Search This Blog
Load More
Trendy Right Now

Popular Posts

Showing posts with label Kaspersky. Show all posts
ZIP File
APT actors CVE vulnerability Cyber Attacks Google Play Store Kaspersky User Privacy VPN ZIP File

 SideWinder Hackers Have Planted a Bogus Android VPN Program

 

A bogus VPN program for Android smartphones was uploaded on the Google Play Store, along with a proprietary tool that screens users for improved targeting, according to phishing efforts linked to an advanced threat actor known as SideWinder. SideWinder is an APT organization that has been operating since at least 2012 and is thought to be led by an Indian actor with a high level of expertise.

Over 1,000 cyber attacks were ascribed to this gang in the last two years, according to Kaspersky, who praised its persistence and clever obfuscation tactics. Organizations in Pakistan, China, Nepal, and Afghanistan are the principal targets.

The threat actor uses spear-phishing emails to spread malicious ZIP bundles containing RTF or LNK files that install an HTML Application (HTA) payload from a remote server. The adversary uses a pretty big infrastructure that includes over 92 IP addresses, mostly for phishing assaults, and hundreds of domains and subdomains that serve as command and control servers. 

SideWinder, also known by the names, RattleSnake, Razor Tiger, T-APT-04, APT-C-17, and Hardcore Nationalist, was responsible for a recent phishing campaign that targeted both public and commercial sector institutions in Pakistan. 

A phishing document tempting victims with a document advocating "a formal debate of the impact of the US withdrawal from Afghanistan on maritime security" was discovered earlier this year by researchers at cybersecurity firm Group-IB. While the exact purpose of the bogus VPN program is unknown, this isn't the first time SideWinder has gotten around Google Play Store restrictions by publishing malicious apps disguised as utility software.

Trend Micro reported in January 2020 that three malicious applications masquerading as photography and file manager utilities used a security weakness in Android (CVE-2019-2215) to acquire root access and abuse accessibility service rights to gather sensitive data.
Read more »
RDP Flaw
Botnets C&C Cyber SecurityTrojan Attacks Kaspersky Phishing and Spam RDP Flaw

Small Businesses Remain Vulnerable, With Rising Cyberattacks

 

Small businesses are three times more likely than big corporations to fall prey to scammers in 2021. A single cyberattack's average loss has risen from $34,000 to just about $200,000. These businesses have had to deal with legal bills, compliance penalties, reputational harm, and client loss in addition to cash losses. Many small enterprises are unable to recover from these setbacks.

Kaspersky Lab researchers tracked the amount of Trojan-PSW (Password Stealing Ware) detections in 2022: 4,003,323 versus 3,029,903, up nearly a quarter from the same period in 2021. Trojan-PSW is malware that collects passwords and other account information, allowing attackers to gain access to a company's network and steal important information. Web malware has been particularly bad in Indonesia, the United States, Peru, and Egypt, with the number of incidents in these nations growing several times in the last year.

Several firms have adopted the Remote Desktop Protocol (RDP), a technology that allows computers on the same corporate network to be linked together and accessed remotely, even when employees are at home. However, because RDP is of particular interest to cybercriminals, if an attacker gains access to the corporate network through RDP, they can commit fraud on any of the company's PCs that have been linked. 

The general number of RDP attacks has fallen marginally, but not across the board. There were around 47.5 million attacks in the first trimester of 2021 in the United States, compared to 51 million in the same period in 2022. 

Advanced security services might include built-in training to keep IT professionals informed about the latest cyberthreats. Business owners can transform themselves into sought-after cybersecurity specialists by investing in training and education. 

These specialists will be able to understand how threats may affect their organization and change technological and organizational cybersecurity measures accordingly. Experts at Kaspersky recommend investing in an advanced security product that can perform incident analysis. 

These authorities can figure out where and how a leak happened, they will be better equipped to deal with any unwanted ramifications. Kaspersky Endpoint Security Cloud Pro is a new edition of Kaspersky Endpoint Security Cloud that includes advanced new features such as automated response options and an expanded range of security controls in a single solution. 

Along with all the more ground capabilities, Cobb, the security consultant, recommends that businesses invest in three extra protection measures: 
  • Data backup solution: This ensures that information that has been compromised or lost during a breach can be easily restored from a different place. 
  • Businesses may consider adopting encryption software to protect sensitive data such as employee records, client/customer information, and financial statements. 
  • Password-security software or two-step authentication: To limit the likelihood of password cracking, use these technologies with internal programs.
Read more »
Kaspersky
Amazon Web Services Botnets Cloudfare Cryptocurrency Frauds Cyber Attacks DDOS Attacks ISP Kaspersky

Cloudflare Blocks a  DDoS Attack with 15 million Requests Per Second

 

On Wednesday, Cloudflare, an internet infrastructure company, revealed it has successfully resisted one of the largest volumetric distributed denials of service (DDoS) attacks ever seen. A DDoS attack with a pace of 15.3 million requests per second (rps) was discovered and handled earlier this month, making it one of the greatest HTTPS DDoS attacks ever. 

According to Cloudflare's Omer Yoachimik and Julien Desgats, "HTTPS DDoS assaults are more pricey of necessary computational resources due to the increased cost of establishing a secure TLS encrypted connection." "As a result, the attacker pays more to launch the assault, and the victim pays more to mitigate it. Traditional bandwidth DDoS assaults, in which attackers seek to exhaust and jam the victim's internet connection bandwidth, are different from volumetric DDoS attacks. Instead, attackers concentrate on sending as many spam HTTP requests as possible to a victim's server to consume valuable server CPU and RAM and prevent legitimate visitors from accessing targeted sites."

Cloudflare previously announced it mitigated the world's largest DDoS attack in August 2021, once it countered a 17.2 million HTTP requests per second (rps) attack, which the company described as nearly three times larger than any prior volumetric DDoS attack ever observed in the public domain. As per Cloudflare, the current attack was launched from a botnet including about 6,000 unique infected devices, with Indonesia accounting for 15% of the attack traffic, trailed by Russia, Brazil, India, Colombia, and the United States. 

"What's intriguing is the majority of the attacks came from data centers," Yoachimik and Desgats pointed out. "We're seeing a significant shift away from residential network Internet Service Providers (ISPs) and towards cloud compute ISPs." According to Cloudflare, the attack was directed at a "crypto launchpad," which is "used to showcase Decentralized Finance projects to potential investors." 

Amazon Web Services recorded the largest bandwidth DDoS assault ever at 2.3 terabytes per second (Tbps) in February 2020. In addition, cybersecurity firm Kaspersky reported this week about the number of DDoS attacks increased 4.5 times year over year in the first quarter of 2022, owing partly to Russia's invasion of Ukraine.
Read more »
Spam
Banking Trojan Cyber Attacks Cyberattacks DHL Express DLL load hijacking Emotet Kaspersky malspam Outlook PayPal PowerShell Spam

Emotet : The Infamous Botnet Has Returned

 

Kaspersky researchers were able to retrieve and analyze 10 out of 16 modules, with most having been used by Emotet in the past in one form or another. Kaspersky Lab was created in 1997 as multinational cybersecurity and digital privacy organization. Kaspersky's deep risk intelligence and security expertise are continually evolving into new security solutions and services to safeguard enterprises, vital infrastructure, governments, and consumers all around the world. 

Emotet was discovered in the wild for the first time in 2014. Its major purpose back then was to steal user's financial credentials. Since then, it has gone through several modifications, began transmitting other viruses, and eventually evolved into a strong botnet. Emotet is a type of malware classified as banking Trojans. Malspam, or spam emails with malware, is the most common way for it to propagate. To persuade users, these communications frequently contain familiar branding, imitating the email structure of well-known and trustworthy companies such as PayPal or DHL. 

As per Kaspersky telemetry, the number of victims increased from 2,843 in February 2022 to 9,086 in March 2022, indicating the attackers targeted more than three times the number of users. As a result, the number of threats detected by Kaspersky solutions has increased, from 16,897 in February 2022 to 48,597 in March 2022. 

A typical Emotet infection starts with spam e-mails containing malicious macros in Microsoft Office attachments. The actor can use this macro to launch a malicious PowerShell command which will drop and start a module loader, which will then talk with a command and control server to download and start modules. In the percent Windows percent SysWOW64 or percent User percent AppDataLocal directory, Emotet creates a subfolder with a random name and replicates itself under a completely random name and extension. The exported Control RunDLL method is used to launch the Emotet DLL's primary activity. These modules can be used to carry out a range of actions on the infected computer. Kaspersky researchers were able to extract and evaluate 10 of the 16 modules, the majority of which had previously been utilized by Emotet. 

Researchers now state that the Emotet can download 16 modules judging by the recent Emotet protocol and C2 answers. They were able to recover ten of them (including two separate copies of the Spam module), which were utilized by Emotet to steal credentials, passwords, accounts, and e-mail addresses, as well as spam. We present a brief examination of these modules and also statistics on current Emotet attacks in this post. 

To gather the account details of various email clients, the current version of Emotet can create automated spam campaigns which are further spread down the network from infected devices, retrieving emails and email addresses from Thunderbird and Outlook apps and accumulating passwords from popular web browsers like Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 

Emotet infects computers in businesses and homes all around the world. As per our telemetry, Emotet most frequently targeted users from the following countries in Q1 2022: Italy (10.04%), Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), Indonesia (4.92%), India (3.21%), Vietnam (2.70%), China (2.62), Germany (2.19%) and Malaysia (2.13%). 

The present set of components is capable of a wide range of malicious activities, including stealing e-mails, passwords, and login data from a variety of sources, as well as spamming. Except for the Thunderbird components, Emotet has utilized all of these modules in some form or another before. However, there are still a few modules that we haven't been able to get our hands-on.
Read more »
Two Factor Authentication
Cyber Crime Kaspersky Phishing emails Spyware Attack Two Factor Authentication

Kaspersky ICS CERT has Discovered Several Spyware Attacks Aimed at Industrial Enterprises

 

Researchers discovered that attackers are targeting industrial businesses with spyware operations that look for corporate credentials to utilise for financial gain as well as to cannibalise infiltrated networks to proliferate further attacks. According to researchers at Kaspersky ICS CERT who discovered the campaigns, the campaigns use off-the-shelf spyware but are unique in that they limit the scope and longevity of each sample to the bare minimum. 

In contrast to generic spyware, the bulk of "anomalous" samples were configured to employ SMTP-based (rather than FTP or HTTP(s)) C2s as a one-way communication channel, implying that they were designed primarily for stealing. Researchers believe that stolen data is used mostly by threat operators to spread the assault within the attacked organization's local network (through phishing emails) and to attack other companies in order to collect new credentials. The attackers exploit corporate email compromised in previous attacks as C2 servers for new assaults.

Researchers have discovered a huge set of campaigns that spread from one industrial firm to another via hard-to-detect phishing emails disguised as the victim companies' correspondence and abusing their corporate email systems to attack through the contact lists of infected mailboxes. 

Surprisingly, corporate antispam solutions assist attackers in remaining undetected while exfiltrating stolen credentials from infected machines by rendering them 'invisible' among all the junk emails in spam folders. As a result of malicious operations of this type, researchers have identified over 2,000 business email accounts belonging to industrial companies that have been abused as next-attack C2 servers. Many more have been stolen and sold on the internet, or have been abused in other ways. 

According to the researchers, the actors behind similar campaigns are "low-skilled people and small groups" operating individually. Their goal is to either commit financial crimes using stolen credentials or to profit from selling access to corporate network systems and services. Indeed, they discovered over 25 separate markets where threat actors sell data collected during attacks against industrial businesses. 

“At these markets, various sellers offer thousands of RDP, SMTP, SSH, cPanel, and email accounts, as well as malware, fraud schemes, and samples of emails and webpages for social engineering,” Kaspersky’s Kirill Kruglov explained. More severe threat actors, such as Advanced Persistent Threat (APT) and ransomware gangs, can also use the credentials to launch assaults, according to him. 

To avoid being compromised by the campaigns, Kaspersky recommends establishing two-factor authentication for corporate email access and other internet-facing services such as RDP and VPN-SSL gateways.
Read more »
Security Researchers
APT China Kaspersky malware Security Researchers

APT41 Used the New MoonBounce UEFI Malware in Targeted Attacks

 

According to the Kaspersky researchers who discovered it, a new firmware bootkit discovered in the wild demonstrates remarkable advances over previous similar tools. MoonBounce is a harmful implant that hides in a computer's UEFI firmware in the system's SPI flash - a storage component external to the hard drive, making it difficult to remove and difficult for proprietary security products to detect. UEFI is a technical specification that aids in the interoperability of computer systems' operating systems (OS) and firmware software. 

Being able to place malicious code known as a "UEFI bootkit" in the firmware is an ideal approach to avoid detection by antivirus software and other security measures running at the OS level. This has been done before, with the FinFisher malware and the ESPecter backdoor being two recent instances. In general, these tools hijack the boot sequence and initialize it before the operating system's security components. They are extremely tenacious because they nest in regions that cannot be wiped, such as reserved disk space. 

"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx, and ExitBootServices," explains Kaspersky in the report. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader." 

MoonBounce is the third bootkit identified in the wild, following LoJax and MosaicRegressor, and it shows "substantial development, with a more sophisticated attack flow and better technical sophistication" when compared to predecessors. It was discovered in 2021 by Kaspersky using its Firmware Scanner, which is designed to detect threats hidden in the ROM BIOS, including UEFI firmware images.

Kaspersky discovered a plethora of evidence linking MoonBounce to APT41, ranging from the deployment of the ScrambleCross malware itself to unique certificates acquired from its C2 servers that correspond to earlier FBI reports on APT41 activities. While the United States Department of Justice discovered and charged five APT41 members in September 2020, the presence of MoonBounce and the operation around it demonstrates that the threat actors were not deterred by the legal pressure. 

According to the telemetry data, the attacks were extremely targeted, and Kaspersky only detected the firmware rootkit on one occasion. Kaspersky discovered several malware samples and loaders in other devices on the same network, however, they were non-UEFI implants. Microcin backdoor, Mimikat credential stealer, Go implant, StealthMutant loader, and ScrambleCross malware are a few examples.
Read more »
Kaspersky
Cyber Attacks Kaspersky

Kaspersky Lab estimated the losses of Russian business from cyberattacks

After a targeted attack, large businesses lost an average of $695,000, while small and medium businesses lost almost $32,000.

Kaspersky Lab experts have studied the cyberattacks that Russian companies have been subjected to since the beginning of the year. The collected statistics helped to identify the most dangerous type of data hacking for businessmen. The greatest damage was caused by targeted attacks.

The experts explained that these are pre-planned attacks, when attackers “purposefully attack a specific company”, having previously conducted reconnaissance and selected tools for the attack. On average, after such an attack, large businesses lost $695,000, while small and medium businesses lost $32,000 this year.

In addition, the damage to Russian business in 2021 was caused by “the illegal use of IT resources by employees.” Kaspersky Lab experts also attributed such cases to cyber incidents. The losses caused by them reached nearly $510 thousand for large companies and $30 thousand for small ones.

A little less business suffered in cases when employees did not comply with the internal information security policy. In such incidents, according to the study, the damage for a large organization was $465 thousand, and for a small one — almost $30 thousand.

DDoS attacks, according to Kaspersky Lab, in turn, deprived large businesses of $463 thousand, and owners of small companies — more than $28 thousand.

At the end of May, Kaspersky Lab announced that the new attacks differ from cyberattacks using encryption viruses in that the scammers do not use specially created malware, but the standard BitLocker Drive Encryption technology included in the Windows operating system. Several Russian companies have been hit by ransomware attacks that have blocked access to corporate data and demanded a ransom.

Read more »
Vulnerabilities and Exploits
Kaspersky Microsoft Office vulnerability Russia Russian Cyber Security Vulnerabilities and Exploits

Hackers attack Russian organizations through a new Microsoft Office vulnerability

Information security specialists from Kaspersky Lab reported that hackers are trying to attack Russian companies through a new vulnerability in Microsoft Office products. At least one attack targeted government agencies. Using the vulnerability, attackers can not only spy on users of the infected system, but also download malicious programs like ransomware viruses into it. Experts expect that hackers will actively exploit the system's flaw, as users are slow to install updates.

According to Yevgeny Lopatin, head of the complex threat detection department at Kaspersky Lab, attackers are now exploiting the vulnerability by sending a phishing email with a document attachment. An employee only needs to open such a document on his computer for the vulnerability to work, and then malware is downloaded and installed on the victim’s computer.

Rostelecom-Solar has registered one targeted attack on government bodies using this vulnerability, said Igor Zalevsky, head of the Solar JSOC CERT cyber incident investigation department.

The expert added that a number of government systems are still using Internet Explorer as the recommended browser.

This is actually a vulnerability in MSHTML, the engine of the Internet Explorer browser. This part is responsible for displaying the content of the web page (images, fonts, and other files). In this case, MSHTML is used by the Microsoft Office software package to display web content in documents.

The vulnerability in MSHTML allows an attacker to create modified documents with malicious scripts. After compromising the system through this vulnerability, an attacker can install a backdoor.

According to experts, a wave of attacks using the problem in MSHTML is expected. The vulnerability can be exploited both in advanced attacks and in regular phishing emails.

Read more »
Windows
Kaspersky malware Microsoft Scammers Trojans Windows

Fake Windows 11 Installers are Being Used to Spread Malware

 

Although Windows 11 isn't expected to be released until later this year, hackers have already begun attempting to use it to infect victims with malware. On Friday, security firm Kaspersky warned that crooks were using bogus installers to take advantage of consumers eager to get their hands on the Microsoft operating system update, which is set to be released in the fall. 

“Although Microsoft has made the process of downloading and installing Windows 11 from its official website fairly straightforward, many still visit other sources to download the software, which often contains unadvertised goodies from cybercriminals (and isn’t necessarily Windows 11 at all),” Kaspersky wrote. The sarcastic "goodies" include anything from harmless adware to password stealers and trojans. 

An executable file called 86307 windows 11 build 21996.1 x64 + activator.exe is one example. It certainly appears credible, with a file size of 1.75GB. However, the majority of that space is taken up by a single DLL file that contains a lot of irrelevant data. 

When you run the application, the installer seems to be a standard Windows installation wizard. Its primary function is to download and execute a more intriguing executable. The second executable is likewise an installer, with a license agreement that describes it as a “download manager for 86307 windows 11 build 21996.1 x64 + activator” and notes that it will also install some sponsored applications. If you accept the agreement, your computer will be infected with a number of malicious programmes. 

It's not uncommon for hackers to take advantage of victims' demand for a product or service, whether it's coronavirus contact tracing apps or the Telegram encrypted messaging app. In late June, Microsoft announced Windows 11 and made an initial “insider preview” accessible. Security has been highlighted as a key driving factor in the development of the operating system upgrade. 

The bogus installers are proliferating as Microsoft battles a number of security threats directed at the firm. Last week, Microsoft revealed instructions on how to protect against the "PetitPotam" attack, which might allow attackers to take control of Windows domains, as well as a solution for the "SeriousSAM" vulnerability, which could let attackers get administrative access. Last week, the corporation also issued a warning about LemonDuck, a cryptocurrency mining malware that has been targeting Microsoft devices. 
Read more »
Pegasus
Android Cyber Security GitHub iOS Kaspersky Pegasus

Pegasus: The Case of the Infamous Spyware

 

The case of the infamous spyware Pegasus has taken the world by storm, with news revealing its unlawful use infringing on many people's basic human rights. With such remote surveillance now accessible via an infected device, the issue of cybersecurity has grown more pressing than ever. According to sources from throughout the world, NSO Group's software was used to spy on around 50,000 people, including politicians, businessmen, journalists, and activists. 

Dmitry Galov, a security researcher at Kaspersky's GReAT, describes the Pegasus spyware's beginnings and how it differs from vulnerabilities. “Pegasus is a spyware with versions for both iOS and Android devices,” he explains. Even in 2017, the criminal had the ability to “read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history, among other things.” To clarify, Galov argues that Pegasus is a sophisticated and costly malware. It was created with the intent of spying on people of particular interest. As a result, the typical user is unlikely to be a target. 

However, the spyware's sophistication makes it one of the most powerful tools for spying on one's smartphone. Pegasus has evolved over time to attack a number of zero-day vulnerabilities in Android and iOS. Although it tries to remove its own traces from an infected device, some of them can still be seen under forensic examination. According to Galov, many parties on the darknet can sell and buy malware as well as zero-day vulnerabilities. Vulnerabilities can cost up to $2.5 million - that's how much the whole chain of Android vulnerabilities was offered for, in 2019. 

Amnesty International researchers have created a toolkit that can assist consumers to determine whether their phone has been infected with spyware. The open-source toolkit has been made accessible on GitHub by Amnesty International. Users must first download and install a python package from the MVT (Mobile Verification Toolkit) website's documentation. It also contains advice on how to complete the procedure on both iOS and Android. Users must take a backup of their iOS device before launching MVT. 

According to Amnesty International, the goal of MVT is to make it easier to conduct a "consensual forensic study" of devices belonging to people who may be the victims of sophisticated mobile spyware attacks. “We do not want MVT to enable privacy violations of non-consenting individuals,” Amnesty said. “Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.”
Read more »
Pegasus
Apple iMessage iPhone Kaspersky Mobile Security Pegasus

Apple’s iPhone is the Easiest to Snoop on Using the Pegasus, Says Amnesty

 

NSO Group, an Israeli cyber intelligence firm, developed Pegasus spyware as a surveillance tool. As claimed by the corporation, this firm is known for developing advanced software and technology for selling primarily to law enforcement and intelligence agencies of approved nations with the sole objective of saving lives by preventing crime and terror activities. Pegasus is one such software designed to get unauthorized access to your phone, gather personal and sensitive data, and transfer it to the user who is spying on you. 

Pegasus spyware, according to Kaspersky, can read SMS messages and emails, listen to phone calls, take screenshots, record keystrokes, and access contacts and browser history. A hacker may commandeer the phone's microphone and camera, turning it into a real-time monitoring device, according to another claim. It's also worth mentioning that Pegasus is a complex and expensive spyware meant to spy on specific individuals, so the typical user is unlikely to come across it. 

Pegasus malware snooped on journalists, activists, and certain government officials, and Apple, the tech giant that emphasizes user privacy, was a victim of the attack. Indeed, according to Amnesty's assessment, Apple's iPhone is the easiest to snoop on with Pegasus software. According to the leaked database, iPhones running iOS 14.6 feature a zero-click iMessage exploit, which could have been used to install Pegasus software on the targeted entities' iPhones. The Cupertino behemoth has issued a statement condemning the assault. 

Apple’s Head of Security Engineering and Architecture, Ivan Krsti, in a statement said, "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data." 

Citizen Labs had already uncovered this flaw. Zero-click attacks are practically invisible and run in the background because they do not require the user's involvement. In iOS 14, Apple included the Blastdoor framework to make zero-click attacks more difficult, although it does not appear to be operating as planned.
Read more »
Russian Hackers
Cyber Crime Hackers News Kaspersky Russian Hackers

Kaspersky: the most malicious hackers speak Russian

Kaspersky said that the most professional, most aggressive espionage attacks are carried out by those who speak English, Russian and Chinese.

As for the most professional cybercrime groups, they almost all speak Russian, "because the best programmers in the world also speak Russian," he noted, explaining the difference between cybercrime and cyber espionage, that is, hackers who work for the state.

"The Soviet, Russian education system produces the most intelligent programmers in large numbers. The most malicious cybercriminals graduated from the same universities as the most professional programmers who work as white hat hackers," Kaspersky said.

The second factor explaining the abundance of Russian-speaking cybercrime groups is that English-speaking cybercriminals are quickly found and punished in the United States.

"There were criminal groups in the United States, in other countries, but they were almost liquidated. This is explained very simply. Where is the most money? In the USA. Who are the American criminals attacking? Their own. And they are immediately taken on their own territory. Who are the Russian-speaking groups attacking? Again, America. All. It's just the economy," Kaspersky said.

According to Mr. Kaspersky, that is why it is completely ineffective to fight cybercrime by the forces of disunited cyber police units.

"Cybercriminals commit crimes on the Web, where there are no borders. Police units act only in their own territory," Kaspersky added.

He believes that cooperation at the international level is needed, which is currently working very poorly to solve this problem.

Kaspersky recalled that cooperation between different countries on cybersecurity issues has been built for several years, its peak occurred in 2015-2016. Then there was a fairly successful joint police operation of Russia, the U.S. and some European countries against the high-profile international cyber gang Carbanak.


Read more »
malware
Kaspersky malware

Kaspersky detected a new method of cyber attacks on corporate data

Kaspersky Lab noted that the new attacks differ from cyberattacks using encryption viruses in that the scammers do not use specially created malware, but the standard BitLocker Drive Encryption technology included in the Windows operating system. Several Russian companies have been hit by ransomware attacks that have blocked access to corporate data and demanded a ransom.

The company explained that scammers get into the corporate network with the help of phishing emails that are sent on behalf of different companies in order to obtain user data or vulnerabilities in the system. After that, they find the BitLocker function in the control panel, perform encryption, and assign themselves the keys, usernames, and passwords that this program generates.

As the company said, as soon as the scammers get access to the server, which contains information about all corporate devices, they can completely encrypt the IT infrastructure of the organization.

Sergey Golovanov, the chief expert at Kaspersky Lab, explained that it is now difficult to estimate the actual number of attacks since the attackers use standard operating system tools.

"At this stage, we can assume that this is not a targeted campaign: the attacked companies are not similar both in size and in areas of activity," the expert said. According to Mr. Golovanov, scammers make phishing emails without taking into account the specifics of the enterprise and are widespread.

Earlier, Kaspersky Lab recorded hacker attacks on ten Russian financial and transport companies using a previously unknown Quoter ransomware program, as well as phishing emails with a banking Trojan program. The hackers sent out phishing emails with topics such as "Request for refund" or "Copies of Last Month's documents". As soon as the recipient clicked on the link or opened the attachment, a malicious RTM Trojan was downloaded to their device.

Read more »
malware
APT CIA Cyberespionage Hacking Attack Kaspersky malware

Kaspersky Discovered Purple Lambert to be a Part of the CIA

 

Kaspersky Lab, a cybersecurity company, has uncovered a new malware that analysts believe is linked to the US Central Intelligence Agency. Multiple antivirus providers obtained a series of malware samples in February 2019, according to Kaspersky experts, some of which cannot be linked to the operation of established APT classes. There were no parallels between these malware strains and malware affiliated with other APT classes.

Although an initial investigation revealed no common code with any previously-known malware samples, Kaspersky recently re-analyzed the files and discovered that “the samples have intersections with coding patterns, style, and techniques that have been used in different Lambert families,” according to the company. Lamberts is Kaspersky's internal codename for tracking CIA hacking operations.

Kasperksy has dubbed this new malware cluster Purple Lambert due to the shared similarity between these recently found samples and previous CIA malware. The malware samples seem to have been collected seven years earlier, in 2014, according to Purple Lambert metadata. Although Kaspersky has not seen any of these samples in the wild, it believes Purple Lambert samples were “most certainly deployed in 2014 and probably as late as 2015.”

“Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert.” states the APT trends report Q1 2021 published by Kaspersky. “Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert.” 

While the Lambert APT (also known as the Longhorn APT) has been present since at least 2008, the first samples were discovered in 2014. The group is extremely advanced, and it has penetrated organisations all over the world with a sophisticated cyberattack network that can hack both Windows and Mac systems. The researchers discovered and studied numerous backdoors and hacking methods that make up the cyberespionage group's arsenal over the years.
Read more »
Trojan
Android devices APKPure Kaspersky malware Trojan

APKPure Compromised to Deliver Malware

 

APKPure, one of the biggest alternative application stores outside of the Google Play Store, was tainted with malware this week, permitting threat actors to disseminate Trojans to Android gadgets. In an incident that is like that of German telecommunications equipment manufacturer Gigaset, the APKPure customer variant 3.17.18 is said to have been altered trying to trick unsuspecting clients into downloading and installing noxious applications linked to the malevolent code incorporated into the APKpure application. The development was reported by researchers from Doctor Web and Kaspersky. 

“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web. "This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing, and uninstalling software without users' permission," Doctor Web researchers added.

Triada was designed with the particular purpose to carry out financial frauds, typically hijacking financial SMS transactions. The most intriguing trait of the Triada Trojan is its modular architecture, which gives it theoretically a wide range of abilities. 

As per Kaspersky, the APKPure rendition 3.17.18 was altered to incorporate an advertisement SDK that goes about as a Trojan dropper intended to convey other malware to a victim's gadget. "This component can do several things: show ads on the lock screen; open browser tabs; collect information about the device; and, most unpleasant of all, download other malware," Kaspersky's Igor Golovin said. In light of the discoveries, APKPure has released another rendition of the application (form 3.17.19) on April 9 that eliminates the malevolent part. "Fixed a potential security problem, making APKPure safer to use," the developers behind the app distribution platform said in the release notes.

“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.” states Kaspersky.
Read more »
ransomware attacks
Cyber Attacks Fortinet FortiOS Kaspersky ransomware attacks

Cring Ransomware Attacks Exploited Fortinet Flaw

 

Ransomware operators shut down two production facilities having a place with a European manufacturer in the wake of conveying a relatively new strain that encrypted servers that control a manufacturer's industrial processes, a researcher from Kaspersky Lab said on Wednesday. Threat actors are abusing a Fortinet vulnerability flagged by the feds a week ago that conveys a new ransomware strain, named Cring, that is targeting industrial enterprises across Europe. 

Researchers say the attackers are misusing an unpatched path-reversal flaw, followed as CVE-2018-13379, in Fortinet's FortiOS. The objective is to access the victim's enterprise networks and eventually convey ransomware, as indicated by a report by Kaspersky Lab. “In at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. 

Cring is relatively new to the ransomware threat scene—which as of now incorporates prevailing strains REvil, Ryuk, Maze, and Conti. Cring was first noticed and revealed by the analyst who goes by Amigo_A and Swisscom's CSIRT team in January. The ransomware is one of a kind in that it utilizes two types of encryption and annihilates backup files to threaten victims and keep them from retrieving backup files without paying the ransom. A week ago, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that nation-state advanced persistent threat (APT) groups were effectively abusing known security vulnerabilities in the Fortinet FortiOS operating system, influencing the organization's SSL VPN items. 

In its report, Kaspersky echoed the feds cautioning adding attackers are first scanning connections with Fortinet VPNs to check whether the software utilized on the gadget is the vulnerable version. The objective is to crack open affected hardware, give adversaries admittance to network credentials, and build up traction in the targeted network, Kopeytsev clarified. “A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file ‘sslvpn_websession,’ which contains the username and password stored in cleartext.”
Read more »
Ransomware
Kaspersky malware Malware Attack Ransomware

Kaspersky detected new ransomware attack on Russian companies

Kaspersky Lab has recorded a series of targeted attacks targeting Russian financial and transport companies. Hackers used a previously unknown ransomware virus

According to a statement from Kaspersky Lab, since December 2020, ten Russian financial and transport companies have been subjected to hacker attacks using the previously unknown Quoter ransomware. Experts believe that the Russian-speaking group RTM is engaged in this.

The hackers sent out phishing emails, choosing topics that they calculated should force the recipient to open the message, for example, "Request for refund", "Copies of documents from the last month" and so on. As soon as the recipient clicked on the link or opened the attachment, the RTM Trojan was downloaded to their device.

Then the attackers tried to transfer money through accounting programs by replacing the details in payment orders or manually using remote access tools. If they failed, they used Quoter, which encrypted the data using the AES cryptographic algorithm and left contacts for communication with hackers. If the recipient did not respond, they threatened to make the stolen personal data publicly available and attached evidence, and demanded about $1 million as a ransom.

Sergey Golovanov, a leading expert at Kaspersky Lab, warned that the attacks pose a serious threat to companies, as hackers use several tools at once: a phishing email with a banking Trojan and an encryption program.

"Among the features of this campaign is that the Russian-speaking RTM attackers changed the tools used for the first time, moreover, now they are attacking Russian companies," said Mr. Golovanov, noting that usually encryption programs are used in attacks on foreign organizations.

Group-IB also warned about hacker attacks from RTM. According to the company, from September to December 2018, they sent more than 11 thousand malicious emails to financial institutions from addresses faked for government agencies. The emails contained a malicious attachment. They had fake PDF icons, and after running the file extracted from the archive, the computer was infected. On average, one successful theft of this type brought the attackers about 1.1 million rubles ($15,000).

Read more »
lazarus
Cyber Attacks Hacker attack Kaspersky lazarus

Kaspersky has reported hacker attacks on COVID-19 researchers

The hacker group Lazarus attacked the developers of the coronavirus vaccine: the Ministry of Health and a pharmaceutical company in one of the Asian countries

Kaspersky Lab reported that the hacker group Lazarus has launched two attacks on organizations involved in coronavirus research. The targets of the hackers, whose activities were discovered by the company, were the Ministry of Health in one of the Asian countries and a pharmaceutical company.

According to Kaspersky Lab, the attack occurred on September 25. Hackers used the Bookcode virus, as well as phishing techniques and compromising sites. A month later, on October 27, the Ministry of Health servers running on the Windows operating system was attacked. In the attack on the Ministry, according to the IT company, the wAgent virus was used. Similarly, Lazarus previously infected the networks of cryptocurrency companies.

"Two Windows servers of a government agency were compromised on October 27 by a sophisticated malware known to Kaspersky Lab as wAgent. The infection was carried out in the same way that was previously used by the Lazarus group to penetrate the networks of cryptocurrency companies," said Kaspersky Lab.

Both types of malware allow attackers to gain control over an infected device. Kaspersky Lab continues its investigation.

"All companies involved in the development and implementation of the vaccine should be as ready as possible to repel cyber attacks," added Kaspersky Lab.

The Lazarus group is also known as APT38. The US Federal Bureau of Investigation (FBI) reported that their activities are sponsored by the DPRK authorities.

Recall that in July, the National Cyber Security Centre (NCSC) and similar departments of the United States and Canada accused the hacker group APT29, allegedly associated with the Russian special services, in an attempt to steal information about the coronavirus vaccine. Dmitry Peskov, press secretary of the Russian President, denied the Kremlin's involvement in the break-ins.

Read more »
Security News
Kaspersky malware Security News

Kaspersky Lab and Yandex have detected malicious browser extensions

 Kaspersky Lab and Yandex have identified malicious code in browser extensions. Through them, attackers could gain access to the account in social networks and increase views of videos on various sites

Kaspersky Lab and Yandex experts have identified potentially malicious code that pulls more than twenty browser extensions, including Frigate Light, Frigate CDN and SaveFrom.

Through extensions, cybercriminals could, unnoticed by the user, gain access to his VKontakte account, and increase video views on various sites. Extensions received tasks from their own server, generated fraud traffic by playing videos in hidden tabs, and intercepted a token for access to the social network. The code was run only when the browser was actively used, activating the built-in detection protection.

The investigation began after users of Yandex.Browser began to complain about the sounds of advertising, although the video on the screen was not played. Yandex disabled extensions in Yandex. Browser after detecting a hidden traffic flow. Kaspersky lab blocks such activity on devices where the company's products are installed. The results of the investigation were sent to the developers of the social network and the most popular browsers.

According to Anton Mityagin, head of Yandex's Internet Security and Anti-Fraud Department, the traffic generated by extensions is very difficult to detect, as it is mixed with real user actions. He recalled that browser extensions are very popular and the total number of their installations has long been estimated in the tens or even hundreds of millions.

The leading expert of Kaspersky Lab Sergey Golovanov noted that more than 1 million users could become potential victims of the scheme. "The code from the browser extensions not only increased video views but also gained access to social network accounts, which could later be used, for example, to increase likes," added he.

Read more »
Mobile Security
Antivirus Cyber Security News Kaspersky Mobile Security

Kaspersky announced the creation of the new smartphones with protection from hackers

A smartphone with a secure Kaspersky will have minimal functionality, said the head of Kaspersky Lab, Eugene Kaspersky. According to him, it will have its own basic applications and browser, but the smartphone has other tasks, it's security.

"There will be minimal functionality, but don't wait for beauty, both Android and iOS, this smartphone will perform other special tasks," said Mr. Kaspersky. "The device can call and send SMS, of course, there will be an office suite, its own browser with minimal functionality and a standard set of applications, such as an alarm clock, calculator, and so on,” added he.

So far, Kaspersky Lab does not plan to have an App store on its OS, but this is possible in the future. "Most likely, first we will make our own, and then we will be ready to attract other app stores," said Eugene Kaspersky.

At the same time, he said that smartphones on the Kaspersky operating system may appear next year. The company agreed with a Chinese smartphone manufacturer to install a new OS. 

He noted that the company does not plan to enter the platforms Google and Apple and try to replace them. "Our task is to create a secure phone that is almost impossible to hack, for processing secret and confidential information of both government officials and enterprises, and infrastructure management," said the head of Kaspersky Lab.

It’s interesting to note that Kaspersky Lab has been creating an operating system designed for maximum protection of equipment and operating on the principle of "everything is forbidden that is not allowed" for several years.

Read more »
Subscribe to: Posts (Atom)