Why the AI-powered search tool Recall in Windows 11 is dangerous, and how to disable it | Kaspersky official blog

/in

In May 2024, Microsoft introduced a new feature for Windows 11 called Recall, which “remembers” everything you’ve done on your computer over the last few months. Let’s say you want to Recall something you did on your computer recently. You enter into the search bar something like “photo of red car sent to me”, or “Korean restaurant I was recommended” — and receive answers in the form of links to apps, websites, or documents, paired with a thumbnail image of the screen captured the moment you were looking at the requested item!

Recall remembers everything you did on your computer in the last few months. Perhaps even things you’d rather forget. Source

What Recall does is take a screenshot every few seconds, which it saves in a folder on your computer. Then it analyzes all the images using AI in the background, extracts all the information from them, and places it into a database to be used for an AI-powered smart search.

Although all operations take place locally on the user’s machine, Recall sparked alarm among cybersecurity pros as soon as it was unveiled due to the many potential risks. The initial implementation of Recall was pretty much unencrypted, and available to any user of the computer. Under pressure from the infosec community, Microsoft announced improvements to the feature even before the public release, which was postponed from June 18 until around the end of the fall 2024. Yet, even with the promised tweaks, Recall remains controversial.

The dangers of Recall

All key data can be stolen in one fell swoop. The primary risk of Recall is that all sensitive data — from medical diagnoses and password-protected conversations to bank statements and private photos — ends up stored in one place on the computer. If a threat actor gains access to your computer or infects the machine with malware, all they need do is copy the contents of a single folder, and all your secrets are spilled. While tons of screenshots are a little trickier to steal due to their large size, the text part with recognized information could be snatched in a matter of seconds.

Worse still, if an attacker manages to stealthily download the screenshots, they’d be able to reconstruct everything you’ve done on your computer over the last few months — almost second by second. Recall can save up to three months of history unless it runs out of space (by default — 10% of drive capacity, but no more than 150GB).

While in the past infostealers would primarily target login credentials, crypto wallet data, and browser cookies, this list will soon be headed by Recall databases. Concerned infosec experts have wasted no time in creating a demo utility to show just how easy it is to extract data — even remotely.

Questionable data encryption. In the initial version of Recall, screenshots and databases with recognized texts were stored in open form. This prompted cybersecurity experts to demonstrate how to bypass OS restrictions and gain access to Recall databases and screenshots of any user on the computer. To address this issue, Microsoft promises additional encryption of the databases themselves with on-the-fly decryption. However, no one has seen the implementation of this feature yet, and there’s a good chance that decryption on a local computer will pose no difficulty. As with BitLocker full-disk encryption, this encryption can protect against evil-maid attacks, but it does nothing to help those who might leave their computer unlocked or put it to sleep, or who get infected with an infostealer.

Poorly policed confidential data. Microsoft states that the Recall database will store passwords, financial data, and other sensitive data that gets displayed on-screen. Unless the user has “paused” Recall, only private windows (in Edge, Chrome, Opera or Firefox) and DRM-protected data (for example, Netflix movies) are excluded from the database. Backup recovery codes for online accounts? Disappearing chat messages? An email you thought it best to delete? All this will remain in the Recall database, and you won’t be able to surgically remove individual data fragments — you’d have to clear all information over a long period. Otherwise, anyone who sits down at your unlocked computer would be able to spy on your confidential data — the kind that banks, clinics, and online services hide behind passwords and two-factor authentication. To mitigate this issue, Microsoft has issued assurances that access to the Recall application on a local computer will require additional user authentication.

Backup access recovery codes will also end up in the Recall database, wrecking the entire multi-factor authentication security model

Risks at work and at home. Detailed, easily searchable information about computer activity dating back months could cause problems for those who’ve an overly demanding boss, nosey housemate, or jealous other half. The temptation will be there to use Recall to track work performance, marital fidelity, and much more.

Default mode. Initially, Recall was supposed to be enabled by default, but under public pressure Microsoft said this would not be the case. Now, when installing Windows yourself you’re prompted to enable Recall, which is now disabled by default. However, those whose computer came with Windows 11 already configured (for example, at work) would have to check the presence and operating mode of Recall themselves.

Where to look for Recall

Currently, Microsoft claims that Recall will only be available on Copilot+ computers equipped with both a special Neural Processing Unit (NPU) and Windows 11. In practice, experts have successfully run Recall on other computers. Machines with ARM processors are best suited for this, but the feature can also be activated (albeit with some difficulties) on computers with x86 architecture — and even on virtual machines in Azure. What’s clear is that Recall requires no unique hardware to work, which means that in due course the feature will become available for all Windows computers with enough power. Given Microsoft’s practice in recent years of “offering” features by automatically activating them on users’ computers, you might get an unwanted AI assistant without even realizing it.

How to check for Recall

Recall can’t be installed on Windows 10 machines or earlier. On Windows 11, you can check for the feature by typing Recall in the Start menu search bar. If an application with this name appears in the search results, it’s installed and needs to be configured or disabled.

How to mitigate the risks posed by Recall

Some categories of users are advised to disable Recall entirely. This includes those who:

often store sensitive information on their computer
are legally obligated to strictly protect work data
share a computer with others
experience aggressive monitoring at work or home
have no need for AI searches

Fortunately, this isn’t hard to do. Open Settings, go to Privacy & Security -> Recall & snapshots, and disable Save snapshots. Then click Delete All to wipe previously taken snapshots.

Fortunately, Recall is easy to disable or customize. Source

If you don’t want to disable Recall completely, you need to at least configure it properly. The first step is to specify lists of applications and websites for which this function shouldn’t work. We recommend adding the following to Recall‘s exceptions:

all sites where you view important personal information: banks, government services, insurance and medical organizations
password manager sites and applications
sites and applications with confidential work information
sites and applications related to cryptocurrencies, if you use any
messenger apps used for confidential conversations — no matter how infrequently

If you decide to leave Recall enabled, be sure to configure the exclusion list. Source

Make sure your computer has full protection against cyberthreats, because a specialized infostealer that infects a Recall-enabled computer would be able to steal the whole history of your activity going back months prior to the infection. We can also anticipate the emergence of viruses that discreetly enable Recall for users and use it for smart recognition of all texts on your screen. After all, attackers managed to harness the Windows native encryption tool, BitLocker, using it for full-disk encryption of all information on the computer, followed by a ransom demand for decryption. We recommend Kaspersky Premium for maximum protection against malware.

In addition:

Enable BitLocker full-disk encryption
Protect your account with a strong password and biometric access
Configure the screen lock and use it when you step away from your computer
Create separate accounts for other users of the same computer, if any, or use a guest account
Subscribe to our blog and/or Telegram channel to be the first to know about new threats

Kaspersky official blog – ​Read More

How to exclude your router from surveillance via Wi-Fi positioning system | Kaspersky official blog

/in

Every time someone with a smartphone with GPS enabled passes by near your Wi-Fi access point, the approximate geographic coordinates of your router are uploaded to the databases of Apple, Google and other tech giants. This is an integral part of the Wi-Fi Positioning System (WPS). For your router to end up in this database, you don’t even need to have a smartphone yourself — it’s enough for a neighbor or passer-by to have one.

WPS is what enables you to see your location almost immediately when you open a map app. Relying on “pure” GPS data from satellites would take a few minutes. Your smartphone checks which Wi-Fi access points are nearby, sends the list to Google or Apple, and receives either its calculated coordinates (from Google) or a list of router coordinates (from Apple) to calculate its own position.

Even devices without GPS, such as laptops, can also use this type of geolocation. As discovered by researchers at MIT, Apple places minimal restrictions on requests for access point coordinates, making it possible to create your own worldwide router map and use it to find interesting phenomena and patterns, or even track individuals.

What are the risks inherent in router surveillance?

While the approximate physical location of a router might not seem like particularly confidential data, especially for those living in your area, there are several cases when it’s best to keep this information hidden. Here are a just a few examples:

When using satellite internet terminals, such as Starlink. These provide internet access via Wi-Fi, and tracking the terminal equals tracking the user’s location. This is particularly sensitive when terminals are used in military conflict or emergency zones.
When using mobile hotspots for business and travel. If you find it convenient to share internet from a mobile router to your laptop and other devices, your pocket hotspot likely accompanies you on business trips. This creates opportunities to monitor your travel schedule, frequency and directions. The same applies to hotspots installed in RVs and yachts.
When people have moved. Often, a router moves with its owner, revealing their new address to anyone who’s previously connected to their Wi-Fi — even just once before. While this is usually harmless, it can be problematic for those relocating to escape harassment, domestic violence or other serious issues.

The limitations of WPS tracking

These are all valid concerns, but there’s good news: WPS tracking is less accurate and slower than other surveillance methods.

First of all, for a router to be added to the WPS database, it must be consistently detected in the same area over some time. MIT researchers found that a new router took between two and seven days to appear in the WPS database. If you go somewhere with a mobile router for a short period, this movement is unlikely to be recorded in the database.

Secondly, a router must be scanned by several smartphones with activated geolocation services to be included in the WPS database. Therefore, a router installed in an isolated or unpopulated area may never appear on the map.

Thirdly, the identification and further tracking of routers relies on a BSSID — an identifier broadcast by the access point. Wi-Fi standards allow for BSSID randomization, and if this feature is enabled, the identifier automatically changes at certain time intervals. This doesn’t interfere with the normal operation of devices connected to the access point, but it does make it more difficult to re-identify the router. Just like the private MAC address setting in Android, iOS and Windows reduces the risk of tracking client devices, BSSID randomization makes it much more difficult to track access points.

How to protect your router from WPS tracking

Both Apple and Google have a little-known tool that allows you to exclude an access point from WPS databases. To do this, add the suffix _nomap to the end of the access point name. For example, the access point MyHomeWifi should be renamed MyHomeWifi_nomap.

For home and office routers, an additional security measure is to rent a device from the provider rather than buying your own. Then, whenever you move, you can simply return it and rent a new router at the new location.

A more technologically advanced solution, though more complicated to implement, would be to use a router that supports BSSID randomization — such as those from Supernetworks with open-source firmware. The popular alternative firmware for routers, DD-WRT, also allows for BSSID randomization if supported by the hardware.

For those using a smartphone as an access point, we recommend reviewing the device settings. On Apple devices, enabling BSSID randomization for your hotspot is not very straightforward — there’s no such switch directly in the Personal Hotspot settings. However, if the Private Wi-Fi Address feature is enabled for at least some Wi-Fi networks (Settings → Wi-Fi → tap the name of the connected Wi-Fi network → enable Private Wi-Fi Address), then your hotspot will start randomizing the BSSID of the access point. This feature can also occasionally be found on Android smartphones, although the activation process varies by manufacturer.

According to Starlink, their terminals have also gradually been receiving a software update since early 2023 that automatically activates BSSID randomization.

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 352 | Kaspersky official blog

/in

Episode 352 of the Transatlantic Cable podcast kicks off with a story concerning generative AI and hackers, with the hackers taking the side of artists (or so it would seem.)  From there discussion turns to the US surgeon general calling for ‘warning labels’ on social media, mainly in part due to the worrying rise in young people’s mental health.

To wrap up, the team look at two stories – the first concerning           ransomware and hospitals, and the second looking at a recent NHS data breach and black binbags.

If you liked what you heard, please consider subscribing.

Hackers Target AI Users With Malicious Stable Diffusion Tool on GitHub to Protest ‘Art Theft’
US surgeon general wants social media warning labels
Medical-Targeted Ransomware Is Breaking Records After Change Healthcare’s $22M Payout
Student’s flimsy bin bags blamed for latest NHS data breach

Kaspersky official blog – ​Read More

How phishing using progressive web apps (PWAs) works | Kaspersky official blog

/in

A security researcher known as mr.d0x has published a post detailing a new technique that can be used for phishing and potentially other malicious activities. The technique exploits so-called progressive web apps (PWAs). In this post, we discuss what these applications are, why they can be dangerous, how attackers can use them for their own purposes, and how to [placeholder Kaspersky Premium]protect yourself[/placeholder] against this threat.

What are progressive web apps?

PWAs are applications developed using web technologies. Essentially, they’re websites that look and function just like native applications installed on your operating system.

The general idea is similar to applications built on the Electron framework, with one key difference. Electron apps are like a “sandwich” of a website (the filling) and a browser (the bread) dedicated to running that site; that is, each Electron application has a built-in browser. In contrast, PWAs utilize the engine of the browser already installed on the user’s system to display the same website – like a sandwich without the bread.

All modern browsers support PWAs, with Google Chrome and Chromium-based browsers (including the Microsoft Edge browser that comes with Windows) offering the most comprehensive implementation.

Installing a PWA (if the respective website supports it) is very simple. Just click an inconspicuous button in the browser’s address bar and confirm the installation. Here’s how it’s done, using the Google Drive PWA as an example:

Installing PWAs only takes two clicks

After that, the PWA appears on your system almost instantly, looking just like a real application — with an icon, its own window, and all the other attributes of a fully-fledged program. It’s not easy to tell from the PWA window that it’s actually a browser displaying a website.

The Google Drive PWA looks just like a real native application

PWA-based phishing

One crucial difference between a PWA and the same website opened in a browser is evident in the screenshot above: the PWA window lacks an address bar. This very feature forms the foundation of the phishing method discussed in this post.

With no address bar in the window, attackers can simply draw their own — displaying an URL that serves their phishing goals. For example, this one:

With a PWA, you can convincingly mimic any site — for example, the Microsoft account login page. Source

Attackers can further enhance the deception by giving the PWA a familiar icon.

The only remaining hurdle is convincing the victim to install the PWA. However, this can be easily achieved with persuasive language and cleverly designed interface elements.

It’s important to note that during the PWA installation dialog, the displayed app name can be anything the attacker desires. The true origin is only revealed by the website address in the second line, which is less noticeable:

The malicious PWA installation dialog displays a name that aids the attacker’s goals. Source

The process of stealing a password using a PWA generally unfolds as follows:

The victim opens a malicious website.
The website convinces the victim to install the PWA.
Installation occurs almost instantly, and the PWA window opens.
A phishing page with a fake address bar displaying a legitimate-looking URL opens in the PWA window.
The victim enters their login credentials into the form — handing them directly to the attackers.

What phishing using a malicious PWA looks like. Source

Of course, convincing the victim to install a native application is just as straightforward, but there are a couple of nuances. PWAs install significantly faster and require much less user interaction compared to traditional app installations.

Additionally, developing PWAs is simpler, as they’re essentially phishing websites with minor enhancements. These factors make malicious PWAs a powerful tool for cybercriminals.

How to protect yourself from PWA phishing

Incidentally, the same mr.d0x previously gained recognition for devising the browser-in-the-browser phishing technique, which we wrote about a couple of years ago. Since then there have been several reported instances of attackers employing this technique not only for stealing account passwords but also for spreading ransomware.

Given this precedent, it’s highly probable that cybercriminals will adopt malicious PWAs and devise novel ways to exploit this technique beyond phishing.

What can you do to protect against this threat?

Exercise caution when encountering PWAs, and refrain from installing them from suspicious websites.
Periodically review the list of PWAs installed on your system. For instance, in Google Chrome, type chrome://apps into the address bar to view and manage installed PWAs.

To view or remove installed PWAs in Google Chrome, type chrome://apps in the address bar

Use a reliable security solution with protection against phishing and fraudulent sites, which will promptly warn you of potential dangers.

Kaspersky official blog – ​Read More

Hackers can crack 59% of passwords in an hour | Kaspersky official blog

/in

Although World Password Day, held annually on the first Thursday in May, has passed, our — and we hope your — fascination with password security continues. Instead of analyzing artificial “test-tube” passwords created for lab studies, we stayed in the real world — examining actual passwords leaked on the dark web. The results were alarming: 59% of these passwords could be cracked in less than an hour — and all it takes is a modern graphics card and a bit of know-how.

Today’s post explains how hackers crack passwords and how to counter it (spoiler alert: use reliable protection and automatically check your passwords for leaks).

The usual way to crack passwords

First, let’s clarify what we mean by “cracking a password”. We’re talking about cracking the password’s hash — a unique sequence of characters representing the password. Companies typically store user passwords in one of three ways:

This is the simplest and clearest way: if a user’s password is, say, qwerty12345, then it’s stored on the company server as qwerty12345. If a data breach occurs, the hacker needs only enter the password with the corresponding username to log in. That is, of course, if there’s no two-factor authentication (2FA), but even then, cybercriminals can sometimes intercept one-time passwords.
This method utilizes hashing algorithms like MD5 and SHA-1 to transform each password into a unique hash value in the form of a fixed-length string of characters, which is stored on the server. When the user enters their password, the system converts the input sequence of characters into a hash, and compares it to the one stored on the server. If they match, the password is correct. Here’s an example: if your password is that same qwerty12345, then “translated” into SHA-1, it looks like this: 4e17a448e043206801b95de317e07c839770c8b8. Hackers obtaining this hash would need to decrypt it back to qwerty12345 (this is the “password cracking” part), for example, by using rainbow tables. A cracked password can then be used to access not only the compromised service but potentially other accounts where the password was reused.
Hashed with salt. Nothing to do with a tasty dish from a takeaway, this method adds a random sequence of data, known as a salt, to each password before hashing. A salt can be static or generated dynamically. A password+salt sequence is fed into the algorithm, which results in a different hash. Thus, pre-computed rainbow tables become useless to hackers. Using this method of storing passwords makes them much more difficult to crack.

For our study, we formed a database of 193 million leaked passwords in plaintext. Where did we get them all from? You have to know where to look. We found them on the dark web, where such “treasures” are often freely available. We used this database to check user passwords for possible leaks — but rest assured we don’t store or even see any passwords. You can read more about the internal structure of the password vault in our Kaspersky Password Manager and how, without knowing your passwords, we match them against leaked ones.

The cost of password cracking

Modern GPUs are the best tool for analyzing a password’s strength. For example, the RTX 4090 paired with the password recovery tool hashcat achieves a rate of 164 billion hashes per second (GH/s) for salted MD5 hashes.

Let’s imagine an 8-character password using both Latin letters (either all lowercase or all uppercase) and digits (36 possible characters per position). The number of possible unique combinations is 2.8 trillion (calculated by raising 36 to the power of eight). A powerful CPU boasting processing power of 6.7 GigaHashes per second (GH/s), could brute-force such a password in seven minutes. But the aforementioned RTX 4090 manages it in just 17 seconds.

While such a hi-end GPU costs slightly south of US$2,000, even attackers unable to get hold of one can easily rent computing power for just a few dollars per hour. But what if they rent a dozen RTX 4090s all at once? That would pack enough power to process massive hash database leaks with ease.

59% of passwords crackable in under an hour

We tested password strength using both brute-force and smart-guessing algorithms. While brute force iterates through all possible combinations of characters in order until it finds a match, smart guessing algorithms are trained on a passwords data-set to calculate the frequency of various character combinations and make selections first from the most common combinations and down to the rarest ones. You can read more about used algorithms in the full version of our research on Securelist.

The results were unnerving: a staggering 45% of the 193 million real-world passwords we analyzed (that is, 87 million passwords!) could be cracked by the smart algorithm in less than a minute, 59% within an hour, 67% within a month, and a mere 23% of passwords could be considered truly strong — needing more than a year to crack.

Cracking time
Percentage of passwords crackable using the given method

Brute force
Smart guessing

Under a minute
10%
45%

1 minute to 1 hour
+10% (20%)
+14% (59%)

1 hour to 1 day
+6% (26%)
+8% (67%)

1 day to 1 month
+9% (35%)
+6% (73%)

1 month to 1 year
+10% (45%)
+4% (77%)

Over 1 year
+55% (100%)
+23% (100%)

It’s important to note that cracking all passwords in the database doesn’t take much more time than cracking just one (!). At each iteration, having calculated the hash for the next combination of characters, the attacker checks whether the same one exists in the general database. If it does, the password in question is marked as “cracked”, after which the algorithm continues to guess other passwords.

Why smart guessing algorithms are so effective

Humans are predictable. We rarely choose truly random passwords, and our attempts at generating them pale in comparison to machines. We rely on common phrases, dates, names, and patterns – precisely what smart cracking algorithms are designed to exploit.

Moreover, the human brain is such that if you ask a sample of folks to pick a number between one and a hundred, most will choose… the same numbers! The YouTube channel Veritasium surveyed more than 200,000 people and found the most popular numbers to be 7, 37, 42, 69, 73, and 77.

Results of the Veritasium survey. Source

Even when attempting random character strings, we tend to favor keys in the middle of the keyboard. Around 57% of all the passwords we analyzed were found to contain a dictionary word or frequent symbol combination. Worryingly, 51% of these passwords could be cracked in less than a minute, 67% in under an hour, and only 12% took more than a year. However, at least just a few passwords consisted of a dictionary word only (which could be cracked within a minute). See the Securelist post for more about the password patterns we encountered.

Smart algorithms make short work of most passwords that contain dictionary sequences. And they even catch character substitutions — so writing “pa$$word” instead of “password” or “@dmin” instead of “admin” won’t make the password much stronger. Using popular words and number sequences is equally risky. In 4% of the passwords we examined, the following cropped up somewhere:

12345
123456
love
12345678
123456789
admin
team
qwer
54321
password

Recommendations

The takeaways from our hands-on study:

Many user passwords aren’t strong enough; 59% of them can be cracked in an hour.
Using meaningful words, names, and standard character sequences in your password significantly reduces password guessing time.
The least secure password is one that consists entirely of numbers or only words.

To keep your accounts safe, consider the following simple recommendations:

Generate strong passwords using Kaspersky Password Manager.
If you decide to create a password yourself, use mnemonic passphrases rather than meaningful word combinations, names, or dictionary sequences.
Never reuse passwords across different sites, because not all companies store user data securely.
Never save passwords in browsers.
Keep your passwords safely stored in a password manager and create a crack-proof primary password for it.
Check how crack-resistant your password is with Password Checker or directly in your Kaspersky Password Manager. It will identify weak and duplicate passwords, check all your passwords against compromised databases, and alert you if a match is found.
Utilize Kaspersky Premium to continually monitor in the background all accounts linked to your and family members’ phones or email addresses for data leaks.
Enable 2FA wherever possible. Incidentally, Kaspersky Password Manager also lets you save 2FA tokens and generate one-time codes.

Kaspersky official blog – ​Read More

Vulnerabilities of ZKTeco biometric terminals | Kaspersky official blog

/in

Organizations are adopting biometric authentication to optimize access control and to add a primary or auxiliary authentication factor for accessing corporate information systems. Biometrics are perfect for the job: such data can’t be forgotten like a password, or lost like a keypass, and is very hard to forge. Security no longer has to deal with lost or forgotten cards, and the IT security team doesn’t need to come up with OTP systems. However, there are a number of “buts” to consider when evaluating such implementations:

Risks associated with storing and processing biometric information (regulated by law in many countries);
Practical difficulties related to false positives and negatives (strongly dependent on the type of biometrics and means of verification);
Risks of authentication bypass;
Risks of cyberattacks through vulnerabilities in the biometric terminal.

The first two points are usually covered by security personnel, but the rest are often underestimated. Yet, as our in-depth study of popular ZKTeco biometric terminals shows, by no means are they far-fetched. These terminals were found to harbor 24 vulnerabilities that allow threat actors to effortlessly bypass authentication, hijack the device, read or modify the list of users, download their photos and other data, and exploit access to the device to develop an attack on the corporate network. Here’s how attackers can use these vulnerabilities.

ZKTeco terminal

QR code instead of a face

The biometric terminal model studied by our experts can store a database of users locally and authenticate them in one of several ways: password, QR code, face photo biometrics, or electronic pass. As it turned out, simply scanning a QR code containing the trivial SQL injection is enough to validate authentication on the device and open the doors. And if too much data is embedded in the QR code, the terminal reboots. To carry out these attacks, an attacker only needs to approach the device with a phone or even a paper card.

Insecure network access

The terminal can be managed either locally or over the network using SSH or a proprietary network protocol using the TCP port 4370. The protocol requires authentication, but the procedure’s implementation contains serious errors. The password is an integer from 0 to 999999, which is easy to brute-force, and its default value is, of course, zero. The message authentication code (MAC) uses reversible operations, making it easy to analyze network traffic and, if necessary, recover the password through it. SSH access is available to root and zkteco users whose passwords could be recovered through accessing the device memory.

Device hijacking

The manufacturer provides the ability to access user data remotely, download photos, upload new users, and so on. Given the insecure implementation of the proprietary protocol, this creates a risk of personal data leakage, including biometrics. Threat actors can also add third parties to the database and exclude legitimate employees.

On top of that, errors in processing protocol commands give attackers even more options, such as injecting Unix shell system commands into image processing commands and reading arbitrary system files on the terminal, right down to the password-containing /etc/shadow.

What’s more, buffer overflow vulnerabilities in the firmware update command allow arbitrary code execution on the device. This creates attractive opportunities for attackers to expand their presence in the network. Since the biometric terminal will have no EDR agent or other security tools, it’s well suited for reconnaissance operations and routing traffic between compromised devices — if, of course, the terminal itself is connected to the internal network without additional restrictions.

How to reduce the risks of attacks through biometric terminals

ZKTeco devices are used worldwide under different brand names. If the devices in the illustration look like those in your office, it’s worth updating the firmware and scrutinizing the settings to make them more secure. Either way, various flaws in biometric terminals need to be taken into account regardless of the specific manufacturer. We recommend the following measures:

Choose a biometric terminal supplier carefully. Conduct preliminary analysis of previously known vulnerabilities in its equipment and the time taken to eliminate them. Request information about the supplier’s software engineering practices, giving preference to manufacturers that use a secure development lifecycle (SDL). Also request a detailed description of how information is stored, including biometrics.
Master the equipment settings and use the most secure configuration. We recommend disabling unnecessary and insecure authentication methods as well as unused services and features. Change all default credentials to strong and unique passwords for all biometric terminal administrators and users.
Physically block unnecessary connectors and interfaces on the terminal to eliminate certain attack vectors.
Include terminals in update and vulnerability management processes.
Isolate the network. If terminals are connected to the local network and linked to a management server, we recommend moving them to a separate physical or virtual subnet (VLAN) to rule out access to terminals from regular computers and servers, and vice versa. To configure access, we advise using a privileged access workstation isolated from regular network activity.
Consider telemetry from terminals as a source of information for the SIEM system and other deployed monitoring tools.

Kaspersky official blog – ​Read More

Euro 2024: Common cyberthreats | Kaspersky official blog

/in

Fraudsters love hype and all-things-trending. Ah, so Toncoin is becoming very popular? Let’s build a cryptocurrency pyramid scheme. Artificial intelligence has hit the next level? Perfect for making voice deepfakes. The Euros have started? Get ready for a month of soccer scams…

The UEFA Euro 2024 tournament will gather over 2.7 million people in stadiums, and another 12 million in fan zones across Germany, while the total number of folks who’ll be following the year’s biggest soccer tournament boggles the mind. Alas, many of these spectators and viewers could make easy targets for scammers. That’s why it’s important to take the right precautions, understand the potential cyberthreats in the soccer world, and learn how to watch your favorite team’s matches safely.

Fake tickets

A typical threat before any major offline event is ticket fraud. In short: buy tickets only from the official UEFA website, or at the stadium box office – not from third parties or any other websites.

What could go wrong otherwise? Here are a few common scenarios:

Payment data compromise. This can happen if you pay by card on a fake (phishing) website. So before attempting to buy a ticket online, make sure there are no typos in the website’s address and that the domain wasn’t registered just a couple of weeks ago.
Personal data compromise. This scenario is also possible when buying from a phishing site — fraudsters may ask for not just your bank details but also your name, address, phone number and email. Be cautious if buying tickets requires an unusual amount of personal data.
Malware downloads. Fraudsters may offer to sell Euro 2024 tickets via a “special app”. This seemingly harmless app could turn out to be a stealer, miner, or something even worse. If you come across an offer to “download this app to buy tickets”, ignore it — it’s a scam.

All these scenarios have the same potential outcome — no tickets actually purchased, financial loss, and a very grumpy mood. If you want to make sure your data hasn’t already been compromised, install Kaspersky Premium — it will protect your devices from viruses, keep you safe from phishing and malicious links while surfing the web, and automatically check for data leaks from your accounts tied to email and phone numbers.

Pirate streams

Even if you plan on watching the entire tournament online — remain vigilant. Some attractively priced streaming services may turn out to be pirated, and a subscription that seems like a great deal could empty your bank account.

The risks here are the same as with tickets — payment and personal data can be stolen, and malicious scripts can be embedded in the streaming site pages, allowing attackers to control your browser and system. That’s why we don’t recommend storing passwords in your browser — use a password manager.

Pirate streaming service for watching Euro Cup matches

Illegal betting

Another popular type of soccer fraud is betting with illegal, fraudulent bookmakers offering fantastic odds. These outfits lure gamblers with attractive odds, and then disappear within a couple of weeks. As a result, the fans lose their money and, yet again, their payment data ends up in grubby hands. If you want to place a bet on a soccer match, use the official website or app of a bookmaker licensed to operate in your country.

Fake stores

Any soccer tournament involving national teams inevitably causes a surge in the popularity of stores selling fan merchandise: jerseys, scarves, T-shirts and so on. Among the plethora of such shops, it’s best to choose official or offline stores — that way you won’t get scammed.

Fake store selling soccer paraphernalia

Fraudsters attract buyers with big discounts, low prices and free shipping, but in reality, these are classic scammer scenarios: without reliable protection, your payment and personal data can be stolen and you’ll never receive your favorite team’s jersey.

Recommendations

Watch soccer matches only on official channels/sites and don’t pay distributors of pirated content.
Use reliable protection that warns you when you’re about to visit a phishing site.
Pay using a virtual card with a set limit. Before purchasing a ticket or subscription, transfer only the amount needed for that one transaction. This way, fraudsters won’t be able to get their hands on anything extra.
Don’t buy tickets on the second-hand market— such tickets may be invalidated by UEFA. It’s better to use the organization’s official website.
Buy fan merchandise only from official stores— otherwise you risk encountering fraudsters.

Kaspersky official blog – ​Read More

How ShrinkLocker ransomware leverages BitLocker | Kaspersky official blog

/in

While investigating a cybersecurity incident, Kaspersky’s experts discovered new ransomware they’ve dubbed “ShrinkLocker”. An interesting feature of this malware is that its creators artfully use the built-in capabilities of Windows to lock down computers the malware has infected. In particular, ShrinkLocker uses the standard full-disc encryption utility BitLocker to block access to the data.

What makes ShrinkLocker dangerous?

Like most ransomware today, ShrinkLocker encrypts the victim’s local drives to block access to their contents. What it essentially does is activate a standard security feature — BitLocker.

ShrinkLocker shrinks the computer’s drive partitions by 100 megabytes — hence its name — and uses the freed-up space to create a boot partition for itself. While it’s at it, it disables every BitLocker key-recovery mechanism, and sends the key that was used for the drives’ encryption to the attacker’s server.

After the user restarts the computer, they’re presented with the standard BitLocker password prompt. Since the user is now unable to start the system, ShrinkLocker changes the labels of all system drives to the attacker’s email address instead of leaving a ransom note.

How ShrinkLocker works

ShrinkLocker is implemented as a complex VBScript. It starts by gathering information about the operating system — primarily, its version. If the script finds that it’s running on Windows 2000, XP, 2003, or Vista, it shuts down. For newer editions of Windows, it runs parts of its code that are optimized for the relevant operating system.

Next, it runs preparatory operations on the local drives as mentioned above, and modifies several registry keys to configure the system for running BitLocker smoothly with the settings that the attacker requires.

ShrinkLocker writes the attacker’s email address to the volume label

Then it disables and removes all default BitLocker protectors to prevent key recovery, and enables the numerical password-protector option.

The script then generates this password and initiates encryption of all local drives using the newly created password. After this, ShrinkLocker sends an HTTP POST request containing the password and system information to the attacker’s command-and-control server.

To mask the actual server address, the threat actor uses several trycloudflare.com subdomains. This is a legitimate domain owned by CloudFlare and designed for website developers to test website traffic tunneling capabilities.

In its final stages, ShrinkLocker covers its tracks by removing its files from the drive, clearing Windows PowerShell logs, and so on. Finally, the script restarts the system.

If the user tries choosing a recovery option while the machine is booting up, they get a message stating that no BitLocker recovery options are available.

ShrinkLocker has blocked access to the drive with BitLocker, and no recovery options are available

Regarding the geographical distribution of infections, our researchers have observed ShrinkLocker and its modifications in Indonesia, Jordan, and Mexico. You can find more details about the ShrinkLocker modus operandi in our report on Securelist.

How to protect yourself from ShrinkLocker

Here are some tips for how to protect against ShrinkLocker and other ransomware threats:

Apply the principle of least privilege. In particular, users should not be given permissions to modify the registry or enable full-volume encryption.
Enable traffic monitoring. In addition to HTTP GET requests, it’s also helpful to log HTTP POST. In case of infection, requests to the attacker’s C&C server may contain passwords and keys.
Monitor events associated with VBS and PowerShell execution. Save scripts and commands you discover to external storage, as the malware may delete your local logs.
Back up your data regularly. Use offline storage for backups and verify their integrity.
Use a reliable security solution on all corporate devices. For example, Kaspersky Endpoint Security for Business detects ShrinkLocker with the verdicts Trojan.VBS.SAgent.gen, Trojan-Ransom.VBS.BitLock.gen, and Trojan.Win32.Generic.
Use EDR (Endpoint Detection and Response) solutions to monitor suspicious activity on your corporate network.

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 351 | Kaspersky official blog

/in

Episode 351 of the Transatlantic Cable podcast begins with discussion around Microsoft’s controversial ‘Recall’ feature. Following from there, news turns to discussion around Elon Musk’s frustration around Apple’s decision to include ChatGPT in the upcoming iOS 18.

To wrap up, the team discuss two news stories. The first covers the arrest of 2 suspects in relation to a smishing campaign, and what the police are calling “an illegitimate telephone mast,” converted into a “text message blaster.”  The finals story looks at how a 27-year-old Tamagotchi mystery has finally been solved.

If you liked what you heard, please consider subscribing.

Microsoft ‘recalls’ screenshot feature after outcry
Elon Musk threatens to ban Apple devices from his companies over Apple’s ChatGPT integrations
Two cuffed over suspected smishing campaign using ‘text message blaster’
A 27-Year Old Tamagotchi Mystery Has Been Solved

Kaspersky official blog – ​Read More

Notifications from FB and theft of business account passwords

/in

Cybercriminals in the password theft business are constantly coming up with new ways to deliver phishing emails. Now they’ve learned to use a legitimate Facebook mechanism to send fake notifications threatening to block Facebook business accounts. We explore how the scheme works, what to pay attention to, and what measures to take to protect business accounts on social networks.

Anatomy of the phishing attack on Facebook business accounts

It all starts with a message sent by the social network itself to the email address linked to the victim’s Facebook business account. Inside is a menacing icon with an exclamation mark, and an even more menacing text: “24 Hours Left To Request Review. See Why.”

Email with a fake warning about account problems, sent by Facebook itself

Added to this are other words which, combined with the above text, look odd. But a manager responsible for Facebook may, in haste or in panic, fail to spot these irregularities and follow the link by clicking the button in the email or manually open Facebook in a browser and check for the notifications.

Either way, they’ll end up on Facebook. After all, the email is real, so the buttons really do point to the social network’s site. A notification is waiting there — with the now familiar orange icon and same threatening words: “24 Hours Left To Request Review. See Why.”

Phishing notification informing the victim their account will be blocked for non-compliance with the terms of service

The notification contains more details, alleging that the account and page are to be blocked because someone complained about their non-compliance with the terms of service. The victim is then prompted to follow a link to dispute the decision to block their account.

If they do, a website opens (this time, bearing the Meta logo, not Facebook) with roughly the same message as in the notification, but the time granted to resolve the issue has been halved to 12 hours. We suspect that scammers use the Meta logo this time because they try similar schemes on other Meta platforms — we found at least one “location” on Instagram with the same name: “24 Hours Left To Request Review. See Why.”

On a phishing page outside Facebook, the victim is prompted to appeal the block

After clicking the Start button, through a series of redirects the visitor lands on a page with a form asking initially for relatively innocent data: page name, first and last names, phone number, date of birth.

] The second screen asks the victim to enter certain personal data

It’s the next screen where things get juicy: here you need to enter the email address or phone number linked to your Facebook account and your password. As you might guess, it’s this data that the attackers are after.

The attackers don’t waste any time in requesting your Facebook account credentials

How the phishing scheme exploits real Facebook infrastructure

Now let’s see how threat actors get Facebook to send phishing notifications on their behalf. They do so by using hijacked Facebook accounts. The account name is changed straight away to the most troubling title: “24 Hours Left To Request Review. See Why.” They also change the profile pic so that the preview shows an orange icon with the exclamation mark already familiar to us from the email and notification.

Attackers change the name and profile picture of the hijacked Facebook account

That done, the message about the account block is posted from the account. At the bottom of this message, a mention of the victim’s page appears after a few dozen empty lines. By default it’s hidden, but on clicking the “See more” link in the phishing post, the mention becomes visible.

The trick is the hard-to-spot mention of the targeted Facebook business account at the bottom of the post

Threat actors post such messages from the hijacked account in bulk all at once, each of which mentions one of the target Facebook business accounts.

Hijacked accounts generate a slew of posts, each of which mentions the account of a targeted organization

As a result, Facebook diligently sends notifications to all accounts mentioned in these posts, both within the social network itself and to the email addresses linked to these accounts. And because delivery is via the actual Facebook infrastructure, these notifications are guaranteed to reach their intended recipients.

How to protect business social media accounts from hijacking

We should note that phishing isn’t the only threat to business accounts. There exists an entire class of malware specially created for password theft; such programs are known as password stealers. For this same purpose, attackers can also use browser extensions — see our recent post about their use in hijacking Facebook business accounts.

Here’s what we recommend for protecting the social media accounts of your business:

Always use two-factor authentication wherever possible.
Pay close attention to notifications about suspicious login attempts.
Make sure all your passwords are both strong and unique. To generate and store them, it’s best to use a password manager.
Carefully check the addresses of pages asking for account credentials: if there’s even the slightest suspicion that a site is fake, do not enter your password.
Equip all work devices with reliable protection that will warn of danger ahead of time and block the actions of both malware and browser extensions.

Kaspersky official blog – ​Read More