CVE-2017-11882
Published: 2017-11-15
Priority: P1 · 94 · high · CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03 · Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | excel | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft_corporation | microsoft_office | — | — |
| msrc | microsoft_office_2007_service_pack_3 | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_2013_service_pack_1 | — | — |
| msrc | microsoft_office_2016 | — | — |
Detection & IOCs (extracted from sources)
- The exploit uses a buffer overflow to overwrite a return address on the EQNEDT32.EXE stack with a constant address; look for shellcode execution patterns within EQNEDT32.EXE's stack memory.
- Post-exploitation shellcode calls URLDownloadToFileW() to drop a .js file into the AppData\Roaming directory, then ShellExecuteW() to run it via WScript.exe; monitor for this sequence originating from EQNEDT32.EXE.
- Agent Tesla performs anti-analysis checks including CheckRemoteDebuggerPresent(), timing-based VM detection, and loading of sandbox DLLs (SbieDLL.dll, SxIn.dll, Sf2.dll, snxhk.dll, cmdvrt32.dll); the presence of these checks in a .NET binary is a strong indicator.
- The Agent Tesla loader module is fileless and is never written to disk; detection should focus on memory scanning of PowerShell processes for the PROJETOAUTOMACAO.VB namespace and the VAI() method call.
- Malicious spam delivering CVE-2017-11882 exploits was the most prevalent malware detection in 2018 (Kaspersky verdict: Win32.CVE-2017-11882); use this AV verdict as a hunt/detection pivot.
- The ChessMaster campaign used CVE-2017-11882 alongside DDEAUTO, Microsoft Office Frameset, and Link auto update as entry vectors; detections should cover all four techniques in spear-phishing document analysis.
- The initial Excel document exploits CVE-2017-0199 (not CVE-2017-11882) to download an RTF file; CVE-2017-11882 is exploited in the second stage within the downloaded RTF document, not in the initial attachment.
- ANEL version 5.1.2 rc1 uses HTTPS for C2 communications to prevent capture of data in clear text, unlike earlier versions; network-based detection of ANEL C2 traffic must account for TLS-encrypted channels.
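The second note above (EQNEDT32.EXE dropping a .js file under AppData\Roaming and running it through WScript.exe) is the kind of process chain a detection rule can key on. The following is an added example written for this page, not code from any of the sources listed; it runs that logic over constructed process-creation events. The pipe-delimited log format, the file paths and every event in `SAMPLE_LOG` are assumptions made for the example.

```python
"""Added example, not code from the page or from any vendor it cites: detection
logic for the EQNEDT32.EXE -> script-host chain described in the notes above,
run over constructed process-creation events.  The log format, paths and
events below are assumptions made for this example."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed pipe-delimited process-creation log, one event per line:
#   time|ppid|parent_image|pid|image|command_line
# The events are constructed for this example; nothing here is a real capture.
SAMPLE_LOG = r"""
2024-01-01T10:00:01Z|812|C:\Windows\System32\svchost.exe|4100|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|"EQNEDT32.EXE" -Embedding
2024-01-01T10:00:02Z|4100|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|4188|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\alice\AppData\Roaming\update.js
2024-01-01T10:00:03Z|4100|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|4190|C:\Windows\System32\calc.exe|calc.exe
2024-01-01T10:00:04Z|3000|C:\Windows\explorer.exe|4200|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\alice\AppData\Roaming\update.js
2024-01-01T10:00:05Z|3000|C:\Windows\explorer.exe|4210|C:\Windows\System32\notepad.exe|notepad.exe
"""

# Script hosts and shells the Equation Editor has no legitimate reason to launch.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    time: str
    ppid: int
    pid: int
    child: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[dict]:
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.strip().split("|", 5)
    if len(parts) != 6:
        return None
    time, ppid, parent, pid, image, cmd = parts
    if not (ppid.isdigit() and pid.isdigit()):
        return None
    return {"time": time, "ppid": int(ppid), "parent": parent,
            "pid": int(pid), "image": image, "cmd": cmd}


def detect_eqnedt32_children(lines: Iterable[str]) -> List[Finding]:
    """Flag every process whose parent is EQNEDT32.EXE.

    The Equation Editor normally spawns nothing, so any child is worth a look;
    a script host, or a .js under AppData\\Roaming on the command line, matches
    the post-exploitation sequence reported for this CVE and is rated high.
    """
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or _basename(ev["parent"]) != "eqnedt32.exe":
            continue
        child = _basename(ev["image"])
        cmd = ev["cmd"].lower()
        if child in SCRIPT_HOSTS or ("\\appdata\\roaming\\" in cmd and ".js" in cmd):
            severity, reason = "high", f"{child} launched by the Equation Editor: {ev['cmd']}"
        else:
            severity, reason = "medium", f"unexpected child {child} of the Equation Editor"
        findings.append(Finding(ev["time"], ev["ppid"], ev["pid"], child, severity, reason))
    return findings


if __name__ == "__main__":
    # Expected: the wscript.exe child is rated high, calc.exe medium, and the
    # wscript.exe launched by explorer.exe is not reported at all.
    for f in detect_eqnedt32_children(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.time} pid={f.pid} ppid={f.ppid} {f.reason}")
```

The rule is keyed on EQNEDT32.EXE as the parent rather than on the Office application: the Equation Editor is started out-of-process through DCOM, so in process-creation telemetry its parent is a service host and not WINWORD.EXE or EXCEL.EXE, and a rule that looks for Office applications spawning script hosts misses this chain entirely. The fourth sample event shows the other side of that choice: the same .js run from explorer.exe is deliberately not reported, since it is not the sequence the note describes.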
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Microsoft Office Memory Corruption Vulnerability
cisa · 2021-11-03 · CVSS 7.8 · CVE-2017-11882 [HIGH] · CWE-119
Affected: Microsoft Office
Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-11882
Remediation Due Date: 2022-05-03
Microsoft
Microsoft Office Memory Corruption Vulnerability
vendor_msrc · 2017-11-14 · CVSS 7.8 · CVE-2017-11882 [HIGH]
Description: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerability requires that a user open a specially crafted file with
GHSA
GHSA-cf25-5rjj-26cw
ghsa_unreviewed · 2022-05-14 · CVSS 7.8 · CVE-2017-11884 [HIGH] · CWE-119
Microsoft Excel 2016 Click-to-Run (C2R) allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11882.
GHSA
GHSA-vjph-m3mp-rqj5
ghsa_unreviewed · 2022-05-13 · CVSS 7.8 · CVE-2017-11882 [HIGH] · CWE-119
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
VulnCheck
Microsoft Excel Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2017 · CVSS 7.8 · CVE-2017-11884 [HIGH]
Microsoft Excel 2016 Click-to-Run (C2R) allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11882.
Affected: Microsoft Excel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://bi.zone/upload/for_download/Threat_Zone_2024_BI.ZONE_Research_rus.pdf
VulnCheck
Microsoft Office Memory Corruption Vulnerability
vulncheck · 2017 · CVSS 7.8 · CVE-2017-11882 [HIGH] · CWE-119
Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.fortinet.com/blog/threat-research/cobalt-malware-strikes-using-cve-2017-11882-rtf-vulnerability; https://www.riskiq.com/blog/labs/cobalt-strike/; https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html; https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild; https://www.freebuf.com/column/159865.html; https://www.riski
Suricata
ET MALWARE RedLine Stealer - CheckConnect Response
suricata · 2023-04-17 · CVE-2017-11882
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RedLine Stealer - CheckConnect Response"; flow:established,to_client; http.response_body; bsize:212; content:"|3c|s|3a|Envelope|20|xmlns|3a|s|3d 22|http|3a 2f 2f|schemas|2e|xmlsoap|2e|org|2f|soap|2f|envelope|2f 22 3e 3c|s|3a|Body|3e 3c|CheckConnectResponse|20|xmlns|3d 22|http|3a 2f 2f|tempuri|2e|org|2f 22 3e 3c|CheckConnectResult|3e|true|3c 2f|CheckConnectResult|3e 3c 2f|CheckConnectResponse|3e 3c 2f|s|3a|Body|3e 3c 2f|s|3a|Envelope|3e|"; fast_pattern; reference:url,fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two; reference:url,witter.com/crep1x/status/1648063045808148481; reference:md5,43967615d9e0e19bc59d32f
YARA
potential_CVE_2017_11882
yara · CVE-2017-11882

```yara
rule potential_CVE_2017_11882
{
    meta:
        author = "ReversingLabs"
        reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
    strings:
        // OLE compound document header (CFB magic)
        $docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
        // Equation Editor OLE stream and object names
        $equation1 = "Equation Native" wide ascii
        $equation2 = "Microsoft Equation 3.0" wide ascii
        // Command strings commonly found in the embedded payload
        $mshta = "mshta"
        $http = "http://"
        $https = "https://"
        $cmd = "cmd"
        $pwsh = "powershell"
        $exe = ".exe"
        // Constant return address used by the exploit
        $address = { 12 0C 43 00 }
    condition:
        $docfilemagic at 0 and any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
}
```
Exploit-DB
Microsoft Office - OLE Remote Code Execution
exploitdb · 2017-11-20 · CVSS 7.8 · CVE-2017-11882 [HIGH]
---
Source: https://github.com/embedi/CVE-2017-11882
CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/
MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html
DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410
webdav_exec CVE-2017-11882
A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be
Metasploit
Microsoft Office CVE-2017-11882
metasploit · CVSS 7.8 · CVE-2017-11882 [HIGH]
This module exploits a flaw in the Equation Editor that allows an attacker to execute arbitrary code via RTF files without interaction. The vulnerability is caused by the Equation Editor failing to properly handle OLE objects in memory.
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable · 2026-05-27 · CVE-2023-4966
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist · 2026-05-07 · CVSS 7.8 · CVE-2026-21519 [HIGH]
By Alexander Kolesnikov
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
CVE-2026-21519: Desktop Window Manager vulnerability
RegPwn (CVE-2026-21533): a system settings access control vulnerability
CVE-2026-21514: a Microsoft Office vulnerability
Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
CVE-2026-34070: LangChain framework vulnerability
CVE-2026-22812: an OpenCode vulnerability
Conclusion and advice
Authors
Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Tenable
Iranian-linked actors are engaging in disruptive attacks
blogs_tenable · 2026-03-11
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist · 2026-03-06
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist · 2026-03-06 · CVSS 7.8 · CVE-2025-55182 [HIGH]
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
React2Shell (CVE-2025-55182): a vulnerability in React Server Components
CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
CVE-2025-11001: a vulnerability in 7-Zip
RediShell (CVE-2025-49844): a vulnerability in Redis
CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
Conclusion and advice
Authors
Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Fortinet
Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails | FortiGuard Labs
blogs_fortinet · 2026-02-10 · CVSS 7.8 · [HIGH]
FortiGuard Labs Threat Research
# Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
Technical analysis of a multi-stage phishing campaign delivering XWorm RAT through malicious Excel attachments, fileless .NET loaders, and process hollowing
By Xiaopeng Zhang | February 10, 2026
Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Full remote control of the victim’s computer
Severity Level: High
## Background
FortiGuard Labs recently captured a phishing campaign in the wild delivering a new variant of XWorm.
XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 that remains actively
Fortinet
Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails | FortiGuard Labs
blogs_fortinet · 2026-02-10 · CVSS 7.8 · CVE-2018-0802 [HIGH]
FortiGuard Labs Threat Research
Technical analysis of a multi-stage phishing campaign delivering XWorm RAT through malicious Excel attachments, fileless .NET loaders, and process hollowing
Background
Infection Chain
Multiple-Themed Phishing Emails
Crafted Excel File to Exploit
CVE-2018-0802
Analyzing the HTA File
The Fileless .NET Module and Process Hollowing
The XWorm Payload File
Dissecting the Packet
XWorm Control Commands
XWorm Plugins
XWorm Features
System Control:
Attacks:
XWorm RAT Management:
Other Capabilities:
Summary
Fortinet Protections
URLs:
C2 Server:
Relevant Sample SHA-256:
By Xiaopeng Zhang | February 10, 2026
Affected Platforms: Micros
Zscaler
GuLoader Obfuscation Analysis | ThreatLabz
blogs_zscaler · 2026-02-09
Fortinet
New Remcos Campaign Distributed Through Fake Shipping Document | FortiGuard Labs
blogs_fortinet · 2026-01-14 · CVSS 7.8 · CVE-2017-11882 [HIGH]
FortiGuard Labs Threat Research
A fileless Remcos RAT campaign abuses remote Word templates and CVE-2017-11882 for full system compromise
Background
Infection Chain
Captured Phishing Email
Dissecting the Word Document
Exploiting
CVE-2017-11882
Analyzing the VBScript File and PowerShell Code
The .NET Module
1. Persistence
2. Remcos Payload Loader
Remcos Payload File
Remcos Configuration Block
Remcos Packet
Remcos Features
System:
Surveillance:
Network:
Comms:
Extra:
Remcos:
Summary
Fortinet Protections
IOCs
URLs:
Relevant Sample SHA-256:
By Xiaopeng Zhang | January 14, 2026
Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Full remote control of the victim’s computer
Severity Level: High
Background
Fortinet
New Remcos Campaign Distributed Through Fake Shipping Document | FortiGuard Labs
blogs_fortinet · 2026-01-14 · CVSS 7.8 · CVE-2017-11882 [HIGH]
FortiGuard Labs Threat Research
# New Remcos Campaign Distributed Through Fake Shipping Document
A fileless Remcos RAT campaign abuses remote Word templates and CVE-2017-11882 for full system compromise
By Xiaopeng Zhang | January 14, 2026
Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Full remote control of the victim’s computer
Severity Level: High
## Background
FortiGuard Labs discovered a new phishing campaign in the wild. The campaign delivers a new variant of Remcos, a commercial lightweight remote access tool (RAT) with a wide range of capabilities, including system resource management, remote surveillance, network management, and Remcos agent management.
I conducted an in-depth inve
Securelist
Threat landscape for industrial automation systems in Q3 2025
blogs_securelist · 2025-12-25
Table of Contents
Statistics across all threats
Selected industries
Diversity of detected malicious objects
Main threat sources
Threat categories
Malicious objects used for initial infection
Next-stage malware
Self-propagating malware
AutoCAD malware
Authors
Kaspersky ICS CERT
## Statistics across all threats
In Q3 2025, the percentage of ICS computers on which malicious objects were blocked decreased from the previous quarter by 0.4 pp to 20.1%. This is the lowest level for the observed period.
Percentage of ICS computers on which malicious objects were blocked, Q3 2022–Q3 2025
Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 9.2% in Northern Europe to 27.4% in Africa.
Regions ranked by percentage of ICS computers on which mal
Securelist
Threat landscape for industrial automation systems in Q3 2025
blogs_securelist · 2025-12-25
Table of Contents
- Statistics across all threats
- Selected industries
- Diversity of detected malicious objects
- Main threat sources
- Threat categories
Authors
- Kaspersky ICS CERT
## Statistics across all threats
In Q3 2025, the percentage of ICS computers on which malicious objects were blocked decreased from the previous quarter by 0.4 pp to 20.1%. This is the lowest level for the observed period.
Percentage of ICS computers on which malicious objects were blocked, Q3 2022–Q3 2025
Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 9.2% in Northern Europe to 27.4% in Africa.
Regions ranked by percentage of ICS computers on which malicious objects were blocked
In Q3 2025, the percentage increased in five regions. The most notable i
Securelist
Exploits and vulnerabilities in Q3 2025
blogs_securelist · 2025-12-03 · CVSS 7.8 · CVE-2025-49704 [HIGH]
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass
CVE-2025-8088: a directory traversal vulnerability in WinRAR
CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools
Conclusion and advice
Authors
Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vuln
Securelist
Analyzing the vulnerability landscape in Q3 2025
blogs_securelist · 2025-12-03
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.
## Statistics on
Securelist
Mysterious Elephant: a growing threat
blogs_securelist · 2025-10-15
Table of Contents
Introduction
The emergence of Mysterious Elephant
Latest campaign
Spear phishing
Malicious tools
PowerShell scripts
BabShell
Customized open-source tools
WhatsApp-specific exfiltration tools
Infrastructure
Victimology
Conclusion
Indicators of compromise
File hashes
Domains/IPs
Authors
Noushin Shabab
Ye Jin
## Introduction
Mysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT discovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar. With a primary focus on targeting government entities and foreign affairs sectors in the Asia-Pacific region, the group has been using a range of sophisticated tools and techniques to infiltrate
Securelist
Mysterious Elephant APT: TTPs and tools
blogs_securelist · 2025-10-15
Table of Contents
- Introduction
- The emergence of Mysterious Elephant
- Latest campaign
- Infrastructure
- Victimology
- Conclusion
- Indicators of compromise
Authors
- Noushin Shabab
- Ye Jin
## Introduction
Mysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT discovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar. With a primary focus on targeting government entities and foreign affairs sectors in the Asia-Pacific region, the group has been using a range of sophisticated tools and techniques to infiltrate and exfiltrate sensitive information. Notably, Mysterious Elephant has been exploiting WhatsApp communications to steal sensitive data, including
Securelist
Exploits and vulnerabilities in Q2 2025
blogs_securelist · 2025-08-27 · CVSS 8.2 · CVE-2025-32433 [HIGH]
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
CVE-2025-32433: vulnerability in the SSH server, part of the Erlang/OTP framework
CVE-2025-6218: directory traversal vulnerability in WinRAR
CVE-2025-3052: insecure data access vulnerability in NVRAM, allowing bypass of UEFI signature checks
CVE-2025-49113: insecure deserialization vulnerability in Roundcube Webmail
CVE-2025-1533: stack overflow vulnerability in the AsIO3.sys driver
Conclusion and advice
Authors
Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published i
Securelist
Vulnerability landscape analysis for Q2 2025
blogs_securelist · 2025-08-27
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods.
This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025.
## Statistics on registered vulnera
Securelist
Vulnerability landscape analysis for Q1 2025
blogs_securelist · 2025-05-30
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the CVE assignment process can result in a notable delay between problem investigation and patch release, which is mitigated by reserving a CVE ID early in the process. As for trends in vulnerability exploitation, we are seeing increasing rates of attacks targeting older operating syste
Securelist
Exploits and vulnerabilities in Q1 2025
blogs_securelist · 2025-05-30 · CVSS 7.8 · CVE-2025-21333 [HIGH]
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
ZDI-CAN-25373: a vulnerability in Windows that affects how LNK files are displayed
CVE-2025-21333: a heap buffer overflow vulnerability in the vkrnlintvsp.sys driver
CVE-2025-24071: a NetNTLM hash leakage vulnerability in the file system indexer
Conclusion and advice
Authors
Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NN
Fortinet
Infostealer Malware FormBook Spread via Phishing Campaign – Part II | FortiGuard Labs
blogs_fortinet · 2025-05-27 · CVSS 7.8 · [HIGH]
FortiGuard Labs Threat Research
FormBook Analysis - Part II
FormBook Execution inside ImagingDevices.exe
Anti-Analysis Techniques
Random Process Selection
64-bit Code Execution for Process Control
Diving into the Malicious Code Running in a Selected Process
A Look into the FormBook Payload
Sensitive Data Collection
Communicating with the C2 Server
Control Commands
Summary
Fortinet Protections
IOCs
By Xiaopeng Zhang | May 27, 2025
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Fully remotely control the victim’s computer
Severity level: High
Background
This is part II of the FormBook analysis blog. In the previous post (Part I), I covered the campaign’s initialization via a phishing email,
Fortinet
Infostealer Malware FormBook Spread via Phishing Campaign – Part I | FortiGuard Labs
blogs_fortinet · 2025-04-22 · CVSS 7.8 · CVE-2017-11882 [HIGH]
FortiGuard Labs Threat Research
Phishing Email Initialization
Exploiting CVE-2017-11882
Dissecting the Extracted 64-bit Dll File
Performing Process Hollowing
Summary
Fortinet Protections
IOCs
URLs
Relevant Sample SHA-256
By Xiaopeng Zhang | April 22, 2025
Fortinet’s FortiGuard Labs observed a phishing campaign in the wild that delivered a malicious Word document as an attachment. This document contained crafted data designed to exploit the vulnerability CVE-2017-11882. After conducting an in-depth analysis, I discovered that the campaign was spreading a new variant of Formbook.
Formbook is information-stealing malware targeting Windows users. It steals sensitive
Bleepingcomputer
Chinese hackers target Russian govt with upgraded RAT malware
blogs_bleepingcomputer·2025-04-18
Chinese hackers target Russian govt with upgraded RAT malware
## Sergiu Gatlan
Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) spotted the updated implant while investigating recent attacks where the attackers deployed the RAT malware using a malicious MMC script camouflaged as a Word document, which downloaded second-stage payloads and gained persistence on compromised systems.
One of the malicious payloads is an unknown intermediary backdoor that helps transfer files between the command and control servers and hacked devices, run command shells, create new processes, delete files, and more.
"I
Securelist
SideWinder APT attacks in H2 2024
blogs_securelist·2025-03-10
SideWinder APT attacks in H2 2024
Table of Contents
- Infection vectors
- RTF exploit
- JavaScript loader
- Downloader Module
- Backdoor Loader
- Victims
- Conclusion
- Indicators of compromise
Authors
- Giampaolo Dedola
- Vasily Berdnikov
Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder’s post
Securelist
SideWinder targets the maritime and nuclear sectors with an updated toolset
blogs_securelist·2025-03-10
SideWinder targets the maritime and nuclear sectors with an updated toolset
Table of Contents
Infection vectors
RTF exploit
JavaScript loader
Downloader Module
Backdoor Loader
Victims
Conclusion
Indicators of compromise
Microsoft Office Documents
Backdoor Loader
Domains and IPs
Authors
Giampaolo Dedola
Vasily Berdnikov
Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also
Securelist
Vulnerability landscape analysis for Q4 2024
blogs_securelist·2025-02-26
Vulnerability landscape analysis for Q4 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged undocumented RPC interfaces and targeted the Windows authentication mechanism.
## Statistics on registered vulnerabilities
This section contains statistics on registered vulnerabilities. Data is sourced from the CVE portal: cve.org.
Total number of registered vulnerabilities a
Securelist
Exploits and vulnerabilities in Q4 2024
blogs_securelist·2025-02-26·CVSS 6.5
CVE-2024-43572 [MEDIUM] Exploits and vulnerabilities in Q4 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-43572—Remote code execution vulnerability in Microsoft Management Console
CVE-2024-43451—NetNTLM hash disclosure vulnerability
CVE-2024-49039—Elevation of privilege vulnerability in Windows Task Scheduler
Conclusion and advice
Authors
Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leve
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Qualys
Defense Lessons From the Black Basta Ransomware Playbook | Qualys
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook | Qualys
#### Table of Contents
- Know Your Enemy's Playbook
- Attackers Move Fast
- How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against ev
Securelist
Exploits and vulnerabilities in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Exploits and vulnerabilities in Q3 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most prevalent exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-47177 (CUPS filters)
CVE-2024-38112 (MSHTML Spoofing)
CVE-2024-6387 (regreSSHion)
CVE-2024-3183 (Free IPA)
CVE-2024-45519 (Zimbra)
CVE-2024-5290 (Ubuntu wpa_supplicant)
Conclusion and advice
Authors
Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Co
Securelist
Analyzing the vulnerability landscape in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Analyzing the vulnerability landscape in Q3 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- CVE-2024-47177 (CUPS filters)
- CVE-2024-38112 (MSHTML Spoofing)
- CVE-2024-6387 (regreSSHion)
- CVE-2024-3183 (Free IPA)
- CVE-2024-45519 (Zimbra)
- CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number
Tenable
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
blogs_tenable·2024-10-22
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
Securelist
SideWinder APT’s post-exploitation framework analysis
blogs_securelist·2024-10-15
SideWinder APT’s post-exploitation framework analysis
Table of Contents
- Infection vectors
- RTF exploit
- Downloader module
- ModuleInstaller
- Backdoor loader module
- StealerBot
- IOCs
Authors
- Giampaolo Dedola
- Vasily Berdnikov
SideWinder, aka T-APT-04 or RattleSnake, is one of the most prolific APT groups that began its activities in 2012 and was first publicly mentioned by us in 2018. Over the years, the group has launched attacks against high-profile entities in South and Southeast Asia. Its primary targets have been military and government entities in Pakistan, Sri Lanka, China and Nepal.
Over the years, SideWinder has carried out an impressive number of attacks and its activities have been extensively described in various analyses and reports published by different researchers and vendors (for example, here, here and here), o
Securelist
Beyond the Surface: the evolution and expansion of the SideWinder APT group
blogs_securelist·2024-10-15
Beyond the Surface: the evolution and expansion of the SideWinder APT group
Table of Contents
Infection vectors
RTF exploit
Initial infection LNK
Downloader module
ModuleInstaller
Backdoor loader module
StealerBot
StealerBot Orchestrator
Modules
Keylogger
Screenshot Grabber
File Stealer
Live Console
RDP Credential Stealer
Token Grabber
Credential Phisher
UACBypass
Downloader
Installers
InstallerPayload
InstallerPayload_NET
Infrastructure
Victims
Attribution
IOCs
Malicious documents
Rtf
Lnk
Backdoor Loader
StealerBot
SyncBotServiceHijack.dll
Service Hijack
Backdoor Loader devobj.dll
Domains and IPs
Authors
Giampaolo Dedola
Vasily Berdnikov
SideWinder, aka T-APT-04 or RattleSnake, is one of the most prolific APT groups that began its activities in 2012 and was first publicly mentioned by us in 2018. Over the years, the group ha
Securelist
Exploits and vulnerabilities in Q2 2024
blogs_securelist·2024-08-21·CVSS 7.8
CVE-2024-26169 [HIGH] Exploits and vulnerabilities in Q2 2024
Table of Contents
Statistics on registered vulnerabilities
Vulnerability exploitation statistics
Windows and Linux vulnerability exploitation
Most common exploits
Vulnerability exploitation in APT attacks
Exploiting vulnerable drivers to attack operating systems
BYOVD attack tools
Interesting vulnerabilities
CVE-2024-26169 (WerKernel.sys)
CVE-2024-26229 (csc.sys)
CVE-2024-4577 (PHP CGI)
Takeaways and recommendations
Authors
Vitaly Morgunov
Alexander Kolesnikov
Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not h
Securelist
Analyzing the vulnerability landscape in Q2 2024
blogs_securelist·2024-08-21·CVSS 7.8
CVE-2024-26169 [HIGH] Analyzing the vulnerability landscape in Q2 2024
Table of Contents
- Statistics on registered vulnerabilities
- Vulnerability exploitation statistics
- Vulnerability exploitation in APT attacks
- Exploiting vulnerable drivers to attack operating systems
- Interesting vulnerabilities
- CVE-2024-26169 (WerKernel.sys)
- CVE-2024-26229 (csc.sys)
- CVE-2024-4577 (PHP CGI)
- Takeaways and recommendations
Authors
- Vitaly Morgunov
- Alexander Kolesnikov
Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not have to be fresh, since attackers themselves deliver unpatched drivers to t
Fortinet
New Agent Tesla Campaign Targeting Spanish-Speaking People | FortiGuard Labs
blogs_fortinet·2024-06-07·CVSS 7.8
CVE-2017-11882 [HIGH] New Agent Tesla Campaign Targeting Spanish-Speaking People | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New Agent Tesla Campaign Targeting Spanish-Speaking People
The Phishing Email
The Excel Document
CVE-2017-11882 is Exploited
JavaScript Files Lead to Execute PowerShell Code
A Look into the Loader-Module
Agent Tesla Executable Module
Sensitive Information Stolen from the Victim Device
Submitting Stolen Data to an FTP Server
Summary
Fortinet Protections
IOCs
URLs
FTP Server List
Relevant Sample SHA-256
By Xiaopeng Zhang | June 07, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Collects sensitive information from a victim’s computer
Severity Level: Critical
A new phishing campaign was recently captured by our FortiGuard Labs that spreads a new Agent Tesla variant targeting Spanish-speaking people.
Security researchers have
Fortinet
Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine | FortiGuard Labs
blogs_fortinet·2024-06-03
Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine
Excel Document
DLL Downloader
DLL Injector
The Cobalt Strike Payload
Conclusion
Fortinet Protections
IOCs
By Cara Lin | June 03, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Compromised machines are under the control of the threat actor
Severity Level: High
FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and establish communication with a command and control (C2) server. This attack employs various evasion techniques to ensure successful payload delivery.
Ove
Fortinet
Unraveling Cyber Threats: Insights from Code Analysis | FortiGuard Labs
blogs_fortinet·2024-04-19
Unraveling Cyber Threats: Insights from Code Analysis | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Unraveling Cyber Threats: Insights from Code Analysis
Introduction
Detecting Debugging or Analysis Environment
System Initialization and Socket.IO Events
Command Handling Functions
Malicious Intent
Conclusion
Fortinet Protections
IOCs
By Jenna Wang | April 19, 2024
Affected platforms: All platforms where PyPI packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, etc.
Severity level: High
Vigilance is paramount in cybersecurity, especially when it comes to understanding and dissecting potentially malicious code. In this blog post, we'll delve into a piece of code (discordpy_bypass-1.7) designed to extract sensitive data from user systems
Bleepingcomputer
New SteganoAmor attacks use steganography to target 320 orgs globally
blogs_bleepingcomputer·2024-04-15·CVSS 7.8
[HIGH] New SteganoAmor attacks use steganography to target 320 orgs globally
## Bill Toulas
A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems.
Steganography is the technique of hiding data inside seemingly innocuous files to make them undetectable by users and security products.
TA558 is a threat actor that has been active since 2018, known for targeting hospitality and tourism organizations worldwide, focusing on Latin America.
The group's latest campaign, dubbed "SteganoAmor" due to the extensive use of steganography, was uncovered by Positive Technologies. The researchers identified over 320 attacks in this campaign that affected various sectors and countries.
## Ste
Securelist
Spam and phishing in 2023
blogs_securelist·2024-03-07
Spam and phishing in 2023
Table of Contents
The year in figures
Phishing and scams in 2023
Hunting gamers
Out-of-the-blue winnings and refunds
Easy money
Cryptocurrency scams
Reeling in readers
Social networks and instant messaging under attack
Beating two-factor authentication
Artificial intelligence at the service of scammers
Spam in 2023
Scams
Cryptocurrency scams
Charity scams
Blackmail
Malicious attachments
List linking
Spear phishing and BEC attacks in 2023
Other email phishing trends in 2023
Obfuscation
QR codes
IPFS
Statistics: spam
Share of spam in email traffic
Countries and territories where spam originated
Malicious email attachments
Countries and territories targeted by malicious mailings
Statistics: phishing
Map of phishing attacks
Top-level domains
Organizations targete
Securelist
Kaspersky spam and phishing report for 2023
blogs_securelist·2024-03-07
Kaspersky spam and phishing report for 2023
Table of Contents
- The year in figures
- Phishing and scams in 2023
- Spam in 2023
- Spear phishing and BEC attacks in 2023
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Olga Altukhova
- Andrey Kovtun
- Irina Shimko
- Roman Dedenok
## The year in figures
- 45.60% of all email sent worldwide and 46.59% of all email sent in the Runet (the Russian web segment) was spam
- 31.45% of all spam email was sent from Russia
- Kaspersky Mail Anti-Virus blocked 135,980,457 malicious email attachments
- Our Anti-Phishing system thwarted 709,590,011 attempts to follow phishing links
- SafeMessaging feature in Kaspersky mobile solutions prevented more than 62,000 redirects via phishing links from Telegram
## Phishing and scams in 2023
### Hunting gamers
In 2
Checkpoint
12th February – Threat Intelligence Report
blogs_checkpoint·2024-02-12
CVE-2022-42475 12th February – Threat Intelligence Report
## 12th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th February, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
One of the largest unions in California, Service Employees International Union (SEIU) Local 1000, has confirmed a ransomware attack that led to network disruption. The LockBit ransomware gang has assumed responsibility, claiming to have stolen 308GB of data including sensitive employee information such as Social Securit
Checkpoint
Maldocs of Word and Excel: Vigor of the Ages
blogs_checkpoint·2024-02-08·CVSS 7.8
CVE-2017-11882 [HIGH] Maldocs of Word and Excel: Vigor of the Ages
## Maldocs of Word and Excel: Vigor of the Ages
Research by: Raman Ladutska
We chose a fantasy decoration style at certain points of the article to attract attention to the described proble
Zscaler
CVE-2024-23897 | ThreatLabz
blogs_zscaler·2024-02-06·CVSS 9.8
[CRITICAL] CVE-2024-23897 | ThreatLabz
Zscaler
Ivanti VPN Vulnerability | ThreatLabz
blogs_zscaler·2024-02-02·CVSS 8.2
[HIGH] Ivanti VPN Vulnerability | ThreatLabz
Zscaler
Rise in Source IP-Based Authentication Abuse
blogs_zscaler·2024-01-19
Rise in Source IP-Based Authentication Abuse
Zscaler
CVE-2017-11882 To Deliver Agent Tesla | ThreatLabz
blogs_zscaler·2023-12-19·CVSS 7.8
[HIGH] CVE-2017-11882 To Deliver Agent Tesla | ThreatLabz
Securelist
PC malware statistics, Q3 2023
blogs_securelist·2023-12-01
PC malware statistics, Q3 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus
Securelist
Kaspersky malware report for Q3 2023
blogs_securelist·2023-12-01·CVSS 9.8
[CRITICAL] Kaspersky malware report for Q3 2023
Table of Contents
- Targeted attacks
- Other malware
Authors
- David Emm
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
## Targeted attacks
### Unknown threat actor targets power generator with DroxiDat and Cobalt Strike
Earlier this year, we reported on a new variant of SystemBC called DroxiDat that was deployed against a critical infrastructure target in South Africa. This proxy-capable backdoor was deployed alongside Cobalt Strike beacons.
The incident occurred in the third and fourth week of March, as part of a small wave of attacks involving both DroxiDat and Cobalt Strike beacons around the world; and we believe this incident may have been the initial stage of a ransomware attack.
D
Securelist
IT threat evolution in Q3 2023. Non-mobile statistics
blogs_securelist·2023-12-01
IT threat evolution in Q3 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Vulnerability exploitation
More attacks on healthcare
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT honeypots
Attacks via web resources
Countries and territories that serve as sourc
Securelist
IT threat evolution Q3 2023
blogs_securelist·2023-12-01·CVSS 9.8
CVE-2023-23397 [CRITICAL] IT threat evolution Q3 2023
Table of Contents
Targeted attacks
Unknown threat actor targets power generator with DroxiDat and Cobalt Strike
Analysis of samples exploiting CVE-2023-23397 vulnerability
Common TTPs in attacks on industrial organizations
Evil Telegram doppelganger used to target people in China
Other malware
Possible supply-chain attack on Linux machines
The Cuba ransomware gang
Leaked Lockbit 3 builder
The evolving world of crimeware
A cryptor, a stealer and a banking Trojan
Authors
David Emm
IT threat evolution in Q3 2023
IT threat evolution in Q3 2023. Non-mobile statistics
IT threat evolution in Q3 2023. Mobile statistics
## Targeted attacks
## Unknown threat actor targets power generator with DroxiDat and Cobalt Strike
Earlier this year, we reported on a new variant of SystemBC ca
Fortinet
New Agent Tesla Variant Being Spread by Crafted Excel Document | FortiGuard Labs
blogs_fortinet·2023-09-05·CVSS 7.8
[HIGH] New Agent Tesla Variant Being Spread by Crafted Excel Document | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New Agent Tesla Variant Being Spread by Crafted Excel Document
By Xiaopeng Zhang | September 05, 2023
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collects sensitive information from a victim’s computer
Severity level: Critical
Our FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access. It is often used for Malware-as-a-Service (MaaS).
I performed an in-depth analysis of this campaign, from the initial phishing email to the actions of Agent Tesla installed on the victim’s machine to the collecting of sensitive information from the affected device. In this analysis, you will lear
Qualys
Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
#### Table of Contents
- Stats on the Top 20 Vulnerable Vendors & By-Products
- Top Twenty Most Targeted by Attackers
- TruRisk Dashboard
- Key Insights & Takeaways
- References
- Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the curre
Qualys
Qualys Top 20 Most Exploited Vulnerabilities
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Qualys Top 20 Most Exploited Vulnerabilities
## Table of Contents
Stats on the Top 20 Vulnerable Vendors & By-Products
Top Twenty Most Targeted by Attackers
TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Securelist
IT threat evolution in Q2 2023. Non-mobile statistics
blogs_securelist·2023-08-30
IT threat evolution in Q2 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
MOVEit Transfer vulnerabilities exploited
Attacks on municipal organizations, educational and healthcare establishments
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT
Securelist
PC malware statistics, Q2 2022
blogs_securelist·2023-08-30
PC malware statistics, Q2 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2023
- IT threat evolution in Q2 2023. Non-mobile statistics
- IT threat evolution in Q2 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
- A total of 209,716,810 unique links were d
Securelist
What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
blogs_securelist·2023-08-03
What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
Table of Contents
Introduction
DarkGate
LokiBot
Emotet
Conclusion
Indicators of compromise (MD5s)
Authors
GReAT
## Introduction
The malware landscape keeps evolving. New families are born, while others disappear. Some families are short-lived, while others remain active for quite a long time. In order to follow this evolution, we rely both on samples that we detect and our monitoring efforts, which cover botnets and underground forums.
While doing so, we found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. We described all three in private reports, from which this post contains an excerpt.
If you want to learn more about our crimeware reporting service, please contact us at [email protected] .
## DarkGate
In June 2023, a
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Securelist
APT trends report Q2 2023
blogs_securelist·2023-07-27
APT trends report Q2 2023
Table of Contents
The most remarkable findings
Russian-speaking activity
Chinese-speaking activity
Spanish-speaking activity
Middle East
Southeast Asia and Korean Peninsula
Final thoughts
Authors
GReAT
For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q2 2023.
Readers who would like to lea
Qualys
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
blogs_qualys·2023-07-18
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
## Table of Contents
Top Ten Vulnerabilities Exploited by Threat Actors
Top Ten Highly Active Threat Actors
Top Ten Most Exploited Vulnerabilities by Malware
Top Ten Most Active Malware
Top Ten Vulnerabilities Exploited by Ransomware
Prioritizing Exploited Vulnerabilities with Qualys VMDR and TruRisk
Assess Your Organization's Exposure to Risk / TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributor
The previous blog from this three-part series showcased an overview of the vulnerability threat landscape. To summarize quickly, it illustrated the popular methods of exploiting vulnerabilities and the tactical techniques employed by threat actors, malware, and ransomware groups. Perhaps more crucially, we stated that commonly used solutions (CISA KEV/EPSS) of
Securelist
Non-mobile malware statistics, Q1 2023
blogs_securelist·2023-06-07
Non-mobile malware statistics, Q1 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q1 2023
- IT threat evolution in Q1 2023. Non-mobile statistics
- IT threat evolution in Q1 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2023:
- Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
- Web Anti-Virus detected 246,912,694 unique URLs.
- Attempts to run malware fo
Securelist
IT threat evolution in Q1 2023. Non-mobile statistics
blogs_securelist·2023-06-07
IT threat evolution in Q1 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Attacks on Linux and VMWare ESXi servers
Progress in combating cybercrime
Conti-based Trojan decrypted
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries/territories
Tenable
What Security Leaders Need to Know About Security End of Life: How Tenable is Leading the Way
blogs_tenable·2023-04-25
What Security Leaders Need to Know About Security End of Life: How Tenable is Leading the Way
Securelist
Spam and phishing in 2022
blogs_securelist·2023-02-16
Spam and phishing in 2022
Table of Contents
Figures of the year
Phishing in 2022
Last year’s resonant global events
The pandemic
Crypto phishing and crypto scams
Compensation, bonus, and paid survey scams
Fake online stores and large vendor phishing
Hijacking of social media accounts
Spam in 2022
The pandemic
Contact form spam
Blackmail in the name of law enforcement agencies
Exploiting the news
Spam with malicious attachments
Two-stage spear phishing using a known phish kit
Statistics
How a phishing campaign unfolds
Victims
Statistics: spam
Share of spam in mail traffic
Countries and territories — sources of spam
Malicious mail attachments
Countries and territories targeted by malicious mailings
Statistics: phishing
Map of phishing attacks
Top-level domains
Organizations under phishing a
Securelist
Kaspersky's 2022 spam and phishing report
blogs_securelist·2023-02-16
Kaspersky's 2022 spam and phishing report
Table of Contents
- Figures of the year
- Phishing in 2022
- Spam in 2022
- Two-stage spear phishing using a known phish kit
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Roman Dedenok
- Olga Altukhova
- Andrey Kovtun
- Irina Shimko
## Figures of the year
In 2022:
- 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam
- As much as 29.82% of all spam emails originated in Russia
- Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments
- Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links
- 378,496 attempts to follow phishing links were associated with Telegram account hijacking
## Phishing in 2022
### Last year’s resonant global events
The
Checkpoint
Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
blogs_checkpoint·2022-12-09
CVE-2017-11882 Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
## Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
## Introduction
Cloud Atlas (or Inception ) is a cyber-espionage group. Since its discovery in 2014, th
Securelist
IT threat evolution Q3 2022
blogs_securelist·2022-11-18
IT threat evolution Q3 2022
Table of Contents
- Targeted attacks
- Other malware
Authors
- David Emm
- IT threat evolution in Q3 2022
- IT threat evolution in Q3 2022. Non-mobile statistics
- IT threat evolution in Q3 2022. Mobile statistics
## Targeted attacks
### CosmicStrand: discovery of a sophisticated UEFI rootkit
In July, we reported a rootkit that we found in modified Unified Extensible Firmware Interface (UEFI) firmware, the code that loads and initiates the boot process when the computer is turned on. Rootkits are malware implants that are installed deep in the operating system. Difficult to detect, they ensure that a computer remains infected even if someone reinstalls the operating system or replaces the hard drive. However, they aren’t easy to create: the slightest programming error could crash th
Securelist
IT threat evolution in Q3 2022. Non-mobile statistics
blogs_securelist·2022-11-18
IT threat evolution in Q3 2022. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Number of users attacked by banking malware
TOP 10 banking malware families
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
TOP 20 threats for macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries and territories that serve as sources of web-ba
Securelist
PC malware statistics, Q3 2022
blogs_securelist·2022-11-18
PC malware statistics, Q3 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2022
- IT threat evolution in Q3 2022. Non-mobile statistics
- IT threat evolution in Q3 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2022:
- Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
- Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
- Attempts to run malware fo
Securelist
IT threat evolution Q3 2022
blogs_securelist·2022-11-18
IT threat evolution Q3 2022
Table of Contents
Targeted attacks
CosmicStrand: discovery of a sophisticated UEFI rootkit
Andariel deploys DTrack and Maui ransomware
VileRAT: DeathStalker’s continuous strike at foreign and crypto-currency exchanges
Kimsuky’s GoldDragon cluster and C2 operations
Targeted attacks on industrial enterprises
Other malware
Prilex: the pricey prickle credit card complex
Luna and Black Basta: new ransomware for Windows, Linux and ESXi
Malicious packages in online code repositories
Cyberthreats facing gamers
NullMixer: oodles of Trojans in a single dropper
Potential threat in the browser
Authors
David Emm
IT threat evolution in Q3 2022
IT threat evolution in Q3 2022. Non-mobile statistics
IT threat evolution in Q3 2022. Mobile statistics
## Targeted attacks
## CosmicStrand: d
Fortinet
FortiGuard Labs Researcher Discovers Multiple Vulnerabilities in Multiple Autodesk Products: Autodesk Design Review, Autodesk Subassembly Composer, and More | FortiGuard Labs
blogs_fortinet·2022-10-20·CVSS 7.8
[HIGH] FortiGuard Labs Researcher Discovers Multiple Vulnerabilities in Multiple Autodesk Products: Autodesk Design Review, Autodesk Subassembly Composer, and More | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
FortiGuard Labs Researcher Discovers Multiple Vulnerabilities in Multiple Autodesk Products
By Kushal Arvind Shah | October 20, 2022
In late May 2022, I discovered and reported multiple zero-day vulnerabilities in Autodesk Design Review, Autodesk Subassembly Composer, Autodesk Moldflow Communicator, and Autodesk Dwg2Spd. Recently, Autodesk released several security patches which fixed them. These vulnerabilities are identified as CVE-2022-33883, CVE-2022-27525, CVE-2022-41306, CVE-2022-42934, CVE-2022-42935, CVE-2022-42936, CVE-2022-42937, CVE-2022-42933, CVE-2022-42943, CVE-2022-41310, CVE-2022-42040, CVE-2022-42939, CVE-2022-42942, CVE-2022-42941, CVE-2022-42938, CVE-2022-41309, CVE-20
Fortinet
Ukrainian Military-Themed Excel File Delivers Multi-Stage Cobalt Strike Loader | Fortinet Blog
blogs_fortinet·2022-10-11
Ukrainian Military-Themed Excel File Delivers Multi-Stage Cobalt Strike Loader | Fortinet Blog
FORTIGUARD LABS THREAT RESEARCH
Ukrainian Military-Themed Excel File Delivers Multi-Stage Cobalt Strike Loader
By FortiGuard Labs | October 11, 2022
FortiGuard Labs has observed an increasing number of campaigns targeting either side of the ongoing Russian-Ukrainian conflict. These may be a cyber element to the conflict or simply opportunistic threat actors taking advantage of the war to further their malicious objectives.
Recently, we encountered a malicious Excel document masquerading as a tool to calculate salaries for Ukrainian military personnel. This article discusses the technical details of this document that, when triggered, executes evasive multi-stage loaders, eventually leading to Cobalt Strike Beacon malware being loaded onto the victim’s device (Figure 1).
Figure 1: Overv
Fortinet
Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II | FortiGuard Labs
blogs_fortinet·2022-10-05·CVSS 7.8
CVE-2017-11882 [HIGH] Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II
By Xiaopeng Zhang | October 05, 2022
FortiGuard Labs recently captured an Excel document with an embedded malicious file in the wild. The embedded file, which has a randomized file name, exploits CVE-2017-11882 to execute malicious code that downloads and runs malware on a victim's device.
Part I of my analysis explained how this crafted Excel document exploits CVE-2017-11882 and what it does when exploiting that vulnerability. An involved website (hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/{file name}) was found storing and delivering numerous malware family samples, like Formbook and Redline. I dissected a recent Formbook sample from that website in part
Fortinet
Delivery of Malware: A Look at Phishing Campaigns in Q3 2022 | FortiGuard Labs
blogs_fortinet·2022-10-04
Delivery of Malware: A Look at Phishing Campaigns in Q3 2022 | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Delivery of Malware: A Look at Phishing Campaigns in Q3 2022
By Erin Lin | October 04, 2022
Entering the second half of 2022, phishing attacks and campaigns continue to be the top threats targeting organizations, using a variety of techniques to infect users and organizations. Following our observations posted last quarter, FortiGuard Labs has continued to track many malware families, including Emotet, Qbot, and Icedid. We continually find malicious files delivered via phishing emails using Microsoft Excel files, Microsoft Word Documents, Windows shortcut files, and ISO image files to deliver their malware.
To help organizations better identify and prevent phishing attacks and infections, this blog provides some of the most common details and techniques u
Fortinet
Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat | FortiGuard Labs
blogs_fortinet·2022-10-03
Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat
By Cara Lin | October 03, 2022
We recently found some malicious Microsoft Office documents that attempted to leverage legitimate websites—MediaFire and Blogger—to execute a shell script and then dropped two malware variants of Agent Tesla and njRat. Agent Tesla is a well-known spyware, first discovered in 2014, which can steal personal data from web browsers, mail clients, and FTP servers, collect screenshots and videos, and capture clipboard data. njRat (also known as Bladabindi) is a remote agent Trojan first discovered in 2013 that is capable of remotely controlling a victim’s device to log keystrokes, access the camera, steal credentials stored in browsers, upload/download files, ma
Fortinet
Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I | Fortinet Blog
blogs_fortinet·2022-09-19·CVSS 7.8
CVE-2017-11882 [HIGH] Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I | Fortinet Blog
FORTIGUARD LABS THREAT RESEARCH
Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I
By Xiaopeng Zhang | September 19, 2022
FortiGuard Labs recently captured an Excel document with an embedded file in the wild. Of course, we do this all the time. What caught my eye this time is that the embedded file name is randomized, which drove me to want to analyze this Excel document. After some quick research on the file, I learned that it exploits a particular vulnerability, CVE-2017-11882, to execute malicious code to deliver and execute malware on a victim's device.
In this analysis, you will see how the crafted Excel document exploits CVE-2017-11882, what it does when exploiting the vulnerability, what malware families it can download onto a victim’s device, and what
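Both FortiGuard write-ups above (Part I and Part II) describe an Excel document whose embedded object exploits CVE-2017-11882, a bug in the Equation Editor 3.0 component that Office loads to render such objects. The triage script below is an added example, not code from FortiGuard Labs or from any vendor on this page. It flags Office files that carry an Equation Editor object in the three containers these campaigns use: legacy OLE (.doc/.xls), OOXML zips (.docx/.xlsx) and RTF. The Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, the ProgID "Equation.3" and the "Equation Native" stream name are public Windows identifiers, not taken from this page; the indicator names and the `{file name}` placeholder handling are my own; the sample inputs are constructed byte strings, not real malware. The scanner does not parse the compound-file structure, it searches for byte patterns, so a hit means only "an Equation.3 object is present", which is rare in legitimate current documents and worth a second look, not a verdict of malicious.

```python
"""Triage scanner for Office files that embed an Equation Editor 3.0 object,
the component abused by CVE-2017-11882. Heuristic only: a hit means an
Equation.3 object (or its RTF wrapper) is present, not that the file is
malicious. Added example; not FortiGuard Labs' code or any vendor's tooling."""
import io
import re
import sys
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE compound file header

# CLSID of Equation Editor 3.0, {0002CE02-0000-0000-C000-000000000046}, in the
# on-disk layout used by OLE directory entries (Data1..Data3 little-endian).
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

# Byte patterns that identify an Equation.3 object inside an OLE container.
# Indicator names are this example's own labels.
OLE_INDICATORS = {
    "equation_clsid": EQNEDT_CLSID_LE,
    "equation_progid": b"Equation.3",  # ProgID in OLE1 / Ole10Native data
    "equation_native_stream": "Equation Native".encode("utf-16-le"),  # MTEF stream
}


def scan_blob(blob: bytes) -> list:
    """Return the names of OLE_INDICATORS found in a raw OLE container."""
    return [name for name, sig in OLE_INDICATORS.items() if sig in blob]


def scan_rtf(data: bytes) -> list:
    """Look for an Equation object in RTF, where \\objdata carries it as hex text."""
    hits = []
    if re.search(rb"\\objclass\s*Equation\.3", data, re.I):
        hits.append("rtf_objclass_equation")
    if b"\\objupdate" in data:  # forces the object to load on open; common in droppers
        hits.append("rtf_objupdate")
    # \objdata hex is normally wrapped across lines, so strip whitespace first.
    compact = re.sub(rb"\s+", b"", data)
    if re.search(re.escape(b"Equation.3".hex().encode()), compact, re.I):
        hits.append("rtf_objdata_progid_hex")
    if re.search(re.escape(EQNEDT_CLSID_LE.hex().encode()), compact, re.I):
        hits.append("rtf_objdata_clsid_hex")
    return hits


def scan_document(data: bytes) -> dict:
    """Dispatch on container type: legacy OLE, OOXML zip, or RTF."""
    if data.startswith(OLE_MAGIC):
        return {"container": "ole", "hits": scan_blob(data)}
    if data.startswith(b"PK\x03\x04"):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # OOXML keeps OLE objects as <part>/embeddings/*.bin
                if "/embeddings/" in info.filename and info.filename.lower().endswith(".bin"):
                    hits += [f"{info.filename}:{h}" for h in scan_blob(zf.read(info))]
        return {"container": "ooxml", "hits": hits}
    if data.lstrip().startswith(b"{\\rt"):  # Word also accepts the truncated "{\rt" header
        return {"container": "rtf", "hits": scan_rtf(data)}
    return {"container": "unknown", "hits": []}


def build_samples() -> dict:
    """Constructed inputs (not real malware) carrying the indicators, plus a clean control."""
    # Not a valid compound file, just the magic plus the signatures in its body.
    fake_ole = (OLE_MAGIC + b"\x00" * 24 + OLE_INDICATORS["equation_native_stream"]
                + b"\x00" * 8 + EQNEDT_CLSID_LE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 16 + EQNEDT_CLSID_LE)
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    # RTF with no \objclass: the ProgID appears only as hex inside \objdata, split across lines.
    fake_rtf = (b"{\\rt\\objupdate{\\*\\objdata 0105000002000000\n0b000000"
                + b"Equation.3".hex().encode().upper() + b"00\n}}")
    return {"ole": fake_ole, "xlsx": buf.getvalue(), "clean_xlsx": clean.getvalue(), "rtf": fake_rtf}


if __name__ == "__main__":
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or build_samples()
    for name, data in targets.items():
        print(name, scan_document(data))
```

Run it with one or more file paths to scan those files; with no arguments it scans the built-in constructed samples. On a hit, the next step is to pull the `Equation Native` stream out with a real compound-file parser and inspect the MTEF data; the byte-pattern search here will also miss objects hidden behind password-protected OOXML or heavier RTF obfuscation, so treat a clean result as "no obvious Equation object", not as a clean bill.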
Fortinet
A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs
blogs_fortinet·2022-08-22·CVSS 7.8
[HIGH] A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
A Tale of PivNoxy and Chinoxy Puppeteer
By Shunichi Imano and Fred Gutierrez | August 22, 2022
Recently, a simple and short email with a suspicious RTF attachment that had been sent to a telecommunications agency in South Asia caught the attention of FortiGuard Labs. The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.
Affected Platforms: Windows
Impacted Parties: Windows users
Impact: Controls victim’s machine and collects sensitive information
Severity Level: Medium
This blog describes how the attack works, suggests who the threat actor behind the operation might be, and details the techniques used by the attacker.
Attack Overview
The attack started with a simple email that included a bare doc
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now
blogs_tenable·2022-08-19
Cybersecurity Snapshot: 6 Things That Matter Right Now
Securelist
IT threat evolution in Q2 2022. Non-mobile statistics
blogs_securelist·2022-08-15
IT threat evolution in Q2 2022. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
TOP 10 countries and territories that serve as sources of web-based attacks
Countries and territories where users faced the greatest risk of online infection
Local threat
Securelist
Non-mobile malware statistics, Q2 2022
blogs_securelist·2022-08-15
Non-mobile malware statistics, Q2 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2022
- IT threat evolution in Q2 2022. Non-mobile statistics
- IT threat evolution in Q2 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2022:
- Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
- Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware fo
Fortinet
Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities
blogs_fortinet·2022-08-09·CVSS 7.8
[HIGH] Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities
FORTIGUARD LABS THREAT RESEARCH
Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities
By James Slaughter | August 09, 2022
Vulnerability management and remediation are some of the most difficult problems to tackle within an organization. Multiple solutions, watchlists, and warnings are designed to ensure that companies and end users patch their software against known security vulnerabilities.
Unfortunately, even with tools available and teams forewarned with up-to-date information, this often does not happen in a timely manner or even at all. This is usually due to outdated software, overworked teams, or even negligence or incompetence—and threat actors know this. Patching is often mundane and tedious work. Organizations that are either late, inconsistent, or sloppy
Securelist
Targeted attack on industrial enterprises and public institutions
blogs_securelist·2022-08-08·CVSS 7.8
[HIGH] Targeted attack on industrial enterprises and public institutions
Table of Contents
Initial infection
Additional malware
Lateral movement
Data theft
Who is behind the attack?
Conclusion
Authors
Kaspersky ICS CERT
In January 2022, Kaspersky ICS CERT experts detected a wave of targeted attacks on military industrial complex enterprises and public institutions in several countries. In the course of our research, we were able to identify over a dozen of attacked organizations. The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan.
The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solu
Tenable
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
blogs_tenable·2022-08-04
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
Securelist
IT threat evolution in Q1 2022. Non-mobile statistics
blogs_securelist·2022-05-27
IT threat evolution in Q1 2022. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
TOP 10 banking malware families
Ransomware programs
Quarterly trends and highlights
Law enforcement successes
HermeticWiper, HermeticRansom and RUransom, etc.
Conti source-code leak
Attacks on NAS devices
Maze Decryptor
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarter highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat
Securelist
PC malware statistics, Q1 2022
blogs_securelist·2022-05-27
PC malware statistics, Q1 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q1 2022
- IT threat evolution in Q1 2022. Non-mobile statistics
- IT threat evolution in Q1 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2022:
- Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.
- Web Anti-Virus recognized 313,164,030 unique URLs as malicious.
- Attempts to run malware
Talos
Bitter APT adds Bangladesh to their targets
blogs_talos·2022-05-11·CVSS 7.8
[HIGH] Bitter APT adds Bangladesh to their targets
- Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
- As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
- Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.
### Executive Summary
Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government entities.
This campaign targets an elite
Talos
Bitter APT adds Bangladesh to their targets
blogs_talos·2022-05-11·CVSS 7.8
[HIGH] Bitter APT adds Bangladesh to their targets
## Bitter APT adds Bangladesh to their targets
Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.
## Executive Summary
Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government
Securelist
APT trends report Q1 2022
blogs_securelist·2022-04-27
APT trends report Q1 2022
Table of Contents
The most remarkable findings
Russian-speaking activity
Chinese-speaking activity
Middle East
Southeast Asia and Korean Peninsula
Other interesting discoveries
Final thoughts
Authors
GReAT
For five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q1 2022.
Readers who would like to learn mo
Securelist
APT trends report Q1 2022
blogs_securelist·2022-04-27
APT trends report Q1 2022
Table of Contents
- The most remarkable findings
- Russian-speaking activity
- Chinese-speaking activity
- Middle East
- Southeast Asia and Korean Peninsula
- Other interesting discoveries
- Final thoughts
Authors
- GReAT
For five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q1 2022.
Readers who would like
Checkpoint
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage
blogs_checkpoint·2022-03-31
CVE-2017-11882 State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage
## State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage
## Introduction
Geopolitical tensions often make headlines and present a golden opportunity for threat
Talos
Threat Advisory: Opportunistic cyber criminals take advantage of Ukraine invasion
blogs_talos·2022-03-14
Threat Advisory: Opportunistic cyber criminals take advantage of Ukraine invasion
## Threat Advisory: Opportunistic cyber criminals take advantage of Ukraine invasion
By Edmund Brumaghin, with contributions from Jonathan Byrne, Perceo Lemos and Vasileios Koutsoumpogeras.
## Executive Summary
Since the beginning of the war in Ukraine, we have observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising. This activity has been increasing since the end of February.
These emails are primarily related to scam activity but have also delivered a variety of threats, including remote access trojans (RATs). This is in addition to the malicious activity we've recently seen related to the crowd-sourced attacks in the re
Unit42
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
blogs_unit42·2022-02-26
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
## Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
Unit 42
Published: February 25, 2022
## Executive Summary
On Feb. 1, 2022, Unit 42 observed an attack targeting an energy organization in Ukraine. CERT-UA publicly attributed the attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to an employee of the organization, which used a social engineering theme that suggested the individual had committed a crime. The email had a Word document attached that contained a malicious JavaScript file that would download and i
Unit42
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
blogs_unit42·2022-02-26
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
## Executive Summary
On Feb. 1, 2022, Unit 42 observed an attack targeting an energy organization in Ukraine. CERT-UA publicly attributed the attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to an employee of the organization, which used a social engineering theme that suggested the individual had committed a crime. The email had a Word document attached that contained a malicious JavaScript file that would download and install a payload known as SaintBot (a downloader) and OutSteel (a document stealer). Unit 42 discovered that this attack was just one example of a larger campaign dating back to at least March 2021, when Unit 42 saw the threat group target a Western government entity in Ukraine, as well as several Ukrainian governme
Fortinet
Nobelium Returns to the Political World Stage | FortiGuard Labs
blogs_fortinet·2022-02-24
Nobelium Returns to the Political World Stage | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Nobelium Returns to the Political World Stage
By Fred Gutierrez | February 24, 2022
Nobelium, also known as APT29 and Cozy Bear, is a highly sophisticated group of Russian-sponsored cybercriminals. Approximately two years ago, countless system administrators and IT teams were forced to work around the clock to address Nobelium’s attack on SolarWinds. And last year, they similarly targeted numerous IT supply chains in the hopes of being able to embed themselves once again deep inside IT networks. But fast forward to today, and the Nobelium group seems to have shifted their focus. This time, rather than targeting software solutions, they have begun targeting embassies. While these attacks may not impact the average Windows computer user, they do have potenti
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Securelist
Kaspersky spam and phishing report for 2021
blogs_securelist·2022-02-09
Kaspersky spam and phishing report for 2021
Table of Contents
- Figures of the year
- Trends of the year
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Tatyana Shcherbakova
## Figures of the year
In 2021:
- 45.56% of e-mails were spam
- 24.77% of spam was sent from Russia with another 14.12% from Germany
- Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
- The most common malware family found in attachments were Agensla Trojans
- Our Anti-Phishing system blocked 253 365 212 phishing links
- Safe Messaging blocked 341 954 attempts to follow phishing links in messengers
## Trends of the year
### How to make an unprofitable investment with no return
The subject of investments gained significant relevance in 2021, with banks and other organizations actively prom
Securelist
Spam and phishing in 2021
blogs_securelist·2022-02-09
Spam and phishing in 2021
Table of Contents
Figures of the year
Trends of the year
How to make an unprofitable investment with no return
Films and events “streamed” on fake sites: not seeing is believing!
A special offer from cybercriminals: try hand at spamming
Hurry up and lose your account: phishing in the corporate sector
COVID-19
Scams
The corporate sector
COVID-19 vaccination
Statistics: spam
Share of spam in mail traffic
Source of spam by country or region
Malicious mail attachments
Malware families
Countries and regions targeted by malicious mailings
Statistics: phishing
Map of phishing attacks
Top-level domains
Organizations mimicked in phishing attacks
Phishing in messengers
Conclusion
Authors
Tatyana Kulikova
Tatyana Shcherbakova
## Figures of the year
In 2021:
45.56% of e-mai
Securelist
IT threat evolution in Q3 2021. PC statistics
blogs_securelist·2021-11-26
IT threat evolution in Q3 2021. PC statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Attack on Kaseya and the REvil story
The arrival of BlackMatter: DarkSide restored?
Q3 closures
Exploitation of vulnerabilities and new attack methods
Number of new ransomware modifications
Number of users attacked by ransomware Trojans
Geography of ransomware attacks
Top 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by cybercriminals during cyberattacks
Quarter highlights
Statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries tha
Securelist
IT threat evolution in Q3 2021. PC statistics
blogs_securelist·2021-11-26
IT threat evolution in Q3 2021. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Number of users attacked by ransomware Trojans
- Geography of ransomware attacks
- Top 10 most common families of ransomware Trojans
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution Q3 2021
- IT threat evolution in Q3 2021. PC statistics
- IT threat evolution in Q3 2021. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2021:
- Kaspersky solutions blocked 1,098,968,315 attacks from online reso
Securelist
Q3 2021 spam and phishing report
blogs_securelist·2021-11-01
Q3 2021 spam and phishing report
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Takeaways
Authors
- Tatyana Kulikova
- Tatyana Shcherbakova
## Quarterly highlights
### Scamming championship: sports-related fraud
This summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were “official”, despite charging potential victims several times the real price of a ticket, and some just
Checkpoint
25th October – Threat Intelligence Report
blogs_checkpoint·2021-10-25
CVE-2017-11882 25th October – Threat Intelligence Report
## 25th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 25th October, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Russia-based REvil ransomware gang, responsible for the Colonial Pipeline and Kaseya attacks among others, has been hacked and taken down by law enforcement groups and intelligence agencies from different governments. Following the news of REvil’s take-down, the Groove ransomware gang is calling on other extortion groups
Talos
Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
blogs_talos·2021-10-20·CVSS 7.8
CVE-2017-11882 [HIGH] Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
## Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
Cisco Talos recently discovered a threat actor using political and government-themed malicious domains to target entities in India and Afghanistan.
These attacks use dcRAT and QuasarRAT for Windows delivered via malicious documents exploiting CVE-2017-11882 — a memory corruption vulnerability in Microsoft Office — and AndroidRAT to target mobile devices.
The actor also uses a custom file enumerator and infector in their initial reconnaissance phase of the attack.
The actor appears to be a lone wolf using a front company to run a crimeware campaign, possibly to establish initial footholds into high-value targets for future operations or monetary gain.
## What’s new?
Cisco Talos has observed a new ca
Talos
Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
blogs_talos·2021-10-20·CVSS 7.8
CVE-2017-11882 [HIGH] Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
- Cisco Talos recently discovered a threat actor using political and government-themed malicious domains to target entities in India and Afghanistan.
- These attacks use dcRAT and QuasarRAT for Windows delivered via malicious documents exploiting CVE-2017-11882 — a memory corruption vulnerability in Microsoft Office — and AndroidRAT to target mobile devices.
- The actor also uses a custom file enumerator and infector in their initial reconnaissance phase of the attack.
- The actor appears to be a lone wolf using a front company to run a crimeware campaign, possibly to establish initial footholds into high-value targets for future operations or monetary gain.
## What’s new?
Cisco Talos has observed a new campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver
Unit42
SilverTerrier – Nigerian Business Email Compromise
blogs_unit42·2021-10-07
SilverTerrier – Nigerian Business Email Compromise
## Executive Summary
Business email compromise (BEC) remains the most common and most costly threat facing our customers. The year 2020 marked the fifth year in which these schemes held the top position on the annual FBI Internet Crime Complaint Center (IC3) report. Over half a decade, global losses ballooned from $360 million in 2016 to a staggering $1.8 billion in 2020. Put in perspective, the annual losses associated with BEC schemes now exceed the gross domestic product (GDP) of 24 countries. Of greater concern, the combined losses in the three-year period 2018-2020 are now estimated to be in excess of $4.93 billion worldwide. This threat shows no sign of slowing down, as losses increased 29% last year to an average of $96,372 per victim.
Over the past half decade, Palo Alto Networks
Unit42
SilverTerrier – Nigerian Business Email Compromise
blogs_unit42·2021-10-07
SilverTerrier – Nigerian Business Email Compromise
## SilverTerrier – Nigerian Business Email Compromise
Peter Renals
Published: October 7, 2021
## Executive Summary
Business email compromise (BEC) remains the most common and most costly threat facing our customers. The year 2020 marked the fifth year in which these schemes held the top position on the annual FBI Internet Crime Complaint Center (IC3) report. Over half a decade, global losses ballooned from $360 million in 2016 to a staggering $1.8 billion in 2020. Put in perspective, the annual losses associated with BEC schemes now exceed the gross domestic product (GDP) of 24 countries. Of greater concern, the combined losses
Trendmicro
CISA Reports Top Vulnerabilities From Remote Work
blogs_trendmicro·2021-09-21·CVSS 9.1
[CRITICAL] CISA Reports Top Vulnerabilities From Remote Work
# CISA Reports Top Vulnerabilities From Remote Work
Trend Micro’s Next-Generation IPS protects organizations from threats as attackers now target remote work-related vulnerabilities.
By: Jon Clay
2021/09/21
As COVID-19 moves people to the cloud, cyber actors now aim at shooting the sky.
On July 28, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released a report detailing the top exploited vulnerabilities in 2020 and 2021. The report shows that the attackers’ favorite new targets are vulnerabilities published after 2019 and relevant to remote work, VPN (Virtual Private Network), and cloud-based technologies.
As remote work became widespread, cyber actors have been taking advantage of the young, unpat
Trendmicro
New Campaign Sees LokiBot Delivered Via Multiple Methods
blogs_trendmicro·2021-08-25·CVSS 7.5
[HIGH] New Campaign Sees LokiBot Delivered Via Multiple Methods
# New Campaign Sees LokiBot Delivered Via Multiple Methods
We recently detected an aggressive malware distribution campaign delivering LokiBot via multiple techniques, including the exploitation of older vulnerabilities.
By: William Gamazo Sanchez, Bin Lin
2021/08/25
# Introduction
We recently detected an aggressive malware distribution campaign delivering LokiBot via multiple techniques, including the exploitation of older vulnerabilities. This blog entry describes and provides an example of one of the methods used in the campaign, as well as a short analysis of the payload. We found that one of the command-and-control (C&C) servers had enabled directory browsing, allowing us to retrieve updated samples.
Figure 1. C&C server with directory br
Securelist
IT threat evolution in Q2 2021. PC statistics
blogs_securelist·2021-08-12
IT threat evolution in Q2 2021. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2021:
- Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.
- Web antivirus recognized 675,832,360 unique URLs as malicious.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.
- Ransomware attacks were defeated on the computers
Securelist
Q2 2021 spam and phishing report
blogs_securelist·2021-08-05
Q2 2021 spam and phishing report
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Tatyana Shcherbakova
## Quarterly highlights
### The corporate sector
In Q2 2021, corporate accounts continued to be one of the most tempting targets for cybercriminals. To add to the credibility of links in emails, scammers imitated mailings from popular cloud services. This technique has been used many times before. A fake notification about a Microsoft Teams meeting or a request to view an important document traditionally takes the victim to a phishing login page asking for corporate account credentials.
Cybercriminals also faked emails from cloud services in schemes aimed at stealing not accounts but money. We saw, for example, spoofed messages about a co
Tenable
How Risk-based Vulnerability Management Can Help Address the Most Commonly Exploited Vulnerabilities Today
blogs_tenable·2021-07-30
How Risk-based Vulnerability Management Can Help Address the Most Commonly Exploited Vulnerabilities Today
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
blogs_qualys·2021-07-29·CVSS 10.0
[CRITICAL] CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
#### Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISA's Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the large
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities
blogs_qualys·2021-07-29·CVSS 9.1
[CRITICAL] CISA Alert: Top Routinely Exploited Vulnerabilities
## Table of Contents
Top Routinely Exploited Vulnerabilities
Detect CISA's Top Routinely Exploited Vulnerabilities using Qualys VMDR
Recommendations
Remediation and Mitigation
Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest numbe
Talos
Threat Source newsletter (June 24, 2021)
blogs_talos·2021-06-24
Threat Source newsletter (June 24, 2021)
## Threat Source newsletter (June 24, 2021)
Good afternoon, Talos readers.
Even though spam emails asking for gift cards may seem like the oldest trick in the book, they're still effective in 2021. The FBI estimates that business email compromise cost victims around $1.8 billion in 2020, and we've seen recent campaigns that are showing the damage can only get worse.
Attackers are taking over businesses' emails and then sending employees and customers messages themed around everything from COVID-19 to PlayStation 5 sales. So while BEC may not seem like the most exciting threat out there, it's still one that can't be ignored.
## Upcoming Talos public engagements
Workshop: Analysing Android malware at VirusBulletin localhost 2021
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virt
Talos
Threat Source newsletter (June 24, 2021)
blogs_talos·2021-06-24
Threat Source newsletter (June 24, 2021)
Good afternoon, Talos readers.
Even though spam emails asking for gift cards may seem like the oldest trick in the book, they're still effective in 2021. The FBI estimates that business email compromise cost victims around $1.8 billion in 2020, and we've seen recent campaigns that are showing the damage can only get worse.
Attackers are taking over businesses' emails and then sending employees and customers messages themed around everything from COVID-19 to PlayStation 5 sales. So while BEC may not seem like the most exciting threat out there, it's still one that can't be ignored.
## Upcoming Talos public engagements
Workshop: Analysing Android malware at VirusBulletin localhost 2021
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become p
Securelist
IT threat evolution Q1 2021. Non-mobile statistics
blogs_securelist·2021-05-31
IT threat evolution Q1 2021. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Attack geography
Top 10 most common families of ransomware Trojans
Miners
Number of new modifications
Number of users attacked by miners
Attack geography
Vulnerable applications used by cybercriminals during cyber attacks
Attacks on macOS
Threat geography
IoT attacks
IoT threat statistics
SSH-based attacks
Threats loaded into traps
Attacks via web resources
Countries that are sources of web-based attacks: Top 10
Countries where users faced the greatest risk of online infection
Local threats
Countries where users faced the highest risk of local infection
Autho
Securelist
IT threat evolution Q1 2021. Non-mobile statistics
blogs_securelist·2021-05-31
IT threat evolution Q1 2021. Non-mobile statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2021:
- Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
- 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
- Ransomware att
Securelist
Kaspersky Security Bulletin 2020-2021. EU statistics
blogs_securelist·2021-05-26
Kaspersky Security Bulletin 2020-2021. EU statistics
Table of Contents
- Main figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
- Phishing in the EU
Authors
- Kaspersky
All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. The statistics in this report cover the period from May 2020 to April 2021, inclusive.
## Main figures
- 70% of Internet user computers in the EU experienced at least
Fortinet
Spearphishing Attack Uses COVID-21 Lure to Target Ukrainian Government | FortiGuard Labs
blogs_fortinet·2021-05-03
Spearphishing Attack Uses COVID-21 Lure to Target Ukrainian Government | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Spearphishing Attack Uses COVID-21 Lure to Target Ukrainian Government
By Fred Gutierrez and Val Saengphaibul | May 03, 2021
FortiGuard Labs Threat Research Report
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collection of sensitive information from infected victims
Severity level: High
Introduction
FortiGuard Labs has discovered yet another COVID-themed lure designed to compel unsuspecting victims to click on what appears at first to be an innocuous link. However, unbeknownst to the target, the link leads to a zip file that contains malicious attachments. This blog will highlight the steps taken by an unnamed threat actor targeting the security interests of a former Eastern bloc nation.
Key Takeaways of This Blog
Spearphi
Securelist
Spam and phishing in Q1 2021
blogs_securelist·2021-05-03
Spam and phishing in Q1 2021
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Tatyana Shcherbakova
- Tatyana Sidorina
## Quarterly highlights
### Banking phishing: new version of an old scheme
In Q1 2021, new banking scams appeared alongside ones that are more traditional. Clients of several Dutch banks faced a phishing attack using QR codes. The fraudsters invited the victim to scan a QR code in an email, ostensibly to unblock mobile banking. In actual fact, scanning the code resulted in a data leak, money theft or device infection, if it contained a link to a web page with malware.
To lure users to their sites, phishers exploited the COVID-19 topic. In particular, in a newsletter purporting to be from the MKB bank, recipients were as
Securelist
Spam and phishing in 2020
blogs_securelist·2021-02-15
Spam and phishing in 2020
Table of Contents
Figures of the year
Trends of the year
Contact us to lose your money or account!
Reputation, bitcoins or your life?
Attacks on the corporate sector
Messengers targeted
COVID-19
“Public relief” by spammers
Malicious links
Viral postal services
The corporate sector
“Nigerian” crooks making money from the pandemic
An unusual turn of events
Statistics: spam
Proportion of spam in email traffic
Sources of spam by country
Malicious email attachments
Malware families
Countries targeted by malicious mailshots
Statistics: phishing
Attack geography
TOP 10 countries by number of attacked users
Top-level domains
Organizations under attack
Conclusion
Authors
Tatyana Kulikova
Tatyana Shcherbakova
Tatyana Sidorina
## Figures of the year
In 2020:
The share
Talos
Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows
blogs_talos·2021-02-09
Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows
- The developers of LodaRAT have added Android as a targeted platform.
- A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities.
- The operators behind LodaRAT are tied to a specific campaign targeting Bangladesh, although others have been seen.
- Kasablanca, the group behind LodaRAT, seems to be motivated by information gathering and espionage rather than direct financial gain. Threat actors attempt to evolve over time and the ones behind Loda are no different. Loda now has an Android version. Just like its Windows version, the Android version is also a remote access tool (RAT) with the features one would expect out of this kind of malware. This Android RAT had been previously referred to as "Gaza007." However, Talos linked it to the Loda develop
Trendmicro
SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks
blogs_trendmicro·2020-12-09
SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks
APT & Targeted Attacks
## SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks
While tracking the activities of the SideWinder group, we identified a server used to deliver a malicious LNK file and host multiple credential phishing pages. In addition, we also found multiple Android APK files on their phishing server.
By: Joseph C Chen, Jaromir Horejsi, Ecular Xu 2020/12/09
While tracking the activities of the SideWinder group, which has become infamous for targeting the South Asia region and its surrounding countries, we identified a server used to deliver a malicious LNK file and host multiple credential phishing pages. We learned that these pages were copied from their victims’ webmail login pages and subsequently modified for phish
Securelist
IT threat evolution Q3 2020. Non-mobile statistics
blogs_securelist·2020-11-20
IT threat evolution Q3 2020. Non-mobile statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Evgeny Lopatin
- Alexey Kulaev
- Alexander Kolesnikov
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3:
- Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
- 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware for stealing
Securelist
Spam and phishing in Q3 2020
blogs_securelist·2020-11-12
Spam and phishing in Q3 2020
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Tatyana Sidorina
## Quarterly highlights
### Worming their way in: cybercriminal tricks of the trade
These days, many companies distribute marketing newsletters via online platforms. In terms of capabilities, such platforms are quite diverse: they send out advertising and informational messages, harvest statistics (for example, about clicked links in emails), and the like. At the same time, such services attract both spammers, who use them to send their own mailings, and cybercriminals, who try to gain access to user accounts, usually through phishing. As a result, attackers also get their hands on user-created mailing lists, which allows them to disseminate m
Talos
LodaRAT Update: Alive and Well
blogs_talos·2020-09-29·CVSS 7.8
[HIGH] LodaRAT Update: Alive and Well
- During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality.
- Multiple new versions of LodaRAT have been spotted being used in the wild.
- These new versions of LodaRAT abandoned their previous obfuscation techniques.
- Direct interaction with the threat actor was observed during analysis, indicating the actor is actively monitoring infected hosts.
### What's New?
Talos recently identified new versions of LodaRAT, a remote access trojan written in AutoIt. Not only have these versions abandoned their usual obfuscation techniques, but several functions have also been rewritten and new functionality has been added. In one version, a hex-encoded PowerShell keylogger script has been added, along with a new VB script, only to be removed
Sentinelone
Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic - SentinelLabs
blogs_sentinelone·2020-09-04
Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic - SentinelLabs
At Sentinel Labs, we have been closely tracking adversarial behavior as it pertains to COVID-19/Coronavirus. To date, we have observed a significant number of malware campaigns, spam campaigns, and outright scams that are preying on the fears and uncertainties of the global population.
Updates are tagged in-line with respective dates within each section of this post.
## September 2020
[September 9, 2020]
On August 27, the Health Sector Cybersecurity Coordination Center (HC3) released report ID: 202008271653. This report details a specific phishing campaign used to distribute the Agent Tesla RAT. The lure in the emails is centered around updates to COVID-specific PPE (Personal Protection Equipment). We have seen similar campaigns running since late April / early May, and these current e
Securelist
IT threat evolution Q2 2020. PC statistics
blogs_securelist·2020-09-03
IT threat evolution Q2 2020. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on Apple macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Evgeny Lopatin
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Alexey Kulaev
- Alexander Kolesnikov
IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2:
- Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.
- As many as 286,
Unit42
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
blogs_unit42·2020-08-26
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
## The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
Jay Chen
Published: August 26, 2020
## Executive Summary
With the ever-increasing number of new vulnerabilities, vulnerability management becomes one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it’s also important to know quantitatively how a delay could increase risk. What is the chance that attackers breach my organization using a CVE just disclosed or using an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, Unit 42 researchers analyzed 45,450 publicly available exploits in Exploit Database at the time of this writing. The research correlated the exploit data with vulnerability and patch information to study exploit development in multiple facets.
The research reveals that:
Sentinelone
Agent Tesla | Old RAT Uses New Tricks to Stay on Top - SentinelLabs
blogs_sentinelone·2020-08-10
Agent Tesla | Old RAT Uses New Tricks to Stay on Top - SentinelLabs
As other researchers have recently noted, the Agent Tesla RAT (Remote Access Trojan) has become one of the most prevalent malware families threatening enterprises in the first half of 2020, being seen in more attacks than even TrickBot or Emotet and only slightly fewer than Dridex. Although the Agent Tesla RAT has been around for at least 6 years, it continues to adapt and evolve, defeating many organizations’ security efforts. During the COVID-19 pandemic new variants have been introduced with added functionality, and the malware has been widely used in Coronavirus-themed phishing campaigns.
## Agent Tesla | Background & Overview
Agent Tesla is, at its core, a keylogger and information stealer. First discovered in late 2014, there has been steady growth in the use of Agent Tesla over th
Securelist
Spam and phishing in Q2 2020
blogs_securelist·2020-08-07
Spam and phishing in Q2 2020
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Tatyana Sidorina
- Tatyana Shcherbakova
## Quarterly highlights
### Targeted attacks
The second quarter often saw phishers resort to targeted attacks, especially against fairly small companies. To attract attention, scammers imitated email messages and websites of companies whose products or services their potential victims could be using.
The scammers did not try to make any of the website elements appear credible as they created the fake. The login form is the only exception. One of the phishing websites we discovered even used a real captcha on that form.
The main pretext that scammers use to prompt the target to enter their information is offering an onl
Fortinet
Global Malicious Spam Campaign Using Black Lives Matter as a Lure | FortiGuard Labs
blogs_fortinet·2020-06-15
Global Malicious Spam Campaign Using Black Lives Matter as a Lure | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Global Malicious Spam Campaign Using Black Lives Matter as a Lure
By Val Saengphaibul and Fred Gutierrez | June 15, 2020
FortiGuard Labs Threat Analysis
Affected platforms: Windows 10 & Windows Server 2019
Impacted parties: Windows 10 version 1809 + and Windows Server version 1903 +
Impact: Privilege Escalation & User-Privacy Settings Violation
Severity level: Important
On June 10, 2020, FortiGuard Labs came across a global malicious spam campaign that is targeting users who may be sympathetic to the Black Lives Matter movement that began in the United States. With all of the calamity of 2020, such as the ongoing COVID-19 pandemic and the numerous protests in the United States and elsewhere, attackers are leveraging the global news cycle to lure unsuspe
Securelist
Cycldek: Bridging the (air) gap
blogs_securelist·2020-06-03
Cycldek: Bridging the (air) gap
Table of Contents
Key findings
Background
Two implants, two clusters
Info stealing and lateral movement toolset
Formerly Unreported Malware: USBCulprit
Conclusion
Appendix – IOCs
Authors
GReAT
Mark Lechtik
Giampaolo Dedola
## Key findings
While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:
Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast
Securelist
Spam and phishing in Q1 2020
blogs_securelist·2020-05-26
Spam and phishing in Q1 2020
Table of Contents
- Quarterly highlights
- Disaster and pandemic
- Statistics: spam
- Sources of spam by country
- Statistics: phishing
- Conclusion
Authors
- Tatyana Shcherbakova
- Tatyana Sidorina
- Tatyana Kulikova
## Quarterly highlights
### Don’t get burned
Burning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, the number is limited, and the buying process is a challenge all by itself (there are several stages, registration data must be entered at a specific time, and if something goes wrong you might not get a second chance). Therefore, half-price fake tickets make for excellent bait.
Scammers tried to make their websit
Sentinelone
Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks
blogs_sentinelone·2020-05-20·CVSS 7.8
[HIGH] Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks
The Ramsay “framework” emerged in late 2019 and was disclosed thanks to a discovery by researchers querying the VirusTotal public malware repository. As of April 2020, there appears to be two fully maintained branches of the toolkit. Although in-the-wild instances of the Ramsay malware appear to be low at present, this may be due to the malware’s highly-specialized objectives. The Ramsay samples discovered to date are heavily focused on both persistence and data exfiltration from air-gapped environments. This suggests the possibility that the malware was developed for advanced targeted campaigns by a threat actor primarily interested in organizations trying to protect the most-sensitive of information. As is often the case with specialized malware, there is also a real danger of it “leakin
Unit42
Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
blogs_unit42·2020-05-12
Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
## Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
Alex Hinchliffe
Robert Falcone
Published: May 11, 2020
## Executive Summary
Unit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical lures, included government and military organizations in South Asia.
The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional p
Unit42
Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
blogs_unit42·2020-05-12
Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
## Executive Summary
Unit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical lures, included government and military organizations in South Asia.
The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads.
The initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised legitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for Applications (VBA) Macro code which, if enabled by the victim
Unit42
COVID-19 Themed Malware Within Cloud Environments
blogs_unit42·2020-05-11
COVID-19 Themed Malware Within Cloud Environments
## Executive Summary
Unit 42 researchers found that public cloud infrastructure has communicated with domains known to distribute COVID-19 themed malware. On March 24, 2020, Unit 42 published a blog discussing attack patterns used by malicious actors in relation to the novel Coronavirus (COVID-19). Taking these findings a step further, researchers attempted to uncover if there are malicious COVID-19 related events taking place within public cloud infrastructure. If indications of this activity were found, how could organizations protect themselves?
Researchers identified 300+ COVID-19 themed malware samples that communicated with 20 unique IP addresses and domain indicators of compromise (IOCs). After querying Prisma Cloud for network connections to these 20 suspicious IOCs between March
Unit42
COVID-19 Themed Malware Within Cloud Environments
blogs_unit42·2020-05-11
COVID-19 Themed Malware Within Cloud Environments
## COVID-19 Themed Malware Within Cloud Environments
Nathaniel Quist
Published: May 11, 2020
## Executive Summary
Unit 42 researchers found that public cloud infrastructure has communicated with domains known to distribute COVID-19 themed malware. On March 24, 2020, Unit 42 published a blog discussing attack patterns used by malicious actors in relation to the novel Coronavirus (COVID-19). Taking these findings a step further, researchers attempted to uncover if there are malicious COVID-19 related events taking place within public cloud infrastructure. If indications of this activity were found, how could organizations protect themselves?
Unit42
SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes
blogs_unit42·2020-05-07
SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes
## SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes
Peter Renals
Published: May 7, 2020
## Executive Summary
Focusing on one of the most active subsets of the global threat landscape, Palo Alto Networks Unit 42 tracks Nigerian cyber criminals involved in Business Email Compromise (BEC) activities under the name SilverTerrier. Over the past 90 days (Jan. 30 - Apr. 30), we have observed three SilverTerrier actors/groups launch a series of 10 COVID-19 themed malware campaigns. These campaigns have produced over 170 phishing emails seen across our customer base. While broad in their targeting, t
Unit42
SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes
blogs_unit42·2020-05-07
SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes
## Executive Summary
Focusing on one of the most active subsets of the global threat landscape, Palo Alto Networks Unit 42 tracks Nigerian cyber criminals involved in Business Email Compromise (BEC) activities under the name SilverTerrier. Over the past 90 days (Jan. 30 - Apr. 30), we have observed three SilverTerrier actors/groups launch a series of 10 COVID-19 themed malware campaigns. These campaigns have produced over 170 phishing emails seen across our customer base. While broad in their targeting, these actors have exercised minimal restraint in terms of targeting organizations that are critical to COVID-19 response efforts. Specifically, we find it alarming that several of these campaigns recklessly included targets at government healthcare agencies, local and regional governments,
Fortinet
Scammers Using COVID-19/Coronavirus Lure to Target Medical Suppliers | FortiGuard Labs
blogs_fortinet·2020-05-01·CVSS 7.8
[HIGH] Scammers Using COVID-19/Coronavirus Lure to Target Medical Suppliers | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Scammers Using COVID-19/Coronavirus Lure to Target Medical Suppliers
By Val Saengphaibul | May 01, 2020
FortiGuard Labs Threat Analysis
Affected Platforms: Microsoft Windows
Impacted Users: Medical Device Suppliers
Threat Severity: Medium
FortiGuard Labs has discovered a new malicious spearphishing campaign, once again using the COVID-19/Coronavirus pandemic as a lure. This latest email campaign targets a medical device supplier, wherein the attacker is inquiring about various materials needed to address the COVID-19 pandemic due to high demand for supplies, and includes a compelling statement that they have already tried to reach the recipient via telephone in order to create a stronger sense of urgency:
Figure 1. Spearphishing email
The email contain
Tenable
How VPR Helped Prioritize the Most Dangerous CVEs in 2019
blogs_tenable·2020-04-30
How VPR Helped Prioritize the Most Dangerous CVEs in 2019
Tenable
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
blogs_tenable·2020-04-13
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
Securelist
Spam and phishing in 2019
blogs_securelist·2020-04-08·CVSS 7.8
[HIGH] Spam and phishing in 2019
Table of Contents
- Figures of the year
- Trends of the year
- Statistics: spam
- Statistics: phishing
- Wrap-up
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana Sidorina
- Tatyana Kulikova
## Figures of the year
- The share of spam in mail traffic was 56.51%, which is 4.03 p.p. more than in 2018.
- The biggest source of spam this year was China (21.26%).
- 78.44% of spam e-mails were less than 2 KB in size.
- Malicious spam was detected most commonly with the Exploit.MSOffice.CVE-2017-11882 verdict.
- The Anti-Phishing system was triggered 467,188,119 times.
- 15.17% of unique users encountered phishing.
## Trends of the year
### Beware of novelties
In 2019, attackers were more active than usual in their exploitation of major sports and movie events to gain access to use
Securelist
Spam and phishing in 2019
blogs_securelist·2020-04-08·CVSS 7.8
[HIGH] Spam and phishing in 2019
Table of Contents
- Figures of the year
- Trends of the year
  - Beware of novelties
  - The price of fame: attackers exploit popular resources
  - Malicious transactions
  - Anyone order bitcoin?
  - Cryptocurrencies and blackmail
  - Corporate sector in the crosshairs
- Statistics: spam
  - Proportion of spam in mail traffic
  - Sources of spam by country
  - Spam e-mail size
  - Malicious mail attachments
  - Malware families
  - Countries targeted by malicious mailings
- Statistics: phishing
  - Organizations under attack
  - Rating of categories of organizations attacked by phishers
  - Attack geography
  - Countries by share of attacked users
  - TOP 10 countries by share of attacked users
- Wrap-up
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana Sidorina
- Tatyana Kulikova
## Figures of the year
The share of spam in mail traffic
Fortinet
Latest Global COVID-19/Coronavirus Spearphishing Campaign Drops Infostealer | FortiGuard Labs
blogs_fortinet·2020-04-02
Latest Global COVID-19/Coronavirus Spearphishing Campaign Drops Infostealer | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Latest Global COVID-19/Coronavirus Spearphishing Campaign Drops Infostealer
By Val Saengphaibul | April 02, 2020
FortiGuard Labs Threat Analysis
Affected platforms: Windows Platforms
Impacted parties: Global Distribution
Impact: Infostealer
Severity level: Medium
FortiGuard Labs recently discovered a new COVID-19/Coronavirus-themed spearphishing email sent from [159.69.16[.]177] that uses the World Health Organization (WHO) trademark in an attempt to convince recipients of its authenticity. The email contains the subject line “Coronavirus disease (COVID-19) Important Communication[.]”. It also includes an attachment entitled “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” that appears to contain additional information, but which in fact is a decoy.
Tenable
COVID-19: Coronavirus Fears Seized by Cybercriminals
blogs_tenable·2020-03-12
COVID-19: Coronavirus Fears Seized by Cybercriminals
Talos
Loda RAT Grows Up
blogs_talos·2020-02-12·CVSS 7.8
CVE-2017-11882 [HIGH] Loda RAT Grows Up
By Chris Neal.
- Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.
- These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document exploits CVE-2017-11882 to download and run the MSI file, which contains Loda version 1.1.1.
- This campaign appears to be targeting countries in South America and Central America, as well as the U.S.
## What's New?
Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Lod
Qualys
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
blogs_qualys·2019-12-27·CVSS 8.8
[HIGH] Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
A recent report identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.
The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.
| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | Examples of Threat Actors |
|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) |
2
Securelist
IT threat evolution Q3 2019
blogs_securelist·2019-11-29
IT threat evolution Q3 2019
Table of Contents
- Targeted attacks and malware campaigns
  - Mobile espionage targeting the Middle East
  - APT33 beefs up its toolset
  - New FinSpy iOS and Android implants found in the wild
  - Turla revamps its toolset
  - CloudAtlas uses new infection chain
  - Dtrack banking malware discovered
- Other security news
  - Sodin ransomware attacks MSP
  - The impact of web mining
  - Mac OS threat landscape
  - Smart home vulnerabilities
  - Security of smart buildings
  - Smart cars and connected devices
  - Personal data theft
Authors
- David Emm
## Targeted attacks and malware campaigns
### Mobile espionage targeting the Middle East
At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The cam
Securelist
IT threat evolution Q3 2019
blogs_securelist·2019-11-29
IT threat evolution Q3 2019
Table of Contents
- Targeted attacks and malware campaigns
- Other security news
Authors
- David Emm
## Targeted attacks and malware campaigns
### Mobile espionage targeting the Middle East
At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our Threat Intelligence Portal. We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attack
Securelist
Spam and phishing in Q3 2019
blogs_securelist·2019-11-26
Spam and phishing in Q3 2019
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Maria Vergelis
- Tatyana Sidorina
- Tatyana Shcherbakova
## Quarterly highlights
### Amazon Prime
In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September’s Prime Day sale, such messages were plausible.
Scammers also used another fraudulent scheme: An email informed victims that their request to cancel Amazon Prime had been accepted, but if they had changed their mind, they should call the number in the message. Fearing their accounts may have been hacked, victims phoned the
Securelist
Spam and phishing in Q3 2019
blogs_securelist·2019-11-26
Spam and phishing in Q3 2019
Table of Contents
- Quarterly highlights
  - Amazon Prime
  - Scammers collect photos of documents and selfies
  - YouTube and Instagram
  - Back to school
  - Apple product launch
  - Attacks on pay TV users
  - Spam through website feedback forms
  - Attacks on corporate email
- Statistics: spam
  - Proportion of spam in mail traffic
  - Sources of spam by country
  - Spam email size
  - Malicious attachments in email
  - Countries targeted by malicious mailings
- Statistics: phishing
  - Attack geography
  - Organizations under attack
- Conclusion
Authors
- Maria Vergelis
- Tatyana Sidorina
- Tatyana Shcherbakova
## Quarterly highlights
### Amazon Prime
In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things
Fortinet
Threat Landscape Trends in Education
blogs_fortinet·2019-11-21
Threat Landscape Trends in Education
INDUSTRY TRENDS & INSIGHTS
Threat Landscape Trends in Education
By Anthony Giandomenico | November 21, 2019
Education continues to be one of the industries most targeted by cybercriminals, primarily due to the data that schools store in their data centers. This information ranges from the PII of students and faculty, to stored payment information related to fees and tuitions, to original research being conducted by faculty and graduate students.
This blog combines critical intelligence related to the education sector with general threat and attack trends gathered from our global threat intelligence database. We will examine two of the major threat vectors targeting educational institutions – viruses and malware, and then take a quick look at the security implications of one of the top a
Fortinet
FortiGuard Labs Weekly Threat Update – September 27, 2019
blogs_fortinet·2019-09-27
FortiGuard Labs Weekly Threat Update – September 27, 2019
FORTIGUARD LABS THREAT RESEARCH
FortiGuard Labs Weekly Threat Update – September 27, 2019
By Jeannette Jarvis | September 27, 2019
Each week, FortiGuard Labs publishes a Threat Brief to subscribers that profile notable hot topics and threats that were discovered or discussed during the week. Here is a recap of what we are covering in this week’s Threat Brief:
Malware and Zero Day Attacks
We break down our analysis of a newly discovered variant of the NetWire RAT that is spreading via phishing email. When the victim clicks on a PDF-like picture embedded in the email, the NetWire RAT malware is downloaded. This variant also includes various anti-analysis techniques that it uses to stay concealed. We go into further detail on some of these techniques.
We also summarize our analysis of a n
Fortinet
Newly Discovered Infostealer Attack Uses LokiBot
blogs_fortinet·2019-09-09
Newly Discovered Infostealer Attack Uses LokiBot
FORTIGUARD LABS THREAT RESEARCH
Newly Discovered Infostealer Attack Uses LokiBot
By FortiGuard SE Team | September 09, 2019
The FortiGuard Labs SE team identified a new malicious spam campaign on August 21st, which we discovered after an analysis of information initially found on VirusTotal. It targeted a large US manufacturing company utilizing the well documented infostealer LokiBot. Interestingly enough, the LokiBot sample also has a compilation date of August 21st, which is the same day we discovered the malspam campaign.
Campaign Details
The campaign consists of a spam email that had been sent to the sales email address of the recipients, possibly from a compromised trusted sender, originating from the IP address of [23.83.133.8].
Figure 1. Variant of spam email sent to recipient
The spam em
Securelist
Spam and phishing in Q2 2019
blogs_securelist·2019-08-28
Spam and phishing in Q2 2019
Table of Contents
- Quarterly highlights
  - Spam through Google services
  - Bitcoin ransomware targets businesses
  - Global sporting events
  - Global TV and movie premieres
  - Tax refunds
  - Tourist phishing
  - Phishing emails supposedly from email services
- Statistics: spam
  - Proportion of spam in mail traffic
  - Sources of spam by country
  - Spam email size
  - Malicious attachments, malware families
- Statistics: phishing
  - Attack geography
  - Organizations under attack
- Conclusion
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana Sidorina
## Quarterly highlights
### Spam through Google services
In the second quarter of 2019, scammers were making active use of cloud-based data storage services such as Google Drive and Google Storage to hide their illegal content. The reasoning behind this is simple: a lin
Securelist
Spam and phishing in Q2 2019
blogs_securelist·2019-08-28
Spam and phishing in Q2 2019
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana Sidorina
## Quarterly highlights
### Spam through Google services
In the second quarter of 2019, scammers were making active use of cloud-based data storage services such as Google Drive and Google Storage to hide their illegal content. The reasoning behind this is simple: a link from a legitimate domain is seen as more trustworthy by both users and spam filters. Most often, such links point to text files, tables, presentations, and other documents containing text and a link, say, to an advertised product or phishing page.
Also this past quarter, cybercriminals actively used Google Calendar to send out invitations to non-existent
Securelist
IT threat evolution Q2 2019. Statistics
blogs_securelist·2019-08-19
IT threat evolution Q2 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.
- 217,843,293 unique URLs triggered Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were
Securelist
Recent Cloud Atlas activity
blogs_securelist·2019-08-12·CVSS 7.8
[HIGH] Recent Cloud Atlas activity
Authors
GReAT
Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we’ve been following its activities ever since.
From the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.
Countries targeted by Cloud Atlas recently
Cloud Atlas hasn’t changed its TTPs (Tactics, Techniques and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.
The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing ema
Fortinet
Tricky Chinese-Targeted Trojan Bypasses Authentication
blogs_fortinet·2019-08-07
CVE-2018-20250 Tricky Chinese-Targeted Trojan Bypasses Authentication
FORTIGUARD LABS THREAT RESEARCH
Tricky Chinese-Targeted Trojan Bypasses Authentication
By Yueh-Ting Chen | August 07, 2019
A FortiGuard Labs Threat Analysis Report
Introduction
FortiGuard Labs uncovered a new campaign targeted at Chinese-speakers using malware that bypasses normal authentication by exploiting known WinRAR file (CVE-2018-20250) and RTF file (CVE-2017-11882) vulnerabilities. This attack uses a watering hole attack strategy to target Chinese-speaking users by delivering malware through a hacked Chinese news site. Based on our analysis, the campaign also appears to be experimental because it uses so many different techniques and tools to target this end user community.
We first discovered this backdoor malware campaign in 2017, and over the years it has continued to upgra
Unit42
Unveiling 11 New Adversary Playbooks
blogs_unit42·2019-07-30·CVSS 7.8
[HIGH] Unveiling 11 New Adversary Playbooks
Today, Unit 42 released 11 new Adversary Playbooks as part of our mission to provide actionable threat intelligence. We use Playbooks to organize the tools, techniques, and procedures (TTPs) that an adversary uses into a structured format that can easily be shared and built upon. All of the Playbooks we have released can be accessed through our Playbook Viewer.
Here are brief descriptions of the new Unit 42 Adversary Playbooks:
- MuddyWater: In Spring 2019, the group altered its TTPs to evade particular security controls in the BlackWater attack campaign. An espionage campaign previously conflated with FIN7 activity, MuddyWater was first reported by Unit 42 in November 2017.
- Scarlet Mimic: Unveiled by Unit 42 in early 2016 and active since at least 2014, this espionage campaign largely
Unit42
Unveiling 11 New Adversary Playbooks
blogs_unit42·2019-07-30·CVSS 7.8
[HIGH] Unveiling 11 New Adversary Playbooks
## Unveiling 11 New Adversary Playbooks
Unit 42
Published: July 30, 2019
Today, Unit 42 released 11 new Adversary Playbooks as part of our mission to provide actionable threat intelligence. We use Playbooks to organize the tools, techniques, and procedures (TTPs) that an adversary uses into a structured format that can easily be shared and built upon. All of the Playbooks we have released can be accessed through our Playbook Viewer.
Here are brief descriptions of the new Unit 42 Adversary Playbooks:
MuddyWater: In Spring 2019, the group altered its TTPs to evade particular secu
Fortinet
GandCrab Doppelgänged His Shell? | FortiGuard Labs
blogs_fortinet·2019-07-25
GandCrab Doppelgänged His Shell? | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
GandCrab Doppelgänged His Shell?
By Omri Misgav | July 25, 2019
Threat Analysis: This blog originally appeared on the enSilo website and is republished here for threat research purposes. enSilo was acquired by Fortinet in October 2019.
A new loader-type malware has adopted a technique similar to Process Doppelgänging and spread like wildfire in the last year and a half. This loader is a significant threat – besides GandCrab, which closed up shop earlier this year – as it delivers over a dozen other payloads, including FormBook, LokiBot, SmokeLoader, AZORult, NetWire, njRat and Pony stealer.
Background
During an analysis we conducted while tracking the GandCrab ransomware (one of the more notorious malware families in 2018 and 2019), we noticed an interest
Talos
SWEED: Exposing years of Agent Tesla campaigns
blogs_talos·2019-07-15
SWEED: Exposing years of Agent Tesla campaigns
By Edmund Brumaghin and other Cisco Talos researchers.
## Executive summary
Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.
SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The
Talos
RATs and stealers rush through “Heaven’s Gate” with new loader
blogs_talos·2019-07-01
RATs and stealers rush through “Heaven’s Gate” with new loader
## RATs and stealers rush through “Heaven’s Gate” with new loader
By Holger Unterbrink and Edmund Brumaghin.
## Executive summary
Malware is constantly finding new ways to avoid detection. This doesn't mean that some will never be detected, but it does allow adversaries to increase the period of time between initial release and detection. Flying under the radar for just a few days is enough to infect sufficient machines to earn a decent amount of revenue for an attack. Cisco Talos recently discovered a new campaign delivering the HawkEye Reborn keylogger and other malware that proves attackers are constantly creating new ways to avoid antivirus detection. In this campaign, the attackers built a complex loader to ensure antivirus systems do not detect the payload malware. Among these fe
Talos
RATs and stealers rush through “Heaven’s Gate” with new loader
blogs_talos·2019-07-01
RATs and stealers rush through “Heaven’s Gate” with new loader
By Holger Unterbrink and Edmund Brumaghin.
## Executive summary
Malware is constantly finding new ways to avoid detection. This doesn't mean that some will never be detected, but it does allow adversaries to increase the period of time between initial release and detection. Flying under the radar for just a few days is enough to infect sufficient machines to earn a decent amount of revenue for an attack. Cisco Talos recently discovered a new campaign delivering the HawkEye Reborn keylogger and other malware that proves attackers are constantly creating new ways to avoid antivirus detection. In this campaign, the attackers built a complex loader to ensure antivirus systems do not detect the payload malware. Among these features is the infamous "Heaven's Gate" technique — a trick that all
Checkpoint
17th June – Threat Intelligence Bulletin
blogs_checkpoint·2019-06-17·CVSS 7.8
CVE-2017-11882 [HIGH] 17th June – Threat Intelligence Bulletin
## 17th June – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 10th June 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
Belgium-based airplane parts and aviation structuring business ASCO Industries has shuttered its plants in Belgium, Germany, Canada and the US after falling victim to a ransomware attack. Nearly 1,000 employees were sent home for the entire week.
Telegram’s founder Pavel Durov links China with the powerful DDoS attack, wh
Checkpoint
10th June – Threat Intelligence Bulletin
blogs_checkpoint·2019-06-16
CVE-2017-11882 10th June – Threat Intelligence Bulletin
## 10th June – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 10th June 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
American Medical Collection Agency (AMCA) has suffered a major data breach exposing personal and payment information of some ten million patients. The information included names, date of birth, address, phone, date of service, provider, balance information, and credit card or bank account data.
A campaign using a replica
Securelist
IT threat evolution Q1 2019. Statistics
blogs_securelist·2019-05-23
IT threat evolution Q1 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
- 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed t
Securelist
Spam and phishing in Q1 2019
blogs_securelist·2019-05-15
Spam and phishing in Q1 2019
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana Sidorina
## Quarterly highlights
### Valentine’s Day
As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.
But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim’s payment details being sent to the cybercriminals.
### New Apple products
Late March saw the unveiling of Apple’s latest products, which fraudsters wer
Securelist
Spam and phishing in Q1 2019
blogs_securelist·2019-05-15
Spam and phishing in Q1 2019
Table of Contents
- Quarterly highlights
  - Valentine’s Day
  - New Apple products
  - Fake technical support
  - New Instagram “features”
  - Mailshot phishing
  - Financial spam through the ACH system
  - “Dream job” offers from spammers
  - Ransomware and cryptocurrency
  - Malicious attacks on the corporate sector
  - Attacks on the banking sector
- Statistics: spam
  - Proportion of spam in mail traffic
  - Sources of spam by country
  - Spam email size
  - Malicious attachments: malware families
  - Countries targeted by malicious mailshots
- Statistics: phishing
  - Attack geography
  - Organizations under attack
- Conclusion
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana Sidorina
## Quarterly highlights
### Valentine’s Day
As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable conf
Securelist
FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
blogs_securelist·2019-05-08
FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Authors
- Yury Namestnikov
- Félix Aime
On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts.
In 2018-2019, researchers of Kaspersky Lab’s Global Research and
Securelist
FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
blogs_securelist·2019-05-08
FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Authors
- Yury Namestnikov
- Félix Aime
On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts.
In 2018-2019, researchers of Kaspersky Lab’s Global Research and Ana
Talos
New HawkEye Reborn Variant Emerges Following Ownership Change
blogs_talos·2019-04-15
New HawkEye Reborn Variant Emerges Following Ownership Change
## New HawkEye Reborn Variant Emerges Following Ownership Change
Edmund Brumaghin and Holger Unterbrink authored this blog post.
## Executive summary
Malware designed to steal sensitive information has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers. In many cases, the adversaries leveraging these tools do not need to possess programming skills or in-depth computer science expertise, as they are now being provided as commercial offerings across the cybercriminal underground. We have previously released in-depth analyses of these types of threats and how malicious attacke
Talos
New HawkEye Reborn Variant Emerges Following Ownership Change
blogs_talos·2019-04-15
New HawkEye Reborn Variant Emerges Following Ownership Change
Edmund Brumaghin and Holger Unterbrink authored this blog post.
## Executive summary
Malware designed to steal sensitive information has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers. In many cases, the adversaries leveraging these tools do not need to possess programming skills or in-depth computer science expertise, as they are now being provided as commercial offerings across the cybercriminal underground. We have previously released in-depth analyses of these types of threats and how malicious attackers are leveraging them to attack organizations with Remcos in August
Securelist
Spam and phishing in 2018
blogs_securelist·2019-03-12·CVSS 7.8
[HIGH] Spam and phishing in 2018
Table of Contents
- Numbers of the year
- Global events and spam
  - GDPR
  - 2018 FIFA World Cup
  - New iPhone launch
  - Malware and the corporate sector
  - New distribution channels
  - Cryptocurrencies and spam
- Phishing
  - Cryptocurrency
  - Lotteries and surveys
  - Universities
  - Taxes
  - HTTPS
  - Sales
- Statistics: spam
  - Proportion of spam in email traffic
  - Sources of spam by country
  - Spam email size
  - Malicious attachments in email
  - Malware families
  - Countries targeted by malicious mailshots
- Statistics: phishing
  - Organizations under attack
  - Rating of categories of organizations attacked by phishers
  - Top 3 organizations under attack from phishers
  - Attack geography
  - Countries by share of attacked users
  - Top 10 countries by share of attacked users
- Conclusion
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana
Securelist
Spam and phishing in 2018
blogs_securelist·2019-03-12·CVSS 7.8
CVE-2017-11882 [HIGH] Spam and phishing in 2018
Table of Contents
- Numbers of the year
- Global events and spam
- Phishing
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana Sidorina
## Numbers of the year
- The share of spam in mail traffic was 52.48%, which is 4.15 p.p. less than in 2017.
- The biggest source of spam this year was China (11.69%).
- 74.15% of spam emails were less than 2 KB in size.
- Malicious spam was detected most commonly with the Win32.CVE-2017-11882 verdict.
- The Anti-Phishing system was triggered 482,465,211 times.
- 18.32% of unique users encountered phishing.
## Global events and spam
### GDPR
In the first months of the year alone, we registered a great many emails in spam traffic connected in some way to the EU General Data Protection Re
Unit42
Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan
blogs_unit42·2019-02-25
Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan
## Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan
Josh Grunzweig
Brittany Barbehenn
Published: February 25, 2019
## Executive Summary
Since at least 2015, a suspected South Asian threat grouping known as BITTER has been targeting Pakistan and Chinese organizations using variants of a previously unreported downloader. We have named this malware family ArtraDownloader based on a PDB string discovered within the samples. We’ve observed three variants of this downloader with the earliest timestamp of February 2015. This downloader has frequently been observed downloading the Remote Access Trojan (RAT) BitterRAT which is associated with BITTER threat ope
Unit42
Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan
blogs_unit42·2019-02-25
Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan
## Executive Summary
Since at least 2015, a suspected South Asian threat grouping known as BITTER has been targeting Pakistan and Chinese organizations using variants of a previously unreported downloader. We have named this malware family ArtraDownloader based on a PDB string discovered within the samples. We’ve observed three variants of this downloader with the earliest timestamp of February 2015. This downloader has frequently been observed downloading the Remote Access Trojan (RAT) BitterRAT which is associated with BITTER threat operations.
Starting in September 2018 and continuing through the beginning of 2019, BITTER launched a wave of attacks targeting Pakistan and Saudi Arabia. This is the first reported instance of BITTER targeting Saudi Arabia. Details surrounding these attac
Securelist
GreyEnergy’s overlap with Zebrocy
blogs_securelist·2019-01-24·CVSS 7.8
[HIGH] GreyEnergy’s overlap with Zebrocy
Table of Contents
- Details
- Conclusions
Authors
- Kaspersky ICS CERT
In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.
Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s target
Securelist
GreyEnergy’s overlap with Zebrocy
blogs_securelist·2019-01-24·CVSS 7.8
[HIGH] GreyEnergy’s overlap with Zebrocy
Table of Contents
- Details
  - Servers
  - Attacked company
  - Attack timeframe
- Conclusions
Authors
- Kaspersky ICS CERT
In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.
Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of
Fortinet
Exploiting an RCE bug in the UDP Protocol implemented in FreeRTOS
blogs_fortinet·2018-12-04·CVSS 8.1
CVE-2018-16525 [HIGH] Exploiting an RCE bug in the UDP Protocol implemented in FreeRTOS
Exploiting an RCE bug in the UDP Protocol implemented in FreeRTOS
By Amir Zali | December 04, 2018
Recently, I saw a report about several bugs that were found on FreeRTOS. Curiosity got the best of me, and I started to take a look to see what can be done from the IPS side to protect our customers because of importance of IoT devices and the popularity of this operating system. (Since the initial report more details have been made available here, CVE-2018-16525.)
In this post I will just elaborate on a single RCE bug that I have managed to exploit in the UDP protocol which is implemented in FreeRTOS+TCP.
RTOS, Real Time Operating System, is a type of operating system that provides deterministic execution. AWS FreeRTOS is a class of RTOS from Amazon Web Se
Securelist
IT threat evolution Q3 2018. Statistics
blogs_securelist·2018-11-12
IT threat evolution Q3 2018. Statistics
Table of Contents
- Q3 figures
- Mobile threats
  - Q3 events
  - Mobile threat statistics
  - Distribution of detected mobile apps by type
  - Geography of mobile threats
  - Mobile banking Trojans
  - Mobile ransomware Trojans
- Attacks on IoT devices
  - Telnet attacks
- Financial threats
  - Q3 events
  - Financial threat statistics
  - Geography of attacks
- Cryptoware programs
  - Q3 events
  - Statistics
  - Number of new modifications
  - Number of users attacked by Trojan cryptors
  - Geography of attacks
- Cryptominers
  - Statistics
  - Number of new modifications
  - Number of users attacked by cryptominers
  - Geography of attacks
- Vulnerable apps used by cybercriminals
- Attacks via web resources
  - Countries where online resources are seeded with malware
  - Countries where users faced the greatest risk of online infection
- Local threats
  - Cou
Securelist
IT threat evolution Q3 2018. Statistics
blogs_securelist·2018-11-12
IT threat evolution Q3 2018. Statistics
Table of Contents
- Q3 figures
- Mobile threats
- Attacks on IoT devices
- Financial threats
- Cryptoware programs
- Cryptominers
- Vulnerable apps used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Evgeny Lopatin
- Alexander Liskin
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
## Q3 figures
According to Kaspersky Security Network:
- Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
- 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to
Securelist
Spam and phishing in Q3 2018
blogs_securelist·2018-11-06
Spam and phishing in Q3 2018
Table of Contents
- Quarterly highlights
  - Personal data in spam
  - Malicious spam attacks against the banking sector
  - New iPhone launch
  - Classic pharma spam in a new guise
  - Universities
  - Job search
  - Propagation methods
  - Scam notifications
  - Media
  - Instagram
- Statistics: spam
  - Proportion of spam in email traffic
  - Sources of spam by country
  - Spam email size
  - Malicious attachments: malware families
  - Countries targeted by malicious mailshots
- Statistics: phishing
  - Geography of attacks
  - Organizations under attack
- Conclusion
Authors
- Maria Vergelis
- Nadezhda Demidova
- Tatyana Shcherbakova
## Quarterly highlights
### Personal data in spam
We have often said that personal data is candy on a stick to fraudsters and must be kept safe (that is, not given out on dubious websites). It can be used to ga
Securelist
Spam and phishing in Q3 2018
blogs_securelist·2018-11-06
Spam and phishing in Q3 2018
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Maria Vergelis
- Nadezhda Demidova
- Tatyana Shcherbakova
## Quarterly highlights
### Personal data in spam
We have often said that personal data is candy on a stick to fraudsters and must be kept safe (that is, not given out on dubious websites). It can be used to gain access to accounts and in targeted attacks and ransomware campaigns.
In Q3, we registered a surge of fraudulent emails in spam traffic. This type of scam we have already reported at the beginning of the year. A ransom (in bitcoins) is demanded in exchange for not disclosing the “damaging evidence” concerning the recipients. The new wave of emails contained users’ actual personal data (names, passwords, phone num
Unit42
Inception Attackers Target Europe with Year-old Office Vulnerability
blogs_unit42·2018-11-05·CVSS 8.8
CVE-2012-1856 [HIGH] Inception Attackers Target Europe with Year-old Office Vulnerability
## Inception Attackers Target Europe with Year-old Office Vulnerability
Tom Lancaster
Published: November 5, 2018
The Inception attackers have been active since at least 2014 and have been documented previously by both Blue Coat and Symantec; historical attacks used custom malware for a variety of platforms, and targeting a range of industries, primarily in Russia, but also around the world. This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to deta
Unit42
Inception Attackers Target Europe with Year-old Office Vulnerability
blogs_unit42·2018-11-05·CVSS 7.8
CVE-2017-11882 [HIGH] Inception Attackers Target Europe with Year-old Office Vulnerability
The Inception attackers have been active since at least 2014 and have been documented previously by both Blue Coat and Symantec; historical attacks used custom malware for a variety of platforms, and targeting a range of industries, primarily in Russia, but also around the world. This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to detail in terms of cleaning up after itself, along with the malware being written in PowerShell.
Unit 42 has previously observed attacks from the group in 2017 against government targets in Europe, Russia, and Central Asia and expects these to remain the primary regions this threat is seen.
In the last writeup by Symantec they describe
Fortinet
CTA Adversary Playbook: Goblin Panda
blogs_fortinet·2018-11-01·CVSS 8.8
[HIGH] CTA Adversary Playbook: Goblin Panda
CTA Adversary Playbook: Goblin Panda
By FortiGuard SE Team | November 01, 2018
Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as Goblin Panda as part of its role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.
Active since 2014, Goblin Panda is a threat actor that is focused on interests in Southeast Asia. Goblin Panda has been documented by various organizations, including Fortinet, over the past several years. Due to non-standardized naming conventions within the industry, Goblin Panda is also known as APT 27, Hellsing, Cycledek, and perhaps 1937CN. Goblin Pan
Talos
Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
blogs_talos·2018-10-15·CVSS 7.8
[HIGH] Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
## Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
This blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Emmanuel Tacheau.
## Executive Summary
Cisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan called "Agent Tesla," and other malware such as the Loki information stealer. Initially, Talos' telemetry systems detected a highly suspicious document that wasn't picked up by common antivirus solutions. However, Threat Grid, Cisco's unified malware analysis and threat intelligence platform, identified the unknown file as malware. The adversaries behind this malware use a well-known exploit chain, but modified it in such a way so that antivirus sol
Talos
Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
blogs_talos·2018-10-15·CVSS 7.8
[HIGH] Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
This blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Emmanuel Tacheau.
### Executive Summary
Cisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan called "Agent Tesla," and other malware such as the Loki information stealer. Initially, Talos' telemetry systems detected a highly suspicious document that wasn't picked up by common antivirus solutions. However, Threat Grid, Cisco's unified malware analysis and threat intelligence platform, identified the unknown file as malware. The adversaries behind this malware use a well-known exploit chain, but modified it in such a way so that antivirus solutions don't detect it. In this post, we will outline the steps the adversaries took to remain undetecte
Securelist
Spam and phishing in Q2 2018
blogs_securelist·2018-08-14
Spam and phishing in Q2 2018
Table of Contents
- Quarterly highlights
  - GDPR as a phishing opportunity
  - Malicious IQY attachments
  - Data leaks
  - Cryptocurrency
  - World Cup 2018
  - HTTPS
  - Vacation season
- Distribution channels
  - WhatsApp
  - Twitter and Instagram
  - Facebook
  - Search results
- Spammer tricks
  - Double email headers
  - Subscription forms
- Statistics: spam
  - Proportion of spam in email traffic
  - Sources of spam by country
  - Spam email size
  - Malicious attachments: malware families
  - Countries targeted by malicious mailshots
- Statistics: phishing
  - Geography of attacks
  - Organizations under attack
- Conclusion
Authors
- Maria Vergelis
- Nadezhda Demidova
- Tatyana Shcherbakova
## Quarterly highlights
### GDPR as a phishing opportunity
In the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulati
Securelist
Spam and phishing in Q2 2018
blogs_securelist·2018-08-14
Spam and phishing in Q2 2018
Table of Contents
- Quarterly highlights
- Distribution channels
- Spammer tricks
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Maria Vergelis
- Nadezhda Demidova
- Tatyana Shcherbakova
## Quarterly highlights
### GDPR as a phishing opportunity
In the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.
As required by the regulation, companies notified email recipients that they were switching to a new GDPR-compliant policy and asked them to con
Securelist
IT threat evolution Q2 2018. Statistics
blogs_securelist·2018-08-06
IT threat evolution Q2 2018. Statistics
Table of Contents
- Q2 figures
- Mobile threats
- Attacks on IoT devices
- Online threats in the financial sector
- Vulnerable apps used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
- Oleg Kupreev
## Q2 figures
According to KSN:
- Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.
- 351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.
- Ransomware attacks were registered on the computers of 158,921 unique users.
- Our File Anti-Virus logged 192,053,
Securelist
IT threat evolution Q2 2018. Statistics
blogs_securelist·2018-08-06
IT threat evolution Q2 2018. Statistics
Table of Contents
- Q2 figures
- Mobile threats
  - General statistics
  - Distribution of detected mobile apps by type
  - TOP 20 mobile malware
  - Geography of mobile threats
  - Mobile banking Trojans
  - Mobile ransomware Trojans
- Attacks on IoT devices
  - Telnet attacks
  - TOP 10 countries by shares of IoT devices infected via Telnet
  - TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks
  - SSH attacks
  - TOP 10 countries by shares of IoT devices attacked via SSH
- Online threats in the financial sector
  - Q2 events
  - New banking Trojan DanaBot
  - The peculiar BackSwap technique
  - Carbanak gang leader detained
  - Ransomware Trojan uses Doppelgänging technique
  - General statistics on financial threats
  - Geography of attacks
  - TOP 10 countries by percentage of attacked users
  - TOP 10 banking malware f
Unit42
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
blogs_unit42·2018-07-24
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
Nearly all of us have a use for Microsoft Office documents. Whether they are work documents, e-receipts, or a lease on a new apartment – Office documents are useful to all of us, and this is part of the reason we’re very likely to open an office document we receive as an attachment in e-mail. Armed with the knowledge that many people will open nearly any document, even those from an untrusted source, adversaries commonly choose these files in attacks to compromise a system.
In this threat brief we show you five different ways that Office documents can be subverted and abused to attack and compromise a Windows endpoint, some we’ve already posted about before, and some are new.
Macros
Macros are the most straight-forward way for an attacker to weaponize Office documents. Office applicatio
Unit42
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
blogs_unit42·2018-07-24
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
## Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
Liat Hayun
Published: July 24, 2018
Nearly all of us have a use for Microsoft Office documents. Whether they are work documents, e-receipts, or a lease on a new apartment – Office documents are useful to all of us, and this is part of the reason we’re very likely to open an office document we receive as an attachment in e-mail. Armed with the knowledge that many people will open nearly any document, even those from an untrusted source, adversaries commonly choose these files in attacks to compromise a system.
In this threat brief we show you five different ways that Office documents
Fortinet
GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader
blogs_fortinet·2018-07-12
GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader
GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader
By Joie Salvio | July 12, 2018
Only two days after the release of GandCrab 4.0, FortiGuard Labs found a newer version (v4.1) being distributed using the same method, which is through compromised websites disguised as download sites for cracked applications.
With this new version, GandCrab has added a network communication tactic that was not observed in the previous version. In addition, we will be sharing our analysis of currently circulating reports concerning an alleged “SMB exploit spreader” threat.
Network Communication
Figure 1 Malware sends Info to list of compromised websites
This new version of the GandCrab malware contains an unusually long hard-coded list of compromised website
Fortinet
Hussarini – Targeted Cyber Attack in the Philippines
blogs_fortinet·2018-07-08·CVSS 7.8
By Jasper Manuel and Rommel Joven | July 08, 2018
Two weeks ago, FortiGuard Labs spotted a malicious document with the politically themed file name “Draft PH-US Dialogue on Cyber Security.doc”. This document exploits CVE-2017-11882. Upon successful exploitation, it drops malware into the victim’s %temp% directory.
Our analysis of this malware shows that it belongs to Hussarini, also known as Sarhust, a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014.
According to reports, the Philippines is the most exposed country in ASEAN to the cyberattacks known as advanced persistent threats, or APTs. After several massive da
Talos
My Little FormBook
blogs_talos·2018-06-20·CVSS 7.8
This blog post is authored by Warren Mercer and Paul Rascagneres.
## Summary
Cisco Talos has been tracking a new campaign involving the FormBook malware since May 2018 that uses four different malicious documents in a single phishing email. FormBook is an inexpensive stealer sold as "malware as a service": an attacker purchases a compiled piece of malware built to their desired parameters. This is commonplace with crimeware and stealer-type malware such as FormBook. It is able to record keystrokes, steal passwords (stored locally and in web forms) and take screenshots.
The author put a lot of effort into the infection vector, using multiple malicious documents in a single phishing email. The author also mixed different file formats (PDF and Microsoft Office documen
Securelist
LuckyMouse hits national data center to organize country-level waterholing campaign
blogs_securelist·2018-06-13
Table of Contents
- What happened?
- Who’s behind it?
- How did the malware spread?
- What did the malware do in the data center?
- What does the resulting watering hole look like?
- Conclusions
- Some indicators of compromise
Authors
- Denis Legezo
## What happened?
In March 2018 we detected an ongoing campaign targeting a national data center in Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant: it meant the attackers gained access to a wide range of government resources in one fell swoop. We believe this access was abused, for example, by inserting malicious scripts into the country’s official websites in order to conduct watering hole attacks.
The operators used the HyperBro Trojan as their last-stage in-memory
Fortinet
Non-Russian Matryoshka: Russian Service Centers Under Attack
blogs_fortinet·2018-06-07
By Artem Semenchenko, Evgeny Ananin, and Yueh Ting Chen | June 07, 2018
With the help of FortiGuard’s in-house Threat Intelligence Platform (Kadena), FortiGuard Labs discovered a series of attacks targeted at service centers in Russia. These service centers provide maintenance and support for a variety of electronic goods.
A distinctive feature of these attacks is their multi-staging. These attacks use forged emails, malicious Office documents with exploits for a vulnerability that is 17 years old, and a commercial version of a RAT that is tucked into five different layers of protective packers.
In this article we will overview every stage of these attacks. In addition, we will try to find any
Securelist
IT threat evolution Q1 2018. Statistics
blogs_securelist·2018-05-14
Table of Contents
- Q1 figures
- Mobile threats
- Vulnerable apps used by cybercriminals
- Malicious programs online (attacks via web resources)
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
- Oleg Kupreev
## Q1 figures
According to KSN:
- Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
- 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
- Ransomware attacks were registered on the computers of 179,934 unique users.
- Our File Anti-Virus logged 187,597,494 unique malicious and potentially
Fortinet
New Remcos RAT Variant is Spreading by Exploiting CVE-2017-11882
blogs_fortinet·2018-05-04·CVSS 7.8
By Xiaopeng Zhang | May 04, 2018
Several days ago, FortiGuard Labs captured a malware sample that exploits the Microsoft Office vulnerability CVE-2017-11882, patched by Microsoft last November. The sample is an RTF document with an embedded Equation object. By analyzing its behavior in my test environment, I realized that it spreads a new variant of the Remcos RAT, version “2.0.4 Pro,” which was released from its official website on April 7, 2018. It is able to control the victim’s PC after infection.
In this blog, I am not going to explain the causes of the vulnerability CVE-2017-11882, but how the sample works to spread this new Remcos RAT, as well as what this variant does on a victim’s PC.
Explo
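The Equation object that this sample embeds in an RTF file is what a defender wants to find before the document reaches Office. The scanner below is an added example written for this page, not Fortinet's tooling or any vendor's signature: it looks for the `\objclass Equation.3` control word and, more robustly, hex-decodes each `\objdata` group and searches it for the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as it is serialized in OLE (Data1 to Data3 little-endian). The three RTF strings in the block are constructed inputs, not samples from the campaign, and the decoder's skipping of interleaved control words is a design choice of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#include <stddef.h>

#define HIT_OBJCLASS 1   /* "\objclass Equation.3" seen in the RTF text   */
#define HIT_CLSID    2   /* Equation Editor CLSID seen in decoded \objdata */

/* Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as it
 * is serialized inside an OLE object: Data1..3 little-endian, Data4 as-is. */
static const uint8_t EQ3_CLSID[16] = {
    0x02,0xCE,0x02,0x00, 0x00,0x00, 0x00,0x00,
    0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 };

/* Portable memmem(): first occurrence of n[0..nl) in h[0..hl), or NULL. */
static const uint8_t *find_bytes(const uint8_t *h, size_t hl, const uint8_t *n, size_t nl)
{
    if (nl == 0 || hl < nl) return NULL;
    for (size_t i = 0; i + nl <= hl; i++)
        if (memcmp(h + i, n, nl) == 0) return h + i;
    return NULL;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the hex text of one \objdata group, from 'p' up to the group's
 * closing brace. Whitespace is ignored, and so are interleaved control
 * words (\foo), which lures insert to defeat decoders expecting a clean
 * hex run. Returns the number of bytes written to 'out' (capped at 'cap'). */
size_t rtf_objdata_decode(const char *p, const char *end, uint8_t *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;                               /* pending high nibble */
    while (p < end && *p != '}') {
        if (*p == '\\') {                      /* skip a control word */
            p++;
            while (p < end && isalnum((unsigned char)*p)) p++;
            continue;
        }
        int v = hexval((unsigned char)*p++);
        if (v < 0) continue;                   /* whitespace or junk */
        if (hi < 0) { hi = v; continue; }
        if (n < cap) out[n++] = (uint8_t)((hi << 4) | v);
        hi = -1;
    }
    return n;
}

/* Scan an RTF buffer; returns a bitmask of HIT_OBJCLASS / HIT_CLSID. */
int rtf_scan_equation_object(const char *rtf, size_t len)
{
    static const char objclass_sig[] = "\\objclass Equation.3";
    static const char objdata_sig[]  = "\\objdata";
    const char *end = rtf + len;
    const char *p = rtf;
    int hits = 0;
    uint8_t decoded[4096];                     /* enough for the OLE header + CLSID */

    if (find_bytes((const uint8_t *)rtf, len,
                   (const uint8_t *)objclass_sig, strlen(objclass_sig)))
        hits |= HIT_OBJCLASS;

    while (p < end) {                          /* every \objdata group in the file */
        const uint8_t *q = find_bytes((const uint8_t *)p, (size_t)(end - p),
                                      (const uint8_t *)objdata_sig, strlen(objdata_sig));
        if (q == NULL) break;
        p = (const char *)q + strlen(objdata_sig);
        size_t n = rtf_objdata_decode(p, end, decoded, sizeof decoded);
        if (find_bytes(decoded, n, EQ3_CLSID, sizeof EQ3_CLSID)) { hits |= HIT_CLSID; break; }
    }
    return hits;
}

/* Constructed samples (not real malware). The bytes before the CLSID are
 * filler standing in for the OLE header; the "\par" inside the hex run
 * mimics the control-word obfuscation seen in lures. */
const char SAMPLE_RTF[] =
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    "{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e33\n"
    "\\par 02ce0200 00000000 c0000000 00000046 0000}}}";
const char OBJDATA_ONLY_RTF[] =                /* objclass omitted, CLSID still there */
    "{\\rtf1{\\object\\objemb{\\*\\objdata 0105 000002ce 020000000000c000000000000046}}}";
const char BENIGN_RTF[] = "{\\rtf1\\ansi Quarterly report\\par}";

int main(void)
{
    printf("sample:       %d\n", rtf_scan_equation_object(SAMPLE_RTF, strlen(SAMPLE_RTF)));
    printf("objdata only: %d\n", rtf_scan_equation_object(OBJDATA_ONLY_RTF, strlen(OBJDATA_ONLY_RTF)));
    printf("benign:       %d\n", rtf_scan_equation_object(BENIGN_RTF, strlen(BENIGN_RTF)));
    return 0;
}
```

A hit means the document carries an Equation Editor object, not that it is malicious; a genuine equation produces the same match, so treat a hit as a reason to sandbox or block the file rather than as a verdict. Expect lures to omit `\objclass` entirely, which is why the check on the decoded `\objdata` bytes is the one to rely on.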
Zscaler
Malspam Campaigns Use Malicious RTF Documents | Zscaler Blog
blogs_zscaler·2018-04-26·CVSS 7.8
Securelist
APT Trends report Q1 2018
blogs_securelist·2018-04-12
Authors
- GReAT
In the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018.
These summaries serve as a representative snapshot of what has been discussed in greater detail in our private reports, in order to highlight the significant events and findings that we feel people should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information on
Talos
Fake AV Investigation Unearths KevDroid, New Android Malware
blogs_talos·2018-04-02·CVSS 4.9
This blog post is authored by Warren Mercer, Paul Rascagneres, Vitor Ventura and with contributions from Jungsoo An.
## Summary
Several days ago, EST Security published a post concerning fake antivirus malware targeting the Android mobile platform. The Korean media mentioned that there could be a link between this Android malware and Group 123. Talos decided to investigate this malware, and thanks to our reporting on and history of following Group 123, we discovered some interesting elements.
Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim's phone calls. One variant uses a known Android exploit
Trendmicro
ChessMaster Adds Updated Tools to Its Arsenal
blogs_trendmicro·2018-03-29·CVSS 7.8
APT & Targeted Attacks
In this blog post, we analyze ChessMaster's current status, including the updated tools in its arsenal — with a particular focus on the evolution of ANEL and how it is used in the campaign.
By: Tamada Kiyotaka, MingYen Hsieh | Mar 29, 2018
Trend Micro discovered the ChessMaster campaign back in July 2017 as part of our monitoring efforts to protect our customers. At the time, we found ChessMaster targeting different sectors, from academia to media and government agencies in Japan. The threat group used a variety of attack tools and techniques to spy on their target organizations.
Back then, we noted that ChessMaster's sophisticated nature implied that the campaign could evolve
Fortinet
FortiGuard Labs Discovers Multiple Use-After-Free Vulnerabilities in Microsoft Word
blogs_fortinet·2018-03-22·CVSS 7.8
By Wayne Chin Yick Low | March 22, 2018
During the last few months, FortiGuard Labs discovered and reported multiple use-after-free (UAF) vulnerabilities in different versions of Microsoft Word. These vulnerabilities were patched in the January and March security updates, respectively. The patches are rated critical/important, and as always, we urge users to update Microsoft Office as soon as possible.
Use-after-free refers to a vulnerability that allows an attacker to access memory after it has been freed, which can cause a program to crash, allow the execution of arbitrary code, or even enable full remote code execution. Following are some details of the UAF vuln
Trendmicro
Tropic Trooper’s New Strategy
blogs_trendmicro·2018-03-14·CVSS 7.8
APT & Targeted Attacks
Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong targets. Many of the tools they use now feature new behaviors, including a change in the way they maintain a foothold in the targeted network.
By: Jaromir Horejsi, Joey Chen, Joseph C Chen | 2018/03/14
Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries. Its operators are believed to be very organized and develop their own cyberespionage tools that they fine-tuned in their recent campaigns. Many of the tools they use now feature new behaviors, including a
Unit42
Dissecting Hancitor’s Latest 2018 Packer
blogs_unit42·2018-02-27·CVSS 7.8
Jeff White
Published: February 27, 2018
Tags: Cybercrime, Malware, Threat Research, Hancitor
Summary
Over the past two years, the Hancitor malware family has been a fairly regular nuisance that defenders on the front line of organizations have to deal with on an almost weekly basis. The malware itself has gone through more than 80 variations during this time, sometimes just to define new variables for campaigns and other times a complete rewrite of the malware’s core functionality by the code authors. Every now and then, though, they venture out into the unknown with techniques unlike what Hancitor has used before. These occasions tend to be short-lived and I look at them more as “testing” phases. I suspect the malware authors monitor their infection rates and when they deviate from the tried and true, campaigns end up being less successful. For those interested in an overview of
Trendmicro
Deciphering Confucius’ Cyberespionage Operations
blogs_trendmicro·2018-02-13
APT & Targeted Attacks
Online romance scams are not uncommon; many catfishers toy with and manipulate victims’ emotions to cash in on their bank accounts. However, it is unusual to see this used as a vector for cyberespionage.
By: Daniel Lunghi, Jaromir Horejsi | Feb 13, 2018
In today’s online chat and dating scene, romance scams are not uncommon, what with catfishers and West African cybercriminals potently toying with their victims’ emotions to cash in on their bank accounts. It’s quite odd (and probably underreported), however, to see it used as a vector for cyberespionage.
We stumbled upon the Confucius hacking group while delving into Patchwork’s cyberespionage operations, and found a number of similarities.
Trendmicro
Attack Using Windows Installer Leads to LokiBot
blogs_trendmicro·2018-02-08·CVSS 7.8
Cyber Threats
Recently, we discovered CVE-2017-11882 being exploited again in an attack that uses an uncommon method of installation—via the Windows Installer service in Microsoft Windows operating systems.
By: Martin Co, Gilbert Sison | 2018/02/08
Back in November 2017, Microsoft patched CVE-2017-11882, a remote code execution vulnerability that affected Microsoft Office. However, this didn’t prevent cybercrime groups such as Cobalt from exploiting this vulnerability in order to deliver a variety of malware, including FAREIT, Ursnif, and a cracked version of the Loki infostealer, a keylogger that was primarily advertised as capable of stealing passwords and cryptocurrency wallets.
Recently, we discove
Unit42
Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802
blogs_unit42·2018-01-19·CVSS 7.8
Gal De Leon
Maor Dokhanian
Published: January 19, 2018
Tags: Malware, Threat Research, Vulnerabilities, CVE-2018-0802, Equation Editor, Microsoft
Last November, Microsoft manually patched a remotely exploitable vulnerability (CVE-2017-11882) in Equation Editor, a program that lets you write a mathematical equation into a document. Our Unit 42 research team provided a detailed analysis of this vulnerability here.
Since then, Microsoft has received additional reports from multiple security vendors that turned out to be related to another vulnerability that was successfully exploited after applying Microsoft’s update. Microsoft assigned it CVE-2018-0802 and released a fix for it in the January 2018 monthly security updates.
The vulnerability is a stack overflow bug when parsing the long font name string in a FONT record, just like CVE-2017-11882. It can be used by attackers to execute code in the security context of the
Checkpoint
Many Formulas, One Calc – Exploiting a New Office Equation Vulnerability
blogs_checkpoint·2018-01-09·CVSS 7.8
CVE-2017-11882 [HIGH] Many Formulas, One Calc – Exploiting a New Office Equation Vulnerability
## Many Formulas, One Calc – Exploiting a New Office Equation Vulnerability
Research By: Omer Gull and Netanel Ben Simon
Background
A few weeks ago, a vulnerability in the Office Equation 3
Trendmicro
CVE-2017-11882 Exploited to Deliver a Loki Infostealer
blogs_trendmicro·2017-12-20·CVSS 7.8
CVE-2017-11882 [HIGH] CVE-2017-11882 Exploited to Deliver a Loki Infostealer
Exploits & Vulnerabilities
## CVE-2017-11882 Exploited to Deliver a Loki Infostealer
The Cobalt hacking group was one of the first to actively exploit CVE-2017-11882 in their cybercriminal campaigns. We uncovered several others following suit in early December, delivering a plethora of threats.
By: Rubio Wu, Anita Hsieh, Marshall Chen, 2017/12/20
Additional analysis and insights from Fyodor Yarochkin and Joseph C. Chen
The Cobalt hacking group was one of the first to promptly and actively exploit CVE-2017-11882 (patched last November) in their cybercriminal campaigns. We uncovered several others following suit in early December, delivering a plethora of threats that included Pony/FAREIT, FormBook, ZBOT, and Ursnif. Another stood out to us: a recen
Zscaler
Microsoft Vulnerability Leads to RAT & Phishing Site | Blog
blogs_zscaler·2017-12-20·CVSS 7.8
[HIGH] Microsoft Vulnerability Leads to RAT & Phishing Site | Blog
Unit42
Analysis of CVE-2017-11882 Exploit in the Wild
blogs_unit42·2017-12-08·CVSS 7.8
CVE-2017-11882 [HIGH] Analysis of CVE-2017-11882 Exploit in the Wild
## Analysis of CVE-2017-11882 Exploit in the Wild
Yanhui Jia
Published: December 8, 2017
Recently, Palo Alto Networks Unit 42 vulnerability researchers captured multiple instances of traffic in the wild exploiting CVE-2017-11882, patched by Microsoft on November 14, 2017 as part of the monthly security update process. Exploits for this vulnerability have been released for Metasploit, and multiple security researchers have published articles on specific attacks taking advantage of this vulnerability. In this article, we describe the vulnerability and discuss mechanisms for exploiting it.
About CVE-2017-11882:
Microsoft Equation Editor, which is a Microsoft Office component, contains a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The component was compiled on November 9, 2000, over 17 years ago. Without any further recompilati
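The two Unit 42 excerpts above name the bug class (a stack buffer overflow while parsing the long font name string in a FONT record, in a component compiled in 2000 and never recompiled) but do not show how the copy goes wrong. The following is an added example, not code from Unit 42, Check Point or Microsoft: it models a FONT record's NUL-terminated name being copied into a fixed-size stack buffer the way a pre-stack-cookie parser would do it, beside a bounds-checked version and the same length rule applied as a scanner-side check on the record at rest. The record layout (tag, typeface, style, NUL-terminated name), the tag value 0x08 and the 36-byte buffer are assumptions for illustration, not EQNEDT32.EXE's real structures.

```c
/* Added example, not code from Unit 42, Check Point or Microsoft: a minimal
 * model of the bug class behind CVE-2017-11882 and CVE-2018-0802, a FONT
 * record's NUL-terminated name copied into a fixed-size stack buffer. The
 * record layout, tag byte and 36-byte buffer are illustrative assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FONT_NAME_BUF 36    /* assumed size of the parser's local name buffer */
#define MTEF_FONT_TAG 0x08  /* assumed tag byte for a FONT record */
#define NAME_OFF      3     /* assumed layout: [tag][tface][style][name...][0x00] */

/* Vulnerable shape: copy until the terminator, never against the buffer size.
 * The length is chosen by whoever wrote the document, so a long name runs past
 * name[] into the saved return address. Contrast only: trusted input only. */
static int copy_font_name_unsafe(const uint8_t *rec, size_t len)
{
    char name[FONT_NAME_BUF];
    size_t i = 0;
    if (len <= NAME_OFF || rec[0] != MTEF_FONT_TAG) return -1;
    while (NAME_OFF + i < len && rec[NAME_OFF + i] != 0) {
        name[i] = (char)rec[NAME_OFF + i];   /* no check against FONT_NAME_BUF */
        i++;
    }
    name[i] = '\0';
    return (int)i;
}

/* Hardened shape: the name must terminate inside both the record and the
 * destination buffer; anything else is rejected as malformed. */
static int copy_font_name_safe(const uint8_t *rec, size_t len,
                               char *out, size_t outlen)
{
    size_t i = 0;
    if (len <= NAME_OFF || rec[0] != MTEF_FONT_TAG || outlen == 0) return -1;
    for (;;) {
        if (NAME_OFF + i >= len) return -1;  /* unterminated: ran off the record */
        if (rec[NAME_OFF + i] == 0) break;   /* terminator found */
        if (i + 1 >= outlen) return -1;      /* would overflow out[]: reject */
        out[i] = (char)rec[NAME_OFF + i];
        i++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Scanner-side check: the same rule applied to a record at rest, before it reaches Office. */
static int font_record_is_suspicious(const uint8_t *rec, size_t len)
{
    char tmp[FONT_NAME_BUF];
    if (len <= NAME_OFF || rec[0] != MTEF_FONT_TAG) return 0;  /* not a FONT record */
    return copy_font_name_safe(rec, len, tmp, sizeof tmp) < 0;
}

/* Builds a FONT record carrying 'name' into dst and returns its length. */
static size_t make_font_record(uint8_t *dst, size_t dstlen, const char *name)
{
    size_t n = strlen(name);
    if (dstlen < NAME_OFF + n + 1) return 0;
    dst[0] = MTEF_FONT_TAG; dst[1] = 1; dst[2] = 0;  /* typeface 1, style 0 */
    memcpy(dst + NAME_OFF, name, n + 1);
    return NAME_OFF + n + 1;
}

/* Constructed samples: "Arial" (hostile == 0) or a 63-byte name that overruns the buffer. */
static size_t sample_record(int hostile, uint8_t *dst, size_t dstlen)
{
    char longname[64];
    if (!hostile) return make_font_record(dst, dstlen, "Arial");
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return make_font_record(dst, dstlen, longname);
}

int parse_sample(int hostile)       /* hardened parser: name length or -1 */
{
    uint8_t rec[80]; char out[FONT_NAME_BUF];
    size_t n = sample_record(hostile, rec, sizeof rec);
    return copy_font_name_safe(rec, n, out, sizeof out);
}

int sample_suspicious(int hostile)  /* scanner verdict: 1 = flag the document */
{
    uint8_t rec[80];
    size_t n = sample_record(hostile, rec, sizeof rec);
    return font_record_is_suspicious(rec, n);
}

int main(void)
{
    uint8_t rec[80];
    size_t n = sample_record(0, rec, sizeof rec);   /* the unbounded copy gets benign input only */
    printf("benign : safe=%d unsafe=%d suspicious=%d\n",
           parse_sample(0), copy_font_name_unsafe(rec, n), sample_suspicious(0));
    printf("hostile: safe=%d suspicious=%d (unbounded copy deliberately not run)\n",
           parse_sample(1), sample_suspicious(1));
    return 0;
}
```

Build with any C99 compiler and run it. The hostile record is only ever handed to the hardened parser and the scanner check; feeding it to the unbounded copy is undefined behaviour, and in a binary built before stack cookies and ASLR were in use that undefined behaviour is precisely what lets an attacker overwrite the saved return address with a value of their choosing. The scanner check is the piece worth reusing: a FONT record whose name does not terminate within the parser's buffer has no legitimate reason to exist and can be rejected before Equation Editor is ever launched.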
Fortinet
A Deep Dive Analysis of the FALLCHILL Remote Administration Tool
blogs_fortinet·2017-11-28
A Deep Dive Analysis of the FALLCHILL Remote Administration Tool
FORTIGUARD LABS THREAT RESEARCH
A Deep Dive Analysis of the FALLCHILL Remote Administration Tool
By Minh Tran | November 28, 2017
Advanced Persistent Threat (APT) groups pose a great threat to global security. Over the years, many threat groups have emerged but none have attracted more attention than North Korean groups due to the ongoing nature of the conflict between North Korea and the west. That, together with the great damage done so far by this threat group (most well-known are the infamous Sony attacks and the related Operation Blockbuster), has prompted significant institutional interest. The U.S. Government in particular refers to the malicious threat actor connected to the North Korean government as HIDDEN COBRA. US-CERT recently published several alerts [1] [2] detailing the a
Fortinet
Cobalt Malware Strikes Using CVE-2017-11882 RTF Vulnerability
blogs_fortinet·2017-11-27·CVSS 7.8
CVE-2017-11882 [HIGH] Cobalt Malware Strikes Using CVE-2017-11882 RTF Vulnerability
FORTIGUARD LABS THREAT RESEARCH
Cobalt Malware Strikes Using CVE-2017-11882 RTF Vulnerability
By Jasper Manual and Joie Salvio | November 27, 2017
Only a few days after FortiGuard Labs published an article about a spam campaign exploiting an RTF document, our Kadena Threat Intelligence System (KTIS) has found another spam campaign using an even more recent document vulnerability, CVE-2017-11882. Although the vulnerability has existed for 17 years, according to a report by SecurityWeek, it was only disclosed and patched by Microsoft in the second week of this month.
And as we have repeatedly seen, not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver malware using a component from a well-known penetration testing tool, Cobalt Strike.
Fortinet
CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document
blogs_fortinet·2017-11-22·CVSS 7.8
CVE-2017-11826 [HIGH] CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document
FORTIGUARD LABS THREAT RESEARCH
CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document
By Jasper Manuel, Joie Salvio and Wayne Low | November 22, 2017
Recently, FortiGuard Labs found an interesting malware campaign using the recently documented vulnerability CVE-2017-11826 that was patched by Microsoft in October of this year. A detailed analysis of this exploit is also included in this article.
Based on the context of the campaign used to lure victims, as well as how the payload malware behaves, we had a hunch that this was not a common cybercrime campaign and was even possibly a targeted attack on specific institutions or locales. For this reason, we decided to look deeper.
As is common with this type of attack, the command-and-control (C2) server for this campaign
Qualys
November Patch Tuesday: 53 Vulnerabilities and a Massive Adobe Update
blogs_qualys·2017-11-14·CVSS 7.5
[HIGH] November Patch Tuesday: 53 Vulnerabilities and a Massive Adobe Update
This November Patch Tuesday is moderate in volume and severity. Microsoft released patches to address 53 unique vulnerabilities, with 25 focused on Remote Code Execution fixes. Windows OS receives 14 patches, while the lion’s share is focused on Browsers, Microsoft Office, and Adobe. According to Microsoft, there do not appear to be any actively attacked vulnerabilities in the wild in this patch release.
Interestingly enough, none of the Windows OS patches are listed as Critical this month, but we do recommend focusing on CVE-2017-11830 and CVE-2017-11847, as they address a Security Feature Bypass and a Privilege Elevation respectively.
It should also be noted that CVE-2017-11848, CVE-2017-11827, CVE-2017-11883, CVE-2017-8700 have public exploits, but they do not appear to be used i
Talos
Microsoft Patch Tuesday - November 2017
blogs_talos·2017-11-14·CVSS 7.5
CVE-2017-16367 [HIGH] Microsoft Patch Tuesday - November 2017
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.
In addition, an update for Adobe Reader was released which addresses CVE-2017-16367 / TALOS-2017-0356 - Adobe Acrobat Reader DC PDF Structured Hierarchy ActualText Structure Element Code Execution Vulnerability which was discovered by Aleksandar Nikolic of Cisco Talos. This vulnerability manifests as a type confusion vulnerability in the PDF parsing functionality for documents containing marked stru
Fortinet
A 14-day Journey through Embedded Open Type Font Fuzzing
blogs_fortinet·2017-10-19·CVSS 8.8
[HIGH] A 14-day Journey through Embedded Open Type Font Fuzzing
FORTIGUARD LABS THREAT RESEARCH
A 14-day Journey through Embedded Open Type Font Fuzzing
By Wayne Chin Yick Low | October 19, 2017
Introduction
One of our daily routines as researchers here at FortiGuard Labs is to write and maintain our internal fuzzers to help us more effectively find potential vulnerabilities on different software products. We have a range of such tools, from highly sophisticated algorithms to some dumb fuzzers that run 24/7 to find potential issues on Microsoft Office suites. Even those give us surprises from time to time, even though they are not cutting edge fuzzers. In this blog post we would like to share how we discovered multiple Embedded Open Type (EOT) font vulnerabilities by using a combination of dumb and intelligent open source fuzzers.
Background
EOT fo
Fortinet
PDF Phishing Leads to Nanocore RAT, Targets French Nationals
blogs_fortinet·2017-10-12
PDF Phishing Leads to Nanocore RAT, Targets French Nationals
FORTIGUARD LABS THREAT RESEARCH
PDF Phishing Leads to Nanocore RAT, Targets French Nationals
By Joie Salvio and Rommel Joven | October 12, 2017
Malware developers use a variety of distribution methods in order to confuse users and evade certain AV solutions. Recently, FortiGuard Labs found a phishing campaign targeting French Nationals. In this campaign, a PDF file with an embedded javascript is used to download the payload from a Google Drive shared link. As it turns out, the downloaded file is an HTA (HTML Application) file, a format that is becoming more and more common as a malware launch point. It is usually used as a downloader for the actual binary payload. However in this campaign, the binary payload, which was later found to be a NanoCore RAT client, is actually embedded in the
Fortinet
Deep Analysis of New Poison Ivy/PlugX Variant - Part II
blogs_fortinet·2017-09-15
Deep Analysis of New Poison Ivy/PlugX Variant - Part II
FORTIGUARD LABS THREAT RESEARCH
Deep Analysis of New Poison Ivy/PlugX Variant - Part II
By Xiaopeng Zhang | September 15, 2017
Background
This is the second part of the FortiGuard Labs analysis of the new Poison Ivy variant, or PlugX, which was an integrated part of Poison Ivy’s code. In the first part of this analysis we introduced how this malware was installed onto victim’s systems, the techniques it used to perform anti-analysis, how it obtained the C&C server’s IP&Port from the PasteBin website, and how it communicated with its C&C server.
What we didn’t talk much about in that first blog was the control-commands that are used by this malware, partly because only a few of those commands were used during our analysis. However, as you may know, RAT malware usually has many control-co
Fortinet
Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
blogs_fortinet·2017-09-05·CVSS 8.8
CVE-2012-0158 [HIGH] Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
FORTIGUARD LABS THREAT RESEARCH
Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
By Jasper Manuel and Artem Semenchenko | September 05, 2017
Recently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158. To evade suspicion from the victim, these RTF files drop decoy documents containing politically themed texts about a variety of Vietnamese government-related information. It was believed in a recent report that the hacking campaign where these documents were used was led by the Chinese hacking group 1937CN. The link to the group was found through malicious domains used as command and control servers by the attacker. In this blog, we will delve into the malware used in this campaign and will try to provide more clues as to
Fortinet
Locky Strikes Another Blow, Diablo6 Variant Starts Spreading Through Spam
blogs_fortinet·2017-08-14
Locky Strikes Another Blow, Diablo6 Variant Starts Spreading Through Spam
FORTIGUARD LABS THREAT RESEARCH
Locky Strikes Another Blow, Diablo6 Variant Starts Spreading Through Spam
By Floser Bacurio, Joie Salvio and Rommel Joven | August 14, 2017
Locky ransomware was first discovered in the first quarter of last year, and immediately became one of the major menaces of 2016, primarily affecting the United States.
Its effective spam delivery mechanism, combined with the constant release of variants with new evasion techniques, helped a lot with its success in the tightly packed ransomware competition. There were so many releases that there even came a point when they created some confusion regarding naming the new variants. The FortiGuard Lion Team discussed an extensive analysis of Locky’s evolution in Locky Strike: Smoking the Locky Ransomware Code, which was
Fortinet
FortiGuard Labs Discovers Multiple Vulnerabilities in Microsoft Word
blogs_fortinet·2017-03-21·CVSS 7.8
[HIGH] FortiGuard Labs Discovers Multiple Vulnerabilities in Microsoft Word
FORTIGUARD LABS THREAT RESEARCH
FortiGuard Labs Discovers Multiple Vulnerabilities in Microsoft Word
By Tony Loi and Wayne Chin Yick Low | March 21, 2017
Over the last few months FortiGuard Labs discovered and reported multiple vulnerabilities found in different versions of Microsoft Word. These vulnerabilities were patched in the January (MS17-002) and March (MS17-014) security updates. These patches are rated as important, and as always, we suggest users update Microsoft Office as soon as possible.
Following are some details of these vulnerabilities:
CVE-2017-0003 (Affects MS Word 2016)
This is a memory corruption vulnerability that occurs due to a miscalculation of the size of the object in heap. Later, this miscalculated size is passed to other functions, which then write more con
Fortinet
Cloud is the New Normal: The Challenge of Securing Workloads in the Cloud – Are You Ready?
blogs_fortinet·2017-02-07
Cloud is the New Normal: The Challenge of Securing Workloads in the Cloud – Are You Ready?
INDUSTRY TRENDS & INSIGHTS
Cloud is the New Normal: The Challenge of Securing Workloads in the Cloud – Are You Ready?
By Katrina Fox | February 07, 2017
Microsoft Ignite – Australia – Gold Coast Convention and Exhibition
February 14-17th,
Pod Number: 49
Is cloud the new normal for your enterprise?
Are you moving more and more applications into the cloud?
Have you asked yourself how you are securing your data in this new world of cloud?
Scalability and flexibility are the key drivers of Cloud networking and computing. With more and more business transitioning to public cloud environments, the cloud is becoming an increasingly attractive target for hackers due to the sheer amount of data being stored in public clouds.
As a result, the number one concern for many organisations is how to
Fortinet
Information-stealing Malware Is Spread Via Word Document
blogs_fortinet·2016-10-24
Information-stealing Malware Is Spread Via Word Document
FORTIGUARD LABS THREAT RESEARCH
Information-stealing Malware Is Spread Via Word Document
By Xiaopeng Zhang | October 24, 2016
Recently we received a SPAM with an attachment, which is a password-protected Word document. Its MD5 is 6619356e9e0c9d2445bf777a8bea5d6a, which is detected as “WM/Agent.60F9!tr” by the Fortinet AntiVirus service. When the document is opened, the attached malicious VB script code is executed and additional malware is created and executed.
Based on our analysis, this is information-stealing malware. In this blog, we’ll show you how the malware works, what information is stolen from a victim’s system, and how the stolen data is sent to attacker.
The SPAM
Figure 1, below, is a screenshot of the SPAM email we received. The message looks like a transaction notificati
Recorded Future
RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
blogs_recorded_future
RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
# RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
Scope Note: Recorded Future analyzed new malware targeting the Tibetan community. This report includes a detailed analysis of the malware itself and associated infrastructure. Sources include Recorded Future’s platform, VirusTotal, ReversingLabs, and third-party metadata, as well as common OSINT and network metadata enrichments, such as DomainTools Iris and PassiveTotal, and researcher collaboration. The impetus of this research is twofold: to provide indicators to leverage for protection for likely victims and to raise awareness of a possible shift in adversary TTPs.
### Executive Summary
Recorded Future’s Insikt Group has identified two new cyberespionage campa
Huntress
CVE-2017-11882 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 7.8
CVE-2017-11882 [HIGH] CVE-2017-11882 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2017-11882 Vulnerability
Published: 11/21/2025
Written by: Lizzie Danielson
## What is CVE-2017-11882 vulnerability?
CVE-2017-11882 is a remote code execution (RCE) vulnerability in Microsoft Office’s Equation Editor, a legacy component meant for mathematical equation editing. The flaw exists due to memory corruption caused by improper handling of objects in memory when processing malformed input. Exploiting this vulnerability enables attackers to execute arbitrary code, typically by encouraging users to open malicious Office documents, potentially compromising system integrity and confidentiality.
## When was it discovered?
CVE-2017-11882 was first publicly disclosed in November 2017 by Microsoft with credit given to various unnamed researchers. A patch was released the same
Recorded Future
Top Exploited Vulnerabilities in 2020 Affect Citrix, Microsoft Products
blogs_recorded_future
Top Exploited Vulnerabilities in 2020 Affect Citrix, Microsoft Products
## Top Exploited Vulnerabilities in 2020 Affect Citrix, Microsoft Products
This analysis focuses on ransomware, exploit kit, phishing attack, or remote access trojan co-occurrences with vulnerabilities from January 1 to December 31, 2020. We analyzed thousands of sources, including code repositories, underground forum postings, and dark web sites. This is a follow-up to our 2019 report , and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments.
## Executive Summary
This report highlights the top, most weaponized vulnerabilities in 2020 based on exploitation across all industries and associations with multiple types of malware. For the first time since this report’s inception in 2015, no vulnerabilities in Adobe pro
Threat Intel
RAZOR TIGER
threat_intel·CVSS 7.8
CVE-2017-11882 [HIGH] RAZOR TIGER
# Threat Actor: RAZOR TIGER
Suspected state sponsor: India
Known victims (countries): China, Pakistan, Nepal, Afghanistan
Target sectors: Government, Military, Private Sector
## Description
An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.
## Associated Malware Families (3)
apk.sidewinder, win.unidentified_093, win.sidewinder
Threat Intel
Cobalt Group (Cobalt Group, GOLD KINGSWOOD, Cobalt Gang)
threat_intel
Cobalt Group (Cobalt Group, GOLD KINGSWOOD, Cobalt Gang)
# Threat Actor Profile: Cobalt Group
ATT&CK ID: G0080
Also known as: Cobalt Group, GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
## Overview
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation
Threat Intel
Confucius (Confucius, Confucius APT)
threat_intel·CVSS 7.8
[HIGH] Confucius (Confucius, Confucius APT)
# Threat Actor Profile: Confucius
ATT&CK ID: G0142
Also known as: Confucius, Confucius APT
## Overview
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)
## Techniques (TTPs)
### Resource Development
- T1583.006 Web Services
Usage: Confucius has obtained cloud storage service accounts to host stolen data.(Citation: TrendMicro Confucius APT Feb 2018)
### Initial Access
- T156
Threat Intel
APT41 (APT41, Wicked Panda, Brass Typhoon)
threat_intel
APT41 (APT41, Wicked Panda, Brass Typhoon)
# Threat Actor Profile: APT41
ATT&CK ID: G0096
Also known as: APT41, Wicked Panda, Brass Typhoon, BARIUM
Suspected origin: China
## Overview
APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 202
Threat Intel
Leviathan (Leviathan, MUDCARP, Kryptonite Panda)
threat_intel
Leviathan (Leviathan, MUDCARP, Kryptonite Panda)
# Threat Actor Profile: Leviathan
ATT&CK ID: G0065
Also known as: Leviathan, MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon
Suspected origin: China
## Overview
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proo
Threat Intel
APT32 (APT32, SeaLotus, OceanLotus)
threat_intel
APT32 (APT32, SeaLotus, OceanLotus)
# Threat Actor Profile: APT32
ATT&CK ID: G0050
Also known as: APT32, SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH
Suspected origin: Vietnam
## Overview
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)
## Techniques (TTPs)
### Reconnaissance
- T1598.003 Spearphishing Link
Usage: APT32 has used malicious links to direct users to web pages designed to
Recorded Future
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
blogs_recorded_future·CVSS 9.8
[CRITICAL] Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
# Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group TA413. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. This report will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as humanitarian and other organizations concerned with Tibetan interests. With thanks to our colleagues at Sophos for early sharing and collaboration.
Threat Intel
BITTER (BITTER, T-APT-17)
threat_intel·CVSS 8.8
[HIGH] BITTER (BITTER, T-APT-17)
# Threat Actor Profile: BITTER
ATT&CK ID: G1002
Also known as: BITTER, T-APT-17
Suspected origin: China
## Overview
BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: BITTER has obtained tools such as PuTTY for use in their operations.(Citation: Forcepoint BITTER Pakistan Oct 2016)
- T1608.001 Upload Malware
Usage: BITTER has registered domains to stage payloads.(Citation: Forcepoint BITTER Pakistan Oct 2016)
- T1583.001 Domains
Usage: BITTER has regis
Recorded Future
Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018 | Recorded Future
blogs_recorded_future
Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018 | Recorded Future
## Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
This analysis focuses on an exploit kit, phishing attack, or remote access trojan co-occurrence with a vulnerability from January 1, 2018 to December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report, and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments.
## Executive Summary
Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which vulnerabilities are actively exploited by cybercriminals. Here, we’ll attempt to she
Recorded Future
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques | Recorded Future
blogs_recorded_future
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques | Recorded Future
## Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
_Scope Note: Recorded Future’s Insikt Group analyzed network indicators of compromise and TTPs relating to an intrusion incident targeting a U.K.-based engineering company. Sources include Recorded Future’s product, VirusTotal, ReversingLabs, DomainTools Iris, and PassiveTotal, along with third-party metadata and common OSINT techniques.
This report will be of greatest interest to organizations within the high-tech engineering industries in the U.S., Europe, and Japan, as well as those investigating Chinese state-sponsored cyberespionage._
## Executive Summary
Employees of a U.K.-based engineering company were among the targeted victims of a spearphishing campaign in early July 20
Recorded Future
Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
blogs_recorded_future
Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
# Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
This analysis focuses on an exploit kit, phishing attack, or remote access trojan co-occurrence with a vulnerability from January 1, 2018 to December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report, and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments.
### Executive Summary
Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which vulnerabilities are actively exploited by cybercriminals. Here, we’ll attempt to shed
Crowdstrike
5 Examples of Malspam in the Time of COVID-19
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] 5 Examples of Malspam in the Time of COVID-19
Recorded Future
Capitalizing on Coronavirus Panic, Threat Actors | Recorded Future
blogs_recorded_future
Capitalizing on Coronavirus Panic, Threat Actors | Recorded Future
## Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide
Recorded Future investigated how threat actors are using the global disruptions caused by COVID-19 to further their cyber threat activities. This research is targeted toward those who hope to understand the technical cybersecurity threats that have emerged from the spread of COVID-19.
## Executive Summary
The emergence of coronavirus disease 2019 (COVID-19), the novel coronavirus that originated in late December 2019, has brought with it chaos in many different economic sectors — finance, manufacturing, and healthcare, to name a few. However, it has also originated a new cybersecurity threat, igniting a bevy of COVID-19-themed phishing lures and newly registered COVID-19-related domains. The technical threat su
Recorded Future
Top Exploited Vulnerabilities in 2020 Affect Citrix, Microsoft Products
blogs_recorded_future
Top Exploited Vulnerabilities in 2020 Affect Citrix, Microsoft Products
# Top Exploited Vulnerabilities in 2020 Affect Citrix, Microsoft Products
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, download the report as a PDF.
This analysis focuses on ransomware, exploit kit, phishing attack, or remote access trojan co-occurrences with vulnerabilities from January 1 to December 31, 2020. We analyzed thousands of sources, including code repositories, underground forum postings, and dark web sites. This is a follow-up to our 2019 report, and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments.
### Executive Summary
This report highlights the top, most weaponized vulnerabilities in 2020 based on exploitation across all industries and as
Threat Intel
Sidewinder (Sidewinder, T-APT-04, Rattlesnake)
threat_intel·CVSS 7.8
[HIGH] Sidewinder (Sidewinder, T-APT-04, Rattlesnake)
# Threat Actor Profile: Sidewinder
ATT&CK ID: G0121
Also known as: Sidewinder, T-APT-04, Rattlesnake
Suspected origin: China
## Overview
Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)
## Techniques (TTPs)
### Reconnaissance
- T1598.003 Spearphishing Link
Usage: Sidewinder has sent e-mails with malicious links to credential harvesting websites.(Citation: ATT Sidewinder January 2021)
- T1598.002 Spearphishing Attachment
Usage: Sidewinder has sent e-mails with mali
Crowdstrike
5 Examples of Malspam in the Time of COVID-19
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] 5 Examples of Malspam in the Time of COVID-19
Threat Intel
Saint Bear (Saint Bear, Storm-0587, TA471)
threat_intel·CVSS 7.8
[HIGH] Saint Bear (Saint Bear, Storm-0587, TA471)
# Threat Actor Profile: Saint Bear
ATT&CK ID: G1031
Also known as: Saint Bear, Storm-0587, TA471, UAC-0056, Lorec53
Suspected origin: Russia
## Overview
Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)(Citation: Cadet Blizzard emerges as novel threat actor) Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates thes
Threat Intel
Tropic Trooper (Tropic Trooper, Pirate Panda, KeyBoy)
threat_intel
Tropic Trooper (Tropic Trooper, Pirate Panda, KeyBoy)
# Threat Actor Profile: Tropic Trooper
ATT&CK ID: G0081
Also known as: Tropic Trooper, Pirate Panda, KeyBoy
Suspected origin: China
## Overview
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)
## Techniques (TTPs)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.(Citation: Unit 42 Tropic Trooper Nov 2016)(
Fortinet
FortiGuard Labs Threat Research
blogs_fortinet·CVSS 7.8
[HIGH] FortiGuard Labs Threat Research
FortiGuard Labs Threat Research
THREAT RESEARCH
DPRK-Related Campaigns with LNK and GitHub C2
Analysis of DPRK-linked LNK-based attacks using GitHub as covert C2 infrastructure, detailing multi-stage PowerShell execution, persistence mechanisms, and data exfiltration techniques targeting Windows environments.
By Cara Lin April 02, 2026
THREAT RESEARCH
Cyber Fallout After the Strikes: Signal, Noise, and What Comes Next
Following U.S.-Israeli strikes on Iran, FortiGuard Labs has not yet observed large-scale cyber retaliation. However, we observed that regional cyber activity is rising. Organizations should take action to strengthen cyber hygiene, rotate credentials, and reduce exposure.
By Aamir Lakhani, Carl Windsor, and Derek Manky March 04, 2026
THREAT RESEARCH
U
Threat Intel
Tonto Team (Tonto Team, Earth Akhlut, BRONZE HUNTLEY)
threat_intel·CVSS 7.8
[HIGH] Tonto Team (Tonto Team, Earth Akhlut, BRONZE HUNTLEY)
# Threat Actor Profile: Tonto Team
ATT&CK ID: G0131
Also known as: Tonto Team, Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda
Suspected origin: China
## Overview
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Te
Recorded Future
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
blogs_recorded_future
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
# Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
_Scope Note: Recorded Future’s Insikt Group analyzed network indicators of compromise and TTPs relating to an intrusion incident targeting a U.K.-based engineering company. Sources include Recorded Future’s product, VirusTotal, ReversingLabs, DomainTools Iris, and PassiveTotal, along with third-party metadata and common OSINT techniques.
This report will be of greatest interest to organizations within the high-tech engineering industries in the U.S., Europe, and Japan, as well as those investigating Chinese state-sponsored cyberespionage._
### Executive Summary
Employees of a U.K.-based engineering company were among the targete
Zscaler
CISO Monthly Roundup, November/December 2023: ThreatLabz 2023 State of Encrypted Attacks report, DarkGate activity, Agent Tesla attacks, holiday threat trends, 2023 year-in-review, and 2024 prediction
blogs_zscaler
CISO Monthly Roundup, November/December 2023: ThreatLabz 2023 State of Encrypted Attacks report, DarkGate activity, Agent Tesla attacks, holiday threat trends, 2023 year-in-review, and 2024 prediction
## CISO Monthly Roundup, November/December 2023: ThreatLabz 2023 State of Encrypted Attacks report, DarkGate activity, Agent Tesla attacks, holiday threat trends, 2023 year-in-review, and 2024 predictions.
Deepen Desai
Contributor
Zscaler
Jan 5, 2024
CISO Monthly Roundup, November/December 2023
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on key trends. This year-end wrap-up of cybersecurity topics includes our 2023 State of Encrypted Attacks Report, DarkGate activity, Agent Tesla attacks, holiday cyber attack trends, and predictions for 2024.
## Zscaler ThreatLabz 2023 State of Encrypted Attacks report
The ThreatLabz 2023 State of Encrypted Attacks Report offers the latest insights on today’s encrypted threat lan
Threat Intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
threat_intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
# Threat Actor Profile: Patchwork
ATT&CK ID: G0040
Also known as: Patchwork, Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Suspected origin: China
## Overview
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Cita
Recorded Future
Capitalizing on Coronavirus Panic, Threat Actors
blogs_recorded_future
Capitalizing on Coronavirus Panic, Threat Actors
# Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide
Recorded Future investigated how threat actors are using the global disruptions caused by COVID-19 to further their cyber threat activities. This research is targeted toward those who hope to understand the technical cybersecurity threats that have emerged from the spread of COVID-19.
### Executive Summary
The emergence of coronavirus disease 2019 (COVID-19), the novel coronavirus that originated in late December 2019, has brought with it chaos in many different economic sectors — finance, manufacturing, and healthcare, to name a few. However, it has also originated a new cybersecurity threat, igniting a bevy of COVID-19-themed phishing lures and newly regi
Threat Intel
Inception (Inception, Inception Framework, Cloud Atlas)
threat_intel·CVSS 8.8
[HIGH] Inception (Inception, Inception Framework, Cloud Atlas)
# Threat Actor Profile: Inception
ATT&CK ID: G0100
Also known as: Inception, Inception Framework, Cloud Atlas
Suspected origin: Russia
## Overview
Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: Inception has obtained and used open-source tools such as LaZagne.(Citation: Kaspersky Cloud Atlas August 2019)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: Ince
arXiv
POLAR: Automating Cyber Threat Prioritization through LLM-Powered Assessment
arxiv_fulltext·2025-10-02
POLAR: Automating Cyber Threat Prioritization through LLM-Powered Assessment
## Abstract
The rapid expansion of the cyber threat landscape, with over 11,000 new vulnerabilities reported in 2024 alone, has intensified the need for effective threat prioritization. Existing approaches, from rule-based systems to machine learning models, struggle with scalability, distribution shift, and context-independent scoring, often mis-ranking threats in dynamic exploitation environments. In this work, we present POLAR, an LLM-based framework that automates cyber threat prioritization across four sequential stages: Triage, Static Analysis, Exploitation Analysis, and Mitigation Recommendation. POLAR leverages LLM reasoning to transform unstructured threat intelligence into structured severity metrics, forecast exploitation likelihood using temporal narratives, and generate prioritized miti
arXiv
A Risk Manager for Intrusion Tolerant Systems: Enhancing HAL 9000 with New Scoring and Data Sources
arxiv_fulltext·2025-08-18
A Risk Manager for Intrusion Tolerant Systems: Enhancing HAL 9000 with New Scoring and Data Sources
Tadeu Freitas (1,2), Carlos Novo (1), Inês Dutra (1), João Soares (1), Manuel E. Correia (1,2), Behnam Shariati (3), Rolando Martins (4)
(1) Department of Computer Science, Faculty of Sciences of University of Porto, Porto, Portugal
(2) Centre Advanced Computing Systems, Institute for Systems and Computer Engineering, Technology and Science, Porto, Portugal
(3) UMBC, University of Maryland, Baltimore County, Baltimore, USA
(4) SafeHelm, lda, Porto, Portugal
Corresponding author: Tadeu Freitas.
## Abstract
Intrusion Tolerant Systems (ITSs) have become increasingly
arXiv
CLIProv: A Contrastive Log-to-Intelligence Multimodal Approach for Threat Detection and Provenance Analysis
arxiv_fulltext·2025-07-12
CLIProv: A Contrastive Log-to-Intelligence Multimodal Approach for Threat Detection and Provenance Analysis
Jingwen Li (1; Conceptualization, Methodology, Writing – original draft), Ru Zhang (1, corresponding author, ORCID 0000-0001-6641-3236; Supervision, Writing – Review & Editing), Jianyi Liu (1; Methodology, Writing – Review & Editing, Resources), WanGuo Zhao (2; Data curation, Resources)
(1) Beijing University of Posts and Telecommunications, Beijing 100876, China
(2) Beijing Anheng Xin'an Technology Co., Ltd, Beijing 100089, China
## Abstract
With the increasing complexity of cyberattacks, the proactive and f
arXiv
HAL 9000: a Risk Manager for ITSs
arxiv_fulltext·2025-03-21
HAL 9000: a Risk Manager for ITSs
This work is financed by National Funds through the Portuguese funding agency, FCT - Fundação para a Ciência e a Tecnologia, within project UIDB/50014/2020.
DOI 10.54499/UIDB/50014/2020 https://doi.org/10.54499/uidb/50014/2020
This work was funded by 2021.08532.BD (FCT), and by 2021.04529.BD (FCT).
Tadeu Freitas (1,2), Carlos Novo (1), João Soares (1,2), Inês Dutra (1,3), Manuel E. Correia (1,2), Behnam Shariati (4), Rolando Martins (1,5)
(1) Faculty of Sciences, University of Porto, Portugal
(2) CRACS/INESC-TEC, Portugal
(3) CINTESIS@RISE, Portugal
(4) University of Maryland, Baltimore County, USA
(5) SafeHelm, lda, Porto, Portugal
{tadeufreitas, joao.soares, mdcorrei, carlosnovo, ines}@fc.up.pt
## Abstract
HAL 9000 is an Intrusion Tolerant Systems
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
arxiv_fulltext·2024-10-29
A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
Yi-Ting Huang, Ying-Ren Guo, Guo-Wei Wong, and Meng Chang Chen
## Abstract
As Advanced Persistent Threats (APTs) grow increasingly sophisticated, the demand for effective detection methods has intensified. This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, named SFM, combines Technique hunting and APT campaign attribution. Our approach assumes that real-world system event logs contain a vast majority of normal events interspersed with few suspiciously malicious ones and that these logs are annotated with Techniques of the MITRE ATT&CK framework for attack pattern recognition. Then, we attribute APT campaign attacks
arXiv
Holmes: An Efficient and Lightweight Semantic Based Anomalous Email Detector
arxiv_fulltext·2022-11-09
Holmes: An Efficient and Lightweight Semantic Based Anomalous Email Detector
Peilun Wu and Hui Guo
Data Security & Compliance, CDO Data & Cloud, PwC CN
School of Computer Science and Engineering, University of New South Wales (UNSW)
## Abstract
Email threat is a serious issue for enterprise security. The threat can be in various malicious forms, such as phishing, fraud, blackmail and malvertisement.
The traditional anti-spam gateway often maintains a greylist to filter out unexpected emails based on suspicious vocabularies present in the email's subject and contents.
However, this type of signature-based approach cannot effectively discover novel and unknown suspicious emails that utilize various evolving malicious payloads.
arXiv
AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports
arxiv_fulltext·2022-05-29
AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports
Zhenyuan Li (1), Jun Zeng (2), Yan Chen (3), Zhenkai Liang (2)
(1) Zhejiang University, Hangzhou, China
(2) National University of Singapore, Singapore
(3) Northwestern University, Evanston, USA
## Abstract
Cyber attacks are becoming more sophisticated and diverse, making detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious manual efforts o
arXiv
MAAC: Novel Alert Correlation Method To Detect Multi-step Attack
arxiv_fulltext·2021-10-25
MAAC: Novel Alert Correlation Method To Detect Multi-step Attack
MAAC: Novel Alert Correlation Method To Detect Multi-step Attack
This work was supported by the National Natural Science Foundation of China (Grant No. 61802394 and 61902396) and the Youth Innovation Promotion Association. This work is also supported by the Program of Key Laboratory of Network Assessment Technology, the Chinese Academy of Sciences and Program of Beijing Key Laboratory of Network Security and Protection Technology.
Xiaoyu Wang
arXiv
Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting
arxiv_fulltext·2021-02-10·CVSS 8.8
CVE-2017-11882 [HIGH] Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting
Top 10 Most Exploited Vulnerabilities 2016-2019 (https://us-cert.cisa.gov/ncas/alerts/aa20-133a)
| CVE | CVSS Score | Number of Tactics | Number of Techniques | Number of CAPECs | Number of CWEs | Number of CPEs |
|---|---|---|---|---|---|---|
| CVE-2017-11882 | 8.55 | 0 | 0 | 12 | 1 | 4 |
| CVE-2017-0199 | 8.55 | 0 | 0 | 0 | 0 | 9 |
| CVE-2017-5638 | 10.0 | 1 | 3 | 51 | 1 | 53 |
| CVE-2012-0158 | 9.3 | 0 | 0 | 3 | 1 | 29 |
| CVE-2019-0604 | 8.65 | 1 | 3 | 51 | 1 | 4 |
| CVE-2017-0143 | 0.0 (not listed in BRON but NVD says high severity) | 0 | 0 | 0 | 0 | 0 |
| CVE-2018-4878 | 8.65 | 0 | 0 | 0 | 1 | 3 |
| CVE-2017-8759 | 8.55 | 1 | 3 | 51 | 1 | 8 |
| CVE-2015-1641 | 9.3 | 0 | 0 | 0 | 1 | 11 |
| CVE-2018-7600 | 8.65 | 1 | 3 | 51 | 1 | 4 |
4 out of Top 10 Vulnerabilities share the follow
arXiv
Gathering Cyber Threat Intelligence from Twitter Using Novelty Classification
arxiv_fulltext·2019-09-05
Gathering Cyber Threat Intelligence from Twitter Using Novelty Classification
Ba-Dung Le, Guanhua Wang, M. Ali Babar (School of Computer Science, University of Adelaide, Adelaide, Australia)
Mehwish Nasim (School of Mathematical Sciences, University of Adelaide, Adelaide, Australia)
## Abstract
Protecting organizations from cyber exploits requires timely intelligence about cyber vulnerabilities and attacks, referred to as threats.
Cyber threat intelligence can be extracted from various sources including social media platforms where users
References
- http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882
- http://www.securityfocus.com/bid/101757
- http://www.securitytracker.com/id/1039783
- https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
- https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
- https://github.com/0x09AL/CVE-2017-11882-metasploit
- https://github.com/embedi/CVE-2017-11882
- https://github.com/rxwx/CVE-2017-11882
- https://github.com/unamer/CVE-2017-11882
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
- https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
- https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/
- https://www.exploit-db.com/exploits/43163/
- https://www.kb.cert.org/vuls/id/421280
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11882
Published: 2017-11-15
Added to CISA KEV: 2021-11-03
Exploited in the wild