Kaspersky Compromise Assessment specialists analyze trends from the service's 2025 projects and provide tips on how to enhance your organization's security.
securelist.com
52% of high-severity compromises went undetected for over 90 days, and one incident had persisted for four years.
Key findings:
- Dwell time drives severity. Incidents detected within 30 days show balanced severity distribution. By 60-90 days, 71% are high-severity. Beyond 90 days, 52% are still high-severity. The four-year case involved NSABuffMiner crypto-mining on domain controllers via EternalBlue (MS17-010), with malicious files hidden in C:\Windows\Fonts\Mysql and persistence via services named MicrosoftMysql and MicrosoftFonts, plus scheduled tasks At1 and At2.
- Post-IR checkups produced the highest proportion of high-severity findings (40.7%), exposing what contained IR misses. One case found a cron job re-downloading a PHP web shell from GitHub, a live bash reverse shell running as the apache user, a ClipBanker variant persisting under HKU\...\Run\9Er6IIp, and a WMI event consumer aliasing Invoke-Expression as "Kaspersky."
- 40% of discovered web shells lived in backups. Asset inventory gaps (25% of engagements) meant cloud Linux servers outside AD never got scanned, and backup restores reintroduced the threat repeatedly.
- Without 24/7 monitoring or threat hunting, 84-86% of incidents were medium or high severity.