Full Report
Kaspersky Compromise Assessment specialists analyze trends from the service's 2025 projects and provide tips on how to enhance your organization's security.
Analysis Summary
# Incident Report: Kaspersky Compromise Assessment Findings 2025
## Executive Summary
This report summarizes the aggregate findings from Kaspersky’s 2024–2025 Compromise Assessment projects. It highlights a landscape where attackers prioritize the exploitation of public-facing applications and the use of legitimate administrative tools ("living off the land") to evade detection. The assessments revealed that many organizations suffer from prolonged dwell times and inadequate logging, emphasizing the need for proactive hunting.
## Incident Details
- **Discovery Date:** Ongoing (Reported Feb 2025)
- **Incident Date:** 2024–2025
- **Affected Organizations:** Multiple global entities (Aggregate Data)
- **Sector:** Cross-sector (Government, Industrial, Finance targeted most frequently)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Variable (Initial access persists for months in many cases)
- **Vector:** Exploitation of vulnerabilities in public-facing applications (38.5%) and compromised accounts.
- **Details:** Attackers frequently targeted unpatched edge devices and web servers to gain a foothold.
### Lateral Movement
- Attackers utilized legitimate credentials harvested via Mimikatz or LSASS dumps.
- Movement was facilitated through standard protocols like RDP and SMB to reach Domain Controllers.
### Data Exfiltration/Impact
- **Data Stolen:** Corporate sensitive data, credentials, and financial records.
- **Impact:** Significant operational disruption in cases involving ransomware or data wiping.
### Detection & Response
- **Discovery:** Most incidents were discovered during proactive Kaspersky Compromise Assessments rather than by internal EDR/SIEM alerts.
- **Response:** Isolation of compromised hosts, full password resets, and patching of identified vulnerabilities.
## Attack Methodology
- **Initial Access:** Exploiting public-facing applications; use of leaked credentials.
- **Persistence:** Creation of new administrative accounts; scheduled tasks; web shells.
- **Privilege Escalation:** Exploitation of local vulnerabilities (e.g., PrintNightmare-related) and credential dumping.
- **Defense Evasion:** Clearing Windows Event Logs; using "living off the land" binaries (LoLBins) like PowerShell and Certutil.
- **Credential Access:** Harvesting from LSASS, registry hives, and browser password stores.
- **Discovery:** Network scanning via built-in tools (net.exe, ipconfig, AdFind).
- **Lateral Movement:** RDP sessions, PsExec, and WinRM.
- **Collection:** Archiving data using WinRAR or 7-Zip before exfiltration.
- **Exfiltration:** Use of cloud storage services (Mega[.]nz, Dropbox) and FTP/HTTP(S).
- **Impact:** System downtime, encryption (ransomware), or silent data theft.
## Impact Assessment
- **Financial:** High remediation costs due to long-term attacker dwell time.
- **Data Breach:** High volume of PII and internal strategic documents compromised.
- **Operational:** Disruption of services during cleanup and system hardened-reinstatement.
- **Reputational:** Varies by industry; high for financial or governmental sectors.
## Indicators of Compromise
- **Network:** Connections to unusual cloud storage IPs (e.g., `87[.]236[.]176[.]x`).
- **File:** Presence of `Mimikatz`, `AdFind.exe`, and unauthorized `AnyDesk` or `TeamViewer` installations.
- **Behavioral:** Spikes in PowerShell execution with encoded commands; massive log clearing events (Event ID 1102).
## Response Actions
- **Containment:** Disabling compromised AD accounts and blocking identified C2 IPs.
- **Eradication:** Removal of persistence mechanisms (web shells/scheduled tasks) and malware.
- **Recovery:** Restoring systems from clean backups and enforcing Multi-Factor Authentication (MFA).
## Lessons Learned
- **Visibility Gaps:** Many organizations lacked sufficient log retention (less than 30 days), making forensic reconstruction difficult.
- **Patch Management:** Delayed patching of edge devices remains the primary entry point for high-tier threat actors.
- **MFA Failures:** Compromised credentials were often effective because MFA was either not implemented or bypassed via "push fatigue."
## Recommendations
1. **Implement MFA:** Mandate Multi-Factor Authentication for all external-facing services and VPNs.
2. **Patching:** Prioritize "Critical" and "High" vulnerabilities on internet-facing assets within 24–48 hours.
3. **Log Retention:** Increase SIEM/Event Log retention to at least 90 days to assist in incident investigation.
4. **Hunt Proactively:** Conduct annual compromise assessments to catch "silent" intruders that bypass automated defenses.
5. **Restrict Tools:** Implement AppLocker or similar policies to block the execution of unauthorized administrative tools (e.g., PsExec, AdFind) by non-admin users.