacking.

  • More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks, and more. In the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage of fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims’ financial assets.

    Yes. In 2022, we observed many other cryptocurrency-related threats potentially costing users millions of dollars. Since the start of 2022, cybercriminals have stolen $3 billion from DeFi protocols, with 125 crypto hacks in total. According to the freshest data on DeFi, every hour 15 newly deployed scams against smart contracts are detected. At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. The lack of state-of-the-art security for smart contracts leads to attacks on these platforms and, based on how the business model works, the potential theft of a lot of money.

  • Targeted ransomware — more targeted and more regional. With the international efforts to crack down on major targeted ransomware groups, we will see a rise in small, regionally derived groups focused on local The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks.

    Yes. We’ve observed a rise in the number of targeted and regional ransomware attacks. One of the reasons why ransomware attacks have become more regional is the decrease in collaboration between ransomware groups. In the past, many actors would join forces to attack and encrypt as many organizations around the world as possible. But thanks to international efforts, such as No More Ransom, to crack down on their work, global attacks have become much rarer.

    Interestingly, this trend was also influenced by geopolitical conflict, which we did not anticipate last year. Many ransomware groups took sides in the conflict between Russia and Ukraine, focusing their activities on destructive attacks or limiting the range of their targets by geography. The most significant reaction of all was likely by the Conti ransomware group, who announced that it would retaliate with full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. On the other side, Kaspersky discovered Freeud, a wiper under the guise of ransomware whose creators proclaimed support for Ukraine.

  • Access broker specialists — professionalize access to compromised networks. Instead of major efforts to compromise access to a corporate or public entity, we can expect Ransomware-as-a-Service operators to seek to buy access to another cybercriminal group that already has access to the target, focusing their activity on ransomware deployment.

    Yes. Attackers have indeed resorted to buying initial access to compromised services more often than hacking it themselves. This has become a real stand-alone business in the dark web (Malware-as-a-Service, MaaS). This year we detected a malicious spam campaign targeting organizations tenfold growth in a month, spreading Emotet malware, which is used by Conti ransomware affiliates to gain initial access. Once access is obtained, the organization is placed into a pool of potential ransomware targets. This growth in the Emotet campaign suggests that the Access-as-a-Service continues to be actively used by cybercriminal groups, and the trend of hiring access broker specialists is likely to continue in 2023.

  • Mobile banking Trojans on the rise. As mobile banking experienced booming adoption worldwide due to the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries.

    Yes. Security remains the biggest problem for users who want to make regular mobile payments. As predicted, the number of mobile banking Trojan detections increased considerably in 2022 worldwide compared to the last year, reaching more than 55,000 attacks in the second quarter of 2022 alone. With the rising number of attacks, cybercriminals have evolved new banking Trojans, targeting mobile users. In 2022, Kaspersky researchers have so far discovered more than 190 applications distributing Harly Trojan with more than 4.8 million downloads. While these apps were available in official stores and disguised as legitimate apps, the fraudsters behind them subscribed unsuspecting users to unwanted paid services.

  • Rise of threat to online payment systems. Amid the pandemic, many companies went digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.

    No. This year, we have not observed a lot of new fintech players that went big and which could become new targets for cybercriminals.

  • With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals. Thanks to online payment systems and fintech applications, large amounts of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims’ data.

    No. Mobile malware techniques haven’t changed much in the course of 2022.

  • Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats organizations. In a previous post, we wrote that users rely on corporate laptops to play video games, watch movies, and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphic cards market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.

    Yes. The level of cybersecurity after the pandemic and the initial adoption of remote work by organizations en masse has become better. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network. Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans. If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.

  • ATM and PoS malware to return with a vengeance. During the pandemic, some locations saw PoS (point of sale) and ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.

    Yes. As predicted, with the lift of COVID-19 restrictions, attackers have stepped up their activities again in 2022. In the first eight months of the year, the number of unique devices affected by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. Kaspersky researchers have also discovered cybercriminals creating and deploying new never-seen-before tools targeting ATM and PoS devices. For instance, the Prilex threat group, famous for stealing millions of dollars from banks, has evolved substantially. Specifically, Prilex has upgraded its tools from a simple memory scraper to an advanced and complex malware that now targets modular PoS terminals and is the first malware able to clone credit card transactions, even those protected by CHIP and PIN.

    Perhaps one of the biggest shifts is PoS malware becoming a service sold on the dark web, which means it is now available to other cybercriminals, and the risk of losing money is increasing for businesses worldwide.

Forecasts for 2023 Led by gaming and other entertainment sectors, Web3 continues to gain traction and so will threats for it

With the increasing popularity of cryptocurrencies, the number of crypto scams has also increased. However, we believe that users are now much more aware of crypto and will not fall for primitive scams, such as a video featuring an Elon Musk deepfake promising huge returns in a dodgy cryptocurrency investment scheme that went viral. Cybercriminals will continue to try to steal money through fake ICOs and NFTs along with other cryptocurrency-based financial theft (like exploitation of vulnerable smart contracts), but will make them more advanced and widespread.

Malware loaders to become the hottest goods on the underground market

Many actors have their own malware, but that alone is not enough. Entire samples used to consist solely of ransomware, but the more diverse the modules in a piece of ransomware, the better it will evade detection. As a result, attackers are now paying much more attention to downloaders and droppers, which can avoid detection. This has become a major commodity in the MaaS industry, and there are even already favorites among cybercriminals on the dark web — the Matanbunchus downloader, for example. All in all, stealth execution and bypassing EDRs is what malicious loader developers are going to focus on in 2023.

More new “Red Team” penetration testing frameworks deployed by cybercriminals

At the same time as vendors create and improve penetration testing frameworks to protect companies, crimeware actors are expected to use them much more actively for illegal activities. The most remarkable example of this trend starting to spread globally is Cobalt Strike. The tool is so powerful that threat groups have added it to their arsenal, already using it in a wide variety of attacks and cyberespionage campaigns. In 2022, the news hit the headlines that another pentester toolkit dubbed Brute Ratel C4 had been hacked, and is now being distributed on hacker forums. We predict that, along with the development of new penetration tools, cybercriminals will increasingly use them for their own malicious purposes — and Brute Ratel C4 and Cobalt Strike are just the beginning of this trend.

Ransomware negotiations and payments begin to rely less on Bitcoin as a transfer of value

As sanctions continue to be issued, the markets become more regulated, and technologies improve at tracking the flow and sources of Bitcoin, cybercrooks will rotate away from this cryptocurrency toward other forms of value transfer.

Ransomware groups following less financial interest, but more destructive activity

Perhaps a surprising prediction in a report about future financial threats, yet ransomware has been one of the biggest threats in recent years, inflicting massive financial damage on organizations. As the geopolitical agenda increasingly occupies the attention not only of the public but also of cybercriminals, we expect ransomware groups to make demands for some form of political action, instead of demands for ransom money. One of such examples is Freeud, a brand-new ransomware with wiper capabilities.

IT threat evolution in Q3 2022. Non-mobile statistics

18 Listopad, 2022 - 09:10

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

  • Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
  • Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.
  • Ransomware attacks were defeated on the computers of 72,941 unique users.
  • Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.
Financial threats Number of users attacked by banking malware

In Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.

Number of unique users attacked by financial malware, Q3 2022 (download)

TOP 10 banking malware families Name Verdicts %* 1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 33.2 2 Zbot/Zeus Trojan-Banker.Win32.Zbot 15.2 3 IcedID Trojan-Banker.Win32.IcedID 10.0 4 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.8 5 Trickster/Trickbot Trojan-Banker.Win32.Trickster 5.8 6 SpyEye Trojan-Spy.Win32.SpyEye 2.1 7 RTM Trojan-Banker.Win32.RTM 1.9 8 Danabot Trojan-Banker.Win32.Danabot 1.4 9 Tinba/TinyBanker Trojan-Banker.Win32.Tinba 1.4 10 Gozi Trojan-Banker.Win32.Gozi 1.1

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of financial malware attacks

TOP 10 countries and territories by share of attacked users

Country or territory* %** 1 Turkmenistan 4.7 2 Afghanistan 4.6 3 Paraguay 2.8 4 Tajikistan 2.8 5 Yemen 2.3 6 Sudan 2.3 7 China 2.0 8 Switzerland 2.0 9 Egypt 1.9 10 Venezuela 1.8

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Ransomware programs Quarterly trends and highlights

The third quarter of 2022 saw the builder for LockBit, a well-known ransomware, leaked online. LockBit themselves attributed the leakage to one of their developers’ personal initiative, not the group’s getting hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community. Similarly to other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve other groups unrelated to LockBit. One example was Bloody/Bl00dy spotted back in May. A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.

Mass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The former threatened files accessible from the internet over SMB protocol and protected by a weak account password. The latter attacked devices that had a vulnerable version of the Photo Station software installed. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.

The United States Department of Justice announced that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely used by the North Korean operators Andariel. The DOJ said victims had started getting their money back.

The creators of the little-known AstraLocker and Yashma ransomware published decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.

Number of new modifications

In Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. More than 11,000 of those were assigned the verdict of Trojan-Ransom.Win32.Crypmod, which hit the sixth place in our rankings of the most widespread ransomware Trojans.

Number of new ransomware modifications, Q3 2021 — Q3 2022 (download)

Number of users attacked by ransomware Trojans

In Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q3 2022 (download)

TOP 10 most common families of ransomware Trojans

Name Verdicts %* 1 (generic verdict) Trojan-Ransom.Win32.Encoder 14.76 2 WannaCry Trojan-Ransom.Win32.Wanna 12.12 3 (generic verdict) Trojan-Ransom.Win32.Gen 11.68 4 Stop/Djvu Trojan-Ransom.Win32.Stop 6.59 5 (generic verdict) Trojan-Ransom.Win32.Phny 6.53 6 (generic verdict) Trojan-Ransom.Win32.Crypmod 7 Magniber Trojan-Ransom.Win64.Magni 4.93 8 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 4.84 9 (generic verdict) Trojan-Ransom.Win32.Instructions 4.35 10 Hive Trojan-Ransom.Win32.Hive 3.87

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory* %** 1 Bangladesh 1.66 2 Yemen 1.30 3 South Korea 0.98 4 Taiwan 0.77 5 Mozambique 0.64 6 China 0.52 7 Colombia 0.43 8 Nigeria 0.40 9 Pakistan 0.39 10 Venezuela 0.32

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans Name Verdicts* Percentage of attacked users** 1 (generic verdict) Trojan-Ransom.Win32.Encoder 14.76 2 WannaCry Trojan-Ransom.Win32.Wanna 12.12 3 (generic verdict) Trojan-Ransom.Win32.Gen 11.68 4 Stop/Djvu Trojan-Ransom.Win32.Stop 6.59 5 (generic verdict) Trojan-Ransom.Win32.Phny 6.53 6 (generic verdict) Trojan-Ransom.Win32.Crypmod 5.46 7 Magniber Trojan-Ransom.Win64.Magni 4.93 8 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 4.84 9 (generic verdict) Trojan-Ransom.Win32.Instructions 4.35 10 Hive Trojan-Ransom.Win32.Hive 3.87

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners Number of new miner modifications

In Q3 2022, Kaspersky systems detected 153,773 new miner mods. More than 140,000 of these were found in July and August; combined with June’s figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.

Number of new miner modifications, Q3 2022 (download)

Number of users attacked by miners

In Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. A quieter period from late spring through the early fall was followed by another increase in activity.

Number of unique users attacked by miners, Q3 2022 (download)

Geography of miner attacks

TOP 10 countries and territories attacked by miners

Country or territory* %** 1 Ethiopia 2.38 2 Kazakhstan 2.13 3 Uzbekistan 2.01 4 Rwanda 1.93 5 Tajikistan 1.83 6 Venezuela 1.78 7 Kyrgyzstan 1.73 8 Mozambique 1.57 9 Tanzania 1.56 10 Ukraine 1.54

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by criminals during cyberattacks Quarterly highlights

Q3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let’s begin with Microsoft Windows and some of its components. Researchers found new vulnerabilities that affected the CLFS driver: CVE-2022-30220, along with CVE-2022-35803 and CVE-2022-37969, both encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write their own data to arbitrary memory addresses, allowing cybercriminals to hijack kernel control and elevate their privileges in the system. Several vulnerabilities were discovered in the Print Spooler service: CVE-2022-22022, CVE-2022-30206, and CVE-2022-30226. These allow elevating the system privileges through a series of manipulations while installing a printer. Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation (CVE-2022-22047, CVE-2022-22049, and CVE-2022-22026), while CVE-2022-22038 affects remote procedure call (RPC) protocol, allowing an attacker to execute arbitrary code remotely. A series of critical vulnerabilities were discovered in the graphics subsystem, including CVE-2022-22034 and CVE-2022-35750, which can also be exploited for privilege escalation. Note that most of the above vulnerabilities require that exploits entrench in the system before an attacker can run their malware. The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, CVE-2022-34713 and CVE-2022-35743, which can be exploited to take advantage of security flaws in the link handler to remotely run commands in the system.

Most of the network threats detected in Q3 2022 were again attacks associated with brute-forcing passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common. The attempts at exploiting network services and other software via vulnerabilities in the Log4j library (CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105) also continued. Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver. These are CVE-2022-22028, which can lead to leakage of confidential information, as well as CVE-2022-22029, CVE-2022-22039 and CVE-2022-34715, which a cybercriminal can use to remotely execute arbitrary code in the system — in kernel context — by using a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability CVE-2022-34718, which allows in theory to remotely exploit a target system by taking advantage of errors in the IPv6 protocol handler. Finally, it is worth mentioning the CVE-2022-34724 vulnerability, which affects Windows DNS Server and can lead to denial of service if exploited.

Two vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082, received considerable media coverage. They were collectively dubbed “ProxyNotShell” in reference to the ProxyShell vulnerabilities with similar exploitation technique (they were closed earlier). Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use the loopholes to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to to extort money from the victim, etc.

Vulnerability statistics

In Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections — 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:

  • CVE-2018-0802 and CVE-2017-11882, in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code in the system;
  • CVE-2017-0199, which allows downloading and running malicious script files;
  • CVE-2022-30190, also known as “Follina”, which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) for running arbitrary programs in a vulnerable system even in Protected Mode or when macros are disabled;
  • CVE-2021-40444, which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022 (download)

These were followed by exploits that target browsers. Their share amounted to 6%, or 1% higher than in Q2. We will list the most serious vulnerabilities, all of them targeting Google Chrome:

  • CVE-2022-2294, in the WebRTC component, which leads to buffer overflow;
  • CVE-2022-2624, which exploits a memory overflow error in the PDF viewing component;
  • CVE-2022-2295, a Type Confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code in a sandbox;
  • CVE-2022-3075, an error linked to inadequate input validation in the Mojo interprocess communication component in Google Chromium-based browsers that allows escaping the sandbox and running arbitrary commands in the system.

Since many modern browsers are based on Google Chromium, attackers can often take advantage of the shared vulnerabilities to attack the other browsers as long as they run on one engine.

A series of vulnerabilities were identified in Microsoft Edge. Worth noting is CVE-2022-33649, which allows running an application in the system by circumventing the browser protections; CVE-2022-33636 and CVE-2022-35796, Race Condition vulnerabilities that ultimately allow a sandbox escape; and CVE-2022-38012, which exploits an application memory corruption error, with similar results.

The Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code in the system: CVE-2022-38476, a Race Condition vulnerability that leads to a subsequent Use-After-Free scenario, and the similar vulnerabilities CVE-2022-38477 and CVE-2022-38478, which exploit memory corruption. As you can see from our reports, browsers are an attractive target for cybercriminals, as these are widely used and allow attackers to infiltrate the system remotely and virtually unbeknownst to the user. That said, browser vulnerabilities are not simple to exploit, as attackers often have to use a chain of vulnerabilities to work around the protections of modern browsers.

The remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.

Attacks on macOS

The third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries.  In particular, researchers found Operation In(ter)ception, a campaign operated by North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.

CloudMensis, a spy program written in Objective-C, used cloud storage services as C&C servers and shared several characteristics with the RokRAT Windows malware operated by ScarCruft.

The creators of XCSSET adapted their toolset to macOS Monterey and migrated from Python 2 to Python 3.

In Q3, cybercrooks also began to make use of open-source tools in their attacks. July saw the discovery of two campaigns that used a fake VPN application and fake Salesforce updates, both built on the Sliver framework.

In addition to this, researchers announced a new multi-platform find: the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious mod of the Chinese MiMi instant messaging application.

TOP 20 threats for macOS Verdict %* 1 AdWare.OSX.Amc.e 14.77 2 AdWare.OSX.Pirrit.ac 10.45 3 AdWare.OSX.Agent.ai 9.40 4 Monitor.OSX.HistGrabber.b 7.15 5 AdWare.OSX.Pirrit.j 7.10 6 AdWare.OSX.Bnodlero.at 6.09 7 AdWare.OSX.Bnodlero.ax 5.95 8 Trojan-Downloader.OSX.Shlayer.a 5.71 9 AdWare.OSX.Pirrit.ae 5.27 10 Trojan-Downloader.OSX.Agent.h 3.87 11 AdWare.OSX.Bnodlero.bg 3.46 12 AdWare.OSX.Pirrit.o 3.32 13 AdWare.OSX.Agent.u 3.13 14 AdWare.OSX.Agent.gen 2.90 15 AdWare.OSX.Pirrit.aa 2.85 16 Backdoor.OSX.Twenbc.e 2.85 17 AdWare.OSX.Ketin.h 2.82 18 AdWare.OSX.Pirrit.gen 2.69 19 Trojan-Downloader.OSX.Lador.a 2.52 20 Downloader.OSX.InstallCore.ak 2.28

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As usual, our TOP 20 ranking for biggest threats encountered by users of Kaspersky security solutions for macOS were dominated by adware. AdWare.OSX.Amc.e, touted as “Advanced Mac Cleaner,” had taken the top place for a second quarter in a row. This application displays fake system issue messages, offering to buy the full version to fix those. Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

Country or territory* %** 1 France 1.71 2 Canada 1.70 3 Russia 1.57 4 India 1.53 5 United States 1.52 6 Spain 1.48 7 Australia 1.36 8 Italy 1.35 9 Mexico 1.27 10 United Kingdom 1.24

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

France, with 1.71%, was again the most attacked country by number of users. Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.

IoT attacks IoT threat statistics

In Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.

Telnet 75.92% SSH 24.08%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022

A majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.

Telnet 97.53% SSH 2.47%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022

TOP 10 threats delivered to IoT devices via Telnet

Verdict %* 1 Backdoor.Linux.Mirai.b 28.67 2 Trojan-Downloader.Linux.NyaDrop.b 18.63 3 Backdoor.Linux.Mirai.ba 11.63 4 Backdoor.Linux.Mirai.cw 10.94 5 Backdoor.Linux.Gafgyt.a 3.69 6 Backdoor.Linux.Mirai.ew 3.49 7 Trojan-Downloader.Shell.Agent.p 2.56 8 Backdoor.Linux.Gafgyt.bj 1.63 9 Backdoor.Linux.Mirai.et 1.17 10 Backdoor.Linux.Mirai.ek 1.08

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT-threat statistics are published in the DDoS report for Q3 2022.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

Countries and territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-attack sources country and territory, Q3 2022 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %** 1 Taiwan 19.65 2 Belarus 17.01 3 Serbia 15.05 4 Russia 14.12 5 Algeria 14.01 6 Turkey 13.82 7 Tunisia 13.31 8 Bangladesh 13.30 9 Moldova 13.22 10 Palestine 12.61 11 Yemen 12.58 12 Ukraine 12.25 13 Libya 12.23 14 Sri Lanka 11.97 15 Kyrgyzstan 11.69 16 Estonia 11.65 17 Hong Kong 11.52 18 Nepal 11.52 19 Syria 11.39 20 Lithuania 11.33

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

On average during the quarter, 9.08% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2022, our File Anti-Virus detected 49,275,253 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %** 1 Turkmenistan 46.48 2 Yemen 45.12 3 Afghanistan 44.18 4 Cuba 40.48 5 Tajikistan 39.17 6 Bangladesh 37.06 7 Uzbekistan 37.00 8 Ethiopia 36.96 9 South Sudan 36.89 10 Myanmar 36.64 11 Syria 34.82 12 Benin 34.56 13 Burundi 33.91 14 Tanzania 33.05 15 Rwanda 33.03 16 Chad 33.01 17 Venezuela 32.79 18 Cameroon 32.30 19 Sudan 31.93 20 Malawi 31.88

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

On average worldwide, Malware-class local threats were registered on 14.74% of users’ computers at least once during Q3. Russia scored 16.60% in this ranking.

IT threat evolution in Q3 2022. Mobile statistics

18 Listopad, 2022 - 09:05

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

  • A total of 5,623,670 mobile malware, adware, and riskware attacks were blocked.
  • Droppers (Trojan-Dropper), accounting for 26.28% of detections, were the most common threat to mobile devices.
  • 438,035 malicious installation packages were detected, of which:
    • 35,060 packages were related to mobile banking Trojans,
    • 2,310 packages were mobile ransomware Trojans.
Quarterly highlights

Judging by the number of attacks on mobile devices, cybercriminal activity stabilized in Q3 2022 after a gradual drop in the previous quarters. Over the three months, Kaspersky products prevented a total of 5.6 million mobile malware, adware, and riskware attacks.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2021 — Q3 2022 (download)

The new Triada Trojan, discovered inside a modified WhatsApp build, was an interesting find. It was notable for spreading via ads inside the popular Snaptube app and through the Vidmate internal store. Once on a device, the Trojan decrypts and runs a payload, which downloads and runs further malicious modules. The modules can display ads, subscribe the user to paid services, or download and run other malicious modules. Besides that, the Trojan steals various keys from the legitimate WhatsApp, potentially hijacking the account.

The Harly Trojan subscribers were another malware family spread via legitimate channels. These are published in Google Play under the guise of authentic apps, subscribing the unknowing user to paid services once installed. We have discovered 200 malicious applications of this type starting in 2020, and a total count of installations at the time of writing this report had exceeded 5 million.

One of the most recently detected Harly-type apps in Google Play, with more than 50,000 installations.

Google Play keeps getting new banking Trojans, such as new versions of the Trojan dropper that downloads and runs Sharkbot.

Despite a general decline in the number of mobile attacks, we can see that cybercriminals are using increasingly smarter tricks to deliver malware to user devices.

Mobile threat statistics

In Q3 2022, Kaspersky detected 438,035 malicious installation packages, which is 32,351 more than in the previous quarter and down 238,155 against Q3 2021.

Number of detected malicious installation packages, Q3 2021 — Q3 2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q2 and Q3 2022 (download)

Threats in the Trojan-Dropper class ranked first among all threats detected in Q3, with 26.28%, exceeding the previous quarter’s figure by 22.15 percentage points. Nearly half (45.33%) of all detected threats of that type belonged to the Ingopack family. These were followed by banking Trojan droppers from Wroba (41.24%) and Hqwar families (5.98%).

AdWare, the ex-leader, moved 2.5 percentage points down the rankings to second place with a share of 22.78%. A fourth of all detected threats of that class belonged to the Aldo family (25.64%).

Third place was taken by various Trojans with a cumulative share of 16.01%, which was 4.48 percentage points lower than in the previous quarter. Half of all detected threats of that class were objects from the Boogr family (50.16%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %* 1 DangerousObject.Multi.Generic 22.58 2 Trojan.AndroidOS.Generic 14.59 3 Trojan-Spy.AndroidOS.Agent.aas 8.51 4 Trojan-SMS.AndroidOS.Fakeapp.d 6.95 5 Trojan.AndroidOS.GriftHorse.l 5.57 6 Trojan-Dropper.AndroidOS.Hqwar.hd 2.94 7 DangerousObject.AndroidOS.GenericML 2.90 8 Trojan-Dropper.AndroidOS.Wroba.o 2.46 9 Trojan-Dropper.AndroidOS.Agent.sl 2.21 10 Trojan-Downloader.AndroidOS.Necro.d 1.93 11 Trojan-Dropper.AndroidOS.Agent.rv 1.84 12 Trojan-Banker.AndroidOS.Bian.h 1.71 13 Trojan-Downloader.AndroidOS.Agent.kx 1.69 14 Trojan-Dropper.AndroidOS.Hqwar.hc 1.66 15 Trojan.AndroidOS.Hiddad.hh 1.52 16 Trojan.AndroidOS.GriftHorse.ah 1.45 17 Trojan-SMS.AndroidOS.Agent.ado 1.41 18 Trojan-Dropper.AndroidOS.Hqwar.gen 1.39 19 Trojan-Dropper.AndroidOS.Triada.az 1.35 20 Trojan.AndroidOS.Soceng.f 1.33

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

First and second places went to DangerousObject.Multi.Generic (22.58%) and Trojan.AndroidOS.Generic (14.59%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technologies are used when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-Spy.AndroidOS.Agent.aas (8.51%), an evil twin of WhatsApp with a spy module built in, rose to third position. Trojan-SMS.AndroidOS.Fakeapp.d slid from second to fourth place with 6.95%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon. Members of the Trojan.AndroidOS.GriftHorse family, which subscribe the user to premium SMS services, took fifth and sixteenth places.

Malware from the Trojan-Dropper.AndroidOS.Hqwar family, used for unpacking and running various banking Trojans, occupied sixth, fourteenth, and eighteenth places. These attacked a combined 6% of all users who encountered malware.

The verdict of DangerousObject.AndroidOS.GenericML came seventh with 2.90%. This verdict is assigned to files recognized as malicious by our machine-learning systems. Eighth place was occupied by Trojan-Dropper.AndroidOS.Agent.sl (2.46%), a dropper that unpacks and runs the banking Trojan from the Roaming Mantis campaign. Roaming Mantis mainly attacks users in Japan and France. Another banking Trojan dropper, Trojan-Dropper.AndroidOS.Agent.sl, sunk to ninth place with 2.21%.

Trojan-Downloader.AndroidOS.Necro.d, used for downloading and running other forms of malware on infected devices, jumped from sixteenth to tenth place with 1.93%. Trojan-Dropper.AndroidOS.Agent.rv, a dropper that unpacks and runs various types of malware, took eleventh place with 1.84%.

Twelfth place saw the arrival of the banking Trojan, Trojan-Banker.AndroidOS.Bian.h, with 1.71%. Trojan-Downloader.AndroidOS.Agent.kx, an adware dropper, accounted for 1.69%, climbed from twentieth to thirteenth place. Trojan.AndroidOS.Hiddad.hh, an adware Trojan that mostly attacks users in Russia, Kazakhstan, and Ukraine, was fifteenth with 1.52%.

Trojan-SMS.AndroidOS.Agent.ado, known for sending text messages to premium-rate shortcodes, remained seventeenth with 1.41%. Nineteenth place, with 1.35%, was occupied by Trojan-Dropper.AndroidOS.Triada.az, a type of malware that decrypts and runs a payload capable of displaying ads on the lock screen, opening new browser tabs, gathering device information, and dropping other malicious code.

The last in the rankings (previously thirteenth) is Trojan.AndroidOS.Soceng.f with 1,33%. It sends text messages to the user’s contacts, deletes files on the memory card, and overlays the interfaces of popular apps with its own window.

Geography of mobile threats

TOP 10 countries and territories by share of users attacked by mobile malware

Countries and territories* %** 1 Iran 81.37 2 Yemen 18.91 3 Saudi Arabia 12.68 4 Oman 11.99 5 Algeria 11.93 6 Kenya 11.42 7 Nigeria 10.72 8 India 10.65 9 Egypt 9.39 10 Ecuador 8.66

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the rankings.
** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

The countries with the largest shares of attacked users and the most widespread threats in these regions remained unchanged in Q3 2022.

Iran came first with a record 81.37%, still plagued by the annoying adware modules from the AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen, where users were attacked mostly by Trojan-Spy.AndroidOS.Agent.aas, stayed at second place with 18,91%. In Saudi Arabia, which came third with 12.68%, users most commonly encountered adware from the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben families.

Mobile banking Trojans

The number of detected installation packages for mobile banking Trojans dropped to 35,060. This figure represents a decrease of 20,554 from Q2 2022, but a decrease of 22,963 from Q3 2021.

Two-thirds (66.20%) of the detected banking Trojan installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. These were followed by Trojan-Banker.AndroidOS.Bian with 5,46% and Trojan-Banker.AndroidOS.Fakecalls with 4,59%.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2021 — Q3 2022 (download)

Top 10 most common mobile bankers

Verdict %* 1 Trojan-Banker.AndroidOS.Bian.h 29.61 2 Trojan-Banker.AndroidOS.Anubis.t 10.67 3 Trojan-Banker.AndroidOS.Svpeng.q 7.72 4 Trojan-Banker.AndroidOS.Gustuff.d 5.35 5 Trojan-Banker.AndroidOS.Asacub.ce 4.18 6 Trojan-Banker.AndroidOS.Agent.eq 3.94 7 Trojan-Banker.AndroidOS.Agent.ep 3.21 8 Trojan-Banker.AndroidOS.Agent.cf 2.51 9 Trojan-Banker.AndroidOS.Faketoken.z 2.12 10 Trojan-Banker.AndroidOS.Hqwar.t 2.08

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

The three most-attacked countries in terms of affected users remained the same as in Q2 2022.

Geography of mobile bankers

TOP 10 countries and territories by shares of users attacked by mobile banking Trojans

Countries and territories* %** 1 Saudi Arabia 1.36 2 Spain 1.05 3 Australia 0.79 4 Turkey 0.41 5 Switzerland 0.20 6 Japan 0.11 7 France 0.08 8 Colombia 0.08 9 South Korea 0.07 10 Italy 0.04

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Saudi Arabia had the largest share (1.36%) of unique users who came across mobile financial threats in Q3 2022. Trojan-Banker.AndroidOS.Bian.h accounted for more than 99% of attacks in that country. Spain, formerly the hardest-hit country, had the second largest share (1.05%), with 93.46% of attacks linked to the same malware type. Australia again had the third-largest (0.79%) share, with 98.27% of attacks there involving Trojan-Banker.AndroidOS.Gustuff.d.

Mobile ransomware Trojans

We detected 2,310 mobile Trojan ransomware installers in Q3 2022, a decrease of 1,511 from Q2 2022 and a decrease of 3,847 year on year.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q3 2021 — Q3 2022 (download)

Top 10 most common mobile ransomware

Verdict %* 1 Trojan-Ransom.AndroidOS.Pigetrl.a 58.73 2 Trojan-Ransom.AndroidOS.Small.as 4.52 3 Trojan-Ransom.AndroidOS.Rkor.cw 4.17 4 Trojan-Ransom.AndroidOS.Rkor.cl 1.92 5 Trojan-Ransom.AndroidOS.Fusob.h 1.92 6 Trojan-Ransom.AndroidOS.Rkor.cm 1.60 7 Trojan-Ransom.AndroidOS.Rkor.da 1.60 8 Trojan-Ransom.AndroidOS.Rkor.bi 1.60 9 Trojan-Ransom.AndroidOS.Rkor.cx 1.57 10 Trojan-Ransom.AndroidOS.Small.ce 1.32

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware

TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans

Countries and territories* %** 1 Yemen 0.28 2 Kazakhstan 0.15 3 Saudi Arabia 0.02 4 Jordan 0.02 5 Switzerland 0.02 6 Azerbaijan 0.01 7 Kyrgyzstan 0.01 8 Egypt 0.01 9 Iran 0.01 10 Algeria 0.01

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.

Yemen (0.28%), Kazakhstan (0.15%) and Saudi Arabia (0.02%) had the largest shares of users attacked by mobile ransomware Trojans. Users in Yemen and Saudi Arabia most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.

IT threat evolution Q3 2022

18 Listopad, 2022 - 09:00

Targeted attacks CosmicStrand:  discovery of a sophisticated UEFI rootkit

In July, we reported a rootkit that we found in modified Unified Extensible Firmware Interface (UEFI) firmware, the code that loads and initiates the boot process when the computer is turned on. Rootkits are malware implants that are installed deep in the operating system. Difficult to detect, they ensure that a computer remains infected even if someone reinstalls the operating system or replaces the hard drive. However, they aren’t easy to create: the slightest programming error could crash the machine. Nevertheless, in our APT predictions for 2022, we noted that more attackers would reach the sophistication level required to develop such tools.

The main purpose of CosmicStrand is to download a malicious program at startup, which then performs the tasks set by the attackers. Having successfully passed through all stages of the boot process, the rootkit eventually runs a shell code and contacts the attackers’ C2 (Command-and-Control) server, from which it receives a malicious payload.

We were unable to intercept the file received by the rootkit from the C2 server. However, on one of the infected machines, we found malware that we think is probably related to CosmicStrand. This malware creates a user named “aaaabbbb” in the operating system with local administrator rights.

We identified targets of CosmicStrand, which we attribute to an unknown Chinese-speaking threat actor, in China, Vietnam, Iran and Russia. All of them were ordinary people using our free antivirus solution, seemingly unconnected with any organization of interest to a sophisticated attacker of this kind. It also turned out that the motherboards infected in all known cases came from just two manufacturers. Therefore, it’s likely that the attackers found some common vulnerability in these motherboards that made UEFI infection possible.

It’s also unclear how the attackers managed to deliver the malware. It’s possible that the attackers are able to infect UEFI remotely. Or that those infected had purchased a modified motherboard from a reseller.

Andariel deploys DTrack and Maui ransomware

On 6 July, the US CISA (Cybersecurity and Infrastructure Security Agency) published an alert in which they accused North Korean state-sponsored threat actors of using the Maui ransomware to target the US healthcare sector. While CISA offered nothing to substantiate its attribution, we determined that approximately 10 hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the same target, preceded by deployment of the 3proxy tool months earlier. We believe that this helps to solidify the attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly), with low-to-medium confidence.

Andariel’s primary tool is DTrack, used to collect information about the target, send it to a remote host and, in the case of the variant used in these attacks, store it on a remote host in the target network. When the attackers find noteworthy data, the Maui ransomware is deployed – it is typically detected on targeted hosts 10 hours after the activation of DTrack.

The attackers also use another tool, called 3Proxy, to maintain remote access to the compromised computer.

To infect target systems, the attackers exploit unpatched versions of public online services. In one such case, the malware was downloaded from an HFS (HTTP file server): the attackers used an unknown exploit that enabled them to run a PowerShell script from a remote server. In another, they were able to compromise a WebLogic server through an exploit for the CVE-2017-10271 vulnerability, which ultimately allowed them to run a script.

Our research revealed that, rather than just focusing on a particular industry, Andariel is ready to attack any company. We detected at least one attack on a housing company in Japan, as well as several targets in India, Vietnam and Russia.

VileRAT:  DeathStalker’s continuous strike at foreign and crypto-currency exchanges

In late August 2020, we published an overview of DeathStalker and its activities, including the Janicab, Evilnum and PowerSing campaigns. Later that year, we documented the PowerPepper campaign. We believe DeathStalker to be a group of mercenaries, offering hack-for-hire services, or acting as an information broker to support competitive and financial intelligence efforts. Meanwhile, in August 2020, we also released a private report on VileRAT for our threat intelligence customers. VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and cryptocurrency trading companies. We discovered it in Q2 2020 as part of an update of Evilnum, and attributed it to DeathStalker.

Since we first identified it, DeathStalker has continuously updated and used its VileRAT tool-chain against the same type of targets.

The threat actor has also sought to escape detection. However, the VileRAT campaign took this to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from DeathStalker. From state-of-the-art obfuscation with VBA and JavaScript, to multi-layered and low-level packing with Python, a robust multi-stage in-memory PE loader and security vendor-specific heuristic bypasses – the threat actor has left nothing to chance. On top of this, DeathStalker has developed a vast and quickly changing infrastructure as well.

On the other side, there are some glitches and inconsistencies. VileRAT, the final payload in the tool-chain is more than 10MB in size. The group uses simple infection vectors, many suspicious communication patterns, noisy and easy-to-identify process executions or file deployments, as well as sketchy development practices leaving bugs that require frequent implant updates.  For these reasons, an effective endpoint solution will still be able to detect and block most VileRAT-related malicious activities.

Using only data that we could verify with our own telemetry, we identified 10 organizations compromised or targeted by DeathStalker since 2020 – in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the UAE and the Russian Federation.

We do not know what DeathStalker’s principal intention is in targeting these organizations: this could range from due diligence, asset recovery, information gathering in the context of litigation or arbitration cases, aiding customers to bypass sanctions and/or spying on targets’ customers. However, it does not appear to be direct financial gain.

Kimsuky’s GoldDragon cluster and C2 operations

Kimsuky is a prolific and active threat actor primarily targeting North Korea-related entities. Like other sophisticated adversaries, this group updates its tools frequently. We recently had the chance to investigate how the threat actor configures its GoldDragon cluster and what kind of tricks it uses to confirm and further validate its victims. The Kimsuky group has configured multi-stage C2 servers with various commercial hosting services located around the world.

The attacks occur in several stages. First, the threat actor sends a spear-phishing email to the potential victim with a lure to download additional documents. If the victim clicks the link, it results in a connection to the first-stage C2 server, with an email address as a parameter. The first-stage C2 server verifies that the incoming email address parameter is expected and delivers the malicious document if it’s in the target list. The first-stage script also forwards the victim’s IP address to the next-stage server. When the fetched document is opened, it connects to the second C2 server. The corresponding script on the second C2 server checks the IP address forwarded from the first-stage server to verify that it’s an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not. On top of that, the operator relies on several other processes to carefully deliver the next payload. Another C2 script on the second C2 server checks the operating system type and predefined user-agent strings to filter out requests from security researchers or auto-analysis systems.

Based on the contents of the decoy document, we hypothesize that the targets of this operation are people or entities related to political or diplomatic activities. We know that historically politicians, diplomats, journalists, professors and North Korean defectors have been prime targets of the Kimsuky group. The email address names from the C2 scripts help to confirm this hypothesis.

Our research underlines how Kimsuky pays close attention to validating its victims and delivering the next-stage payloads to them, while taking steps to make analysis difficult.

Targeted attacks on industrial enterprises

In August, Kaspersky ICS CERT experts reported a wave of targeted attacks on military industrial complex enterprises and public institutions in Belarus, Russia, Ukraine and Afghanistan. The attacks, which took place earlier this year, affected industrial plants, design bureaus and research institutes, government agencies, ministries and departments. We identified more than a dozen targets, and observed significant overlaps in TTPs (Tactics, Techniques and Procedures) with the threat actor TA428.

The attackers gained access to the enterprise network using carefully crafted phishing emails. Some of the information they contained is not publicly available, indicating that the attackers conducted reconnaissance ahead of the attack, possibly using information obtained in earlier attacks on the target organization or others associated with the target. Microsoft Word documents attached to the phishing emails contained malicious code that exploits the CVE-2017-11882 vulnerability, which enables an attacker to execute arbitrary code – in this case, the main module of the PortDoor backdoor – without any additional user action.

The attackers used five different backdoors at the same time – probably for redundancy. They provide extensive functionality for controlling infected systems and collecting confidential data. Once they have gained initial access, the attackers attempt to spread to other computers on the network. Once they have obtained domain administrator privileges, they search for, and exfiltrate, sensitive data to their servers hosted in different countries – these servers are also used as first-stage C2 servers. The attackers compress stolen files into encrypted and password-protected ZIP archives. After receiving the data, the first-stage C2 servers forward the archives to a second-stage server located in China.

Other malware Prilex: the pricey prickle credit card complex

Prilex, active since 2014, is a well-known threat actor targeting ATMs and Point of Sale (PoS) terminals. In 2016, the group began to focus all its activities on PoS systems. Since then the group has greatly improved its malware: it develops complex threats and poses a major threat to the payment chain. Prilex is now conducting so-called “GHOST” attacks – fraudulent transactions using cryptograms, which are pre-generated by the victim’s card during the store payment process.

The group delivers its malware using social engineering. The cybercriminals call their chosen target and tell them their PoS software needs to be updated by a technician. Later, the fake technician goes to the targeted company in person and infects the machines. Alternatively, they persuade the target to install AnyDesk and use this to install the malware remotely.

Prior to striking victims, the cybercriminals perform an initial screening of the machine, in order to check the number of transactions that have already taken place and whether this target is worth attacking. If so, the malware captures any running transaction and modifies its content in order to be able to capture the card information. All the captured card details are then saved to an encrypted file, which is later sent to the attackers’ server, allowing them to make transactions through a fraudulent PoS device registered in the name of a fake company.

Having attacked one PoS system, the cybercriminals obtain data from dozens, or even hundreds, of cards daily. It is especially dangerous if the infected machines are located in popular shopping malls in densely populated cities, where the daily flow of customers can reach thousands of people.

In our recent investigation, we discovered that the Prilex group is controlling the development lifecycle of its malware using Subversion – used by professional development teams. Moreover, there is also a supposed official Prilex website selling its malware kits to other cybercriminals as Malware-as-a-Service (MaaS). Prilex has previously sold various versions of its malware on the dark web, for example, in 2019 a German bank lost more than €1.5 million in a similar attack by the Prilex malware. The development of its MasS operation means that highly sophisticated and dangerous PoS malware could spread to many countries, increasing the risk of multimillion-dollar losses for businesses all around the world.

We also discovered web sites and Telegram chats where cybercriminals sell Prilex malware. Posing as the Prilex group itself, they offer the latest versions of PoS malware, costing from $3,500 to $13,000. We are not sure about the real ownership of these web sites, as they could be copycats.

Luna and Black Basta: new ransomware for Windows, Linux and ESXi

Ransomware groups have increasingly targeted not only Windows computers, but also Linux devices and ESXi virtual machines. We highlighted one example earlier this year – the BlackCat gang, which distributes malware written in the cross-platform language Rust. We recently analyzed two other malware families that provide similar functionality: Black Basta and Luna.

Black Basta, first discovered in February, exists in versions for Windows and for Linux – the latter primarily targeting ESXi virtual machine images. One of the key features of the Windows version is that it boots the system in Safe Mode before encrypting data: this allows the malware to evade detection by security solutions, many of which don’t work in Safe Mode.

At the time we published our report, Black Basta operators had released information on 40 victims, among them manufacturing and electronics firms, contractors, and others, located in the US, Australia, Europe, Asia and Latin America.

Luna, discovered in June and also written in Rust, is able to encrypt both Windows and Linux devices, as well as ESXi virtual machine images. In an advert on the dark web, the cybercriminals claim to co-operate only with Russian-speaking partners. This means that the targets of interest to the attackers are most likely located outside the former Soviet Union. This is also borne out by the fact that the ransom note embedded into the code of the ransomware is written in English, albeit with mistakes.

Malicious packages in online code repositories

In July, we reported a malicious campaign that we named LofyLife. Using our internal automated system for monitoring open-source repositories, our researchers identified four malicious packages spreading Volt Stealer and Lofy Stealer malware in the npm repository.

The identified malicious packages appeared to be used for ordinary tasks such as formatting headlines or certain gaming functions. The “formatting headlines” package was in Brazilian Portuguese with a “#brazil” hashtag, suggesting that the attackers were seeking to target people based in Brazil. Other packages were presented in English, so they could be targeting users from other countries.

The packages contained highly obfuscated malicious JavaScript and Python code. This made them harder to analyze when being uploaded to the repository. The malicious payload consisted of malware written in Python dubbed Volt Stealer – an open-source malicious script – and JavaScript malware dubbed Lofy Stealer. Volt Stealer was used to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP. Lofy Stealer infects Discord client files and monitors the victim’s actions, detecting when a person logs in, changes the registered email or password, enables or disables multi-factor authentication and adds new payment methods (in which case the malware steals full credit card details). It uploads collected information to a remote endpoint.

The npm repository is an open-source home for JavaScript developers to share and reuse code for building various web applications. As such, it represents a significant supply chain that, if exploited by attackers, can be used to deliver malware to many people. This is not the first time we’ve seen an npm package poisoned in this way.

npm is not the only such code repository to have been targeted recently. In August, Check Point published a report on 10 malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers’ personal data and credentials. Following this research, we discovered two other malicious Python packages in the PyPI, masquerading as one of the most popular open-source packages named “requests“.

The attacker used a description of the legitimate “requests” package in order to trick victims into installing a malicious one. In addition, the description contained fake statistics and the project description referenced the web pages of the original “requests” package, as well as the author’s email. All mentions of the legitimate package’s name were replaced with the name of the malicious one.

Cyberthreats facing gamers

The gaming industry is huge and growing. The industry attracts an audience of more than 3 billion people worldwide – a huge pool of potential victims for cybercriminals who target this sector. Cybercriminals make extensive use of social engineering tricks to entice potential victims into installing malware: the promise of an Android version of a game that’s not on Google Play; the chance to play games for free; access to game cheats; etc.

We recently published our report on gaming-related threats in 2021–22. Here are some of the key headlines:

  • In the year up to June 2022, Kaspersky blocked gaming-related malware and unwanted software on the computers of 384,224 people, with 91,984 files distributed under the guise of 28 games.
  • The top five PC games used as bait in these attacks were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty.
  • The top five mobile games used as a lure to target gamers were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA.
  • Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security. In the year to June 2022, we detected 3,154 unique files of this type, affecting 13,689 people.
  • Miners pose an increasing threat, with Far Cry, Roblox, Minecraft, Valorant and FIFA heading the list of games and game series that cybercriminals used as a lure for such threats.

Among the top threats is RedLine, which we deemed worthy of a separate report. The attackers distribute this password-stealing Trojan under the guise of game cheats in an attempt to steal accounts, card numbers, crypto-wallets and more. They post videos on YouTube purportedly about how to use cheats in popular online games such as Rust, FIFA 22, DayZ and others. The videos prompt the victim to follow a link in the description to download and run a self-extracting archive.

The Trojan, once installed, steals account passwords, credit card details, session cookies and more. RedLine is also able to execute commands on the computer, as well as download and install other programs onto the infected machine.

RedLine also comes with a cryptocurrency miner. Gaming computers are a logical target for cybercriminals, since they typically have powerful GPUs – useful for cryptocurrency mining.

In addition to losing sensitive data, the player’s reputation is at stake. RedLine downloads videos from the C2 server and posts them on the victim’s YouTube channel – the same video that led the gamer to become infected. In this way, they become the means by which other gamers become infected.

NullMixer: oodles of Trojans in a single dropper

Trying to save money by using unlicensed software can be costly: a single file downloaded from an unreliable source can result in system compromise. In September, we published our analysis of NullMixer, a Trojan dropper designed to drop a wide variety of malware families.

NullMixer spreads via malicious web sites that can be accessed using standard search engines. Often, the web sites host “cracks”, “keygens” and activators for downloading software illegally: they pretend to be legitimate, but actually contain a malware dropper. They stay at the top of search engine results using SEO.

When someone attempts to download software from one of these sites, they are redirected multiple times, ending up on a page containing download instructions and archived password-protected malware masquerading as the desired piece of software. When they extract and execute the file, the malware drops a number of malicious files to the compromised machine. The malware families dropped onto the computer include SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine (described above), Fabookie and ColdStealer, consisting of backdoors, spyware, bankers, credential stealers, droppers and more.

Once all the dropped files have been launched, the NullMixer starter beacons to the C2 to confirm the successful installation. The dropped files are then left to their own devices.

Since the beginning of the year, we have blocked attempts to infect more than 47,778 people worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the US.

Many of the malware families dropped by NullMixer are downloaders, which suggests that infections will not be limited to the malware families described in our report. Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a local network.

Potential threat in the browser

Browser extensions are very useful for blocking ads, keeping a to-do list, spellchecking, translating text and much more. They are also popular: Chrome, Safari, Mozilla and other browsers have their own online stores distributing thousands of extensions – and the most popular plug-ins there reach over 10 million people. However, extensions are not always secure; and even seemingly innocent add-ons can present a real risk.

Malicious and unwanted add-ons promote themselves as useful, and often do have legitimate functions implemented along with malicious ones. Some impersonate popular legitimate extensions. Often, such add-ons are distributed through official marketplaces. In 2020, Google removed 106 browser extensions from its Chrome Web Store – all siphoned off sensitive user data, such as cookies and passwords, and even took screenshots. These extensions had been downloaded 32 million times.

It’s always good to check the permissions an extension requests during installation. And if it’s asking for permission to do things that don’t seem appropriate, don’t install it. For example, a browser calculator that asks for access to geolocation or browsing history. However, it’s not always so clear. Often the wording is so vague that it is impossible to tell exactly how secure an extension is. Basic extensions often require permission to “read and change all your data on the websites you visit”. They may really need it in order to function properly, but this permission gives the extension wide powers.

Even if not malicious, they can still be dangerous. Many collect massive amounts of data from web pages people visit. To earn more money, some developers may pass it on to third parties or sell it to advertisers. If that data is not anonymized properly, information about web sites that people visit and what they do there could be exposed to third parties.

Extension developers are also able to push updates without requiring any action by the person who installed it. Even a legitimate extension could be later hijacked to install malware.

We recently published an overview of the types of threat that mimic useful web-browser extensions and statistics on attacks, using data from the Kaspersky Security Network (KSN), for the period between January 2020 and June 2022.

In the first half of this year, 1,311,557 people tried to download malicious or unwanted extensions at least once, which is more than 70 percent affected by the same threat in the whole of last year.

From January 2020 to June 2022, adware hiding in browser extensions affected more than 4.3 million people, which is approximately 70 percent of all people affected by malicious and unwanted add-ons.

The most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect people to affiliate links.

DTrack activity targeting Europe and Latin America

15 Listopad, 2022 - 11:00

Introduction

DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, we’ve seen it being used in financial environments where ATMs were breached, in attacks on a nuclear power plant and also in targeted ransomware attacks. Essentially, anywhere the Lazarus group believes they can achieve some financial gain.

DTrack allows criminals to upload, download, start or delete files on the victim host. Among those downloaded and executed files already spotted in the standard DTrack toolset there is a keylogger, a screenshot maker and a module for gathering victim system information. With a toolset like this, criminals can implement lateral movement into the victims’ infrastructure in order to, for example, retrieve compromising information.

As part of our crimeware reporting service, we published a new private report about recent Dtrack activity. In this public article we highlight some of the main findings shared in that report. For more information about our crimeware reporting service, please contact crimewareintel@kaspersky.com.

So, what’s new?

DTrack itself hasn’t changed much over the course of time. Nevertheless, there are some interesting modifications that we want to highlight in this blogpost. Dtrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts.

First stage – implanted code

DTrack unpacks the malware in several stages. The second stage is stored inside the malware PE file. To get it, there are two approaches:

  • offset based;
  • resource based.

The idea is that DTrack retrieves the payload by reading it from an offset within the file or by reading it from a resource within the PE binary. An example of a decompiled pseudo function that retrieves the data using the offset-based approach can be found below.

Example of DTrack offset-oriented retrieval function

After retrieving the location of the next stage and its key, the malware then decrypts the buffer (with a modified RC4 algorithm) and passes control to it. To figure out the offset of the payload, its size and decryption keys, DTrack has a special binary (we have dubbed it ‘Decrypt config’) structure hidden in an inconspicuous part of the PE file.

Second stage – shellcode

The second stage payload consists of heavily obfuscated shellcode as can be seen below.

Heavily obfuscated second stage shellcode

The encryption method used by the second layer differs for each sample. So far, we have spotted modified versions of RC4, RC5 and RC6 algorithms. The values of the third stage payload and its decryption key are obtained by reading Decrypt config again.

One new aspect of the recent DTrack variants is that the third stage payload is not necessarily the final payload; there may be another piece of binary data consisting of a binary configuration and at least one shellcode, which in turn decrypts and executes the final payload.

Third stage – shellcode and final binary

The shellcode has some quite interesting obfuscation tricks to make analysis more difficult. When started, the beginning of the key (used to decrypt the final payload) is searched for. For example, when the beginning of the key is 0xDEADBEEF, the shellcode searches for the first occurrence of 0xDEADBEEF.

Chunk decryption routine example

Once the key is found, the shellcode uses it to decrypt the next eight bytes after the key, which form yet another configuration block with final payload size and its entry point offset. The configuration block is followed by an encrypted PE payload that starts at the entry point offset after decryption with the custom algorithm.

Final payload

Once the final payload (a DLL) is decrypted, it is loaded using process hollowing into explorer.exe. In previous DTrack samples the libraries to be loaded were obfuscated strings. In more recent versions they use API hashing to load the proper libraries and functions. Another small change is that three C2 servers are used instead of six. The rest of the payload’s functionality remains the same.

Infrastructure

When we look at the domain names used for C2 servers, a pattern can be seen in some cases. For example, the actors combine a color with the name of an animal (e.g., pinkgoat, purplebear, salmonrabbit). Some of the peculiar names used in the DTrack infrastructure can be found below:

Domain IP First seen ASN pinkgoat.com 64.190.63.111 2022‑03‑03 15:34 AS47846 purewatertokyo.com 58.158.177.102 2022‑05‑20 16:07 AS17506 purplebear.com 52.128.23.153 2021‑01‑08 08:37 AS19324 salmonrabbit.com 58.158.177.102 2022‑05‑20 09:37 AS17506 Victims

According to KSN telemetry, we have detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States, indicating that DTrack is spreading into more parts of the world. The targeted sectors are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers and telecommunications.

Conclusions

The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed show that Lazarus still sees DTrack as an important asset. Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.

IOCs

C2 domains
pinkgoat[.]com
purewatertokyo[.]com
purplebear[.]com
salmonrabbit[.]com

MD5
1A74C8D8B74CA2411C1D3D22373A6769
67F4DAD1A94ED8A47283C2C0C05A7594

Advanced threat predictions for 2023

14 Listopad, 2022 - 09:00

It is fair to say that since last year’s predictions, the world has dramatically changed. While the geopolitical landscape has durably shifted, cyberattacks remain a constant threat and show no signs of receding – quite the contrary. No matter where they are, people around the world should be prepared for cybersecurity incidents. A useful exercise in that regard is to try to foresee the future trends and significant events that might be coming in the near future.

We polled our experts from the GReAT team and have gathered a small number of key insights about what APT actors are likely to focus on in 2023. But first, let’s examine how they fared with the predictions for 2022.

What we predicted in 2022 Mobile devices exposed to wide attacks

Although 2022 did not feature any mobile intrusion story on the scale of the Pegasus scandal, a number of 0-days have still been exploited in the wild by threat actors. Last June, Google’s TAG team released a blog post documenting attacks on Italian and Kazakh users that they attribute to RCS Lab, an Italian offensive software vendor. In another publication, Google also followed up on the activities of a similar vendor named Cytrox that had leveraged four 0-day vulnerabilities in a 2021 campaign.

The cyber-offense ecosystem still appears to be shaken by the sudden demise of NSO Group; at the same time, these activities indicate to us that we’ve only seen the tip of the iceberg when it comes to commercial-grade mobile surveillance tooling. It’s also likely that the remaining actors will make every effort to reduce their public exposure from now on, limiting our visibility into their activities.

From a different angle, reporting from The Intercept revealed mobile surveillance capabilities available to Iran for the purposes of domestic investigations that leverage direct access to (and cooperation of) local telecommunication companies. Looking back at past leaks of private companies providing such services, such as in the case of Hacking Team, we learned that many states all over the world were buying these capabilities, whether to complement their in-house technologies or as a stand-alone solution they couldn’t develop. This reveals a likely blind spot for defenders and endpoint vendors: in a number of cases, perhaps even the majority, attackers have no need for 0-days and malware deployment to gain access to the information they need. This story also raises questions about whether attackers who have breached telecommunication companies would also be able to leverage these legal interception systems.

Verdict: some incidents, but no major event ❌

Private sector supporting an influx of new APT players

The previous discussion covered a number of private companies that have filled the void left by NSO and have made a business of providing offensive software to their customers. In 2022, the GReAT team tracked several threat actors leveraging SilentBreak’s toolset as well as a commercial Android spyware we named MagicKarakurt. One question mark here is that it’s difficult to tell whether we’re seeing new APT actors being bootstrapped by commercial toolsets, or established ones updating their TTPs.

BruteRatel, an attack tool comparable to CobaltStrike, remains on our radar when it comes to APT adoption. A recent leak has put it in the hands of cybercrime actors and it is very likely that by the end of the year we will see it involved in APT cases too.

A worrying trend we did not explicitly mention is underlined by a Meta report published shortly after last year’s predictions. In the report, they describe the emergence of a “surveillance-for-hire” sector composed of companies all around the world that provide cyber-offensive services for (hopefully) law-enforcement customers. In practice, Facebook found that not only criminals or terrorists were targeted by such groups, but journalists, dissidents and human rights activists as well. Our own research confirms that mercenary threat actors such as DeathStalker were very active in 2022.


Source: Meta

Verdict: prediction fulfilled ✅

More supply chain attacks

Following the SolarWinds incident, we foresaw that attackers would notice the enormous potential of the supply chain attack vector. In 2022, we spotted malicious Python packages distributed through the PyPI archive (CheckPoint also detected 10 of them). As Cisco Talos notes, Python is not alone in this: NPM, NuGet or RubyGems are all potential candidates for such attacks and all it would take for a catastrophic event would be the compromise of a single developer’s credentials. Doubling down on developer-specific threats, IBM presented noteworthy research at this year’s edition of BlackHat, evidencing how source code management or continuous integration systems could be leveraged by attackers.

Another aspect of supply chain security is the reliance on open-source software components that may contain vulnerabilities: this was the root cause of a Zimbra 0day massively exploited in the wild this year.

When it comes to stealthy malware pushed to customers in the form of a software update however, we are not aware of any significant event in 2022, so we’ll only count this prediction as partially accomplished.

Verdict: prediction partially fulfilled &#x1f197; (more cases, no major event)

Continued exploitation of remote work

The reasoning behind this prediction is that we expected that in 2022, companies would still be lagging behind the transformative effects the COVID-19 crisis had on work organization. In many cases, this led to a rushed deployment of remote access means for employees, in the form of appliances that could be misconfigured, or hadn’t received much security attention until now.

A massive number of vulnerabilities were patched in such devices this year (firewalls, routers, VPN software…) – whether or not each of these vulnerabilities were exploited in the wild before being discovered, they affect devices that are not typically updated in a timely fashion and become prime targets for hackers immediately after vulnerability details are published. Such discoveries usually lead to massive and indiscriminate exploitation, and compromised machines are sold on dark markets to secondary buyers for the purposes of ransomware deployment.

Our own telemetry also confirms that RDP brute-force attacks have remained predominant throughout 2022.

Verdict: prediction fulfilled ✅

Increase in APT intrusions in the META region, especially Africa

At the end of last year, we expected the rise of Africa to be one of the major geopolitical events of the year in lieu of the ever-increasing investment and relationships with China and the Middle East.

We have indeed seen an increase in the number of persistent, sophisticated attacks targeting various states in META and specifically Africa. Starting from the most recent publication about Metador targeting telecommunication companies, HotCousin expanding its operations to this region, the numerous campaigns deploying various IIS backdoors, DeathStalker and Lazarus attacking multiple industries there and a mysterious SSP-library backdoor discovered on governmental and non-profit entities, we saw quite a few new threats active in the region over the last year.

Statistically speaking, we released information about an increase of backdoor infections on the continent. While such raw statistics are difficult to interpret and are not necessarily linked to strong APT activity, it could correlate to the increase in APT attacks we’ve seen in the region in 2022.

One glaring example is Iran, which faced a series of spectacular hacks and sabotages. Its atomic energy agency, live television and steel industry have been targeted, among others.

Verdict: prediction fulfilled ✅

Explosion of attacks against cloud security and outsourced services

One of the major cyber-incidents of 2022 took place early this year: the Okta hack. Okta was breached through one of its service providers, Sitel, itself compromised via the insecure VPN gateway of a recently acquired company. Fortunately for them, the hacker appears to have been a lone 16-year-old. Unfortunately for us, it demonstrates how easy it must be for sophisticated attackers to penetrate (and, in all likelihood, remain undetected) major platforms. Okta is a widely used authentication services provider, and it is safe to assume that a hacker controlling their network would be able to infect any of their customers.

In related news, CISA released an advisory in May warning managed service providers that they saw an increase of malicious activity targeting their sector. Beyond this, we also saw reports of important data leaks related to misconfigured AWS S3 buckets, although those are nothing new. Overall, we count this prediction as having turned out to be accurate.

Verdict: prediction fulfilled ✅

The return of low-level attacks: bootkits are ‘hot’ again

In line with our predictions, we released two blog posts in 2022 introducing sophisticated low-level bootkits. The first one, in January, was MoonBounce; the other was CosmicStrand in July 2022. In both cases, we described new UEFI firmware bootkits that managed to propagate malicious components from the deepest layers of the machine up to Windows’ user-land. Amn Pardaz also released a report about a malicious program called iLOBleed, which affects a management module present on HP servers and should be counted in the same category. Such highly sophisticated implants remain rare, and witnessing three separate cases in a single year is significant.

Worthy of mention is Binarly’s excellent work on firmware vulnerability research with 22 high-severity vulnerabilities discovered in low-level components for 2022, indicating an enormous attack surface remains. As Gartner once put it: “There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.”

Verdict: prediction fulfilled ✅

States clarify their acceptable cyber-offense practices

The rise of hacker indictments as part of states’ retorsion measures led us to believe that each of them would be forced to clarify their vision of what acceptable behavior in cyberspace is. Indeed, since most states admit to having their own cyber-offense program, there is a need to clarify why their own activities are tolerable while those of their adversaries deserve legal action. We therefore expected various parties to release a sort of taxonomy indicating which types of ends would justify the means.

Shortly after the release of our predictions (yet still in 2021), the UK released its Integrated Review of Security, Defence, Development and Foreign Policy in which it describes its vision of what a “responsible democratic cyber power” should be. No other country followed suit. With many key “cyber powers” engaged one way or another in the Ukrainian conflict, cyber-diplomacy has unfortunately taken a back seat and we are seeing less transparency (as well as less calls for transparency) in the cyber realm. In the end, our assessment that the world was moving towards a clarification of cyber-policies didn’t come to pass.

Verdict: very limited fulfillment of the prediction ❌

APT predictions for 2023

And now, we turn our attention to the future. Here are the developments we think we could be seeing in 2023.

The rise of destructive attacks

2022 bore witness to brutal geopolitical shifts that will echo for years to come. History shows that such tensions always translate to increased cyber-activities – sometimes for the purpose of intelligence gathering, sometimes as a means of diplomatic signaling. With the antagonism between the West and the East having reached the maximum possible level short of open conflict, we unfortunately expect 2023 will feature cyberattacks of unprecedented gravity.

Specifically, we foresee that a record number of disruptive and destructive cyberattacks will be observed next year, affecting both the government sector and key industries. One caveat is that in all likelihood, a proportion of them will not be easily traceable to cyber-incidents and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations in order to provide plausible deniability for their real authors.

In addition, we also fear that a limited number of high-profile cyberattacks against civilian infrastructure (energy grid or public broadcasting for instance) will take place. A last point of concern is the safety of underwater cables and fiber distribution hubs in such a context, as they are particularly difficult to protect from physical destruction.

Mail servers become priority targets

In the past years, we have seen vulnerability researchers increasingly focus on emailing software. The reason is simple: they represent huge software stacks that must support many protocols and have to be internet-facing to operate properly. The market leaders, Microsoft Exchange and Zimbra have both faced critical vulnerabilities (pre-authentication RCEs) that were exploited, sometimes massively, by attackers before a patch was available.

We believe that research into mail software vulnerabilities is only getting started. Mail servers have the double misfortune of harboring key intelligence of interest to APT actors and having the biggest attack surface imaginable. 2023 will very likely be a year of 0-days for all major email software. We encourage system administrators to immediately set up monitoring for these machines, due to the unlikelihood that patching (even in a timely fashion) will be sufficient to protect them.

The next WannaCry

Statistically, some of the largest and the most impactful cyber epidemics occur every 6-7 years. The last incident of the sort was the infamous WannaCry ransomware-worm, leveraging the extremely potent EternalBlue vulnerability to automatically spread to vulnerable machines.

Fortunately, vulnerabilities that enable the creation of worms are rare and far-between, and need to meet a number of conditions to be suitable (reliability of the exploit, stability of the target machine, etc.). It is extremely difficult to predict when such a bug will be discovered next, but we will take a wild guess and mark it up for next year. One potential reason increasing the likelihood of such an event is the fact that the most sophisticated actors in the world likely possess at least one suitable exploit of the sort, and current tensions greatly increase the chance that a ShadowBrokers-style hack-and-leak (see below) could take place.

APT targeting turns toward satellite technologies, producers and operators

It is nearly 40 years since the US’s Strategic Defense Initiative (nicknamed “Star Wars”) contemplated extending military capabilities to include space technologies. While such things may have seemed a little far-fetched in 1983, there have been several instances where countries have successfully interfered with satellites orbiting the earth.

Both China and Russia have used ground-based missiles to destroy their own satellites. There have also been claims that China has launched a satellite with a grappling arm that could be used to interfere with orbiting equipment and that Russia may have developed the same technology. We have already seen the hijacking of satellite communications by an APT threat actor.

If the Viasat incident is any indication, it is likely that APT threat actors will increasingly turn their attention to the manipulation of, and interference with, satellite technologies in the future, making the security of such technologies ever more important.

Hack-and-leak is the new black (and bleak)

There is still much debate regarding whether “cyberwar” indeed took place in the context of the Ukrainian crisis. It is however clear that a new form of hybrid conflict is currently unfolding, involving (among many things) hack-and-leak operations.

This modus operandi involves breaching a target and releasing internal documents and emails publicly. Ransomware groups have resorted to this tactic as a way to apply pressure on victims, but APTs may leverage it for purely disruptive ends. In the past, we’ve seen APT actors leak data about competing threat groups, or create websites disseminating personal information. While it is difficult to assess their effectiveness from the sidelines, there’s no doubt they’re part of the landscape now and that 2023 will involve a high number of cases.

More APT groups will move from CobaltStrike to other alternatives

CobaltStrike, released in 2012, is a threat emulation tool designed to help red teams understand the methods an attacker can use to penetrate a network. Unfortunately, along with the Metasploit Framework, it has since become a tool of choice for cybercriminal groups and APT threat actors alike. However, we believe that a number of threat actors will begin to use other alternatives.

One of these alternatives is Brute Ratel C4, a commercial attack simulation tool that is especially dangerous since it has been designed to avoid detection by antivirus and EDR protection. Another is the open-source offensive tool Sliver.

In addition to off-the-shelf products abused by threat actors, there are other tools that are likely to be included in APT toolsets. One of these, Manjusaka, is advertised as an imitation of the Cobalt Strike framework. The implants of this tool are written in the Rust language for Windows and Linux. A fully functional version of the C&C written in Golang is freely available and can easily generate new implants with custom configurations. Another is Ninja, a tool that provides a large set of commands, which allows attackers to control remote systems, avoid detection and penetrate deep inside a target network.

Overall, we suspect that CobaltStrike is receiving too much attention from defenders (especially when it comes to the infrastructure), and that APTs will make attempts to diversify their toolsets in order to remain undetected.

SIGINT-delivered malware

It has been almost 10 years since the Snowden revelations shed light on the FoxAcid/Quantum hacking system used by the NSA. They involve leveraging “partnerships with US telecoms companies” to place servers in key positions of the internet backbone, allowing them to perform man-on-the-side attacks. This is one of the most potent attack vectors imaginable, as they allow victims to be infected without any interaction. In 2022, we saw another threat actor replicate this technique in China, and there is little doubt in our minds that many groups have worked tirelessly to acquire this capability. While deploying it at scale requires political and technological power available to few, it is likely that by now, Quantum-like tools would be implemented on the local level (i.e., at country level, by relying on national ISPs).

Such attacks are extremely hard to spot, but we predict that their becoming more widespread will lead to more discoveries in 2023.

Drone hacking!

Despite the flashy title, we’re not talking about hacks of unmanned aircrafts used for surveillance or even military support (although that could happen too). This final prediction concerns itself with the other way around: the use of commercial-grade drones to enable proximity hacking.

Year after year, drones available to the general public gain additional range and capabilities. It wouldn’t take too much work to mount one of them with a rogue Wi-Fi access point or an IMSI catcher; or sufficient tooling that would allow the collection of WPA handshakes used for offline cracking of Wi-Fi passwords. Another attack scenario would be using drones to drop malicious USB keys in restricted areas, in the hope that a passer-by would pick them up and plug them into a machine. All in all, we believe this to be a promising attack vector, likely to be used by bold attackers or specialists already adept at mixing physical- and cyber-intrusion.

See you next year to see how we fared!

The state of cryptojacking in the first three quarters of 2022

10 Listopad, 2022 - 09:00

Cryptocurrency prices were dropping from the end of 2021 and throughout the first half of 2022. Although finance experts and retail investors estimate crypto to have a solid chance of recovery in the long term, at the time of writing this report the prices remain low. However, cybercriminals are capitalizing on this vulnerable industry more than ever. From advanced APT campaigns targeting crypto organizations (BlueNoroff, NaiveCopy, etc) to various types of hastily made crypto scams, we observe threat actors diversifying their malicious activity against crypto investors — and not only them.

In fact, cybercriminals hunting for crypto can target anyone. Apart from cryptocurrency theft they extort digital money or illicitly mine it using victim’s devices instead of their own. Cryptocurrency mining is a painstaking and costly process, and not as rewarding as when the prices were high. However, it still attracts even legitimate miners. This can be explained, on the one hand, by the falling cost of mining equipment and, on the other, by less efficient market players having left the game, allowing those who remain to increase their market share. Cybercriminals pay neither for equipment, nor for electricity, which is rather expensive in 2022. They install mining software on the target computer to use its processing power without the victim’s consent. Moreover, malicious mining, or cryptojacking, does not require a lot of narrow technical expertise. In fact, all the attacker needs to know is how to create a miner using open-source code, or where to buy one. If the cryptomining malware is installed successfully on the victim’s computer, it delivers its operator stable earnings. In this report we analyze cryptojacking activity in the first three quarters of 2022, and provide some relevant statistics and insights.

Methodology

This research aims to define the state of cryptojacking in the current threat landscape. The data in this report has been taken from aggregated threat statistics obtained from a variety of sources that include our internal sources, open sources, etc. The main tool we use to obtain and analyze threat-related data is Kaspersky Security Network (KSN). KSN is dedicated to processing cybersecurity-related depersonalized data streams from Kaspersky products whose users consented to anonymized data collection. The metrics provided in this report are based on the number of distinct users of Kaspersky products with KSN enabled who encountered cryptominers at least once in a given period, as well as research into the threat landscape by Kaspersky experts. All analyzed data is anonymized.

In this report, we examine the main motivation factors for cybercriminals resorting to malicious mining, as well as the most widespread ways of propagation into the victim’s computer. The threat landscape of hidden mining malware is analyzed through a close examination of new malware modifications, the number of affected users, and their geographical distribution. Additionally, we look into certain cryptojackers’ wallets to get some insight into the amount of money they receive.

The statistics in this report are provided for the first three quarters of 2022. The data from 2022 is compared to data from 2021 to assess year-on-year development trends in cryptojacking.

Key findings:
  • Malicious mining programs are widely distributed through unpatched vulnerabilities in operating systems. In Q3 2022, nearly one in six cases of exploiting well-known vulnerabilities was accompanied with miner infection.
  • In Q3 2022, the number of new variants of miners saw more than triple growth when compared to Q3 2021, and exceeded 150,000.
  • Q1 2022 saw the biggest number of users (over 500,000) affected by malicious mining software, and the smallest number of new malicious miner variants.
  • The country with the highest number of attacked users was Ethiopia, where cryptocurrencies are banned officially.
  • Monero (XMR) is the most popular cryptocurrency for malicious mining.
To mine or not to mine?

Cryptojacking is becoming more prominent in the global threat landscape. This year we saw various types of attackers switching their attention to crypto mining. For example, AstraLocker, a major ransomware operator, shut down this activity to pursue cryptojacking. One of the main reasons for that shift may lie in the fact that malicious mining is one of the easiest ways to earn passive income. While ransomware operators pursue bigger money, not every attack results in the ransom being paid. Miners, on the contrary, just infect the machine and earn a stable profit for their operators. Moreover, unlike ransomware, which announces its presence as soon as the victim files are encrypted, mining malware can remain in the target system unnoticed for months or even longer.

Ways of propagation

There are many ways to distribute miners, and most of them are similar to the methods of distribution of any other type of malware.

One of the most popular miner distribution methods is through malicious files masquerading as pirated content. Cybercriminals actively lure their victims with trendy films, music, games, and software to spread malicious mining programs. They can distribute them through specially crafted landing pages, as well as via torrent links.

While the method described above affects mostly consumer devices, there are a number of distribution methods for delivering miners to more powerful equipment used by businesses. They include hacking the victim’s server using leaked or bruteforced credentials, worm-like spreading through flash drives or network storages, and distributing miners through unpatched vulnerabilities in the OS and other software.

Not always malware

Interestingly, cybercriminals use not only malware to mine digital currency without users’ consent. They try to avoid detection and save resources on malware development using legitimate mining programs with open-source code. By themselves, these tools do not contain malicious functionality, but they can be loaded by mining malware and used for cryptojacking.

Example of legitimate programs used by cryptojackers to covertly mine Ethereum (ETH), Ravencoin (RVN), Ethereum Classic (ETC), and Ergo (ERG), according to our statistics

Cryptojacking in numbers Vulnerability exploitation and miners

Unpatched vulnerabilities pose a serious challenge to users, while being an appealing lure for cybercriminals who exploit them to spread malicious activity. Our telemetry shows that miners are one of the most widespread types of threats when it comes to attacks via vulnerable software. Moreover, 2022 saw an increase in the share of hidden mining software distributed through well-known vulnerabilities. This year, nearly one in seven attacks exploiting such vulnerabilities was accompanied with miner infection. In Q3, miners became even more widespread than backdoors, which were the prime choice of cybercriminals throughout the first half of 2022, and accounted for one sixth of all vulnerability exploitation attacks.

TOP 4 malware types that attackers tried to launch as a result of exploiting vulnerabilities, Q1–Q3 2022 (download)

Let’s look at some specific services whose vulnerabilities are often used in cyberattacks. In Q1 2022, 14% of SQLAgent vulnerability exploitation cases resulted in miner infection, and in Q3 2022 this number grew slightly to 16% of all SQLAgent attacks.

TOP 4 malicious and unwanted file types installed via SQLAgent vulnerabilities, Q1–Q3 2022 (download)

The share of mining software loaded as a result of exploitation of LSASS-related vulnerabilities grew as well, from 17% in Q1 2022 to 19% in Q3.

TOP 4 malicious and unwanted file types installed as a result of exploitation of LSASS-related vulnerabilities, Q1–Q3 2022 (download)

New modifications and affected users

The overall number of new modifications of malicious mining software also increased dramatically in 2022. From January to the end of October 2022, Kaspersky solutions detected 215,843 new modifications of miners. This is more than twice the rate for the same period in 2021, when the number of modifications edged slightly over 100,000.

Notably, the number of new variants of such programs skyrocketed in Q3 2022. Compared to Q3 2021, that was more than threefold growth. Thus, in Q3 2022, the number of new malicious miners exceeded 150,000. This may be explained by the fact that after hitting their lowest rates in late June and the beginning of July, cryptocurrencies grew slightly at the end of the month. Cybercriminals may have increased their activity in anticipation of further growth that did not happen.

Number of new miner modifications, Q1–Q3, 2021 and 2022 (download)

Interestingly, during the period of analysis, the biggest number of affected users was registered not in Q3, which experienced a surge in new miner modifications, but in Q1, when the number of new modifications was the lowest.

Number of users affected by miners, Q1–Q3, 2021 and 2022 (download)

Attack geography

Interestingly, the most targeted country in Q3 2022 was Ethiopia (2.38%), where it is illegal to use and mine cryptocurrencies. Kazakhstan (2.13%) and Uzbekistan (2.01%) follow in second and third place.

TOP 10 most targeted countries by share of users encountering miners, Q3 2022:

Country* % of users attacked by miners** 1 Ethiopia 2.38% 2 Kazakhstan 2.13% 3 Uzbekistan 2.01% 4 Rwanda 1.93% 5 Tajikistan 1.83% 6 Venezuela 1.78% 7 Kyrgyzstan 1.73% 8 Mozambique 1.57% 9 Tanzania 1.56% 10 Ukraine 1.54%

* Excluded are countries where the number of Kaspersky users is relatively small (less than 50,000)
** Percentage of unique users whose devices were attacked by miners, from all unique users of Kaspersky products in the country.

Fourth place goes to Rwanda (1.93%), and fifth to Tajikistan (1.83%). The sixth most attacked country is Venezuela (1.78%), which is known to be among the first nations in the world to introduce a national cryptocurrency, Petro.

Let’s talk money

We took a closer look into the mining attacks to get some understanding of which coins are more popular among cybercriminals, and how much money they make mining these coins. For this we analyzed mining malware samples that were detected by our products in September 2022, extracted cryptocurrency wallet addresses from them, and monitored transactions to these wallets from January 1, 2022, through September 30, 2022. Note that there are other miner samples, as well as other wallets out there that are not represented in these statistics. Note also that we cannot distinguish mining transactions to the monitored wallets from other types of transactions.

Most of the analyzed samples of malicious mining software (48%) secretly mine Monero (XMR) currency via the victim’s engine. This currency is known for its advanced technologies that anonymize transaction data to achieve maximum privacy. Observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories — all these factors are extremely appealing to cybercriminals.

Most popular digital cryptocurrencies mined via cryptojacking (download)

The world’s most popular cryptocurrency, Bitcoin (BTC), was cybercriminals’ second choice with a share of 17%; while Ethereum (ETH), which is most frequently used to exchange NFTs, closes the Top 3 with 14%. Other cryptocurrencies mined by cybercriminals are Litecoin (LTC), Bit Hotel (BTH), Dash (DASH), Dogecoin (DOGE), and Neo (NEO).

Cybercriminal profits vary greatly from wallet to wallet. Bitcoin wallets we monitored on average received 0.08 BTC or around US$1.6K per month. However, one Bitcoin wallet showed significantly greater transaction amounts. In September 2022, for example, it received nearly 1.79 BTC, the equivalent of more than US$34K at the time of research.

Conclusion

Even though the world is facing a crypto winter with digital currencies losing their value, cryptocurrencies remain appealing for cybercriminals. The rise in the number of cryptojacking attacks goes hand in hand with the rising number of new program modifications and diversified ways of propagation. Hidden mining is a profitable activity which requires minimum effort; therefore, cybercriminals will continue to try to gain profit this way. Although hidden mining doesn’t cause direct financial damage to victims, it lowers the performance of infected systems, at the same time as increasing the electricity costs for victims. Therefore, companies and users should remain alert to the current threat trends and get ready for the crypto spring ahead of us.

To ensure no one is using your home equipment for their own profit, follow these tips:

  • Use reliable security solutions that protect your computer and other devices from mining malware.
  • Download software and media from official sources; remember that pirate files can contain a malicious payload.
  • Do not forget to update your operating system and other software.

To keep your corporate devices protected, we recommend:

  • Always keeping software updated on all devices you use so as to prevent attackers from infiltrating your network by exploiting vulnerabilities.
  • Introducing strict cybersecurity policies in your organization to avoid a situation when employees use corporate computing power to mine crypto coins or install malicious software on corporate equipment by accident.
  • Using a dedicated security solution such as Kaspersky Endpoint Security for Business that can quickly detect and eliminate malicious activity, as well as help manage vulnerabilities and patches.

Cybersecurity threats: what awaits us in 2023?

9 Listopad, 2022 - 09:00

Knowing what the future holds can help with being prepared for emerging threats better. Every year, Kaspersky experts prepare forecasts for different industries, helping them to build a strong defense against any cybersecurity threats they might face in the foreseeable future. Those predictions form Kaspersky Security Bulletin (KSB), an annual project lead by Kaspersky experts.

As for KSB 2022, we invited notable experts to share their insights and unbiased opinions on what we should expect from cybersecurity in the following year. The contributors include representatives from government institutions: H.E. Dr.Mohamed Al Kuwaiti (UAE Cyber Security Council), and public organizations: Kubo Mačák, Tilman Rodenhäuser, Mauro Vignati (ICRC), Serge Droz (FIRST), Sven Herpig (the think tank Stiftung Neue Verantwortung). Also, we’d like to thank Prof. Dr. Dennis-Kenji Kipker (the University of Bremen; European Academy for Freedom of Information and Data Protection (EAID)), Arthur Laudrain (The Hague Centre for Strategic Studies), Stefan Soesanto (The Center for Security Studies (CSS) at ETH Zurich) for their scientific and profound contribution. Moreover, we included predictions made by our fellow commercial organizations – James Range (White Rock Security Group) and Irena Yordanova (Polycomp Ltd.).

The opinions shared by the contributing experts do demonstrate a complexity of the modern cybersecurity industry and a strong need for collaboration among different organizations in order to combat cyberthreats that companies, individuals or even whole countries are exposed to.

What cyberthreats for business will be the greatest in 2023?

Vladimir Dashchenko, Security Evangelist, Kaspersky

The ongoing geopolitical storm brings not only classical cyberthreats for business, but also unpredictable risks and ‘black swans’. The main problem for 2023 will be supply-chain stability and cybersecurity. While supply-chain is a big challenge for business right now, its cybersecurity is not merely an issue, it’s a major problem. Supply-chain will become more of a sweet spot for targeted ransomware and state-sponsored espionage campaigns.

Another big issue is global semiconductor shortage. This will definitely play its role in corporate cybersecurity. While many companies need increasingly more computing power, (servers, workstations, network hardware and so on…) the price on the equipment continues to rise. There’s a possibility that, to cover hardware needs, some of the businesses will have to cut planned cybersecurity expenses.

Yury Slobodyanuk, head of content filtering research, Kaspersky

I think we will continue seeing attacks targeting the infrastructure of different countries and organizations. Phishing attacks are going to become even more sophisticated, since a lot of basic tactics have already been tried this year, and businesses learned to repel those.

Ivan Kwiatkowski, senior security researcher, Global Research and Analysis Team, Kaspersky

Businesses will still be mostly concerned with ransomware. The conflict between Russia and Ukraine has marked an end to any possible law enforcement cooperation in the foreseeable future. We can therefore expect that cybercrime groups from either block will feel safe to attack companies from the opposing side. Some may even perceive this as their patriotic duty. The economic downturn (caused by energy prices, inflation, sanctions, etc.) will lead more people to poverty, which always translates to increased criminality (cyber or otherwise), and we know ransomware to be extremely profitable.

James Range, President of White Rock Security Group

Zero trust will take on greater prominence with the continued role of the remote and hybrid workplace. Remote work will continue driving the need for zero trust since hybrid work is now the new normal. With the federal government mandating agencies to adopt zero-trust network policies and design, we expect this to become more common and the private sector to follow suit as 2023 becomes the year of verifying everything.

Arthur Laudrain, Strategic Analyst (Cyber Program), The Hague Centre for Strategic Studies

In 2023, we might see a slight decline in the raw number of ransomware attacks, reflecting the slowdown of the cryptocurrency markets. However, ransomware operators will keep professionalizing their operations and will target higher value organizations. At the same time, state-sponsored attacks will remain high in the threat landscape, with no ease of geopolitical tensions with Russia, China, North Korea, and Iran in sight. Businesses most at risk are aerospace and defense contractors, as well as critical infrastructure operators (utilities such as water, electricity, and Internet, but also hospitals and operators of large cyber-physical systems such as dams).

Stefan Soesanto, Senior Cyber Defense Researcher, The Center for Security Studies (CSS) at ETH Zürich

If I had a magic 8-ball, I would predict that the greatest cyberthreats to businesses in 2023 will be a significant increase in foreign intelligence services conducting operations under the cover of hacktivist groups, fighting big oil, climate change, fiscal policies etc. And that (b) we are also likely to see a steep increase in DDoS extortion campaigns as the Cyberwar in Ukraine leads to all-time-high levels of DDoS attacks.

Irena Yordanova, Product Manager Software, Polycomp Ltd.

We expect cyberthreats to rise in 2023, as unrest in the world contributes to an increase in cybercrimes. Malware attacks like ransomware will happen to businesses more frequently. And IT teams should be prepared to deal with evolving threats posed by emerging technologies which are becoming widespread, such as geo-targeted phishing or attacks related to Cloud Security, IOT and AI. Most probably more attacks on the education and healthcare sectors will occur plus targeted campaigns against industry leaders – especially those that hold critical information: sensitive data, top expertise, and latest technologies. Given that, employees should be educated and equipped to fight these mature attacks; and their companies can contribute by having experienced outside security partners to support them on this issue. End-users can prepare themselves with an easy-to-use security solution for upcoming challenges, whether it’s phishing attacks or threats related to multiple layers of security.

What cybersecurity challenges will industries face next year?

Vladimir Dashchenko, Security Evangelist, Kaspersky

Threat modeling approaches will be changed in 2023. Internet ‘balkanization’, ongoing military conflicts, changes, and tensions in existing political groups of countries are influencing cyberspace and cybercrime. We will see an increasing number of cybercriminals taking political sides and breaking the law with political statements. Also, script-kiddies (low skilled hackers) will be joining groups of cybercriminals led by more skilled perpetrators, or state sponsored hackers more often.

The major challenge for cybersecurity itself will be a lack of transparency and information sharing between companies. It will be extremely difficult to follow the ‘business as usual’ concept and remain neutral. Global political conglomerates will unfortunately influence cyberspace and cybersecurity.

Arthur Laudrain, Strategic Analyst (Cyber Program), The Hague Centre for Strategic Studies

Next year should see a continuation of existing trends. In particular, governments, critical infrastructure operators, and businesses with a large international footprint will face the continued challenge of ensuring the safety and integrity of their supply-chains, both in terms of software and hardware. Often, this will require closer integration with their contractors and suppliers, none the least to comply with new regulatory obligations in the U.S. and the E.U.

James Range, President of White Rock Security Group

Given the continued surge of ransomware attacks, which soared 288% in the first half of 2022 alone, the need for cyber insurance will be a bigger priority, especially in the SMB market. Although many industry experts argue against payouts, making cyber coverage a controversial topic, the evolving threat landscape means cyber insurance should be a top consideration as part of organizations’ cyber strategy. As such, we anticipate a booming cyber insurance industry as many organizations heed these warnings and seek to guard against ransomware attacks. Yet, in addition to cyber insurance, companies will need a designated DR or RR (Rolling Recovery) plan.

Kubo Mačák, Legal Adviser, Tilman Rodenhäuser, Legal Adviser, Mauro Vignati, Adviser on Digital Technologies of Warfare, ICRC

A key concern for 2023 is that civilians will be further impacted by cyber operations during armed conflict. Civilian data, devices, and networks – such as government services, critical infrastructure, or companies – risk being deliberately disrupted or damaged, often in violation of the laws of war. Civilians – individuals and companies – may get drawn into digital warfare activities, encouraged to engage in cyber operations or to support kinetic military operations through digital means. Such developments put people and societies in danger and undermine the cardinal rule that belligerents must at all times distinguish between what is military and what is civilian.

Stefan Soesanto, Senior Cyber Defense Researcher, Center for Security Studies (CSS)

I expect that the theft of medical data (ex. Finland’s Vastamoo in 2020 & Australia’s Medibank in 2022), as well as highly private personal data (ex. Ashley Madison in 2015) will become the major focus of ransomware groups and other cybercriminal actors alike. Underpinning this trend, the lesson learned is that imposing massive psychological pressure directly on thousands of separate victims, increases the likelihood of individual extortion payouts being made.

What cyberthreats will pose the most danger to end-users?

Yury Slobodyanuk, head of content filtering research, Kaspersky

As the geopolitical situation is quite tense, different types of fraud will take advantage of new events that will take place. Also, various techniques of generating fake news using AI may be used.

Sven Herpig, Director Cybersecurity at think tank Stiftung Neue Verantwortung

I believe cybercrime is the biggest threat to end-users, but mainly in an indirect fashion. Cybercrime is looming over providers of essential services and goods such as municipalities, hospitals and even producers of baby food offline, rendering them less or non-operational for several days or weeks. This has a direct impact on citizens’ lives in the real world and is therefore something that I would see as one of the most prevailing threats to individuals.

Prof. Dr. Dennis-Kenji Kipker, Professor for IT Security Law at the University of Bremen; Visiting Professor at Riga Graduate School of Law; Member of the Board of the European Academy for Freedom of Information and Data Protection (EAID)

Remote workers in home offices continue to play a major role in everyday working daily life, along with the increased use of BYOD, which takes control of devices away from administrators. Since 2020, therefore, forms of spear phishing, social engineering and CEO fraud, as well as ransomware, become increasingly prevalent and will continue to be of considerable importance in 2023. The professionalization of cybercrime, now an independent “industry”, is contributing to a further tightening of the security situation for end users, as low-cost mass attacks are made possible in this way.

H.E. Dr.Mohamed Al Kuwaiti, UAE Cyber Security Council

IoT Vulnerabilities. Security issues keep plaguing IoT devices dominating the market today. As IoT combines the physical world and virtual space, home intrusions are being added to the list of the scariest possible threats that IoT brings.

Vulnerabilities in Autonomous Vehicles. Due to the inherent risks of Autonomous Vehicles, they are increasingly vulnerable to attacks resulting in data breaches, supply chain disruptions, property damage, financial loss, and injury or loss of life.

What are the main challenges cybersecurity will face in 2023?

Ivan Kwiatkowski, senior security researcher, GReAT Kaspersky

The security industry will face direct pressure resulting from the political situation. Things were complex before and they will only get worse. The biggest challenge that vendors will have to face in 2023 will be to remain neutral, if they haven’t decided to align with one block or the other already. (My opinion on this bigger matter is explained in this talk.) Generally speaking, politics and threat intelligence will become more and more entwined, and we’re very unprepared for this as a community.

Yury Slobodyanuk, head of content filtering research, Kaspersky

I think attacks will evolve a lot quicker next year, and a main challenge will be to still be a couple of steps ahead.

Sven Herpig, Director Cybersecurity at think tank Stiftung Neue Verantwortung

I don’t think that there will be anything substantially new in 2023 – one of the key challenges will still be the lack of adoption of basic security and resilience measures which cybercriminals will successfully exploit.

Prof. Dr. Dennis-Kenji Kipker, Professor for IT Security Law at the University of Bremen; Visiting Professor at Riga Graduate School of Law; Member of the Board of the European Academy for Freedom of Information and Data Protection (EAID)

Cybersecurity requires not only secure software, but also sufficiently trustworthy hardware. For too long, we have relied on globalization in IT security and placed too little emphasis on protecting the digital supply chain. In Germany, this was made clear by the debate about protecting sensitive 5G networks; in the geostrategic conflict between the People’s Republic of China and Taiwan, we are now seeing that we are already in the midst of a semiconductor crisis that threatens the security of supply with trustworthy IT. Here, it can be assumed that significant cybersecurity challenges will continue to rise in 2023 as political tensions grow.

Serge Droz, Technical Advisor, Member of the Board, FIRST

Cybercrime will continue to focus on optimizing gains per investment, meaning that smaller and/or less mature organizations will be targeted even more. These may be SMEs or businesses in sectors that don’t include IT in their core business, in particular health services. The problem with this target group is that they either have very different priorities (a ransomed hospital simply cannot afford to delay recovery, and thus pays) and don’t have the resources to defend themselves, or they just don’t have the expertise. This is what Wendy Nater calls “living below the security poverty line”. And this will be the challenge to our industry: how can we provide effective protection that works and is affordable to these types of organizations. Or in other words, can we provide security services to people other than for security specialists? My guess would be that reaching this goal requires different industries working together, in particular I feel the role of insurance needs to be clarified and aligned.

James Range, President of White Rock Security Group

Cyber teams are going to be in the spotlight now more than ever. Understanding your security posture is crucial; knowing what current tools are available and the gaps that currently exist in your infrastructure will help you to protect your enterprise. The need for bigger cyber budgets and having the right people in place is critical. With ongoing talent shortages, consider partnering with a third-party firm to ensure you have fail-proof processes, documentation, and regular third-party assessments.

H.E. Dr.Mohamed Al Kuwaiti, UAE Cyber Security Council

DDOS Botnets. One of the most recent severe attacks around the end of June 2021, was made using malware called the Mēris botnet which has climbed to the record. Due to the new nature of the malware as it has been described as a “new assaulting force on the Internet – a botnet of a new kind” and its impact is more likely to be that similar real-time emerging malware-related DDoS attacks like this one will be used in 2023.

Ransomware as a service (RaaS). Unlike other forms of malware, this new service provides “a sort of criminal Content Distribution Network (CDN) similar, in principle, to those used by major internet portals but used exclusively for malware”. Nearly half of breaches during the first six months of 2022 involved stolen credentials, Switzerland-based cybersecurity company Acronis reported in its Mid-Year Cyberthreat Report, published on August 24, 2022. This has probably been the most discussed attack in 2022 as it’s the first time a country declared a national emergency in response to a cyber-attack. Ransomware-based malware had been quite active in 2022.

Deep fake enabled business compromise. Deepfake-enabled compromise is a type of attack where threat actors leverage synthetic content. This includes video or audio altered or created using artificial intelligence and machine learning to impersonate C-suite executives and trick employees into transferring large sums of cash.

DDoS attacks in Q3 2022

7 Listopad, 2022 - 09:00

News overview

In Q3 2022, DDoS attacks were, more often than not, it seemed, politically motivated. As before, most news was focused on the conflict between Russia and Ukraine, but other high-profile events also affected the DDoS landscape this quarter.

The pro-Russian group Killnet, active since January 2022, took the responsibility for several more cyberattacks. According to the hacktivists themselves, more than 200 websites in Estonia fell victim to their attacks, including the ESTO AS payment system. In nearby Lithuania, the websites and e-services of the energy company Ignitis Group were hit. Both attacks were described by the affected organizations as the largest they’ve faced in the last 10–15 years.

Killnet also claimed responsibility for an attack on the website and services of the US Electronic Federal Tax Payment System. The attackers stated on Telegram that they were “testing a new DDoS method.” During the attack, they said, the site administration tried to change the DDoS protection vendor, but then had a rethink. In addition, Killnet disrupted the US Congress website for a couple of hours.

On the other side of the Pacific, in Japan, 20 websites of four different government departments were hit by DDoS attacks. Killnet hacktivists claimed involvement in this incident, too. The defending side managed to eliminate the main damage within 24 hours, although the e-Gov administrative portal continued to experience access problems the day after.

The lesser known pro-Russian group Noname057(16) took the credit for the attacks on the website of Finland’s parliament and the publication archive of its government, which they managed to take offline temporarily. If the group’s Telegram channel is to be believed, the reason for the attacks was because “[Finnish] officials are so eager to join NATO.”

In turn, Russian resources suffered from DDoS attacks by pro-Ukrainian hacktivists. Victims included the Unistream, Korona Pay, and Mir payment systems, as well as the Russian National Payment Card System, which ensures the operation of Mir and the Faster Payments System. What’s more, activists brought down the website, call center, and SMS provider of Gazprombank; Otkritie Bank noted disruptions to its internet banking service and mobile app, and SberBank reported 450 repelled DDoS attacks in the first two months of Q3. According to SberBank, this is the same number as in the previous five years put together.

Electronic document management systems, in particular SKB Kontur and Taxcom, were also in the firing line. Their websites were either down or slow, which caused supply troubles for dairy producers. The websites of the political parties United Russia, Young Guard of United Russia, and A Just Russia — For Truth.

Media outlets did not go unaddressed either: RIA Novosti and Sputnik suffered attacks that lasted almost 24 hours, while the website of Argumenti i Fakti was unavailable for some time. Meanwhile, StormWall reported that 70 regional newspapers in 14 Russian cities, among them Bryansk, Kaluga, Chelyabinsk, Pskov, Omsk, Tyumen, and Sochi, were hit by garbage traffic.

A wave of DDoS attacks swept across many tech and entertainment companies as well. Hacktivists attacked around 20 Russian video-conferencing platforms. Among the services affected were TrueConf, Videomost, Webinar.ru, and iMind. Also targeted were the websites of Kinomax, Mori Cinema, Luxor, Almaz Cinema, and other movie theaters. Hacktivists also tried to disable the websites of the car information portal Drom, the drone store MyDrone, and the security vendor Avangard.

Already in Q1, various sites and apps were available to allow technically inexperienced users who sympathize with Ukraine to join DDoS attacks against Russian resources. The Russian-speaking APT group Turla exploited the hype. In July, Google researchers reported a piece of Android malware being distributed by cybercriminals under the guise of a DDoS tool for attacking Russian websites. According to experts, this is Turla’s first ever malware for Android.

Besides the Russia–Ukraine conflict, there were reports of politically motivated DDoS attacks in other hot spots on the planet. US Congress Speaker Nancy Pelosi’s visit to Taiwan provoked not only a public outcry in mainland China, but also a string of cyberattacks both before her arrival on the island and in the hours immediately after. In particular, the websites of Taiwan’s president and its Ministry of National Defense experienced downtime. Also affected were the online resources of the Ministry of Foreign Affairs and Taoyuan International Airport.

Israel, too, became a DDoS target when cybercriminals attacked the websites of the country’s Ministry of Health and Tel Aviv-Yafo Municipality. As a result, access to these resources from abroad was limited. Responsibility for the cyberattacks was claimed by Al-Tahira (aka ALtahrea), a group opposed to NATO and its allies.

The post-Soviet space was also a hotbed of activity. Amid the escalating conflict between Armenia and Azerbaijan, a DDoS attack battered the official site of the Collective Security Treaty Organization (CSTO), a Russia-led military alliance in Eurasia. The CSTO reported that attackers, under the guise of a DDoS, had attempted to change some information on its website. And in the last third of September, the Kazakhstani segment of the internet faced a DDoS onslaught from abroad. At around the same time, local media (Top Press, New Times, Skif News) were also subjected to DDoS attacks.

Some events in Q3 could not be described as unambiguously political. For example, the company Russian Environmental Operator reported DDoS attacks on the new Secondary Material Resources Exchange immediately after the announcement of the platform’s launch. Although this may have been part of a hacktivist campaign, new online resources regularly face DDoS attacks before going live even during quiet times. The largest Russian-language torrent tracker RuTracker and the entertainment portal Live62 also admitted to being attacked in Q3. Both sites have been beset by copyright infringement claims, and RuTracker has been blocked in Russia as a pirate resource.

In addition, a number of firms specializing in DDoS protection reported major attacks in Q3.

Akamai announced two major attacks on the same client from Eastern Europe. In both cases, the number of packets per second sent by the attackers was extraordinary. The first attack, on July 21, peaked at 659.6 million packets per second, a new European record at the time, says Akamai. This was not an isolated case: in July, this same client was attacked more than 70 times. The record held until September 12, when another attack posted 704.8 million packets per second.

In continuation of a Q2 trend, Google says it blocked an HTTPS-based DDoS attack that peaked at 46 million requests per second, 77 percent more than the record-breaking HTTPS attack mentioned in our previous report. According to experts, the attack involved more than 5,000 IP addresses from 132 countries, with around 30 percent of the traffic coming from Brazil, India, Russia, and Indonesia. The geographical distribution and botnet characteristics suggest the use of the Mēris family.

Lumen reported stopping an attack with a capacity of over 1 terabyte per second on the servers of its client. At the time of the attack, the target servers were hosting a gaming service. In the week leading up to the incident, the attackers tested various DDoS methods and studied the victim’s protection capabilities by issuing commands to bots from three different C2 servers.

Gaming services are regularly targeted by DDoS. In Q3, the servers of Gaijin Entertainment, which developed War Thunder, Enlisted, and Crossout, were hit by an extended series of attacks. They began on September 24, and users were still complaining of disruptions at the time of writing. To reduce the negative effect of the DDoS attack, Gaijin promised to extend its promotions and premium subscriptions, as well as award bonuses to players for a whole week.

The North American data centers of Final Fantasy 14 were attacked in early August. Players experienced connection, login, and data-sharing issues. Blizzard’s multiplayer games — Call of Duty, World of Warcraft, Overwatch, Hearthstone, and Diablo: Immortal — were also DDoSed yet again.

An ESL eSports match between the teams NaVi and Heroic was held up for over an hour due to a DDoS attack on individual players. The match continued only after the organizer had dealt with the threat.

In turn, the developers of the game Tanki Online announced they had finally neutralized a string of DDoS attacks that had plagued players since the summer. Having beefed up protection and stabilized the servers, the organizers thanked the players for their patience with a prize giveaway.

That was not the only good news regarding DDoS attacks on gaming services this quarter: in Sweden, police detained a suspect in a DDoS attack on Esportal, a CS:GO tournament platform. If convicted, they face from six months to six years in prison.

Anti-DDoS measures are also being implemented at the national level. For instance, Israel announced the launch of the Cyber-Dome project, designed to secure national digital resources. According to the Israel National Cyber Directorate, having a single protective complex will “elevate national cybersecurity by implementing new mechanisms in the national cyber perimeter and reducing the harm from cyberattacks at scale.”

In Bangladesh, the governmental Computer Incident Response Team required all key organizations, including those responsible for the country’s IT infrastructure, to develop and introduce anti-DDoS measures. This came after a reported spike in attacks.

At the same time, the global legal consensus that any DDoS attack constitutes a cybercrime came under threat in Q3, and from an unexpected source. The Hungarian Cable Communications Association (MKSZ) requested that the law be changed to officially allow MKSZ members and legal enterprises from the telecom industry to carry out DDoS attacks as a means of combating IPTV piracy. Traditional measures, such as blocking IP addresses and domain names, MKSZ described as slow and ineffective, while legally sanctioned cyberattacks could genuinely force users to abandon pirate services.

It was not only Hungarian telecom companies that had the idea of taking the fight to cybercriminals. After the ransomware group LockBit hacked Entrust, a specialist cybersecurity firm, and began publishing confidential data, unknown actors attacked the site where the information was being leaked. The packets they sent contained an unambiguously worded message: DELETE_ENTRUSTCOM_[BAD_WORD].

Quarter trends

The main surprise of Q3 2022 was the lack of surprises, which were continuously present since late 2021. But that doesn’t mean it was a dull quarter. Let’s take a look at the statistics.

Comparative number of DDoS attacks, Q3 2021, Q2 and Q3 2022. Q3 2021 data is taken as 100% (download)

The first thing worth noting is the significant rise in the number of DDoS attacks of all types relative to the previous reporting period. At the same time the quarter picture is fairly standard: a relatively calm summer followed by a sharp surge in DDoS activity. In September, the Kaspersky DDoS Protection team repelled 51 percent of all attacks in the quarter, which amounts to roughly the same number as in the previous two months. This is a normal situation that we observe and report on every year. Usually the autumn growth is more of a recovery after the summer slump, but the fact remains that the number of DDoS attacks always increases sharply in September. This is due to a general rise in activity after the lazy summer months: people return from vacation, students go back to school, and everything picks up, including the DDoS market.

Share of smart attacks, Q3 2021 and Q2/Q3 2022 (download)

What is unusual, however, is the continued growth in the share of smart attacks, which, with 53 percent, already account for the majority, setting a new record in the history of our observations. Moreover, DDoS attacks on HTTP(S) this quarter exceeded those on TCP for the first time, despite the latter being easier to organize and still the most common type of DDoS.

Ratio of HTTP(S) and TCP attacks, Q2 2021–Q3 2022 The number of TCP-based attacks for the corresponding period is taken as 100% (download)

What’s most interesting is that, in absolute terms, the number of attacks on HTTP(S) has remained quite stable over the past year. The share of attacks on TCP is on a downward curve, which reflects well the general trend: the share of dumb DDoS attacks is falling, while that of smart attacks is growing. This was bound to happen sooner or later, as tools on both the attacking and defending sides evolve and become more readily available. Organizing L7 attacks is getting easier, while L4 attacks are losing their effectiveness. As a result, they are being used less and less by professionals in their pure form (although L4 vectors are still found in mixed attacks), and more and more by amateurs. The above figures illustrate this well.

Note this Q1 2022 stat: There were half as many DDoS attacks on HTTP(S) as on TCP. February and March saw a significant increase in non-professional attacks due to the geopolitical situation, as outlined in our report. Hacktivists are passionate but fickle. Having quickly tired of DDoS, they switched to other attacks, and the share of DDoS started to fall. By Q3, it was tending to zero. Meanwhile, the number of high-quality professional attacks, after increasing in Q1, remains at a high level. The targets have not changed either: mainly the financial and government sectors. Both of these facts reinforce our notion that, from the spring until at least the end of September, professionals were working to order against these sectors, which is reflected in our statistics.

In terms of DDoS attack duration, there were no new records: if Q2 was marked by the longest attack ever observed, Q3 was calmer: on average, attacks lasted about eight hours, with the longest being just under four days. Compared to the previous quarter, this seems rather modest, but the numbers are still huge: in Q3 of last year, the duration of DDoS attacks was measured in minutes, not hours. In this regard, the situation remains challenging.

DDoS attack duration, Q3 2021 and Q2/Q3 2022. Q3 2021 data is taken as 100% (download)

DDoS attack statistics Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of varying type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q3 2022.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographic locations of DDoS-attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

In Q3 2022:

  • Kaspersky’s DDoS Intelligence system detected 57,116 DDoS attacks.
  • A total of 39.61 percent of targets, affected by 39.60 percent of attacks, were located in the US.
  • The busiest day of the week (15.36 percent of attacks) was Friday and the calmest (12.99 percent) was Thursday.
  • July saw the sharpest contrast: The 1st and 5th saw 1494 and 1492 attacks, respectively, and the 24th just 135.
  • Attacks lasting less than four hours accounted for 60.65 percent of the total duration of attacks and for 94.29 percent of the total number of attacks.
  • UDP flood accounted for 51.84 percent of the total number of attacks, and SYN flood for 26.96 percent.
  • The country with the largest share of bots trying to hack into Kaspersky SSH honeypots was the US (17.60%).
DDoS attack geography

In Q3 2022, the top four countries in terms of resources attacked remained unchanged from the previous reporting period. The US (39.60%) remained in first place, despite losing 6.35 percentage points. Mainland China’s share (13.98%) increased by almost the same amount, up 6.31 percentage points, securing second place. Germany (5.07%) remains in third and France (4.81%) in fourth place.

Hong Kong (4.62%) rounded out the TOP 10 countries and territories with the highest number of DDoS attacks last quarter. Having seen its share more than double this quarter, it now ranks fifth. Brazil (4.19%) moved up into sixth position, while Canada (4.10%) and the UK (3.02%), which ranked fifth and sixth last quarter, dropped to seventh and eighth, respectively. Propping up the TOP 10 are Singapore (2.13%) and the Netherlands (2.06%).

Distribution of DDoS attacks by country and territory, Q2 and Q3 2022 (download)

The distribution of unique DDoS attack targets by country and territory is almost a carbon copy of the attack rating. In first place is the US (39.61%), followed by mainland China (12.41%), whose share grew most noticeably over the quarter, up 4.5 percentage points. Third place still belongs to Germany (5.28%), and fourth to France (4.79%).

As in the distribution of attacks, Brazil (4.37%) and Hong Kong (4.36%) ranked fifth and sixth by number of unique targets, but in reverse order. The former was home to slightly more DDoS targets, while the latter showed larger growth against the previous reporting period, climbing 2.36 percentage points. Canada (3.21%), the UK (2.96%) and Singapore (2.11%) occupied lines seven to nine in the table, while tenth place went to Poland (2.00%), squeezing the Netherlands (1.86%) out of the TOP 10.

Distribution of unique targets by country and territory, Q2 2022 and Q3 2022 (download)

Dynamics of the number of DDoS attacks

The number of DDoS attacks in Q3 2022 fell again. Having decreased by 13.72 percent in the previous reporting period relative to the one before, this quarter it dropped by a further 27.29 percent, to 57,116. August proved to be the busiest month, with Kaspersky’s DDoS Intelligence system detecting an average of 824 attacks per day. July, on the other hand, was calm: 45.84 percent of all attacks during this month occurred in the first seven days, maintaining the dynamics of June, which posted an average of 1301 per day; starting from week two, however, the average number of daily attacks fell to 448. Thus, the July average was just 641 DDoS attacks per day, slightly ahead of the even quieter September, which averaged 628.5. At the same time, September’s attacks were distributed more evenly throughout the month.

The quarter’s peak and trough both came in July: the most aggressive day was the 1st (1494 attacks); the calmest was the 24th (135). In August, over a thousand attacks were recorded on the 8th and 12th alone (1087 and 1079, respectively), and the quietest day was the 30th (373). September delivered no noteworthy highs or lows.

Dynamics of the number of DDoS attacks, Q3 2022 (download)

Sunday (13.96%) in Q3 fell by 1.85 percentage points compared to the previous reporting period, and lost its position as the leading day in terms of traffic. Saturday’s share also declined, but remained above 15 percent. First place by number of DDoS attacks went to Friday, which showed a noticeable increase — from 13.33 to 15.36 percent. Thursday was the only day whose share dropped below 13 percent, down to 12.99 percent.

Distribution of DDoS attacks by day of the week, Q3 2022 (download)

Thursday was also the only weekday that saw its share decrease.

Duration and types of DDoS attacks

In Q3 2022, sustained attacks of 20 hours or more accounted for 19.05 percent of the total duration of attacks. This figure almost tripled after falling in the previous reporting period, almost reaching the level as that at the beginning of the year. Accordingly, the proportion of long-term attacks increased quantitatively: from 0.29 to 0.94 percent.

Short attacks lasting up to four hours showed a slight decrease to 94.29 percent. At the same time, their share of the total duration of DDoS attacks fell significantly, from 74.12 to 60.65 percent. Attacks lasting from five to nine hours remained in second place (3.16% of attacks); attacks lasting from 10 to 19 hours were in third (1.60%).

The longest attack of Q3 lasted 451 hours (18 days 19 hours). That was way ahead of the second-place 241 hours (10 days 1 hour). The average duration of attacks rose slightly to around 2 hours 2 minutes, which is not surprising given the increase in the share of sustained attacks and the decrease in the share of short ones.

Distribution of DDoS attacks by duration, Q2 and Q3 2022 (download)

In Q3 2022, the ranking of DDoS attack types was unchanged from the previous reporting period. The share of UDP flood fell from 62.53 to 51.84 percent, but remained the most common type of DDoS. The second most common, SYN flood, on the contrary, increased its share to 26.96 percent. TCP flood (15.73%) reversed its decline, adding more than 4 percentage points to hold on to third place. GRE flood and HTTP flood made up 3.70 and 1.77 percent, respectively, of the total number of attacks.

Distribution of DDoS attacks by type, Q3 2022 (download)

Geographic distribution of botnets

Botnet C2 servers are still mainly located in the US (43.10.%), but its share fell by 3 percentage points. The Netherlands (9.34%), which ranked second last quarter, slipped more than 5 percentage points and again changed places with Germany (10.19%). Russia (5.94%) stayed in fourth place.

Asian countries come next: fifth place goes to Singapore (4.46%) and sixth to Vietnam (2.97%), whose share in Q3 continued to grow, although not as rapidly as in Q2. They are followed by a new entry in the ranking, Bulgaria (2.55%), whose share increased more than sixfold.

France dropped from fifth place to eighth (2.34%), and the UK (1.91%) to ninth. Canada and Croatia, which rounded out last quarter’s TOP 10, gave way to Hong Kong (1.49%) by number of C2 servers.

Distribution of botnet C2 servers by country and territory, Q3 2022 (download)

Attacks on IoT honeypots

In Q3, mainland China surrendered its lead in terms of number of bots attacking Kaspersky SSH honeypots: its share dropped to 10.80 percent. First place was claimed instead by US-based bots (17.60%). Third, fourth, and fifth positions, with hardly any distance between, belong to India (5.39%), South Korea (5.20%), and Brazil (5.01%). Germany (4.13%) dropped from third place last quarter to seventh, but bots based there were among the most active in Q3, responsible for 11.22 percent of attacks. This figure is bettered only by the US bots (27.85%). What’s more, over five percent of attacks came from bots in Singapore (5.95%) and India (5.17%), which took third and fourth place, respectively.

TOP 10 countries and territories by number of devices from which Kaspersky SSH traps were attacked, Q3 2022 (download)

As for Kaspersky Telnet honeypots, here mainland China retained its lead among countries and territories by number of both attacks and attacking devices. The first figure, however, declined from 58.89 to 38.18 percent, while the second climbed slightly from 39.41 to 41.91 percent. Second place by number of attacks went to the US (11.30%), with Russia third (9.56%). In terms of their share of bots, these two countries rank slightly lower: in sixth (4.32%) and fourth (4.61%) place, respectively. The TOP 3 countries by number of bots featured South Korea (8.44%) and India (6.71%). Taiwan ranked fifth with 4.39 percent.

TOP 10 countries and territories by number of devices from which Kaspersky Telnet traps were attacked, Q3 2022 (download)

Conclusion

The situation in Q3 2022 points to a stabilization of the DDoS market after a tumultuous first half of the year, although it remains difficult. Yet the picture changes every quarter and forecasts remain tentative at best: pretty much anything can happen. That said, we don’t expect any significant surges or drops in Q4. If our conclusions are correct, and the market is indeed back on a predictable track, we expect similar indicators in Q4 as in Q3, adjusted for the slight growth we usually see toward the end of the year. In any case, we can assume such a development in terms of both number and quality of attacks. As for duration, here we can only guess: the DDoS market is still very far from the norm, and the length of attacks tends to jump up and down. We hope that Q4 shows relative stability in this regard, too, and does not try to break any records.