{"id":6233,"date":"2015-09-15T06:55:57","date_gmt":"2015-09-15T10:55:57","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=6233"},"modified":"2019-11-22T10:12:50","modified_gmt":"2019-11-22T10:12:50","slug":"security-week-37","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/security-week-37\/6233\/","title":{"rendered":"Security Week 37: Bug-bugzilla, Carbanak is back, and \u0421&amp;C gone fishing"},"content":{"rendered":"<p>In the new instalment of our explosive hit series \u201cInfosec news\u201d, we take a look at:<\/p>\n<p>\u2022 The breach of Bugzilla serves a harsh reminder of the necessity to make passwords both\u00a0strong AND unique.<\/p>\n<p>\u2022 The Carbanak campaign which allowed the attackers to steal millions of dollars from financial organizations has resurfaced in Europe and USA.<\/p>\n<p>\u2022 The research by Kaspersky Lab finds the method of enhancing the level of cyberespionage C&amp;C server secrecy from \u2018very hard to track\u2019 to \u2018God-level hard to track\u2019.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/09\/05194835\/security-week-37-glass.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6235\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/09\/05194835\/security-week-37-glass-1024x672.jpg\" alt=\"security-week-37-glass\" width=\"1024\" height=\"672\"><\/a><\/p>\n<p>Once again, the rules of the road: every week the editorial team at <a href=\"https:\/\/threatpost.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Threatpost<\/a> hand pick three top news which I ruthlessly comment upon.<\/p>\n<h3>The breach of the Bugzilla bug database<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/attacker-compromised-mozilla-bug-system-stole-private-vulnerability-data\/114552\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">News<\/a>. 
<a href=\"https:\/\/ffp4g1ylyit3jdyti1hqcvtb-wpengine.netdna-ssl.com\/security\/files\/2015\/09\/bugzillafaq.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">FAQ<\/a> on the attack.<\/p>\n<p>In last week\u2019s issue, I <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/security-week-34\/\" target=\"_blank\" rel=\"noopener\">raised<\/a> the question of responsible disclosure and listed cases when it\u2019s desirable or undesirable to disclose the information about the bugs one could discover. The story about Mozilla\u2019s bug tracker breach serves a perfect example of\u00a0when it would have been better not to disclose the bug.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Attacker Compromised <a href=\"https:\/\/twitter.com\/hashtag\/Mozilla?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Mozilla<\/a> Bug System, Stole Private Vulnerability Data: <a href=\"https:\/\/t.co\/FyAMl8wUyB\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/FyAMl8wUyB<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/yXThX1mBlC\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/yXThX1mBlC<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/641304539791011840?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 8, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>It\u2019s clear that the issue has not been fixed yet. Back in August Mozilla <a href=\"https:\/\/threatpost.com\/mozilla-patches-bug-used-in-active-attacks\/114172\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">issued<\/a> a patch for Firefox which closed the bug in the built-in PDF Viewer. 
The bug was discovered by a user who fell victim to\u00a0the exploitation and then reported the vulnerability. The entry point for the attack was a specially crafted banner which allowed a culprit to steal the user\u2019s personal data.<\/p>\n<p>I have a notion that while the developers were preparing the patch, they were already aware of the bug. Bugzilla already contained the information on the bug, although it was stored in the private part of the system. Then suspicions arose about illegitimate access and those were proven to be true last week. There wasn\u2019t a \u2018breach,\u2019 as such: instead the attackers identified a privileged user, found his password in another compromised database and the <span style=\"text-decoration: underline\">password happened to match with the Bugzilla password<\/span>. Scary stuff, indeed.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/09\/05194832\/security-week-37-man.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6236\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/09\/05194832\/security-week-37-man-1024x680.jpg\" alt=\"security-week-37-man\" width=\"1024\" height=\"680\"><\/a><\/p>\n<p>As a result, the attackers had access to the secret bug database starting from as early as September 2013. During this period, as noted in a very detailed FAQ on the attack, the hackers had access to the information on 185 bugs, 53 of them critical. Forty-three vulnerabilities from the compromised list had been patched by the time the culprits accessed the database.<\/p>\n<p>From the remaining bugs, information on two of them is likely to have leaked less than a week before having been patched; five, in theory, could have been exploited during a week up to a month before the patch became available. The remaining three vulns could have been used 131, 157, and 335 days before the patch was released. 
There\u2019s some mixed news that comes off the back of this: Mozilla\u2019s developers don\u2019t have any \u2018proof that those vulnerabilities have in fact been exploited.\u2019 Of over 50 bugs, only one has been used in the wild.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">How strong is your <a href=\"https:\/\/twitter.com\/hashtag\/password?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#password<\/a>? Check it here: <a href=\"http:\/\/t.co\/9ILaxq503k\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/9ILaxq503k<\/a>  <a href=\"https:\/\/t.co\/P9Pm0SGc4n\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/P9Pm0SGc4n<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/internet?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#internet<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/634790730138054656?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 21, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Well, the moral here is simple, and this is when I feel an urge to climb on a soap-box and shout: \u201cFriends! Brothers and Sisters! Ladies and Gentlemen! Please use a unique password for each separate service!\u201d However, that is not as simple as it seems: such an approach would definitely require a password manager. Even if you already have one, you have to sit down and carefully and thoroughly change passwords on all the resources you actively use or, ideally, on all of them. 
Our data proves that only 7% of people use password managers.<\/p>\n<h3>New Carbanak versions attack USA and Europe<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/new-versions-of-carbanak-banking-malware-seen-hitting-targets-in-u-s-and-europe\/114522\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">News<\/a>. The February <a href=\"https:\/\/www.kaspersky.com\/blog\/billion-dollar-apt-carbanak\/7519\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">research<\/a> by Kaspersky Lab. Further\u00a0research by CSIS.<\/p>\n<p>Let me quote the announcement on \u2018the great theft\u2019 we made back in February:<\/p>\n<p><em>\u201cThe attackers were able to transfer money to their own bank accounts and manipulate the balance report in the manner which prevented the attack to be discovered by a number of robust security systems. This operation would have never succeeded if not for the control of the culprits over the banks\u2019 internal systems. That\u2019s why after the breach the culprits used a number of intelligence techniques to gather the necessary information about the way a bank infrastructure works, including video capture\u201d.<\/em><\/p>\n<p>In a joint effort with the law enforcement organizations it was discovered that the loss the banks sustained as a result of the complex, multilayer Carbanak attack totaled a billion dollars, with over a hundred large financial institutions being hit. But it happened back in February, and in the end of August the researchers of Denmark\u2019s CSIS discovered a new modification of Carbanak.<\/p>\n<p>The differences between the new and the old versions are not significant: one of them is the use of a static IP address for C&amp;C communication instead of a domain name. 
As for plugins used for the data theft, they are identical to those used back in February.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">In what may be the greatest heist of the century, hackers steal billions from hundreds of banks: <a href=\"http:\/\/t.co\/W3CofvF5ta\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/W3CofvF5ta<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/567373823473745920?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 16, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to CSIS, the new version of Carbanak was targeting large companies in Europe and the US.<\/p>\n<h3>Turla APT: how to hide C&amp;C with the help of satellite Internet<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/turla-apt-group-abusing-satellite-internet-links\/114586\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">News<\/a>. Other\u00a0<a href=\"https:\/\/threatpost.com\/epic-operation-kicks-off-multistage-turla-apt-campaign\/107612\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">news<\/a>. <a href=\"https:\/\/securelist.com\/blog\/research\/72081\/satellite-turla-apt-command-and-control-in-the-sky\/\" target=\"_blank\" rel=\"noopener noreferrer\">Research<\/a>.<\/p>\n<p>The Turla APT cyberespionage campaign has long been studied by various infosec researchers, including those of Kaspersky Lab. 
Last year we published detailed <a href=\"https:\/\/securelist.com\/analysis\/publications\/65545\/the-epic-turla-operation\/\" target=\"_blank\" rel=\"noopener noreferrer\">research<\/a> on the methods of breaching in the victim\u2019s computers, gathering data and sending it back to C&amp;C servers.<\/p>\n<p>Each of the stages of this complex campaign relies on a number of tools, including spear phishing with infected documents exploiting 0-days; infected websites; various data mining modules hand-picked depending on the complexity of the target and the criticality of the data; and a very advanced network of C&amp;C servers. As a result, by last August, the campaign claimed several hundreds of victims in 45 countries, especially those in Europe and Middle East.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">RT <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a>: Agent.btz <a href=\"https:\/\/twitter.com\/hashtag\/Malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Malware<\/a> May Have Served as Starting Point for Red October, <a href=\"https:\/\/twitter.com\/hashtag\/Turla?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Turla<\/a> \u2013 <a href=\"http:\/\/t.co\/6x98OI4afx\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/6x98OI4afx<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/444069305643462656?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 13, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This week saw Kaspersky researcher,\u00a0<a href=\"https:\/\/securelist.com\/blog\/research\/72081\/satellite-turla-apt-command-and-control-in-the-sky\/\" target=\"_blank\" rel=\"noopener 
Stefan Tanase publish">
noreferrer\">Stefan Tanase publish<\/a>\u00a0the data on the final stage of the attack, when the stolen data is sent through to a C&amp;C server. To enable data mining, Turla, like many APT groups before it, uses a variety of methods, for instance abuse-resistant hosting. But as soon as the data in question lands in the particular C&amp;C hosted on a particular server, the likelihood of it being seized by law enforcement or blocked by a service provider is quite high, regardless of proxies the culprits might\u00a0be using.<\/p>\n<p>And this is when the satellite Internet comes into play. The advantage here is that the server might be established or moved anywhere in the range of the satellite. But there is a rub: in order to lease a bidirectional satellite channel of decent capacity, you need to pay <strong>tons<\/strong> of money and, besides, the paper trail will give you away easily as soon as the trace is found. Well, the method discovered by our researcher does not presuppose a lease model.<\/p>\n<p>There is a thing called \u201csatellite fishing\u201d: a lightly modified piece of software on the satellite terminal does not reject packets which are not intended for a particular user, but collects them. As a result, the \u201cfisher\u201d may gather someone else\u2019s web pages, files, and data. This method is operational under one condition: if the channel is not encrypted.<\/p>\n<p>The Turla attack employs the same method, with one slight modification: when probing the traffic, the attacker should identify the victim\u2019s IP address and make compromised machines send data to this IP belonging to a legitimate, good-willed, unknowing owner of the satellite terminal.<\/p>\n<p>During the attack, the hackers use specific communication ports which are closed by default on average systems and reject the packets by design. 
But those who probe the traffic might hijack this data without revealing their location.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Russian-speaking cyber spies exploit satellites <a href=\"https:\/\/t.co\/EIhfVg2aRD\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/EIhfVg2aRD<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/turla?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#turla<\/a> <a href=\"http:\/\/t.co\/b8LTv4t041\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/b8LTv4t041<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/641606357309882368?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>By the\u00a0way, old radio phones did not encrypt voice traffic at all, as the receiving devices were able to operate on frequency bands that were quite expensive. Whilst this was a good defence a few years ago, there are now plenty of all-band receivers at good prices, making this a useless method of keeping your conversations secret.<\/p>\n<p>It\u2019s quite a lousy comparison, as the \u2018Turla-designed\u2019 data mining and processing solution would have cost at least a couple of thousand dollars. But the bottom line is that satellite Internet systems have an inherent flaw leveraged by attackers. 
Sadly, there is no action plan on closing this vulnerability, and the outcome remains unclear.<\/p>\n<p>As a result, the approximate location of Turla\u2019s C&amp;C server coincides with the range of the satellite operator:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/09\/05194828\/turla_map_of_satellites_1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6238\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/09\/05194828\/turla_map_of_satellites_1-1024x841.png\" alt=\"turla_map_of_satellites_\" width=\"1024\" height=\"841\"><\/a><\/p>\n<p>And here, we lose the trail.<\/p>\n<h3>What else happened:<\/h3>\n<p>In other news, another type of Android ransomware has been\u00a0<a href=\"https:\/\/threatpost.com\/new-android-ransomware-communicates-over-xmpp\/114530\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">found<\/a>. It communicates with C&amp;C server via XMPP. 
Chats and other instant messengers have already been used for communication by various PC malware, so the news proves that mobile malware is following the same path of progress as desktop malware, only <em>faster.<\/em><\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/mobile?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#mobile<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#malware<\/a> New Android Ransomware Communicates over XMPP: <a href=\"https:\/\/t.co\/NaduU8sGbH\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/NaduU8sGbH<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/j3sG6zS7xc\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/j3sG6zS7xc<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/639454422691655680?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 3, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Another series of <a href=\"https:\/\/threatpost.com\/google-patches-critical-vulnerabilities-in-chrome-45\/114509\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">patches<\/a> for critical vulns in Google Chrome was published (we advise you to update your browser and install V45).<\/p>\n<p>Seagate\u2019s wireless hard drives turned out to <a href=\"http:\/\/www.theregister.co.uk\/2015\/09\/07\/files_on_seagate_wireless_disks_can_be_poisoned_purloined\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">contain<\/a> a couple of serious bugs: unencrypted access via telnet and a hard-coded password for root access. 
This is quite critical, but we <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/security-week-36\/9727\/\" target=\"_blank\" rel=\"noopener noreferrer\">discussed<\/a> this topic last week when talking about routers. The moral: everything which seeds Wi-Fi should be heavily protected. In today\u2019s reality, everything can seed Wi-Fi, even cameras.<\/p>\n<h3>Oldies:<\/h3>\n<p>Manowar-273<\/p>\n<p>A harmless resident virus which typically plagues .COM and .EXE files when they are run (the COMMAND.COM file is infected by the Lehigh algorithm). The virus contains the text: \u201cDark Lord, I summon thee! MANOWAR\u201d.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/6POUitQf8v8?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>Iron-Maiden<\/p>\n<p>A very dangerous non-resident virus which typically infects .COM files of the current catalogue. As of August 1990, depending on timing, might erase two random sectors on hard drives. Contains the text: \u201cIRON MAIDEN\u201d.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/08\/05194931\/infosec-digest-32-book2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6156\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/08\/05194931\/infosec-digest-32-book2-800x1024.jpg\" alt=\"infosec-digest-32-book\" width=\"800\" height=\"1024\"><\/a><\/p>\n<p><em>Quoted from \u201cComputer viruses in MS-DOS\u201d by Eugene Kaspersky, 1992. Pages 70, 75.<\/em><\/p>\n<p><em>Disclaimer: this column reflects only the personal opinion of the author. It may coincide with Kaspersky Lab position, or it may not. 
Depends on luck.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the new installment of our explosive hit series \u201cInfosec news\u201d you\u2019ll find: the breach of Bugzilla, Carbanak is coming back and Turla uses Level-God hard to track techniques to hide servers.<\/p>\n","protected":false},"author":53,"featured_media":6234,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2026],"tags":[423,845,1139,1138,36,1095,529,1131],"class_list":{"0":"post-6233","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-apt","10":"tag-bugs","11":"tag-bugzilla","12":"tag-carbanak","13":"tag-malware-2","14":"tag-security-week","15":"tag-threats","16":"tag-turla"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/security-week-37\/6233\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/security-week-37\/5194\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/security-week-37\/5970\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/security-week-37\/6184\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/security-week-37\/6844\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/security-week-37\/6619\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/security-week-37\/8867\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/security-week-37\/9848\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/security-week-37\/6148\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/security-week-37\/8896\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/security-week-37\/8867\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/security-week-37\/9848\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\
/security-week-37\/9848\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/apt\/","name":"apt"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=6233"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6233\/revisions"}],"predecessor-version":[{"id":17861,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6233\/revisions\/17861"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/6234"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=6233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=6233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=6233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}