In this tutorial, I will demonstrate moving Active Directory users from one domain to another.
I’m going to move 2747 users from one domain (running server 2019) to a new domain running server 2022. You can move accounts to an existing domain or a new one.
The tools used in this guide will work with domain controllers running 2008 and later operating systems. Also, you can move accounts in the same domain forest, a different forest, domain trust, or no trust.
Reasons for moving users:
Creating a test environment
Merging with another company
Moving or upgrading to a new server
No trust between domains
Moving users to a single domain (consolidating domains)
Steps for Moving Users From One Domain To Another Domain
To complete the move I will use some PowerShell scripts to re-create the OUs and groups. I’ll then use the export and import tool from the AD Pro Toolkit to move the accounts.
Note
This method does not migrate computer user profiles or SID history. It will move user data from Active Directory such as OUs, group membership, and user fields (address, manager, phone number, state, etc).
With the export tool, you can select to export from the entire domain, an OU or group.
You can also change the columns to preserve user settings when moving to the new domain.
Below is a screenshot of the CSV file exported from my source domain. I exported 2747 users and it includes 31 columns of user properties. Again, you can use the attribute selector to add or remove columns. These user properties will be preserved and imported into the other domain.
2. Modify CSV File for the new domain
To import these accounts into the new domain you will need to add a password column. If it is a different domain you will also need to modify the OU path. I’m going from ad.activedirectorypro.com to ad2.activedirectorypro.com so I’ll need to update the ou path. You can easily do this in excel with a search and replace.
You can change additional details in the CSV to reflect the new domain. For example, you can change proxyAddresses to the new domain name or change the userPrincipalName.
Now I’m ready to import all 2747 accounts into the new domain. This will import them into the new domain, add them into the OUs, add to groups and keep their user settings from the old domain.
3. Import Users Into the New Domain (or existing domain)
If you are moving the users to an existing domain you probably don’t need to create OUs or groups. If it’s a new domain and you want to replicate the AD structure of the source domain then you can use some PowerShell scripts. See the links below for step by step instructions.
Select the CSV file, your import options, and click run.
When the import is complete you can check the logs and Active Directory to verify the import.
Above you can see a screenshot of the source and the new domain. All of the accounts are imported into the same OUs and groups.
Using the export and import tool makes it really easy to move users to a new domain while keeping their group membership and user properties from Active Directory. It also is very flexible as you can move users from an old domain such as 2008 to a newer server like 2019 or later.
You also don’t have to worry about trust relationships or connections between the two domains.
Below are some PowerShell commands to help you verify the numbers in Active Directory.
Count the Number of Active Directory Objects using PowerShell
Here are some PowerShell commands I used to count the number of objects in the source domain.
Get the number of AD users
(Get-ADUser -filter *).count
The above command gets the count for all users in the domain. To get the count for just an OU use this command. Change the SearchBase to the path of your root OU.
2747 is the number of users in my source domain so this means all the users imported into the new domain successfully.
Get the number of AD Computers
(Get-ADComputer -Filter *).count
Get the number of Organizational Units
(Get-ADOrganizationalUnit -filter *).count
Get the number of AD Security groups
(Get-ADGroup -Filter *).Count
Conclusion
That’s how you move users from one domain to another using tools from the AD Pro Toolkit and PowerShell. An alternative to moving users to another domain is by using the Microsoft Active Directory Migration Tool. The ADMT (Active Directory Migration Tool) will migrate SID and computer profiles. The only problem with this tool is it is not updated, has no support, and often fails. It also is not as flexible as the method I demonstrated in this guide.
A list of the best Active Directory tools to help you simplify and automate Microsoft Active Directory management tasks.
The native Windows Administrative Tools are missing many features that administrators need to effectively do their jobs. Things like bulk operations and automation are just not possible with the Active Directory users and computer consoles.
The good news is there are many useful Active Directory Tools to choose from that can help you manage domain users, groups, and computers, generate reports, find security weaknesses, and more.
The Bulk Import tool makes it easy to import new user accounts into Active Directory from CSV. Includes a CSV template, sets multiple user attributes, and adds users to groups during the import. Automate the creation of new user accounts and simplify the user account provisioning process.
Active Directory Explorer is a browser to navigate the AD database, objects, permissions, and schema objects within Active Directory. The interface is similar to Active Directory users and computers but allows you to view advanced settings. This is not a tool you would use on a daily basis, this would be used for very specific tasks such as viewing an object’s attributes and security sessions.
Another neat feature is the ability to save a snapshot of the AD database. You can then load it for offline viewing and explore it like it was a live database. Again not a common use case.
Adaxes is a premium product that automates many AD management tasks, like user provisioning, assigning permissions, creating mailboxes, delegation, and much more. All management tasks are done from a web interface and can be accessed from laptops, tablets, and phones. The web interface is fully customizable so you can view just want you to need. Also includes a user self service portal and a password self service portal.
The user export tool lets you export all uses plus all common user fields to a CSV. Over 40 user fields can be added to the export by clicking the change columns button. This is a great tool if you need a report of all users, the groups they are a member of, OU, and more.
Key Features
Find users TRUE last logon date from all domain controllers
This tool lets you bulk update user account properties from CSV file. Some popular use cases are bulk updating user’s proxyaddresses, employeeid, addresses, manager, addresses, state, country, and so on.
All changes are sent to a log file which lets you keep track of changes and check for errors. This is a very popular tool!
The AD Cleanup tool searches your domain for stale and inactive user accounts based on the account’s lastlogon attribute. You can also find disabled, expired, accounts that have never been used and empty groups.
It is recommended to run a cleanup process on your domain at least once a month, this tool can help simplify that cleanup process and secure your domain.
This utility was designed to Monitor Active Directory and other critical services like Azure, DNS, and DHCP. It will quickly spot domain controller issues, replication, performance issues with cloud services, failed logon attempts, and much more.
This is a premium tool that has a big price tag but it’s an incredible product. You can monitor all resources including applications, hardware, processes, and cloud systems. Everything is accessed from a single web console, you can get email alerts based on various thresholds.
If you want a simple tool to monitor your Active Directory services then this is a great tool.
Check the health of your domain controllers with this easy to use tool. Runs 27 health checks on your servers to check for critical errors. Click on any failed test to quickly see the details.
Also includes an option to test DNS and check event logs for critical events.
Find all locked users with the click of a button. Unlock, reset passwords or show advanced details like the source of the lockout and more. To pull the source computer you need to have auditing enabled, check the administrator guide for how to enable this.
Bulk add or remove users to Active Directory groups. You can bulk add users to a single group or multiple groups all at once. Very easy to use and saves a lot of time. Just add the users to the CSV template and the name of the group or groups you want to add them to.
The last logon reporter will get the user’s TRUE last logon time from all domain controllers in your domain. You can limit the search to the entire domain, organizational unit, or groups.
AD FastReporter has a large list of pre-built reports to pick from. Report on users, computers, groups, contacts, printers, group policy objects, and organizational units. Very easy to use but does have an older style interface.
Here is a small example of the reports you can run:
All users
Deleted Users
Users with a home directory
users without logon script
All computers
All domain controllers
Computers created in the last 30 days
Users created in the last 30 days
13. Local Group Report
This tool gets the local groups and group members on remote computers. You can quickly sort or filter the groups to get a list of all users and groups that have local administrator rights.
Report and export group membership has never been easier, select from the entire domain, groups, or organizational unit. This tool also helps to find nested security groups.
Key Features
The fastest way to get all domain gruops and group membership
Dovestones AD Reporting tool contains a large number of pre built reports. You can customize the report by selecting user attributes and defining which users to export.
Get the uptime and last boot of remote computers. Report on the entire domain or select from an OU or group.
Very helpful during maintenance days to verify if computers have rebooted.
17. SolarWinds Permissions Analyzer
This FREE tool lets you get instant visibility into user and group permissions. Quickly check user or group permissions for files, network, and folder shares.
Analyze user permissions based on an individual user or group membership.
The NTFS permissions tool will report folder security for local, remote, and UNC folder permissions. The grid view comes with a powerful filter so you can search and limit the results to find specific permissions such as Active Directory groups.
Windows PowerShell is a very powerful tool that can automate many Active Directory and Windows tasks. The problem is it can be complex to learn some of the advanced functions. With that said there are plenty of cmdlets that can be used in a single line of code to do some pretty cool things in Windows.
Create new user account: New-Aduser
Create computer account: New-ADComputer
Create a security group: New-ADGroup
Create a organizational unit: New-ADOrganizationalUnit
Get domain details: Get-ADDomin
Get domain password policy: Get-ADDefaultDomainPasswordPolicy
Get group policy: get-GPO -all
Get all services: get-service
Find locked user accounts: Search-ADAccount -LockedOut
The Sysinternals is a suite of small GUI programs and command line utilities designed to troubleshoot and diagnose your Windows systems and applications. They are all portable, which means you don’t need to install them, you can just run the exe or commands with no installation required.
These utilities were created way back in 1996 by Mark Russinovich and then later acquired by Microsoft. There are a bunch of tools included I will list some of the popular ones.
Process Monitor – Shows real time file system, registry and process activity.
PsExec – Lets you execute programs on a remote system
PsKill – Kill local and remote processes
Sysmon – Logs system activity about process creations, network connection and changes to files
Psinfo – Shows info about a local or remote computer
All-in-one Active Directory Toolkit
Our AD Pro Toolkit includes 12 Active Directory tools in a single interface.
The main benefit is it will save you time and make managing Active Directory easier. One of the most popular tasks of working with Active Directory is to create new user accounts. The built-in tools provide no options for bulk importing new accounts so it becomes very time-consuming. With the AD Pro Toolkit you can easily bulk import, bulk update, and disable user accounts.
Below is a picture of how you would create an account with the built-in (ADUC) Active Directory Users and Computers console. Everything has to be manually entered and you have to go back and add users to groups.
Using Active Directory tools like the AD Bulk Import tool, you can bulk import thousands of accounts at once. Plus you can automatically set user accounts fields and add users to groups. Let me show you how easy it is.
Step 1: Fill out the provided CSV template.
The template includes all the common user fields you need to create a new account. Just fill out what you need and save the file.
Step 2: Import new account
With this tool just select your CSV file and click run. This will import all of the account information from the CSV and automatically bulk create new Active Directory user accounts.
You can watch the import process and when complete you have a log file of the import.
You will at some point be asked to export users to a CSV and again there is no easy built in option for this. When I was an administrator at a large organization I would get this request at least once a week and it was a pain. When I developed the user export tool this process became so easy I was able to have other staff members take it over.
The above picture is from the user export tool. This tool lets you easily export all users from the entire domain, an OU, or a group.
The ease of use is another benefit as many people don’t have time to learn PowerShell. PowerShell is a great tool and can do many things but it can be complex and time-consuming to learn. The AD Pro Toolkit has a very simple interface and you can start using it right away to perform many advanced tasks in your domain.
Frequently Asked Questions
Below are questions and answers regarding the AD Pro Toolkit.
Does the AD Pro Tool support multiple domains?
Yes. It will auto-detect your domains based on current credentials. You can click the domain button to change authentication and connect to other domains or domain controllers.
Do you have a tool to help with account lockouts?
Yes, the user unlock tool can quickly display all locked users and the source of the lockout.
What is required to use the toolkit?
To create and bulk modify users you will need these rights in your Active Directory domain. This is often done by putting your account in the domain administrator group but can also be done by delegating these rights. Some tools like the last logon reporter, export, and group membership require no special permissions.
Do I need to know PowerShell or scripting?
No. All tools are very easy to use and require no scripting or PowerShell experience.
Is there a way to bulk update the manager, telephone numbers, and other user fields?
Yes, this is exactly what the bulk updater tool was created for. You can easily bulk update from a large list of user fields.
Can I bulk export or import on a scheduled task?
We are working on this right now. AD Cleanup, bulk import, update, and export tools will include an option to run on a scheduled task or from a script.
I was just hired and Active Directory is a mess. Can the Pro toolkit help?
The AD Cleanup tool can help you find old user and computer accounts and bulk disable or move them. We have many customers that use this tool to cleanup their domain environments.
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q2 2022:
Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.
Ransomware attacks were defeated on the computers of 74,377 unique users.
Number of unique users attacked by financial malware, Q2 2022 (download)
Geography of financial malware attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.
Geography of financial malware attacks, Q2 2022 (download)
TOP 10 countries and territories by share of attacked users
Country or territory*
%**
1
Turkmenistan
4.8
2
Afghanistan
4.3
3
Tajikistan
3.8
4
Paraguay
3.1
5
China
2.4
6
Yemen
2.4
7
Uzbekistan
2.2
8
Sudan
2.1
9
Egypt
2.0
10
Mauritania
1.9
* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000). ** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.
TOP 10 banking malware families
Name
Verdicts
%*
1
Ramnit/Nimnul
Trojan-Banker.Win32.Ramnit
35.5
2
Zbot/Zeus
Trojan-Banker.Win32.Zbot
15.8
3
CliptoShuffler
Trojan-Banker.Win32.CliptoShuffler
6.4
4
Trickster/Trickbot
Trojan-Banker.Win32.Trickster
6
5
RTM
Trojan-Banker.Win32.RTM
2.7
6
SpyEye
Trojan-Spy.Win32.SpyEye
2.3
7
IcedID
Trojan-Banker.Win32.IcedID
2.1
8
Danabot
Trojan-Banker.Win32.Danabot
1.9
9
BitStealer
Trojan-Banker.Win32.BitStealer
1.8
10
Gozi
Trojan-Banker.Win32.Gozi
1.3
* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.
Ransomware programs
Quarterly trends and highlights
In the second quarter, the Lockbit group launched a bug bounty program. The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. This was the first-ever case of ransomware groups doing a (self-promotion?) campaign like that.
Another well-known group, Conti, said it was shutting down operations. The announcement followed a high-profile attack on Costa Rica’s information systems, which prompted the government to declare a state of emergency. The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.
While some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil’s website went back online in April, and researchers discovered a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.
Kaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and released a decryptor for all victims. Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.
Number of new modifications
In Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.
Geography of attacks by ransomware Trojans, Q2 2022 (download)
TOP 10 countries and territories attacked by ransomware Trojans
Country or territory*
%**
1
Bangladesh
1.81
2
Yemen
1.24
3
South Korea
1.11
4
Mozambique
0.82
5
Taiwan
0.70
6
China
0.46
7
Pakistan
0.40
8
Angola
0.37
9
Venezuela
0.33
10
Egypt
0.32
* Excluded are countries and territories with relatively few Kaspersky users (under 50,000). ** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.
* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data. ** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.
Miners
Number of new miner modifications
In Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression — in March through May we found a total of no more than 10,000 new modifications — was followed by a record of sorts.
Number of new miner modifications, Q2 2022 (download)
Number of users attacked by miners
In Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.
TOP 10 countries and territories attacked by miners
Country or territory*
%**
1
Rwanda
2.94
2
Ethiopia
2.67
3
Tajikistan
2.35
4
Tanzania
1.98
5
Kyrgyzstan
1.94
6
Uzbekistan
1.88
7
Kazakhstan
1.84
8
Venezuela
1.80
9
Mozambique
1.68
10
Ukraine
1.56
* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000). ** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
During Q2 2022, a number of major vulnerabilities were discovered in the Microsoft Windows. For instance, CVE-2022-26809 critical error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: CVE-2022-24491 and CVE-2022-24497. By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. The CVE-2022-24521 vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. CVE-2022-26925, also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.
Most of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved brute-forcing access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of Log4j vulnerability (CVE-2021-44228) is also quite common, as the susceptible Java library is often used in web applications. Besides, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability CVE-2022-22965 that exploits the data binding functionality and results in remote code execution. Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.
Vulnerability statistics
Exploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited CVE-2017-11882 and CVE-2018-0802, which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves the component memory being damaged and a specially designed script, run on the target computer. Another vulnerability, CVE-2017-8570, allows downloading and running a malicious script when opening an infected document, to execute various operations in a vulnerable system. The emergence of CVE-2022-30190or Follina vulnerability also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. This, in turn, combined with a special set of parameters passed to the victim’s computer, can cause an arbitrary command to be executed — even if macros are disabled and the document is opened in Protected Mode.
Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 (download)
Attempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome based browsers: CVE-2022-0609, CVE-2022-1096, and CVE-2022-1364. The first one was found in the animation component; it exploits a Use-After-Free error, causing memory damage, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they also can result in arbitrary code being executed on a vulnerable user system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks, in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, CVE-2022-1097, which appears when processing NSSToken-type objects from different streams. The browser was also found to contain CVE-2022-28281, a vulnerability that affects the WebAuthn extension. A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, CVE-2022-1802 and CVE-2022-1529, were exploited in cybercriminal attacks. The exploitation method, dubbed “prototype pollution”, allows executing arbitrary JavaScript code in the context of a privileged parent browser process.
As in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.
Attacks on macOS
The second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group Earth Berberoka (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. The TraderTraitor campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.
TOP 20 threats for macOS
Verdict
%*
1
AdWare.OSX.Amc.e
25.61
2
AdWare.OSX.Agent.ai
12.08
3
AdWare.OSX.Pirrit.j
7.84
4
AdWare.OSX.Pirrit.ac
7.58
5
AdWare.OSX.Pirrit.o
6.48
6
Monitor.OSX.HistGrabber.b
5.27
7
AdWare.OSX.Agent.u
4.27
8
AdWare.OSX.Bnodlero.at
3.99
9
Trojan-Downloader.OSX.Shlayer.a
3.87
10
Downloader.OSX.Agent.k
3.67
11
AdWare.OSX.Pirrit.aa
3.35
12
AdWare.OSX.Pirrit.ae
3.24
13
Backdoor.OSX.Twenbc.e
3.16
14
AdWare.OSX.Bnodlero.ax
3.06
15
AdWare.OSX.Agent.q
2.73
16
Trojan-Downloader.OSX.Agent.h
2.52
17
AdWare.OSX.Bnodlero.bg
2.42
18
AdWare.OSX.Cimpli.m
2.41
19
AdWare.OSX.Pirrit.gen
2.08
20
AdWare.OSX.Agent.gen
2.01
* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.
As usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, found with a quarter of all attacked users. Members of this family display fake system problem messages, offering to buy the full version to fix those. It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.
Geography of threats for macOS, Q2 2022 (download)
TOP 10 countries and territories by share of attacked users
Country or territory*
%**
1
France
2.93
2
Canada
2.57
3
Spain
2.51
4
United States
2.45
5
India
2.24
6
Italy
2.21
7
Russian Federation
2.13
8
United Kingdom
1.97
9
Mexico
1.83
10
Australia
1.82
* Excluded from the rating are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000). ** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.
In Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). AdWare.OSX.Amc.e was the most common adware encountered in these three countries.
IoT attacks
IoT threat statistics
In Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.
Telnet
82,93%
SSH
17,07%
Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022
The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.
Telnet
93,75%
SSH
6,25%
Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022
TOP 10 threats delivered to IoT devices via Telnet
Verdict
%*
1
Backdoor.Linux.Mirai.b
36.28
2
Trojan-Downloader.Linux.NyaDrop.b
14.66
3
Backdoor.Linux.Mirai.ek
9.15
4
Backdoor.Linux.Mirai.ba
8.82
5
Trojan.Linux.Agent.gen
4.01
6
Trojan.Linux.Enemybot.a
2.96
7
Backdoor.Linux.Agent.bc
2.58
8
Trojan-Downloader.Shell.Agent.p
2.36
9
Trojan.Linux.Agent.mg
1.72
10
Backdoor.Linux.Mirai.cw
1.45
* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.
TOP 10 countries and territories that serve as sources of web-based attacks
The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.
In Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.
Distribution of web-attack sources by country and territory, Q2 2022 (download)
Countries and territories where users faced the greatest risk of online infection
To assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
Country or territory*
%**
1
Taiwan
26.07
2
Hong Kong
14.60
3
Algeria
14.40
4
Nepal
14.00
5
Tunisia
13.55
6
Serbia
12.88
7
Sri Lanka
12.41
8
Albania
12.21
9
Bangladesh
11.98
10
Greece
11.86
11
Palestine
11.82
12
Qatar
11.50
13
Moldova
11.47
14
Yemen
11.44
15
Libya
11.34
16
Zimbabwe
11.15
17
Morocco
11.03
18
Estonia
11.01
19
Turkey
10.75
20
Mongolia
10.50
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000). ** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.
On average during the quarter, 8.31% of the Internet users’ computers worldwide were subjected to at least one Malware-class web attack.
Geography of web-based malware attacks, Q2 2022 (download)
Local threats
In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
In Q2 2022, our File Anti-Virus detected 55,314,176 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.
Note that these rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
Country or territory*
%**
1
Turkmenistan
47.54
2
Tajikistan
44.91
3
Afghanistan
43.19
4
Yemen
43.12
5
Cuba
42.71
6
Ethiopia
41.08
7
Uzbekistan
37.91
8
Bangladesh
37.90
9
Myanmar
36.97
10
South Sudan
36.60
11
Syria
35.60
12
Burundi
34.88
13
Rwanda
33.69
14
Algeria
33.61
15
Benin
33.60
16
Tanzania
32.88
17
Malawi
32.65
18
Venezuela
31.79
19
Cameroon
31.34
20
Chad
30.92
* Excluded are countries with relatively few Kaspersky users (under 10,000). ** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.
Earlier this year, we discovered a malicious campaign that employed a new technique for installing fileless malware on target machines by injecting a shellcode directly into Windows event logs. The attackers were using this to hide a last-stage Trojan in the file system.
The attack starts by driving targets to a legitimate website and tricking them into downloading a compressed RAR file that is booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. The attackers use these tools to inject code into any process of their choosing. They inject the malware directly into the system memory, leaving no artifacts on the local drive that might alert traditional signature-based security and forensics tools. While fileless malware is nothing new, the way the encrypted shellcode containing the malicious payload is embedded into Windows event logs is.
The code is unique, with no similarities to known malware, so it is unclear who is behind the attack.
WinDealer’s man-on-the-side spyware
We recently published our analysis of WinDealer: malware developed by the LuoYu APT threat actor. One of the most interesting aspects of this campaign is the group’s use of a man-on-the-side attack to deliver malware and control compromised computers. A man-on-the-side attack implies that the attacker is able to control the communication channel, allowing them to read the traffic and inject arbitrary messages into normal data exchange. In the case of WinDealer, the attackers intercepted an update request from completely legitimate software and swapped the update file with a weaponized one.
The malware does not contain the exact address of the C2 (command-and-control) server, making it harder for security researchers to find it. Instead, it tries to access a random IP address from a predefined range. The attackers then intercept the request and respond to it. To do this, they need constant access to the routers of the entire subnet, or to some advanced tools at ISP level.
The vast majority of WinDealer’s targets are located in China: foreign diplomatic organizations, members of the academic community, or companies active in the defense, logistics or telecoms sectors. Sometimes, though, the LuoYu APT group will infect targets in other countries: Austria, the Czech Republic, Germany, India, Russia and the US. In recent months, they have also become more interested in businesses located in other East Asian countries and their China-based offices.
ToddyCat: previously unknown threat actor attacks high-profile organizations in Europe and Asia
In June, we published our analysis of ToddyCat, a relatively new APT threat actor that we have not been able to link to any other known actors. The first wave of attacks, against a limited number of servers in Taiwan and Vietnam, targeted Microsoft Exchange servers, which the threat actor compromised with Samurai, a sophisticated passive backdoor that typically works via ports 80 and 443. The malware allows arbitrary C# code execution and is used alongside multiple modules that let the attacker administer the remote system and move laterally within the targeted network. In certain cases, the attackers have used the Samurai backdoor to launch another sophisticated malicious program, which we dubbed Ninja. This is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat.
The next wave saw a sudden surge in attacks, as the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries, including Iran, India, Malaysia, Slovakia, Russia and the UK.
Subsequently, we observed other variants and campaigns, which we attributed to the same group. In addition to affecting most of the previously mentioned countries, the threat actor targeted military and government organizations in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave was extended to desktop systems.
SessionManager IIS backdoor
In 2021, we observed a trend among certain threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities in Microsoft Exchange. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a target organization — to collect emails, update further malicious access or clandestinely manage compromised servers.
We published our analysis of one such IIS backdoor, called Owowa, last year. Early this year, we investigated another, SessionManager. Developed in C++, SessionManager is a malicious native-code IIS module. The attackers’ aim is for it to be loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server. This kind of malicious modules usually expects seemingly legitimate but specifically crafted HTTP requests from their operators, triggers actions based on the operators’ hidden instructions and then transparently passes the request to the server for it to be processed just as any other request.
As a result, these modules are not easily spotted through common monitoring practices.
SessionManager has been used to target NGOs and government organizations in Africa, South America, Asia, Europe and the Middle East.
We believe that this malicious IIS module may have been used by the GELSEMIUM threat actor, because of similar victim profiles and the use of a common OwlProxy variant.
Other malware
Spring4Shell
Late in March, researchers discovered a critical vulnerability (CVE-2022-22965) in Spring, an open-source framework for the Java platform. This is a Remote Code Execution (RCE) vulnerability, allowing an attacker to execute malicious code remotely on an unpatched computer. The vulnerability affects the Spring MVC and Spring WebFlux applications running under version 9 or later of the Java Development Kit. By analogy with the well-known Log4Shell vulnerability, this one was dubbed “Spring4Shell”.
By the time researchers had reported it to VMware, a proof-of-concept exploit had already appeared on GitHub. It was quickly removed, but it is unlikely that cybercriminals would have failed to notice such a potentially dangerous vulnerability.
You can find more details, including appropriate mitigation steps, in our blog post.
Actively exploited vulnerability in Windows
Among the vulnerabilities fixed in May’s “Patch Tuesday” update was one that has been actively exploited in the wild. The Windows LSA (Local Security Authority) Spoofing Vulnerability (CVE-2022-26925) is not considered critical per se. However, when the vulnerability is used in a New Technology LAN Manager (NTLM) relay attack, the combined CVSSv3 score for the attack-chain is 9.8. The vulnerability, which allows an unauthenticated attacker to force domain controllers to authenticate with an attacker’s server using NTLM, was already being exploited in the wild as a zero-day, making it a priority to patch it.
Follina vulnerability in MSDT
At the end of May, researchers with the nao_sec team reported a new zero-day vulnerability in MSDT (the Microsoft Support Diagnostic Tool) that can be exploited using a malicious Microsoft Office document. The vulnerability, which has been designated as CVE-2022-30190 and has also been dubbed “Follina”, affects all operating systems in the Windows family, both for desktops and servers.
MSDT is used to collect diagnostic information and send it to Microsoft when something goes wrong with Windows. It can be called up from other applications via the special MSDT URL protocol; and an attacker can run arbitrary code with the privileges of the application that called up the MSD: in this case, the permissions of the user who opened the malicious document.
Kaspersky has observed attempts to exploit this vulnerability in the wild; and we would expect to see more in the future, including ransomware attacks and data breaches.
BlackCat: a new ransomware gang
It was only a matter of time before another ransomware group filled the gap left by REvil and BlackMatter shutting down operations. Last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums, claiming that the group had learned from the errors of their predecessors and created an improved version of the malware.
The BlackCat creators use the ransomware-as-a-service (RaaS) model. They provide other attackers with access to their infrastructure and malicious code in exchange for a cut of the ransom. BlackCat gang members are probably also responsible for negotiating with victims. This is one reason why BlackCat has gained momentum so quickly: all that a “franchisee” has to do is obtain access to the target network.
The group’s arsenal comprises several elements. One is the cryptor. This is written in the Rust language, allowing the attackers to create a cross-platform tool with versions of the malware that work both in Windows and Linux environments. Another is the Fendr utility (also known as ExMatter), used to exfiltrate data from the infected infrastructure. The use of this tool suggests that BlackCat may simply be a re-branding of the BlackMatter faction, since that was the only known gang to use the tool. Other tools include the PsExec tool, used for lateral movement on the victim’s network; Mimikatz, the well-known hacker software; and the Nirsoft software, used to extract network passwords.
Yanluowang ransomware: how to recover encrypted files
The name Yanluowang is a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell. This ransomware is relatively recent. We do not know much about the victims, although data from the Kaspersky Security Network indicates that threat actor has carried out attacks in the US, Brazil, Turkey and a few other countries.
The low number of infections is due to the targeted nature of the ransomware: the threat actor prepares and implements attacks on specific companies only.
Our experts have discovered a vulnerability that allows files to be recovered without the attackers’ key — although only under certain conditions — with the help of a known-plaintext attack. This method overcomes the encryption algorithm if two versions of the same text are available: one clean and one encrypted. If the victim has clean copies of some of the encrypted files, our upgraded Rannoh Decryptor can analyze these and recover the rest of the information.
There is one snag: Yanluowang corrupts files slightly differently depending on their size. It encrypts small (less than 3 GB) files completely, and large ones, partially. So, the decryption requires clean files of different sizes. For files smaller than 3 GB, it is enough to have the original and an encrypted version of the file that are 1024 bytes or more. To recover files larger than 3 GB, however, you need original files of the appropriate size. However, if you find a clean file larger than 3 GB, it will generally be possible to recover both large and small files.
A description of how various groups share more than half of their components and TTPs, with the core attack stages executed identically across groups.
A cyber-kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps.
A detailed analysis of each technique with examples of how various groups use them, and a comprehensive list of mitigations.
SIGMA rules based on the described TTPs that can be applied to SIEM solutions.
Ransomware trends in 2022
Ahead of the Anti-Ransomware Day on May 12, we took the opportunity to outline the tendencies that have characterized ransomware in 2022. In our report, we highlight several trends that we have observed.
First, we are seeing more widespread development of cross-platform ransomware, as cybercriminals seek to penetrate complex environments running a variety of systems. By using cross-platform languages such as Rust and Golang, attackers are able to port their code, which allows them to encrypt data on more computers.
Second, ransomware gangs continue to industrialize and evolve into real businesses by adopting the techniques and processes used by legitimate software companies.
Third, the developers of ransomware are adopting a political stance, involving themselves in the conflict between Russia and Ukraine.
Finally, we offer best practices that organizations should adopt to help them defend against ransomware attacks:
Keep software updated on all your devices.
Focus your defense strategy on detecting lateral movements and data exfiltration.
Enable ransomware protection for all endpoints.
Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
Provide your SOC team with access to the latest threat intelligence.
Emotet’s return
Emotet has been around for eight years. When it was first discovered in 2014, its main purpose was stealing banking credentials. Subsequently, the malware underwent numerous transformations to become one of the most powerful botnets ever. Emotet made headlines in January 2021, when its operations were disrupted through the joint efforts of law enforcement agencies in several countries. This kind of “takedowns” does not necessarily lead to the demise of a cybercriminal operation. It took the cybercriminals almost ten months to rebuild the infrastructure, but Emotet did return in November 2021. At that time, the Trickbot malware was used to deliver Emotet, but it is now spreading on its own through malicious spam campaigns.
Recent Emotet protocol analysis and C2 responses suggest that Emotet is now capable of downloading sixteen additional modules. We were able to retrieve ten of these, including two different copies of the spam module, used by Emotet for stealing credentials, passwords, accounts and emails, and to spread spam.
You can read our analysis of these modules, as well as statistics on recent Emotet attacks, here.
Emotet infects both corporate and private computers all around the world. Our telemetry indicates that in the first quarter of 2022, targeted: it mostly targeted users in Italy, Russia, Japan, Mexico, Brazil, Indonesia, India, Vietnam, China, Germany and Malaysia.
Moreover, we have seen a significant growth in the number of users attacked by Emotet.
Mobile subscription Trojans
Trojan subscribers are a well-established method of stealing money from people using Android devices. These Trojans masquerade as useful apps but, once installed, silently subscribe to paid services.
The developers of these Trojans make money through commissions: they get a cut of what the person “spends”. Funds are typically deducted from the cellphone account, although in some cases, these may be debited directly to a bank card. We looked at the most notable examples that we have seen in the last twelve months, belonging to the Jocker, MobOk, Vesub and GriftHorse families.
Normally, someone has to actively subscribe to a service; providers often ask subscribers to enter a one-time code sent via SMS, to counter automated subscription attempts. To sidestep this protection, malware can request permission to access text messages; where they do not obtain this, they can steal confirmation codes from pop-up notifications about incoming messages.
Some Trojans can both steal confirmation codes from texts or notifications, and work around CAPTCHA: another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special CAPTCHA recognition service.
Some malware is distributed through dubious sources under the guise of apps that are banned from official stores, for example, masquerading as apps for downloading content from YouTube or other streaming services, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.
Other mobile subscription Trojans are less sophisticated. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as they enter their number and click the login button, and the amount is debited to their cellphone account.
Other Trojans employ subscriptions with recurring payments. While this requires consent, the person using the phone might not realize they are signing up for regular automatic payments. Moreover, the first payment is often insignificant, with later charges being noticeably higher.
You can read more about this type of mobile Trojan, along with tips on how to avoid falling victim to it, here.
The threat from stalkerware
Over the last four years, we have published annual reports on the stalkerware situation, in particular using data from the Kaspersky Security Network. This year, our report also included the results of a survey on digital abuse commissioned by Kaspersky and several public organizations.
Stalkerware provides the digital means for a person to secretly monitor someone else’s private life and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. It may be legal to market stalkerware, although its use to monitor someone without their consent is not. Developers of stalkerware benefit from a vague legal framework that still exists in many countries.
In 2021, our data indicated that around 33,000 people had been affected by stalkerware.
The numbers were lower than what we had seen for a few years prior to that. However, it is important to remember that the decrease of 2020 and 2021 occurred during successive COVID-19 lockdowns: that is, during conditions that meant abusers did not need digital tools to monitor and control their partners’ personal lives. It is also important to bear in mind that mobile apps represent only one method used by abusers to track someone — others include tracking devices such as AirTags, laptop applications, webcams, smart home systems and fitness trackers. KSN tracks only the use of mobile apps. Finally, KSN data is taken from mobile devices protected by Kaspersky products: many people do not protect their mobile devices. The Coalition Against Stalkerware, which brings together members of the IT industry and non-profit companies, believes that the overall number of people affected by this threat might be thirty times higher — that is around a million people!
Stalkerware continues to affect people across the world: in 2021, we observed detections in 185 countries or territories.
Just as in 2020, Russia, Brazil, the US and India were the top four countries with the largest numbers of affected individuals. Interestingly, Mexico had fallen from fifth to ninth place. Algeria, Turkey and Egypt entered the top ten, replacing Italy, the UK and Saudi Arabia, which were no longer in the top ten.
We would recommend the following to reduce your risk of being targeted:
Use a unique, complex password on your phone and do not share it with anyone.
Try not to leave your phone unattended; and if you have to, lock it.
Download apps only from official stores.
Protect your mobile device with trustworthy security software and make sure it is able to detect stalkerware.
Remember also that if you discover stalkerware on your phone, dealing with the problem is not as simple as just removing the stalkerware app. This will alert the abuser to the fact that you have become aware of their activities and may precipitate physical abuse. Instead, seek help: you can find a list or organizations that can provide help and support on the Coalition Against Stalkerware site.
In H1 2022, malicious objects were blocked at least once on 31.8% of ICS computers globally.Percentage of ICS computers on which malicious objects were blocked
For the first time in five years of observations, the lowest percentage in the first half of the year was observed in March. During the period from January to March, the percentage of attacked ICS computers decreased by 1.7 p.p.Percentage of ICS computers on which malicious objects were blocked, January – June 2020, 2021, and 2022
Among regions, the highest percentage of ICS computers on which malicious objects were blocked was observed in Africa (41.5%). The lowest percentage (12.8%) was recorded in Northern Europe.Percentage of ICS computers on which malicious objects were blocked, in global regions
Among countries, the highest percentage of ICS computers on which malicious objects were blocked was recorded in Ethiopia (54.8%) and the lowest (6.8%) in Luxembourg.15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H1 202210 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2022
Threat sources
The main sources of threats to computers in the operational technology infrastructure of organizations are internet (16.5%), removable media (3.5%), and email (7.0%).Percentage of ICS computers on which malicious objects from different sources were blocked
Regions
Among global regions, Africa ranked highest based on the percentage of ICS computers on which malware was blocked when removable media was connected.Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected, H1 2022
Southern Europe leads the ranking of regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H1 2022
Industry specifics
In the Building Automation industry, the percentage of ICS computers on which malicious email attachments and phishing links were blocked (14.4%) was twice the average value for the entire world (7%).Percentage of ICS computers on which malicious email attachments and phishing links were blocked, in selected industries
In the Oil and Gas industry, the percentage of ICS computers on which threats were blocked when removable media was connected (10.4%) was 3 times the average percentage for the entire world (3.5%).Percentage of ICS computers on which threats were blocked when removable media was connected
In the Oil and Gas industry, the percentage of ICS computers on which malware was blocked in network folders (1.2%) was twice the world average (0.6%).Percentage of ICS computers on which threats were blocked in network folders
Diversity of malware
Malware of different types from 7,219 families was blocked on ICS computers in H1 2022.Percentage of ICS computers on which the activity of malicious objects from different categories was prevented
Ransomware
In H1 2022, ransomware was blocked on 0.65% of ICS computers. This is the highest percentage for any six-month reporting period since 2020.Percentage of ICS computers on which ransomware was blocked
The highest percentage of ICS computers on which ransomware was blocked was recorded in February (0.27%) and the lowest in March (0.11%). The percentage observed in February was the highest in 2.5 years of observations.Percentage of ICS computers on which ransomware was blocked, January – June 2022
East Asia (0.95%) and the Middle East (0.89%) lead the ransomware-based ranking of regions. In the Middle East, the percentage of ICS computers on which ransomware was blocked per six-month reporting period has increased by a factor of 2.5 since 2020.Regions ranked by percentage of ICS computers on which ransomware was blocked, H1 2022
Building Automation leads the ranking of industries based on the percentage of ICS computers attacked by ransomware (1%).Percentage of ICS computers on which ransomware was blocked, in selected regions, H1 2022
Malicious documents
Malicious documents (MSOffice+PDF) were blocked on 5.5% of ICS computers. This is 2.2 times the percentage recorded in H2 2021. Threat actors distribute malicious documents via phishing emails and actively use such emails as the vector of initial computer infections.Percentage of ICS computers on which malicious documents (MSOffice+PDF) were blocked
In the Building Automation industry, the percentage of ICS computers on which malicious office documents were blocked (10.5%) is almost twice the global average.Percentage of ICS computers on which malicious office documents (MSOffice+PDF) were blocked, in selected industries
Spyware
Spyware was blocked on 6% of ICS computers. This percentage has been growing since 2020.Percentage of ICS computers on which spyware was blocked
Building Automation leads the ranking of industries based on the percentage of ICS computers on which spyware was blocked (12.9%).Percentage of ICS computers on which spyware was blocked, in selected industries
Malware for covert cryptocurrency mining
The percentage of ICS computers on which malicious cryptocurrency miners were blocked continued to rise gradually.Percentage of ICS computers on which malicious cryptocurrency miners were blocked
Building Automation also leads the ranking of selected industries by percentage of ICS computers on which malicious cryptocurrency miners were blocked.Percentage of ICS computers on which malicious cryptocurrency miners were blocked, in selected industries
Microsoft said it’s tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems.
“[The] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices,” Microsoft Security Intelligence said in a sequence of tweets over the weekend.
The tech giant’s cybersecurity division is tracking the developing threat cluster under the name DEV-0796.
Attach chains mounted by the adversary commence with an ISO file that’s downloaded onto a victim’s machine upon clicking on a malicious ad or comments on YouTube. The ISO file, when opened, is designed to install a browser node-webkit (aka NW.js) or rogue browser extension.
It’s worth noting that the ISO file masquerades as hacks and cheats for the Krunker first-person shooter game. Cheats are programs that help gamers gain an added advantage beyond the available capabilities during gameplay.
Also used in the attacks are DMG files, which are Apple Disk Image files primarily used to distribute software on macOS, indicating that the threat actors are targeting multiple operating systems.
The findings arrive as Kaspersky disclosed details of another campaign that lures gamers looking for cheats on YouTube into downloading self-propagating malware capable of installing crypto miners and other information stealers.
“Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series,” the Russian cybersecurity firm said in a recent report.
by Or Katz and Jim Black Data analysis by Gal Kochner and Moshe Cohen
Executive summary
Akamai researchers have analyzed malicious DNS traffic from millions of devices to determine how corporate and personal devices are interacting with malicious domains, including phishing attacks, malware, ransomware, and command and control (C2).
Akamai researchers saw that 12.3% of devices used by home and corporate users communicated at least once to domains associated with malware or ransomware.
63% of those users’ devices communicated with malware or ransomware domains, 32% communicated with phishing domains, and 5% communicated with C2 domains.
Digging further into phishing attacks, researchers found that users of financial services and high tech are the most frequent targets of phishing campaigns, with 47% and 36% of the victims, respectively.
Consumer accounts are the most affected by phishing, with 80.7% of the attack campaigns.
Tracking 290 different phishing toolkits being reused in the wild, and counting the number of distinct days each kit was reused over Q2 2022, shows that 1.9% of the tracked kits were reactivated on at least 72 days. In addition, 49.6% of the kits were reused for at least five days, demonstrating how many users are being revictimized multiple times. This shows how realistic-looking and dangerous these kits can be, even to knowledgeable users.
The most used phishing toolkit in Q2 2022 (Kr3pto, a phishing campaign that targeted banking customers in the United Kingdom, which evades multi-factor authentication [MFA]) was hosted on more than 500 distinct domains.
Introduction
“It’s always DNS.” Although that is a bit of a tongue-in-cheek phrase in our industry, DNS can give us a lot of information about the threat landscape that exists today. By analyzing information from Akamai’s massive infrastructure, we are able to gain some significant insights on how the internet behaves. In this blog, we will explore these insights into traffic patterns, and how they affect people on the other end of the internet connection.
Akamai traffic insights
Attacks by category
Based on Akamai’s range of visibility across different industries and geographies, we can see that 12.3% of protected devices attempted to reach out to domains that were associated with malware at least once during Q2 2022. This indicates that these devices might have been compromised. On the phishing and C2 front, we can see that 6.2% of devices accessed phishing domains and 0.8% of the devices accessed C2-associated domains. Although these numbers may seem insignificant, the scale here is in the millions of devices. When this is considered, along with the knowledge that C2 is the most malignant of threats, these numbers are not only significant, they’re cardinal.
Comparing 2022 Q2 results with 2022 Q1 results (Figure 1), we can see a minor increase in all categories in Q2. We attribute those increases to seasonal changes that are not associated with a significant change in the threat landscape.
Fig. 1: Devices exposed to threats — Q1 vs. Q2
In Figure 2, we can see that of the 12.3% potentially compromised devices, 63% were exposed to threats associated with malware activity, 32% with phishing, and 5% with C2. Access to malware-associated domains does not guarantee that these devices were actually compromised, but provides a strong indication of increased potential risk if the threat wasn’t properly mitigated. However, access to C2-associated domains indicates that the device is most likely compromised and is communicating with the C2 server. This can often explain why the incidence of C2 is lower when compared with malware numbers.
Fig. 2: Potentially compromised devices by category
Phishing attack campaigns
By looking into the brands that are being abused and mimicked by phishing scams in Q2 2022, categorized by brand industry and number of victims, we can see that high tech and financial brands led with 36% and 47%, respectively (Figure 3). These leading phishing industry categories are consistent with Q1 2022 results, in which high tech and financial brands were the leading categories, with 32% and 31%, respectively.
Fig. 3: Phishing victims and phishing campaigns by abused brands
When taking a different view on the phishing landscape–targeted industries by counting the number of attack campaigns being launched over Q2 2022, we can see that high tech and financial brands are still leading, with 36% and 41%, respectively (Figure 3). The correlation between leading targeted brands when it comes to number of attacks and number of victims is evidence that threat actors’ efforts and resources are, unfortunately, effectively working to achieve their desired outcome.
Akamai’s research does not have any visibility into the distribution channels used to deliver the monitored phishing attacks that led to victims clicking on a malicious link and ending up on the phishing landing page. Yet the strong correlation between different brand segments by number of attack campaigns and the number of victims seems to indicate that the volume of attacks is effective and leads to a similar trend in the number of victims. The correlation might also indicate that the distribution channels used have minimal effect on attack outcome, and it is all about the volume of attacks that lead to the desired success rates.
Taking a closer look at phishing attacks by categorization of attack campaigns — consumers vs. business targeted accounts— we can see that consumer attacks are the most dominant, with 80.7% of the attack campaigns (Figure 4). This domination is driven by the massive demand for consumers’ compromised accounts in dark markets that are then used to launch fraud-related second-phase attacks. However, even with only 19.3% of the attack campaigns, attacks against business accounts should not be considered marginal, as these kinds of attacks are usually more targeted and have greater potential for significant damage. Attacks that target business accounts may lead to a company’s network being compromised with malware or ransomware, or to confidential information being leaked. An attack that begins with an employee clicking a link in a phishing email can end up with the business suffering significant financial and reputational damages.
Fig. 4: Phishing targeted accounts — consumers vs. business
Phishing toolkits
Phishing attacks are an extremely common vector that have been used for many years. The potential impacts and risks involved are well-known to most internet users. However, phishing is still a highly relevant and dangerous attack vector that affects thousands of people and businesses daily. Research conducted by Akamai explains some of the reasons for this phenomenon, and focuses on the phishing toolkits and their role in making phishing attacks effective and relevant.
Phishing toolkits enable rapid and easy creation of fake websites that mimic known brands. Phishing toolkits enable even non–technically gifted scammers to run phishing scams, and in many cases are being used to create distributed and large-scale attack campaigns. The low cost and availability of these toolkits explains the increasing numbers of phishing attacks that have been seen in the past few years.
According to Akamai’s research that tracked 290 different phishing toolkits being used in the wild, 1.9% of the tracked kits were reused on at least 72 distinct days over Q2 2022 (Figure 5). Further, 49.6% of the kits were reused for at least five days, and when looking into all the tracked kits, we can see that all of them were reused no fewer than three distinct days over Q2 2022.
Fig. 5: Phishing toolkits by number of reused days Q2 2022
The numbers showing the heavy reuse phenomenon of the observed phishing kits shed some light on the phishing threat landscape and the scale involved, creating an overwhelming challenge to defenders. Behind the reuse of phishing kits are factories and economic forces that drive the phishing landscape. Those forces include developers who create phishing kits that mimic known brands, later to be sold or shared among threat actors to be reused over and over again with very minimal effort.
Further analysis on the most reused kits in Q2 2022, counting the number of different domains used to deliver each kit, shows that the Kr3pto toolkit was the one most frequently used and was associated with more than 500 domains (Figure 6). The tracked kits are labeled by the name of the brand being abused or by a generic name representing the kit developer signature or kit functionality.
In the case of Kr3pto, the actor behind the phishing kit is a developer who builds and sells unique kits that target financial institutions and other brands. In some cases, these kits target financial firms in the United Kingdom, and they bypass MFA. This evidence also shows that this phishing kit that was initially created more than three years ago is still highly active and effective and being used intensively in the wild.
Fig. 6: Top 10 reused phishing toolkits
The phishing economy is growing, kits are becoming easier to develop and deploy, and the web is full of abandoned, ready-to-be-abused websites and vulnerable servers and services. Criminals capitalize on these weaknesses to establish a foothold that enables them to victimize thousands of people and businesses daily.
The growing industrial nature of phishing kit development and sales (in which new kits are developed and released within hours) and the clear split between creators and users means this threat isn’t going anywhere anytime soon. The threat posed by phishing factories isn’t just focused on the victims who risk having valuable accounts compromised and their personal information sold to criminals — phishing is also a threat to brands and their stakeholders.
The life span of a typical phishing domain is measured in hours, not days. Yet new techniques and developments by the phishing kit creators are expanding these life spans little by little, and it’s enough to keep the victims coming and the phishing economy moving.
Summary
This type of research is necessary in the fight to keep our customers safer online. We will continue to monitor these threats and report on them to keep the industry informed.
The best way to stay up to date on this and other research pieces from the Akamai team is to follow Akamai Security Research on Twitter.
Contemporary organizations understand the importance of data and its impact on improving interactions with customers, offering quality products or services, and building loyalty.
Data is fundamental to business success. It allows companies to make the right decisions at the right time and deliver the high-quality, personalized products and services that customers expect.
There is a challenge, though.
Businesses are collecting more data than ever before, and new technologies have accelerated this process dramatically. As a result, organizations have significant volumes of data, making it hard to manage, protect, and get value from it.
Here is where Governance, Risk, and Compliance (GRC) comes in. GRC enables companies to define and implement the best practices, procedures, and governance to ensure the data is clean, safe, and reliable across the board.
More importantly, organizations can use GRC platforms like StandardFusion to create an organizational culture around security. The objective is to encourage everyone to understand how their actions affect the business’s success.
Now, the big question is:
Are organizations getting value from their data?
To answer that, first, it’s important to understand the following two concepts.
Data quality
Data quality represents how reliable the information serves an organization’s specific needs — mainly supporting decision-making.
Some of these needs might be:
Operations – Where and how can we be more efficient?
Resource distribution – Do we have any excess? Where? And why?
Planning – How likely is this scenario to occur? What can we do about it?
Management – What methods are working? What processes need improvement?
From a GRC standpoint, companies can achieve data quality by creating rules and policies so the entire organization can use that data in the same ways. These policies could, for example, define how to label, transfer, process, and maintain information.
Data Integrity
Data integrity focuses on the trustworthiness of the information in terms of its physical and logical validity. Some of the key characteristics to ensure the usability of data are:
Consistency
Accuracy
Validity
Truthfulness
GRC’s goal for data integrity is to keep the information reliable by eliminating unwanted changes between updates or modifications. It is all about the data’s accuracy, availability, and trust.
How GRC empowers organizations achieve high-quality data
Organizations that want to leverage their data to generate value must ensure the information they collect is helpful and truthful. The following are the key characteristics of high-quality data:
Completeness: The expected data to make decisions is present.
Uniqueness: There is no duplication of data.
Timeliness: The data is up-to-date and available to use when needed.
Validity: The information has the proper format and matches the requirements.
Accuracy: The data describes the object correctly in a real-world context.
Consistency: The data must be the same across multiple databases
A powerful way to make sure the company’s data maintains these six characteristics is by leveraging the power of GRC.
Why?
Because GRC empowers organizations to set standards, regulations, and security controls to avoid mistakes, standardize tasks and guide personnel when collecting and dealing with vital information.
GRC helps organizations answer the following questions:
How is the company ensuring that data is available for internal decision and for the clients?
Is everyone taking the proper steps to collect and process data?
Overall, GRC aims to build shared attitudes and actions towards security.
Why every organization needs high-quality data and how GRC helps
Unless the data companies collect is high-quality and trustworthy, there’s no value in it — it becomes a liability and a risk for the organization.
Modern companies recognize data as an essential asset that impacts their bottom line. Furthermore, they understand that poor data quality can damage credibility, reduce sales, and minimize growth.
In today’s world, organizations are aiming to be data-driven. However, becoming a data-driven organization is tough without a GRC program.
How so?
Governance, Risk, and Compliance enable organizations to protect and manage data quality by creating standardized, controlled, and repeatable processes. This is key because every piece of data an organization process has an associated risk.
By understanding these risks, companies can implement the necessary controls and policies for handling and extracting data correctly so that every department can access the same quality information.
Organizations without structured data can’t provide any value, and they face the following risks:
Missed opportunities: Many leads are lost because of incomplete or inaccurate data. Also, incorrect data means wrong insights, resulting in missing critical business opportunities.
Lost revenue: According to 2021 Gartner’s research, the average financial impact of poor data quality on organizations is $12.9 million annually.
Poor customer experience: When data quality is poor, organizations can’t identify customers’ pain points and preferences. As a result, the offer of products or services doesn’t match customers’ needs and expectations.
Lack of compliance: In some industries where regulations control relationships or customer transactions, maintaining good-quality data can be the difference between compliance and fines of millions of dollars. GRC is vital to keep compliance in the loop as new regulations evolve worldwide.
Increased expenses: A few years ago, IBM’s research showed that businesses lost 3.1 trillion dollars in the US alone. How? Spending time to find the correct data, fixing errors, and just hunting for information and confirmed sources.
Reputational damage: In today’s world, customers spend a lot of their time reading reviews before making a decision. For instance, if a company fails to satisfy its customers, everyone will know.
Reduced efficiency: Poor data quality forces employees to do manual data quality checks, losing time and money.
To sum up:
Having the right processes to manipulate data will prevent organizations from missing business opportunities, damaging their reputation, and doing unnecessary repetitive tasks.
How GRC supports data-driven business and what are the key benefits of clean data
Data-driven businesses embrace the use of data (and its analysis) to get insights that can improve the organization. The efficient management of big data through GRC tools helps identify new business opportunities, strengthen customer experiences, grow sales, improve operations, and more.
For example, GRC helps data-driven businesses by allowing them to create and manage the right policies to process and protect the company’s data.
More importantly, organizations can also control individual policies to ensure they have been distributed and acknowledged accordingly.
In terms of benefits, although clean data has numerous “easy-to-identify” benefits, many others are not easily identified. Trusting data not just improves efficiency and results; it also helps with fundamental, vital factors that affect business performance and success.
What are these factors?
Fundamental benefits:
Profits/Revenue
Internal communication
Employees confidence to share information
Company’s reputation
Trust
Operational benefits:
Efficiency
Business outcome
Privacy issues
Customer satisfaction
Better audience-targeting
How GRC protect the value of businesses and their data
In this contemporary world, companies should be measured not only via existing financial measurements but also by the amount of monetizable data they can capture, consume, store and use. More importantly, how the data helps the organization’s internal processes to be faster and more agile.
When people think of high-quality data and big data, they usually associate these two with big organizations, especially technology and social media platforms. However, big quality data gives organizations of any size plenty of benefits.
Data quality and integrity help organizations to:
Understand their clients
Enhance business operations
Understand industry best practices
Identify the best partnership options
Strengthen business culture
Deliver better results
Make more money
Using the right GRC platform helps companies create and control the policies and practices to ensure their data is valid, consistent, accurate, and complete — allowing them to get all these benefits.
The key to using GRC tools is that businesses can produce what customers expect on a greater scale and with higher precision and velocity.
Now, what does this have to do with value?
By protecting the value of data, organizations are protecting their overall worth. Indeed, GRC empowers companies to create a culture of value, giving everyone education and agency so they can make better decisions.
Also, GRC helps companies tell better security stories. These stories aim to build trust with customers and partners, enter new markets, and shorten sale cycles.
To summarize:
A better understanding of customers and processes — through data — will lead to better products and services, enhanced experiences, and long-lasting relationships with customers. All these represent growth and more revenue for companies.
What happens when a company’s data is not safe? Can it damage their value?
Trust is a vital component of any interaction (business or personal) and, as such, is mandatory for organizations to protect it — without trust, there is no business.
When data is not protected, the chances of breaches are higher, causing direct and indirect costs.
Direct costs are:
Fines
Lawsuits
Stolen information
Compensations
Potential business loss
Indirect costs are:
Reputation/Trust
PR activities
Lost revenue from downtime
New and better protection
Often, reputation damages can cause long-term harm to organizations, making it hard for them to acquire and maintain business. In fact, reputation loss is the company’s biggest worry, followed by financial costs, system damage, and downtime.
So, what does all this mean?
It’s not just about collecting data; it is also about how companies reduce risks and leverage and protect the data they have. GRC integrates data security, helping organizations be better prepared against unauthorized access, corruption, or theft.
Moreover, GRC tools can help elevate data security by controlling policies, regulations, and predictable issues within the organization.
The bottom line?
When companies can’t get or maintain customers because of a lack of trust, the organization’s value will be significantly lower — or even zero. Unfortunately, this is even more true for small and medium size companies.
How to use GRC to achieve and maintain high-quality data?
Many organizations have trouble managing their data, which, unfortunately, leads to poor decisions and a lack of trust from employees and customers.
Moreover, although companies know how costly wrong information is, many are not working on ensuring quality data through the right processes and controls. In fact, Harward Business Review said that 47% of newly created data records have at least one critical error.
Why is that?
Because there is a lack of focus on the right processes and systems that need to be in place to ensure quality data.
What do poor processes cause?
Human errors
Wrong data handling
Inaccurate formatting
Different sets of data for various departments
Unawareness of risks
Incorrect data input or extraction
Fortunately, GRC’s primary goal is to develop the right policies and procedures to ensure everyone in the organization appropriately manages the data.
GRC aims to create a data structure based on the proper governance that will dictate how people organize and handle the company’s information. As a result, GRC will empower companies to be able to extract value from their data.
That is not everything.
Governance, Risk, and Compliance allow organizations to understand the risks associated with data handling and guide managers to create and distribute the policies that will support any data-related activity.
The following are some of the ways GRC is used to achieve and maintain high-quality data:
Data governance: Data governance is more than setting rules and telling people what to do. Instead, it is a collection of processes, roles, policies, standards, and metrics that will lead to a cultural change to ensure effective management of information throughout the organization.
Education: Achieving good data quality is not easy. It requires a deep understanding of data quality principles, processes, and technologies. GRC facilitates the education process by allowing the organization to seamlessly implement, share, and communicate its policies and standards to every department.
Everyone is involved: Everyone must understand the organization’s goal for data quality and the different processes and approaches that will be implemented. GRC focuses on cultural change.
Be aware of threats: When managing data, each process has risks associated with it. The mission of GRC is for the organization to recognize and deal with potential threats effectively. When companies are aware of risks, they can implement the necessary controls and rules to protect the data.
One single source of truth: A single source of truth ensures everyone in the organization makes decisions based on the same consistent and accurate data. GRC can help by defining the governance over data usage and manipulation. Furthermore, GRC makes it easy to communicate policies, see who the policy creator is, and ensure employees are acting according to the standards.
Exactly how vulnerable is VMware infrastructure to Ransomware?
Historically and like most malware, ransomware has been targeting Windows operating systems primarily. However, cases of Linux and MacOS being infected are being seen as well. Attackers are being more proficient and keep evolving in their attacks by targeting critical infrastructure components leading to ransomware attacks on VMware ESXi. In this article, you’ll learn how Ransomware targets VMware infrastructure and what you can do to protect yourself.
What is Ransomware?
Ransomware are malicious programs that work by taking the user’s data hostage in exchange for a hefty ransom.
There are essentially 2 types of Ransomware (arguably 3):
Crypto Ransomware: Encrypts files so that the user cannot access them. This is the one we are dealing with in this blog.
Locker Ransomware: Lock the user out of his computer by encrypting system files.
Scareware: Arguably a third type of ransomware that is actually a fake as it only locks the screen by displaying the ransom page. Scanning the system with an Antivirus LiveCD will get rid of it quite easily.
A user computer on the corporate network is usually infected through infected USB drives or social engineering techniques such as phishing emails and shady websites. Another occurrence includes attacking a remote access server publicly exposed through brute-force attacks.
The malware then uses a public key to encrypt the victim’s data, which can span to mapped network drives as well. After which the victim is asked to make a payment to the attacker using bitcoin or some other cryptocurrency in exchange for the private key to unlock the data, hence the term Ransomware. If the victim doesn’t pay in time, the data will be lost forever.
As you can imagine, authorities advise against paying the ransom as there is no guaranty the bad actor will deliver on his end of the deal so you may end up paying the big bucks and not recover your data at all.
Can Ransomware affect VMware?
While infecting a Windows computer may yield a reward if the attacker gets lucky, chances are the OS will simply be reinstalled, no ransom is paid and the company will start tightening security measures. Game over for the bad guys.
Rather than burning bridges by locking a user’s workstation, they now try to make a lateral move from the infected workstation and target critical infrastructure components such as VMware ESXi. That way they hit a whole group of servers at once.
“VMware ESXi ransomware impact all the VMs running on the hypervisor”
From the standpoint of an attacker, infesting a vSphere host, or any hypervisor for that matter, is an “N birds, 1 stone” type of gig. Instead of impacting one workstation or one server, all the virtual machines running on the host become unavailable. Such an attack will wreak havoc in any enterprise environment!
How does a Ransomware Attack Work?
In the case of targeted attacks, the bad actor works to gain remote access to a box in the local network (LAN), usually a user computer, and then make a lateral move to access the management subnet and hit critical infrastructure components such as VMware ESXi.
There are several ways a ransomware attack on VMware ESXi can happen but reports have described the following process.
“The ransomware attack on VMware ESXi described in this blog is broken down into 5 stages”
Stage 1: Access local network
Gaining access to the LAN usually goes either of 2 ways:
A malware is downloaded in a phishing email or from a website. It can also come from an infected USB stick.
The attacker performs a Brute force attack against a remote access server exposed to the internet. This seems more unusual as it involves more resources and knowledge of the target. Brute force attacks are also often caught by DDoS protection mechanisms.
“Ransomware spread through malicious email attachments, websites, USB sticks”
Stage 2: Escalate privileges
Once the attacker has remote access to a machine on the local network, be it a workstation or a remote desktop server, he will try to escalate privileges to open doors for himself.
Several reports mentioned attackers leveraging CVE-2020-1472 which is a vulnerability in how the Netlogon secure channel connections are done. The attacker would use the Netlogon Remote Protocol (MS-NRPC) to connect to a domain controller and gain domain administrator access.
Stage 3: Access management network
Once the bad actors have domain administrator privileges, they can already deal a large amount of damage to the company. In the case of a ransomware attack on VMware ESXi, they will use it to gain access to machines on the management network, in which the vCenter servers and vSphere ESXi servers live.
Note that they might even skip this step if the company made the mistake to give user workstations access to the management network.
Stage 4: VMware ESXi vulnerabilities
When the attackers are in the management network, you can only hope that all the components in your infrastructure have the latest security patches installed and strong password policies. At this point, they are the last line of defense, unless a zero-day vulnerability is being leveraged in which case there isn’t much you can do about it.
Several remote code execution vulnerabilities have been exploited over the last year or so against VMware ESXi servers and vCenter servers.
The two critical vulnerabilities that give attackers access to vSphere hosts relate to the Service Location Protocol (SLP) used by vSphere to discover devices on the same network. By sending malicious SLP commands, the attacker can execute remote code on the host.
CVE-2019-5544: Heap overwrite issue in the OpenSLP protocol in VMware ESXi.
CVE-2020-3992: Use-after-free issue in the OpenSLP protocol in VMware ESXi.
CVE-2021-21985: Although no attack mentions it, we can assume the vCenter Plug-in vulnerability discovered in early 2021 can be a vector of attack as well. Accessing vSphere hosts is fairly easy once the vCenter is compromised.
They can then enable SSH to obtain interactive access and sometimes even change the root password or SSH keys of the hosts.
Note that the attacker may not even need to go through all that trouble if he manages to somehow recover valid vCenter of vSphere credentials. For instance, if they are stored in the web browser or retrieved from the memory of the infected workstation.
Stage 5: Encrypt datastore and request ransom
Now that the attacker has access to the VMware ESXi server, he will go through the following steps to lock your environment for good.
Uninstall Fault Domain Manager or fdm (HA agent) used to reboot VMs in case of failure.
Shut down all the virtual machines.
Encrypt all virtual machine files using an ELF executable, derived from an encrypting script that targets Linux machines. This file is usually named svc-new and stored in /tmp.
Write a ransom file to the datastore for the administrator to find.
Note that there are variations of the ransomware attack on VMware ESXi, which themselves are ever-evolving. Meaning the steps described above represent one way things can happen but your mileage may very well vary.
How to protect yourself from ransomware attacks on VMware ESXi
If you look online for testimonies, you will find that the breach never comes from a hooded IT mastermind in an ill-lit room that goes through your firewalls by frantically typing on his keyboard like in the movies.
The reality is nowhere near as exciting. 9 times out of 10, it will be an infected attachment in a phishing email or a file downloaded on a shady website. This is most often the doing of a distracted user that didn’t check the link and executed the payload without thinking twice.
Ensure at least the following general guidelines are being enforced in your environment to establish a first solid line of defense:
VMware environment-related recommendations
If you need to open internet access on your vCenter, enforce strong edge firewall rules and proxy access to specific domains. Do not expose vCenter on the internet!!! (Yes, it’s been done).
Set VMware ESXi shell and SSH to manual start and stop.
Don’t use the same password on all the hosts and out-of-band cards.
Some recommend not to add Active Directory as an Identity Source in vCenter Server. While this certainly removes a vector of attack, configuring Multi-Factor Authentication also mitigates this risk.
Industry standards
Educate your users and administrators through educational campaigns.
Ensure the latest security patches are installed as soon as possible on all infrastructure components as well as backups servers, workstations…
Segregate the management subnets from other subnets.
Connect to the management network through a jump server. It is critical that the jump server must:
Be secured and up to date
Accessible only through Multifactor authentication (MFA)
Must only allow a specific IP range.
Restrict network access to critical resources only to trained administrators.
Ensure AD is secured and users/admins are educated on phishing attacks.
Apply least privilege policy.
Use dedicated and named accounts.
Enforce strong password policies.
Segregate Admin and Domain admin accounts on AD.
Log out users on inactivity on Remote Desktop Servers.
Don’t save your infrastructure password in the browser.
Use Multi-Factor Authentication (MFA) where possible, at least on admin accounts.
Forward infrastructure logs to a Syslog server for trail auditing.
Ensure all the workstations and servers have a solid antivirus with regularly updated definitions.
Where do backups fit in all this?
While there are decryption tools out there, they will not always work. In fact, they almost never will.
Restoring from backup is essentially the only way known to date that you can use to recover from a ransomware attack on VMware ESXi. You can use Altaro VM Backup to ensure your environment is protected.
Because attackers know this well, they will try to take down the backup infrastructure and erase all the files so your only option left is to pay the ransom. Which, as mentioned previously, is no guaranty that you get your files back.
Because of it, it is paramount to ensure your backup infrastructure is protected and secure by following best practices:
Avoid Active Directory Domain integration or use multi-factor authentication (MFA).
Do not use the same credentials for access to the VMware and Backup infrastructures.
NIST controls for data integrity (National Institute of Standards and Technology)
VMware documents solutions for combatting ransomware by incorporating the National Institute of Standards and Technology (NIST) controls specific to data integrity. You can find VMware’s recommendations and implementation of the NIST in this dedicated document:
“National Institute of Standards and Technology logo”
The NIST framework is broken down into 5 functions:
In the VMware document linked above, you will find Detect, Protect and Respond recommendations that apply to various environments such as private cloud, hybrid cloud or end-user endpoints.
So How Worried Should I be?
Ransomware have always been one of the scary malware as they can deal a great amount of damage to a company, up to the point of causing some of them to go into bankruptcy. However, let us not get overwhelmed by these thoughts as you are not powerless against them. It is always best to act than to react.
In fact, there is no reason for your organization to get hit by a ransomware as long as you follow all the security best practices and you don’t cut corners. It might be tempting at some point to add an ALLOW ALL/ALL firewall rule to test something, give a user or service account full admin rights, patch a server into an extra VLAN or whatever action you know for a fact would increase your security officer’s blood pressure. In such a case, even if there is a 99.9% chance things are fine, think of the consequences it could have on the company as a whole should you hit that 0.1% lurking in the back.
If you are reading this and you have any doubts regarding the security of your infrastructure, run a full audit of what is currently in place and draw a plan to bring it into compliance with the current industry best practices as soon as possible. In any case, patch your systems as soon as possible, especially if you are behind!
The Internet of Things (IoT) is here, and we’re using it for everything from getting instant answers to random trivia questions to screening visitors at the door. According to Gartner, we were expected to use more than 25 billion internet-connected devices by the end of 2021. But as our digital lives have become more convenient, we might not yet have considered the risks involved with using IoT devices.
How can you keep yourself secure in today’s IoT world, where hackers aim to outsmart your smart home? First we’ll look at how hackers infiltrate the IoT, and then we’ll look at what you can do right now to make sure the IoT is working for you – not against you.
How hackers are infiltrating the Internet of Things
While we’ve become comfortable asking voice assistants to give us the weather forecast while we prep our dinners, hackers have been figuring out how to commandeer our IoT devices for cyber attacks. Here are just a few examples of how cyber criminals are already infiltrating the IoT.
Gaining access to and control of your camera
Have you ever seen someone with a sticker covering the camera on their laptop or smartphone? There’s a reason for that. Hackers have been known to gain access to these cameras and spy on people. This has become an even more serious problem in recent years, as people have been relying on videoconferencing to safely connect with friends and family, participate in virtual learning, and attend telehealth appointments during the pandemic. Cameras now often come with an indicator light that lets you know whether they’re being used. It’s a helpful protective measure, but not a failsafe one.
Using voice assistants to obtain sensitive information
According to Statista, 132 million Americans used a digital voice assistant once a month in 2021. Like any IoT gadget, however, they can be vulnerable to attack. According to Ars Technica, academic researchers have discovered that the Amazon Echo can be forced to take commands from itself, which opens the door to major mischief in a smart home. Once an attacker has compromised an Echo, they can use it to unlock doors, make phone calls and unauthorized purchases, and control any smart home appliances that the Echo manages.
Many bad actors prefer the quiet approach, however, slipping in undetected and stealing information. They can piggyback on a voice assistant’s privileged access to a victim’s online accounts or other IoT gadgets and make off with any sensitive information they desire. With the victim being none the wiser, the attackers can use that information to commit identity fraud or stage even more ambitious cyber crimes.
Hacking your network and launching a ransomware attack
Any device that is connected to the internet, whether it’s a smart security system or even a smart fridge, can be used in a cyber attack. Bad actors know that most people aren’t keeping their IoT gadgets’ software up to date in the same way they do their computers and smartphones, so they take advantage of that false sense of security. Once cyber criminals have gained access to an IoT device, they can go after other devices on the same network. (This is because most home networks are designed to trust devices that are already connected to them.) When these malicious actors are ready, they can launch a ransomware attack that brings your entire digital life to a halt – unless you agree to fork over a hefty sum in bitcoin, that is.
Using bots to launch a DDOS attack
Although most people never notice it, hackers can and do infect IoT devices with malware en masse, gaining control over them in the process. Having turned these zombie IoT devices into bots, the hackers then collectively use them to stage what’s called a botnet attack on their target of choice. This form of assault is especially popular for launching distributed denial of service (DDOS) attacks, in which all the bots in a botnet collectively flood a target with network requests until it buckles and goes offline.
How you can keep your Internet of Things gadgets safe from hackers
So how can you protect your IoT devices from these determined hackers? Fortunately, you can take back control by becoming just a little more cyber smart. Here are a few ways to keep your IoT gadgets safe from hackers:
Never use the default settings on your IoT devices. Although IoT devices are designed to be plug-and-play so you can start enjoying them right away, their default settings are often not nearly as secure as they should be. With that in mind, set up a unique username and strong password combination before you start using any new IoT technology. While you’re at it, see if there’s an option to encrypt the traffic to and from your IoT device. If there is, turn it on.
Keep your IoT software up to date. Chances are, you regularly install the latest software updates on your computer and phone. Hackers are counting on you to leave your IoT gadgets unpatched, running outdated software with vulnerabilities they can exploit, so be sure to keep the software on your IoT devices up to date as well.
Practice good password hygiene. We all slip into bad password habits from time to time – it’s only human – but they put our IoT security at risk. With this in mind, avoid re-using passwords and be sure to set unique, strong passwords on each of your IoT devices. Update those passwords from time to time, too. Don’t store your passwords in a browser, and don’t share them via email. A password manager can help you securely store and share your passwords, so hackers never have a chance to snatch them.
Use secure, password-protected WiFi. Cyber criminals are notorious for sneaking onto open, insecure WiFi networks. Once they’re connected, they can spy on any internet activity that happens over those networks, steal login credentials, and launch cyber attacks if they feel like it. For this reason, make sure that you and your IoT devices only use secure, password-protected WiFi.
Use multi-factor authentication as an extra layer of protection. Multi-factor authentication (MFA), gives you extra security on top of all the other measures we mentioned above. It asks you to provide one more credential, or factor, in addition to a password to confirm you are who you say you are. If you have MFA enabled and a hacker tries to log in as you, you’ll get a notification that a login attempt is in progress. Whenever you have the option to enable MFA on any account or technology, take advantage of it.
Protect your Internet of Things devices with smart password security
The IoT is making our lives incredibly convenient, but that convenience can be a little too seductive at times. It’s easy to forget that smart home devices, harmless-looking and helpful as they are, can be targeted in cyber attacks just like our computers and phones. Hackers are counting on you to leave your IoT gadgets unprotected so they can use them to launch damaging attacks. By following these smart IoT security tips, you can have the best of both worlds, enjoying your smart life and better peace of mind at the same time.
Learn how LastPass Premium helps you strengthen your password security.
Fig. 1: Devices exposed to threats — Q1 vs. Q2
Fig. 2: Potentially compromised devices by category
Fig. 3: Phishing victims and phishing campaigns by abused brands
Fig. 4: Phishing targeted accounts — consumers vs. business
Fig. 5: Phishing toolkits by number of reused days Q2 2022
Fig. 6: Top 10 reused phishing toolkits
