The public availability of new exploit packages has fueled millions of new attacks on popular applications during the second quarter of 2017, a recent report from Kaspersky Lab reveals.
The Moscow-based security company said that it blocked more than five million attacks involving in-the-wild exploits during the three-month period, but the actual number of incidents should be significantly higher. Highly effective as they don’t usually require user interaction, attacks leveraging exploits can result in malicious code being delivered to the targeted machines without the user suspecting anything.
According to Kaspersky’s IT threat evolution Q2 2017 report, the publication by the Shadow Brokers hacker group of several tools and exploits supposedly associated with the National Security Agency had grave consequences during the quarter. Included in the leak were exploits such as EternalBlue and EternalRomance, which fueled a large wave of malicious attacks.
Although Microsoft had patched the vulnerabilities exploited by these tools one month before they were made public, “in the second quarter of 2017 only Kaspersky Lab blocked more than five million attempted attacks involving network exploits from the archive. And the average number of attacks per day was constantly growing: 82% of all attacks were detected in the last 30 days,” the security company says.
The figure is not surprising, considering that EternalBlue was used in a massive, global WannaCry ransomware attack in May. In June, the same exploit was used for lateral movement in an attack involving the NotPetya wiper, which resulted in hundreds of millions in losses. The exploit was employed in various other malware attacks as well.
Another exploit that fueled a large number of attacks leveraged the CVE-2017-0199 vulnerability in Microsoft Office. The bug was initially a zero-day abused by threat actors, and Microsoft addressed it in early April, but cybercriminals discovered new ways to leverage it: through the use of PowerPoint Slide Shows. Despite the fix, the number of attacked users peaked at 1.5 million in April, Kaspersky says.
The security company says it detected and repelled 342,566,061 malicious attacks from online resources located in 191 countries during Q2, and that it also identified 33,006,783 unique malicious URLs. In Q1, the company detected 479,528,279 malicious attacks.
Kaspersky also detected attempted infections with financial malware on 224,675 user computers (down from 288,000 during the previous three months), and blocked crypto-ransomware attacks on 246,675 unique computers (up from 240,799 in Q1). The security firm detected 185,801,835 unique malicious and potentially unwanted objects in Q2 (up from 174,989,956 the previous quarter).
In terms of banking malware attacks, Germany emerged as the most affected country in Q2 (these incidents include banking Trojans and ATM and POS malware). Zbot, Nymaim, and Emotet were the top 3 banking malware families in the timeframe. WannaCry, Locky, and Cerber were the most widespread cryptor families.
Mobile malware was also active in the timeframe. The security firm discovered a Trojan called Dvmap being distributed via Google Play, and also observed attackers attempting to upload new apps containing the malicious Ztorg module to the storefront. The Svpeng banking Trojan remained the most popular mobile threat.
Overall, Kaspersky detected 1,319,148 malicious installation packages during Q2, and reveals that adware registered the biggest growth during the timeframe. Trojan-SMS malware experienced the second-highest growth rate, while spyware registered the biggest decline. Iran was the top country attacked by mobile malware, followed by China, while the United States emerged as the most attacked by mobile ransomware.
“The threat landscape of Q2 provides yet another reminder that a lack of vigilance is one of the most significant cyber dangers. While vendors patch vulnerabilities on a regular basis, many users don’t pay attention to this, which results in massive-scale attacks once the vulnerabilities are exposed to the broad cybercriminal community,” Alexander Liskin, security expert at Kaspersky Lab, said.