Cyberattackers often view small and medium-sized businesses (SMBs) as easier targets, assuming their security measures are less robust than those of larger enterprises. In fact, attacks through contractors, also known as trusted relationship attacks, remain one of the top three methods used to breach corporate networks. With SMBs generally being less protected than large enterprises, this makes them especially attractive to both opportunistic cybercriminals and sophisticated threat actors.

At the same time, AI-driven attacks are becoming increasingly common, making phishing and malware campaigns easier to prepare and quickly adapt, thus increasing their scale. Meanwhile, cybersecurity regulations are tightening, adding more compliance pressure on SMBs.

Improving your security posture has never been more critical. Kaspersky highlights key attack vectors every SMB should be aware of to stay protected.

How malware and potentially unwanted applications (PUAs) are disguised as popular services

Kaspersky analysts have used data from the Kaspersky Security Network (KSN) to explore how frequently malicious and unwanted files and programs are disguised as legitimate applications commonly used by SMBs. The KSN is a system for processing anonymized cyberthreat-related data shared voluntarily by opted-in Kaspersky users. For this research, only data received from the users of Kaspersky solutions for SMBs were analyzed. The research focused on the following applications:

• ChatGPT
• Cisco AnyConnect
• Google Drive
• Google Meet
• DeepSeek
• Microsoft Excel
• Microsoft Outlook
• Microsoft PowerPoint
• Microsoft Teams
• Microsoft Word
• Salesforce
• Zoom

Between January and April 2025 alone, nearly 8,500 SMB users encountered cyberattacks in which malware or PUAs were disguised as these popular tools.

Among the detected threats, the highest number (1652) of unique malicious and potentially unwanted files mimicked Zoom, the widely used video conferencing platform. This accounted for nearly 41% of all unique files detected, a 14-percentage point increase compared to 2024. Microsoft Office applications remained frequent targets for impersonation: Outlook and PowerPoint each accounted for 16%, Excel for nearly 12%, while Word and Teams made up 9% and 5%, respectively.

Share of unique files with names mimicking the nine most popular legitimate applications in 2024 and 2025 (download)

A comparison of the threat landscape in 2024 and 2025 reveals a clear shift: with the growing popularity of AI services, cyberattackers are increasingly disguising malware as various AI tools. According to our analysis, the number of unique malicious files mimicking ChatGPT grew by 115%, reaching 177 in the first four months of 2025. This contributed to a three-percentage-point increase in the tool’s share among the most mimicked applications. DeepSeek, a large language model launched only in 2025, has immediately appeared on the list of impersonated tools.

Another cybercriminal tactic to watch for in 2025 is the growing use of collaboration platform brands to trick users into downloading or launching malware and PUAs. As mentioned above, the share of threats disguised as Zoom increased by 14 percentage points, reaching 1652 unique files, while Microsoft Teams and Google Drive saw increases of over three and one percentage points, respectively, with 206 and 132 cases. This pattern likely reflects the normalization of remote work and geographically distributed teams, which has made these platforms integral to business operations across industries.

Attackers are clearly leveraging the popularity and credibility of these services to increase the success rate of their campaigns.

The total number of unique malicious and unwanted files imitating legitimate applications slightly declined year-over-year, from 5,587 in 2024 to 4,043 in 2025.

Main types of threats affecting the SMB Sector, 2025 (download)

The top threats targeting SMBs in 2025 included downloaders, Trojans, and adware.

Leading the list are downloaders, potentially unwanted applications designed to install additional content from the internet, often without clearly informing the user of what’s being downloaded. While not inherently malicious, these tools are frequently exploited by attackers to deliver harmful payloads to victims’ devices.

Trojans ranked next. These are malicious programs that carry out unauthorized actions such as deleting, blocking, modifying, or copying data, or disrupting the normal operation of computers and networks. Trojans are among the most prevalent forms of malware, and cyberattackers continue to use them in a wide range of malicious campaigns.

Adware also made the top three list. These programs are designed to display advertisements on infected computers or substitute a promotional website for the default search engine in a browser. Adware often comes bundled with freeware or shareware, effectively serving as the price for using the free software. In some cases, Trojans silently download and install adware onto the victim’s machine.

Among other common types of threats were DangerousObject, Trojan-Dropper, Backdoor, Trojan-Downloader, HackTool, Trojan-PSW, and PSW-Tool. For instance, we recently identified a campaign involving a Trojan-Downloader called “TookPS“, which was distributed through fake websites imitating legitimate remote access and 3D modeling software.

How scammers and phishers trick victims into giving up accounts and money

We continue to observe a wide range of phishing campaigns and scams targeting SMBs. Attackers aim to steal login credentials for various services, from delivery platforms to banking systems, or manipulate victims into sending them money.

To do this, cyberattackers use a variety of lures, often imitating landing pages from brands commonly used by SMBs. One example is a phishing attempt targeting Google business accounts. The bait lures victims with the promise of promoting their company on X. It requires them to first log in to a dedicated platform using their Google account with credentials that will end up in cyberattackers’ hands.

Another fake landing page impersonated a bank that offered business loans: a “Global Trust Bank”. Since legitimate organizations with that name exist in multiple countries, this phishing attempt may have seemed believable. The attackers tried to lure users with favorable business loan terms – but only after victims submitted their online banking credentials, giving the criminals access to their accounts.

We also saw a range of phishing emails targeting SMBs. In one recent case detected by our systems, the attacker sent a fake notification allegedly from DocuSign, an electronic document-signing service.

SMBs can even find themselves targeted by classic Nigerian scams. In one recent example, the sender claimed to represent a wealthy client from Turkey who wanted to move $33 million abroad to allegedly avoid sanctions, and invited the recipient to handle the funds. In Nigerian scams, fraudsters typically cajole money. They may later request a relatively small payment to a manager or lawyer compared to the amount originally promised.

Beyond these threats, SMBs are bombarded daily with hundreds of spam emails. Some promise attractive deals on email marketing or loans; others offer services like reputation management, content creation, or lead generation. In general, these offers are crafted to reflect the typical needs of small businesses. Not surprisingly, AI has also made its way into the spam folder – with offers to automate various business processes.

We have also seen spammers offering dubious deals like purchasing a database of over 400,000 businesses for $100, supposedly to be used for selling the company’s B2B products, or manipulating reviews on a review platform.

Security tips

SMBs can reduce risks and ensure business continuity by investing in comprehensive cybersecurity solutions and increasing employee awareness. It is essential to implement robust measures such as spam filters, email authentication protocols, and strict verification procedures for financial transactions and the handling of sensitive information.

Another key step toward cyber resilience is promoting awareness about the importance of comprehensive security procedures and ensuring they are regularly updated. Regular security training sessions, strong password practices, and multi-factor authentication can significantly reduce the risk of phishing and fraud.

It is also worth noting that searching for software through search engines is an insecure practice, and should be prohibited in the organization. If you need to implement new tools or replace existing ones, make sure they are downloaded from official sources and installed on a centralized basis by your IT team.

Cybersecurity Action Plan for SMBs

1. Define access rules for corporate resources such as email accounts, shared folders, and online documents. Monitor and limit the number of individuals with access to critical company data. Keep access lists up to date and revoke access promptly when employees leave the company. Use cloud access security brokers to monitor and control employee activities within cloud services and enforce security policies.
2. Regularly back up important data to ensure the preservation of corporate information in case of emergencies or cyberincidents.
3. Establish clear guidelines for using external services and resources. Create well-defined procedures for coordinating specific tasks, such as implementing new software, with the IT department and other responsible managers. Develop short, easy-to-understand cybersecurity guidelines for employees, with a special focus on account and password management, email protection, and safe web browsing. A well-rounded training program will equip employees with the knowledge they need and the ability to apply it in practice.
4. Implement specialized cybersecurity solutions that provide visibility and control over cloud services, such as Kaspersky Next.

securelist.com/smb-threat-repo…

What has the EDRis network been up to over the past two weeks? Find out the latest digital rights news in our bi-weekly newsletter. In this edition: The case for a spyware ban, EDRi 2025-2030 strategy, EU must reassess Israel’s adequacy status, & more!

The post EDRi-gram, 25 June 2025 appeared first on European Digital Rights (EDRi).

Last week, the EDRi network expressed shared concerns about the introduction of new rules at EU level on the retention of data by service providers for law enforcement purposes.

The post Joint civil society response to the Commission’s call for evidence: Impact assessment on data retention by service providers for criminal proceedings appeared first on European Digital Rights (EDRi).

Can a 3D Minecraft implementation be done entirely in CSS and HTML, without a single line of JavaScript in sight? The answer is yes!

True, this small clone is limited to playing with blocks in a world that measures only 9x9x9, but the fact that [Benjamin Aster] managed it at all using only CSS and pure HTML is a fantastic achievement. As far as proofs of concept go, it’s a pretty clever one.

The project consists of roughly 40,000 lines of HTML radio buttons and labels, combined with fewer than 500 lines of CSS where the real work is done. In a short thread on X [Benjamin] explains that each block in the 9x9x9 world is defined with the help of tens of thousands of <label> and <input type="radio"> elements to track block types and faces, and CSS uses that as a type of display filter. Clicking a block is clicking a label, and changing a block type (“air” or no block is considered a type of block) switches which labels are visible to the user.

Viewing in 3D is implemented via CSS animations which apply transforms to what is displayed. Clicking a control starts and stops the animation, resulting in a view change. It’s a lot of atypical functionality for plain HTML and CSS, showing what is possible with a bit of out-of-the-box thinking.

[Simon Willison] has a more in-depth analysis of CSS-Minecraft and how it works, and the code is on GitHub if you want a closer look.

Once you’re done checking that out and hungry for more cleverness, don’t miss Minecraft in COBOL and Minecraft Running in… Minecraft.

hackaday.com/2025/06/25/minecr…

The EDRi network adopted its 2025-2030 strategy at the General Assembly in Paris in May 2025. In this blogpost, EDRi’s Executive Director, Claire Fernandez, lays out the year-long journey and the work on many people it took to get us to this important milestone, and some highlights from our objectives and approach moving forward.

The post The EDRi network adopts its 2025-2030 Strategy appeared first on European Digital Rights (EDRi).

Un grave attacco informatico ha colpito l’Alto Adige nella giornata di martedì 24 giugno, provocando un blackout diffuso che ha interessato diversi servizi telematici, sia pubblici che privati.

Lo riporta il notiziario l’Adige.it, che Le prime interruzioni sono state registrate già nelle prime ore del mattino del 24 giugno e hanno coinvolto aziende, media locali, infrastrutture strategiche e cittadini comuni, impedendo l’accesso a numerosi portali e reti operative.

Nel corso del pomeriggio, il presidente della Provincia autonoma di Bolzano, Arno Kompatscher, ha confermato che il malfunzionamento è stato causato da un attacco informatico. L’intrusione ha compromesso alcuni sistemi della pubblica amministrazione e ha reso temporaneamente inaccessibili vari servizi digitali, scatenando immediatamente l’allerta nelle istituzioni locali.

Tra i settori più colpiti figurano i sistemi telefonici, o parti di essi, del Centro provinciale per le informazioni sul traffico, della Centrale unica di emergenza, della centrale del Corpo permanente dei vigili del fuoco e del Servizio radio provinciale sono attualmente soggetti a disfunzioni tecniche.

È stata avviata un’indagine per chiarire le dinamiche dell’attacco informatico che ha colpito la provincia. Le prime ricostruzioni fanno pensare a un’azione a scopo estorsivo: la stessa amministrazione ha confermato che è stata avanzata una richiesta economica alle strutture coinvolte, specificando però che non verrà intrapresa alcuna trattativa con gli autori dell’attacco.

Durante un incontro con i referenti dei settori colpiti dal blocco digitale, le autorità locali hanno comunicato che l’origine del problema è stata identificata e contenuta tempestivamente, limitando così danni più gravi. È stato inoltre precisato che non vi è stata alcuna compromissione dei dati personali dei cittadini e che i numeri per le emergenze restano pienamente funzionanti.

Al momento dal monitoraggio delle underground criminali, ancora non emergono segnali di compromissione da parte di cyber gang ransomware.

L'articolo Cyberattacco in Alto Adige: blackout informatico paralizza servizi pubblici e privati proviene da il blog della sicurezza informatica.

Gli aggressori stanno sfruttando una vulnerabilità critica nell’escalation dei privilegi nel tema WordPress Motors, che consente loro di hackerare gli account degli amministratori e assumere il controllo completo del sito di destinazione.

L’attività dannosa è stata scoperta da Wordfence, che il mese scorso ha segnalato una grave vulnerabilità, la CVE-2025-4322, che colpisce tutte le versioni del tema Motors fino alla 5.6.67. Questo tema, sviluppato da StylemixThemes, ha totalizzato 22.460 vendite su Envato Market ed è molto popolare tra i proprietari di siti web dedicati al settore automobilistico.

Il problema è legato al widget Registro di accesso e alla convalida errata dell’identità dell’utente durante l’aggiornamento di una password, che consente ad aggressori non autenticati di modificare le password dell’amministratore. Pertanto, per sfruttare il bug, un aggressore deve prima trovare l’URL in cui si trova il widget controllando /login-register, /account, /reset-password, /signin, ecc. utilizzando richieste POST speciali. Tali richieste contengono caratteri UTF-8 non validi nel valore hash_check, il che porta a confronti hash errati durante la reimpostazione di una password.

Il corpo del POST contiene il valore stm_new_password, che reimposta la password dell’utente in base agli ID che in genere appartengono agli amministratori del sito.

A maggio, gli sviluppatori di StylemixThemes hanno rilasciato la versione 5.6.68, che corregge CVE-2025-4322, ma molti utenti non hanno ancora installato gli aggiornamenti e potrebbero ora essere vulnerabili agli attacchi.

Gli analisti di Wordfence hanno segnalato che gli attacchi alla nuova vulnerabilità sono iniziati già il 20 maggio, appena un giorno dopo la divulgazione del problema. Attacchi più estesi sono iniziati dopo il 7 giugno 2025 e Wordfence afferma di aver già bloccato oltre 23.100 tentativi di hacking contro i suoi clienti.

Secondo gli esperti, le password utilizzate dagli aggressori negli attacchi includono:

• Prova prova123!@#;
• rzkkd$SP3znjrn;
• Curdo@Kurd12123;
• owm9cpXHAZTk;

Una volta ottenuto l’accesso, gli aggressori accedono alla dashboard di WordPress come amministratori e creano account amministrativi aggiuntivi per mettere piede sulla risorsa hackerata. Gli esperti scrivono che la comparsa improvvisa di tali account, unita al blocco degli account amministratore esistenti (le password non funzionano più), è un segno sicuro dello sfruttamento di CVE-2025-4322. Si consiglia agli utenti di Motors di aggiornare il tema il prima possibile.

L'articolo 22.000 siti a rischio: nuova vulnerabilità Motors WordPress consente l’hacking totale proviene da il blog della sicurezza informatica.

Gli sviluppatori del ransomware Qilin (da noi intervistati recentemente) hanno offerto ai loro partner l’aiuto e la consulenza di un team di avvocati, in modo da poter fare pressione sulle vittime e costringerle a pagare il riscatto. La pubblicità del nuovo servizio è stata notata dagli specialisti dell’azienda israeliana di sicurezza informatica Cybereason.

Secondo loro, nel pannello dei partner del ransomware è comparsa l’opzione “Chiama un avvocato”.

Si sostiene inoltre che il gruppo abbia ormai una squadra di giornalisti a tempo pieno in grado di collaborare con l’ufficio legale per preparare pubblicazioni volte ad aumentare la pressione sulle vittime.

Inoltre, Qilin ha recentemente aggiunto 1 petabyte di spazio su disco al suo pannello partner (in parte per uso personale dei partner e in parte per l’archiviazione dei dati delle vittime), la possibilità di distribuire spam tramite e-mail e telefono e strumenti per lanciare attacchi DDoS, registrati per la prima volta nell’aprile 2025.

Ricordiamo che il ransomware Qilin è apparso nell’agosto 2022 e inizialmente si chiamava Agenda, per poi cambiare nome un mese dopo. Secondo i ricercatori, solo nell’aprile 2025, il sito ransomware ha registrato 72 nuove vittime e, a maggio, gli esperti lo hanno collegato a 55 attacchi. Gli esperti hanno motivo di ritenere che alcuni partner di RansomHub siano passati a Qilin, il che ha contribuito all’aumento dell’attività malware negli ultimi mesi.

“Oltre a una presenza crescente su forum e tracker dedicati al ransomware, Qilin vanta un’infrastruttura tecnicamente avanzata. Offre payload scritti in Rust e C, loader con funzionalità di elusione avanzate e un pannello di partner che offre esecuzione in modalità provvisoria, propagazione in rete, pulizia dei log e strumenti per negoziazioni automatizzate”, scrivono gli analisti di Cybereason.

Per quanto riguarda la nuova funzionalità di chiamata dell’avvocato, questa potrebbe essere utilizzata per invitare un consulente legale a parlare con la vittima, il quale offrirà assistenza professionale su questioni quali:

• valutazione legale dei dati rubati dai partner di Qilin;
• un certificato attestante quali leggi e regolamenti specifici la vittima ha violato divulgando tali dati;
• una stima dei potenziali costi associati alla risoluzione dell’incidente se la vittima decide di non pagare il riscatto.

Si ritiene che gli avvocati possano anche intervenire nel processo di negoziazione e dialogare direttamente con la vittima, spiegando all’azienda danneggiata che il rifiuto di pagare potrebbe comportare perdite ancora maggiori. Come sottolineano i ricercatori di Tripwire, è probabile che queste affermazioni non siano altro che una trovata di marketing.

“Non fatevi illusioni. Il loro obiettivo è attrarre più partner, aumentare la percentuale di attacchi di riscatto riusciti e cercare di convincere le vittime di avere a che fare con criminali esperti”, affermano gli esperti. Tuttavia, Va da se che Qilin sta diventando uno dei gruppi di ransomware dominanti nel ransomware-as-a-service (RaaS). I suoi ex concorrenti, tra cui LockBit, ALPHV, Everest e RansomHub (che si vociferava fosse stata acquisita da DragonForce), hanno tutti perso influenza negli ultimi anni per vari motivi, in particolare a causa delle forze dell’ordine.

L'articolo Studio legale Qilin & Associati: Il Ransomware assume Avvocati e lancia il “pacchetto intimidazione” proviene da il blog della sicurezza informatica.

As cars increasingly become computers on wheels, the attack surface for digital malfeasance increases. [PCAutomotive] has shared its exploit for turning the 2020 Nissan Leaf into 1600 kg RC car. [PDF via Electrek]

Starting with some scavenged infotainment systems and wiring harnesses, the group built test benches able to tear into vulnerabilities in the system. An exploit was found in the infotainment system’s Bluetooth implementation, and they used this to gain access to the rest of the system. By jamming the 2.4 GHz spectrum, the attacker can nudge the driver to open the Bluetooth connection menu on the vehicle to see why their phone isn’t connecting. If this menu is open, pairing can be completed without further user interaction.

Once the attacker gains access, they can control many vehicle functions, such as steering, braking, windshield wipers, and mirrors. It also allows remote monitoring of the vehicle through GPS and recording audio in the cabin. The vulnerabilities were all disclosed to Nissan before public release, so be sure to keep your infotainment system up-to-date!

If this feels familiar, we featured a similar hack on Tesla infotainment systems. If you’d like to hack your Leaf for the better, we’ve also covered how to fix some of the vehicle’s charging flaws, but we can’t help you with the loss of app support for early models.

youtube.com/embed/56VreoKtStw?…

hackaday.com/2025/06/24/hack-t…