Global outage of Microsoft clients due to CrowdStrike update | Kaspersky official blog

Ever heard the unspoken rule: “Never release on Friday”? We have, but CrowdStrike hasn’t. They released a tiny driver on an ordinary Friday morning, which became the cause of a huge outage all over the world.

An incorrect update for CrowdStrike’s EDR (Endpoint Detection and Response) solution has affected Windows devices around the world — giving corporate users the Blue Screen of Death (BSOD). The failure has affected, for example, airport information systems in the US, Spain, Germany, the Netherlands and other countries.

Who else was affected by CrowdStrike’s Friday release and how to roll back bricked computers — all in this post…

What happened

It all started early Friday morning with corporate users around the world reporting problems with Windows. At first, a glitch in Microsoft Azure was blamed, but later CrowdStrike confirmed that the root cause was in the csagent.sys or C-00000291*.sys driver for its CrowdStrike EDR. And it was this driver that caused an abundance of silly office photos showing off the (dreaded) blue screens.

Blue screen of death on all computers = a day off for airport linemen

If we wanted to list everyone affected by this outage, such a list sure wouldn’t fit into this post – or dozens of them. So instead we’ll briefly cover the main victims of CrowdStrike’s negligence. Airline companies, airports, and people who want to either go home or go off on a long-awaited vacation were the most affected:

London’s Heathrow Airport, like many others, announced flight delays due to a technology glitch;
Scandinavian Airlines posted a notice on its website saying, “Some customers may experience difficulties with their bookings due to an IT issue affecting several countries. SAS is fully operational but delays are expected”;
In New Zealand, banking, communications and transportation systems are experiencing problems.

Various medical centers, chain stores, the New York subway, the largest bank in South Africa and many other organizations that make lives more comfortable and convenient on a daily basis were affected. The fullest list of those affected by the outage we can find is here — and it’s growing by the minute.

How to fix it

At this stage, it’s rather problematic estimating how long it’ll take to fully restore the affected computers around the world. Things are complicated by the fact that users need to manually reboot their computers in Safe Mode. And in large corporations, this is usually impossible to do on your own without the help of a system administrator.

Nevertheless, here are the instructions for how to get rid of the blue screen of death caused by the CrowdStrike driver update:

Boot your computer in Safe Mode;
Go to C:WindowsSystem32driversCrowdStrike;
Locate and delete the csagent.sys or C-00000291*.sys file;
Restart your computer in normal mode.

And while your sysadmins are doing this, you could use a hack that’s come out of India today: employees of one of the country’s airports have started filling out boarding passes… manually.

India isn’t too worried about the global disruption. Source

How the failure could have been avoided

Avoiding this situation should have been straightforward. First, the update shouldn’t have been released on a Friday. This is as per a rule that’s been known to all in the industry since the year dot: if an error occurs, there’s too little time to fix it before the weekend, so the system administrators at all companies affected need to work over the weekend to fix things.

It’s important to be as responsible as possible about the quality of updates released. We at Kaspersky launched a program back in 2009 to prevent mass failures such as this one at our customers, and passed an SOC 2 audit, which confirms the security of our internal processes. For 15 years now, every update has been subjected to multi-level performance testing on various configurations and operating system versions. This allows us to identify potential problems in advance and resolve them on the spot.

The principle of granular releases should be followed. Updates should be distributed gradually, not all at once to all customers. This approach allows us to react instantly and stop an update if necessary. If our users have a problem, we register it, and its solution becomes a priority at all levels of the company.

As with cybersecurity incidents, in addition to fixing the visible damage, you need to find the root cause to prevent these types of problems repeating in the future. It’s necessary to check software updates on test infrastructure for operability and errors before rolling them out to the company’s “combat” infrastructure, and to implement changes gradually — continually monitoring for possible failures.

Incident handling should be based on an integrated approach to building protection from a trusted supplier with the strictest internal requirements for the security, quality and availability of its services. The basis for this work can be the Kaspersky Next line of solutions. This will help your company not only stay afloat — but also increase the efficiency of your information security system. This can be done either gradually — increasing protection step by step — or all in one go. Protect your infrastructure today with us so that the next global outage doesn’t affect your customers.

And we, for our part, can help you make this decision: switch to Kaspersky and unlock two years of Kaspersky Next EDR Optimum for the price of one. Experience the pinnacle of robust, reliable cybersecurity protection!

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 356 | Kaspersky official blog

Episode 356 of the Transatlantic Cable Podcast kicks off with news around the AT&T ‘mega-breach’. From there the team discuss two stories related to AI – the first looks at how AI is being used to help doctors detect early-onset Alzheimer’s; the team then talk about how K-Pop are looking to use artificial intelligence to write songs and create artwork.

The final story discusses how legendary artist Bob Dylan has banned smart-phones in his upcoming gigs – just how that will pan out is anybody’s guess.

If you liked what you heard, please consider subscribing.

AT&T says hackers stole records of nearly all cellular customers’ calls and texts
New AI tool could be game-changer in battle against Alzheimer’s
Will K-pop’s AI experiment pay off?
Bob Dylan to bring ‘phone-free’ tour to Edinburgh

Kaspersky official blog – ​Read More

Intimate image abuse – Kaspersky new survey indicates alarming trends | Kaspersky official blog

In today’s digital age, our social and romantic interactions are increasingly online, and the normalization of both storing and sharing intimate images has reached concerning levels. Our recent global study – one of the largest polls ever conducted on this matter – reveals some alarming trends, and highlights the urgent need for both awareness and education on intimate image abuse, commonly known as “revenge porn”.

The digital age of intimacy

Nearly a quarter of the people surveyed in our poll have explicit images saved on their devices – with the highest rates among younger age groups. Specifically, 34% of 16–24-year-olds and 25–34-year-olds admitted storing such images. Additionally, 25% of respondents have shared intimate images with people they’re dating or chatting with online – with this figure rising to 39% among 25–34-year-olds.

Despite the widespread sharing of intimate images, only 21% of those who’ve shared an image requested its deletion from the recipient’s device. This statistic highlights a troubling lack of awareness about the long-term consequences of sharing intimate images.

The dark side of image sharing

The study also exposes a darker side of intimate image sharing. Shockingly, 8% of those who’ve shared nude or explicit material admitted to doing so for revenge, and 9% – to frighten others. Nearly half of all respondents reported that they’ve either experienced intimate image abuse themselves, or know someone who has. This issue is particularly pronounced among younger generations, with 69% of 16–24-year-olds and 64% of 25–34-year-olds reporting such experiences.

Aaliyah’s story is a stark reminder of this reality; her ex-partner maliciously shared her intimate images online, causing severe emotional and psychological impacts.

Victim blaming: a harmful misconception

One of the most disturbing findings of our study is the prevalence of victim blaming. Precisely half of the respondents believe that if you share an intimate image of yourself, it remains your fault if it ends up in the wrong hands. This harmful misconception contributes to the stigma and isolation victims feel, making it harder for them to seek help and support.

We need to emphasize this: if someone shares your intimate images without your consent, it’s not your fault. The blame lies solely with those who misuse and exploit these images and, by definition – your trust. Alice’s story illustrates this perfectly. After her partner’s death, she found intimate images of herself online — images that were secretly taken while she was sleeping, highlighting that the real culprit is the one who takes and shares these images without explicit permission.

No one should have to suffer the emotional and psychological harm caused by intimate image abuse, and it’s crucial that we all work to change the narrative around this issue.

Protect yourself online

To protect yourself from intimate image abuse, consider the following tips:

Think before you post: be mindful of who you share your data with, and consider the potential risks;
Use secure messengers: opt for messaging services with end-to-end encryption;
Report abuse: if you believe you’re a victim of intimate image abuse, keep evidence and report it to the police and the respective platforms;
Check permissions: regularly review the permission settings on your apps to control data sharing;
Use strong passwords: employ a reliable security solution to create and manage unique passwords for each account;
Utilize resources: take advantage of tools like to help prevent intimate images being shared online without your consent;
Find an organization in your country to provide you with further support.

The findings from our study make it clear that, while technology has made intimate image sharing easier, it has also increased the risk of abuse. Awareness and education are crucial in mitigating these risks and protecting individuals from the emotional and reputational harm associated with intimate image abuse.

For more information and resources, subscribe to our Telegram channel, and visit our blog and the revenge porn helpline in your country.

Kaspersky official blog – ​Read More

Hidden dangers of free VPN services | Kaspersky official blog

Regarding VPNs, a popular refrain these days goes something like: “Why bother paying for a VPN when there are tons of free ones out there?” But are free VPN services truly free? This post explains why thinking they are is misguided, and offers the optimal solution: one of the fastest and most secure VPN apps on the planet.

First there was: “There’s no such thing as a free lunch” — dating back to the 1930s. In this century, that old adage was updated and adapted for the digital age: “If you’re not paying for the product, you are the product”. Today this new axiom applies to many internet services — but especially to VPNs. After all, maintaining a network of servers across the globe, and handling encrypted traffic for thousands, if not millions of users comes at a significant cost. And if the user isn’t explicitly asked to pay for such services, there’s bound to be a catch somewhere. And that “somewhere” was recently vividly demonstrated by a couple of major incidents…

Freebie VPN and a botnet of 19 million IP addresses

In May 2024, the FBI, together with law enforcement partners, dismantled a botnet known as 911 S5. This malicious network spanned 19 million unique IP addresses across over 190 countries worldwide, making it possibly the largest botnet ever created.

But what does a gargantuan botnet have to do with free VPNs? Quite a lot actually, since the creators of 911 S5 used several free VPN services to build their brainchild; namely: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. Users who installed these apps had their devices transformed into proxy servers channeling someone else’s traffic.

In turn, these proxy servers were used for various illicit activities by the real clients of the botnet — cybercriminals who paid the organizers of 911 S5 for access to it. As a result, users of these free VPN services became unwitting accomplices in a whole host of crimes — cyberattacks, money laundering, mass fraud, and much more — because their devices were sucked into the botnet without their knowledge.

911 S5 botnet proxy rental prices Source

The 911 S5 botnet began its nefarious operations way back in May 2014. Disturbingly, the free VPN apps it was built upon had been circulating since 2011. In 2022, law enforcers managed to take it down for a while, but it resurfaced a mere few months later under a new alias: CloudRouter.

Finally, in May 2024, the FBI succeeded in not only dismantling the botnet infrastructure but also apprehending the masterminds, on which note the 911 S5 saga will likely end. During its operation, the botnet is estimated to have earned its creators a cool $99 million. As for the losses to victims — at least, just the confirmed ones — they amount to several billion dollars.

The FBI seized the website of PaladinVPN —one of the free VPN apps used to build the 911 S5 botnet

Infected VPN apps on Google Play

While the 911 S5 case is undoubtedly one of the largest botnet, it’s far from an isolated incident. Literally a couple of months before, in March 2024, a similar scheme was uncovered involving several dozen apps published on Google Play.

Though among them there were other apps too (such as alternative keyboards and launchers), free VPNs constituted the bulk of the infected ones. Here’s the full list:

Lite VPN
Byte Blade VPN
FastFly VPN
FastFox VPN
FastLine VPN
Quick Flow VPN
Sample VPN
Secure Thunder
ShineSecure VPN
SwiftShield VPN
TurboTrack VPN
TurboTunnel VPN
YellowFlash VPN
VPN Ultra

Oko VPN and Run VPN before being removed from Google Play Source

There were two modes of infection. Earlier versions of the apps utilized the ProxyLib library to transform devices on which the infected apps were installed into proxy servers. More recent versions employed an SDK called LumiApps, offering developers monetization by showing hidden pages on the device, but in reality doing the exact same thing — turning devices into proxy servers.

Just like in the previous case, the organizers of this malicious campaign sold access to proxy servers installed on user devices with the infected apps to other cybercriminals.

After the report was published, the infected VPN apps were, of course, removed from Google Play. However, they continue to circulate in other places; for example, they’re sometimes published in several different incarnations under different developer names in the popular alternative app store APKPure (which was infected with a Trojan a few years ago).

Oko VPN, one of the infected VPN apps booted out of Google Play, exists in multiple versions on the alternative platform

What to do if you really need a VPN

If you’re in dire need of a VPN service to protect your connection but don’t want to pay for one, consider using the free version of [placeholder ksec]. Free mode won’t allow you to select a server, plus there’s a traffic limit of 300 MB per day, but both your traffic and your device are fully secure.

The better option of course is to buy a subscription; after all a reliable VPN is a must-have app for absolutely everyone — and has been for some time. Premium access to Kaspersky VPN Secure Connection, available as a standalone purchase or as part of our Kaspersky Plus and Kaspersky Premium subscriptions, grants you access to one of the fastest VPNs in the world across all your devices, along with top-rated protection against phishing and other threats, as verified by independent researchers.

Best of all, you can enjoy a 30-day free trial of these subscriptions and experience the full functionality of our protection and VPN; that way, you can see for yourself how our VPN is one of the world’s speediest.

Kaspersky official blog – ​Read More

Zero-day vulnerability in Internet Explorer | Kaspersky official blog

As part of its latest Patch Tuesday, Microsoft has released patches for 142 vulnerabilities. Among them were four zero-day vulnerabilities. While two of them were already publicly known, the other two had been actively exploited by malicious actors.

Interestingly, one of these zero-days, which supposedly had been used to steal passwords for the past 18 months, was found in Internet Explorer. Yes — that same browser that Microsoft stopped developing back in 2015 and promised to definitively, absolutely, for-sure bury in February 2023. Unfortunately, the patient proved to be stubborn — resisting its own funeral.

Why Internet Explorer isn’t nearly as dead as we would all like

Last year, I wrote about what the latest attempt to kill off Internet Explorer actually entailed. I’ll just give a brief version here; you can find the full story at the link. With the “farewell” update, Microsoft didn’t remove the browser from the system but merely disabled it (and even then, not in all versions of Windows).

In practice, this means that Internet Explorer is still lurking within the system; users just can’t launch it as a standalone browser. Therefore, any new vulnerabilities found in this supposedly defunct browser can still pose a threat to Windows users — even those who haven’t touched Internet Explorer in years.

CVE-2024-38112: vulnerability in Windows MSHTML

Now let’s talk about the discovered vulnerability CVE-2024-38112. This is a flaw in the MSHTML browser engine, which powers Internet Explorer. The vulnerability has a rating of 7.5 out of 10 on the CVSS 3 scale, and a “high” severity level.

To exploit the vulnerability, attackers need to create a malicious file in an innocent-looking internet shortcut format (.url, Windows Internet Shortcut File), containing a link with the mhtml prefix. When a user opens this file, Internet Explorer — whose security mechanisms aren’t very good — is launched instead of the default browser.

How attackers exploited CVE-2024-38112

To better understand how this vulnerability works, let’s look at the attack in which it was discovered. It all starts with the user being sent an .url file with the icon used for PDFs and the double extension .pdf.url.

Inside the malicious .url file, you can see a link with the “vulnerable” mhtml prefix. The last two lines are responsible for changing the icon to the one used for PDFs. Source

Thus, to the user, this file looks like a shortcut to a PDF — something seemingly harmless. If the user clicks on the file, the CVE-2024-38112 vulnerability is exploited. Due to the mhtml prefix in the .url file, it opens in Internet Explorer rather than the system’s default browser.

Attempting to open the malicious file launches Internet Explorer. Source

The problem is that in the corresponding dialog box, Internet Explorer shows the name of the same .url file pretending to be a PDF shortcut. So it’s logical to assume that after clicking “Open”, a PDF will be displayed. However, in reality, the shortcut opens a link that downloads and launches an HTA file.

This is an HTML application, a program in one of the scripting languages invented by Microsoft. Unlike ordinary HTML web pages, such scripts run as full-fledged applications and can do a lot of things — for example, edit files or the Windows registry. In short, they’re very dangerous.

When this file is launched, Internet Explorer displays a not-so-informative warning in a format familiar to Windows users, which many will simply dismiss.

Instead of opening a PDF file, a malicious HTA (HTML Application) is launched, accompanied by an uninformative Internet Explorer warning. Source

When the user clicks “Allow”, infostealer malware is launched on the user’s computer, collecting passwords, cookies, browsing history, crypto wallet keys, and other valuable information stored in the browser, and sending them to the attackers’ server.

How to protect against CVE-2024-38112

Microsoft has already patched this vulnerability. Installing the update ensures that the trick with mhtml in .url files will no longer work, and such files will henceforth open in the more secure Edge browser.

Nevertheless, this incident once again reminds us that the “deceased” browser will continue to haunt Windows users for the foreseeable future. In that regard, it’s advisable to promptly install all updates related to Internet Explorer and the MSHTML engine. As well as to use reliable security solutions on all Windows devices.

Kaspersky official blog – ​Read More

Kaspersky Premium takes top spot in anti-phishing tests | Kaspersky official blog

We write a lot about phishing, and always recommend our products as the best line of defense. And for good reason — Kaspersky Premium for Windows outperformed 14 other solutions in AV-Comparatives’ 2024 Anti-Phishing Test — beating global vendors like Bitdefender, McAfee, Avast, and others.

The AV-Comparatives Approved Anti-Phishing certificate — a mark of quality in protecting users from phishing

Because Kaspersky products utilize a unified stack of security technologies, which was rigorously tested by researchers, this award equally applies to our other products and solutions — both for home users (Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium) and for business (such as Kaspersky Endpoint Security for Business and Kaspersky Small Office Security).

About the test

The independent Austrian organization AV-Comparatives has a 25-year track of record of evaluating the effectiveness of cybersecurity products and solutions. This latest test assessed how well popular cybersecurity solutions protect users from phishing threats while browsing the web and using email.

The test ran from May 17 to 28, 2024, using a selection of 275 fresh and active phishing links. The phishing URLs included sites designed to steal data from bank cards, PayPal and online banking accounts, Dropbox and eBay, social media and email accounts, online games, and other online services. To test for false positives, 250 links to legitimate online banking services worldwide were also included.

To achieve certification, security solutions had to block at least 85% of phishing addresses and avoid any false positives on legitimate websites. Kaspersky Premium for Windows blocked the highest number of phishing links among all the test’s participants — 93% — without a single false positive, securing first place. Only seven of the 15 tested solutions from other vendors met the certification criteria — albeit with lower scores: McAfee (92%), Avast (91%), Trend Micro (89%), Fortinet (89%), Bitdefender (89%), ESET (87%), and NordVPN (85%).

Comparison of AV-Comparatives’ anti-phishing test results for eight certified protection solutions

AV-Comparatives has been conducting its anti-phishing test — whose list of threats and legitimate websites is updated annually — since 2011, and our products have excelled consistently year after year. The test is performed on computers with identical hardware configurations, operating systems, and browsers, simultaneously for all security solutions put to the test. All other phishing protection mechanisms in the operating system or browser are disabled. Each tested product is configured to default settings and has unlimited internet access and the ability to update throughout the test. A visit to a phishing site is only considered as detected if the security solution warns the user that the site is unsafe.

A legacy of success

In 2023 alone, our products participated in 100 independent studies and emerged victorious 93 times. Since 2013, our products have undergone rigorous testing by independent researchers 927 times, achieving 680 first-place finishes, and placing in the top-three 779 times. This is an absolute record among all security solution vendors — both in terms of tests conducted and victories secured.

Here’s a rundown of some of our most notable recent wins:

Kaspersky Standard for Windows was recognized by AV-Comparatives as Product of the Year in 2023 based on the results of seven tests conducted over 13 months — surpassing Bitdefender, Avast, McAfee, and 12 other security solutions. Concurrently, AV-Test awarded our home user protection its annual Best Advanced Protection 2023 award based on six tests. We dedicated a separate blog post to this achievement.

Kaspersky Plus for Windows achieved a perfect score in the Total Accuracy Rating category in all of SE Labs’ Endpoint Security: Home tests conducted in 2023 and 2024 — earning the AAA rating.

Kaspersky Plus for Mac was recognized as the best security solution for macOS users by AV-Test in 2023, achieving top scores and quality certifications in all four tests conducted that year. In March 2024, the product received further acclaim from AV-Test — again earning a perfect score.
Kaspersky Plus for Android received a five-star rating in all six of Testing Ground Labs’ tests conducted in 2023, and two tests in 2024. Consistency is a sign of success!
Kaspersky Safe Kids stood out as the only product among five participants in the test of parental control and child protection solutions to receive the Approved Parental Control certification from AV-Comparatives in 2024. This recognition comes as a result of the product blocking over 98% of websites distributing pornographic content — all without any false positives.

You can check out our other awards in the TOP-3 section on our website.

Kaspersky official blog – ​Read More

SIEM benefits for medium-sized business | Kaspersky official blog

A medium-sized company is an attractive target for cybercriminals. It operates on a scale that’s large enough for the company to pay a substantial ransom if its data is taken hostage. Meanwhile, its approach to information security is often an inheritance from the time when it was much smaller. Hackers can come up with a tactic to bypass the company’s basic protection and compromise the network with little to no resistance. The damage done by such incidents averages around $100,000. The regulatory side of things also cannot be ignored: cybersecurity rules and regulations have been proliferating around the world, and so have the fines for non-compliance.

Businesses are often cognizant of these threats and willing to allocate more resources to their infosec teams. How do you take your corporate security to the next level without excessive outlay? Here’s a little spoiler: deploying a SIEM (Security Information and Event Management) system is key.

Layered protection

A company’s long-term goal should be to build layered defenses in which different tools and controls complement one another to significantly complicate attacks on the company and limit the attackers’ options. A company with 500 to 3000 employees is almost certain to have the basic tools and the initial protective layer: access control through authentication and authorization, endpoint protection (popularly known as “antivirus”), server protection including email servers, and a firewall.

The next thing to do is supplement, rather than replace, this arsenal with more advanced cybersecurity tools, such as:

A system for comprehensive monitoring and correlation of security events from a variety of data sources (computers, servers, and applications) in real time across the entire infrastructure
Tools for obtaining enhanced information about possible incidents or just suspicious activity and anomalies
Incident response tools: from investigations in accordance with regulatory requirements, to isolation of compromised hosts and accounts, vulnerability elimination, and so on
Advanced identity management tools: from centralized user management and role-based access control, to a single authentication portal with MFA
Tools for improving visibility and manageability of IT assets, attack surface management, and patch management

Having all of these at the same time is out of the question, so implementing these measures will need to be prioritized and broken down into phases. That said, comprehensive monitoring forms the basis for many other information security tools, and therefore, SIEM implementation should be close to the top of the list.

This equips defenders with brand new capabilities: detecting attackers’ malware-free activities, spotting both suspicious objects and suspicious behavior, and visualizing and prioritizing infrastructure events. Proper use of SIEM can relieve the workload on the infosec team, as it spares them the need to spend time handling isolated events, logs, and other artifacts manually.

What a SIEM system is and why a medium-sized company needs one

SIEM solutions have been used for comprehensive IT monitoring in corporate infrastructures for two decades now. These solutions are composed of a number of components that collect, store, organize, and analyze telemetry, and allow responding to incoming events. Thanks to SIEM, an infosec employee can receive most alerts in a single console, easily link different aspects of an event (such as file creation, network activity, and account login) into a single entity without having to dig through five different data sources, and respond promptly to these events. The high degree of automation saves the infosec team a great deal of time. What you used to do manually just by walking over to a coworker’s computer becomes too much effort as the company grows in size.

Key SIEM components for medium-sized businesses

The architecture may differ between SIEM systems, but the key elements are always the same:

Event sources: these aren’t part of the SIEM, but they serve as providers of information. Anything that generates logs as it runs – whether it’s an operating system, EDR agent, business application, or network device – can be a source.

Collector: this is typically a separate service that receives logs from telemetry sources for processing in the SIEM.

Log normalizer and storage: these are elements of the SIEM platform core. The normalizer transforms and adapts the logs it receives from a collector to make them suitable for use, search, and analysis. Centralized data storage significantly simplifies detection and investigation of incidents, as well as the provision of incident information to regulators.

Event correlation is the heart of SIEM systems. This is the key step where disjointed events contained in different logs are correlated, merged if found to be associated with the same activity or different stages of a single activity, and prioritized. Prioritization is driven by threat intelligence available to the defenders. This is what can serve as the basis for writing a rule that won’t ping the infosec team every time a PowerShell script runs, but will raise an alert if a script runs with command-line options characteristic of a targeted attack.

Dashboards and alerts are a purely visual but important part of the system that helps make sense of heaps of data, easily find what you’re looking for, quickly drill down into an incident, and learn about issues or suspicious events in time.

A steep price used to be a real barrier to SIEM adoption by medium-sized businesses, as the products were aimed at larger companies exclusively. This has now changed with the advent of new solutions that no longer target just the enterprise segment of the market, such as our Kaspersky Unified Monitoring and Analysis platform.

Kaspersky official blog – ​Read More

How to set up Apple Shortcuts in VPN & Antivirus by Kaspersky for iOS | Kaspersky official blog

The Kaspersky for iOS app now supports Apple Shortcuts and Siri. In this post, we discuss the new possibilities this gives our users, and how to configure Shortcuts to work with the Kaspersky app.

How to give voice commands to Kaspersky

You can now turn the VPN on and off in the Kaspersky for iOS app using voice commands. Setting this up is very quick and easy: just activate Siri and say, “Siri, turn on Kaspersky VPN”. The system will then ask if you really want to enable commands — tap the blue Turn On button.

If you’ve just installed Kaspersky on your iPhone or iPad and have never turned the VPN on before, you’ll need to open the app and activate the VPN manually to accept all the necessary user agreements. After that, everything will work smoothly.

To activate voice commands for Kaspersky VPN, launch Siri and say, “Siri, turn on Kaspersky VPN”

Now all you have to do is say, “Siri, turn on Kaspersky VPN” to establish a VPN connection or “Siri, turn off Kaspersky VPN” to disconnect — it’s as easy as pie.

To turn on Kaspersky VPN, say, “Siri, turn on Kaspersky VPN”. To turn it off, say, “Siri, turn off Kaspersky VPN”

How to turn VPN on and off using Shortcuts

But that’s just the beginning. You can also use Apple Shortcuts to place “Turn on VPN” and “Turn off VPN” shortcuts on your iPhone’s Home Screen. To do this, find and open the Shortcuts app; the easiest way to do this is through search — especially if you rarely use this app.

To set up Kaspersky VPN Home Screen shortcuts, open the Shortcuts app and select Kaspersky

Next, find the Kaspersky app in Shortcuts and tap it. If it’s difficult to find due to an over-abundance of icons, you can use the search function. To do this, tap All Shortcuts and type “Turn” in the search field. In both cases, the necessary shortcuts will now appear on the screen.

To find Kaspersky VPN shortcuts in Shortcuts, you can use the search function

Simply tapping the shortcut will immediately activate it — turning the VPN on or off. To add a shortcut to the Home Screen, tap and hold the shortcut. A pop-up menu will appear — select Add to Home Screen.

On the next screen, you can choose the icon and color of the shortcut. By default, iOS suggests blue, but we recommend choosing green for “Turn on VPN”, and red for “Turn off VPN”. This way, you’ll instantly know which shortcut does what, making them convenient to use.

How to add “Turn on VPN” and “Turn off VPN” shortcuts to the Home Screen

All done! Now you have handy shortcuts on your Home Screen that let you quickly turn the VPN on or off in the Kaspersky for iOS app with just a single tap.

Now you can turn Kaspersky VPN on and off with one tap

How to trigger Kaspersky VPN activation when launching apps

And that’s still not all! You can also use Shortcuts to automatically trigger VPN activation in Kaspersky for iOS. For example, you can automatically establish a VPN connection when launching a particular app.

To do this, open the Shortcuts app, go to the Automation tab, and tap the large blue New Automation button (or the + in the upper right corner of the screen if you’ve created automation scripts before). On the page that opens, scroll down to the App option and tap it.

You can use Shortcuts to automate Kaspersky VPN activation — for example, when launching a particular app

Next, tap Choose to select an app, check the box at the bottom of the screen next to Run Immediately so the system doesn’t ask unnecessary questions, and tap Next.

Select the desired app and check the box next to “Run Immediately”

On the next screen, use the search to find the familiar Turn on VPN shortcut and select it. Done! Now a VPN connection will be established automatically when you launch the app you’ve selected.

Tap “Next” and find the “Turn on VPN” shortcut

By the way, you can also configure the VPN connection to automatically disconnect when you close this app. To do this, repeat all the steps described above, but change the condition to Is Closed, and select the Turn off VPN shortcut.

You can also automatically disconnect the VPN when closing an app: create a new automation script, change the condition to “Is Closed”, and select the “Turn off VPN” shortcut

How to trigger Kaspersky VPN activation when connecting to Wi-Fi networks

Another possibility is to activate the VPN automatically when connecting to any Wi-Fi network — or a specific network that you don’t fully trust but have to use frequently. To do this, create a new automation script, scroll down to Wi-Fi, and select it.

To turn the VPN on automatically when connecting to Wi-Fi, create a new automation script and select “Wi-Fi” from the list

In the window that opens, click Choose to select a network — either a specific one or Any Network. As before, check the box next to Run Immediately so you don’t have to confirm this action each time.

Select the desired network or “Any Network”, and check the box next to “Run Immediately”

Next, click Next and select the Turn on VPN shortcut. You can also create an additional script to close the VPN connection automatically when disconnecting from Wi-Fi.

The features described in this post are available to users with Kaspersky Plus and Kaspersky Premium subscriptions.

Other useful features of Kaspersky for iOS

Of course, the VPN is by no means the only thing in our super app Kaspersky for iOS. It also includes anti-phishing, an ad and tracker blocker, a password manager, automatic personal data-leak checking, home network protection from strangers, and much more.

To enhance the security of your device, simply tap “Security Scan”

By the way, the updated Kaspersky for iOS app features a convenient Security Scan button at the top of the main screen, allowing you to run a security check and improve your device’s protection with a single tap.

Kaspersky official blog – ​Read More

Pseudo-exploit for CVE-2024-6387 aka regreSSHion | Kaspersky official blog

An archive containing malicious code is being distributed on the social network X (formerly known as Twitter), under the guise of an exploit for the recently discovered CVE-2024-6387 aka regreSSHion. According to our experts, this may be an attempt to attack cybersecurity specialists. In this post we explain what actually is in the archive and how attackers are trying to lure researchers into a trap.

The legend behind the archive

Presumably, there is a server that has a working exploit for the CVE-2024-6387 vulnerability in OpenSSH. Moreover, this server actively uses this exploit to attack a list of IP addresses. The archive, offered to anyone wishing to investigate this attack, allegedly contains a working exploit, a list of IP addresses and some kind of payload.

Real contents of the malicious archive

In fact, the archive contains some source code, a set of malicious binaries and scripts. The source code looks like a slightly edited version of a non-functional proof-of-concept for this vulnerability, which was already distributed in the public domain.

One of the scripts, written in Python, simulates the exploitation of a vulnerability on servers located at IP addresses from the list. In reality, it launches a malicious file called exploit — a malware that serves to achieve persistence in the system and to retrieve additional payload from a remote server. The malicious code is saved in a file located at the /etc/cron.hourly directory. In order to achieve persistence, it modifies the ls file and writes a copy of itself into it, repeating the execution of malicious code every time it is launched.

How to Stay Safe

Apparently, the authors of the attack are counting on the fact that, when working with obviously malicious code, researchers tend to disable security solutions and focus on analyzing the exchange of data between the malware and a server vulnerable to CVE-2024-6387. Meanwhile, completely different malicious code will be used to compromise the researchers’ computers.

Therefore, we remind all information security experts and other persons who like to analyze suspicious code not to work with malware outside of a specially prepared isolated environment, from which external infrastructure is inaccessible.

Kaspersky products detect elements of this attack with the following verdicts:


As for the regreSSHion vulnerability, as we wrote earlier, its practical exploitation is far from being simple.

Kaspersky official blog – ​Read More

Why you need to remove the script from your website

If your website uses the script from, we recommend removing it ASAP: the service is sending malicious code to your visitors. This article explains what is for, why it’s become dangerous to use, and what you should do about it if you do use it.

What polyfills and are

A polyfill is a piece of code that implements features otherwise unsupported by certain browser versions. This is typically JavaScript code that adds support for HTML5, CSS3, JavaScript API and other standards and technologies that spare web developers the headache of supporting exotic or outdated browsers. Polyfills saw their heyday in the 2010s as HTML5 and CSS3 gradually took over the Web. is a service that helps automatically deliver polyfills that a browser requires for displaying a particular website.

The service gained popularity both for its efficiency (only the polyfills you need are loaded) and for its regular updates to the technologies and standards used. Straightforward implementation was a factor as well: all the developer needed to start using was to add a short string to the website code in order to enable the service’s script. was originally created by the Financial Times web development team. In February 2024, the service, along with the associated domain and GitHub account, was sold to the Chinese CDN provider Funnull. It wasn’t six months before trouble began.

Malicious code from

On June 25, 2024, researchers at Sansec discovered that had begun to deliver malicious code to users of websites that used The code used a typosquatted domain pretending to be Google Analytics — [code][/code] — to redirect users to a Vietnamese sports betting site.

The malicious code redirected the users of compromised sites to a sports betting site written in Vietnamese

According to the researchers, this wasn’t the first time that had been caught spreading malicious code. Those who had noticed the dangerous behavior earlier tried complaining (archived link) in GitHub comments, but the new owners of quickly removed all the criticisms (here’s another example from the Internet Archive).

The potentially harmful script is allegedly present on more than 100,000 websites — some of them rather big ones.

Google Ads: one more reason to remove

In case visitors getting a malicious script doesn’t sound too worrying, Google Ads is giving website operators a further valid reason to hurry up and get the problem fixed.

Google’s advertising service has suspended the display of ads linking to websites that spread malicious scripts from several services. Besides, the list includes, and

A Google Ads suspension warning due to the website using a malicious script downloaded from,, or Source

You’d be wise to stop using the aforementioned services on your website, or else you risk losing traffic due to users being led away by the malicious scripts and because of Google Ads no longer promoting you.

Protecting against the attack

Here are a few steps to take about the attack:

Remove the script from your website as soon as you can — along with ones from, and
Consider dropping polyfills altogether. The developer, which recommends doing just that, says that polyfills are no longer relevant.

The developer recommends removing and dropping polyfills altogether as these are no longer relevant. Source

If you can’t follow that advice for some reason, use the alternatives by Cloudflare or Fastly.
All in all, try cutting down on the number of external scripts your website uses. Each of those is a potential vulnerability.

Kaspersky official blog – ​Read More