{"id":9848,"date":"2015-09-14T12:50:34","date_gmt":"2015-09-14T16:50:34","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=9848"},"modified":"2020-02-27T03:58:53","modified_gmt":"2020-02-26T16:58:53","slug":"security-week-37","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/security-week-37\/9848\/","title":{"rendered":"Security Week 37: Bug-bugzilla, Carbanak is back, and \u0421&amp;C gone fishing"},"content":{"rendered":"<p>In the new installment of our <a href=\"https:\/\/www.kaspersky.com.au\/blog\/tag\/security-week\/\" target=\"_blank\" rel=\"noopener\">explosive hit series \u201cInfosec news\u201d<\/a>:<\/p>\n<ul>\n<li>The breach of Bugzilla serves as a harsh reminder of the necessity to make passwords BOTH strong and unique.<\/li>\n<li>The Carbanak campaign which allowed the attackers to steal millions of dollars from financial organizations has resurfaced in Europe and the USA.<\/li>\n<li>Research by Kaspersky Lab uncovers a method of enhancing the level of cyberespionage C&amp;C server secrecy from \u2018very hard to track\u2019 to \u2018Level-God hard to track\u2019.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/09\/06024148\/security-week-37-glass.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9851\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/09\/06024148\/security-week-37-glass.jpg\" alt=\"Security Week 37: Bug-bugzilla, Carbanak is back, and \u0421&amp;C gone fishing\" width=\"1280\" height=\"840\"><\/a><\/p>\n<p>Once again, the rules of the road: every week the editorial team at <a href=\"https:\/\/threatpost.com\" target=\"_blank\" rel=\"noopener nofollow\">Threatpost<\/a> hand-picks three top news stories, on which I ruthlessly comment.<\/p>\n<h3>The breach of the Bugzilla bug database<\/h3>\n<p><a 
href=\"https:\/\/threatpost.com\/attacker-compromised-mozilla-bug-system-stole-private-vulnerability-data\/114552\/\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>. <a href=\"https:\/\/ffp4g1ylyit3jdyti1hqcvtb-wpengine.netdna-ssl.com\/security\/files\/2015\/09\/bugzillafaq.pdf\" target=\"_blank\" rel=\"noopener nofollow\">FAQ<\/a> on the attack.<\/p>\n<p>In last week\u2019s installment, I raised the <a href=\"https:\/\/www.kaspersky.com.au\/blog\/security-week-34\/\" target=\"_blank\" rel=\"noopener\">question of responsible disclosure<\/a> and listed cases when it\u2019s desirable\/undesirable to disclose information about the bugs one discovers. The story about Mozilla\u2019s bug tracker breach serves as a perfect example of when a vulnerability would have been better left undisclosed.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Attacker Compromised <a href=\"https:\/\/twitter.com\/hashtag\/Mozilla?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Mozilla<\/a> Bug System, Stole Private Vulnerability Data: <a href=\"https:\/\/t.co\/FyAMl8wUyB\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/FyAMl8wUyB<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/yXThX1mBlC\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/yXThX1mBlC<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/641304539791011840?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 8, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>It\u2019s clear that the issue has not been fixed yet. 
Back in August Mozilla <a href=\"https:\/\/threatpost.com\/mozilla-patches-bug-used-in-active-attacks\/114172\/\" target=\"_blank\" rel=\"noopener nofollow\">issued a patch for Firefox<\/a> which closed the bug in the built-in PDF Viewer. The bug was discovered by a user who fell victim to the exploit and then reported the vulnerability. The entry point for the attack was a specially crafted banner which allowed a culprit to steal the user\u2019s personal data.<\/p>\n<p>I have a notion that while the developers were preparing the patch, they were already aware of the bug. Bugzilla already contained the information on the bug, although it was stored in the private part of the system. Then suspicions arose about illegitimate access, and these were proven true last week. There was no \u2018breach\u2019 as such: the attackers identified a privileged user, found his password in another compromised database \u2013 and the password happened to match the Bugzilla password.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/09\/06024146\/security-week-37-man.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9852\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/09\/06024146\/security-week-37-man.jpg\" alt=\"Security Week 37: Bug-bugzilla, Carbanak is back, and \u0421&amp;C gone fishing\" width=\"1280\" height=\"850\"><\/a><\/p>\n<p>As a result, the attackers had access to the secret bug database starting from as early as September 2013. During this period, as noted in a very detailed FAQ on the attack, the hackers had access to the information on 185 bugs, 53 of them critical. 
Forty-three vulnerabilities from the compromised list had been patched by the time the culprits accessed the database.<\/p>\n<p>Of the remaining bugs, information on two is likely to have leaked less than a week before they were patched; five, in theory, could have been exploited for a week to a month before the patch became available. The remaining three vulns could have been used 131, 157, and 335 days before the patch was out. That was the most dreadful news about the breach; however, Mozilla\u2019s developers don\u2019t have any \u2018proof that those vulnerabilities have in fact been exploited.\u2019 Of over 50 bugs, only one has been used in the wild.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">How strong is your <a href=\"https:\/\/twitter.com\/hashtag\/password?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#password<\/a>? Check it here: <a href=\"http:\/\/t.co\/9ILaxq503k\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/9ILaxq503k<\/a>  <a href=\"https:\/\/t.co\/P9Pm0SGc4n\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/P9Pm0SGc4n<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/internet?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#internet<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/634790730138054656?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 21, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Well, the moral here is simple, and this is when 
I feel an urge to climb on some improvised stage and proclaim: \u201cFriends! Brothers and Sisters! Ladies and Gentlemen! Please use a unique password for each separate service!\u201d However, that is not as simple as it seems: such an approach would definitely require a password manager. Even if you already have one, you have to sit down and carefully change passwords on all the resources you actively use or, ideally, on all of them. Our data proves that only 7% of people use password managers.<\/p>\n<h3>New Carbanak versions attack USA and Europe<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/new-versions-of-carbanak-banking-malware-seen-hitting-targets-in-u-s-and-europe\/114522\/\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>. The February <a href=\"https:\/\/www.kaspersky.com.au\/blog\/billion-dollar-apt-carbanak\/7519\/\" target=\"_blank\" rel=\"noopener\">research<\/a> by Kaspersky Lab. Newer research by CSIS.<\/p>\n<p>Let me quote the announcement on \u2018the great theft\u2019 we made back in February:<\/p>\n<p>\u201cThe attackers were able to transfer money to their own bank accounts and manipulate the balance report in a manner which prevented the attack from being discovered by a number of robust security systems. This operation would have never succeeded if not for the control of the culprits over the banks\u2019 internal systems. That\u2019s why after the breach the culprits used a number of intelligence techniques to gather the necessary information about the way a bank infrastructure works, including video capture\u201d.<\/p>\n<p>In a joint effort with law enforcement organizations it was discovered that the loss the banks sustained as a result of the complex, multilayer Carbanak attack totaled a billion dollars, with over a hundred large financial institutions among the victims. 
But it happened back in February, and at the end of August the researchers of Denmark\u2019s CSIS discovered a new modification of Carbanak.<\/p>\n<p>The differences between the new and the old versions are not significant: one of them is the use of a static IP address for C&amp;C communication instead of a domain name. As for plugins used for the data theft, they are identical to those used back in February.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">In what may be the greatest heist of the century, hackers steal billions from hundreds of banks: <a href=\"http:\/\/t.co\/W3CofvF5ta\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/W3CofvF5ta<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/567373823473745920?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 16, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to CSIS, the new version of Carbanak was targeting large companies in Europe and the US.<\/p>\n<h3>Turla APT: how to hide C&amp;C with the help of satellite Internet<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/turla-apt-group-abusing-satellite-internet-links\/114586\/\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>. Another <a href=\"https:\/\/threatpost.com\/epic-operation-kicks-off-multistage-turla-apt-campaign\/107612\/\" target=\"_blank\" rel=\"noopener nofollow\">news<\/a>. <a href=\"https:\/\/securelist.com\/blog\/research\/72081\/satellite-turla-apt-command-and-control-in-the-sky\/\" target=\"_blank\" rel=\"noopener\">Research<\/a>.<\/p>\n<p>The Turla APT cyberespionage campaign has long been studied by various infosec researchers, including those of Kaspersky Lab. 
Last year we published very <a href=\"https:\/\/securelist.com\/analysis\/publications\/65545\/the-epic-turla-operation\/\" target=\"_blank\" rel=\"noopener\">detailed research<\/a> on the methods of breaking into victims\u2019 computers, gathering data and sending it to C&amp;C servers.<\/p>\n<p>Each of the stages of this complex campaign relies on a number of tools, including spear phishing with infected documents exploiting 0-days; infected websites; various data mining modules hand-picked depending on the complexity of the target and the criticality of the data; and a very advanced network of C&amp;C servers. As a result, by last August, the campaign had claimed several hundred victims in 45 countries, especially in Europe and the Middle East.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">RT <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a>: Agent.btz <a href=\"https:\/\/twitter.com\/hashtag\/Malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Malware<\/a> May Have Served as Starting Point for Red October, <a href=\"https:\/\/twitter.com\/hashtag\/Turla?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Turla<\/a> \u2013 <a href=\"http:\/\/t.co\/6x98OI4afx\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/6x98OI4afx<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/444069305643462656?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 13, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This week Kaspersky researcher <a href=\"https:\/\/twitter.com\/stefant\" target=\"_blank\" rel=\"noopener nofollow\">Stefan Tanase<\/a> published the <a 
href=\"https:\/\/securelist.com\/blog\/research\/72081\/satellite-turla-apt-command-and-control-in-the-sky\/\" target=\"_blank\" rel=\"noopener\">data on the final stage of the attack<\/a>, when the stolen data is sent to a C&amp;C server. To enable data mining, Turla, like many APT groups before it, uses a variety of methods \u2013 for instance, abuse-resistant hosting. But as soon as the data in question lands in a particular C&amp;C hosted on a particular server, the likelihood of it being seized by law enforcement or blocked by a service provider is quite high, regardless of any proxies the culprits might have in place.<\/p>\n<p>And this is when the satellite Internet comes into play. The advantage here is that the server might be established or moved anywhere within the range of the satellite. But there is a rub: in order to lease a bidirectional satellite channel of decent capacity, you need to pay <strong>tons<\/strong> of money, and, besides, the paper trail will give you away easily as soon as the trace is found. Well, the method discovered by our researcher does not presuppose a lease model.<\/p>\n<p>There is a thing called \u201csatellite fishing\u201d: a lightly modified piece of software on the satellite terminal does not reject packets which are not intended for a particular user, but collects them. As a result, the \u201cfisher\u201d may gather someone else\u2019s web pages, files, and data. This method works under one condition: the channel is not encrypted.<\/p>\n<p>The Turla attack employs the same method, with one slight modification: when probing the traffic, the attacker identifies a victim\u2019s IP address and makes compromised machines send data to this IP, which belongs to a legitimate, well-meaning, unknowing owner of a satellite terminal.<\/p>\n<p>During the attack, the hackers use specific communication ports which are closed by default on average systems, so the packets are rejected by design. 
But those who probe the traffic might hijack this data without revealing their location.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Russian-speaking cyber spies exploit satellites <a href=\"https:\/\/t.co\/EIhfVg2aRD\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/EIhfVg2aRD<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/turla?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#turla<\/a> <a href=\"http:\/\/t.co\/b8LTv4t041\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/b8LTv4t041<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/641606357309882368?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>By the way, old radio phones did not encrypt the voice traffic at all, as the receiving devices able to operate on such frequency bands were quite expensive. That used to be so, but in no time various all-band receivers started to pop up here and there, priced very moderately.<\/p>\n<p>It\u2019s quite a lousy comparison, as the \u2018Turla-designed\u2019 data mining and processing solution would have cost at least a couple of thousand dollars. But the bottom line is that satellite Internet systems have an inherent flaw leveraged by attackers. 
There is no action plan for closing this vulnerability, and the outcome remains unclear.<\/p>\n<p>As a result, the approximate location of Turla\u2019s C&amp;C server coincides with the range of the satellite operator:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/09\/06024208\/Turla_Map_of_Targets1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9788\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/09\/06024208\/Turla_Map_of_Targets1.png\" alt=\"Russian-speaking cyber spies from Turla APT group exploit satellites\" width=\"1468\" height=\"920\"><\/a><\/p>\n<p>And here we lose the trace.<\/p>\n<h3>What else happened:<\/h3>\n<p>Another type of <a href=\"https:\/\/threatpost.com\/new-android-ransomware-communicates-over-xmpp\/114530\/\" target=\"_blank\" rel=\"noopener nofollow\">Android ransomware was found<\/a>. It communicates with its C&amp;C server via XMPP. Chats and other instant messengers have already been used for communication by various PC malware, so the news proves that mobile malware is following the same path of progress as desktop malware, only a lot faster.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/mobile?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#mobile<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#malware<\/a> New Android Ransomware Communicates over XMPP: <a href=\"https:\/\/t.co\/NaduU8sGbH\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/NaduU8sGbH<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/j3sG6zS7xc\" target=\"_blank\" rel=\"noopener 
nofollow\">pic.twitter.com\/j3sG6zS7xc<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/639454422691655680?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 3, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Another series of <a href=\"https:\/\/threatpost.com\/google-patches-critical-vulnerabilities-in-chrome-45\/114509\/\" target=\"_blank\" rel=\"noopener nofollow\">patches for critical vulns in Google Chrome<\/a> was published (we advise you to update your browser and install V45).<\/p>\n<p>Seagate\u2019s wireless hard drives happened to <a href=\"http:\/\/www.theregister.co.uk\/2015\/09\/07\/files_on_seagate_wireless_disks_can_be_poisoned_purloined\/\" target=\"_blank\" rel=\"noopener nofollow\">contain a couple of serious bugs<\/a>: unencrypted access via telnet and a hard-coded password for root access. This is quite critical, but <a href=\"https:\/\/www.kaspersky.com.au\/blog\/security-week-36\/9727\/\" target=\"_blank\" rel=\"noopener\">we discussed this topic last week<\/a> when talking about routers. The moral: everything which broadcasts Wi-Fi should be heavily protected. In today\u2019s reality, everything can broadcast Wi-Fi, even cameras.<\/p>\n<h3>Oldies:<\/h3>\n<p>Manowar-273<\/p>\n<p>A harmless resident virus which typically plagues .COM and .EXE files when they are run (the COMMAND.COM file is infected by the Lehigh algorithm). The virus contains the text: \u201cDark Lord, I summon thee! 
MANOWAR\u201d.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/6POUitQf8v8?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>Iron-Maiden<\/p>\n<p>A very dangerous non-resident virus which typically infects .COM files of the current catalogue. As of August 1990, depending on timing, might erase two random sectors on hard drives. Contains the text: \u201cIRON MAIDEN\u201d.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/08\/06024345\/infosec-digest-32-book1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-9594\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/08\/06024345\/infosec-digest-32-book1.jpg\" alt=\"Security Week: Doors without locks, invulnerable Microsoft, disassembler and pain\" width=\"100\" height=\"128\"><\/a><\/p>\n<p><em>Quoted from \u201cComputer viruses in MS-DOS\u201d by Eugene Kaspersky, 1992. Pages 70, 75.<\/em><\/p>\n<p><em>Disclaimer: this column reflects only the personal opinion of the author. It may coincide with Kaspersky Lab position, or it may not. 
Depends on luck.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the new installment of our explosive hit series &#8220;Infosec news&#8221; you&#8217;ll find: the breach of Bugzilla, Carbanak is coming back and Turla uses Level-God hard to track techniques to hide servers.<\/p>\n","protected":false},"author":53,"featured_media":9850,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2646],"tags":[499,882,1242,963,36,1203,422,1237],"class_list":{"0":"post-9848","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-apt","10":"tag-bugs","11":"tag-bugzilla","12":"tag-carbanak","13":"tag-malware-2","14":"tag-security-week","15":"tag-threats","16":"tag-turla"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/security-week-37\/9848\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/security-week-37\/5194\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/security-week-37\/5970\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/security-week-37\/6233\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/security-week-37\/6184\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/security-week-37\/6844\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/security-week-37\/6619\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/security-week-37\/8867\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/security-week-37\/9848\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/security-week-37\/6148\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/security-week-37\/8896\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/security-week-37\/8867\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blo
g\/security-week-37\/9848\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/9848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=9848"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/9848\/revisions"}],"predecessor-version":[{"id":26748,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/9848\/revisions\/26748"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/9850"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=9848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=9848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=9848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}