After a targeted attack, large businesses lost an average of $695,000, while small and medium businesses lost almost $32,000.
Kaspersky Lab experts have studied the cyberattacks that Russian companies have been subjected to since the beginning of the year. The collected statistics made it possible to identify the most costly type of cyber incident for businesses. The greatest damage was caused by targeted attacks.
The experts explained that these are pre-planned attacks in which attackers “purposefully attack a specific company”, having previously conducted reconnaissance and selected tools for the attack. On average, after such an attack, large businesses lost $695,000, while small and medium businesses lost $32,000 this year.
Another source of damage to Russian business in 2021 was “the illegal use of IT resources by employees.” Kaspersky Lab experts also count such cases as cyber incidents. The losses caused by them reached nearly $510 thousand for large companies and $30 thousand for small ones.
Businesses suffered slightly less in cases where employees did not comply with the internal information security policy. In such incidents, according to the study, the damage for a large organization was $465 thousand, and for a small one almost $30 thousand.
DDoS attacks, according to Kaspersky Lab, in turn deprived large businesses of $463 thousand, and owners of small companies of more than $28 thousand.
At the end of May, Kaspersky Lab announced that the new attacks differ from cyberattacks using encryption viruses in that the scammers do not use specially created malware, but the standard BitLocker Drive Encryption technology included in the Windows operating system. Several Russian companies have been hit by ransomware attacks that have blocked access to corporate data and demanded a ransom.
Information security specialists from Kaspersky Lab reported that hackers are trying to attack Russian companies through a new vulnerability in Microsoft Office products. At least one attack targeted government agencies. Using the vulnerability, attackers can not only spy on users of the infected system, but also download malicious programs such as ransomware onto it. Experts expect that hackers will actively exploit the flaw, since users are slow to install updates.
According to Yevgeny Lopatin, head of the complex threat detection department at Kaspersky Lab, attackers are currently exploiting the vulnerability by sending a phishing email with a document attachment. An employee only needs to open such a document on their computer for the exploit to trigger, after which malware is downloaded and installed on the victim’s computer.
Rostelecom-Solar has registered one targeted attack on government bodies using this vulnerability, said Igor Zalevsky, head of the Solar JSOC CERT cyber incident investigation department.
The expert added that a number of government systems are still using Internet Explorer as the recommended browser.
The flaw is actually a vulnerability in MSHTML, the rendering engine of the Internet Explorer browser. This component is responsible for displaying the content of a web page (images, fonts, and other files). Microsoft Office also uses MSHTML to display web content embedded in documents, which is why an Office document can reach the vulnerable code.
The vulnerability in MSHTML allows an attacker to craft documents containing malicious scripts. After compromising the system through this vulnerability, an attacker can install a backdoor.
According to experts, a wave of attacks exploiting the MSHTML flaw is expected. The vulnerability can be exploited both in advanced attacks and in ordinary phishing emails.
Eugene Kaspersky said that the most professional and most aggressive espionage attacks are carried out by English-, Russian- and Chinese-speaking groups.
As for the most professional cybercrime groups, they almost all speak Russian, "because the best programmers in the world also speak Russian," he noted, drawing a distinction between cybercrime and cyber espionage, that is, hackers who work for the state.
"The Soviet, Russian education system produces the most intelligent programmers in large numbers. The most malicious cybercriminals graduated from the same universities as the most professional programmers who work as white hat hackers," Kaspersky said.
The second factor explaining the abundance of Russian-speaking cybercrime groups is that English-speaking cybercriminals are quickly found and punished in the United States.
"There were criminal groups in the United States, in other countries, but they were almost liquidated. This is explained very simply. Where is the most money? In the USA. Who are the American criminals attacking? Their own. And they are immediately taken on their own territory. Who are the Russian-speaking groups attacking? Again, America. All. It's just the economy," Kaspersky said.
According to Mr. Kaspersky, that is why it is completely ineffective to fight cybercrime with fragmented national cyber police units.
"Cybercriminals commit crimes on the Web, where there are no borders. Police units act only in their own territory," Kaspersky added.
He believes that solving this problem requires cooperation at the international level, which currently works very poorly.
Kaspersky recalled that cooperation between different countries on cybersecurity issues has been built for several years, its peak occurred in 2015-2016. Then there was a fairly successful joint police operation of Russia, the U.S. and some European countries against the high-profile international cyber gang Carbanak.
Kaspersky Lab noted that the new attacks differ from cyberattacks using encryption viruses in that the scammers do not use specially created malware, but the standard BitLocker Drive Encryption technology included in the Windows operating system. Several Russian companies have been hit by ransomware attacks that have blocked access to corporate data and demanded a ransom.
The company explained that the scammers get into the corporate network with the help of phishing emails sent on behalf of various companies, aiming to obtain user credentials or to exploit vulnerabilities in the system. After that, they find the BitLocker function in the Control Panel, encrypt the drives, and keep for themselves the keys, usernames, and passwords that the program generates.
As the company said, as soon as the scammers gain access to the server that holds information about all corporate devices, they can encrypt the organization's entire IT infrastructure.
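Because the attack described above uses Windows' own BitLocker rather than custom malware, a defender's best signal is a key protector that the organization did not create, or a volume that became encrypted without its recovery password being escrowed. The script below is an added example written for this page, not Kaspersky Lab's tooling; it uses the standard BitLocker PowerShell module (`Get-BitLockerVolume`, `Backup-BitLockerKeyProtector`) and compares the current key protectors against a baseline file. The baseline path, the `-WriteBaseline`/`-EscrowToAD` switches and the `$ExpectedTypes` list are assumptions of this example.

```powershell
# Added example (not Kaspersky Lab's code): audit BitLocker volumes and key protectors
# on a Windows host and flag changes that could indicate BitLocker being turned against
# the organization. Assumes an elevated session with the BitLocker module available.
#Requires -RunAsAdministrator

param(
    # Assumed location of the baseline of known protector IDs (JSON). First run: -WriteBaseline.
    [string]$BaselinePath = "$env:ProgramData\bitlocker-baseline.json",
    [switch]$WriteBaseline,
    # Protector types the organization's own deployment is expected to use (assumption).
    [string[]]$ExpectedTypes = @('Tpm', 'RecoveryPassword'),
    # Escrow any recovery password protector to Active Directory so the org can always recover.
    [switch]$EscrowToAD
)

# Snapshot of the current state: one record per volume with its protector IDs and types.
$current = foreach ($vol in Get-BitLockerVolume) {
    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        VolumeStatus = [string]$vol.VolumeStatus        # FullyDecrypted, EncryptionInProgress, ...
        Protectors   = @($vol.KeyProtector | ForEach-Object {
            [pscustomobject]@{ Id = $_.KeyProtectorId; Type = [string]$_.KeyProtectorType }
        })
    }
}

if ($WriteBaseline) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = @{}
if (Test-Path $BaselinePath) {
    foreach ($b in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$b.MountPoint] = $b }
}

$findings = foreach ($vol in $current) {
    $known = $baseline[$vol.MountPoint]

    # A volume that was decrypted at baseline time and is now encrypting/encrypted is the
    # exact transition the attackers in the article rely on.
    if ($known -and $known.VolumeStatus -eq 'FullyDecrypted' -and $vol.VolumeStatus -ne 'FullyDecrypted') {
        [pscustomobject]@{ MountPoint = $vol.MountPoint; Issue = 'VolumeNewlyEncrypted'; Detail = $vol.VolumeStatus }
    }

    foreach ($p in $vol.Protectors) {
        # Any protector type outside the deployment standard (e.g. a plain Password protector).
        if ($ExpectedTypes -notcontains $p.Type) {
            [pscustomobject]@{ MountPoint = $vol.MountPoint; Issue = 'UnexpectedProtectorType'; Detail = "$($p.Type) $($p.Id)" }
        }
        # Any protector ID that did not exist at baseline time: someone added a key.
        if ($known -and ($known.Protectors.Id -notcontains $p.Id)) {
            [pscustomobject]@{ MountPoint = $vol.MountPoint; Issue = 'ProtectorAddedSinceBaseline'; Detail = "$($p.Type) $($p.Id)" }
        }
    }

    # Optional remediation: make sure every recovery password is escrowed to AD.
    if ($EscrowToAD) {
        foreach ($p in ($vol.Protectors | Where-Object Type -eq 'RecoveryPassword')) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.Id | Out-Null
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No BitLocker changes since baseline.' }
```

Run it once with `-WriteBaseline` on a known-good host, then schedule the plain run (or feed its output to a SIEM). A `ProtectorAddedSinceBaseline` or `VolumeNewlyEncrypted` finding on a file server that the organization never intended to encrypt is worth an immediate look, and escrowing recovery passwords to AD ahead of time is what prevents an attacker-added key from being the only way back to the data.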
Sergey Golovanov, the chief expert at Kaspersky Lab, explained that it is now difficult to estimate the actual number of attacks since the attackers use standard operating system tools.
"At this stage, we can assume that this is not a targeted campaign: the attacked companies are not similar either in size or in areas of activity," the expert said. According to Mr. Golovanov, the scammers craft phishing emails without regard to the specifics of the enterprise and send them widely.
Earlier, Kaspersky Lab recorded hacker attacks on ten Russian financial and transport companies using a previously unknown Quoter ransomware program, as well as phishing emails with a banking Trojan program. The hackers sent out phishing emails with topics such as "Request for refund" or "Copies of Last Month's documents". As soon as the recipient clicked on the link or opened the attachment, a malicious RTM Trojan was downloaded to their device.
Kaspersky Lab has recorded a series of targeted attacks on Russian financial and transport companies. The hackers used a previously unknown ransomware virus.
According to a statement from Kaspersky Lab, since December 2020, ten Russian financial and transport companies have been subjected to hacker attacks using the previously unknown Quoter ransomware. Experts believe that the Russian-speaking group RTM is engaged in this.
The hackers sent out phishing emails, choosing topics that they calculated should force the recipient to open the message, for example, "Request for refund", "Copies of documents from the last month" and so on. As soon as the recipient clicked on the link or opened the attachment, the RTM Trojan was downloaded to their device.
Then the attackers tried to transfer money through accounting programs by replacing the details in payment orders or manually using remote access tools. If they failed, they used Quoter, which encrypted the data using the AES cryptographic algorithm and left contacts for communication with hackers. If the recipient did not respond, they threatened to make the stolen personal data publicly available and attached evidence, and demanded about $1 million as a ransom.
Sergey Golovanov, a leading expert at Kaspersky Lab, warned that the attacks pose a serious threat to companies, as hackers use several tools at once: a phishing email with a banking Trojan and an encryption program.
"Among the features of this campaign is that the Russian-speaking RTM attackers changed the tools used for the first time, moreover, now they are attacking Russian companies," said Mr. Golovanov, noting that usually encryption programs are used in attacks on foreign organizations.
Group-IB also warned about hacker attacks by RTM. According to the company, from September to December 2018 the group sent more than 11 thousand malicious emails to financial institutions from addresses spoofed to look like government agencies. The emails contained a malicious attachment: an archive whose extracted file carried a fake PDF icon, and running that file infected the computer. On average, one successful theft of this type brought the attackers about 1.1 million rubles ($15,000).
The hacker group Lazarus attacked developers of the coronavirus vaccine: the Ministry of Health and a pharmaceutical company in one of the Asian countries.
Kaspersky Lab reported that the hacker group Lazarus has launched two attacks on organizations involved in coronavirus research. The targets of the hackers, whose activities were discovered by the company, were the Ministry of Health in one of the Asian countries and a pharmaceutical company.
According to Kaspersky Lab, the attack on the pharmaceutical company occurred on September 25. The hackers used the Bookcode malware, as well as phishing techniques and compromised websites. A month later, on October 27, the Ministry of Health servers running the Windows operating system were attacked. In the attack on the Ministry, according to the IT company, the wAgent malware was used. Lazarus had previously infected the networks of cryptocurrency companies in the same way.
"Two Windows servers of a government agency were compromised on October 27 by a sophisticated malware known to Kaspersky Lab as wAgent. The infection was carried out in the same way that was previously used by the Lazarus group to penetrate the networks of cryptocurrency companies," said Kaspersky Lab.
Both types of malware allow attackers to gain control over an infected device. Kaspersky Lab continues its investigation.
"All companies involved in the development and implementation of the vaccine should be as ready as possible to repel cyber attacks," added Kaspersky Lab.
The Lazarus group is also known as APT38. The US Federal Bureau of Investigation (FBI) reported that their activities are sponsored by the DPRK authorities.
Recall that in July, the National Cyber Security Centre (NCSC) and similar agencies of the United States and Canada accused the hacker group APT29, allegedly associated with the Russian special services, of attempting to steal information about the coronavirus vaccine. Dmitry Peskov, press secretary of the Russian President, denied the Kremlin's involvement in the break-ins.
Kaspersky Lab and Yandex have identified malicious code in browser extensions. Through them, attackers could gain access to accounts in social networks and inflate video views on various sites.
Kaspersky Lab and Yandex experts have identified potentially malicious code embedded in more than twenty browser extensions, including Frigate Light, Frigate CDN and SaveFrom.
Through the extensions, cybercriminals could, unnoticed by the user, gain access to their VKontakte account and inflate video views on various sites. The extensions received tasks from their own server, generated fraudulent traffic by playing videos in hidden tabs, and intercepted the token used to access the social network. The code ran only while the browser was actively in use, a built-in measure to avoid detection.
The investigation began after users of Yandex.Browser began to complain about the sound of advertisements even though no video was playing on the screen. Yandex disabled the extensions in Yandex.Browser after detecting the hidden traffic flow. Kaspersky Lab blocks such activity on devices where the company's products are installed. The results of the investigation were sent to the developers of the social network and of the most popular browsers.
According to Anton Mityagin, head of Yandex's Internet Security and Anti-Fraud Department, the traffic generated by extensions is very difficult to detect, as it is mixed with real user actions. He recalled that browser extensions are very popular and the total number of their installations has long been estimated in the tens or even hundreds of millions.
Sergey Golovanov, a leading expert at Kaspersky Lab, noted that more than 1 million users could have become potential victims of the scheme. "The code from the browser extensions not only increased video views but also gained access to social network accounts, which could later be used, for example, to increase likes," he added.
A smartphone running the secure Kaspersky operating system will have minimal functionality, said the head of Kaspersky Lab, Eugene Kaspersky. According to him, it will have its own basic applications and browser, but the smartphone's purpose is different: security.
"There will be minimal functionality, but don't wait for beauty, both Android and iOS, this smartphone will perform other special tasks," said Mr. Kaspersky. "The device can call and send SMS, of course, there will be an office suite, its own browser with minimal functionality and a standard set of applications, such as an alarm clock, calculator, and so on," he added.
So far, Kaspersky Lab does not plan to have an app store on its OS, but this is possible in the future. "Most likely, first we will make our own, and then we will be ready to attract other app stores," said Eugene Kaspersky.
At the same time, he said that smartphones on the Kaspersky operating system may appear next year. The company agreed with a Chinese smartphone manufacturer to install a new OS.
He noted that the company does not plan to enter the platforms Google and Apple and try to replace them. "Our task is to create a secure phone that is almost impossible to hack, for processing secret and confidential information of both government officials and enterprises, and infrastructure management," said the head of Kaspersky Lab.
It is worth noting that Kaspersky Lab has for several years been developing an operating system designed for maximum protection of equipment and operating on the default-deny principle of "everything that is not explicitly allowed is forbidden".