Latest news with #GReAT


Channel Post MEA
2 days ago
- Channel Post MEA
Kaspersky Uncovers GhostContainer Backdoor That Targets Microsoft Exchange Servers
Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a new backdoor based on open-source tools, dubbed GhostContainer. The previously unknown highly customized malware was discovered during an incident response (IR) case, targeting Exchange infrastructure within government environments. The malware may be part of an advanced persistent threat (APT) campaign targeting high-value entities in Asia, including high-tech companies. The file detected by Kaspersky as App_Web_Container_1.dll turned out to be a sophisticated, multi-functional backdoor that leverages several open-source projects and can be dynamically extended with arbitrary functionality through additional module downloads. Once loaded, it provides attackers with full control over the Exchange server, enabling a wide range of malicious activities. To avoid detection by security solutions, it uses several evasion techniques and presents itself as a legitimate server component to blend in with normal operations. In addition, it can act as a proxy or tunnel, potentially exposing the internal network to external threats or facilitating the exfiltration of sensitive data from internal systems. Therefore, сyber espionage is suspected to be the aim of the campaign. 'Our in-depth analysis revealed that the attackers are highly skilled at exploiting Exchange systems and leveraging various open-source projects related to infiltrating IIS and Exchange environments, as well as creating and enhancing sophisticated espionage tools based on publicly available code. We will continue monitoring their activity, along with the scope and scale of these attacks, to gain a better understanding of the threat landscape,' comments Sergey Lozhkin, Head of GReAT, APAC & META. At this time, it is not possible to attribute GhostContainer to any known threat actor group, as the attackers have not exposed any infrastructure. The malware incorporates code from several publicly accessible open-source projects, which could be leveraged by hackers or APT groups worldwide. Notably, by the end of 2024, a total of 14,000 malicious packages were identified in open-source projects — a 48% increase compared to the end of 2023 — highlighting the growing threat in this area.


Zawya
13-07-2025
- Zawya
Kaspersky uncovers $500K crypto heist through malicious packages
Kaspersky GReAT (Global Research and Analysis Team) experts have discovered open-source packages that download the Quasar backdoor and a stealer designed to exfiltrate cryptocurrency. The malicious packages are intended for the Cursor AI development environment, which is based on Visual Studio Code — a tool used for AI-assisted coding. The malicious open-source packages are extensions hosted in the Open VSX repository that claim to provide support for the Solidity programming language. However, in practice, they download and execute malicious code on users' devices. During an incident response, a blockchain developer from Russia reached out to Kaspersky after installing one of these fake extensions on his computer, which allowed attackers to steal approximately $500,000 worth of crypto assets. The threat actor behind these packages managed to deceive the developer by making the malicious package rank higher than the legitimate one. The attacker achieved this by artificially inflating the malicious package's downloads count to 54,000. Search results for the query 'solidity': the malicious extension (highlighted in red) and the legitimate one (highlighted in green). After installation, the victim gained no actual functionality from the extension. Instead, malicious ScreenConnect software was installed on the computer, granting threat actors remote access to the infected device. Using this access, they deployed the open-source Quasar backdoor along with a stealer that collects data from browsers, email clients, and crypto wallets. With these tools, the threat actors were able to obtain the developer's wallet seed phrases and subsequently steal cryptocurrency from the accounts. After the malicious extension downloaded by the developer was discovered and removed from the repository, the threat actor republished it and artificially inflated its installation count to a higher number – 2 million, compared to 61,000 for the legitimate package. The extension was removed from the platform following a request from Kaspersky. 'Spotting compromised open-source packages with the naked eye is becoming increasingly difficult. Threat actors are using increasingly creative tactics to deceive potential victims, even developers who have a strong understanding of cybersecurity risks — particularly those working in the blockchain development field. As we expect adversaries to continue targeting developers, it is recommended that even experienced IT professionals deploy dedicated security solutions to safeguard sensitive data and prevent financial losses,' commented Georgy Kucherin, Security Researcher with Kaspersky's Global Research and Analysis Team. The threat actor behind the attack published not only malicious Solidity extensions but also another NPM package, solsafe, which also downloads ScreenConnect. A few months earlier, three additional malicious Visual Studio Code extensions were released — solaibot, among-eth, and blankebesxstnion — all of them have already been removed from the repository. To stay safe, Kaspersky recommends: Use a solution for monitoring the used open-source components in order to detect the threats that might be hidden inside. If you suspect that a threat actor may have gained access to your company's infrastructure, we recommend using the Kaspersky Compromise Assessment service to uncover any past or ongoing attacks. Verify package maintainers: check the credibility of the maintainer or organization behind the package. Look for consistent version history, documentation, and an active issue tracker. Stay informed on emerging threats: subscribe to security bulletins and advisories related to the open-source ecosystem. The earlier you know about a threat, the faster you can respond. More information is available in a report on About Kaspersky Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company's comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them. Learn more at


Biz Bahrain
07-07-2025
- Business
- Biz Bahrain
Inside FunkSec: Kaspersky explores the evolution of AI-powered ransomware with password-gated capabilities
Kaspersky experts revealed the inner workings of FunkSec — a ransomware group that illustrates the future of mass cybercrime: AI-powered, multifunctional, highly adaptive and operating on volume with ransoms as low as $10,000 to maximize profits. Kaspersky's Global Research and Analysis Team (GReAT) constantly monitors the ransomware threat landscape, where attacks continue to rise. According to the company's latest State of Ransomware report, the share of users affected by ransomware attacks worldwide increased to 0.44% from 2023 to 2024, up by 0.02 percentage points. While this percentage may appear modest compared to other cyber threats, it reflects the fact that attackers typically prioritize high-value targets rather than mass distribution, making each incident potentially devastating. Within this evolving landscape, FunkSec has emerged as a particularly concerning threat. Active for less than a year since its emergence in late 2024, FunkSec has quickly surpassed many established actors by targeting government, technology, finance and education sectors. What sets FunkSec apart is its sophisticated technical architecture and AI-assisted development. The group packages full-scale encryption and aggressive data exfiltration into a single Rust-based executable, capable of disabling over 50 processes on victim machines and equipped with self-cleanup features to evade defenses. Beyond its core ransomware functionality, FunkSec has expanded its toolkit to include a password generator and a basic DDoS tool — both showing clear signs of code synthesis using large language models (LLMs). FunkSec's approach reflects the evolving landscape of mass cybercrime, combining advanced tools and tactics. Kaspersky's GReAT experts highlight the key features that define their operations: Password-Controlled Functionality GReAT experts discovered that FunkSec ransomware features a unique password-based mechanism that controls its operation modes. Without a password, the malware performs basic file encryption, while providing a password activates a more aggressive data exfiltration process in addition to encryption to steal sensitive data. FunkSec packs full-scale encryption, local exfiltration and self-cleanup into a single Rust binary—without a side-loader or a companion script. That level of consolidation is uncommon and gives affiliates a plug-and-play tool they can deploy almost anywhere. Use of AI in development Code analysis shows that FunkSec is actively using generative artificial intelligence to create its tools. Many parts of the code seem to be automatically generated rather than manually written. Signs of this generic placeholder comments (such as 'placeholder for actual check') and technical inconsistencies, like commands for different operating systems that don't align properly. Additionally, the presence of declared but unused functions—such as modules included upfront but never utilized — reflects how large language models combine multiple code snippets without pruning redundant elements. 'More and more, we see cybercriminals leveraging AI to develop malicious tools. Generative AI lowers barriers and accelerates malware creation, enabling cybercriminals to adapt their tactics faster. By reducing the entry threshold, AI allows even less experienced attackers to quickly develop sophisticated malware at scale,' comments Marc Rivero, Lead Security Researcher at Kaspersky's GReAT. High-volume, low-ransom strategy FunkSec demands unusually low ransom payments, sometimes as little as $10,000, and pairs this with the sale of stolen data at discounted prices to third parties. This strategy appears designed to enable a high volume of attacks, helping the group quickly establish its reputation within the cybercriminal underground. Unlike traditional ransomware groups that seek million-dollar ransoms, FunkSec employs a high-frequency, low-cost model — further underscoring its use of AI to streamline and scale operations. Expands beyond ransomware FunkSec has expanded its capabilities beyond the ransomware binary. Its dark leak site (DLS) hosts additional tools, including a Python-based password generator designed to support brute-force and password-spraying attacks, as well as a basic DDoS tool. Advanced evasion FunkSec employs advanced evasion techniques to avoid detection and complicate forensic analysis. The ransomware is capable of stopping over 50 processes and services to ensure thorough encryption of targeted files. Additionally, it includes a fallback mechanism to execute certain commands even if the user launching FunkSec lacks sufficient privileges. Kaspersky's products detect this threat as HEUR: To stay protected from ransomware attacks, Kaspersky experts recommend organizations follow these best practices to safeguard from ransomware: • Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions. • Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network. • Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals' connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency. • Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework. • Use the latest Threat Intelligence information to stay aware of the actual Tactics, Techniques, and Procedures (TTPs) used by threat actors. • To protect the company against a wide range of threats, use solutions from Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements are changing.


Biz Bahrain
11-06-2025
- Biz Bahrain
Kaspersky discovers multiple IoT devices targeted with a new Mirai botnet version
Kaspersky Global Research & Analysis Team (GReAT) researchers have found multiple IoT devices targeted with a new version of the Mirai botnet. The majority of attacked devices were located in China, Egypt, India, Brazil, Turkiye and Russia. Mirai remains one of the top threats to IoT in 2025 due to widespread exploitation of weak login credentials and unpatched vulnerabilities, enabling large-scale botnets for DDoS attacks, data theft and other malicious activities. According to Kaspersky research, there were 1.7 billion attacks on IoT devices (including those made with Mirai) coming from 858,520 devices globally in 2024. 45,708 attacks on IoT devices (including those made with Mirai) were launched from UAE in 2024, which is 54% more than in 2023. To explore IoT attacks, how such attacks are carried out and how to prevent them, Kaspersky set up so called honeypots – decoy devices used to attract the attention of the attackers and analyze their activities. In the honeypots Kaspersky detected the exploitation of the CVE-2024-3721 vulnerability to deploy a bot – it turned out to be a Mirai botnet modification. A botnet is a network of compromised devices infected by malware to perform coordinated malicious activities under the control of an attacker. This time, the focus of the attacks were digital video recorders (DVRs) – these devices are integral to security and surveillance across multiple sectors. They record footage from cameras to monitor homes, retail stores, offices and warehouses, as well as factories, airports, train stations and educational institutions, to enhance public safety and secure critical infrastructure. Attacks on DVR devices can compromise privacy, but beyond that, they can serve as entry points for attackers to infiltrate broader networks, spreading malware and creating botnets to launch DDoS attacks, as seen with Mirai. The discovered DVR bot includes mechanisms to detect and evade virtual machine (VM) environments or emulators commonly used by security researchers to analyze malware. These techniques help the bot avoid detection and analysis, allowing it to operate more stealthily and remain active on infected devices. 'The source code of the Mirai botnet was shared on the internet nearly a decade ago, and since then, it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking. Exploiting known security flaws in IoT devices and servers that haven't been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect. By analyzing public sources we identified over 50,000 exposed DVR devices online, indicating that attackers have numerous opportunities to target unpatched, vulnerable devices,' comments Anderson Leite, Security Researcher with Kaspersky's GReAT. To reduce the risk of IoT device infection, users should: • Change default credentials and use strong, unique passwords. • Regularly update DVR firmware to patch known vulnerabilities. • Disable remote access if unnecessary or use secure VPNs for management. • Segment DVRs on isolated networks. • Monitor for unusual network traffic to detect potential compromises. Read more about the latest Mirai wave at


Tahawul Tech
27-05-2025
- Business
- Tahawul Tech
Kaspersky shares cybersecurity trends for the META region
Kaspersky's Global Research & Analysis Team shared insights on the cyber threat landscape in the Middle East, Türkiye, and Africa (META) region for the first quarter of 2025. The data revealed that Türkiye and Kenya recorded the highest number of users impacted by web-based threats (26.1% and 20.1% respectively), followed by Qatar at 17.8%. Meanwhile, Jordan, Egypt, UAE and Saudi Arabia reported the lowest share of users targeted by web-borne attacks across the META region. Ransomware remains one of the most destructive cyberthreats this year. According to Kaspersky data, the share of users affected by ransomware attacks increased by 0.02 p.p to 0.44% from 2023 to 2024 globally. In the Middle East the growth is 0.07 p.p. to 0.72%, in Africa: 0.01 p.p. growth to 0.41%, in Türkiye 0,06 p.p. growth to 0.46%. Attackers often don't distribute this type of malware on a mass scale, but prioritize high-value targets, which reduces the overall number of incidents. While the ransomware is not increasing largely, that doesn't mean that it becomes less dangerous. In the Middle East ransomware affected a higher share of users due to rapid digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity. Ransomware is less prevalent in Africa due to lower levels of digitisation and economic constraints, which reduce the number of high-value targets. However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are on the rise, particularly in the manufacturing, financial and government sectors. Limited cybersecurity awareness and resources leave many organisations vulnerable, though the smaller attack surface means the region remains behind global hotspots. Ransomware trends AI tools are increasingly being used in ransomware development , as demonstrated by FunkSec, a ransomware group that emerged in late 2024 and quickly gained notoriety by surpassing established groups like Cl0p and RansomHub with multiple victims claimed in December alone. Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec employs double extortion tactics — combining data encryption with exfiltration — targeting sectors such as government, technology, finance, and education in Europe and Asia. The group's heavy reliance on AI-assisted tools sets it apart, with its ransomware featuring AI-generated code, complete with flawless comments, likely produced by Large Language Models (LLMs) to enhance development and evade detection. Unlike typical ransomware groups demanding millions, FunkSec adopts a high-volume, low-cost approach with unusually low ransom demands, further highlighting its innovative use of AI to streamline operations. , as demonstrated by FunkSec, a ransomware group that emerged in late 2024 and quickly gained notoriety by surpassing established groups like Cl0p and RansomHub with multiple victims claimed in December alone. Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec employs double extortion tactics — combining data encryption with exfiltration — targeting sectors such as government, technology, finance, and education in Europe and Asia. The group's heavy reliance on AI-assisted tools sets it apart, with its ransomware featuring AI-generated code, complete with flawless comments, likely produced by Large Language Models (LLMs) to enhance development and evade detection. Unlike typical ransomware groups demanding millions, FunkSec adopts a high-volume, low-cost approach with unusually low ransom demands, further highlighting its innovative use of AI to streamline operations. In 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities , as demonstrated by the Akira gang's use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalising on the expanding attack surface created by interconnected systems. As organisations strengthen traditional defences, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time. , as demonstrated by the Akira gang's use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalising on the expanding attack surface created by interconnected systems. As organisations strengthen traditional defences, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time. The proliferation of LLMs tailored for cybercrime will further amplify ransomware's reach and impact. LLMs marketed on the dark web lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less skilled actors to craft highly convincing lures or automate ransomware deployment. As more innovative concepts such as RPA (Robotic Process Automation ) and LowCode, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are quickly adopted by software developers, we can expect ransomware developers to use these tools to automate their attacks as well as new code development, making the threat of ransomware even more prevalent. 'Ransomware is one of the most pressing cybersecurity threats facing organisations today, with attackers targeting businesses of all sizes and across every region, including META. Ransomware groups continue to evolve by adopting techniques, such as developing cross-platform ransomware, embedding self-propagation capabilities and even using zero-day vulnerabilities that were previously affordable only for APT actors. There is also shift toward exploiting overlooked entry points — including IoT devices, smart appliances, and misconfigured or outdated workplace hardware. These weak spots often go unmonitored, making them prime targets for cybercriminals', said Sergey Lozhkin, Head of META and APAC regions in Global Research and Analysis Team at Kaspersky. 'To stay secure, organisations need a layered defence: up-to-date systems, network segmentation, real-time monitoring, robust backups, and continuous user education'. Kaspersky experts continuously monitor highly sophisticated cyberattacks, including the activity of 25 advanced persistent threat (APT) groups currently operating in the META region. Among these are well-known actors such as SideWinder, Origami Elephant, and MuddyWater. Kaspersky has observed a growing use of creative exploits targeting mobile devices, along with ongoing advancements in techniques designed to evade detection – key trends shaping today's targeted attack landscape. Kaspersky encourages organisations to follow these best practices to safeguard their digital assets: Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network. Focus your defence strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals' connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. Use the latest Threat Intelligence information to stay aware of the actual Tactics, Techniques, and Procedures (TTPs) used by threat actors. To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organisations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements are changing. Image Credit: Kaspersky