
Huawei MBBS Africa: Unlocking 5G Opportunity in the Region

1 December 2025 at 12:35
A. Amir

Summary Bullets:

• Huawei aims to accelerate Digital Africa with wider connectivity, 5G, and sustainability.

• Industrial 5G, especially in mining, can drive 5G monetization in Africa. This is supported by Huawei’s broad portfolio and ecosystem.

Huawei held its MBBS Africa in Cape Town, South Africa in November 2025. As one of the leading telecom network vendors, Huawei shared its regional vision – to drive ‘Digital Africa’ through wider connectivity, 5G, and sustainable solutions.

GlobalData’s Africa & Middle East Mobile Broadband Forecast shows that mobile data subscriptions have been growing steadily at high single-digit rates over the past several years and are expected to rise at a 7.2% CAGR over the next five years. While 5G adoption is increasing, the penetration rate is still low compared to other regions. Huawei highlighted its initiatives and broad capabilities to accelerate growth in Africa. These include multi-band massive MIMO for additional capacity, active antenna solutions for efficient and flexible deployments, FWA for new use cases, cost-efficient solutions for rural deployments, and various energy-saving technologies such as adaptive power backup. Several operators, including Telkom SA, Safaricom Kenya, and Airtel Tanzania, showcased how they are leveraging these technologies in their networks. Huawei is also transforming its engagement model with African operators, moving beyond the role of a network vendor to become a digitalization partner by delivering innovative solutions aligned with business needs and monetization strategies.

As 5G deployment gathers pace, monetization will become critical for operators. GlobalData research estimates 5G users will account for 7.1% of all mobile users by the end of 2025 and will grow to 26.7% by 2030. However, 5G monetization remains a global challenge even in advanced markets. The challenge will be an even bigger hurdle for African operators due to slower overall adoption and relatively lower spending power. This makes enterprise 5G a key monetization engine. Horizontal services such as FWA, private 5G, and IoT are essential. These use cases can help enterprises address various needs such as increasing reliability and security for critical applications, agile connectivity for temporary sites (e.g., events, remote operations), SD-WAN underlay, and large-scale IoT deployments. Meanwhile, 5G-enabled industrial solutions represent an even larger opportunity. Mining and resources, one of the region’s largest sectors, can benefit from applications like autonomous drilling, remote operation/maintenance, and worker safety. Globally, 5G adoption in mining is maturing. GlobalData’s 5G & Private Network Deployment Tracker shows that 7% of global deployments are in the mining sector. Construction, tourism, and hospitality are among the other major verticals in the region. There is a growing number of use cases, including drones and surveillance, digital twins, and safety in construction; and mixed reality, robots, and smart facilities in tourism/hospitality.

While the opportunity for 5G-enabled industrial services is growing solidly, the solutions are far more complicated. They span broader ICT stacks and require IT-OT integration. Nevertheless, this plays to Huawei’s strengths. The vendor has a comprehensive portfolio spanning cellular and fixed networks, cloud, servers, end points, AI, and industrial capabilities. For example, autonomous drilling in mining requires not only a private network but also edge computing, AI/analytics, and vertical expertise. Besides, the company has a wide partner ecosystem including industrial players and end-point manufacturers. More importantly, Huawei has extensive references and experience delivering these solutions cost-effectively in other emerging markets such as Asia and South America. It can showcase these successful deployments to gain market trust and grow its brand share in the enterprise 5G space.

When “Seeing” Becomes a Weapon: How HMDs Are Changing Security Guarding in the Field and the Future of the System

24 November 2025 at 16:00

What security guarding meant on the institutional stage of the Expo

In 2025, Expo 2025 Osaka, Kansai took as its theme “Designing Future Society for Our Lives” and welcomed roughly 29 million visitors from around the world over 184 days. The Japan Pavilion, built by host nation Japan, was its symbolic centrepiece and a hub for presenting culture, technology and ideas. But the role this facility played was not limited to exhibits and architecture. A redefinition of the institutional function of security guarding was quietly but steadily under way.

The Japan Pavilion’s security operation was run by a team of around 40 guards. The deployment was heavier than at an ordinary facility because frequent visits by dignitaries from Japan and abroad, including members of the Imperial family, were scheduled. Security here was not mere safety assurance; it functioned as institutional infrastructure underpinning the reliability and symbolic status of a public facility.

The company in charge of this security was Teikei. With sales of 94.3 billion yen in the fiscal year ended June 2025, it is the third-largest security firm in the industry after Secom and ALSOK. A comprehensive security company centred on traffic control and facility guarding, its corporate philosophy, “building a tomorrow where nothing happens”, matched the Japan Pavilion’s theme, “Designing Future Society for Our Lives”. Its strong track record in both cutting-edge technology and personnel development was recognised, and it was entrusted with the security contract.

At the core of the Japan Pavilion’s security set-up was the trial deployment of head-mounted displays (HMDs). Replacing conventional radio communication, this device, which can share video, still images and text in real time, is not merely a technical innovation. By redefining “seeing”, “conveying” and “recording”, it was an attempt to re-examine the very nature of security guarding as an institution. Kimihiko Obe (大部公彦), deputy general manager of Teikei’s public relations department, puts it this way.

“Until now, the radio has been the main means of conveying information. As a result, when someone spoke quickly or slowly, or had unclear diction, it was hard to catch and had to be asked again. Depending on signal conditions the radio could also cut out, so some time lag was unavoidable. And once you missed a radio message, you had to ask for the same content to be repeated.”

So this time, HMDs were introduced on a trial basis. This made it possible to share information as images, video and text; as a result, exchanges such as “What did you just say? Can you repeat that?” decreased, and because the information remains as a record it can be reviewed afterwards. Guards in the field report that “convenience has improved”.

Background to the development: where labour shortage and institutional constraints intersect

The security industry is now facing a quiet crisis. As of September 2025, while the nationwide average ratio of job openings to applicants was 1.20, the security services sector, which includes security guards, recorded a figure of 7. This abnormal value indicates not a mere shortage of personnel but that the gap between the system and the field has reached its limit.

Teikei’s HMD development began as a response to these structural problems. The idea dates back roughly four to five years. A conventional security set-up required staff stationed permanently in a disaster prevention centre plus several guards for patrols and fixed posts. But there were not enough people to sustain this. That gave rise to the idea: could the disaster prevention centre’s functions be distributed and operated remotely?

“The ageing of security guards and the labour shortage were already advancing, and it was becoming hard to maintain the traditional set-up of staffing a disaster prevention centre while also assigning personnel as needed to patrols and fixed posts. So in this development we aimed to ‘give the disaster prevention centre’s functions to a device’. In the future we want it to play the role of a fire alarm control panel, receiving signals from fire and smoke detectors, so that a response is possible even when the security office is unstaffed. Development of this device began with labour-saving as the goal.” (Obe)

This idea is not simply about saving labour. Rather, it aimed at maintaining and reconfiguring institutional reliability: “standardising security quality”, “making new recruits immediately effective” and “making tacit knowledge visible”. Development started around 2023.

The development team consisted of three volunteers selected from within the facility security division, and after a decision by top management the project was formally launched.

During development, the limits of conventional radio communication were clearly in mind: transmission errors caused by diction or signal conditions, the inefficiency of re-confirming missed messages, and disputes over “who said what”. To resolve these, a device that could share video, images and text in real time was required.

But more important than the technical implementation was that “anyone can use it”. In an ageing security workforce, complex operation simply goes unused. The principle that “technology that isn’t used never becomes part of the system” was placed at the root of the development philosophy.

Device design: the institutional meaning of “anyone can use it”

The development team first surveyed around 100 people at the supervisory level. But the answers were limited to deferential approval such as “I think it’s wonderful” and “We’d love to introduce it”, with hardly any concrete requests. So within a month the team re-interviewed guards in the field. Only then did the problems and needs of the actual users become clear.

The voices from the field were extremely specific.

• Wearability: a lightweight design that can be worn for long periods, a shape without protrusions or an intimidating look, compatibility with headgear (peaked caps, baseball caps, helmets), and a way to deal with shifts in viewing angle depending on whether the wearer has glasses.

• Usability: simplicity at the level of a “Raku-Raku Phone” (senior-friendly handset) that older people can use; access to video, images and text in two or three steps.

• Better information sharing: reduce the burden of memorising face photos, vehicle number plates and the like; compensate for delays caused by poor radio skills with video sharing.

• Records and evidence: address “who said what” disputes when trouble occurs; preserve evidence for labour disputes and customer interactions.

In response, the development team ran wearing trials. Just under ten people (half men, half women, with a range of body types) wore the device, and attachment length and ball-joint range of motion were adjusted to the millimetre; the design was finalised in March, just before the Expo.

This design philosophy is not mere technical ingenuity. “Anyone can use it” is a precondition for institutional reliability.

In security work, with its high public character, unless usability and wearability are guaranteed, the technology goes unused and the system does not function. This principle ran through the HMD’s design philosophy.

The moment technology becomes a system: the Expo as a proving ground

Technology becomes a system only when its design philosophy reaches the field. The Osaka Expo was an ideal site for trial operation of the HMD. Its special environment, limited in time, high in density and diverse in visitors, was a perfect field for testing the performance and limits of a security support device.

Feedback from guards in the field bore out the design philosophy. With conventional radio, transmission errors caused by diction or signal conditions and re-confirmation of missed messages were frequent. With the HMD, video, images and text could be used together, and the accuracy and speed of information transfer improved dramatically.

The effect was especially marked in dealing with VIPs.

“VIP visit schedules often changed on the day, and long waits had become the norm. But immediate sharing of text information made it possible to optimise staffing and make effective use of waiting time. This is not mere efficiency; it is the acquisition of institutional flexibility. Video sharing also allowed guards seeing a person for the first time to recognise them instantly. In handling lost children and giving directions too, sharing information through video enabled smooth coordination and eliminated dependence on individual staff.” (Obe)

The record-keeping function also played an important role in handling trouble. In dealing with customers and third parties, it prevented “who said what” disputes, and by leaving a record it served as a mechanism to protect the guards themselves. It also helped deter deviation from patrol routes and slacking, strengthening discipline by making behaviour visible.

The communications infrastructure ran stably on a dedicated Wi-Fi network; video from the field was shared with the base in real time, and necessary information was distributed from the base to guards. On the guard’s side, notifications appeared automatically and could be viewed. Operation that needed no advance training was a result of the design philosophy.

Thus the HMD functioned not as a mere new tool but as a mechanism that answered problems in the field. Designed in response to the voices of the field, operated in the field, and fed back from the field again: it is in this iteration that a system matures.

Roll-out and challenges: the three-layer structure of system, technology and field

After trial operation at the Osaka Expo, the HMD is about to move to the next stage. The focus of the roll-out is the permanently staffed facilities that security companies are contracted for: office buildings, government offices, hospitals and the like. But the move from the Expo’s special environment to everyday facilities faces challenges that cut across the three layers of system, technology and field.

First, at the system level, laws such as the Fire Service Act require staffing of disaster prevention centres, so immediate unstaffed operation is impossible. Even if the HMD has the technical potential to substitute for disaster prevention centre functions, adoption will not proceed unless institutional legitimacy is secured. On this point, linkage with regulatory reform emerges as a future prospect.

At the technical level, communication stability and transmission quality were highly rated in operation at the Expo. Immediate sharing of video, images and text over a dedicated Wi-Fi network greatly improved responsiveness in the field. But because the environment differs at permanently staffed facilities, feature expansion and re-evaluation tailored to each facility’s requirements will be needed. Standardising as-yet unimplemented features such as GPS movement tracking and integration with AI security cameras also remains an issue.

At the field level, the focus is on standardising security quality and making new recruits immediately effective. The HMD reduces the burden of memorising face photos and vehicle number plates and compensates for delays caused by poor radio skills. This lets new recruits respond at the same level as veterans and also helps prevent attrition. As labour shortages deepen, improved retention has institutional meaning as an indirect form of labour-saving.

At this stage, however, direct labour-saving such as “turning a two-person job into a one-person job” is not intended. Rather, “maintaining security quality without lowering it” takes priority, and the HMD is positioned as a value-adding device for that purpose. Once KPIs (transmission error rate, response time, attrition rate and so on) are defined and measured, institutional effects can be made visible, opening the way to broader adoption.

The HMD roll-out is thus a process of adjustment spanning the three layers of system, technology and field. Now, as roll-out to everyday facilities begins after the demonstration in the symbolic space of the Expo, the question is how to connect institutional maturity, technical flexibility and acceptance in the field.

Eri Hariu, director analyst at Gartner Japan, comments on Teikei’s HMD deployment as follows. “This case is interesting as an attempt to solve the security industry’s serious labour shortage digitally by deploying HMDs. Frontline workers at many companies face labour shortages, the need for rapid training, and communication problems. In that sense, raising transmission accuracy and response speed through immediate sharing of video and text, eliminating dependence on individuals and making new recruits immediately effective is groundbreaking. Today’s HMDs still have issues such as the burden of wearing them, dependence on connectivity and differing requirements per facility, but by actively applying technology where it can be used and repeatedly improving, the fusion of the field and digital will accelerate. Going forward, AI anomaly detection, movement-line analysis and integration with remote or unstaffed disaster prevention centre functions will advance, and security will evolve into ‘collaboration between people and technology’. The demonstration at the Osaka Expo is a symbolic first step showing that future.”

IT threat evolution in Q3 2025. Non-mobile statistics

By: AMR
19 November 2025 at 05:00


Quarterly figures

In Q3 2025:

  • Kaspersky solutions blocked more than 389 million attacks that originated with various online resources.
  • Web Anti-Virus responded to 52 million unique links.
  • File Anti-Virus blocked more than 21 million malicious and potentially unwanted objects.
  • 2,200 new ransomware variants were detected.
  • Nearly 85,000 users experienced ransomware attacks.
  • 15% of all ransomware victims whose data was published on threat actors’ data leak sites (DLSs) were victims of Qilin.
  • More than 254,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

The UK’s National Crime Agency (NCA) arrested the first suspect in connection with a ransomware attack that caused disruptions at numerous European airports in September 2025. Details of the arrest have not been published as the investigation remains ongoing. According to security researcher Kevin Beaumont, the attack employed the HardBit ransomware, which he described as primitive and lacking its own data leak site.

The U.S. Department of Justice filed charges against the administrator of the LockerGoga, MegaCortex and Nefilim ransomware gangs. His attacks caused millions of dollars in damage, putting him on wanted lists for both the FBI and the European Union.

U.S. authorities seized over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle from a suspect allegedly involved in distributing the Zeppelin ransomware. The criminal scheme involved data theft, file encryption, and extortion, with numerous organizations worldwide falling victim.

A coordinated international operation conducted by the FBI, Homeland Security Investigations (HSI), the U.S. Internal Revenue Service (IRS), and law enforcement agencies from several other countries successfully dismantled the infrastructure of the BlackSuit ransomware. The operation resulted in the seizure of four servers, nine domains, and $1.09 million in cryptocurrency. The objective of the operation was to destabilize the malware ecosystem and protect critical U.S. infrastructure.

Vulnerabilities and attacks

SSL VPN attacks on SonicWall

Since late July, researchers have recorded a rise in attacks by the Akira threat actor targeting SonicWall firewalls supporting SSL VPN. SonicWall has linked these incidents to the already-patched vulnerability CVE-2024-40766, which allows unauthorized users to gain access to system resources. Attackers exploited the vulnerability to steal credentials, subsequently using them to access devices, even those that had been patched. Furthermore, the attackers were able to bypass multi-factor authentication enabled on the devices. SonicWall urges customers to reset all passwords and update their SonicOS firmware.

Scattered Spider uses social engineering to breach VMware ESXi

The Scattered Spider (UNC3944) group is attacking VMware virtual environments. The attackers contact IT support posing as company employees and request to reset their Active Directory password. Once access to vCenter is obtained, the threat actors enable SSH on the ESXi servers, extract the NTDS.dit database, and, in the final phase of the attack, deploy ransomware to encrypt all virtual machines.

Exploitation of a Microsoft SharePoint vulnerability

In late July, researchers uncovered attacks on SharePoint servers that exploited the ToolShell vulnerability chain. In the course of investigating this campaign, which affected over 140 organizations globally, researchers discovered the 4L4MD4R ransomware based on Mauri870 code. The malware is written in Go and packed using the UPX compressor. It demands a ransom of 0.005 BTC.

The application of AI in ransomware development

A UK-based threat actor used Claude to create and launch a ransomware-as-a-service (RaaS) platform. The AI was responsible for writing the code, which included advanced features such as anti-EDR techniques, encryption using ChaCha20 and RSA algorithms, shadow copy deletion, and network file encryption.

Anthropic noted that the attacker was almost entirely dependent on Claude, as they lacked the necessary technical knowledge to provide technical support to their own clients. The threat actor sold the completed malware kits on the dark web for $400–$1,200.

Researchers also discovered a new ransomware strain, dubbed PromptLock, that utilizes an LLM directly during attacks. The malware is written in Go. It uses hardcoded prompts to dynamically generate Lua scripts for data theft and encryption across Windows, macOS and Linux systems. For encryption, it employs the SPECK-128 algorithm, which is rarely used by ransomware groups.

Subsequently, scientists from the NYU Tandon School of Engineering traced back the likely origins of PromptLock to their own educational project, Ransomware 3.0, which they detailed in a prior publication.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. As in the previous quarter, Qilin leads by this metric. Its share grew by 1.89 percentage points (p.p.) to reach 14.96%. The Clop ransomware showed reduced activity, while the share of Akira (10.02%) slightly increased. The INC Ransom group, active since 2023, rose to third place with 8.15%.

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new variants

In the third quarter, Kaspersky solutions detected four new families and 2,259 new ransomware modifications, nearly one-third more than in Q2 2025 and slightly more than in Q3 2024.

Number of new ransomware modifications, Q3 2024 — Q3 2025 (download)

Number of users attacked by ransomware Trojans

During the reporting period, our solutions protected 84,903 unique users from ransomware. Ransomware activity was highest in July, while August proved to be the quietest month.

Number of unique users attacked by ransomware Trojans, Q3 2025 (download)

Attack geography

TOP 10 countries attacked by ransomware Trojans

In the third quarter, Israel had the highest share (1.42%) of attacked users. Most of the ransomware in that country was detected in August via behavioral analysis.

Country/territory* %**
1 Israel 1.42
2 Libya 0.64
3 Rwanda 0.59
4 South Korea 0.58
5 China 0.51
6 Pakistan 0.47
7 Bangladesh 0.45
8 Iraq 0.44
9 Tajikistan 0.39
10 Ethiopia 0.36

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

Name Verdict %*
1 (generic verdict) Trojan-Ransom.Win32.Gen 26.82
2 (generic verdict) Trojan-Ransom.Win32.Crypren 8.79
3 (generic verdict) Trojan-Ransom.Win32.Encoder 8.08
4 WannaCry Trojan-Ransom.Win32.Wanna 7.08
5 (generic verdict) Trojan-Ransom.Win32.Agent 4.40
6 LockBit Trojan-Ransom.Win32.Lockbit 3.06
7 (generic verdict) Trojan-Ransom.Win32.Crypmod 2.84
8 (generic verdict) Trojan-Ransom.Win32.Phny 2.58
9 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 2.54
10 (generic verdict) Trojan-Ransom.MSIL.Agent 2.05

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q3 2025, Kaspersky solutions detected 2,863 new modifications of miners.

Number of new miner modifications, Q3 2025 (download)

Number of users attacked by miners

During the third quarter, we detected attacks using miner programs on the computers of 254,414 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q3 2025 (download)

Attack geography

TOP 10 countries and territories attacked by miners

Country/territory* %**
1 Senegal 3.52
2 Mali 1.50
3 Afghanistan 1.17
4 Algeria 0.95
5 Kazakhstan 0.93
6 Tanzania 0.92
7 Dominican Republic 0.86
8 Ethiopia 0.77
9 Portugal 0.75
10 Belarus 0.75

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In April, researchers at Iru (formerly Kandji) reported the discovery of a new spyware family, PasivRobber. We observed the development of this family throughout the third quarter. Its new modifications introduced additional executable modules that were absent in previous versions. Furthermore, the attackers began employing obfuscation techniques in an attempt to hinder sample detection.

In July, we reported on a cryptostealer distributed through fake extensions for the Cursor AI development environment, which is based on Visual Studio Code. At that time, the malicious JavaScript (JS) script downloaded a payload in the form of the ScreenConnect remote access utility. This utility was then used to download cryptocurrency-stealing VBS scripts onto the victim’s device. Later, researcher Michael Bocanegra reported on new fake VS Code extensions that also executed malicious JS code. This time, the code downloaded a malicious macOS payload: a Rust-based loader. This loader then delivered a backdoor to the victim’s device, presumably also aimed at cryptocurrency theft. The backdoor supported the loading of additional modules to collect data about the victim’s machine. The Rust downloader was analyzed in detail by researchers at Iru.

In September, researchers at Jamf reported the discovery of a previously unknown version of the modular backdoor ChillyHell, first described in 2023. Notably, the Trojan’s executable files were signed with a valid developer certificate at the time of discovery.

The new sample had been available on Dropbox since 2021. In addition to its backdoor functionality, it also contains a module responsible for brute-forcing the passwords of existing system users.

By the end of the third quarter, researchers at Microsoft reported new versions of the XCSSET spyware, which targets developers and spreads through infected Xcode projects. These new versions incorporated additional modules for data theft and system persistence.

TOP 20 threats to macOS

Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The PasivRobber spyware continues to increase its activity, with its modifications occupying the top spots in the list of the most widespread macOS malware varieties. Other highly active threats include Amos Trojans, which steal passwords and cryptocurrency wallet data, and various adware. The Backdoor.OSX.Agent.l family, which took thirteenth place, represents a variation on the well-known open-source malware, Mettle.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

Country/territory %* Q2 2025 %* Q3 2025
Mainland China 2.50 1.70
Italy 0.74 0.85
France 1.08 0.83
Spain 0.86 0.81
Brazil 0.70 0.68
The Netherlands 0.41 0.68
Mexico 0.76 0.65
Hong Kong 0.84 0.62
United Kingdom 0.71 0.58
India 0.76 0.56

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In Q3 2025, there was a slight increase in the share of devices attacking Kaspersky honeypots via the SSH protocol.

Distribution of attacked services by number of unique IP addresses of attacking devices (download)

Conversely, the share of attack sessions using the SSH protocol slightly decreased.

Distribution of attackers’ sessions in Kaspersky honeypots (download)
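The two charts above measure different things, which is why the SSH share can rise by one metric and fall by the other: one counts each attacking IP address once per service, the other counts every session. The following added example (not Kaspersky's code, and with constructed log lines rather than real honeypot data) computes both shares from the same log and shows how a few noisy SSH sources can push the session share up while the unique-IP share goes down.

```python
"""Share of honeypot attacks per service, counted two ways.

Added example, not Kaspersky's code or data. The report's two charts use
different denominators:
  - by unique attacking IP addresses: each source counts once per service
  - by sessions: every connection attempt counts
The log lines below are constructed for the example (documentation IP ranges).
Format (assumed): "<ISO timestamp> <source IP> <service>".
"""
from collections import defaultdict

# Constructed honeypot log: two SSH sources, one of them very chatty, versus
# three distinct Telnet sources that each open only one or two sessions.
SAMPLE_LOG = """\
2025-07-01T00:00:01Z 203.0.113.10 ssh
2025-07-01T00:00:02Z 203.0.113.10 ssh
2025-07-01T00:00:03Z 203.0.113.10 ssh
2025-07-01T00:00:04Z 203.0.113.10 ssh
2025-07-01T00:00:05Z 203.0.113.10 ssh
2025-07-01T00:00:06Z 203.0.113.11 ssh
2025-07-01T00:00:07Z 198.51.100.1 telnet
2025-07-01T00:00:08Z 198.51.100.2 telnet
2025-07-01T00:00:09Z 198.51.100.3 telnet
2025-07-01T00:00:10Z 198.51.100.3 telnet
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, service); reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed log line: {line!r}")
        ts, ip, service = parts
        events.append((ts, ip, service.lower()))
    return events


def share_by_unique_ips(events):
    """Percentage of distinct attacking IPs per service (the first chart's metric)."""
    ips_per_service = defaultdict(set)
    for _, ip, service in events:
        ips_per_service[service].add(ip)
    total = sum(len(ips) for ips in ips_per_service.values())
    return {s: round(100 * len(ips) / total, 2) for s, ips in ips_per_service.items()}


def share_by_sessions(events):
    """Percentage of sessions per service (the second chart's metric)."""
    sessions = defaultdict(int)
    for _, _, service in events:
        sessions[service] += 1
    total = sum(sessions.values())
    return {s: round(100 * n / total, 2) for s, n in sessions.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # With this data SSH is 40% of unique sources but 60% of sessions:
    # the same service rises by one metric and falls by the other.
    print("by unique IPs:", share_by_unique_ips(events))
    print("by sessions:  ", share_by_sessions(events))
```

When comparing quarters, keep both figures side by side: a jump in session share with a flat unique-IP share usually means a small number of sources got more aggressive, not that more devices were compromised.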

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)

In the third quarter, the shares of the NyaDrop and Mirai.b botnets significantly decreased in the overall volume of IoT threats. Conversely, the activity of several other members of the Mirai family, as well as the Gafgyt botnet, increased. As is typical, various Mirai variants occupy the majority of the list of the most widespread malware strains.

Attacks on IoT honeypots

Germany and the United States continue to lead in the distribution of attacks via the SSH protocol. The share of attacks originating from Panama and Iran also saw a slight increase.

Country/territory Q2 2025 Q3 2025
Germany 24.58% 13.72%
United States 10.81% 13.57%
Panama 1.05% 7.81%
Iran 1.50% 7.04%
Seychelles 6.54% 6.69%
South Africa 2.28% 5.50%
The Netherlands 3.53% 3.94%
Vietnam 3.00% 3.52%
India 2.89% 3.47%
Russian Federation 8.45% 3.29%

The largest number of attacks via the Telnet protocol were carried out from China, as is typically the case. Devices located in India reduced their activity, whereas the share of attacks from Indonesia increased.

Country/territory Q2 2025 Q3 2025
China 47.02% 57.10%
Indonesia 5.54% 9.48%
India 28.08% 8.66%
Russian Federation 4.85% 7.44%
Pakistan 3.58% 6.66%
Nigeria 1.66% 3.25%
Vietnam 0.55% 1.32%
Seychelles 0.58% 0.93%
Ukraine 0.51% 0.73%
Sweden 0.39% 0.72%

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

TOP 10 countries that served as sources of web-based attacks

This section gives the geographical distribution of sources of online attacks (such as web pages redirecting to exploits, sites hosting exploits and other malware, and botnet C2 centers) blocked by Kaspersky products. One or more web-based attacks could originate from each unique host.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In the third quarter of 2025, Kaspersky solutions blocked 389,755,481 attacks from internet resources worldwide. Web Anti-Virus was triggered by 51,886,619 unique URLs.

Web-based attacks by country, Q3 2025 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Panama 11.24
2 Bangladesh 8.40
3 Tajikistan 7.96
4 Venezuela 7.83
5 Serbia 7.74
6 Sri Lanka 7.57
7 North Macedonia 7.39
8 Nepal 7.23
9 Albania 7.04
10 Qatar 6.91
11 Malawi 6.90
12 Algeria 6.74
13 Egypt 6.73
14 Bosnia and Herzegovina 6.59
15 Tunisia 6.54
16 Belgium 6.51
17 Kuwait 6.49
18 Turkey 6.41
19 Belarus 6.40
20 Bulgaria 6.36

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average, over the course of the quarter, 4.88% of devices globally were subjected to at least one web-based Malware attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media: flash drives, camera memory cards, phones, and external drives. The statistics are based on detection verdicts from the on-access scan (OAS) and on-demand scan (ODS) modules of File Anti-Virus.

In the third quarter of 2025, our File Anti-Virus recorded 21,356,075 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Turkmenistan 45.69
2 Yemen 33.19
3 Afghanistan 32.56
4 Tajikistan 31.06
5 Cuba 30.13
6 Uzbekistan 29.08
7 Syria 25.61
8 Bangladesh 24.69
9 China 22.77
10 Vietnam 22.63
11 Cameroon 22.53
12 Belarus 21.98
13 Tanzania 21.80
14 Niger 21.70
15 Mali 21.29
16 Iraq 20.77
17 Nicaragua 20.75
18 Algeria 20.51
19 Congo 20.50
20 Venezuela 20.48

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, local Malware threats were detected at least once on 12.36% of computers during the third quarter.

Pro-Russian hacking group snared by Forescout Vedere Labs honeypot

9 October 2025 at 09:59

Forescout Vedere Labs published a report exposing how a pro-Russian hacktivist group was duped into thinking they had hacked a European water facility, unaware their target was in fact a carefully crafted honeypot.


This “hack” gave Forescout researchers the rare opportunity to see first-hand how these groups look for and exploit weaknesses in critical infrastructure. The attackers were able to break in with default credentials, deface the human-machine interface and tamper with PLC settings. The group, which went by TwoNet at the time, even tried to pass it off as a real-world breach by bragging about it on their Telegram channel.


It is yet another reminder to critical service providers that threat actors are actively targeting our most vulnerable services: a honeypot last year designed to look like a healthcare clinic attracted cybercriminals who attempted to deploy ransomware.


Forescout Vedere Labs offered the following mitigation advice:

  • Eliminate weak authentication
  • Remove direct internet exposure
  • Segment rigorously
  • Harden admin interfaces
  • Require authentication on all IoT/OT admin interfaces:
    • Include web UIs and proprietary engineering ports
    • Disable anonymous/default accounts and enforce strong, unique credentials
  • Monitor with IoT/OT-aware, deep packet inspection (DPI)
  • DPI should have protocol-aware detection (Modbus, S7, etc.) that creates alerts for: exploitation, password guessing, unauthorized writes, and changes in human machine interfaces (HMI).
  • Watch for outbound and “dual use”
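The DPI recommendation above asks for protocol-aware detection of unauthorized writes. The following added example (not Forescout's code, and with constructed frames and a constructed allowlist) shows the core of such a check for Modbus/TCP: parse the MBAP header, identify state-changing function codes from the public Modbus specification, and raise an alert when a write comes from a host outside the engineering workstation allowlist or when the frame is malformed.

```python
"""Protocol-aware alerting on Modbus/TCP write operations.

Added example, not Forescout's code. It parses the Modbus/TCP MBAP header
(transaction id, protocol id, length, unit id) and the PDU function code,
then alerts on write function codes from hosts that are not on an allowlist.
The allowlist, source addresses and frames are constructed for the example.
"""
import struct

# Function codes that change PLC state, per the public Modbus specification.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x15: "Write File Record",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Constructed allowlist: hosts that are permitted to write (assumption).
ENGINEERING_HOSTS = {"10.0.5.20"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse MBAP header and function code; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[7],
        "data": frame[8:],
    }


def inspect_frame(src_ip: str, frame: bytes):
    """Return an alert string for one frame, or None if nothing is wrong."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as err:
        return f"ALERT malformed Modbus from {src_ip}: {err}"
    fc = pdu["function_code"]
    if fc & 0x80:
        return None  # exception response from the device, not a request
    if fc in WRITE_FUNCTION_CODES and src_ip not in ENGINEERING_HOSTS:
        return (f"ALERT unauthorized {WRITE_FUNCTION_CODES[fc]} (fc 0x{fc:02X}) "
                f"from {src_ip} to unit {pdu['unit_id']}")
    return None


def scan(traffic):
    """Run inspect_frame over (src_ip, frame) pairs and collect alerts."""
    return [alert for src, frame in traffic if (alert := inspect_frame(src, frame))]


# Constructed frames (hex): MBAP header, unit id, function code, data.
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")          # read 10 holding registers
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0010 0001")         # write register 0x10
MULTI_WRITE_FRAME = bytes.fromhex("0004 0000 000b 01 10 0000 0002 04 0001 0002")
BAD_FRAME = bytes.fromhex("0003 0000 0009 01 05 0000 ff00")           # length field lies

SAMPLE_TRAFFIC = [
    ("10.0.5.20", READ_FRAME),          # read from engineering host: fine
    ("192.0.2.77", WRITE_FRAME),        # write from unknown host: alert
    ("10.0.5.20", WRITE_FRAME),         # write from engineering host: fine
    ("192.0.2.77", MULTI_WRITE_FRAME),  # multi-register write from unknown host: alert
    ("192.0.2.77", BAD_FRAME),          # malformed frame: alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

In a real deployment the allowlist would be derived from an asset inventory, and the same parser would feed a baseline of normal write targets (unit ids and register ranges) so that a write to an unusual address from an otherwise permitted host is also flagged.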


To read the full account, see the team’s blog post.


The post Pro-Russian hacking group snared by Forescout Vedere Labs honeypot appeared first on IT Security Guru.

AWS Innovation Hub Singapore and F1 Partnership: Pushing Technologies to the Limit

6 October 2025 at 10:57
A. Amir

Summary Bullets:

• AWS Singapore Innovation Hub shows the company’s shift from technology-led to business-driven, turning use cases into commercial applications.

• The F1 partnership showcases AI and cloud innovation, but also AWS’ capabilities with real-time data intensive analytics and insights.

AWS held an analyst day in Singapore, showcasing its Innovation Hub and the partnership with Formula 1 (F1).

AWS Innovation Hub

At the Innovation Hub, AWS demonstrated a diverse range of AI- and cloud-enabled use cases – from document analytics and loan processing for BFSI to preventive maintenance and AI-driven surveillance in manufacturing. The facility also houses many other industry-specific use cases, with more in the pipeline. This initiative reflects AWS’ ongoing shift from a technology-focused to a business-led engagement model. While technology remains at the core, the company is deepening collaboration with enterprise leaders beyond IT, engaging directly with business executives and functional owners. Leadership, culture, and people are key enablers of successful digital transformation. The Innovation Hub serves as a platform for enterprises to explore and co-develop use cases tailored to their business needs.

Innovation labs are not new. Many other providers, such as global system integrators, telcos, and tech vendors, have been opening new facilities over the last few years. It is a proven way to drive adoption of emerging technologies through solution co-development, commercialization, and ecosystem expansion. Innovation labs can also strengthen providers’ brand share and give them deeper market knowledge, such as an understanding of customers’ pain points. The use cases demonstrated at the AWS facility were innovative and promising, but most are broadly comparable to those found in other providers’ facilities. What differentiates AWS is its strong execution: over 70% of the use cases have been brought into production. This is consistent with its strategy of expanding its focus on outcome-led engagements, and a strong proof point that the efforts are not just conceptual but outcome-driven.

AWS x F1

In the latter part of the event, there were sessions with executives at the track sites including a visit to the F1 Event Technical Center (ETC), sharing how the AWS and F1 collaboration is driving innovation and enabling various use cases for F1, teams, drivers, fans, and viewers. Since the partnership began in 2018, AWS has evolved from providing core cloud infrastructure to powering advanced AI solutions. Early deployments include leveraging over 1,000 AWS compute cores for computational fluid dynamics (CFD) projects to design race cars. Today, the partnership extends to AI applications including real-time insights, car performance, race strategy, issue resolutions/root cause analysis, fan engagement (e.g., hyper-personalization), game strategy, and safety and reliability.

Sports, as one of the most data-intensive industries in the world, offers an ideal testbed for real-time analytics. For example, an F1 car alone carries around 300 sensors, generating over one million telemetry data points per second and a total of 600TB across an entire race. Similarly, a football match generates about 3.6 million data points. Furthermore, data from sports events is often highly fragmented (structured and unstructured) and needs to be processed in real time. Apart from F1, AWS is also an official technology partner of various major global sports organizations such as the NFL, PGA Tour, Bundesliga, and NHL, as well as many sports teams. While sports in APAC are not as big as in other regions such as the US and Europe, AWS’ collaborations with F1 and other sports organizations show its leadership in this industry. More importantly, they can also be seen as a powerful platform to demonstrate its broad capabilities and innovation in complex and data-rich environments.

Challenger Rises: Vocus Targets Enterprise Mobile in Australia

11 September 2025 at 08:42
B. Swan

Summary Bullets:

  • Vocus has launched its business-focused MVNO brand, Vocus Mobile, aiming to disrupt the market and inject fresh competition into an already hypercompetitive landscape.
  • Backed by an expanded customer base from the TPG Enterprise acquisition, Vocus is well-positioned to accelerate growth with its existing client base.

Australian telecoms infrastructure provider Vocus has finally launched its own business-focused MVNO brand, Vocus Mobile. Leveraging Optus’s 4G and 5G networks, the company aims to position itself as a one-stop provider for enterprise communications, offering connectivity solutions across networking, collaboration, and now mobility, and looking to stand out with a range of self-serve features that create a better user experience for its clients. Will the entrance of another MVNO challenger selling basic mobile connectivity in an already crowded market make a difference?

At launch, Vocus will offer three traditional types of mobile connectivity service: mobile voice and data for smartphone use, a 5G data plan for broadband, and 4G backup to support business continuity when primary networks are down. Customers will be supported by its self-service mobile fleet management platform, Mobile Fleet 360, which gives businesses the ability to manage their mobile fleets with near real-time dashboards, bulk activation of services, and the ability to configure roaming settings, reducing reliance on traditional support channels. Vocus’s foray into the enterprise mobile services market is not surprising, following on from its acquisition of TPG Telecom’s fiber network assets and its enterprise, government, and wholesale fixed infrastructure business. It has been anticipated for many years, as the company has had a long-standing wholesale agreement with Optus through its consumer and SMB brands Dodo, iPrimus, and Commander. Back in 2019, the company extended that agreement to include its various other brands, providing 5G access to support its growth strategy of expanding market share in the large enterprise and SMB segments.

The Australian mobile market has three mobile network operators, with Telstra having maintained its superior network leadership for many years. Telstra covers 95% of the country’s population with 5G coverage and 99.7% with 4G coverage, equating to land coverage of approximately three million square kilometers, almost three times the land coverage of any of its nearest rivals. To compete against Telstra, Optus and TPG Telecom (owner of Vodafone in Australia) formed a network sharing agreement earlier in 2025, which extends their 5G coverage to 80.5% of the population and their 4G reach to 98.4% of the Australian population, covering over one million square kilometers.

While the Australian enterprise telecommunications market remains in flux, with many providers struggling to achieve growth and facing revenue declines across their connectivity portfolios, the enterprise market is positioned for growth, with GlobalData expecting the business mobile market to grow 5.5% by 2029. Service providers continue to battle for mobile market share, with three enterprise challenger brands, Aussie Broadband, Macquarie Telecom, and now Vocus, all leveraging Optus’s mobile network in an attempt to break the incumbent’s stronghold of approximately 65% of the business mobile market. All challengers have struggled to make a meaningful impact to date, as all only offer basic mobile connectivity instead of the outcome-driven solutions that enterprise customers increasingly expect, such as IoT, asset tracking, and other advanced 5G innovations like network slicing.

IT threat evolution in Q2 2025. Non-mobile statistics

By: AMR
5 September 2025 at 05:00


The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.

The quarter in numbers

In Q2 2025:

  • Kaspersky solutions blocked more than 471 million attacks originating from various online resources.
  • Web Anti-Virus detected 77 million unique links.
  • File Anti-Virus blocked nearly 23 million malicious and potentially unwanted objects.
  • There were 1,702 new ransomware modifications discovered.
  • Just under 86,000 users were targeted by ransomware attacks.
  • Of all ransomware victims whose data was published on threat actors’ data leak sites (DLS), 12% were victims of Qilin.
  • Almost 280,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

The alleged malicious actor behind the Black Kingdom ransomware attacks was indicted in the U.S. The Yemeni national is accused of infecting about 1,500 computers in the U.S. and other countries through vulnerabilities in Microsoft Exchange. He also stands accused of demanding a ransom of $10,000 in bitcoin, which is the amount victims saw in the ransom note. He is also alleged to be the developer of the Black Kingdom ransomware.

A Ukrainian national was extradited to the U.S. in the Nefilim case. He was arrested in Spain in June 2024 on charges of distributing ransomware and extorting victims. According to the investigation, he had been part of the Nefilim Ransomware-as-a-Service (RaaS) operation since 2021, targeting high-revenue organizations. Nefilim uses the classic double extortion scheme: cybercriminals steal the victim’s data, encrypt it, then threaten to publish it online.

Also arrested was a member of the Ryuk gang, charged with organizing initial access to victims’ networks. The accused was apprehended in Kyiv in April 2025 at the request of the FBI and extradited to the U.S. in June.

A man suspected of being involved in attacks by the DoppelPaymer gang was arrested. In a joint operation by law enforcement in the Netherlands and Moldova, the 45-year-old was arrested in May. He is accused of carrying out attacks against Dutch organizations in 2021. Authorities seized around €84,800 and several devices.

A 39-year-old Iranian national pleaded guilty to participating in RobbinHood ransomware attacks. Among the targets of the attacks, which took place from 2019 to 2024, were U.S. local government agencies, healthcare providers, and non-profit organizations.

Vulnerabilities and attacks

Mass exploitation of a vulnerability in SAP NetWeaver

In May, it was revealed that several ransomware gangs, including BianLian and RansomExx, had been exploiting CVE-2025-31324 in SAP NetWeaver software. Successful exploitation of this vulnerability allows attackers to upload malicious files without authentication, which can lead to a complete system compromise.

Attacks via the SimpleHelp remote administration tool

The DragonForce group compromised an MSP, attacking its clients with the help of the SimpleHelp remote administration tool. According to researchers, the attackers exploited a set of vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) in the software to launch the DragonForce ransomware on victims’ hosts.

Qilin exploits vulnerabilities in Fortinet

In June, news broke that the Qilin gang (also known as Agenda) was actively exploiting critical vulnerabilities in Fortinet devices to infiltrate corporate networks. The attackers allegedly exploited the vulnerabilities CVE-2024-21762 and CVE-2024-55591 in FortiGate software, which allowed them to bypass authentication and execute malicious code remotely. After gaining access, the cybercriminals encrypted data on systems within the corporate network and demanded a ransom.

Exploitation of a Windows CLFS vulnerability

April saw the detection of attacks that leveraged CVE-2025-29824, a zero-day vulnerability in the Windows Common Log File System (CLFS) driver, a core component of the Windows OS. This vulnerability allows an attacker to elevate privileges on a compromised system. Researchers have linked these incidents to the RansomExx and Play gangs. The attackers targeted companies in North and South America, Europe, and the Middle East.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS during the reporting period. In the second quarter, Qilin (12.07%) proved to be the most prolific group. RansomHub, the leader of 2024 and the first quarter of 2025, seems to have gone dormant since April. Clop (10.83%) and Akira (8.53%) swapped places compared to the previous reporting period.

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period

Number of new variants

In the second quarter, Kaspersky solutions detected three new families and 1,702 new ransomware variants. This is significantly fewer than in the previous reporting period. The decrease is linked to the renewed decline in the count of the Trojan-Ransom.Win32.Gen verdicts, following a spike last quarter.

Number of new ransomware modifications, Q2 2024 — Q2 2025

Number of users attacked by ransomware Trojans

Our solutions protected a total of 85,702 unique users from ransomware during the second quarter.

Number of unique users attacked by ransomware Trojans, Q2 2025

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans

Country/territory* %**
1 Libya 0.66
2 China 0.58
3 Rwanda 0.57
4 South Korea 0.51
5 Tajikistan 0.49
6 Bangladesh 0.45
7 Iraq 0.45
8 Pakistan 0.38
9 Brazil 0.38
10 Tanzania 0.35

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

Name Verdict %*
1 (generic verdict) Trojan-Ransom.Win32.Gen 23.33
2 WannaCry Trojan-Ransom.Win32.Wanna 7.80
3 (generic verdict) Trojan-Ransom.Win32.Encoder 6.25
4 (generic verdict) Trojan-Ransom.Win32.Crypren 6.24
5 (generic verdict) Trojan-Ransom.Win32.Agent 3.75
6 Cryakl/CryLock Trojan-Ransom.Win32.Cryakl 3.34
7 PolyRansom/VirLock Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom 3.03
8 (generic verdict) Trojan-Ransom.Win32.Crypmod 2.81
9 (generic verdict) Trojan-Ransom.Win32.Phny 2.78
10 (generic verdict) Trojan-Ransom.MSIL.Agent 2.41

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In the second quarter of 2025, Kaspersky solutions detected 2,245 new modifications of miners.

Number of new miner modifications, Q2 2025

Number of users attacked by miners

During the second quarter, we detected attacks using miner programs on the computers of 279,630 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q2 2025

Geography of attacked users

TOP 10 countries and territories attacked by miners

Country/territory* %**
1 Senegal 3.49
2 Panama 1.31
3 Kazakhstan 1.11
4 Ethiopia 1.02
5 Belarus 1.01
6 Mali 0.96
7 Tajikistan 0.88
8 Tanzania 0.80
9 Moldova 0.80
10 Dominican Republic 0.80

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

Among the threats to macOS, one of the biggest discoveries of the second quarter was the PasivRobber family. This spyware consists of a huge number of modules designed to steal data from QQ, WeChat, and other messaging apps and applications that are popular mainly among Chinese users. Its distinctive feature is that the spyware modules get embedded into the target process when the device goes into sleep mode.

Closer to the middle of the quarter, several reports (1, 2, 3) emerged about attackers stepping up their activity, posing as victims’ trusted contacts on Telegram and convincing them to join a Zoom call. During or before the call, the user was persuaded to run a seemingly Zoom-related utility that was actually malware. The infection chain led to the download of a backdoor written in the Nim language and bash scripts that stole data from browsers.

TOP 20 threats to macOS

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

A new piece of spyware named PasivRobber, discovered in the second quarter, immediately became the most widespread threat, attacking more users than the fake cleaners and adware typically seen on macOS. Also among the most common threats were the password- and crypto wallet-stealing Trojan Amos and the general detection Trojan.OSX.Agent.gen, which we described in our previous report.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

Country/territory %* Q1 2025 %* Q2 2025
Mainland China 0.73% 2.50%
France 1.52% 1.08%
Hong Kong 1.21% 0.84%
India 0.84% 0.76%
Mexico 0.85% 0.76%
Brazil 0.66% 0.70%
Germany 0.96% 0.69%
Singapore 0.32% 0.63%
Russian Federation 0.50% 0.41%
South Korea 0.10% 0.32%

* Unique users who encountered threats to macOS as a percentage of all unique Kaspersky users in the country/territory.

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In the second quarter of 2025, there was another increase in both the share of attacks using the Telnet protocol and the share of devices connecting to Kaspersky honeypots via this protocol.

Distribution of attacked services by number of unique IP addresses of attacking devices

Distribution of attackers’ sessions in Kaspersky honeypots

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered

In the second quarter, the share of the NyaDrop botnet among threats delivered to our honeypots grew significantly to 30.27%. Conversely, the number of Mirai variants on the list of most common malware decreased, as did the share of most of them. Additionally, after a spike in the first quarter, the share of BitCoinMiner miners dropped to 1.57%.

During the reporting period, the list of most common IoT threats expanded with new families. The activity of the Agent.nx backdoor (4.48%), controlled via P2P through the BitTorrent DHT (distributed hash table), grew markedly. Another newcomer to the list, Prometei, is a Linux version of a Windows botnet that was first discovered in December 2020.

Attacks on IoT honeypots

Geographically speaking, the percentage of SSH attacks originating from Germany and the U.S. increased sharply.

Country/territory Q1 2025 Q2 2025
Germany 1.60% 24.58%
United States 5.52% 10.81%
Russian Federation 9.16% 8.45%
Australia 2.75% 8.01%
Seychelles 1.32% 6.54%
Bulgaria 1.25% 3.66%
The Netherlands 0.63% 3.53%
Vietnam 2.27% 3.00%
Romania 1.34% 2.92%
India 19.16% 2.89%

The share of Telnet attacks originating from China and India remained high, with more than half of all attacks on Kaspersky honeypots coming from these two countries combined.

Country/territory Q1 2025 Q2 2025
China 39.82% 47.02%
India 30.07% 28.08%
Indonesia 2.25% 5.54%
Russian Federation 5.14% 4.85%
Pakistan 3.99% 3.58%
Brazil 12.03% 2.35%
Nigeria 3.01% 1.66%
Germany 0.09% 1.47%
United States 0.68% 0.75%
Argentina 0.01% 0.70%

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. Cybercriminals create malicious pages deliberately, while websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

Countries that served as sources of web-based attacks: TOP 10

This section gives the geographical distribution of sources of online attacks blocked by Kaspersky products: web pages that redirect to exploits; sites that host exploits and other malware; botnet C2 centers, and the like. Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In the second quarter of 2025, Kaspersky solutions blocked 471,066,028 attacks from internet resources worldwide. Web Anti-Virus responded to 77,371,384 unique URLs.

Web-based attacks by country, Q2 2025

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location who experienced a Web Anti-Virus alert during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Bangladesh 10.85
2 Tajikistan 10.70
3 Belarus 8.96
4 Nepal 8.45
5 Algeria 8.21
6 Moldova 8.16
7 Turkey 8.08
8 Qatar 8.07
9 Albania 8.03
10 Hungary 7.96
11 Tunisia 7.95
12 Portugal 7.93
13 Greece 7.90
14 Serbia 7.84
15 Bulgaria 7.79
16 Sri Lanka 7.72
17 Morocco 7.70
18 Georgia 7.68
19 Peru 7.63
20 North Macedonia 7.58

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 6.36% of internet users’ computers worldwide were subjected to at least one Malware web-based attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the On-Access Scan (OAS) and On-Demand Scan (ODS) modules of File Anti-Virus. This includes malware found directly on user computers or on connected removable media: flash drives, camera memory cards, phones, and external hard drives.

In the second quarter of 2025, our File Anti-Virus recorded 23,260,596 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users whose devices experienced a File Anti-Virus triggering at least once during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Turkmenistan 45.26
2 Afghanistan 34.95
3 Tajikistan 34.43
4 Yemen 31.95
5 Cuba 30.85
6 Uzbekistan 28.53
7 Syria 26.63
8 Vietnam 24.75
9 South Sudan 24.56
10 Algeria 24.21
11 Bangladesh 23.79
12 Belarus 23.67
13 Gabon 23.37
14 Niger 23.35
15 Cameroon 23.10
16 Tanzania 22.77
17 China 22.74
18 Iraq 22.47
19 Burundi 22.30
20 Congo 21.84

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers Malware local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

Overall, 12.94% of user computers globally faced at least one Malware local threat during the second quarter. The figure for Russia was 14.27%.
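The per-country risk figures in the web and local-threat sections above share one definition: unique users with at least one Malware verdict, divided by all users in the country or territory, with small countries excluded and RiskTool/adware verdicts ignored. The following Python is an added example, not Kaspersky’s own code; it implements that metric on constructed input (country names, user counts and detection events are all hypothetical) and also computes the worldwide share.

```python
"""Per-country infection-share metric, as defined in the report's footnotes.

Added example with constructed data: one Detection per event reported by a
user's product, plus the number of product users per country. Only verdicts
classified as Malware count, a user counts once however many events they
report, and countries below MIN_USERS are excluded from the ranking.
"""
from collections import defaultdict
from dataclasses import dataclass

MIN_USERS = 10_000  # exclusion threshold quoted in the report's footnote


@dataclass(frozen=True)
class Detection:
    user_id: str
    country: str
    verdict_class: str  # "Malware", "RiskTool", "Adware", ...


def _events(country, verdict_class, n, repeats=1):
    """Constructed helper: n distinct users from country, each seen repeats times."""
    return [Detection(f"{country}-{verdict_class}-{i}", country, verdict_class)
            for i in range(n) for _ in range(repeats)]


# Hypothetical countries and user bases.
USERS_PER_COUNTRY = {
    "Atlantis": 50_000,
    "Erewhon": 20_000,
    "Lilliput": 5_000,    # below MIN_USERS: excluded from the ranking
}

SAMPLE_DETECTIONS = (
    _events("Atlantis", "Malware", 4_000, repeats=2)   # duplicates count once
    + _events("Atlantis", "RiskTool", 1_000)           # not Malware: ignored
    + _events("Erewhon", "Malware", 2_140)
    + _events("Erewhon", "Adware", 500)                # not Malware: ignored
    + _events("Lilliput", "Malware", 2_000)
)


def attacked_users_by_country(detections, verdict_class="Malware"):
    """Set of unique attacked users per country, keeping only verdict_class."""
    users = defaultdict(set)
    for d in detections:
        if d.verdict_class == verdict_class:
            users[d.country].add(d.user_id)
    return users


def risk_ranking(detections, users_per_country, min_users=MIN_USERS):
    """[(country, percent)] sorted descending; small countries are excluded."""
    attacked = attacked_users_by_country(detections)
    rows = []
    for country, total in users_per_country.items():
        if total < min_users:
            continue
        pct = 100.0 * len(attacked.get(country, set())) / total
        rows.append((country, round(pct, 2)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def global_share(detections, users_per_country):
    """Worldwide share: all unique attacked users over all users, no exclusion."""
    attacked = attacked_users_by_country(detections)
    total_attacked = sum(len(s) for s in attacked.values())
    return round(100.0 * total_attacked / sum(users_per_country.values()), 2)


if __name__ == "__main__":
    for rank, (country, pct) in enumerate(risk_ranking(SAMPLE_DETECTIONS, USERS_PER_COUNTRY), 1):
        print(rank, country, pct)
    print("global share:", global_share(SAMPLE_DETECTIONS, USERS_PER_COUNTRY))
```

Lilliput has the highest raw ratio (40%) but never appears in the ranking, which is the effect of the threshold footnote; it still contributes to the global figure.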

How Hackers Take Over Security Cameras (and What You Can Do About It): A Conversation With Claroty’s Noam Moshe

3 September 2025 at 06:05

Cybersecurity researcher Noam Moshe of Claroty met up with The Security Ledger Podcast at this year's Black Hat Briefings to discuss his presentation on critical Axis IP camera vulnerabilities that could let hackers spy, manipulate video feeds, and pivot into sensitive networks—and what organizations can do to defend against these (and other) IoT threats.

The post How Hackers Take Over Security Cameras (and What You Can Do About It): A Conversation With Claroty’s Noam Moshe appeared first on The Security Ledger with Paul F. Roberts.


Modern vehicle cybersecurity trends

22 August 2025 at 05:00

Modern vehicles are transforming into full-fledged digital devices that offer a multitude of features, from common smartphone-like conveniences to complex intelligent systems and services designed to keep everyone on the road safe. However, this digitalization, while aimed at improving comfort and safety, is simultaneously expanding the vehicle’s attack surface.

In simple terms, a modern vehicle is a collection of computers networked together. If a malicious actor gains remote control of a vehicle, they could not only steal user data but also create a dangerous situation on the road. While intentional attacks targeting a vehicle’s functional safety have not become a widespread reality yet, that does not mean the situation will not change in the foreseeable future.

The digital evolution of the automobile

The modern vehicle is a relatively recent invention. While digital systems like the electronic control unit and onboard computer began appearing in vehicles back in the 1970s, they did not become standard until the 1990s. This technological advancement led to a proliferation of narrowly specialized electronic devices, each with a specific task, such as measuring wheel speed, controlling headlight modes, or monitoring door status. As the number of sensors and controllers grew, local automotive networks based on LIN and CAN buses were introduced to synchronize and coordinate them. Fast forward about 35 years, and the modern vehicle is a complex technical device with extensive remote communication capabilities that include support for 5G, V2I, V2V, Wi-Fi, Bluetooth, GPS, and RDS.

Components like the head unit and telecommunication unit are standard entry points into the vehicle’s internal infrastructure, which makes them frequent subjects of security research.

From a functional and architectural standpoint, we can categorize vehicles into three groups. The lines between these categories are blurred, as many vehicles could fit into more than one, depending on their features.

Obsolete vehicles do not support remote interaction with external information systems (other than diagnostic tools) via digital channels and have a simple internal architecture. These vehicles are often retrofitted with modern head units, but those components are typically isolated within a closed information environment because they are integrated into an older architecture. This means that even if an attacker successfully compromises one of these components, they cannot pivot to other parts of the vehicle.

Legacy vehicles are a sort of transitional phase. Unlike simpler vehicles from the past, they are equipped with a telematics unit, which is primarily used for data collection rather than remote control – though two-way communication is not impossible. They also feature a head unit with more extensive functionality, which allows changing settings and controlling systems. The internal architecture of these vehicles is predominantly digital, with intelligent driver assistance systems. The numerous electronic control units are connected in an information network that either has a flat structure or is only partially segmented into security domains. The stock head unit in these vehicles is often replaced with a modern unit from a third-party vendor. From a cybersecurity perspective, legacy vehicles represent the most complex problem. Serious physical consequences, including life-threatening situations, can easily result from cyberattacks on these vehicles. This was made clear 10 years ago when Charlie Miller and Chris Valasek conducted their famous remote Jeep Cherokee hack.

Modern vehicles have a fundamentally different architecture. The network of electronic control units is now divided into security domains with the help of a firewall, which is typically integrated within a central gateway. The advent of native two-way communication channels with the manufacturer’s cloud infrastructure and increased system connectivity has fundamentally altered the attack surface. However, many automakers learned from the Jeep Cherokee research. They have since refined their network architecture, segmenting it with the help of a central gateway, configuring traffic filtering, and thus isolating critical systems from the components most susceptible to attacks, such as the head unit and the telecommunication module. This has significantly complicated the task of compromising functional safety through a cyberattack.
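The difference between the flat legacy network and the gateway-segmented modern one can be shown as a small routing simulation. This is an added example, not code from the article or from any automaker: the domain names, CAN IDs and allow-list are constructed, and a real central gateway works from the vehicle’s own signal database and a far richer policy (rate limits, message authentication, per-signal checks).

```python
"""Flat bus vs. central gateway with per-domain traffic filtering.

Added example with constructed IDs and policy. The gateway forwards only
(source domain, CAN ID) pairs it knows, keeps diagnostics to a stationary
vehicle, and logs every unexpected cross-domain attempt: that log is the kind
of event a vehicle SOC would collect.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_domain: str   # security domain the frame arrived from
    can_id: int       # constructed arbitration ID, not a real vehicle's
    data: bytes


# Constructed IDs and the domain that legitimately originates each one.
ENGINE_START  = 0x110   # powertrain
WHEEL_SPEED   = 0x1A0   # powertrain, broadcast as read-only telemetry
DOOR_LOCK_CMD = 0x2A0   # body
MEDIA_VOLUME  = 0x5F0   # infotainment (head unit), never leaves its domain
DIAG_REQUEST  = 0x7DF   # diagnostic tool on the OBD port

DOMAINS = {"powertrain", "body", "infotainment"}


class FlatNetwork:
    """Legacy architecture: one bus, every ECU sees every frame."""

    def route(self, frame: Frame) -> set:
        return DOMAINS - {frame.src_domain}


class CentralGateway:
    """Modern architecture: forward only allow-listed (source, ID) pairs."""

    # Constructed policy: (source domain, CAN ID) -> domains it may reach.
    ALLOW = {
        ("powertrain", WHEEL_SPEED):    {"body", "infotainment"},
        ("body", DOOR_LOCK_CMD):        set(),   # known, stays in its domain
        ("infotainment", MEDIA_VOLUME): set(),   # known, stays in its domain
        ("diag", DIAG_REQUEST):         {"powertrain", "body"},
    }

    def __init__(self):
        self.vehicle_speed = 0   # learned from WHEEL_SPEED frames
        self.violations = []     # unexpected cross-domain attempts

    def route(self, frame: Frame) -> set:
        key = (frame.src_domain, frame.can_id)
        if key == ("powertrain", WHEEL_SPEED):
            self.vehicle_speed = int.from_bytes(frame.data[:2], "big")
        if key not in self.ALLOW:
            self.violations.append(key)   # drop and record for the SOC
            return set()
        dests = set(self.ALLOW[key])
        if frame.src_domain == "diag" and self.vehicle_speed > 0:
            dests.clear()                 # no diagnostic sessions while moving
        return dests


def deliveries(network, frames):
    """Map each frame's CAN ID to the set of domains it was forwarded to."""
    return {f.can_id: network.route(f) for f in frames}


# Constructed traffic from the infotainment domain: one legitimate frame and
# two that a head unit has no business emitting, which is what a compromised
# head unit in a flat network would be able to send.
INFOTAINMENT_TRAFFIC = [
    Frame("infotainment", MEDIA_VOLUME, b"\x10"),
    Frame("infotainment", ENGINE_START, b"\x01"),
    Frame("infotainment", DOOR_LOCK_CMD, b"\x00"),
]


if __name__ == "__main__":
    for net in (FlatNetwork(), CentralGateway()):
        print(type(net).__name__, deliveries(net, INFOTAINMENT_TRAFFIC))
    gw = CentralGateway()
    deliveries(gw, INFOTAINMENT_TRAFFIC)
    print("policy violations logged:", gw.violations)
```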

Possible future threat landscape

Modern vehicle architectures make it difficult to execute the most dangerous attacks, such as remotely deploying airbags at high speeds. However, it is often easier to block the engine from starting, lock doors, or access confidential data, as these functions are frequently accessible through the vendor’s cloud infrastructure. These and other automotive cybersecurity challenges are prompting automakers to engage specialized teams for realistic penetration testing. The results of these vehicle security assessments, which are often publicly disclosed, highlight an emerging trend.

Despite this, cyberattacks on modern vehicles have not become commonplace yet. This is due to the lack of malware specifically designed for this purpose and the absence of viable monetization strategies. Consequently, the barrier to entry for potential attackers is high. The scalability of these attacks is also poor, which means the guaranteed return on investment is low, while the risks of getting caught are very high.

However, this situation is slowly but surely changing. As vehicles become more like gadgets built on common technologies – including Linux and Android operating systems, open-source code, and common third-party components – they become vulnerable to traditional attacks. The integration of wireless communication technologies increases the risk of unauthorized remote control. Specialized tools like software-defined radio (SDR), as well as instructions for exploiting wireless networks (Wi-Fi, GSM, LTE, and Bluetooth) are becoming widely available. These factors, along with the potential decline in the profitability of traditional targets (for example, if victims stop paying ransoms), could lead attackers to pivot toward vehicles.

Which vehicles are at risk

Will attacks on vehicles become the logical evolution of attacks on classic IT systems? While attacks on remotely accessible head units, telecommunication modules, cloud services or mobile apps for extortion or data theft are technically more realistic, they require significant investment, tool development, and risk management. Success is not guaranteed to result in a ransom payment, so individual cars remain an unattractive target for now.

The real risk lies with fleet vehicles, such as those used by taxi and carsharing services, logistics companies, and government organizations. These vehicles are often equipped with aftermarket telematics and other standardized third-party hardware that typically has a lower security posture than factory-installed systems. They are also often integrated into the vehicle’s infrastructure in a less-than-secure way. Attacks on these systems could be highly scalable and pose significant financial and reputational threats to large fleet owners.

Another category of potential targets is represented by trucks, specialized machinery, and public transit vehicles, which are also equipped with aftermarket telematics systems. Architecturally, they are similar to passenger cars, which means they have similar security vulnerabilities. The potential damage from an attack on these vehicles can be severe, with just one day of downtime for a haul truck potentially resulting in hundreds of thousands of dollars in losses.

Investing in a secure future

Improving the current situation requires investment in automotive cybersecurity at every level, from the individual user to the government regulator. The driving forces behind this are consumers’ concern for their own safety and the government’s concern for the security of its citizens and national infrastructure.

Automotive cybersecurity is already a focus for researchers, cybersecurity service providers, government regulators, and major car manufacturers. Many automotive manufacturing corporations have established their own product security or product CERT teams, implemented processes for responding to new vulnerability reports, and made penetration testing a mandatory part of the development cycle. They have also begun to leverage cyberthreat intelligence and are adopting secure development methodologies and security by design. This is a growing trend, and this approach is expected to become standard practice for most automakers 10 years from now.

Simultaneously, specialized security operations centers (SOCs) for vehicles are being established. The underlying approach is remote data collection from vehicles for subsequent analysis of cybersecurity events. In theory, this data can be used to identify cyberattacks on cars’ systems and build a database of threat information. The industry is actively moving toward deploying these centers.

For more on trends in automotive security, read our article on the Kaspersky ICS CERT website.

Global Telcos Demonstrate Staying Power in Industrial IoT Advancements in 2025

27 June 2025 at 09:40

John Marcus – Senior Principal Analyst, Enterprise Mobility and IoT Services.

Summary Bullets:

• Global telcos are advancing industrial IoT with AI, 5G, and eSIM to deliver sector-specific and real-time solutions at global scale.

• Strategic investments continue the shift beyond basic connectivity to intelligent, global platforms supporting logistics, energy, mobility, and public safety.

Over H1 2025, major telecom providers have redoubled their push into industrial IoT, developing tailored solutions that move well beyond connectivity to address the specific needs of sectors and use cases such as transport, utilities, and facilities management. Common threads across these efforts include the integration of AI, the evolution of connectivity through 5G, eSIM, and satellite, and a growing emphasis on real-time visibility, operational efficiency, and international scalability.

One way this evolution shows is in how telcos are turning global networks into intelligent, responsive infrastructure. Vodafone is leveraging its infrastructure for use cases like flood detection, using its Network as a Sensor technology to monitor rainfall and provide early warnings – highlighting how IoT is being adapted to address environmental risks in addition to industrial efficiency. Vodafone also recently surpassed a milestone of 200 million connected IoT devices globally, doubling its installed base over five years. It continues to push into new regions, recently expanding coverage in the Middle East via a partnership with Mobily in Saudi Arabia.

In Germany, Deutsche Telekom is developing several new applications, from its work with Swift Navigation to expand precise satellite positioning across Eastern Europe, to residential energy efficiency projects. The operator is digitalizing heating systems for public housing in partnership with Metr, using smart IoT gateways and secure cloud hosting via Open Telekom Cloud. In parallel, Deutsche Telekom and Nordic Semiconductor launched MECC, a new embedded connectivity service designed to simplify global cellular integration for connected products.

Telefónica Tech is moving IoT deeper into industrial environments through automation and AI. Its recent collaboration with Dexory aims to automate warehouse inventory tracking using AI-driven digital twins and Telefónica’s industrial IoT integration capabilities – a good example of how telcos are embedding intelligence directly into logistics operations. Meanwhile, Orange Business has taken a different angle on public safety, unveiling a smart emergency services system as part of the Software République initiative. Designed in collaboration with firefighter units, the solution combines AI, sensors, and secure communications to improve situational awareness and response coordination in crisis scenarios.

While Verizon has made several announcements this year with new solutions like Edge Transportation Exchange for V2X, Sensor Insights, and 5G Video Insights, it also expanded its Global IoT Orchestration platform, adding Singtel and Skylo for Asia-Pacific and non-terrestrial connectivity respectively. Other telcos are also investing further in global reach, as well as expanded cellular reach within territories. AT&T, for instance, is enhancing its IoT footprint through a new global eSIM solution and support for 5G RedCap. T-Mobile, working with Thales and SIMPL IoT, is integrating eSIMs into global product deployments, while also enabling managed connectivity for international devices targeting the U.S. market. In parallel, Singtel recently announced an enhanced Multi-Domestic Connectivity solution in partnership with cloud-native provider floLIVE, offering enterprises a single, secure, and scalable platform to manage global IoT deployments across more than 190 markets – also enabled by eSIM orchestration.

Three key themes are evident so far this year. First, telcos are responding to strong demand for vertical-specific solutions, although horizontal platforms still matter. Second, AI and real-time data analytics are no longer just add-ons – they are essential to deriving business value from IoT. And third, cross-border IoT is becoming more manageable thanks to advances in eSIM orchestration, global roaming partnerships, and the addition of satellite integration with cellular networks for hard-to-reach locations.

As a whole, these recent announcements demonstrate that industrial IoT remains a strategic priority for global telecom operators that already have a stake in the market. The focus is no longer just on connecting machines – it is on optimizing how those machines work in context, at scale (increasingly globally), and in near-real time.

How the Internet of Things (IoT) became a dark web target – and what to do about it

By: slandau
23 May 2024 at 11:30

By Antoinette Hodes, Office of the CTO, Check Point Software Technologies.

The dark web has evolved into a clandestine marketplace where illicit activities flourish under the cloak of anonymity. Due to its restricted accessibility, the dark web exhibits a decentralized structure with minimal enforcement of security controls, making it a common marketplace for malicious activities.

The Internet of Things (IoT), with the interconnected nature of its devices, and its vulnerabilities, has become an attractive target for dark web-based cyber criminals. One weak link – i.e., a compromised IoT device – can jeopardize the entire network’s security. The financial repercussions of a breached device can be extensive, not just in terms of ransom demands, but also in terms of regulatory fines, loss of reputation and the cost of remediation.

With their interconnected nature and inherent vulnerabilities, IoT devices are attractive entry points for cyber criminals. They are highly desirable targets, since they often represent a single point of vulnerability that can impact numerous victims simultaneously.

Check Point Research found a sharp increase in cyber attacks targeting IoT devices, observing a trend across all regions and sectors. Europe experiences the highest number of incidents per week: on average, nearly 70 IoT attacks per organization.

WEF graphic

Gateways to the dark web

Based on research from PSAcertified, the average cost of a successful attack on an IoT device exceeds $330,000. Another analyst report reveals that 34% of enterprises that fell victim to a breach via IoT devices faced higher cumulative breach costs than those that fell victim to a cyber attack on non-IoT devices, with costs ranging between $5 million and $10 million.

Other examples of IoT-based attacks include botnet infections, turning devices into zombies so that they can participate in distributed denial-of-service (DDoS), ransomware and propagation attacks, as well as crypto-mining and exploitation of IoT devices as proxies for the dark web.

4% browsing, 90% confidentiality, 6% anonymity

The dark web relies on an arsenal of tools and associated services to facilitate illicit activities. Extensive research has revealed a thriving underground economy operating within the dark web. This economy is largely centered around services associated with IoT. In particular, there seems to be a huge demand for DDoS attacks that are orchestrated through IoT botnets: During the first half of 2023, Kaspersky identified over 700 advertisements for DDoS attack services across various dark web forums.

IoT devices themselves have become valuable assets in this underworld marketplace. On the dark web, the value of a compromised device is often greater than the retail price of the device itself. Upon examining one of the numerous Telegram channels used for trading dark web products and services, one can come across scam pages, tutorials covering various malicious activities, harmful configuration files with “how-to’s”, SSH crackers, and more. Essentially, a complete assortment of tools, from hacking resources to anonymization services, for the purpose of capitalizing on compromised devices can be found on the dark web. Furthermore, vast quantities of sensitive data are bought and sold there every day.

AI’s dark capabilities

Adversarial machine learning can be used to attack, deceive and bypass machine learning systems. The combination of IoT and AI has driven dark web-originated attacks to unprecedented levels. This is what we are seeing:

  • Automated exploitation: AI algorithms automate the process of scanning for vulnerabilities and security flaws with subsequent exploitation methods. This opens doors to large-scale attacks with zero human interaction.
  • Adaptive attacks: With AI, attackers can now adjust their strategies in real-time by analyzing the responses and defenses encountered during an attack. This ability to adapt poses a significant challenge for traditional security measures in effectively detecting and mitigating IoT threats.
  • Behavioral analysis: AI-driven analytics enables the examination of IoT devices and user behavior, allowing for the identification of patterns, anomalies, and vulnerabilities. Malicious actors can utilize this capability to profile IoT devices, exploit their weaknesses, and evade detection from security systems.
  • Adversarial attacks: Adversarial attacks can be used to trick AI models and IoT devices into making incorrect or unintended decisions, potentially leading to security breaches. These attacks aim to exploit weaknesses in the system’s algorithms or vulnerabilities.

Zero-tolerance security

The convergence of IoT and AI brings numerous advantages, but it also presents fresh challenges. To enhance IoT security and device resilience while safeguarding sensitive data across the entire IoT supply chain, organizations must implement comprehensive security measures based on zero-tolerance principles.

Factors such as data security, device security, secure communication, confidentiality, privacy, and other non-functional requirements like maintainability, reliability, usability and scalability highlight the critical need for security controls within IoT devices. Security controls should include elements like secure communication, access controls, encryption, software patches, device hardening, etc. As part of the security process, the focus should be on industry standards, such as “secure by design” and “secure by default”, along with the average number of IoT attacks per organization, as broken down by region every week.

Functional requirements, non-functional requirements

Collaborations and alliances within the industry are critical in developing standardized IoT security practices and establishing industry-wide security standards. By integrating dedicated IoT security, organizations can enhance their overall value proposition and ensure compliance with regulatory obligations.

In today’s cyber threat landscape, numerous geographic regions demand adherence to stringent security standards; both during product sales and while responding to Request for Information and Request for Proposal solicitations. IoT manufacturers with robust, ideally on-device security capabilities can showcase a distinct advantage, setting them apart from their competitors. Furthermore, incorporating dedicated IoT security controls enables seamless, scalable and efficient operations, reducing the need for emergency software updates.

IoT security plays a crucial role in enhancing the Overall Equipment Effectiveness (a measurement of manufacturing productivity, defined as availability x performance x quality), as well as facilitating early bug detection in IoT firmware before official release. Additionally, it demonstrates a solid commitment to prevention and security measures.

By prioritizing dedicated IoT security, we actively contribute to the establishment of secure and reliable IoT ecosystems, which serve to raise awareness, educate stakeholders, foster trust and cultivate long-term customer loyalty. Ultimately, they enhance credibility and reputation in the market. Ensuring IoT device security is essential in preventing IoT devices from falling into the hands of the dark web army.

This article was originally published via the World Economic Forum and has been reprinted with permission.

For more Cyber Talk insights from Antoinette Hodes, please click here. Lastly, to receive stellar cyber insights, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.

The post How the Internet of Things (IoT) became a dark web target – and what to do about it appeared first on CyberTalk.

What Is a Botnet?

12 November 2024 at 08:00

What is a botnet? And what does it have to do with a toaster?

We’ll get to that. First, a definition:

A botnet is a group of internet-connected devices that bad actors hijack with malware. Using remote controls, bad actors can harness the power of the network to perform several types of attacks. These include distributed denial-of-service (DDoS) attacks that shut down internet services, breaking into other networks to steal data, and sending massive volumes of spam.

In a way, the metaphor of an “army of devices” leveling a cyberattack works well. With thousands or even millions of compromised devices working in concert, bad actors can do plenty of harm. As we’ll see in a moment, they’ve done their share already.

Which brings us back to that toaster.

The pop-up toaster as we know it first hit the shelves in 1926, under the brand name “Toastmaster.”[i] With a familiar springy *pop*, it has ejected toast just the way we like it for nearly a century. Given that its design was so simple and effective, it’s remained largely unchanged. Until now. Thanks to the internet and so-called “smart home” devices.

Toasters, among other things, are all getting connected. And have been for a few years now, to the point where the number of connected Internet of Things (IoT) devices reaches well into the billions worldwide — which includes smart home devices.[ii]

Businesses use IoT devices to track shipments and various aspects of their supply chain. Cities use them to manage traffic flow and monitor energy use. (Does your home have a smart electric meter?) And for people like us, we use them to play music on smart speakers, see who’s at the front door with smart doorbells, and order groceries from an LCD screen on our smart refrigerators — just to name a few ways we’ve welcomed smart home devices into our households.

In the U.S. alone, smart home devices make up a $30-plus billion marketplace per year.[iii] However, it’s still a relatively young marketplace. And with that comes several security issues.

IoT security issues and big-time botnet attacks 

First and foremost, many of these devices still lack sophisticated security measures, which makes them easy pickings for cybercriminals. Why would a cybercriminal target that smart lightbulb in your living room reading lamp? Networks are only as secure as their least secure device. Thus, if a cybercriminal can compromise that smart lightbulb, it can potentially give them access to the entire home network it is on — along with all the other devices and data on it.

More commonly, though, hackers target smart home devices for another reason. They conscript them into botnets. It’s a highly automated affair. Hackers use bots to add devices to their networks. They scan the internet in search of vulnerable devices and use brute-force password attacks to take control of them.

At issue: many of these devices ship with factory usernames and passwords. Fed with that info, a hacker’s bot can have a relatively good success rate because people often leave the factory password unchanged. It’s an easy in.

Results from one real-life test show just how active these hacker bots are:

We created a fake smart home and set up a range of real consumer devices, from televisions to thermostats to smart security systems and even a smart kettle – and hooked it up to the internet.

What happened next was a deluge of attempts by cybercriminals and other unknown actors to break into our devices, at one stage, reaching 14 hacking attempts every single hour.

Put another way, that hourly rate added up to more than 12,000 unique scans and attack attempts a week.[iv] Imagine all that activity pinging your smart home devices.
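The kind of deluge described above is visible in a device's own login records. As an added example (not code from the McAfee post), the detector below parses constructed, syslog-like login lines from a hypothetical IoT camera, counts failures per source and clock hour, flags sweeps through factory usernames, and escalates when a success follows a burst; the log format, addresses and the DEFAULT_USERNAMES list are all assumptions made for the demo.

```python
"""Detect botnet-style credential sweeps in IoT device login logs.

Added example, not code from the McAfee post. The log format, device name,
addresses and DEFAULT_USERNAMES are constructed for the demo; real devices
and routers log in their own formats.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed records: a burst from 203.0.113.7 (a documentation address)
# cycling through factory usernames, then one benign login from a LAN host.
SAMPLE_LOG = """\
2024-11-12T08:00:02Z camera-01 sshd: failed password for admin from 203.0.113.7
2024-11-12T08:00:03Z camera-01 sshd: failed password for root from 203.0.113.7
2024-11-12T08:00:04Z camera-01 sshd: failed password for admin from 203.0.113.7
2024-11-12T08:00:05Z camera-01 sshd: failed password for support from 203.0.113.7
2024-11-12T08:00:06Z camera-01 sshd: failed password for user from 203.0.113.7
2024-11-12T08:00:07Z camera-01 sshd: failed password for admin from 203.0.113.7
2024-11-12T08:00:08Z camera-01 sshd: failed password for root from 203.0.113.7
2024-11-12T08:00:09Z camera-01 sshd: failed password for admin from 203.0.113.7
2024-11-12T08:00:10Z camera-01 sshd: failed password for admin from 203.0.113.7
2024-11-12T08:00:11Z camera-01 sshd: failed password for root from 203.0.113.7
2024-11-12T08:00:12Z camera-01 sshd: failed password for admin from 203.0.113.7
2024-11-12T08:00:13Z camera-01 sshd: failed password for root from 203.0.113.7
2024-11-12T08:00:14Z camera-01 sshd: failed password for admin from 203.0.113.7
2024-11-12T08:00:15Z camera-01 sshd: failed password for admin from 203.0.113.7
2024-11-12T08:00:16Z camera-01 sshd: accepted password for admin from 203.0.113.7
2024-11-12T08:30:00Z camera-01 sshd: failed password for alice from 192.168.1.20
2024-11-12T08:30:05Z camera-01 sshd: accepted password for alice from 192.168.1.20
"""

# Usernames that commonly ship as factory defaults (constructed sample list).
DEFAULT_USERNAMES = {"admin", "root", "support", "user", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>failed|accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    result: str  # "failed" or "accepted"
    user: str
    src: str


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["host"], m["result"], m["user"], m["src"])


def analyze(log_text, fail_threshold=10, sweep_min_users=3):
    """Return {source_ip: finding} for sources that look like bot activity.

    A source is reported when, within one clock hour, it exceeds
    fail_threshold failed logins or tries sweep_min_users distinct usernames
    that are all factory defaults. A successful login from such a source in
    the same hour is escalated: the device may already be conscripted.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = defaultdict(list)  # (src, hour) -> failed events in that hour
    for e in events:
        if e.result == "failed":
            failures[(e.src, e.ts.replace(minute=0, second=0))].append(e)

    findings = {}
    for (src, _hour), evs in failures.items():
        users = {e.user for e in evs}
        f = findings.setdefault(src, {"max_failures_per_hour": 0,
                                      "default_username_sweep": False,
                                      "success_after_burst": False})
        f["max_failures_per_hour"] = max(f["max_failures_per_hour"], len(evs))
        if len(users) >= sweep_min_users and users <= DEFAULT_USERNAMES:
            f["default_username_sweep"] = True

    for e in events:  # a success after a burst from the same source, same hour
        if e.result != "accepted":
            continue
        hour = e.ts.replace(minute=0, second=0)
        prior = [x for x in failures.get((e.src, hour), []) if x.ts < e.ts]
        if len(prior) >= fail_threshold and e.src in findings:
            findings[e.src]["success_after_burst"] = True

    return {src: f for src, f in findings.items()
            if f["max_failures_per_hour"] >= fail_threshold
            or f["default_username_sweep"]}


def severity(finding):
    """Rank a finding for triage."""
    if finding["success_after_burst"]:
        return "critical"  # rotate the credential and isolate the device
    if finding["default_username_sweep"]:
        return "high"
    return "medium"


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(f"{src}: {severity(f)} {f}")
```

On the constructed sample the burst from 203.0.113.7 is reported as critical (14 failures in the hour, four factory usernames tried, then an accepted login), while the single failed attempt from the LAN host is ignored.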

Now, with a botnet in place, hackers can wage the kinds of attacks we mentioned above, particularly DDoS attacks. DDoS attacks can shut down websites, disrupt service and even choke traffic across broad swathes of the internet.

Remember the “Mirai” botnet attack of 2016, where hackers targeted a major provider of internet infrastructure?[v] It ended up crippling traffic in concentrated areas across the U.S., including the northeast, Great Lakes, south-central, and western regions. Millions of internet users were affected: people, businesses, and government workers alike.

Another more recent set of headline-makers are the December 2023 and July 2024 attacks on Amazon Web Services (AWS).[vi], [vii] AWS provides cloud computing services to millions of businesses and organizations, large and small. Those customers saw slowdowns and disruptions for three days, which in turn slowed down and disrupted the people and services that wanted to connect with them.

Also in July 2024, Microsoft likewise fell victim to a DDoS attack. It affected everything from Outlook email to Azure web services, and Microsoft Office to online games of Minecraft. They all got swept up in it.[viii]

These attacks stand out as high-profile DDoS attacks, yet smaller botnet attacks abound, ones that don’t make headlines. They can disrupt the operations of websites, public infrastructure, and businesses, not to mention the well-being of people who rely on the internet.

Botnet attacks: Security shortcomings in IoT and smart home devices 

Earlier we mentioned the problem of unchanged factory usernames and passwords. These include everything from “admin123” to the product’s name. Easy to remember, and highly insecure. The practice is so common that they get posted in bulk on hacking websites, making it easy for cybercriminals to simply look up the type of device they want to attack.

Complicating security yet further is the fact that some IoT and smart home device manufacturers introduce flaws in their design, protocols, and code that make them susceptible to attacks.[ix] The thought gets yet more unsettling when you consider that some of the flaws were found in things like smart door locks.

The ease with which IoT devices can be compromised is a big problem. The solution, however, starts with manufacturers that develop IoT devices with security in mind. Everything in these devices will need to be deployed with the ability to accept security updates and embed strong security solutions from the get-go.

Until industry standards get established to ensure such basic security, a portion of securing your IoT and smart home devices falls on us, as people and consumers.

Steps for a more secure network and smart devices 

As for security, you can take steps that can help keep you safer. Broadly speaking, they involve two things: protecting your devices and protecting the network they’re on. These security measures will look familiar, as they follow many of the same measures you can take to protect your computers, tablets, and phones.

Grab online protection for your smartphone. 

Many smart home devices use a smartphone as a sort of remote control, not to mention as a place for gathering, storing, and sharing data. So whether you’re an Android owner or iOS owner, use online protection software on your phone to help keep it safe from compromise and attack.

Don’t use the default — Set a strong, unique password. 

One issue with many IoT devices is that they often come with a default username and password. This could mean that your device and thousands of others just like it all share the same credentials, which makes it painfully easy for a hacker to gain access to them because those default usernames and passwords are often published online. When you purchase any IoT device, set a fresh password using a strong method of password creation, such as ours. Likewise, create an entirely new username for additional protection as well.

Use multi-factor authentication. 

Online banks, shops, and other services commonly offer multi-factor authentication to help protect your accounts — with the typical combination of your username, password, and a security code sent to another device you own (often a mobile phone). If your IoT device supports multi-factor authentication, consider using it there too. It throws a big barrier in the way of hackers who simply try and force their way into your device with a password/username combination.

Secure your internet router too. 

Another device that needs good password protection is your internet router. Make sure you use a strong and unique password as well to help prevent hackers from breaking into your home network. Also, consider changing the name of your home network so that it doesn’t personally identify you. Fun alternatives to using your name or address include everything from movie lines like “May the Wi-Fi be with you” to old sitcom references like “Central Perk.” Also check that your router is using an encryption method, like WPA2 or the newer WPA3, which keeps your signal secure.

Upgrade to a newer internet router. 

Older routers might have outdated security measures, which might make them more prone to attacks. If you’re renting yours from your internet provider, contact them for an upgrade. If you’re using your own, visit a reputable news or review site such as Consumer Reports for a list of the best routers that combine speed, capacity, and security.

Update your apps and devices regularly. 

In addition to fixing the odd bug or adding the occasional new feature, updates often fix security gaps. Out-of-date apps and devices might have flaws that hackers can exploit, so regular updating is a must from a security standpoint. If you can set your smart home apps and devices to receive automatic updates, that’s even better.

Set up a guest network specifically for your IoT devices. 

Just as you can offer your guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices on your primary network, the one where you connect your computers and smartphones.

Shop smart. 

Read trusted reviews and look up the manufacturer’s track record online. Have their devices been compromised in the past? Do they provide regular updates for their devices to ensure ongoing security? What kind of security features do they offer? And privacy features too? Resources like Consumer Reports can provide extensive and unbiased information that can help you make a sound purchasing decision.

Don’t let botnets burn your toast

As more and more connected devices make their way into our homes, the need to ensure that they’re secure only increases. More devices mean more potential avenues of attack, and your home network is only as secure as the least secure device that’s on it.

While standards put forward by industry groups such as UL and Matter have started to take root, a good portion of keeping IoT and smart home devices secure falls on us as consumers. Taking the steps above can help prevent your connected toaster from playing its part in a botnet army attack — and it can also protect your network and your home from getting hacked.

It’s no surprise that IoT and smart home devices have raked in billions of dollars over the years. They introduce conveniences and little touches into our homes that make life more comfortable and enjoyable. However, they’re still connected devices. And like anything that’s connected, they must be protected.

[i] https://www.hagley.org/librarynews/history-making-toast

[ii] https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/

[iii] https://www.statista.com/outlook/dmo/smart-home/united-states

[iv] https://www.which.co.uk/news/article/how-the-smart-home-could-be-at-risk-from-hackers-akeR18s9eBHU

[v] https://en.wikipedia.org/wiki/Mirai_(malware)

[vi] https://www.darkreading.com/cloud-security/eight-hour-ddos-attack-struck-aws-customers

[vii] https://www.forbes.com/sites/emilsayegh/2024/07/31/microsoft-and-aws-outages-a-wake-up-call-for-cloud-dependency/

[viii] https://www.bbc.com/news/articles/c903e793w74o

[ix] https://news.fit.edu/academics-research/apps-for-popular-smart-home-devices-contain-security-flaws-new-research-finds/


The post What Is a Botnet? appeared first on McAfee Blog.

Recent Initiatives by Global IoT Providers Reflect Commitment to Capturing Growth

15 August 2024 at 12:20
John Marcus – Senior Principal Analyst, Enterprise IoT, Mobility, Private Networks, and Service Innovations

Summary Bullets:

• The Internet of Things (IoT) services landscape continues to evolve with global connectivity service and solution providers announcing notable advancements and initiatives over the past several months.

• Key trends include the expansion of 5G capabilities, the integration of artificial intelligence (AI) and network application programming interfaces (APIs), and a strong emphasis on sustainability and energy efficiency.

GlobalData recently published its product assessment of 10 global IoT service providers and an accompanying competitive landscape report as well as an update to its Global Market Opportunity Forecasts to 2028: Enterprise IoT Market model. This blog focuses on key themes among new initiatives and service launches during H1 2024.

5G and Connectivity Enhancements
Potentially one of the more impactful trends is the ongoing expansion and enhancement of 5G networks, which can enable a variety of IoT use cases. AT&T, for example, has made substantial investments in the AT&T FirstNet public safety network, introducing 5G standalone capabilities to enhance voice, data, and video communications for first responders. This underscores the critical role of 5G in enabling advanced IoT applications such as high-definition video transmission during emergency operations and enhanced situational awareness through IoT data and real-time video analytics.

T-Mobile has also added support for its 5G standalone network to the T-Mobile Control Center platform, enabling advanced services like network slicing and quality on demand. This rollout is expected to significantly boost IoT deployments and critical applications across various sectors. Similarly, Deutsche Telekom’s launch (along with Tele2) of resilient SIM (rSIM) technology highlights the importance of robust and reliable connectivity for IoT devices, ensuring seamless operation even in the event of network disruptions.

AI and API Integration
Other initiatives have been launched in 2024 involving the further integration of AI – and APIs – into IoT solutions. AT&T’s new platform providing APIs to developers allows businesses to enhance their IoT applications with greater intelligence and capability, potentially enabling the creation of more sophisticated solutions for connected cars, infrastructure, home automation, and health devices. While several of its peers announced support for network APIs months before AT&T, few had highlighted IoT as a key focus of their initiatives.

Telefónica Tech’s ‘Internet of Drones’ solution exemplifies the combination of AI with IoT in enhancing urban mobility and logistics. By leveraging 5G and private network connectivity, the solution aims to ensure compliance with air traffic regulations and improve collision prevention and emergency response capabilities.

Focus on Sustainability and Energy Efficiency
Sustainability and energy efficiency are now crucial focal points for IoT service providers. Orange Business has been particularly active in this area recently, launching its ‘Control’ platform to enhance building management systems and reduce energy consumption and carbon footprints. Additionally, the Orange Flux Vision platform now includes new indicators that measure the carbon footprint of people and goods’ movement, demonstrating a commitment to leveraging IoT for environmental benefits.

The AT&T Connected Climate Initiative, which aims to reduce one gigaton of emissions by 2035, is another example of how IoT solutions are being used to address climate challenges. This initiative brings together various collaborators to innovate and implement IoT, 5G, and edge computing solutions that contribute to emissions reduction.

Strategic Partnerships and Industry Collaboration
New industry collaborations during recent months include Vodafone’s strategic partnership with Microsoft, aimed at co-developing – and potentially investing in – Vodafone’s IoT business, recently spun-off as a standalone entity. This collaboration is expected to expand Vodafone’s reach and enhance platform performance, highlighting the benefits of combining strengths from different industry leaders.

Meanwhile, Tata Communications’ expansion in the US market through its digital fabric platform and the introduction of the Tata Communications CloudLyte edge computing platform will bolster its IoT offerings and enhance its global presence as an IoT MVNO, an integrator, and a managed services provider. Both initiatives underscore the increasing importance of strategic partnerships and the role they play in driving IoT innovation (as well as potential growth for each partner).

These latest announcements from global IoT connectivity service providers underscore a few key trends that GlobalData has been monitoring for some time: the rapid expansion of 5G and network capabilities, the integration of advanced analytics and AI, a strong focus on sustainability, and the strategic importance of partnerships and collaborations. Not all providers move at the same pace in embracing these trends, but these developments highlight the dynamic nature of the IoT market and the continuous investment in innovation that is driving (and capturing) its growth.
