Smart light bulbs could give away your password secrets

Cryptography isn’t just about secrecy. You need to take care of authenticity (no imposters!) and integrity (no tampering!) as well.

Naked Security – Sophos News – Read More

“Snakes in airplane mode” – what if your phone says it’s offline but isn’t?

WYSIWYG is short for “what you see is what you get”. Except when it isn’t…


S3 Ep148: Remembering crypto heroes

Celebrating the true crypto bros. Listen now (full transcript available).


FBI warns about scams that lure you in as a mobile beta-tester

Apps on your iPhone must come from the App Store. Except when they don’t… we explain what to look out for.


“Grab hold and give it a wiggle” – ATM card skimming is still a thing

The rise of tap-to-pay and chip-and-PIN hasn’t rid the world of ATM card skimming criminals…


Update on Naked Security

To consolidate all of our security intelligence and news in one location, we have migrated Naked Security to the Sophos News platform.


Resolutions for a cybersecure 2024 | Kaspersky official blog

The rapid development of AI, international tensions, and the proliferation of “smart” technologies like the internet of things (IoT) make the upcoming year particularly challenging in terms of cybersecurity. Each of us will face these challenges in one way or another, so, as per tradition, we’re here to help all our readers make a few New Year’s resolutions for a more secure 2024.

Protect your finances

E-commerce and financial technologies continue to expand globally, and successful technologies are being adopted in new regions. Instant electronic payments between individuals have become much more widespread. And, of course, criminals are devising new ways to swindle you out of your money. This involves not only fraud using instant money-transfer systems, but also advanced techniques for stealing payment data on e-commerce sites and online stores. The latest generations of web skimmers installed by hackers on legitimate online shopping sites are almost impossible to perceive, and victims only learn that their data has been stolen when an unauthorized charge appears on their card.

What to do?

Link your bank cards to Apple Pay, Google Pay, or other similar payment systems available in your country. This is not only convenient, but also reduces the likelihood of data theft when making purchases in stores.
Use such systems to make payments on websites whenever possible. There’s no need to enter your bank card details afresh on every new website.
Protect your smartphones and computers with a comprehensive security system like Kaspersky Premium. This will help protect your money, for example, from a nasty new attack in which the recipient’s details are replaced at the moment of making an instant money transfer in a banking app.
Use virtual or one-time cards for online payments if your bank supports this option. If a virtual card can be quickly reissued in the app, change it regularly — for example, once a month. Or use special services to ‘mask’ cards, generating one-time payment details for each payment session. There are many of these for different countries and payment systems.

Don’t believe everything you see

Generative artificial intelligence has dominated the news throughout 2023 and has already significantly affected the job market. Unfortunately, it’s also been used for malicious purposes. Now, just about anyone can create fake texts, photos, and videos in a matter of minutes — a labor that previously required a lot of time and skill. This has already had a noticeable impact on at least two areas of cybersecurity.

First, the appearance of fake images, audio, and video on news channels and social media. In 2023, generated images were used for propaganda purposes during geopolitical conflicts in post-Soviet countries and the Middle East. They were also used successfully by fraudsters for various instances of fake fundraising. Moreover, towards the end of the year, our experts discovered massive “investment” campaigns in which the use of deepfakes reached a whole new level: now we’re seeing news reports and articles on popular channels about famous businessmen and heads of state encouraging users to invest in certain projects — all fake, of course.

Second, AI has made it much easier to generate phishing emails, social media posts, and fraudulent websites. For many years, such scams could be identified by sloppy language and numerous typos, because the scammers didn’t have the time to write and proofread them properly. But now, with WormGPT and other language models optimized for hackers, attackers can create far more convincing and varied bait on an industrial scale. What’s more, experts fear that scammers will start using these same multilingual AI models to create convincing phishing material in languages and regions that have rarely been targeted for such purposes before.

What to do?

Be highly critical of any emotionally provocative content you encounter on social media — especially from people you don’t know personally. Make it a habit to always verify the facts on reputable news channels and expert websites.
Don’t transfer money to any kind of charity fundraiser or campaign without conducting a thorough background check of the recipient first. Remember, generating heart-breaking stories and images is literally as easy as pushing a button these days.
Install phishing and scam protection on all your devices, and enable all options that check links, websites, emails, and attachments. This will reduce the risk of clicking on phishing links or visiting fraudulent websites.
Activate banner ad protection — both Kaspersky Plus and Kaspersky Premium have this feature, as do a number of browsers. Malicious advertising is another trend for 2023-2024.

Some experts anticipate the emergence of AI-generated content analysis and labeling systems in 2024. However, don’t expect them to be implemented quickly or universally, or be completely reliable. Even if such solutions do emerge, always double-check any information with trusted sources.

Don’t believe everything you hear

High-quality AI-based voice deepfakes are already being actively used in fraudulent schemes. Someone claiming to be your “boss”, “family member”, “colleague”, or some other person with a familiar voice might call asking for urgent help — or to help someone else who’ll soon reach out to you. Such schemes mainly aim to trick victims into voluntarily sending money to criminals. More complex scenarios are also possible — for example, targeting company employees to obtain passwords for accessing the corporate network.

What to do?

Verify any unexpected or alarming calls without panic. If someone you supposedly know well calls, ask a question only that person can answer. If a colleague calls but their request seems odd — for example, asking you to send or spell a password, send a payment, or do something else unusual — reach out to other colleagues or superiors to double-check things.
Use caller identifier apps to block spam and scam calls. Some of these apps work not only with regular phone calls but also with calls through messengers like WhatsApp.

Buy only safe internet-of-things (IoT) smart devices

Poorly protected IoT devices create a whole range of problems for their owners: robot vacuum cleaners spy on their owners, smart pet feeders can give your pet an unplanned feast or a severe hunger strike, set-top boxes steal accounts and create rogue proxies on your home network, and baby monitors and home security cameras turn your home into a reality TV show without your knowledge.

What could improve in 2024? The emergence of regulatory requirements for IoT device manufacturers. For example, the UK will ban the sale of devices with default logins and passwords like “admin/admin”, and require manufacturers to disclose in advance how long a particular device will receive firmware updates. In the U.S., a security labeling system is being developed that will make it possible to understand what to expect from a “smart” device in terms of security even before purchase.

What to do?

Find out if there are similar initiatives in your country and make the most of them by purchasing only secure IoT devices with a long period of declared support. It’s likely that once manufacturers are obliged to ensure the security of smart devices locally, they’ll make corresponding changes to products for the global market. Then you’ll be able to choose a suitable product by checking, for example, the American “security label”, and buy it — even if you’re not in the U.S.
Carefully configure all smart devices using our detailed advice on creating a smart home and setting up its security.

Take care of your loved ones

Scams involving fake texts, images, and voice messages can be highly effective when used on elderly people, children, or those less interested in technology. Think about your family, friends, and colleagues — if any of them may end up a victim of any of the schemes described above, take the time to tell them about them or provide a link to our blog.

What to do?

Don’t just give blanket information from our articles; look beyond our blog to find suitable cybersecurity lessons for your loved ones based on their age and temperament.
Make sure that all your family’s computers and phones are fully protected. With Kaspersky Premium, you can protect as many devices as needed, on any popular platform — Windows, macOS, Android, or iOS.

Before we say goodbye and wish you a happy and peaceful 2024, one final little whisper — last year’s New Year’s resolutions are still very relevant: the transition to password-less systems is progressing at a swift pace, so going password-free in the New Year might be a good idea, while basic cyber hygiene has become all the more crucial. Oops; nearly forgot: wishing you a happy and peaceful 2024!…

Kaspersky official blog – Read More

Operation Triangulation: talk on 37C3 | Kaspersky official blog

At the 37th Chaos Communication Congress (37C3), taking place right now in Hamburg, our experts from the Kaspersky Global Research and Analysis Team (GReAT) Boris Larin, Leonid Bezvershenko and Grigoriy Kucherin gave a talk called “Operation Triangulation: what you get when attack iPhones of researchers”. They described the attack chain in detail and discussed all of the vulnerabilities involved in it. Among other things, for the first time they presented exploitation details of the CVE-2023-38606 hardware vulnerability.

We will not repeat all the nuts and bolts of this report — you can find the technical details in a post on the Securelist blog, or you can listen to the recording of the talk on the conference’s official website. Here we will briefly describe the main points.

As we already wrote at the beginning of this summer, the attack started with an invisible iMessage containing a malicious attachment that was processed without the user’s knowledge. The attack required no action from the user at all.
Our experts were able to detect the attack by monitoring a corporate Wi-Fi network with our own SIEM system, Kaspersky Unified Monitoring and Analysis Platform (KUMA).
The attack employed four zero-day vulnerabilities that affected all iOS devices up to version 16.2: CVE-2023-32434, CVE-2023-32435, CVE-2023-41990 and the aforementioned CVE-2023-38606.
The obfuscated Triangulation exploit could work both on modern iPhones and on fairly old models. When attacking newer iPhones, it could bypass Pointer Authentication Code (PAC).
The CVE-2023-32434 vulnerability used by this exploit gave attackers read and write access to the entire physical memory of the device from user level.
Thanks to the exploitation of all four vulnerabilities, the malware could gain full control over the device and run any malware it needed, but instead it launched the IMAgent process and used it to remove all traces of the attack from the device. It also launched the Safari process in the background and redirected it to the attacker’s web page with an exploit for Safari.
This Safari exploit obtained root rights and launched further stages of the attack (which we already discussed in our previous publications).
Vulnerability CVE-2023-38606 allowed the built-in memory protection mechanism to be bypassed using undocumented processor registers that the firmware does not use. According to our experts, this hardware function was probably created for debugging or testing purposes and then, for some reason, remained enabled.

The only remaining mystery is how exactly the attackers knew how to use this undocumented function, and where they found information about it at all.


LogoFAIL attack via image substitution in UEFI | Kaspersky official blog

When you turn on a laptop, the manufacturer’s logo is displayed on the screen before the operating system boots. This logo can actually be changed — a function intended for the use of laptop or desktop manufacturers. But there’s nothing stopping an ordinary user from using it and replacing the default logo with a different image.

The logo is stored in the code that runs immediately after the computer is turned on, in the so-called UEFI firmware. It turns out that this logo replacement function opens the way for the device to be seriously compromised — attackers can hack it and subsequently seize control of the system, and this can even be done remotely. The possibility of such an attack, named LogoFAIL, was recently discussed by specialists at Binarly. In this article, we’ll try to explain it in simple terms, but let’s first recall the dangers of so-called UEFI bootkits.

UEFI bootkits: malware loaded before the system

Historically, the program executed upon turning on a PC was called a BIOS (Basic Input/Output System). It was extremely limited in its capabilities, but it was an essential program tasked with initializing the computer’s hardware and then transferring control to the operating system loader. Since the late 2000s, BIOS gradually began to be replaced by UEFI — a more sophisticated version of the same basic program with additional capabilities, including protection against the execution of malicious code.

In particular, UEFI implemented the Secure Boot feature that employed cryptographic algorithms to check the code at each stage of the computer’s booting — from turning it on to loading the operating system. This makes it much more difficult to replace the real OS code with malicious code, for example. But, alas, even these security technologies have not completely eliminated the possibility of loading malicious code at an early stage. And if attackers manage to “smuggle” malware or a so-called bootkit into UEFI, the consequences can be extremely serious.

The issue with UEFI bootkits is that they are extremely difficult to detect from within the operating system. A bootkit can modify system files and run malicious code in an OS with maximum privileges. And the main problem is that it can survive not only a complete reinstall of the operating system, but also replacement of the hard drive. Stashed in the UEFI firmware, a bootkit isn’t dependent on the data stored on the system drive. As a result, bootkits are often used in complex targeted attacks. An example of such an attack is described in this study by our experts.

So, what do images have to do with it?

Since UEFI has fairly robust protection against the execution of malicious code, introducing a Trojan into the boot process isn’t simple. However, as it turns out, it is possible to exploit flaws in the UEFI code to execute arbitrary code at this early stage. There was good reason for the Binarly specialists to pay attention to the mechanism that allows replacing the factory logo. To display the logo, a program is launched that reads data from the graphic image file and displays this image on the screen. What if we try to make this program misbehave?

There are three major UEFI software developers: AMI, Insyde, and Phoenix. Each of them approaches logo processing differently. For example, Insyde has separate image processing programs for different formats, from JPEG to BMP. AMI and Phoenix consolidate handling of all formats into a single program. Vulnerabilities were discovered in each of them, with a total of twenty-four critical errors. The final result of exploiting one of these errors is shown in this video:

LogoFAIL attack demonstration (video).

It’s all fairly simple: the attacker can modify the image of the new logo as they please. This includes, for example, setting the logo resolution so that this parameter ends up beyond the limits defined in the handling code. This leads to a calculation error and ultimately results in data being written from the image file into the area for executable data. This data will then be executed with maximum privileges. The video above shows the seemingly harmless result of such a bootkit: a text file is saved to the Windows desktop. However, if malicious code has this level of access, the attacker can perform almost any action in the operating system.
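The dimension-driven calculation error described above, as an added illustration that is not Binarly’s finding or any vendor’s UEFI code: a constructed three-field logo header is sized first with unchecked 32-bit arithmetic, which wraps for an oversized width and height, and then with widened, bounded arithmetic that rejects it. The header layout, the buffer limits and the sample bytes are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified logo header: three little-endian 32-bit fields.
   Constructed for this example; it is not any vendor's real UEFI image format. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_pixel;
} logo_header_t;

/* Assumed limits for the pixel buffer a firmware module would allocate. */
#define MAX_LOGO_PIXELS       (4096u * 2160u)
#define MAX_LOGO_BUFFER_BYTES (32u * 1024u * 1024u)

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the 12-byte header; false if the input is truncated. */
bool parse_logo_header(const uint8_t *buf, size_t len, logo_header_t *out) {
    if (buf == NULL || out == NULL || len < 12) return false;
    out->width          = read_le32(buf);
    out->height         = read_le32(buf + 4);
    out->bits_per_pixel = read_le32(buf + 8);
    return true;
}

/* The weak pattern: every term is 32-bit, so width*height*bpp/8 silently wraps
   modulo 2^32. A header claiming 65537 x 65536 x 32 bpp "needs" only 256 KiB,
   yet a decoder would later copy 65536 rows of roughly 256 KiB each into it. */
uint32_t logo_size_unchecked(const logo_header_t *h) {
    uint32_t row_bytes = h->width * h->bits_per_pixel / 8;
    return row_bytes * h->height;
}

/* Hardened: widen to 64 bits before multiplying (two 32-bit factors cannot
   overflow a 64-bit product), whitelist the pixel depth, and bound the result
   against fixed limits. Returns 0 to reject the image. */
uint64_t logo_size_checked(const logo_header_t *h) {
    if (h->width == 0 || h->height == 0) return 0;
    if (h->bits_per_pixel != 8 && h->bits_per_pixel != 24 && h->bits_per_pixel != 32) return 0;
    uint64_t pixels = (uint64_t)h->width * (uint64_t)h->height;
    if (pixels > MAX_LOGO_PIXELS) return 0;
    uint64_t bytes = pixels * (h->bits_per_pixel / 8); /* <= 4 * MAX_LOGO_PIXELS, no overflow */
    if (bytes > MAX_LOGO_BUFFER_BYTES) return 0;
    return bytes;
}

/* Wrappers from raw bytes; both return 0 on a truncated header. */
uint64_t unchecked_size_of(const uint8_t *buf, size_t len) {
    logo_header_t h;
    return parse_logo_header(buf, len, &h) ? logo_size_unchecked(&h) : 0;
}
uint64_t checked_size_of(const uint8_t *buf, size_t len) {
    logo_header_t h;
    return parse_logo_header(buf, len, &h) ? logo_size_checked(&h) : 0;
}

/* Constructed sample headers (width, height, bpp; little-endian). */
const uint8_t sample_benign[12] = {
    0x00, 0x04, 0x00, 0x00,   /* width  = 1024 */
    0x00, 0x03, 0x00, 0x00,   /* height = 768  */
    0x18, 0x00, 0x00, 0x00 }; /* 24 bpp        */
const uint8_t sample_oversized[12] = {
    0x01, 0x00, 0x01, 0x00,   /* width  = 65537 */
    0x00, 0x00, 0x01, 0x00,   /* height = 65536 */
    0x20, 0x00, 0x00, 0x00 }; /* 32 bpp         */

int main(void) {
    printf("benign:    unchecked=%llu checked=%llu\n",
           (unsigned long long)unchecked_size_of(sample_benign, 12),
           (unsigned long long)checked_size_of(sample_benign, 12));
    printf("oversized: unchecked=%llu checked=%llu (0 = rejected)\n",
           (unsigned long long)unchecked_size_of(sample_oversized, 12),
           (unsigned long long)checked_size_of(sample_oversized, 12));
    return 0;
}
```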

Notably, some device models from major manufacturers were not susceptible to this attack, and for a very simple reason: replacing the logo in their UEFI is essentially blocked. Among these models are a number of Apple laptops and Dell devices.

Dangerous implications for businesses

Theoretically, this attack can even be carried out remotely: in some cases, it would be enough to inject a specially prepared image into the EFI system partition on the system disk, and it will be processed on the next reboot. The catch is that performing such an operation already requires complete access to the system; that is, any data on the computer would already be available to the attackers. You might wonder then, what’s the point of implementing the LogoFAIL attack? To ensure that the malicious code survives even if the OS is reinstalled — this kind of persistence is usually highly desired by APT attack operators.

This problem will gradually be resolved by updated UEFI versions that fix errors in the image handlers. However, since not all companies diligently keep up with firmware updates, a huge number of devices will likely remain unprotected. And the list of vulnerable devices includes not only laptops but also some server motherboards. This means that Binarly’s research should be taken very seriously.


Is macOS as secure as its users think? | Kaspersky official blog

Many Apple users believe the macOS operating system is so secure that no cyberthreats can harm them, so they don’t need to worry about protecting their devices. However, this is far from the case: while there is less malware for macOS, it’s still much more common than Apple device owners would like to think.

In this post, we discuss current threats facing macOS users and how to effectively protect your Mac. To illustrate the fact that viruses for macOS do exist, we’ll look at three recent studies on several malware families that have been published over the past few weeks.

BlueNoroff attacks macOS users and steals cryptocurrency

In late October 2023, our researchers discovered a new macOS Trojan that’s believed to be associated with BlueNoroff, the “commercial wing” of the Lazarus APT group. This subgroup specializes in financial attacks and specifically focuses on two things: firstly, attacks on the SWIFT system — including the notorious heist of the Bangladesh Central Bank — and secondly, stealing cryptocurrencies from organizations and individuals.

The discovered macOS Trojan downloader is distributed within malicious archives. It’s disguised as a PDF document titled “Crypto-assets and their risks for financial stability”, with an icon that mimics a preview of this document.

Cover page of the deceptive PDF that the Trojan downloads and shows to the user when launching the file from an infected archive.

Once the user clicks on the Trojan (masquerading as a PDF), a script is executed that actually downloads the corresponding PDF document from the internet and opens it. But, of course, that’s not all that happens. The Trojan’s main task is to download another virus, which gathers information about the infected system, sends it to the C2, and then waits for a command to perform one of two possible actions: self-deletion or saving to a file and executing malicious code sent in response from the server.

Proxy Trojan in pirated software for macOS

In late November 2023, our researchers discovered another malware instance that threatens Mac users — a proxy Trojan, distributed alongside pirated software for macOS. Specifically, this Trojan was added to the PKG files of cracked video editing programs, data recovery tools, network utilities, file converters, and various other software. The full list of infected installers discovered by our experts can be found at the end of the report published on Securelist.

As mentioned earlier, this malware belongs to the category of proxy Trojans — malware that sets up a proxy server on the infected computer, essentially creating a host to redirect internet traffic. Subsequently, cybercriminals can use such infected devices to build a paid network of proxy servers, earning money from those seeking such services.

Alternatively, the Trojan’s owners might directly use the infected computers to carry out criminal activities in the victim’s name — whether it’s attacking websites, companies or other users, or purchasing weapons, drugs or other illegal goods.

Atomic stealer in fake Safari browser updates

Also in November 2023, a new malicious campaign was discovered to spread another Trojan for macOS, known as Atomic and belonging to the category of stealers. This type of malware searches for, extracts, and sends to its creators all kinds of valuable information found on the victim’s computer, particularly data saved in browsers. Logins and passwords, bank card details, crypto wallet keys, and similar sensitive information are of particular value to stealers.

The Atomic Trojan was first discovered and described back in March 2023. What’s new is that now the attackers have started using fake updates for the Safari and Chrome browsers to spread the Atomic Trojan. These updates are downloaded from malicious pages that very convincingly mimic the original Apple and Google websites.

A site with fake Safari browser updates that actually contain the Atomic stealer.

Once running on a system, the Atomic Trojan attempts to steal the following information from the victim’s computer:

cookies
logins, passwords, and bank card details stored in the browser
passwords from the macOS password storage system (Keychain)
files stored on the hard drive
stored data from over 50 popular cryptocurrency extensions

Zero-day vulnerabilities in macOS

Unfortunately, even if you don’t download any suspicious files, you avoid opening attachments from unknown sources, and generally refrain from clicking on anything suspicious, this doesn’t guarantee your security. It’s important to remember that any software always has vulnerabilities that attackers can exploit to infect a device, and which require little or no active user action. And the macOS operating system is no exception to this rule.

Recently, two zero-day vulnerabilities were discovered in the Safari browser — and according to Apple’s announcement, cybercriminals were already exploiting them by the time they were discovered. By simply luring the victim to a malicious webpage, attackers can infect their device without any additional user action, thereby gaining control over the device and the ability to steal data from it. These vulnerabilities are relevant for all devices using the Safari browser, posing a threat to both iOS/iPadOS users and Mac owners.

This is a common scenario: as Apple’s operating systems share many components, vulnerabilities often apply not just to one of the company’s operating systems but to all of them. Thus, it’s a case of Macs being betrayed by the iPhone’s popularity: iOS users are the primary targets, but these vulnerabilities can just as easily be used to attack macOS.

A total of 19 zero-day vulnerabilities were discovered in Apple’s operating systems in 2023 that are known to have been actively exploited by attackers. Of these, 17 affected macOS users — including over a dozen with high-risk status, and one classified as critical.

Zero-day vulnerabilities in macOS, iOS, and iPadOS discovered in 2023, which were actively exploited by cybercriminals

Other threats and how to protect your Mac

What’s important to remember is that there are numerous cyberthreats that don’t depend on the operating system but that can be no less dangerous than malware. In particular, pay attention to the following threats:

Phishing and fake websites. Phishing emails and websites work the same way for both Windows users and Mac owners. Alas, not all fake emails and websites are easily recognizable, so even experienced users often face the risk of having their login credentials stolen.
Web threats, including web skimmers. Malware can infect not only the user’s device but also the server it communicates with. For example, attackers often hack poorly protected websites, especially online stores, and install web skimmers on them. These small software modules are designed to intercept and steal bank card data entered by visitors.
Malicious browser extensions. These small software modules are installed directly into the browser and operate within it, so they don’t depend on the OS being used. Despite being seemingly harmless, extensions can do a lot: read the content of all visited pages, intercept information entered by the user (passwords, card numbers, keys to crypto wallets), and even replace displayed page content.
Traffic interception and man-in-the-middle (MITM) attacks. Most modern websites use encrypted connections (HTTPS), but you can still sometimes come across HTTP sites where data exchange can be intercepted. Cybercriminals use such interception to launch MITM attacks, presenting users with fake or infected pages instead of legitimate ones.

To protect your device, online service accounts and, most importantly, the valuable information they contain, it’s crucial to use comprehensive protection for both Mac computers and iPhones/iPads. Such protection must be able to counteract the entire range of threats — for example, solutions like our Kaspersky Premium, whose effectiveness has been confirmed by numerous awards from independent testing laboratories.
