{"id":25899,"date":"2026-06-29T19:14:40","date_gmt":"2026-06-29T15:14:40","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/gert-three-cases-report\/25899\/"},"modified":"2026-06-29T19:14:40","modified_gmt":"2026-06-29T15:14:40","slug":"gert-three-cases-report","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/gert-three-cases-report\/25899\/","title":{"rendered":"Three real-world profiles of modern corporate cyberattacks"},"content":{"rendered":"<p>Over the past year, the Kaspersky Global Emergency Response Team and MDR service have investigated a wide range of security incidents across diverse industry verticals. The adversary tactics, techniques, and tooling uncovered during these engagements form the foundation of our <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/resources\/reports\/mdr-ir-analyst-reports\" target=\"_blank\" rel=\"noopener nofollow\">Anatomy of a Cyber World Global Report 2026<\/a>. From those findings, we\u2019ve selected three real-world case studies to demonstrate how modern threat actors operate, and, more importantly, how they\u2019ve been able to pull off these attacks.<\/p>\n<h2>Case Study #1. A single compromised account leads to data being taken hostage enterprise-wide<\/h2>\n<p><strong>What happened? <\/strong><\/p>\n<p>In an incident targeting a Latin American company, attackers gained access to an SMTP server by compromising a local administrator account. There was no advanced exploit involved\u00a0\u2014 just a simple credential theft. From there, they executed a textbook privilege escalation.<\/p>\n<ol>\n<li>Using the Mimikatz utility, the attackers dumped password hashes from memory. 
They then leveraged the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/pass-the-hash-attack\/\" target=\"_blank\" rel=\"noopener\">pass-the-hash<\/a> technique with the help of the <em>Invoke-TheHash<\/em> utility to acquire user privileges.<\/li>\n<li>Next, they deployed an additional tool to elevate privileges by exploiting a vulnerable driver, which allowed them to distribute ransomware to endpoints across the corporate network.<\/li>\n<\/ol>\n<p><strong>How did this happen?<\/strong><\/p>\n<p>Most organizations still defend their networks by trying to detect explicitly malicious behavior rather than monitoring legitimate actions performed under authorized credentials. The threat actor playbook is clearly visible in the data from our aforementioned Anatomy of a Cyber World Global Report. The adversary starts by compromising a user account. The conversion metrics of attacker techniques into actual breaches break down as follows:<\/p>\n<ul>\n<li><strong>Password guessing<\/strong>\u00a0\u2014 34.8%<\/li>\n<li><strong>Valid account abuse<\/strong>\u00a0\u2014 34.5%<\/li>\n<\/ul>\n<p>Once a single account is hijacked, the attacker establishes a persistent foothold in the compromised infrastructure:<\/p>\n<ul>\n<li><strong>Local account creation<\/strong>\u00a0\u2014 34.7%<\/li>\n<li><strong>Account manipulation<\/strong>\u00a0\u2014 32.0%<\/li>\n<\/ul>\n<p>Next, the attackers begin scanning network services.<\/p>\n<ul>\n<li><strong>Network service discovery<\/strong>\u00a0\u2014 31.2%<\/li>\n<\/ul>\n<p>If you lack visibility into this traffic\u00a0\u2014 or fail to consider it a security incident\u00a0\u2014 you\u2019ve already lost the battle before the active phase of the attack even begins.<\/p>\n<h2>Case Study #2. When the monitoring server becomes a Trojan horse<\/h2>\n<p><strong>What happened?<\/strong><\/p>\n<p>The organization fell victim to a Black Nivas ransomware attack. 
Much like the previous case study, the adversary\u2019s initial entry point into the corporate network was through compromised credentials. While scanning the internal network, the attackers discovered a PRTG (Paessler Router Traffic Grapher) server\u00a0\u2014 an infrastructure monitoring tool. By leveraging that server, the adversary pivoted into the broader network, located the organization\u2019s ESXi servers, and encrypted the virtual environment in its entirety.<\/p>\n<p><strong>How did this happen?<\/strong><\/p>\n<p>Two classic mistakes were made:<\/p>\n<ol>\n<li>The monitoring server was configured with too many privileges, granting it access to all corporate assets across both physical and virtual environments.<\/li>\n<li>A user account was compromised.<\/li>\n<\/ol>\n<h2>Case Study #3. When a patch exists but has yet to be deployed<\/h2>\n<p><strong>What happened?<\/strong><\/p>\n<p>In this scenario, the adversary deployed a wiper rather than standard ransomware, rendering the targeted data permanently unrecoverable.<\/p>\n<p>The attackers gained initial access by exploiting a known SAP NetWeaver server vulnerability to drop a web shell on perimeter servers. They then executed a password spraying attack to compromise higher-privileged user accounts.<\/p>\n<p>Once inside the infrastructure, the adversary leveraged Active Directory and Group Policy Objects to deploy the malware with wiper functionality across the corporate network. The malicious payload itself was sideloaded by exploiting vulnerabilities in Microsoft Defender and an e-reader application. The wiper used cryptographically secure RSA to fully encrypt small files. For medium-sized files, it used RSA for the headers and AES for the rest. Large files were truncated to 5MB, with the rest of the data replaced with zeroes. 
Because of this specific algorithm, complete recovery of the damaged files was mathematically impossible.<\/p>\n<p><strong>How did this happen?<\/strong><\/p>\n<p>The patch for the SAP NetWeaver vulnerability had been released several years prior to the attack. The organization simply failed to prioritize its deployment.<\/p>\n<p>Unfortunately, this isn\u2019t an isolated incident. As Konstantin Sapronov, the lead of the Global Emergency Response Team, points out: \u201cThe most frequently targeted public-facing applications so far in 2026 have been Microsoft Exchange, SharePoint, and Active Directory. Although patches for vulnerabilities in those products have long been available, organizations have consistently failed to install them in a timely manner.\u201d<\/p>\n<h2>How to keep your organization out of the headlines<\/h2>\n<p>None of the incidents described above required the adversary to possess groundbreaking technical ingenuity. They relied on recycled techniques and known vulnerabilities. To defend against cyberattacks like the ones described here, we recommend building a strategy that pairs comprehensive, specialized software with managed cybersecurity services.<\/p>\n<ul>\n<li><strong>Round-the-clock monitoring. <\/strong>If your organization lacks the resources to maintain a round-the-clock SOC\u00a0\u2014 or if you want to elevate the capabilities of your existing security operations team\u00a0\u2014 onboard a third-party MDR vendor. 
<a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Managed Detection and Response<\/a> delivers direct access to deep expertise and global threat intelligence, providing 24\/7 monitoring and early-stage threat detection before an attack can escalate.<\/li>\n<li><strong>Rapid incident response.<\/strong> Whether you suspect a breach has already occurred or simply want to ensure your team is prepared for that scenario, <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/incident-response?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Incident Response (IR)<\/a> is ready to assist. Deploying MDR alongside IR grants your organization 24\/7 monitoring and detection, round-the-clock access to IR experts, continuous threat hunting, triage of security events, rapid threat containment, attack chain reconstruction across the entire infrastructure, reverse engineering and advanced DFIR analysis, coordination and recommendations on business recovery, and finally, a custom incident report with guidance.<\/li>\n<li><strong>Patching beyond the checklist.<\/strong> The above-mentioned SAP NetWeaver vulnerability had been patched years before the actual breach occurred. If you lack visibility into which specific CVEs are critical for your infrastructure, implement routine vulnerability scanning and patch prioritization. 
Leverage MDR to monitor for exploitation attempts against known CVEs, and conduct a <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/compromise-assessment?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Compromise Assessment<\/a> to ensure hackers haven\u2019t already capitalized on legacy vulnerabilities you might have missed.<\/li>\n<li><strong>Security audits and hardening. <\/strong>The PRTG server from Case Study #2 was granted excessive privileges\u00a0\u2014 a classic symptom of poorly defined access management and monitoring processes. Addressing these systemic issues is exactly what <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/soc-consulting?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team_______630b06989fa8680f\" target=\"_blank\" rel=\"noopener\">Kaspersky SOC Consulting<\/a> is built for. Backed by real-world experience and proven frameworks and methodologies, our experts help you design your security operations. We assist in architecting your SOC, developing detection use cases to flag anomalies, drafting runbooks for your team, and defining KPIs to measure your SOC\u2019s effectiveness.<\/li>\n<\/ul>\n<p>Additionally, we recommend tracking the tactics, techniques, and tooling actively deployed by threat actors. We aim to explain these complexities in plain language through our blog posts, podcasts, interviews, and industry conference presentations. Specifically, the full <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/resources\/reports\/mdr-ir-analyst-reports\" target=\"_blank\" rel=\"noopener nofollow\">Anatomy of a Cyber World Global Report 2026<\/a> outlines which threat groups are actively targeting organizations, the methods they deploy, how to detect these threats before they escalate into high-impact incidents, and where to invest to build bullet-proof cyber-resilience. 
Furthermore, this year\u2019s report marks the first time we\u2019ve integrated data directly from our SOC Consulting and Compromise Assessment services. It covers cyberthreat trends, high-severity incident breakdowns, and industry- and region-specific attack vectors, while delivering insights into where corporate blind spots are and why misconfigurations often fly under the radar. We also recommend watching the recording of our webinar, <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/resources\/reports\/mdr-ir-analyst-reports%23:~:text=Learn%20more-,Webinar,-Know%20where%20to\" target=\"_blank\" rel=\"noopener\">Anatomy of a Cyber World<\/a>, in which our experts dissect the evolving threat landscape and explain why human-operated attacks continue to pose one of the greatest risks to businesses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>These attacks didn&#8217;t start with sophisticated exploits. 
Instead, they relied on stolen passwords, too-lenient access rights, and a failure to apply long-released vulnerability patches.<\/p>\n","protected":false},"author":2799,"featured_media":25900,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[111,2295,2291,1882],"class_list":{"0":"post-25899","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-attacks","10":"tag-mdr","11":"tag-reports","12":"tag-services"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/gert-three-cases-report\/25899\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/gert-three-cases-report\/30861\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/gert-three-cases-report\/30701\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/gert-three-cases-report\/42130\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/gert-three-cases-report\/56030\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/gert-three-cases-report\/30809\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/gert-three-cases-report\/36369\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/gert-three-cases-report\/36259\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/mdr\/","name":"MDR"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2799"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kas
persky.com\/blog\/wp-json\/wp\/v2\/comments?post=25899"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25899\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/25900"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=25899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=25899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=25899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}