In recent months, leading global companies producing equipment for industrial automation systems — Siemens, Rockwell Automation, Schneider Electric, ABB, and others — have reported new critical vulnerabilities in their products.
Controllers (PLCs), SCADA/HMI systems, engineering stations, network modules, and other equipment used in industrial and infrastructure facilities are at risk.

Why this matters for Kazakhstan

These solutions are widely used in Kazakhstan — in the oil and gas, energy, transport, utilities, financial sector, and even healthcare.
If these vulnerabilities are exploited by attackers, it could lead to production downtime, power outages, or disruption of urban infrastructure.

This material is prepared for cybersecurity professionals and helps prioritize vulnerability remediation. Specific applicability depends on the versions of hardware and software used at facilities.

---

Key developments from major vendors

Siemens

In August and September, the company released nearly 30 security updates. The most critical include:

• CVE-2025-40804 (CVSS 9.3) — a vulnerability in SIMATIC Virtualization as a Service. Allows an attacker to access or modify confidential data without authorization.

• CVE-2025-40746, CVE-2025-40751 — issues in SIMATIC RTLS Locating Manager enabling execution of arbitrary code with administrative privileges.

• Vulnerabilities in UMC, Simotion, Industrial Edge, and Sinamics were also fixed, which could allow remote code execution (RCE) or denial of service (DoS).

Risks: unauthorized access to engineering stations, PCS7 and WinCC failures, and manipulation of controller configurations.

---

Schneider Electric

Four critical vulnerabilities were found in EcoStruxure Power Monitoring Expert, Power Operation, and Power SCADA Operation, allowing potential remote code execution or data leakage, which is especially dangerous for energy systems.

In Modicon M340 controllers and communication modules, issues that could cause device failure via malicious FTP commands were fixed.
Vulnerabilities in Software Update allowing privilege escalation or file corruption were also corrected.

Risks: distorted monitoring and control data, and potential preparation for attacks on critical infrastructure.

---

Rockwell Automation

• CVE-2025-7353 (CVSS 9.3) — critical vulnerability in ControlLogix Ethernet modules, allowing full device control.

• CVE-2025-9364 — in FactoryTalk Analytics LogixAI, a Redis database misconfiguration could lead to data leakage and privilege escalation.

• CVE-2025-9161 — in FactoryTalk Optix, malicious plugins could be uploaded and executed via MQTT.

Risks: full controller compromise, SCADA system failures, and analytics platform compromise.

---

ABB

Critical vulnerabilities were found in ASPECT, Nexus, and Matrix, including authentication bypass and remote code execution (RCE) without authorization.
Some of these have CVSS scores up to 9.8, making them extremely dangerous. ABB recommends updating to version 3.08.04-s01 or higher or isolating vulnerable systems from the network.

Risks: remote takeover of industrial systems and compromise of critical operations.

---

Overall analysis

In recent months, there has been an increase in complex attacks where multiple vulnerabilities are exploited simultaneously.
A purely reactive approach — applying updates only after incidents — is no longer sufficient.
A shift toward a resilient architecture is required, which includes:

• Inventory of all assets and their vulnerabilities;

• Network segmentation according to the Purdue model;

• Implementation of Zero Trust principles;

• Continuous monitoring and integrity checks of systems.

---

Practical recommendations

1. Patch and update management

• Maintain an inventory of devices and their vulnerabilities.

• Evaluate how updates will affect the production process before deployment.

• Test patches in isolated environments.

• If updates are not possible, use virtual patching and disable unused services (FTP, Redis, web-debug).

• Regularly monitor vendor security advisories.

2. Network segmentation

• Segment networks by levels: corporate, DMZ, SCADA, controllers, and field devices.

• Eliminate direct Internet access.

• Use jump servers and data diodes for secure data transfer.

• Implement multi-factor authentication and minimum privileges.

• Restrict protocols and ports to only those necessary (CIP, Modbus, Profinet, etc.).

3. Monitoring and threat detection

• Deploy specialized OT network monitoring.

• Integrate data with SOC/SIEM.

• Monitor PLC and SCADA configuration integrity.

• Use Threat Intelligence to detect new attacks.

• Set up anomaly detection — e.g., suspicious FTP commands or unauthorized Redis access.

4. Incident response and training

• Update response plans for DoS, PLC compromise, etc.

• Conduct realistic drills and tabletop exercises.

• Train personnel to recognize phishing and intrusion indicators.

• Analyze every incident to continuously improve defenses.

5. Legacy systems management

• Implement application whitelisting on engineering stations and servers.

• Block unauthorized USB devices.

• Strictly control remote connections.

• Isolate legacy systems where updates are not possible.

---

Useful links

• Siemens: https://www.siemens.com/cert/advisories/

• Schneider Electric: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

• ABB: https://global.abb/group/en/technology/cyber-security/alerts-and-notifications

• Rockwell Automation: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1731.html

With the widespread use of digital devices connected to wireless networks — such as ticker tapes, electronic queues, information panels, self-service terminals, interactive kiosks and media screens — the vulnerability of private business infrastructure to cyber threats has increased significantly. Malfunctions in the operation of these devices caused by intruders can entail not only financial but also image losses for entrepreneurs.

Cases of hooligan hacking aimed at discrediting or temporarily disabling equipment are becoming especially relevant.In this regard, in order to increase the security of the wireless infrastructure of private business facilities and minimize the risks of unauthorized access, it is recommended to implement the following technical and organizational measures:
• Configure a wireless network using the WPA3 protocol. If it cannot be used, use WPA2 with the TKIP algorithm disabled. Prohibit the use of outdated and vulnerable encryption protocols, including WEP, WPA and WPA2-PSK. • Set a unique SSID name that does not contain information about the type of equipment or its owner.
• Enable connection logging to track the time and devices that connected to the network.
• Restrict device connections using lists of allowed MAC addresses or implement authentication based on digital certificates.
• Change factory logins and passwords on network and control equipment, including media players and controllers.
• Do not use simple and standard passwords (for example, admin / admin or 12345678). Implement the use of complex passwords (at least 12 characters, including letters in different cases, numbers and special characters), and regulate their periodic updating.
• Restrict physical access to equipment, install modules and cables in inaccessible locations, for example, in a cabinet or in a closed box.
• Block unused physical ports (USB, Ethernet) to prevent unauthorized connections.
• Restrict access to the "Reset" and "Power" buttons. Place power supplies in closed and protected technical rooms.
• Ensure regular firmware updates for routers, access points, LED screen controllers and other network components.
• Avoid using outdated equipment models that do not support current protocols and security mechanisms.

Compliance with these recommendations can increase the resilience of wireless infrastructure to external threats and ensure reliable operation of outdoor digital solutions.

 

Емханалар, коммуналдық қызметтер және жеткізу қызметтерінің атынан жасалатын телефон алаяқтығының жаңа толқыны

 

«Мемлекеттік техникалық қызмет» АҚ мамандары емханалар, коммуналдық қызметтер және жеткізу қызметтерінің атын жамылып әрекет ететін зиянкестердің бірқатар алаяқтық схемаларын тіркеді және талдады. Қылмыскерлердің мақсаты – азаматтардың жеке мәліметтеріне және мемлекеттік қосымшалардағы аккаунттарына қол жеткізу болып табылады.

Алаяқтықтың негізгі схемалары:

1.                     Емхана регистратурасының атынан жасалған алаяқтық

Алаяқ өзін нақты емхананың қызметкері ретінде таныстырып, қоңырау шалады (тіпті нақты мекенжайды және шынайы атауларды айтады).

Олар белгілі бір күннен бастап дәрігерлерге жазылу және жедел жәрдем шақыру ЖСН бойынша емес, медициналық декларацияның нөмірі бойынша жүзеге асырылатынын хабарлайды. Әрі қарай, «декларацияның нөмірін» айтып беруді сұрайды, ал шын мәнісінде ол нөмір DamuMed немесе eGov сияқты мемлекеттік қосымшаларға кіруге арналған бір реттік код болып табылады. SMS алған адамнан алты таңбалы кодты айтып беруді сұрайды, осылайша азаматтың дербес аккаунтына қол жеткізеді.

2. «Электр есептегіштерін тексеру» қызметін ұсынатын коммуналдық қызметтер атынан жасалған алаяқтық

Алаяқ өзін «Астана Энергосбыт», «Алматы Су» немесе басқа да коммуналдық ұйымның қызметкері ретінде таныстырады. «Мемлекеттік есептегіштерді ауыстыру бағдарламасына» қатысу желеуімен олар есептегіш соңғы рет қашан ауыстырылғанын сұрайды және өтінімді ашқандай болады. Содан кейін жәбірленушінің телефонына код жіберіп, оны айтып беруді сұрайды, осылайша цифрлық қызметтерге қол жеткізуге тырысад

3. Мемлекеттік органнан тапсырысты хат туралы хабарлау  

Алаяқ өзін «Қазпошта» немесе курьерлік қызметтің жұмыскері ретінде таныстырып, Салық комитетінен, ҚР МКК, ХҚКО немесе басқа ведомстволардан тапсырысты хат бар екенін хабарлайды. Мекенжайды нақтылап, 1414 немесе 1412 нөмірлерінен SMS жібереді де кодты айтып беруді немесе сілтеме бойынша өтуді сұрайды. Бұл – деректерді ұрлау немесе ЗБ орнату әрекеті.

«МТҚ» АҚ мамандары осы жағдайлардың барлығында алаяқтар сенімге ие болу үшін дербес деректерді (ТАӘ, мекенжайды) пайдаланатынын хабарлайды. Алайда, бірде-бір мемлекеттік немесе коммуналдық ұйым телефон арқылы SMS-кодты сұрамайтынын және мессенджерлерге сілтеме жібермейтінін естеріңізге саламыз. 

Ұсынымдар

-       қоңырау шалушы өзін мемлекеттік органның қызметкері ретінде таныстырса да, SMS-тағы растау кодтарын ешкімге бермеңіз;

-       телефон арқылы ЖСН және басқа да дербес деректерді хабарламаңыз;

-       SMS сілтемелер бойынша өтпеңіз, әсіресе егер сіз ұйым «өкілімен» сөйлесіп жатқан кезде сілтеме бойынша өтуші болмаңыз;

-       Әңгімені тоқтатыңыз да, ресми нөмір бойынша ұйымның өзіне қоңырау шалыңыз;

-       Күдікті қоңыраулар туралы құқық қорғау органдарына хабарлаңыз.

Every year, information technology makes our lives easier and more convenient, but at the same time, the number of threats to which both government agencies and ordinary users are exposed increases. Cyber attacks have become part of modern reality, affecting private data, finances, and even national security. The year 2024 was a year of vivid examples of how the digital age requires increased attention to cybersecurity issues. As is customary, at the beginning of each year, JSC State Technical Service presents a new issue of the cyber digest, which highlights incidents in the field of information security in Kazakhstan over the past period.

The Zaimer data leak.kz: personal data of millions is publicly available

In March 2024, Kazakhstan faced one of the largest data leaks. Microfinance organization database Zaimer.kz information including personal information of 1,947,022 citizens has been publicly available on Telegram. The data includes users’ full names, identification numbers, and contact phone numbers.

This information quickly fell into the hands of fraudsters, who used it to create fake loans, apply for loans, and steal money from customer accounts.

Why did this happen?

Cybersecurity experts point out that the organization has not provided an adequate level of database protection. The lack of regular security checks, outdated systems, and weak encryption caused the leak.

How can such cases be prevented?

Use database-level encryption.
Regularly audit security systems.
Notify clients about the risks and teach them the basics of cyber hygiene.
Cyber attack on the Ministry

In June 2024, attackers attacked the server of one of the country’s ministries. Using special utilities, they gained access to a database of employee accounts, including administrative ones. Using the data extraction technique, hackers could gain access to confidential correspondence and strategic documents.

This case has become a serious challenge to national security. Experts claim that the attack could have been organized by foreign hacker groups for the purpose of espionage.

Consequences of the attack:

The threat of data leakage related to international agreements.
The risk of deterioration of diplomatic relations.
What measures have been taken?

The compromised system was immediately disconnected from the network.

The employee credentials have been updated, and access to the server has been blocked.

Medical information system data leak: a threat to the most defenseless

Another major leak in 2024 was the compromise of data from the medical information system, which contains information about children registered in medical institutions in Kazakhstan. The children’s personal data, including their dates of birth, names and addresses, became publicly available.

Such data can be used for social engineering, creating fake profiles, or even kidnapping children. The vulnerability of the system has shown that even the most sensitive databases require more serious protection.

DDoS attack on domestic AI: an online resource under the gun

In January 2024, a domestic Internet resource became the victim of a high-intensity DDoS attack. Hackers used tens of thousands of requests from thousands of IP addresses to overload the server and make the site inaccessible.

This attack disabled the resource for several hours, resulting in reputational and financial losses.

After this incident, AI installed Cloudflare and CAPTCHA protection systems to reduce the risk of such attacks happening again.

DDoS attacks remain a popular hacker tool, and they can only be prevented by using professional traffic filtering solutions.

Global incidents: lessons for Kazakhstan

Kazakhstan was not the only country affected by digital threats. In 2024, the world faced a number of large-scale incidents that highlighted the global nature of cyber threats.

Hacking of the cryptocurrency exchange (USA): Hackers stole more than $ 1 billion due to a vulnerability in the exchange’s system.
India’s largest bank data leak: Millions of customers’ data has been published on the darknet, leading to a wave of financial fraud.
An attack on an educational platform in Europe: Hackers have compromised student data, including the personal information of minors.
These cases have shown that attacks are becoming more complex and widespread. Even the most technologically advanced companies are not ready for modern threats.

Cybersecurity is no longer just a technical challenge — it is a strategic necessity that determines the sustainability of organizations in the digital world. In 2025, an increase in the number of cyber attacks and the development of AI technologies is expected, which will require companies not only to implement advanced solutions, but also to train personnel capable of responding quickly to threats.

In 2024, GTS JSC recorded more than 41,000 incidents in the field of information security, including viruses, network worms and Trojans. The escalation of threats is associated with the use of IoT (Internet of Things) and AI in cyber attacks, which requires constant improvement of protection and improvement of user awareness on cyber hygiene issues.

Trends and forecasts: where is information security heading in 2025?

In 2025, one of the most significant threats in the field of disinformation will be the use of artificial intelligence. This poses a serious challenge to information security, as such technologies can be used to spread disinformation on a massive scale, and in the face of this threat, the need to develop and implement effective AI algorithms will become a priority for government agencies, technology companies, and international organizations.

For more information, see CYBERCODE 2024: Challenges of the Digital Age. 

Once you download the game to your smartphone, you can be left without money and even without the smartphone itself. How this happens and how to protect yourself from it, we will discuss today in our article.

In today's review, we will talk about smartphones running on the Android operating system.

The relevance of this article is due to the fact that users of the Android operating system (OS) have the opportunity to install applications and games not only from official stores (Play Market, Google Play, AppGallery, Samsung Galaxy Store and others), but also from other sources, which is not safe and carries various threats. Therefore, downloading and installing files and games from various unknown sources is highly discouraged.

Installation from unofficial and unverified sources may entail the installation of various malicious software that carries the risks of leakage of your personal data, access to your Internet banking applications, reading SMS messages, as well as your smartphone may become part of botnets and be used by hackers to carry out various cyber attacks, spam mailings, unauthorized calls and others.

So how do you protect yourself from this kind of cyberattack?

1.Disable installations from unknown sources.
To protect against accidental installation, make sure that the ability to install applications from unknown sources is disabled. As a rule, it is disabled by default, but it is better to check.

In Android version 4.0 and above, you need to go to the Security Settings section and make sure that Unknown Sources are disabled.

In previous versions of Android, click Settings – Application Settings and see if there is a check mark on the Unknown sources item.
! An important alarm signal may also be an application request for administrator rights. Thus, the owner of the application will have the right to remote access to your smartphone, which carries the above risks.

2. Install the antivirus application.
A good antivirus is able to protect your smartphone from ransomware and other cyber threats that can be hidden not only on websites, but also applications downloaded from various sources. If you accidentally click a suspicious link, download a fake app, or try to install a fraudulent add-on, the antivirus application will quarantine the virus and prevent infection of the smartphone.
! Antivirus protection is available not only for personal computers.

3. Update the operating system regularly.
Install all Android OS updates, as many of them are related to security. Of course, updates for Android smartphones are known for the fact that they often take too long to come out, so you can't rely on them alone for your security, so it's better to install an antivirus anyway.

4. Make backups of all important files that are stored on your smartphone.
Backups can be stored in the cloud, on an external hard drive, or using a third-party service.
To start the backup, follow these steps:
• In the Operating System Settings section, find the Google section.
• Next, go to the Backup section. Here you will see the Start Copying button. Below it is a list of data that will be saved to your account. These include call logs, messages, contacts, Android settings, photos and videos, as well as application data that confirms this feature.
• Click on the Start Copying button and wait for the process to finish.
Thus, you can periodically make a backup copy of your smartphone's data.

5. Be extremely careful with pop-ups.
When visiting a website or playing an online game and receiving a pop-up request to update or install an add–on, the best thing you can do is close the pop-up window.
! To protect against various pop-ups, we recommend using AdBlock-type add-ons in your browser.

6. Think twice before clicking on the link.
Phishing is still the most popular way to distribute malware and collect personal data. The number of cases of phishing attacks targeting smartphones, social networks and messengers is inexorably growing. Do not click on links that you receive in a message or email from an unknown source. Even if the source is familiar, carefully examine the sender's address and the source of the link before proceeding. If anything is in doubt, refrain from any action.

7. Use secure DNS.
Secure DNS is a free content filtering service that restricts access to malicious sites, as well as resources that are undesirable for viewing. Allows the owner to protect either all home smartphones, or choose filtering for them individually through easy-to-understand ready-made profiles. If the site is included in the Secure DNS database, the user will see a message about it.

This service is similar to the "Parental Control" service, but unlike many others it is absolutely free. Any user can connect this service, since the connection does not require special special knowledge in the field of IT.

Connecting the service for Android smartphones is possible both on a specific smartphone and using a Wi-Fi network.
To set up on your smartphone, you need to do the following: Select your Wi-Fi access point from the list of available networks => click on the Settings button => select Advanced => in the IP Settings section, change this item from DHCP to Static => enter 91.214.42.211 as DNS1 => alternative 91.214.42.212 DNS2.

Of course, it will be somewhat more convenient to configure the Wi-Fi network access point at once than each smartphone. To do this, it is enough to specify 91.214.42.211 as the preferred DNS server in the DHCP settings on the Wi-Fi access point, as well as 91.214.42.212 as an alternative. Thus, the accepted DNS settings will be automatically accepted for smartphones connected to this Wi-Fi.

The growing number of malware targeting Android poses a serious threat. But isn't it nice to know that you have the opportunity to ensure that this threat will never become a reality for your smartphone? You just need to follow the rules of cyber hygiene and install applications from trusted sources.

 

Protect your data and money on your smartphone using our recommendations!

The number of phishing attacks is increasing every year, and the methods of “phishers” are becoming more sophisticated. The victims of phishing attacks are ordinary Internet users, entrepreneurs and entire companies. There are many tricks of attackers aimed at obtaining confidential user data with their further use for selfish purposes, including withdrawing funds from bank cards.

For the first time, the concept of “phishing” was used in 1996, when attackers, posing as employees of a large American Internet provider AOL (America Online), collected user identification information (usernames and passwords). As a result, spam was sent on behalf of these people.

In order not to become a victim of fraud, KZ-CERT experts recommend following the following recommendations:

• Be suspicious of unwanted phone calls, e-mail messages, especially with links from people who request employee data or other internal information. If an unknown person claims that he is from a trusted organization, then his identity should be checked directly with the company.

• Beware of opening questionable links received in messengers and social networks.

• Do not share personal, confidential and corporate information about your organization if you are not sure that the person has the authority to receive such information.

• Do not disclose personal or financial information by email.

• Do not send confidential information over the Internet if you are not sure of the legitimacy of the Internet resource.

• If you are not sure whether an appeal or an e-mail request is legitimate, then you should check it by contacting the company directly. At the same time, do not use the contact information specified in the letter or by the link from the letter.

• Use antivirus software and update its databases in a timely manner, use email filters to reduce the number of phishing mailings received.

• Take advantage of all the anti-phishing features offered by your email client and web browser.

• Use two-factor authentication (2FA).

• Do not tell anyone the three-digit CVV/CVC code (on the back of the bank card). And do not report the incoming SMS code from the bank.

If you encounter an information security incident, please inform our specialists by toll-free number 1400 (around the clock) or send a request to the Telegram chat: https://t.me/kzcert .

JSC "State Technical Service" (JSC "GTS") announces a new section on the official website sts.kz .

The new section "Register of static addresses of data transmission networks" (RSAC) is located on the main page of the site in the lower right corner.

RSASPD is an electronic information resource that includes an established list of information about static addresses of data transmission networks, their types and categories, as well as about their owners.

RSASPD is supported by GTS JSC in accordance with paragraphs 1) paragraph 1 of Article 9-2 of the Law of the Republic of Kazakhstan "On Communications", as well as the Rules for the Formation and Maintenance of the register of static addresses of data transmission networks, approved by Order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan No. 400/NK dated October 28, 2022.

The order comes into force on November 18 of this year.

Contacts for consultations: 1400, e-mail: rsaspd@sts.kz

We would like to inform you that on 4 September 2023, from 18:00 to 22:00, technical work is scheduled to be carried out on the Synaq web portal. As a result of this update, temporary unavailability of the portal is expected.

We apologize for any inconvenience caused by the temporary unavailability of our portal.

Thank you for your understanding!

Sincerely, STS JSC

In September of this year, in order to analyze and further eliminate the IS incident in the networks of government agencies, the National Computer Incident Response Service of the State Technical Service JSC (KZ-CERT Service) received information from a Kazakhstani company about a file with Agent Tesla and DarkTortilla, which together represent an infostealer.

According to the company’s information, the file, in which the e-mail addresses of Kazakhstani citizens were found (Figure 1), was used by hackers for spying purposes.

Specialists of KZ CERT Service analyzed the received file and recreated the algorithm of actions of infostealer. Thus, it turned out that the attacker sent the file to the user, and after opening the file, the infostealer was launched, which collected confidential information from the computer, including website addresses with logins and passwords.  In parallel, the infostealer took screenshots every 20 minutes and tracked users’ keystrokes according to the attacker’s prescribed requests.

After receiving the detected sample, the file name: “New Order Request #_41869009.exe” and the original name: oasaesasaaaaa.exe became known (Fig 2).

 

AGENT TESLA and DARKTORTILLA

In the world of cybercrime, the number of tools that hackers use is increasing every day. In this case, we will reveal the tactics of one of the most sophisticated cyber threats of our time – DarkTortilla.

Here’s a bit of background on DarkTortilla. It is a versatile tool for cybercriminals, it is based on .NET and has settings associated with the RATs Crew. In addition, there may be similarities to the Gameloader malware.

Agent Tesla, which was used in conjunction with DarkTortilla, is an infostealer capable of stealing personal data from web browsers, email clients and FTP servers: passwords, keys and other sensitive data. The latest versions of Agent Tesla are also capable of mining personal data from VPN clients.

CODE ANALYSIS AND IMPORTANT FEATURES OF DARKTORTILLA

DarkTortilla uses the steganography method to hide its configuration. In this case, the sample configuration is stored in 14 files (images).

*Steganography is the technique of hiding information within images or other media files so that this information remains invisible to normal visual analysis.

DarkTortilla uses an anti-analysis technique to bypass attempts to analyse and detect malicious code. More specifically, it checks the equality of the file name with “ystem32” and the current folder with “scan”. If both of these conditions are valid, the execution of the programme is prematurely terminated. This mechanism represents part of DarkTortilla’s obfuscation and self-protection. Detection of “system32” and “scan” may indicate an attempt to analyze or dynamically decompile the code. If these conditions are detected, the malware stops working, making it difficult to analyze and investigate. This is one of the ways DarkTortilla ensures its persistence and “hiding” in the system.

DarkTortilla copies itself to the %appdata%\\random_name\\random_name folder after infecting the system.

This is one of the tactics that malware can use to ensure a long-term stay on the system.

DarkTortilla uses the Qb63() function with the XOR algorithm to decrypt the payload.

PAYLOADS

In the next step, DarkTortilla presents the decrypted payload. It checks for network availability using the InternetGetConnectedState function and, if no network is available, terminates execution. The sample also obtains the IP address of the current computer using the api[.]ipify[.]org service.

The infostealer also includes keylogger functionality to track keystrokes using the SetWindowsHookEx() function. Its main task is to exfiltrate sensitive data such as passwords, keys and settings of user programs including browsers, email clients, VPN and FTP clients and more. Moreover, the sample regularly creates screenshots of the screen using Graphics.CopyFromScreen() at 20-minute intervals.

                                                                                                                            DATA EXFILTRATION

All collected sensitive data is transmitted using the SMTP protocol. An email is generated with “elihans@uroener.online” as the sender and “log@ld-didectic.de” as the recipient. The password used to access the account is: cooldown2013@@@. The mail server used for sending is: premium185.web-hosting.com. The email is sent as an HTML attachment with a name in the format yyyy_MM_dd_HHH_mm_ss.html.

MAIN FUNCTIONALITY

The main tasks of DarkTortilla are collecting sensitive data from user programs, keylogging, system profiling and creating screenshots of the screen. This multifaceted tool is capable of remaining invisible in the system, as well as continuously collecting and transmitting sensitive data to cybercriminals.

Based on the analysis, KZ CERT Service specialists report that DarkTortilla and its related software Agent Tesla pose a serious threat to the security of data and personal information.

 KZ CERT has sent cyber hygiene recommendations and notices to Kazakhstani users who were attacked.

We strongly recommend using complex passwords and not opening suspicious files, as well as taking general cyber security measures to protect your systems from similar cyber threats.

If you have experienced an information security incident, please report it to us on the toll-free number 1400 (24 hours a day), via telegram bot @KZ_CERT_chat_bot or email: incident@cert.gov.kz.

 

JSC "State Technical Service" informs that in September of this year, over 19 million cyber attacks were blocked using the Unified Internet Access Gateway (ESDI).

The most common types of botnet in the networks of state, local executive bodies, organizations of quasi-public and private sectors of the Republic of Kazakhstan have become Mariposa.Botnet, andromeda.Botnet and Mozi.Botnet.

Compared to the previous month, in September, GTS JSC recorded an increase in the number of cases related to the spread of malicious software (VPO) by 12%. The largest number is registered with local executive bodies.

During the analysis of spam reports received from the Unified E-Mail Gateway (ESEP) equipment, as well as during the processing of information security incidents received from Kazakhstani users, an increase in spam-related mailings with malicious attachments was recorded in government agencies, critical information and communication infrastructure facilities and local executive bodies in September 2023, emails with fraudulent content and a link to phishing/fraudulent resources by 28.6%. Spam mailings and malicious email attachments detected as a result of the analysis of the e-mail logs have been quarantined and have not been delivered to the target recipients. In order to eliminate malicious activity, alerts have been sent to the owners of Internet resources and foreign organizations in the countries where the sources of malicious activity are located.

We should add that the recorded incidents of information security such as "Phishing on the Internet" are mainly related to clones of Internet resources and authorization forms.

If you encounter an information security incident, please let us know by toll-free number 1400 (around the clock), by following the link to the telegram bot @KZ_CERT_chat_bot or by email: incident@cert.gov.kz