The global cybersecurity market is flourishing. Experts at Gartner predict that the end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026.
One big area of spending includes the art of putting cybersecurity defenses under pressure, commonly known as security testing. MarketsandMarkets forecasts the global penetration testing (pentesting) market size is expected to grow at a Compound Annual Growth Rate (CAGR) of 13.7% from 2022 to 2027. However, the costs and limitations involved in carrying out a penetration test are already hindering the market growth, and consequently, many cybersecurity professionals are making moves to find an alternative solution.
Pentests aren’t solving cybersecurity pain points
Pentesting can serve specific and important purposes for businesses. For example, prospective customers may ask for the results of one as proof of compliance. However, for certain challenges, this type of security testing methodology isn’t always the best fit.
1 — Continuously changing environments
Securing constantly changing environments within rapidly evolving threat landscapes is particularly difficult. This challenge becomes even more complicated when aligning and managing the business risk of new projects or releases. Since penetration tests focus on one moment in time, the result won’t necessarily be the same the next time you make an update.
2 — Rapid growth
It would be unusual for fast-growing businesses not to experience growing pains. For CISOs, maintaining visibility of their organization’s expanding attack surface can be particularly painful.
According to HelpNetSecurity, 45% of respondents conduct pentests only once or twice per year and 27% do it once per quarter, which is woefully insufficient given how quickly infrastructure and applications change.
3 — Cybersecurity skills shortages
As well as limitations in budgets and resources, finding the available skillsets for internal cybersecurity teams is an ongoing battle. As a result, organizations don’t have the dexterity to spot and promptly remediate specific security vulnerabilities.
While pentests can offer an outsider perspective, often it is just one person performing the test. For some organizations, there is also an issue on trust when relying on the work of just one or two people. Sándor Incze, CISO at CM.com, gives his perspective:
“Not all pentesters are equal. It’s very hard to determine if the pentester you’re hiring is good.”
4 — Cyber threats are evolving
The constant struggle to stay up to date with the latest cyberattack techniques and trends puts media organizations at risk. Hiring specialist skills for every new cyber threat type would be unrealistic and unsustainable.
HelpNetSecurity reported that it takes 71 percent of pentesters one week to one month to conduct a pentest. Then, more than 26 percent of organizations must wait between one to two weeks to get the test results, and 13 percent wait even longer than that. Given the fast pace of threat evolution, this waiting period can leave companies unaware of potential security issues and open to exploitation.
5 — Poor-fitting security testing solutions for agile environments
Continuous development lifecycles don’t align with penetration testing cycles (often performed annually.) Therefore, vulnerabilities mistakenly created during long security testing gaps can remain undiscovered for some time.
Bringing security testing into the 21st-century Impact
A proven solution to these challenges is to utilize ethical hacker communities in addition to a standard penetration test. Businesses can rely on the power of these crowds to assist them in their security testing on a continuous basis. A bug bounty program is one of the most common ways to work with ethical hacker communities.
What is a bug bounty program?
Bug bounty programs allow businesses to proactively work with independent security researchers to report bugs through incentivization. Often companies will launch and manage their program through a bug bounty platform, such as Intigriti.
Organizations with high-security maturity may leave their bug bounty program open for all ethical hackers in the platform’s community to contribute to (known as a public program.) However, most businesses begin by working with a smaller pool of security talent through a private program.
How bug bounty programs support continuous security testing structures
While you’ll receive a certificate to say you’re secure at the end of a penetration test, it won’t necessarily mean that’s still the case the next time you make an update. This is where bug bounty programs work well as a follow-up to pentests and enable a continuous security testing program.
The impact of bug bounty program on cybersecurity
By launching a bug bounty program, organizations experience:
More robust protection: Company data, brand, and reputation have additional protection through continuous security testing.
Enabled business goals: Enhanced security posture, leading to a more secure platform for innovation and growth.
Improved productivity: Increased workflow with fewer disruptions to the availability of services. More strategic IT projects that executives have prioritized, with fewer security “fires” to put out.
Increased skills availability: Internal security team’s time is freed by using a community for security testing and triage.
Clearer budget justification: Ability to provide more significant insights into the organization’s security posture to justify and motivate for an adequate security budget.
Improved relationships: Project delays significantly decrease without the reliance on traditional pentests.
Want to know more about setting up and launching a bug bounty program?
Intigriti is the leading European-based platform for bug bounty and ethical hacking. The platform enables organizations to reduce the risk of a cyberattack by allowing Intigriti’s network of security researchers to test their digital assets for vulnerabilities continuously.
If you’re intrigued by what you’ve read and want to know about bug bounty programs, simply schedule a meeting today with one of our experts.
Users locking their accounts is a common problem, it’s one of the top calls to the helpdesk.
What is frustrating is when you unlock a user’s account and it keeps randomly locking. The user could be logged into multiple devices (phone, computer, application, and so on) and when they change their password it will cause ongoing lock-out issues.
This guide will help you to track down the source of those lockouts.
Check it out:
Step 1: Enabling Auditing Logs
The first step to tracking down the source of account lockouts is to enable auditing. If you do not turn on the proper auditing logs then the lockout events will not be logged.
Here are the steps to turn on the audit logs:
1. Open Group Policy Management Console
This can be from the domain controller or any computer that has the RSAT tools installed.
2. Modify Default Domain Controllers Policy
Browse to the Default Domain Controllers Policy, right-click, and select edit. You can also create a new GPO on the “Domain Controllers” OU if you prefer to not edit the default GPO.
Enable Success and Failure for “Audit Kerberos Authentication Service.”
Auditing is now turned on and event 4740 will be logged in the security events logs when an account is locked out. In addition, the Kerberos logs are enabling which will log authentication failures with the lockout. Sometimes event 4740 does not log the source computer and the Kerberos logs provide additional details.
Step 2: Using the User Unlock GUI Tool to Find the Source of Account Lockouts
This step uses the User Unlock Tool to find the event ID 4740 and other event IDs that will help troubleshoot lockouts.
I created this tool to make it super easy for any staff member to unlock accounts, reset passwords and find the source of account lockouts. It also has some additional features to help find the source of lockouts.
Click on the “User Unlock” tool in the left side menu.
Step 2. Select Troubleshoot Lockouts
Select Troubleshoot lockouts and click run
You will now have a list of events that will show the source of a lockout or the source of bad authentication attempts.
In the above screenshot, you can see the account “robert.allen” lockout came from computer PC1.
There will be times when event 4740 does not show the source computer. When that happens you can use the other logged events to help troubleshoot log out events. For example, if the above screenshot had no event 4740 I can look at 4771 and see the failed authentication attempt was from a computer with the IP 192.168.100.20.
In addition, you can unlock the account and reset the password all from one tool. The tool will display all locked accounts, you can select a single account or multiple accounts to unlock.
This will display the caller computer name of the lockout. This is the source of the user account lockout.
You can also open the event log and filter the events for 4740
Although this method works it takes a few manual steps and can be time consuming. You may also have staff that is not familiar with PowerShell and need to perform other functions like unlock or reset the user’s account.
That is why I created the Active Directory User Unlock GUI tool. This tool makes it super easy for staff to find all locked users and the source of account lockouts.
I hope you found this article useful. If you have questions or comments let me know by posting a comment below.
There are times when you need to determine which domain controller you have authenticated to. This can be helpful for a number of reasons such as troubleshooting group policy, slow logins, application issues, map network drives or printers, and so on.
For example, recently I ran into an issue where single sign-on was not working for multiple applications. I was troubleshooting the issue on multiple virtual desktops and noticed that single sign on was working on one of them. I thought this was strange considering all the virtual desktops were the exact same. That is when I checked which domain controller it authenticated against and noticed it was DC2 and all the others were DC1.
How to Check Logon Server
You can check the logon server with either the command line or PowerShell.
Option 1 – Using the Command Line
Open the command line, type the command below, and press enter
set l
In the screenshot above I authenticated to the DC2 domain controller. The set l command displays everything from the set command that starts with l so it’s displaying the localappdata also. You could just type set logon to see only the logonserver.
Option 2 – Using PowerShell
Open PowerShell, type the command below, and press enter
$env:LOGONSERVER
Find Domain Controller Group Policy Was Applied From
If you need to know which domain controller a computer or user applied its group policy settings from then run the gpresult /r command.
gpresult /r
You can see in the above screenshot the group policy was applied from DC2.
Make sure you check the user settings section as the policy could apply from a different domain controller.
Recommended Tool: Permissions Analyzer for Active Directory
This FREE tool lets you get instant visibility into user and group permissions and allows you to quickly check user or group permissions for files, network, and folder shares.
You can analyze user permissions based on an individual user or group membership.
In this tutorial, I will demonstrate moving Active Directory users from one domain to another.
I’m going to move 2747 users from one domain (running server 2019) to a new domain running server 2022. You can move accounts to an existing domain or a new one.
The tools used in this guide will work with domain controllers running 2008 and later operating systems. Also, you can move accounts in the same domain forest, a different forest, domain trust, or no trust.
Reasons for moving users:
Creating a test environment
Merging with another company
Moving or upgrading to a new server
No trust between domains
Moving users to a single domain (consolidating domains)
Steps for Moving Users From One Domain To Another Domain
To complete the move I will use some PowerShell scripts to re-create the OUs and groups. I’ll then use the export and import tool from the AD Pro Toolkit to move the accounts.
Note
This method does not migrate computer user profiles or SID history. It will move user data from Active Directory such as OUs, group membership, and user fields (address, manager, phone number, state, etc).
With the export tool, you can select to export from the entire domain, an OU or group.
You can also change the columns to preserve user settings when moving to the new domain.
Below is a screenshot of the CSV file exported from my source domain. I exported 2747 users and it includes 31 columns of user properties. Again, you can use the attribute selector to add or remove columns. These user properties will be preserved and imported into the other domain.
2. Modify CSV File for the new domain
To import these accounts into the new domain you will need to add a password column. If it is a different domain you will also need to modify the OU path. I’m going from ad.activedirectorypro.com to ad2.activedirectorypro.com so I’ll need to update the ou path. You can easily do this in excel with a search and replace.
You can change additional details in the CSV to reflect the new domain. For example, you can change proxyAddresses to the new domain name or change the userPrincipalName.
Now I’m ready to import all 2747 accounts into the new domain. This will import them into the new domain, add them into the OUs, add to groups and keep their user settings from the old domain.
3. Import Users Into the New Domain (or existing domain)
If you are moving the users to an existing domain you probably don’t need to create OUs or groups. If it’s a new domain and you want to replicate the AD structure of the source domain then you can use some PowerShell scripts. See the links below for step by step instructions.
Select the CSV file, your import options, and click run.
When the import is complete you can check the logs and Active Directory to verify the import.
Above you can see a screenshot of the source and the new domain. All of the accounts are imported into the same OUs and groups.
Using the export and import tool makes it really easy to move users to a new domain while keeping their group membership and user properties from Active Directory. It also is very flexible as you can move users from an old domain such as 2008 to a newer server like 2019 or later.
You also don’t have to worry about trust relationships or connections between the two domains.
Below are some PowerShell commands to help you verify the numbers in Active Directory.
Count the Number of Active Directory Objects using PowerShell
Here are some PowerShell commands I used to count the number of objects in the source domain.
Get the number of AD users
(Get-ADUser -filter *).count
The above command gets the count for all users in the domain. To get the count for just an OU use this command. Change the SearchBase to the path of your root OU.
2747 is the number of users in my source domain so this means all the users imported into the new domain successfully.
Get the number of AD Computers
(Get-ADComputer -Filter *).count
Get the number of Organizational Units
(Get-ADOrganizationalUnit -filter *).count
Get the number of AD Security groups
(Get-ADGroup -Filter *).Count
Conclusion
That’s how you move users from one domain to another using tools from the AD Pro Toolkit and PowerShell. An alternative to moving users to another domain is by using the Microsoft Active Directory Migration Tool. The ADMT (Active Directory Migration Tool) will migrate SID and computer profiles. The only problem with this tool is it is not updated, has no support, and often fails. It also is not as flexible as the method I demonstrated in this guide.
A list of the best Active Directory tools to help you simplify and automate Microsoft Active Directory management tasks.
The native Windows Administrative Tools are missing many features that administrators need to effectively do their jobs. Things like bulk operations and automation are just not possible with the Active Directory users and computer consoles.
The good news is there are many useful Active Directory Tools to choose from that can help you manage domain users, groups, and computers, generate reports, find security weaknesses, and more.
The Bulk Import tool makes it easy to import new user accounts into Active Directory from CSV. Includes a CSV template, sets multiple user attributes, and adds users to groups during the import. Automate the creation of new user accounts and simplify the user account provisioning process.
Active Directory Explorer is a browser to navigate the AD database, objects, permissions, and schema objects within Active Directory. The interface is similar to Active Directory users and computers but allows you to view advanced settings. This is not a tool you would use on a daily basis, this would be used for very specific tasks such as viewing an object’s attributes and security sessions.
Another neat feature is the ability to save a snapshot of the AD database. You can then load it for offline viewing and explore it like it was a live database. Again not a common use case.
Adaxes is a premium product that automates many AD management tasks, like user provisioning, assigning permissions, creating mailboxes, delegation, and much more. All management tasks are done from a web interface and can be accessed from laptops, tablets, and phones. The web interface is fully customizable so you can view just want you to need. Also includes a user self service portal and a password self service portal.
The user export tool lets you export all uses plus all common user fields to a CSV. Over 40 user fields can be added to the export by clicking the change columns button. This is a great tool if you need a report of all users, the groups they are a member of, OU, and more.
Key Features
Find users TRUE last logon date from all domain controllers
This tool lets you bulk update user account properties from CSV file. Some popular use cases are bulk updating user’s proxyaddresses, employeeid, addresses, manager, addresses, state, country, and so on.
All changes are sent to a log file which lets you keep track of changes and check for errors. This is a very popular tool!
The AD Cleanup tool searches your domain for stale and inactive user accounts based on the account’s lastlogon attribute. You can also find disabled, expired, accounts that have never been used and empty groups.
It is recommended to run a cleanup process on your domain at least once a month, this tool can help simplify that cleanup process and secure your domain.
This utility was designed to Monitor Active Directory and other critical services like Azure, DNS, and DHCP. It will quickly spot domain controller issues, replication, performance issues with cloud services, failed logon attempts, and much more.
This is a premium tool that has a big price tag but it’s an incredible product. You can monitor all resources including applications, hardware, processes, and cloud systems. Everything is accessed from a single web console, you can get email alerts based on various thresholds.
If you want a simple tool to monitor your Active Directory services then this is a great tool.
Check the health of your domain controllers with this easy to use tool. Runs 27 health checks on your servers to check for critical errors. Click on any failed test to quickly see the details.
Also includes an option to test DNS and check event logs for critical events.
Find all locked users with the click of a button. Unlock, reset passwords or show advanced details like the source of the lockout and more. To pull the source computer you need to have auditing enabled, check the administrator guide for how to enable this.
Bulk add or remove users to Active Directory groups. You can bulk add users to a single group or multiple groups all at once. Very easy to use and saves a lot of time. Just add the users to the CSV template and the name of the group or groups you want to add them to.
The last logon reporter will get the user’s TRUE last logon time from all domain controllers in your domain. You can limit the search to the entire domain, organizational unit, or groups.
AD FastReporter has a large list of pre-built reports to pick from. Report on users, computers, groups, contacts, printers, group policy objects, and organizational units. Very easy to use but does have an older style interface.
Here is a small example of the reports you can run:
All users
Deleted Users
Users with a home directory
users without logon script
All computers
All domain controllers
Computers created in the last 30 days
Users created in the last 30 days
13. Local Group Report
This tool gets the local groups and group members on remote computers. You can quickly sort or filter the groups to get a list of all users and groups that have local administrator rights.
Report and export group membership has never been easier, select from the entire domain, groups, or organizational unit. This tool also helps to find nested security groups.
Key Features
The fastest way to get all domain gruops and group membership
Dovestones AD Reporting tool contains a large number of pre built reports. You can customize the report by selecting user attributes and defining which users to export.
Get the uptime and last boot of remote computers. Report on the entire domain or select from an OU or group.
Very helpful during maintenance days to verify if computers have rebooted.
17. SolarWinds Permissions Analyzer
This FREE tool lets you get instant visibility into user and group permissions. Quickly check user or group permissions for files, network, and folder shares.
Analyze user permissions based on an individual user or group membership.
The NTFS permissions tool will report folder security for local, remote, and UNC folder permissions. The grid view comes with a powerful filter so you can search and limit the results to find specific permissions such as Active Directory groups.
Windows PowerShell is a very powerful tool that can automate many Active Directory and Windows tasks. The problem is it can be complex to learn some of the advanced functions. With that said there are plenty of cmdlets that can be used in a single line of code to do some pretty cool things in Windows.
Create new user account: New-Aduser
Create computer account: New-ADComputer
Create a security group: New-ADGroup
Create a organizational unit: New-ADOrganizationalUnit
Get domain details: Get-ADDomin
Get domain password policy: Get-ADDefaultDomainPasswordPolicy
Get group policy: get-GPO -all
Get all services: get-service
Find locked user accounts: Search-ADAccount -LockedOut
The Sysinternals is a suite of small GUI programs and command line utilities designed to troubleshoot and diagnose your Windows systems and applications. They are all portable, which means you don’t need to install them, you can just run the exe or commands with no installation required.
These utilities were created way back in 1996 by Mark Russinovich and then later acquired by Microsoft. There are a bunch of tools included I will list some of the popular ones.
Process Monitor – Shows real time file system, registry and process activity.
PsExec – Lets you execute programs on a remote system
PsKill – Kill local and remote processes
Sysmon – Logs system activity about process creations, network connection and changes to files
Psinfo – Shows info about a local or remote computer
All-in-one Active Directory Toolkit
Our AD Pro Toolkit includes 12 Active Directory tools in a single interface.
The main benefit is it will save you time and make managing Active Directory easier. One of the most popular tasks of working with Active Directory is to create new user accounts. The built-in tools provide no options for bulk importing new accounts so it becomes very time-consuming. With the AD Pro Toolkit you can easily bulk import, bulk update, and disable user accounts.
Below is a picture of how you would create an account with the built-in (ADUC) Active Directory Users and Computers console. Everything has to be manually entered and you have to go back and add users to groups.
Using Active Directory tools like the AD Bulk Import tool, you can bulk import thousands of accounts at once. Plus you can automatically set user accounts fields and add users to groups. Let me show you how easy it is.
Step 1: Fill out the provided CSV template.
The template includes all the common user fields you need to create a new account. Just fill out what you need and save the file.
Step 2: Import new account
With this tool just select your CSV file and click run. This will import all of the account information from the CSV and automatically bulk create new Active Directory user accounts.
You can watch the import process and when complete you have a log file of the import.
You will at some point be asked to export users to a CSV and again there is no easy built in option for this. When I was an administrator at a large organization I would get this request at least once a week and it was a pain. When I developed the user export tool this process became so easy I was able to have other staff members take it over.
The above picture is from the user export tool. This tool lets you easily export all users from the entire domain, an OU, or a group.
The ease of use is another benefit as many people don’t have time to learn PowerShell. PowerShell is a great tool and can do many things but it can be complex and time-consuming to learn. The AD Pro Toolkit has a very simple interface and you can start using it right away to perform many advanced tasks in your domain.
Frequently Asked Questions
Below are questions and answers regarding the AD Pro Toolkit.
Does the AD Pro Tool support multiple domains?
Yes. It will auto-detect your domains based on current credentials. You can click the domain button to change authentication and connect to other domains or domain controllers.
Do you have a tool to help with account lockouts?
Yes, the user unlock tool can quickly display all locked users and the source of the lockout.
What is required to use the toolkit?
To create and bulk modify users you will need these rights in your Active Directory domain. This is often done by putting your account in the domain administrator group but can also be done by delegating these rights. Some tools like the last logon reporter, export, and group membership require no special permissions.
Do I need to know PowerShell or scripting?
No. All tools are very easy to use and require no scripting or PowerShell experience.
Is there a way to bulk update the manager, telephone numbers, and other user fields?
Yes, this is exactly what the bulk updater tool was created for. You can easily bulk update from a large list of user fields.
Can I bulk export or import on a scheduled task?
We are working on this right now. AD Cleanup, bulk import, update, and export tools will include an option to run on a scheduled task or from a script.
I was just hired and Active Directory is a mess. Can the Pro toolkit help?
The AD Cleanup tool can help you find old user and computer accounts and bulk disable or move them. We have many customers that use this tool to cleanup their domain environments.
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q2 2022:
Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.
Ransomware attacks were defeated on the computers of 74,377 unique users.
Number of unique users attacked by financial malware, Q2 2022 (download)
Geography of financial malware attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.
Geography of financial malware attacks, Q2 2022 (download)
TOP 10 countries and territories by share of attacked users
Country or territory*
%**
1
Turkmenistan
4.8
2
Afghanistan
4.3
3
Tajikistan
3.8
4
Paraguay
3.1
5
China
2.4
6
Yemen
2.4
7
Uzbekistan
2.2
8
Sudan
2.1
9
Egypt
2.0
10
Mauritania
1.9
* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000). ** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.
TOP 10 banking malware families
Name
Verdicts
%*
1
Ramnit/Nimnul
Trojan-Banker.Win32.Ramnit
35.5
2
Zbot/Zeus
Trojan-Banker.Win32.Zbot
15.8
3
CliptoShuffler
Trojan-Banker.Win32.CliptoShuffler
6.4
4
Trickster/Trickbot
Trojan-Banker.Win32.Trickster
6
5
RTM
Trojan-Banker.Win32.RTM
2.7
6
SpyEye
Trojan-Spy.Win32.SpyEye
2.3
7
IcedID
Trojan-Banker.Win32.IcedID
2.1
8
Danabot
Trojan-Banker.Win32.Danabot
1.9
9
BitStealer
Trojan-Banker.Win32.BitStealer
1.8
10
Gozi
Trojan-Banker.Win32.Gozi
1.3
* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.
Ransomware programs
Quarterly trends and highlights
In the second quarter, the Lockbit group launched a bug bounty program. The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. This was the first-ever case of ransomware groups doing a (self-promotion?) campaign like that.
Another well-known group, Conti, said it was shutting down operations. The announcement followed a high-profile attack on Costa Rica’s information systems, which prompted the government to declare a state of emergency. The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.
While some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil’s website went back online in April, and researchers discovered a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.
Kaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and released a decryptor for all victims. Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.
Number of new modifications
In Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.
Geography of attacks by ransomware Trojans, Q2 2022 (download)
TOP 10 countries and territories attacked by ransomware Trojans
Country or territory*
%**
1
Bangladesh
1.81
2
Yemen
1.24
3
South Korea
1.11
4
Mozambique
0.82
5
Taiwan
0.70
6
China
0.46
7
Pakistan
0.40
8
Angola
0.37
9
Venezuela
0.33
10
Egypt
0.32
* Excluded are countries and territories with relatively few Kaspersky users (under 50,000). ** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.
* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data. ** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.
Miners
Number of new miner modifications
In Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression — in March through May we found a total of no more than 10,000 new modifications — was followed by a record of sorts.
Number of new miner modifications, Q2 2022 (download)
Number of users attacked by miners
In Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.
TOP 10 countries and territories attacked by miners
Country or territory*
%**
1
Rwanda
2.94
2
Ethiopia
2.67
3
Tajikistan
2.35
4
Tanzania
1.98
5
Kyrgyzstan
1.94
6
Uzbekistan
1.88
7
Kazakhstan
1.84
8
Venezuela
1.80
9
Mozambique
1.68
10
Ukraine
1.56
* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000). ** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
During Q2 2022, a number of major vulnerabilities were discovered in the Microsoft Windows. For instance, CVE-2022-26809 critical error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: CVE-2022-24491 and CVE-2022-24497. By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. The CVE-2022-24521 vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. CVE-2022-26925, also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.
Most of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved brute-forcing access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of Log4j vulnerability (CVE-2021-44228) is also quite common, as the susceptible Java library is often used in web applications. Besides, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability CVE-2022-22965 that exploits the data binding functionality and results in remote code execution. Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.
Vulnerability statistics
Exploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited CVE-2017-11882 and CVE-2018-0802, which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves the component memory being damaged and a specially designed script, run on the target computer. Another vulnerability, CVE-2017-8570, allows downloading and running a malicious script when opening an infected document, to execute various operations in a vulnerable system. The emergence of CVE-2022-30190or Follina vulnerability also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. This, in turn, combined with a special set of parameters passed to the victim’s computer, can cause an arbitrary command to be executed — even if macros are disabled and the document is opened in Protected Mode.
Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 (download)
Attempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome based browsers: CVE-2022-0609, CVE-2022-1096, and CVE-2022-1364. The first one was found in the animation component; it exploits a Use-After-Free error, causing memory damage, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they also can result in arbitrary code being executed on a vulnerable user system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks, in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, CVE-2022-1097, which appears when processing NSSToken-type objects from different streams. The browser was also found to contain CVE-2022-28281, a vulnerability that affects the WebAuthn extension. A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, CVE-2022-1802 and CVE-2022-1529, were exploited in cybercriminal attacks. The exploitation method, dubbed “prototype pollution”, allows executing arbitrary JavaScript code in the context of a privileged parent browser process.
As in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.
Attacks on macOS
The second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group Earth Berberoka (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. The TraderTraitor campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.
TOP 20 threats for macOS
Verdict
%*
1
AdWare.OSX.Amc.e
25.61
2
AdWare.OSX.Agent.ai
12.08
3
AdWare.OSX.Pirrit.j
7.84
4
AdWare.OSX.Pirrit.ac
7.58
5
AdWare.OSX.Pirrit.o
6.48
6
Monitor.OSX.HistGrabber.b
5.27
7
AdWare.OSX.Agent.u
4.27
8
AdWare.OSX.Bnodlero.at
3.99
9
Trojan-Downloader.OSX.Shlayer.a
3.87
10
Downloader.OSX.Agent.k
3.67
11
AdWare.OSX.Pirrit.aa
3.35
12
AdWare.OSX.Pirrit.ae
3.24
13
Backdoor.OSX.Twenbc.e
3.16
14
AdWare.OSX.Bnodlero.ax
3.06
15
AdWare.OSX.Agent.q
2.73
16
Trojan-Downloader.OSX.Agent.h
2.52
17
AdWare.OSX.Bnodlero.bg
2.42
18
AdWare.OSX.Cimpli.m
2.41
19
AdWare.OSX.Pirrit.gen
2.08
20
AdWare.OSX.Agent.gen
2.01
* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.
As usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, found with a quarter of all attacked users. Members of this family display fake system problem messages, offering to buy the full version to fix those. It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.
Geography of threats for macOS, Q2 2022 (download)
TOP 10 countries and territories by share of attacked users
Country or territory*
%**
1
France
2.93
2
Canada
2.57
3
Spain
2.51
4
United States
2.45
5
India
2.24
6
Italy
2.21
7
Russian Federation
2.13
8
United Kingdom
1.97
9
Mexico
1.83
10
Australia
1.82
* Excluded from the rating are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000). ** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.
In Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). AdWare.OSX.Amc.e was the most common adware encountered in these three countries.
IoT attacks
IoT threat statistics
In Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.
Telnet
82,93%
SSH
17,07%
Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022
The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.
Telnet
93,75%
SSH
6,25%
Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022
TOP 10 threats delivered to IoT devices via Telnet
Verdict
%*
1
Backdoor.Linux.Mirai.b
36.28
2
Trojan-Downloader.Linux.NyaDrop.b
14.66
3
Backdoor.Linux.Mirai.ek
9.15
4
Backdoor.Linux.Mirai.ba
8.82
5
Trojan.Linux.Agent.gen
4.01
6
Trojan.Linux.Enemybot.a
2.96
7
Backdoor.Linux.Agent.bc
2.58
8
Trojan-Downloader.Shell.Agent.p
2.36
9
Trojan.Linux.Agent.mg
1.72
10
Backdoor.Linux.Mirai.cw
1.45
* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.
TOP 10 countries and territories that serve as sources of web-based attacks
The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.
In Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.
Distribution of web-attack sources by country and territory, Q2 2022 (download)
Countries and territories where users faced the greatest risk of online infection
To assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
Country or territory*
%**
1
Taiwan
26.07
2
Hong Kong
14.60
3
Algeria
14.40
4
Nepal
14.00
5
Tunisia
13.55
6
Serbia
12.88
7
Sri Lanka
12.41
8
Albania
12.21
9
Bangladesh
11.98
10
Greece
11.86
11
Palestine
11.82
12
Qatar
11.50
13
Moldova
11.47
14
Yemen
11.44
15
Libya
11.34
16
Zimbabwe
11.15
17
Morocco
11.03
18
Estonia
11.01
19
Turkey
10.75
20
Mongolia
10.50
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000). ** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.
On average during the quarter, 8.31% of the Internet users’ computers worldwide were subjected to at least one Malware-class web attack.
Geography of web-based malware attacks, Q2 2022 (download)
Local threats
In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
In Q2 2022, our File Anti-Virus detected 55,314,176 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.
Note that these rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
Country or territory*
%**
1
Turkmenistan
47.54
2
Tajikistan
44.91
3
Afghanistan
43.19
4
Yemen
43.12
5
Cuba
42.71
6
Ethiopia
41.08
7
Uzbekistan
37.91
8
Bangladesh
37.90
9
Myanmar
36.97
10
South Sudan
36.60
11
Syria
35.60
12
Burundi
34.88
13
Rwanda
33.69
14
Algeria
33.61
15
Benin
33.60
16
Tanzania
32.88
17
Malawi
32.65
18
Venezuela
31.79
19
Cameroon
31.34
20
Chad
30.92
* Excluded are countries with relatively few Kaspersky users (under 10,000). ** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.
Earlier this year, we discovered a malicious campaign that employed a new technique for installing fileless malware on target machines by injecting a shellcode directly into Windows event logs. The attackers were using this to hide a last-stage Trojan in the file system.
The attack starts by driving targets to a legitimate website and tricking them into downloading a compressed RAR file that is booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. The attackers use these tools to inject code into any process of their choosing. They inject the malware directly into the system memory, leaving no artifacts on the local drive that might alert traditional signature-based security and forensics tools. While fileless malware is nothing new, the way the encrypted shellcode containing the malicious payload is embedded into Windows event logs is.
The code is unique, with no similarities to known malware, so it is unclear who is behind the attack.
WinDealer’s man-on-the-side spyware
We recently published our analysis of WinDealer: malware developed by the LuoYu APT threat actor. One of the most interesting aspects of this campaign is the group’s use of a man-on-the-side attack to deliver malware and control compromised computers. A man-on-the-side attack implies that the attacker is able to control the communication channel, allowing them to read the traffic and inject arbitrary messages into normal data exchange. In the case of WinDealer, the attackers intercepted an update request from completely legitimate software and swapped the update file with a weaponized one.
The malware does not contain the exact address of the C2 (command-and-control) server, making it harder for security researchers to find it. Instead, it tries to access a random IP address from a predefined range. The attackers then intercept the request and respond to it. To do this, they need constant access to the routers of the entire subnet, or to some advanced tools at ISP level.
The vast majority of WinDealer’s targets are located in China: foreign diplomatic organizations, members of the academic community, or companies active in the defense, logistics or telecoms sectors. Sometimes, though, the LuoYu APT group will infect targets in other countries: Austria, the Czech Republic, Germany, India, Russia and the US. In recent months, they have also become more interested in businesses located in other East Asian countries and their China-based offices.
ToddyCat: previously unknown threat actor attacks high-profile organizations in Europe and Asia
In June, we published our analysis of ToddyCat, a relatively new APT threat actor that we have not been able to link to any other known actors. The first wave of attacks, against a limited number of servers in Taiwan and Vietnam, targeted Microsoft Exchange servers, which the threat actor compromised with Samurai, a sophisticated passive backdoor that typically works via ports 80 and 443. The malware allows arbitrary C# code execution and is used alongside multiple modules that let the attacker administer the remote system and move laterally within the targeted network. In certain cases, the attackers have used the Samurai backdoor to launch another sophisticated malicious program, which we dubbed Ninja. This is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat.
The next wave saw a sudden surge in attacks, as the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries, including Iran, India, Malaysia, Slovakia, Russia and the UK.
Subsequently, we observed other variants and campaigns, which we attributed to the same group. In addition to affecting most of the previously mentioned countries, the threat actor targeted military and government organizations in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave was extended to desktop systems.
SessionManager IIS backdoor
In 2021, we observed a trend among certain threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities in Microsoft Exchange. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a target organization — to collect emails, update further malicious access or clandestinely manage compromised servers.
We published our analysis of one such IIS backdoor, called Owowa, last year. Early this year, we investigated another, SessionManager. Developed in C++, SessionManager is a malicious native-code IIS module. The attackers’ aim is for it to be loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server. This kind of malicious modules usually expects seemingly legitimate but specifically crafted HTTP requests from their operators, triggers actions based on the operators’ hidden instructions and then transparently passes the request to the server for it to be processed just as any other request.
As a result, these modules are not easily spotted through common monitoring practices.
SessionManager has been used to target NGOs and government organizations in Africa, South America, Asia, Europe and the Middle East.
We believe that this malicious IIS module may have been used by the GELSEMIUM threat actor, because of similar victim profiles and the use of a common OwlProxy variant.
Other malware
Spring4Shell
Late in March, researchers discovered a critical vulnerability (CVE-2022-22965) in Spring, an open-source framework for the Java platform. This is a Remote Code Execution (RCE) vulnerability, allowing an attacker to execute malicious code remotely on an unpatched computer. The vulnerability affects the Spring MVC and Spring WebFlux applications running under version 9 or later of the Java Development Kit. By analogy with the well-known Log4Shell vulnerability, this one was dubbed “Spring4Shell”.
By the time researchers had reported it to VMware, a proof-of-concept exploit had already appeared on GitHub. It was quickly removed, but it is unlikely that cybercriminals would have failed to notice such a potentially dangerous vulnerability.
You can find more details, including appropriate mitigation steps, in our blog post.
Actively exploited vulnerability in Windows
Among the vulnerabilities fixed in May’s “Patch Tuesday” update was one that has been actively exploited in the wild. The Windows LSA (Local Security Authority) Spoofing Vulnerability (CVE-2022-26925) is not considered critical per se. However, when the vulnerability is used in a New Technology LAN Manager (NTLM) relay attack, the combined CVSSv3 score for the attack-chain is 9.8. The vulnerability, which allows an unauthenticated attacker to force domain controllers to authenticate with an attacker’s server using NTLM, was already being exploited in the wild as a zero-day, making it a priority to patch it.
Follina vulnerability in MSDT
At the end of May, researchers with the nao_sec team reported a new zero-day vulnerability in MSDT (the Microsoft Support Diagnostic Tool) that can be exploited using a malicious Microsoft Office document. The vulnerability, which has been designated as CVE-2022-30190 and has also been dubbed “Follina”, affects all operating systems in the Windows family, both for desktops and servers.
MSDT is used to collect diagnostic information and send it to Microsoft when something goes wrong with Windows. It can be called up from other applications via the special MSDT URL protocol; and an attacker can run arbitrary code with the privileges of the application that called up the MSD: in this case, the permissions of the user who opened the malicious document.
Kaspersky has observed attempts to exploit this vulnerability in the wild; and we would expect to see more in the future, including ransomware attacks and data breaches.
BlackCat: a new ransomware gang
It was only a matter of time before another ransomware group filled the gap left by REvil and BlackMatter shutting down operations. Last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums, claiming that the group had learned from the errors of their predecessors and created an improved version of the malware.
The BlackCat creators use the ransomware-as-a-service (RaaS) model. They provide other attackers with access to their infrastructure and malicious code in exchange for a cut of the ransom. BlackCat gang members are probably also responsible for negotiating with victims. This is one reason why BlackCat has gained momentum so quickly: all that a “franchisee” has to do is obtain access to the target network.
The group’s arsenal comprises several elements. One is the cryptor. This is written in the Rust language, allowing the attackers to create a cross-platform tool with versions of the malware that work both in Windows and Linux environments. Another is the Fendr utility (also known as ExMatter), used to exfiltrate data from the infected infrastructure. The use of this tool suggests that BlackCat may simply be a re-branding of the BlackMatter faction, since that was the only known gang to use the tool. Other tools include the PsExec tool, used for lateral movement on the victim’s network; Mimikatz, the well-known hacker software; and the Nirsoft software, used to extract network passwords.
Yanluowang ransomware: how to recover encrypted files
The name Yanluowang is a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell. This ransomware is relatively recent. We do not know much about the victims, although data from the Kaspersky Security Network indicates that threat actor has carried out attacks in the US, Brazil, Turkey and a few other countries.
The low number of infections is due to the targeted nature of the ransomware: the threat actor prepares and implements attacks on specific companies only.
Our experts have discovered a vulnerability that allows files to be recovered without the attackers’ key — although only under certain conditions — with the help of a known-plaintext attack. This method overcomes the encryption algorithm if two versions of the same text are available: one clean and one encrypted. If the victim has clean copies of some of the encrypted files, our upgraded Rannoh Decryptor can analyze these and recover the rest of the information.
There is one snag: Yanluowang corrupts files slightly differently depending on their size. It encrypts small (less than 3 GB) files completely, and large ones, partially. So, the decryption requires clean files of different sizes. For files smaller than 3 GB, it is enough to have the original and an encrypted version of the file that are 1024 bytes or more. To recover files larger than 3 GB, however, you need original files of the appropriate size. However, if you find a clean file larger than 3 GB, it will generally be possible to recover both large and small files.
A description of how various groups share more than half of their components and TTPs, with the core attack stages executed identically across groups.
A cyber-kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps.
A detailed analysis of each technique with examples of how various groups use them, and a comprehensive list of mitigations.
SIGMA rules based on the described TTPs that can be applied to SIEM solutions.
Ransomware trends in 2022
Ahead of the Anti-Ransomware Day on May 12, we took the opportunity to outline the tendencies that have characterized ransomware in 2022. In our report, we highlight several trends that we have observed.
First, we are seeing more widespread development of cross-platform ransomware, as cybercriminals seek to penetrate complex environments running a variety of systems. By using cross-platform languages such as Rust and Golang, attackers are able to port their code, which allows them to encrypt data on more computers.
Second, ransomware gangs continue to industrialize and evolve into real businesses by adopting the techniques and processes used by legitimate software companies.
Third, the developers of ransomware are adopting a political stance, involving themselves in the conflict between Russia and Ukraine.
Finally, we offer best practices that organizations should adopt to help them defend against ransomware attacks:
Keep software updated on all your devices.
Focus your defense strategy on detecting lateral movements and data exfiltration.
Enable ransomware protection for all endpoints.
Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
Provide your SOC team with access to the latest threat intelligence.
Emotet’s return
Emotet has been around for eight years. When it was first discovered in 2014, its main purpose was stealing banking credentials. Subsequently, the malware underwent numerous transformations to become one of the most powerful botnets ever. Emotet made headlines in January 2021, when its operations were disrupted through the joint efforts of law enforcement agencies in several countries. This kind of “takedowns” does not necessarily lead to the demise of a cybercriminal operation. It took the cybercriminals almost ten months to rebuild the infrastructure, but Emotet did return in November 2021. At that time, the Trickbot malware was used to deliver Emotet, but it is now spreading on its own through malicious spam campaigns.
Recent Emotet protocol analysis and C2 responses suggest that Emotet is now capable of downloading sixteen additional modules. We were able to retrieve ten of these, including two different copies of the spam module, used by Emotet for stealing credentials, passwords, accounts and emails, and to spread spam.
You can read our analysis of these modules, as well as statistics on recent Emotet attacks, here.
Emotet infects both corporate and private computers all around the world. Our telemetry indicates that in the first quarter of 2022, targeted: it mostly targeted users in Italy, Russia, Japan, Mexico, Brazil, Indonesia, India, Vietnam, China, Germany and Malaysia.
Moreover, we have seen a significant growth in the number of users attacked by Emotet.
Mobile subscription Trojans
Trojan subscribers are a well-established method of stealing money from people using Android devices. These Trojans masquerade as useful apps but, once installed, silently subscribe to paid services.
The developers of these Trojans make money through commissions: they get a cut of what the person “spends”. Funds are typically deducted from the cellphone account, although in some cases, these may be debited directly to a bank card. We looked at the most notable examples that we have seen in the last twelve months, belonging to the Jocker, MobOk, Vesub and GriftHorse families.
Normally, someone has to actively subscribe to a service; providers often ask subscribers to enter a one-time code sent via SMS, to counter automated subscription attempts. To sidestep this protection, malware can request permission to access text messages; where they do not obtain this, they can steal confirmation codes from pop-up notifications about incoming messages.
Some Trojans can both steal confirmation codes from texts or notifications, and work around CAPTCHA: another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special CAPTCHA recognition service.
Some malware is distributed through dubious sources under the guise of apps that are banned from official stores, for example, masquerading as apps for downloading content from YouTube or other streaming services, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.
Other mobile subscription Trojans are less sophisticated. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as they enter their number and click the login button, and the amount is debited to their cellphone account.
Other Trojans employ subscriptions with recurring payments. While this requires consent, the person using the phone might not realize they are signing up for regular automatic payments. Moreover, the first payment is often insignificant, with later charges being noticeably higher.
You can read more about this type of mobile Trojan, along with tips on how to avoid falling victim to it, here.
The threat from stalkerware
Over the last four years, we have published annual reports on the stalkerware situation, in particular using data from the Kaspersky Security Network. This year, our report also included the results of a survey on digital abuse commissioned by Kaspersky and several public organizations.
Stalkerware provides the digital means for a person to secretly monitor someone else’s private life and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. It may be legal to market stalkerware, although its use to monitor someone without their consent is not. Developers of stalkerware benefit from a vague legal framework that still exists in many countries.
In 2021, our data indicated that around 33,000 people had been affected by stalkerware.
The numbers were lower than what we had seen for a few years prior to that. However, it is important to remember that the decrease of 2020 and 2021 occurred during successive COVID-19 lockdowns: that is, during conditions that meant abusers did not need digital tools to monitor and control their partners’ personal lives. It is also important to bear in mind that mobile apps represent only one method used by abusers to track someone — others include tracking devices such as AirTags, laptop applications, webcams, smart home systems and fitness trackers. KSN tracks only the use of mobile apps. Finally, KSN data is taken from mobile devices protected by Kaspersky products: many people do not protect their mobile devices. The Coalition Against Stalkerware, which brings together members of the IT industry and non-profit companies, believes that the overall number of people affected by this threat might be thirty times higher — that is around a million people!
Stalkerware continues to affect people across the world: in 2021, we observed detections in 185 countries or territories.
Just as in 2020, Russia, Brazil, the US and India were the top four countries with the largest numbers of affected individuals. Interestingly, Mexico had fallen from fifth to ninth place. Algeria, Turkey and Egypt entered the top ten, replacing Italy, the UK and Saudi Arabia, which were no longer in the top ten.
We would recommend the following to reduce your risk of being targeted:
Use a unique, complex password on your phone and do not share it with anyone.
Try not to leave your phone unattended; and if you have to, lock it.
Download apps only from official stores.
Protect your mobile device with trustworthy security software and make sure it is able to detect stalkerware.
Remember also that if you discover stalkerware on your phone, dealing with the problem is not as simple as just removing the stalkerware app. This will alert the abuser to the fact that you have become aware of their activities and may precipitate physical abuse. Instead, seek help: you can find a list or organizations that can provide help and support on the Coalition Against Stalkerware site.
In H1 2022, malicious objects were blocked at least once on 31.8% of ICS computers globally.Percentage of ICS computers on which malicious objects were blocked
For the first time in five years of observations, the lowest percentage in the first half of the year was observed in March. During the period from January to March, the percentage of attacked ICS computers decreased by 1.7 p.p.Percentage of ICS computers on which malicious objects were blocked, January – June 2020, 2021, and 2022
Among regions, the highest percentage of ICS computers on which malicious objects were blocked was observed in Africa (41.5%). The lowest percentage (12.8%) was recorded in Northern Europe.Percentage of ICS computers on which malicious objects were blocked, in global regions
Among countries, the highest percentage of ICS computers on which malicious objects were blocked was recorded in Ethiopia (54.8%) and the lowest (6.8%) in Luxembourg.15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H1 202210 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2022
Threat sources
The main sources of threats to computers in the operational technology infrastructure of organizations are internet (16.5%), removable media (3.5%), and email (7.0%).Percentage of ICS computers on which malicious objects from different sources were blocked
Regions
Among global regions, Africa ranked highest based on the percentage of ICS computers on which malware was blocked when removable media was connected.Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected, H1 2022
Southern Europe leads the ranking of regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H1 2022
Industry specifics
In the Building Automation industry, the percentage of ICS computers on which malicious email attachments and phishing links were blocked (14.4%) was twice the average value for the entire world (7%).Percentage of ICS computers on which malicious email attachments and phishing links were blocked, in selected industries
In the Oil and Gas industry, the percentage of ICS computers on which threats were blocked when removable media was connected (10.4%) was 3 times the average percentage for the entire world (3.5%).Percentage of ICS computers on which threats were blocked when removable media was connected
In the Oil and Gas industry, the percentage of ICS computers on which malware was blocked in network folders (1.2%) was twice the world average (0.6%).Percentage of ICS computers on which threats were blocked in network folders
Diversity of malware
Malware of different types from 7,219 families was blocked on ICS computers in H1 2022.Percentage of ICS computers on which the activity of malicious objects from different categories was prevented
Ransomware
In H1 2022, ransomware was blocked on 0.65% of ICS computers. This is the highest percentage for any six-month reporting period since 2020.Percentage of ICS computers on which ransomware was blocked
The highest percentage of ICS computers on which ransomware was blocked was recorded in February (0.27%) and the lowest in March (0.11%). The percentage observed in February was the highest in 2.5 years of observations.Percentage of ICS computers on which ransomware was blocked, January – June 2022
East Asia (0.95%) and the Middle East (0.89%) lead the ransomware-based ranking of regions. In the Middle East, the percentage of ICS computers on which ransomware was blocked per six-month reporting period has increased by a factor of 2.5 since 2020.Regions ranked by percentage of ICS computers on which ransomware was blocked, H1 2022
Building Automation leads the ranking of industries based on the percentage of ICS computers attacked by ransomware (1%).Percentage of ICS computers on which ransomware was blocked, in selected regions, H1 2022
Malicious documents
Malicious documents (MSOffice+PDF) were blocked on 5.5% of ICS computers. This is 2.2 times the percentage recorded in H2 2021. Threat actors distribute malicious documents via phishing emails and actively use such emails as the vector of initial computer infections.Percentage of ICS computers on which malicious documents (MSOffice+PDF) were blocked
In the Building Automation industry, the percentage of ICS computers on which malicious office documents were blocked (10.5%) is almost twice the global average.Percentage of ICS computers on which malicious office documents (MSOffice+PDF) were blocked, in selected industries
Spyware
Spyware was blocked on 6% of ICS computers. This percentage has been growing since 2020.Percentage of ICS computers on which spyware was blocked
Building Automation leads the ranking of industries based on the percentage of ICS computers on which spyware was blocked (12.9%).Percentage of ICS computers on which spyware was blocked, in selected industries
Malware for covert cryptocurrency mining
The percentage of ICS computers on which malicious cryptocurrency miners were blocked continued to rise gradually.Percentage of ICS computers on which malicious cryptocurrency miners were blocked
Building Automation also leads the ranking of selected industries by percentage of ICS computers on which malicious cryptocurrency miners were blocked.Percentage of ICS computers on which malicious cryptocurrency miners were blocked, in selected industries
Microsoft said it’s tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems.
“[The] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices,” Microsoft Security Intelligence said in a sequence of tweets over the weekend.
The tech giant’s cybersecurity division is tracking the developing threat cluster under the name DEV-0796.
Attach chains mounted by the adversary commence with an ISO file that’s downloaded onto a victim’s machine upon clicking on a malicious ad or comments on YouTube. The ISO file, when opened, is designed to install a browser node-webkit (aka NW.js) or rogue browser extension.
It’s worth noting that the ISO file masquerades as hacks and cheats for the Krunker first-person shooter game. Cheats are programs that help gamers gain an added advantage beyond the available capabilities during gameplay.
Also used in the attacks are DMG files, which are Apple Disk Image files primarily used to distribute software on macOS, indicating that the threat actors are targeting multiple operating systems.
The findings arrive as Kaspersky disclosed details of another campaign that lures gamers looking for cheats on YouTube into downloading self-propagating malware capable of installing crypto miners and other information stealers.
“Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series,” the Russian cybersecurity firm said in a recent report.
by Or Katz and Jim Black Data analysis by Gal Kochner and Moshe Cohen
Executive summary
Akamai researchers have analyzed malicious DNS traffic from millions of devices to determine how corporate and personal devices are interacting with malicious domains, including phishing attacks, malware, ransomware, and command and control (C2).
Akamai researchers saw that 12.3% of devices used by home and corporate users communicated at least once to domains associated with malware or ransomware.
63% of those users’ devices communicated with malware or ransomware domains, 32% communicated with phishing domains, and 5% communicated with C2 domains.
Digging further into phishing attacks, researchers found that users of financial services and high tech are the most frequent targets of phishing campaigns, with 47% and 36% of the victims, respectively.
Consumer accounts are the most affected by phishing, with 80.7% of the attack campaigns.
Tracking 290 different phishing toolkits being reused in the wild, and counting the number of distinct days each kit was reused over Q2 2022, shows that 1.9% of the tracked kits were reactivated on at least 72 days. In addition, 49.6% of the kits were reused for at least five days, demonstrating how many users are being revictimized multiple times. This shows how realistic-looking and dangerous these kits can be, even to knowledgeable users.
The most used phishing toolkit in Q2 2022 (Kr3pto, a phishing campaign that targeted banking customers in the United Kingdom, which evades multi-factor authentication [MFA]) was hosted on more than 500 distinct domains.
Introduction
“It’s always DNS.” Although that is a bit of a tongue-in-cheek phrase in our industry, DNS can give us a lot of information about the threat landscape that exists today. By analyzing information from Akamai’s massive infrastructure, we are able to gain some significant insights on how the internet behaves. In this blog, we will explore these insights into traffic patterns, and how they affect people on the other end of the internet connection.
Akamai traffic insights
Attacks by category
Based on Akamai’s range of visibility across different industries and geographies, we can see that 12.3% of protected devices attempted to reach out to domains that were associated with malware at least once during Q2 2022. This indicates that these devices might have been compromised. On the phishing and C2 front, we can see that 6.2% of devices accessed phishing domains and 0.8% of the devices accessed C2-associated domains. Although these numbers may seem insignificant, the scale here is in the millions of devices. When this is considered, along with the knowledge that C2 is the most malignant of threats, these numbers are not only significant, they’re cardinal.
Comparing 2022 Q2 results with 2022 Q1 results (Figure 1), we can see a minor increase in all categories in Q2. We attribute those increases to seasonal changes that are not associated with a significant change in the threat landscape.
Fig. 1: Devices exposed to threats — Q1 vs. Q2
In Figure 2, we can see that of the 12.3% potentially compromised devices, 63% were exposed to threats associated with malware activity, 32% with phishing, and 5% with C2. Access to malware-associated domains does not guarantee that these devices were actually compromised, but provides a strong indication of increased potential risk if the threat wasn’t properly mitigated. However, access to C2-associated domains indicates that the device is most likely compromised and is communicating with the C2 server. This can often explain why the incidence of C2 is lower when compared with malware numbers.
Fig. 2: Potentially compromised devices by category
Phishing attack campaigns
By looking into the brands that are being abused and mimicked by phishing scams in Q2 2022, categorized by brand industry and number of victims, we can see that high tech and financial brands led with 36% and 47%, respectively (Figure 3). These leading phishing industry categories are consistent with Q1 2022 results, in which high tech and financial brands were the leading categories, with 32% and 31%, respectively.
Fig. 3: Phishing victims and phishing campaigns by abused brands
When taking a different view on the phishing landscape–targeted industries by counting the number of attack campaigns being launched over Q2 2022, we can see that high tech and financial brands are still leading, with 36% and 41%, respectively (Figure 3). The correlation between leading targeted brands when it comes to number of attacks and number of victims is evidence that threat actors’ efforts and resources are, unfortunately, effectively working to achieve their desired outcome.
Akamai’s research does not have any visibility into the distribution channels used to deliver the monitored phishing attacks that led to victims clicking on a malicious link and ending up on the phishing landing page. Yet the strong correlation between different brand segments by number of attack campaigns and the number of victims seems to indicate that the volume of attacks is effective and leads to a similar trend in the number of victims. The correlation might also indicate that the distribution channels used have minimal effect on attack outcome, and it is all about the volume of attacks that lead to the desired success rates.
Taking a closer look at phishing attacks by categorization of attack campaigns — consumers vs. business targeted accounts— we can see that consumer attacks are the most dominant, with 80.7% of the attack campaigns (Figure 4). This domination is driven by the massive demand for consumers’ compromised accounts in dark markets that are then used to launch fraud-related second-phase attacks. However, even with only 19.3% of the attack campaigns, attacks against business accounts should not be considered marginal, as these kinds of attacks are usually more targeted and have greater potential for significant damage. Attacks that target business accounts may lead to a company’s network being compromised with malware or ransomware, or to confidential information being leaked. An attack that begins with an employee clicking a link in a phishing email can end up with the business suffering significant financial and reputational damages.
Fig. 4: Phishing targeted accounts — consumers vs. business
Phishing toolkits
Phishing attacks are an extremely common vector that have been used for many years. The potential impacts and risks involved are well-known to most internet users. However, phishing is still a highly relevant and dangerous attack vector that affects thousands of people and businesses daily. Research conducted by Akamai explains some of the reasons for this phenomenon, and focuses on the phishing toolkits and their role in making phishing attacks effective and relevant.
Phishing toolkits enable rapid and easy creation of fake websites that mimic known brands. Phishing toolkits enable even non–technically gifted scammers to run phishing scams, and in many cases are being used to create distributed and large-scale attack campaigns. The low cost and availability of these toolkits explains the increasing numbers of phishing attacks that have been seen in the past few years.
According to Akamai’s research that tracked 290 different phishing toolkits being used in the wild, 1.9% of the tracked kits were reused on at least 72 distinct days over Q2 2022 (Figure 5). Further, 49.6% of the kits were reused for at least five days, and when looking into all the tracked kits, we can see that all of them were reused no fewer than three distinct days over Q2 2022.
Fig. 5: Phishing toolkits by number of reused days Q2 2022
The numbers showing the heavy reuse phenomenon of the observed phishing kits shed some light on the phishing threat landscape and the scale involved, creating an overwhelming challenge to defenders. Behind the reuse of phishing kits are factories and economic forces that drive the phishing landscape. Those forces include developers who create phishing kits that mimic known brands, later to be sold or shared among threat actors to be reused over and over again with very minimal effort.
Further analysis on the most reused kits in Q2 2022, counting the number of different domains used to deliver each kit, shows that the Kr3pto toolkit was the one most frequently used and was associated with more than 500 domains (Figure 6). The tracked kits are labeled by the name of the brand being abused or by a generic name representing the kit developer signature or kit functionality.
In the case of Kr3pto, the actor behind the phishing kit is a developer who builds and sells unique kits that target financial institutions and other brands. In some cases, these kits target financial firms in the United Kingdom, and they bypass MFA. This evidence also shows that this phishing kit that was initially created more than three years ago is still highly active and effective and being used intensively in the wild.
Fig. 6: Top 10 reused phishing toolkits
The phishing economy is growing, kits are becoming easier to develop and deploy, and the web is full of abandoned, ready-to-be-abused websites and vulnerable servers and services. Criminals capitalize on these weaknesses to establish a foothold that enables them to victimize thousands of people and businesses daily.
The growing industrial nature of phishing kit development and sales (in which new kits are developed and released within hours) and the clear split between creators and users means this threat isn’t going anywhere anytime soon. The threat posed by phishing factories isn’t just focused on the victims who risk having valuable accounts compromised and their personal information sold to criminals — phishing is also a threat to brands and their stakeholders.
The life span of a typical phishing domain is measured in hours, not days. Yet new techniques and developments by the phishing kit creators are expanding these life spans little by little, and it’s enough to keep the victims coming and the phishing economy moving.
Summary
This type of research is necessary in the fight to keep our customers safer online. We will continue to monitor these threats and report on them to keep the industry informed.
The best way to stay up to date on this and other research pieces from the Akamai team is to follow Akamai Security Research on Twitter.
Fig. 1: Devices exposed to threats — Q1 vs. Q2
Fig. 2: Potentially compromised devices by category
Fig. 3: Phishing victims and phishing campaigns by abused brands
Fig. 4: Phishing targeted accounts — consumers vs. business
Fig. 5: Phishing toolkits by number of reused days Q2 2022
Fig. 6: Top 10 reused phishing toolkits
