
Latest news with #GReAT

Kaspersky reveals SharePoint ToolShell vulnerabilities stem from incomplete 2020 fix

Zawya

19 hours ago

Kaspersky's Global Research and Analysis Team (GReAT) discovered that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint originate from an incomplete fix for CVE-2020-1147, first reported in 2020. The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid active exploitation. Kaspersky Security Network showed exploitation attempts worldwide, including in Egypt, Jordan, Russia, Vietnam and Zambia. The attacks target organizations across the government, finance, manufacturing, forestry and agriculture sectors. Kaspersky solutions proactively detected and blocked ToolShell attacks before the vulnerabilities were publicly disclosed.

Kaspersky GReAT researchers analyzed the published ToolShell exploit and found it alarmingly similar to the 2020 CVE-2020-1147 exploit. This suggests that the CVE-2025-53770 patch is, in fact, an effective fix for the vulnerability that CVE-2020-1147 attempted to address five years ago. The connection to CVE-2020-1147 became evident following the discovery of CVE-2025-49704 and CVE-2025-49706, patched on July 8. However, these fixes could be bypassed by adding a single forward slash to the exploit payload. Once Microsoft learned of active exploitation of these vulnerabilities, it responded with comprehensive patches that addressed potential bypass methods, designating the vulnerabilities as CVE-2025-53770 and CVE-2025-53771. The surge in attacks against SharePoint servers worldwide occurred during the window between initial exploitation and full patch deployment.

Despite patches now being available for the ToolShell vulnerabilities, Kaspersky expects attackers will continue exploiting this chain for years to come. "Many high-profile vulnerabilities remain actively exploited years after discovery — ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today. We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit will soon appear in popular penetration testing tools, ensuring prolonged use by attackers," said Boris Larin, principal security researcher at Kaspersky GReAT.

To stay safe, Kaspersky recommends:

• Organizations using Microsoft SharePoint must apply the latest security patches immediately. This applies to all high-risk vulnerabilities, as even brief exposure can lead to compromise.
• Deploy cybersecurity solutions that protect against zero-day exploits when patches aren't yet available. Kaspersky Next, with its Behavior Detection component, proactively blocks exploitation of such vulnerabilities.

Read the full report on

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company's comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them. Learn more at

Kaspersky Uncovers GhostContainer Backdoor That Targets Microsoft Exchange Servers

Channel Post MEA

21-07-2025

Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a new backdoor based on open-source tools, dubbed GhostContainer. The previously unknown, highly customized malware was discovered during an incident response (IR) case targeting Exchange infrastructure within government environments. The malware may be part of an advanced persistent threat (APT) campaign targeting high-value entities in Asia, including high-tech companies.

The file, detected by Kaspersky as App_Web_Container_1.dll, turned out to be a sophisticated, multi-functional backdoor that leverages several open-source projects and can be dynamically extended with arbitrary functionality through additional module downloads. Once loaded, it provides attackers with full control over the Exchange server, enabling a wide range of malicious activities. To avoid detection by security solutions, it uses several evasion techniques and presents itself as a legitimate server component to blend in with normal operations. In addition, it can act as a proxy or tunnel, potentially exposing the internal network to external threats or facilitating the exfiltration of sensitive data from internal systems. Therefore, cyber espionage is suspected to be the aim of the campaign.

'Our in-depth analysis revealed that the attackers are highly skilled at exploiting Exchange systems and leveraging various open-source projects related to infiltrating IIS and Exchange environments, as well as creating and enhancing sophisticated espionage tools based on publicly available code. We will continue monitoring their activity, along with the scope and scale of these attacks, to gain a better understanding of the threat landscape,' comments Sergey Lozhkin, Head of GReAT, APAC & META.

At this time, it is not possible to attribute GhostContainer to any known threat actor group, as the attackers have not exposed any infrastructure. The malware incorporates code from several publicly accessible open-source projects, which could be leveraged by hackers or APT groups worldwide. Notably, by the end of 2024, a total of 14,000 malicious packages were identified in open-source projects — a 48% increase compared to the end of 2023 — highlighting the growing threat in this area.

Kaspersky uncovers $500K crypto heist through malicious packages

Zawya

13-07-2025

Kaspersky GReAT (Global Research and Analysis Team) experts have discovered open-source packages that download the Quasar backdoor and a stealer designed to exfiltrate cryptocurrency. The malicious packages are intended for the Cursor AI development environment, which is based on Visual Studio Code — a tool used for AI-assisted coding. The malicious open-source packages are extensions hosted in the Open VSX repository that claim to provide support for the Solidity programming language. However, in practice, they download and execute malicious code on users' devices.

During an incident response, a blockchain developer from Russia reached out to Kaspersky after installing one of these fake extensions on his computer, which allowed attackers to steal approximately $500,000 worth of crypto assets. The threat actor behind these packages managed to deceive the developer by making the malicious package rank higher than the legitimate one. The attacker achieved this by artificially inflating the malicious package's download count to 54,000.

Search results for the query 'solidity': the malicious extension (highlighted in red) and the legitimate one (highlighted in green).

After installation, the victim gained no actual functionality from the extension. Instead, malicious ScreenConnect software was installed on the computer, granting threat actors remote access to the infected device. Using this access, they deployed the open-source Quasar backdoor along with a stealer that collects data from browsers, email clients, and crypto wallets. With these tools, the threat actors were able to obtain the developer's wallet seed phrases and subsequently steal cryptocurrency from the accounts. After the malicious extension downloaded by the developer was discovered and removed from the repository, the threat actor republished it and artificially inflated its installation count to a higher number – 2 million, compared to 61,000 for the legitimate package. The extension was removed from the platform following a request from Kaspersky.

'Spotting compromised open-source packages with the naked eye is becoming increasingly difficult. Threat actors are using increasingly creative tactics to deceive potential victims, even developers who have a strong understanding of cybersecurity risks — particularly those working in the blockchain development field. As we expect adversaries to continue targeting developers, it is recommended that even experienced IT professionals deploy dedicated security solutions to safeguard sensitive data and prevent financial losses,' commented Georgy Kucherin, Security Researcher with Kaspersky's Global Research and Analysis Team.

The threat actor behind the attack published not only malicious Solidity extensions but also another NPM package, solsafe, which also downloads ScreenConnect. A few months earlier, three additional malicious Visual Studio Code extensions were released — solaibot, among-eth, and blankebesxstnion — all of them have already been removed from the repository.

To stay safe, Kaspersky recommends:

• Use a solution for monitoring the open-source components in use in order to detect threats that might be hidden inside.
• If you suspect that a threat actor may have gained access to your company's infrastructure, we recommend using the Kaspersky Compromise Assessment service to uncover any past or ongoing attacks.
• Verify package maintainers: check the credibility of the maintainer or organization behind the package. Look for a consistent version history, documentation, and an active issue tracker.
• Stay informed on emerging threats: subscribe to security bulletins and advisories related to the open-source ecosystem. The earlier you know about a threat, the faster you can respond.

More information is available in a report on

Inside FunkSec: Kaspersky explores the evolution of AI-powered ransomware with password-gated capabilities

Biz Bahrain

07-07-2025

Kaspersky experts revealed the inner workings of FunkSec — a ransomware group that illustrates the future of mass cybercrime: AI-powered, multifunctional, highly adaptive and operating on volume with ransoms as low as $10,000 to maximize profits.

Kaspersky's Global Research and Analysis Team (GReAT) constantly monitors the ransomware threat landscape, where attacks continue to rise. According to the company's latest State of Ransomware report, the share of users affected by ransomware attacks worldwide increased to 0.44% from 2023 to 2024, up by 0.02 percentage points. While this percentage may appear modest compared to other cyber threats, it reflects the fact that attackers typically prioritize high-value targets rather than mass distribution, making each incident potentially devastating.

Within this evolving landscape, FunkSec has emerged as a particularly concerning threat. Active for less than a year since its emergence in late 2024, FunkSec has quickly surpassed many established actors by targeting the government, technology, finance and education sectors. What sets FunkSec apart is its sophisticated technical architecture and AI-assisted development. The group packages full-scale encryption and aggressive data exfiltration into a single Rust-based executable, capable of disabling over 50 processes on victim machines and equipped with self-cleanup features to evade defenses. Beyond its core ransomware functionality, FunkSec has expanded its toolkit to include a password generator and a basic DDoS tool — both showing clear signs of code synthesis using large language models (LLMs).

FunkSec's approach reflects the evolving landscape of mass cybercrime, combining advanced tools and tactics. Kaspersky's GReAT experts highlight the key features that define its operations:

Password-Controlled Functionality

GReAT experts discovered that FunkSec ransomware features a unique password-based mechanism that controls its operation modes. Without a password, the malware performs basic file encryption, while providing a password activates a more aggressive data exfiltration process in addition to encryption to steal sensitive data. FunkSec packs full-scale encryption, local exfiltration and self-cleanup into a single Rust binary—without a side-loader or a companion script. That level of consolidation is uncommon and gives affiliates a plug-and-play tool they can deploy almost anywhere.

Use of AI in development

Code analysis shows that FunkSec is actively using generative artificial intelligence to create its tools. Many parts of the code seem to be automatically generated rather than manually written. Signs of this include generic placeholder comments (such as 'placeholder for actual check') and technical inconsistencies, like commands for different operating systems that don't align properly. Additionally, the presence of declared but unused functions—such as modules included upfront but never utilized — reflects how large language models combine multiple code snippets without pruning redundant elements.

'More and more, we see cybercriminals leveraging AI to develop malicious tools. Generative AI lowers barriers and accelerates malware creation, enabling cybercriminals to adapt their tactics faster. By reducing the entry threshold, AI allows even less experienced attackers to quickly develop sophisticated malware at scale,' comments Marc Rivero, Lead Security Researcher at Kaspersky's GReAT.

High-volume, low-ransom strategy

FunkSec demands unusually low ransom payments, sometimes as little as $10,000, and pairs this with the sale of stolen data at discounted prices to third parties. This strategy appears designed to enable a high volume of attacks, helping the group quickly establish its reputation within the cybercriminal underground. Unlike traditional ransomware groups that seek million-dollar ransoms, FunkSec employs a high-frequency, low-cost model — further underscoring its use of AI to streamline and scale operations.

Expands beyond ransomware

FunkSec has expanded its capabilities beyond the ransomware binary. Its dark leak site (DLS) hosts additional tools, including a Python-based password generator designed to support brute-force and password-spraying attacks, as well as a basic DDoS tool.

Advanced evasion

FunkSec employs advanced evasion techniques to avoid detection and complicate forensic analysis. The ransomware is capable of stopping over 50 processes and services to ensure thorough encryption of targeted files. Additionally, it includes a fallback mechanism to execute certain commands even if the user launching FunkSec lacks sufficient privileges.

Kaspersky's products detect this threat as HEUR:

To stay protected from ransomware attacks, Kaspersky experts recommend organizations follow these best practices:

• Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.
• Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
• Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals' connections to your network.
• Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
• Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
• Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.
• Use the latest Threat Intelligence information to stay aware of the actual Tactics, Techniques, and Procedures (TTPs) used by threat actors.
• To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, and the investigation and response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements change.

Kaspersky discovers multiple IoT devices targeted with a new Mirai botnet version

Biz Bahrain

11-06-2025

Kaspersky Global Research & Analysis Team (GReAT) researchers have found multiple IoT devices targeted with a new version of the Mirai botnet. The majority of attacked devices were located in China, Egypt, India, Brazil, Turkiye and Russia.

Mirai remains one of the top threats to IoT in 2025 due to widespread exploitation of weak login credentials and unpatched vulnerabilities, enabling large-scale botnets for DDoS attacks, data theft and other malicious activities. According to Kaspersky research, there were 1.7 billion attacks on IoT devices (including those made with Mirai) coming from 858,520 devices globally in 2024. 45,708 attacks on IoT devices (including those made with Mirai) were launched from the UAE in 2024, which is 54% more than in 2023.

To explore IoT attacks, how such attacks are carried out and how to prevent them, Kaspersky set up so-called honeypots – decoy devices used to attract the attention of attackers and analyze their activities. In the honeypots Kaspersky detected the exploitation of the CVE-2024-3721 vulnerability to deploy a bot – it turned out to be a Mirai botnet modification. A botnet is a network of compromised devices infected by malware to perform coordinated malicious activities under the control of an attacker.

This time, the focus of the attacks was digital video recorders (DVRs) – these devices are integral to security and surveillance across multiple sectors. They record footage from cameras to monitor homes, retail stores, offices and warehouses, as well as factories, airports, train stations and educational institutions, to enhance public safety and secure critical infrastructure. Attacks on DVR devices can compromise privacy, but beyond that, they can serve as entry points for attackers to infiltrate broader networks, spreading malware and creating botnets to launch DDoS attacks, as seen with Mirai.

The discovered DVR bot includes mechanisms to detect and evade virtual machine (VM) environments or emulators commonly used by security researchers to analyze malware. These techniques help the bot avoid detection and analysis, allowing it to operate more stealthily and remain active on infected devices.

'The source code of the Mirai botnet was shared on the internet nearly a decade ago, and since then, it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking. Exploiting known security flaws in IoT devices and servers that haven't been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect. By analyzing public sources we identified over 50,000 exposed DVR devices online, indicating that attackers have numerous opportunities to target unpatched, vulnerable devices,' comments Anderson Leite, Security Researcher with Kaspersky's GReAT.

To reduce the risk of IoT device infection, users should:

• Change default credentials and use strong, unique passwords.
• Regularly update DVR firmware to patch known vulnerabilities.
• Disable remote access if unnecessary or use secure VPNs for management.
• Segment DVRs on isolated networks.
• Monitor for unusual network traffic to detect potential compromises.

Read more about the latest Mirai wave at
