Episode 360 looks at fake Taylor Swift, Nvidia in the dock, TV ads and much more! | Kaspersky official blog

Episode 360 of the Transatlantic Cable podcast kicks off with news that Nvidia are on the receiving end of a class-action lawsuit alleging that they scraped YouTube videos without creators’ consent. From there, the team discuss news around Taylor Swift AI images being shared by Donald Trump, and an additional story around how photography is quickly being swamped by generative AI.

To close, the team discuss a story around how your humble television is being invaded by advertisers.

If you like what you heard, please consider subscribing.

Nvidia Sued for Scraping YouTube After 404 Media Investigation
Swift Could Sue Trump Under State Law for Fake AI Endorsement
The AI photo editing era is here, and it’s every person for themselves
Your TV set has become a digital billboard

Kaspersky official blog – Read More

Improvements to our SIEM in Q2 2024 | Kaspersky official blog

We meticulously study the techniques most frequently used by attackers, and promptly refine or add detection logic to our SIEM system to identify those techniques. Specifically, in the update to the Kaspersky Unified Monitoring and Analysis Platform released in the second quarter of 2024, we supplemented and expanded the logic for detecting the technique of disabling/modifying a local firewall (Impair Defenses: Disable or Modify System Firewall, T1562.004 in the MITRE classification), which ranks among the top tactics, techniques, and procedures (TTPs) used by attackers.

How attackers disable or modify a local firewall

The T1562.004 technique allows attackers to bypass defenses and gain the ability to connect to C2 servers over the network or enable an atypical application to have basic network access.

There are two common methods for modifying or disabling the host firewall: (i) using the netsh utility, or (ii) modifying the Windows registry settings. Here are examples of popular command lines used by attackers for these purposes:

netsh firewall add allowedprogram
netsh firewall set opmode mode=disable
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

Example of a registry key and value added by attackers, allowing incoming UDP traffic for the application C:\Users\<user>\AppData\Local\Temp\server.exe:

HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Registry_value_name: {20E9A179-7502-465F-99C4-CC85D61E7B23}

Registry_value: 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\<user>\AppData\Local\Temp\server.exe|Name=server.exe|'

Another method attackers use to disable the firewall is by stopping the mpssvc service. This is typically done with the net utility:

net stop mpssvc

How our SIEM solution detects T1562.004

This is achieved using the new R240 rule; in particular, by detecting and correlating the following events:

Attacker stopping the local firewall service to bypass its restrictions
Attacker disabling or modifying the local firewall policy to bypass it (configuring or disabling the firewall via netsh.exe)
Attacker changing local firewall rules through the registry to bypass its restrictions (modifying rules through the Windows registry)
Attacker disabling the local firewall through the registry
Attacker manipulating the local firewall by modifying its policies
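The three methods described above (netsh command lines, stopping mpssvc, and FirewallRules registry values) can be correlated per host from ordinary endpoint telemetry. The following is an added example written for this post; it is not rule R240 and not Kaspersky code. It assumes Sysmon-style event dictionaries (EventID 1 with CommandLine, EventID 13 with TargetObject and Details), and the sample events, paths and GUIDs are constructed. The rule-value parser handles the 'v2.10|Key=Value|...|' format shown above, and an inbound allow rule is only flagged when the program sits in a user-writable location, which keeps legitimately installed software out of the alert.

```python
"""Constructed detection example for T1562.004 (added here; not KUMA rule R240 and
not Kaspersky code). Input events are assumed to be Sysmon-style dictionaries:
EventID 1 (process creation, CommandLine) and EventID 13 (registry value set,
TargetObject/Details). Three methods from the post are covered: netsh changes,
stopping mpssvc, and FirewallRules values that allow inbound traffic to a binary
in a user-writable location."""
import re
from collections import defaultdict

TECHNIQUE = "T1562.004"

# Command lines the post lists, as regexes (constructed; a real rule set is broader).
COMMAND_PATTERNS = [
    (re.compile(r"netsh\s+firewall\s+set\s+opmode\s+mode=disable", re.I),
     "legacy firewall disabled via netsh"),
    (re.compile(r"netsh\s+advfirewall\s+set\s+(?:currentprofile|allprofiles)\s+state\s+off", re.I),
     "firewall profile disabled via netsh advfirewall"),
    (re.compile(r"netsh\s+firewall\s+add\s+allowedprogram", re.I),
     "program allowed through firewall via netsh"),
    (re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+mpssvc\b", re.I),
     "firewall service mpssvc stopped"),
]

FIREWALL_RULES_KEY = (r"HKLM\SYSTEM\ControlSet001\services\SharedAccess"
                      r"\Parameters\FirewallPolicy\FirewallRules")

# Paths a standard user can write to; an inbound allow rule for a binary there is suspicious.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)


def parse_firewall_rule(value: str) -> dict:
    """Parse the 'v2.10|Key=Value|...|' format of a FirewallRules value into a dict."""
    parts = [p for p in value.strip("'\"").split("|") if p]
    rule = {"version": parts[0]}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        rule[key] = val
    return rule


def check_process(event: dict) -> list:
    """Return descriptions of every suspicious command-line pattern in a process event."""
    cmd = event.get("CommandLine", "")
    return [desc for pattern, desc in COMMAND_PATTERNS if pattern.search(cmd)]


def check_registry(event: dict) -> list:
    """Flag an active inbound allow rule whose program lives in a user-writable path."""
    if not event.get("TargetObject", "").upper().startswith(FIREWALL_RULES_KEY.upper()):
        return []
    rule = parse_firewall_rule(event.get("Details", ""))
    if (rule.get("Action", "").lower() == "allow"
            and rule.get("Active", "").upper() == "TRUE"
            and rule.get("Dir", "").lower() == "in"
            and USER_WRITABLE.search(rule.get("App", ""))):
        return [f"inbound allow rule added via registry for {rule['App']}"]
    return []


def detect(events: list) -> dict:
    """Return {host: [finding, ...]} for hosts with at least one T1562.004 finding."""
    findings = defaultdict(list)
    for event in events:
        if event.get("EventID") == 1:
            hits = check_process(event)
        elif event.get("EventID") == 13:
            hits = check_registry(event)
        else:
            hits = []
        for hit in hits:
            findings[event["host"]].append(f"{TECHNIQUE}: {hit}")
    return dict(findings)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "EventID": 1, "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"host": "ws-01", "EventID": 1, "CommandLine": "net stop mpssvc"},
    {"host": "ws-01", "EventID": 13,
     "TargetObject": FIREWALL_RULES_KEY + r"\{20E9A179-7502-465F-99C4-CC85D61E7B23}",
     "Details": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|"
                r"App=C:\Users\alice\AppData\Local\Temp\server.exe|Name=server.exe|"},
    {"host": "ws-02", "EventID": 1, "CommandLine": "netsh advfirewall show allprofiles"},
    {"host": "ws-02", "EventID": 13,
     "TargetObject": FIREWALL_RULES_KEY + r"\{placeholder-guid}",
     "Details": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|"
                r"App=C:\Program Files\Vendor\agent.exe|Name=Vendor Agent|"},
]

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS).items():
        print(host, *hits, sep="\n  ")
```

Run as a script, the example reports three findings for ws-01 and nothing for ws-02, whose netsh call is read-only and whose allow rule points at Program Files. In a real deployment the per-host grouping is what lets a single correlation rule fire on any of the five event kinds listed above rather than on one command line in isolation.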

With its latest update, the platform now offers more than 605 rules, including 474 containing direct detection logic. We’ve also refined 20 existing rules by fixing or adjusting their conditions.

Why we focus on the MITRE classification

MITRE ATT&CK for Enterprise serves as the de facto industry standard guideline for classifying and describing cyberattacks and intrusions, and is made up of 201 techniques, 424 sub-techniques, and thousands of procedures. Therefore, when deciding how to further develop our SIEM platform — the Kaspersky Unified Monitoring and Analysis Platform — we rely, among other things, on the MITRE classification.

As per our plan set out in a previous post, we’ve started labeling current rules in accordance with MITRE attack methods and tactics — aiming to expand the system’s functionality and reflect the level of protection against known threats. This is important because it allows us to structure the detection logic and ensure that the rules are comprehensive — with no “blind spots”. We also rely on MITRE when developing OOTB (out-of-the-box) content for our SIEM platform. Currently, our solution covers 309 MITRE ATT&CK techniques and sub-techniques.

Other additions and improvements to the SIEM system

In addition to the detection logic for T1562.004 mentioned above, we’ve added normalizers to the Kaspersky Unified Monitoring and Analysis Platform SIEM system to support the following event sources:

[OOTB] Microsoft Products, [OOTB] Microsoft Products for Kaspersky Unified Monitoring and Analysis Platform 3, [OOTB] Microsoft Products via KES WIN: normalizers to process some events from the Security and System logs of the Microsoft Windows Server operating system. The [OOTB] Microsoft Products via KES WIN normalizer supports a limited number of audit event types transmitted to KUMA KES WIN 12.6 through syslog.
[OOTB] Extreme Networks Summit Wireless Controller: a normalizer for certain audit events from the Extreme Networks Summit wireless controller (model: WM3700, firmware version: 5.5.5.0-018R).
[OOTB] Kaspersky Security for MS Exchange SQL: a normalizer for Kaspersky Security for Exchange (KSE) version 9.0 system events stored in the database.
[OOTB] TIONIX VDI file: a normalizer supporting the processing of some TIONIX VDI (version 2.8) system events stored in the tionix_lntmov.log file.
[OOTB] SolarWinds Dameware MRC xml: a normalizer supporting the processing of some Dameware Mini Remote Control (MRC) version 7.5 system events stored in the Windows Application log. The normalizer processes events created by the “dwmrcs” provider.
[OOTB] H3C Routers syslog: a normalizer for certain types of events coming from H3C (Huawei-3Com) SR6600 network devices (Comware 7 firmware) through syslog. The normalizer supports the “standard” event format (RFC 3164-compliant format).
[OOTB] Cisco WLC syslog: a normalizer for certain types of events coming from Cisco WLC network devices (2500 Series Wireless Controllers, 5500 Series Wireless Controllers, 8500 Series Wireless Controllers, Flex 7500 Series Wireless Controllers) through syslog.
[OOTB] Huawei iManager 2000 file: a normalizer supporting the processing of some of the Huawei iManager 2000 system events stored in clientlogsrpc and clientlogsdeployossDeployment files.

Our experts have also refined the following normalizers:

For Microsoft products: the redesigned Windows normalizer is now publicly available.
For the PT NAD system: a new normalizer has been developed for PT NAD versions 11.1, 11.0.
For UNIX-like operating systems: additional event types are now supported.
For Check Point: improvements to the normalizer supporting Check Point R81.
For the Citrix NetScaler system: additional events from Citrix ADC 5550 — NS13.0 are now supported.
For FreeIPA: the redesigned normalizer is now publicly available.

In total, we now support around 250 sources, and we keep expanding this list while improving the quality of each connector. The full list of supported event sources in the Kaspersky Unified Monitoring and Analysis Platform — version 3.2, can be found in the technical support section. Information on out-of-the-box correlation rules is also available there.


Windows Downdate: exploitation techniques and countermeasures

All software applications, including operating systems, contain vulnerabilities, so regular updates to patch them are a cornerstone of cybersecurity. The researchers who invented the Windows Downdate attack targeted this very update mechanism, aiming to stealthily roll back a fully updated Windows system to an older version containing vulnerable files and services. This leaves the system exposed to well-known exploits and deep-level compromise — including the hypervisor and secure kernel. Worse, standard update and system-health checks will report that everything’s up to date and fine.

Attack mechanism

The researchers actually found two separate flaws with slightly different operating mechanisms. One vulnerability — assigned the CVE-2024-21302 ID and dubbed Downdate — is based on a flaw in the update installation process: the downloaded update components are controlled, protected from modification, and digitally signed, but at one of the intermediate installation stages (between reboots), the update procedure creates and then uses a file containing a list of planned actions (pending.xml). If attackers are able to create their own version of that file and then add information about it to the registry, Windows Modules Installer service (TrustedInstaller) will execute the instructions in it upon reboot.

In actual fact, the contents of pending.xml do get verified, but it’s done during previous installation stages — TrustedInstaller doesn’t re-verify it. Of course, it’s impossible to write whatever you like to the file and install arbitrary files this way — since they must be signed by Microsoft, but replacing system files with older files developed by Microsoft is quite feasible. This can re-expose the system to long-patched vulnerabilities — including critical ones. Adding the necessary keys related to pending.xml to the registry requires administrator privileges, after which a system reboot must be initiated. However, these are the only significant limitations. This attack doesn’t require elevated privileges (for which Windows dims the display and prompts an admin for additional permission), and most security tools won’t flag the actions performed during the attack as suspicious.

The second vulnerability — CVE-2024-38202 — allows an actor to manipulate the Windows.old folder, where the update system stores the previous Windows installation. Although modifying files in this folder requires special privileges, an attacker with regular user rights can rename the folder, create a new Windows.old from scratch, and place outdated, vulnerable versions of Windows system files in it. Initiating a system restore then rolls Windows back to the vulnerable installation. Certain privileges are required for system restoration, but these aren’t administrator privileges and are sometimes granted to regular users.

VBS bypass and password theft

Since 2015, the Windows architecture has been redesigned to prevent a Windows kernel compromise leading to that of the whole system. This involves a range of measures collectively known as virtualization-based security (VBS). Among other things, the system hypervisor is used to isolate OS components and create a secure kernel for performing the most sensitive operations, storing passwords, and so on.

To prevent attackers from disabling VBS, Windows can be configured to make this impossible — even with administrator rights. The only way to disable this protection is by rebooting the computer in a special mode and entering a keyboard command. This feature is called a Unified Extensible Firmware Interface (UEFI) lock. The Windows Downdate attack bypasses this restriction as well by replacing files with modified, outdated, and vulnerable versions. VBS doesn’t check system files for up-to-dateness, so they can be substituted with older, vulnerable versions with no detectable signs or error messages. That is, VBS isn’t disabled technically, but the feature no longer performs its security function.

This attack allows for the replacement of secure-kernel and hypervisor files with two-year-old versions containing multiple vulnerabilities whose exploitation leads to privilege escalation. As a result, attackers can gain maximum system privileges, full access to the hypervisor and memory-protection processes, and the ability to easily read credentials, hashed passwords, and also NTLM hashes from memory (which can be used for expanding the network attack).

Protection against Downdate

Microsoft was informed of the Downdate vulnerabilities in February 2024, but it wasn’t until August that details were released as part of its monthly Patch Tuesday rollout. Fixing the bugs proved to be a tough task fraught with side effects — including the crashing of some Windows systems. Therefore, instead of rushing to publish another patch, Microsoft for now has simply issued some tips to mitigate the risks. These include the following:

Auditing users authorized to perform system-restore and update operations, minimizing the number of such users, and revoking permissions where possible.
Implementing access control lists (ACL/DACL) to restrict access to, and modification of update files.
Configuring event monitoring for instances where elevated privileges are used to modify or replace update files — this could be an indicator of vulnerability exploitation.
Similarly, monitoring the modification and replacement of files associated with the VBS subsystem and system-file backups.

Monitoring these events using SIEM and EDR is relatively straightforward. However, false positives can be expected, so distinguishing legitimate sysadmin activity from that of hackers ultimately falls to the security team.
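The monitoring recommended above boils down to two checks that a SIEM or EDR rule can express against file-change events: a protected file being replaced by a version older than the one already recorded, and the Windows.old folder being renamed or re-created by an account that is not an administrator. The block below is an added example written for this post, not Microsoft’s guidance or Kaspersky code; the event fields, file names, version numbers and account names are assumptions constructed for the illustration. Comparing version tuples rather than strings is what makes a downgrade recognisable even when the replacement is a genuine Microsoft-signed file, which is the case Downdate exploits.

```python
"""Constructed monitoring example (added here; not Microsoft's guidance text or
Kaspersky code). It applies the two checks the post recommends to file-change
events: a protected VBS file being replaced by an older version than a recorded
baseline, and Windows.old being renamed or re-created by an account that is not
an administrator. File names, versions and event fields are assumptions."""
from typing import Optional

# Baseline versions for files the secure kernel and hypervisor depend on.
# Values are constructed for the example, not taken from a real system.
BASELINE = {
    r"C:\Windows\System32\securekernel.exe": "10.0.22621.3880",
    r"C:\Windows\System32\hvix64.exe": "10.0.22621.3880",
}

ADMIN_GROUPS = {"Administrators", "TrustedInstaller"}


def version_tuple(version: str) -> tuple:
    """Turn '10.0.22621.3880' into (10, 0, 22621, 3880) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_windows_old(path: str) -> bool:
    """True for the Windows.old folder itself, regardless of drive letter or case."""
    return path.rstrip("\\").lower().endswith("\\windows.old")


def check_event(event: dict) -> Optional[str]:
    """Return an alert string if the event matches one of the two checks, else None."""
    kind = event["kind"]
    if kind == "file_write":
        path = event["path"]
        expected = BASELINE.get(path)
        if expected and version_tuple(event["version"]) < version_tuple(expected):
            return f"downgrade: {path} {expected} -> {event['version']} by {event['user']}"
    elif kind in ("rename", "create"):
        touched = event.get("old_path", event["path"])
        if is_windows_old(touched) and not (set(event["groups"]) & ADMIN_GROUPS):
            return f"{kind} of {touched} by non-admin {event['user']}"
    return None


def scan(events: list) -> list:
    """Return the alert strings for all events that match a check, in input order."""
    return [alert for alert in map(check_event, events) if alert]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    # older secure-kernel binary written during "servicing": the Downdate signature
    {"kind": "file_write", "path": r"C:\Windows\System32\securekernel.exe",
     "version": "10.0.22621.1105", "user": "TrustedInstaller", "groups": ["TrustedInstaller"]},
    # a normal update moves the version forward and is not flagged
    {"kind": "file_write", "path": r"C:\Windows\System32\hvix64.exe",
     "version": "10.0.22621.4037", "user": "TrustedInstaller", "groups": ["TrustedInstaller"]},
    {"kind": "rename", "old_path": r"C:\Windows.old", "path": r"C:\Windows.old.bak",
     "user": "alice", "groups": ["Users"]},
    {"kind": "create", "path": r"C:\Windows.old", "user": "alice", "groups": ["Users"]},
    # the same folder created by a privileged account after an upgrade is expected
    {"kind": "create", "path": r"C:\Windows.old", "user": "SYSTEM", "groups": ["Administrators"]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The first sample event is the interesting one: the writer is TrustedInstaller, exactly as in the pending.xml abuse described earlier, so a rule keyed only on "who" would miss it, while the version comparison catches it. The last two events show where the false positives mentioned above come from: a privileged upgrade legitimately creates Windows.old, so the account check has to distinguish administrators from the ordinary users to whom restore rights are sometimes granted.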

All of the above applies not only to physical, but also virtual Windows machines in cloud environments. For virtual machines in Azure, we also advise tracking unusual attempts to log in with administrator credentials. Enable MFA and change the credentials in case such an attempt is detected.

One other, more drastic tip: revoke administrator privileges for employees who don’t need them, and mandate that genuine administrators (i) only perform administrative actions under their respective account, and (ii) use a separate account for other work.

Risky fixes

For those looking for more security, Microsoft offers the update KB5042562, which mitigates the severity of CVE-2024-21302. With this installed, outdated versions of VBS system files are added to the revoked list and can no longer be run on an updated computer. This policy (SkuSiPolicy.p7b) is applied at the UEFI level, so when using it you need to update not only the OS but also backup removable boot media. It’s also important to be aware that rollback to older installations of Windows would no longer be possible. What’s more, the update forcibly activates the User Mode Code Integrity (UMCI) feature, which itself can cause compatibility and performance issues.

In general, administrators are advised to carefully weigh the risks, and thoroughly study the procedure and its potential side effects. Going forward, Microsoft promises to release patches and additional security measures for all relevant versions of Windows — up to Windows 10, version 1507, and Windows Server 2016.


Privacy-Preserving Attribution by Mozilla: what is it and what’s it for? | Kaspersky official blog

In July 2024, with the latest version of its Firefox browser, Mozilla introduced a technology called Privacy-Preserving Attribution (PPA) — designed to track how effective online advertising is. The feature is enabled by default in Firefox 128.

This has already caught the eye of online privacy advocates, and led to headlines like “Now Mozilla too is selling user data”. The clamor got so loud that Firefox CTO, Bobby Holley, had to take to Reddit to explain to users what Mozilla actually did and why.

Now’s the time to take a closer look at what PPA is, why it’s needed in the first place, and why it’s appeared now.

Google Ad Topics and Facebook Link History

First, a bit of backstory. As you may recall, way back in 2019 the developers of the world’s most popular browser — Google Chrome — began hatching plans to completely disable support for third-party cookies.

These tiny files have been tracking user actions online for 30 years now. The technology is both the backbone of the online advertising industry, and the chief means of violating users’ privacy.

Some time ago, as a replacement, Google unveiled an in-house development called Ad Topics. With this technology, tracking is based on users’ Chrome browser history, and interaction history with Android apps. The rollout of Ad Topics was expected to be followed by the phasing out of support for third-party cookies in Chrome in H2 2024.

Another major digital advertising player to develop its own user-tracking technology is Meta, which likewise relies on third-party cookies. Called Link History, it makes sure that all external links in the Facebook mobile apps now get opened in its built-in browser — where the company can still snoop on your actions.

The bottom line is that ending support for third-party cookies hands even more control over to Google and Meta — owner of the world’s most popular browser and mobile OS, and of the world’s most popular social network, respectively — while smaller players will become even more dependent on them.

At the same time, user data continues to be collected on an industrial scale, and primarily by the usual suspects when it comes to claims of privacy violation: yes, Google and Facebook.

The question arises: is it not possible to develop some mechanism to allow advertisers to track the effectiveness of advertising without mass collection of user data? The answer comes in the shape of Privacy-Preserving Attribution.

Meet Prio, a privacy-preserving aggregation system

To better understand the history of this technology, we have to go back a bit in time — to 2017, when cryptographers Henry Corrigan-Gibbs and Dan Boneh of Stanford University presented a research paper. In it, they described a privacy-oriented system for collecting aggregated statistics, which they called Prio.

To greatly simplify matters, Prio is based on the following mechanism. Let’s say you’re interested in the average age of a certain number of users, but you want to preserve their privacy. You set up two (or more) piggy banks and ask each user to count out the number of coins corresponding to their age and, without showing them to anyone, randomly drop the coins into different money boxes.

Then you tip the coins out of the piggy banks into a pile, count them and divide by the number of users. The result is what you wanted: the average age of the users. And if at least one of the piggy banks keeps its secret (i.e., doesn’t tell anyone what went into it), then it’s impossible to determine how many coins any one user put into the boxes.

Prio’s main stages of information processing.

Prio overlays this basic mechanism with a lot of cryptography to protect information from interception and ensure the validity of data received. There’s no way for users to slip answers into the system, for whatever reason, that could distort the results. The main concept lies in the use of two or more aggregators that collect random shares of the sought information.

Prio’s algorithms have another key feature: they greatly improve system performance compared to previous methods of reliable anonymized data collection — by 50–100 times, say the researchers.

Distributed Aggregation Protocol

Mozilla got interested in Prio back in 2018. The first fruit of this interest was its development of the experimental system Firefox Origin Telemetry — based on Prio. Notably, this system was designed to privately gather telemetry on the browser’s ability to combat ad trackers.

Then, in February 2022, Mozilla unveiled Interoperable Private Attribution (IPA) technology, developed jointly with Meta, which, it seems, served as the prototype to PPA.

May 2022 saw the publication of a zero draft of the Prio-based Distributed Aggregation Protocol (DAP). The draft was authored by representatives of Mozilla and the Internet Security Research Group (ISRG) — a non-profit known for the Let’s Encrypt project to democratize the use of HTTPS — as well as two Cloudflare employees.

While working on the protocol, ISRG was also building a DAP-based system for collecting anonymized statistics, known as Divvi Up. This system is primarily intended to collect various technical telemetry to improve website performance, such as page load-time.

Schematic of the basic operating principle of the DAP protocol.

Finally, in October 2023, Divvi Up and Mozilla announced a collaboration to implement DAP in the Firefox browser. As part of this joint effort, a system of two aggregators was created — one of which operates on the Mozilla side, the other on the Divvi Up side.

How PPA works

It’s this Divvi Up/Mozilla system that’s currently being deployed with PPA technology. So far, it’s just an experiment involving a limited number of sites.

In general outline, it works as follows:

The website asks the browser to remember instances of successful ad views.
If the user performs some action that the site considers useful (for example, buys a product), the site queries the browser to find out if the user saw the ad.
The browser doesn’t tell the site anything, but sends information through the DAP protocol to the aggregation servers.
All such reports are accumulated in aggregators, and the site periodically receives a summary.

As a result, the site learns that out of X number of users who saw a certain ad, Y number of users performed actions deemed useful for the site. But neither the site nor the aggregation system knows anything about who these users were, what else they did online, etc.
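The piggy-bank mechanism from the Prio section and the four-step PPA flow just described are the same idea: each browser splits its report into two random additive shares, one per aggregator, and only the sum of both aggregators’ totals is meaningful. The block below is an added example written for this post; it is not Mozilla’s, Divvi Up’s or the Prio authors’ code, and it deliberately leaves out Prio’s zero-knowledge validity proofs, so it shows the privacy property but not the protection against a user submitting a malformed share. The users, ad identifiers and field size are constructed.

```python
"""Constructed example of the Prio piggy-bank idea and the PPA flow above (added
here; not Mozilla's, Divvi Up's or the Prio authors' code). Each browser splits
its report (saw the ad, converted after seeing it) into two random additive
shares, one per aggregator. Each aggregator only ever sees shares that are
uniformly random on their own; adding the two aggregators' totals recovers X
(users who saw the ad) and Y (users who converted). Prio's zero-knowledge
validity proofs for each share are not reproduced here."""
import secrets

MODULUS = 2**61 - 1  # prime field for additive sharing (size chosen for the example)


def split(value: int) -> tuple:
    """Split value into two shares that sum to value mod MODULUS; each share alone is random."""
    share_a = secrets.randbelow(MODULUS)
    share_b = (value - share_a) % MODULUS
    return share_a, share_b


class Aggregator:
    """One of the two piggy banks: sums the shares it receives, never sees whole reports."""

    def __init__(self, name: str):
        self.name = name
        self.saw_total = 0
        self.converted_total = 0

    def accept(self, saw_share: int, converted_share: int) -> None:
        self.saw_total = (self.saw_total + saw_share) % MODULUS
        self.converted_total = (self.converted_total + converted_share) % MODULUS


def browser_report(seen_ads: set, converted: bool, ad_id: str) -> tuple:
    """What the browser sends for one user: shares of (saw_ad, saw_ad and converted).
    The site itself receives nothing; only the two aggregators get one share each."""
    saw = 1 if ad_id in seen_ads else 0
    conv = 1 if (saw and converted) else 0
    return split(saw), split(conv)


def run_campaign(users: list, ad_id: str) -> tuple:
    """Simulate the PPA flow for one ad across many browsers; return (X, Y)."""
    # Two aggregators, modelled on the Mozilla-side / Divvi Up-side pair the post describes.
    agg_mozilla = Aggregator("aggregator-A")
    agg_divviup = Aggregator("aggregator-B")
    for seen_ads, converted in users:
        (saw_a, saw_b), (conv_a, conv_b) = browser_report(seen_ads, converted, ad_id)
        agg_mozilla.accept(saw_a, conv_a)
        agg_divviup.accept(saw_b, conv_b)
    # The summary is only meaningful once both totals are combined.
    x = (agg_mozilla.saw_total + agg_divviup.saw_total) % MODULUS
    y = (agg_mozilla.converted_total + agg_divviup.converted_total) % MODULUS
    return x, y


# Constructed users: (ads this browser remembers seeing, whether the user later converted).
USERS = [
    ({"ad-1"}, True),
    ({"ad-1"}, False),
    (set(), True),          # converted without seeing the ad: counted in neither X nor Y
    ({"ad-1", "ad-2"}, True),
    ({"ad-2"}, False),
    ({"ad-1"}, False),
]

if __name__ == "__main__":
    print(run_campaign(USERS, "ad-1"))  # (4, 2)
```

Run it and the site learns that four users saw ad-1 and two of them converted, which is all it gets. Inspecting either aggregator’s totals on their own gives a random field element, and the same holds for every individual share, which is why the post can say that as long as one piggy bank keeps its secret nobody learns any single user’s report.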

Why we need PPA

In the above-mentioned statement on Reddit, Firefox’s CTO explained what Mozilla was aiming for by introducing PPA along with the new version of its browser.

The company’s reasoning is roughly the following. Online advertising, at least at this stage of the internet’s development, is a necessary evil. And it’s understandable that advertisers want to be able to measure its effectiveness. But the tools currently used for this disregard user privacy.

Meanwhile, any talk about how to somehow restrict advertisers’ tracking of users’ actions is met with protests from the former. No data collection, they argue, means they’re deprived of a tool for assessing online advertising.

Basically, PPA is an experimental tool that allows advertisers to get the feedback they need without collecting and storing data on what users did.

If the experiment shows the technology can satisfy advertisers’ needs, it will give privacy advocates a weighty argument in future dealings with regulators and lawmakers. Broadly speaking, it will prove that total online surveillance is unnecessary, and should be limited by law.

Block third-party cookies now

As it happens, almost immediately after the uproar surrounding Mozilla’s new rollout, Google announced a complete reversal of its plans to disable third-party cookies. Getting rid of stale technology can be harder than it might seem — as Microsoft found out when trying to bury Internet Explorer.

The good news is that, unlike Internet Explorer, which is indeed hard to weed out of Windows, third-party cookies are something that users can handle on their own. All modern browsers make it easy to block them — see our guide for full details.

Bear in mind that Google’s refusal to get rid of cookies doesn’t spell the end of Ad Topics — the company intends to continue the experiment. So we recommend disabling this feature too, and here’s how to do it in Chrome and Android.

And if you use the Facebook mobile app, it’s worth turning off Link History. Again, our guide explains how.

Also, you can and should make use of the Private Browsing feature in our Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscription plans to block ad trackers (by no means all of which use cookies).

Lastly, we recommend using our free Privacy Checker service, where you can find instructions on setting up privacy for the most common applications, services and social networks for different operating systems.

As for PPA, the technology looks pretty useful. If you think otherwise, here are simple instructions to disable it in Firefox. As for me, I prefer to support the development of this technology, so will continue to use it in my browser.


Transatlantic Cable podcast episode 359 | Kaspersky official blog

Episode 359 kicks off with discussion around the recent riots in the U.K. and how the UK government is looking to leverage facial recognition to combat troublemakers. From there, the team discuss a strange story concerning how police forces in the U.S. were able to locate a criminal via a lock-screen picture left at the scene of a crime.

To wrap up, the team discuss news that artificial intelligence is being leveraged to help find the ‘next Olympians’ – however, results may vary.

If you liked what you heard, please consider subscribing.

Keir Starmer says facial recognition tech is the answer to far-right riots
Cops Used Facial Recognition on Lost iPhone Lock Screen to Find Post Office Robbers
The AI tech aiming to identify future Olympians


How deepfakes threaten KYC (Know Your Customer) | Kaspersky official blog

While humanity is trying to figure out how to recoup the hundreds of billions of dollars invested in generative AI, cybercriminals are already adopting the technology. For example, they’ve discovered that AI can be used to create virtual money mules — dummy accounts used to transfer stolen funds. Deepfakes allow criminals to successfully bypass customer identity verification (KYC, Know Your Customer) procedures used by financial institutions, thereby eliminating the need for living accomplices. Let’s delve into the details.

What is KYC?

The KYC procedure is a financial-sector practice for verifying a customer’s identity that’s used to combat various illegal financial activities — including fraud, money laundering, tax evasion, financing terrorism, and more.

More specifically, KYC often refers to biometric identity verification systems in fully remote services — that is, when a customer signs up online without any personal contact with employees of the financial institution.

Typically, this procedure requires the customer to upload photos of their documents and take a selfie, often holding the documents. An additional security measure has also recently become popular: the customer is asked to turn on their smartphone camera and turn their head in different directions, following instructions.

This method is sometimes also used to verify transactions, but it’s generally designed to protect against authentication using static photos that might have been stolen somehow. The problem is that criminals have already figured out how to bypass this protection: they use deepfakes.

AI tools for fraud

Not long ago, experts from the deepfake detection startup, Sensity, released an annual report describing some of the most common ways that cybercriminals maliciously use AI-generated content.

In this report, the experts publish the total number of AI content creation tools worldwide. They counted 10,206 tools for image generation, 2,298 tools for replacing faces in videos and creating digital avatars, and 1,018 tools for generating or cloning voices.

The report also highlights the number of specialized utilities designed specifically to bypass KYC: they counted as many as 47 such tools. These tools allow cybercriminals to create digital clones that successfully pass customer identity verification. As a result, fraudsters can remotely open accounts in financial institutions — banks, cryptocurrency exchanges, payment systems, and more.

Deepfakes are used to bypass KYC procedures worldwide (regions where these attacks occur most frequently are highlighted in red on the map).

These accounts are later used for various criminal activities — mainly for direct financial fraud, as well as laundering profits from illegal operations.

Digital clone store

Recently, 404 Media reported on an underground website selling photos and videos of people for bypassing KYC. According to the journalists, traders of digital duplicates have entire collections of such content. They find volunteers in disadvantaged countries and pay them relatively small amounts ($5-$20) for the footage.

The resulting content is then sold to anyone interested. The collections are quite extensive and include people of different ages, genders, and ethnicities. The site’s services are fairly inexpensive: for example, the journalists purchased a set for only $30. The sets include photos and videos in different clothing, as well as images with a white card and a blank sheet of paper in hand, which can be replaced with an ID or some other document.

An online store for scammers, selling photo and video content to bypass KYC.

The service is extremely customer-oriented. The website has reviews from grateful buyers, and even features a special mark for those photos and videos that have been purchased the least number of times. Such “fresh clones” are more likely to successfully pass anti-fraud system checks.

In addition to ready-made digital identities, the site’s administrators offer exclusive content sets created individually for the buyer — on demand and probably for more serious money.

AI-generated fake documents

Journalists from the same media also discovered a website specializing in selling realistic photos of fake documents created using AI.

A fake photo of a driver’s license, supposedly belonging to a California resident.

According to an expert from a company that deals with such fraud, some services of this kind sell ready-to-use sets that include both fake documents and photos and videos of their fake owners.

Thus, AI tools and such content collections make the work of fraudsters much easier. Just a few years ago, money mules — real people who directly handled dirty money, opened accounts and made transfers or cash withdrawals — were the weakest link in criminal operations.

Now, such “physical” mules are rapidly becoming unnecessary. Criminals no longer need to interact with unreliable “flesh bags” who are vulnerable to law enforcement. It’s just a matter of creating a certain number of digital clones for the same purposes and then targeting those financial services that allow you to open accounts and conduct transactions completely remotely.

So what’s next?

In the future, the ease of bypassing current KYC procedures will likely lead to two consequences. On the one hand, financial organizations will introduce additional mechanisms for verifying photos and videos provided by remote customers based on detecting signs of AI forgeries.

On the other hand, regulators will likely tighten requirements for fully remote financial operations. So it’s quite possible that the simplicity and convenience of online financial services, which we’ve already become accustomed to, will be threatened by artificial intelligence.

Unfortunately, the problem doesn’t end there. As noted by experts, the widespread availability of AI tools for generating photo, video, and audio content fundamentally undermines trust in digital interactions between people. The higher the quality of AI creations, the harder it becomes to believe what we see on our smartphones and computers.


Kaspersky’s Safe Travel Guide | Kaspersky official blog

Holiday season is a wonderful time — one when all the usual worries take a back seat. On vacation we focus on sights and local culture, and try in every possible way to remove ourselves from our usual routines. But being away from home brings with it some travel concerns to keep in mind; for example, how should one properly use transportation in another country so as not to fall for local scammers’ tricks; also: who should one call in an emergency?

Kaspersky experts have compiled answers to these and many other related questions. In our guide (in convenient PDF format) we’ve collected together some tips and recommendations for you on how to make traveling safe, easy and enjoyable.

Transportation

As to transportation arrangements, above all, learn how to obtain a local bus pass, avoid traveling during rush hours, and don’t take large amounts of cash with you when using public transport. If these tips are obvious to you, here are some other, not-so-typical vacation safety tips:

Use a navigation app popular in the location. Local apps often provide better guidance than more common options like Google Maps. Remember: you should only download new applications from official stores, but malware may lurk there too — so be sure to keep strong protection.
Observe local driving laws. At a minimum, make sure you know whether they drive on the right or the left of the road in the country you’re visiting. This is especially important if you plan to rent a car, bicycle, or any other transportation.
Download transportation schemes and offline maps to your smartphone. It’s safer than connecting to public Wi-Fi hotspots every time.

Accommodation

Choosing the right hotel, apartment, or even room is one of the key parts of a great trip. It’s important to choose accommodation based on your needs and means to find the golden mean:

seek out newly opened hotels to save money;
choose a corner room to get a better view;
let staff know about special occasions;
book business-oriented hotels during weekends;
monitor rates even after you book;
consider room upgrades;
download the hotel’s mobile app, if available.

And most importantly, when looking for accommodation, use specialized services rather than clicking on suspicious links in email. If you want to ensure maximum protection, use the top anti-phishing solution.

Entertainment

Can you imagine how frustrating it’d be to spend money on a vacation organized around a concert of your favorite artist, only to find out at the entrance that your ticket is fake? To prevent this from happening to you, follow our advice.

Buy tickets from official websites. Believe me, scammers have “tickets” to any event: to the theater or to an exhibition, to the Burning Man festival, soccer tournaments, and even to the Olympics.
Look for discounts, but wisely. Students can get an ISIC (the ultimate student discount and travel card), while everyone else should look for packages and hot deals. The key is not to fall for the typical scam tricks; attackers love discount fans.
Find local activities. Tourist attractions are good, of course, but how fun would it be to dig into local forums and interest groups to find like-minded people in another city, country, or even continent?
Set your VPN to your destination’s location. Use a VPN set to the location you plan to visit. This makes your searches more local, showing you events that are popular among the residents rather than those tailored for tourists.

Remember not to share photos of tickets, including boarding passes, on social media — scammers or just haters can use this information against you.

Dating

We’ve already written many times about how to safely get acquainted with people in dating apps, so here we’ve collected the very best recommendations, which together with reliable protection will help you get the most out of holiday romances:

choose reputable dating apps;
use the built-in messenger function of dating platforms; don’t go straight to Telegram or any other messenger;
don’t share personal information with unfamiliar people;
use unique photos and make your profile as private as possible;
meet in public settings;
keep a contact informed;
don’t feel obligated to stay at a meet-up; if you feel uncomfortable with a person, end it as soon as possible.

Shopping

Offline shopping is, of course, much more straightforward than online shopping, but the two do have a few similarities when it comes to security.

Use a separate bank card for traveling with a set limit, and don’t keep large sums of money on a card.
Use secure ATMs that are located at a bank branch. This way you will be safer withdrawing money, and most likely you’ll avoid skimmers.

Studying local trading patterns is often worth it. In some countries haggling is the norm; in others — drinking tea during negotiations is. Whatever the case, bone up on local laws and customs beforehand to avoid possible misunderstandings.

Keep all receipts — this will help with customs or tax declarations when you go home, and will also come in handy when returning or exchanging goods.

Taking the kids on vacation

Children spice things up. But whether it’s a pleasant spiciness or a scorching vindaloo curry is up to you:

choose family-oriented accommodation;
plan lighter travel days;
take snacks, water, extra clothes, and entertainment for your child on the road;
seek out child discounts;
take a first-aid kit and keep a list of nearby medical facilities on your smartphone.

And don’t forget the house rules that should apply on vacation too — monitor the screen time of your child’s devices, and track their location even when they’re away from home.

Other safe-travel tips and advice can be found in our full PDF guide. Save it to your device and use it as a guide for every trip. Bon voyage!


Which IT and IoT devices are most vulnerable | Kaspersky official blog

Infosec teams know all about cyberattacks on servers and desktop computers, and the optimal protective practices are both well-known and well-developed. But things get a lot more complicated when it comes to less “visible” devices — such as routers, printers, medical equipment, and video surveillance cameras. Yet they too are often connected to the organization’s general network along with servers and workstations. The question of which of these devices should be the top infosec priority, and what risk factors are key in each case, is the subject of the “Riskiest Connected Devices in 2024” report.

Its authors analyzed more than 19 million devices: work computers, servers, IoT devices, and specialized medical equipment. For each individual device, a risk level was calculated based on known and exploitable vulnerabilities, open ports accessible from the internet, and malicious traffic sent from or to the device. Also factored in were the importance of the device to its respective organization, and the potential critical consequences of compromise. Here are the devices that researchers found to be most often vulnerable and high-risk.

Wireless access points, routers, and firewalls

The top two places in the list of the riskiest devices in office networks went, by a comfortable margin, to network devices. Routers are typically accessible from the internet, and many of them have open management ports and services that are easy for threat actors to exploit: SSH, Telnet, SMB, plus highly specialized proprietary management services. In recent years, attackers have learned to exploit vulnerabilities in this class of equipment — especially in its administration interfaces. Much the same holds for firewalls — especially since these two functions are often combined in a single device for SMBs. Access points have insecure settings even more often than routers do, but the threat is somewhat mitigated by the fact that compromising them requires being in close proximity to the device. The initial attack vector is usually a guest Wi-Fi network, or a dedicated network for mobile devices.

Printers

Although printer exploitation by hackers isn’t that common, such cases are nearly always high-profile. The risk factors associated with printers are as follows:

They’re often connected directly to the office network and at the same time to the manufacturer’s central servers; that is — to the internet.
They often operate in a standard configuration with default passwords, allowing a potential attacker to view, delete, and add print jobs, among other things, without having to exploit any vulnerabilities.
They usually lack infosec tools, and often get added to firewall allowlists by network administrators to ensure accessibility from all computers in the organization.
Software updates are slow to appear, and installation by users is even slower — so dangerous vulnerabilities in printer software can remain exploitable for years.
The “printers” category includes not only network MFPs, but also highly specialized devices such as label and receipt printers. The latter are often directly connected to both POS terminals and privileged computers that process important financial information.
Printers are a favorite target of hacktivists and ransomware groups because a hack that prints off thousands of copies of a threatening letter can’t fail to make an impression.

VoIP devices and IP surveillance cameras

Like printers, devices in these categories are rarely updated, are very often accessible from the internet, have no built-in information security tools, and are regularly used with default, insecure settings.

Besides the risks of device compromise and hackers’ lateral movement across the network that are common to all technology, unique risks here are posed by the prospect of attackers spying on protected assets and facilities, eavesdropping on VoIP calls, or using VoIP telephony for fraud while impersonating the attacked organization. Exploiting vulnerabilities isn’t even necessary; a misconfiguration or default password will suffice.

Automatic drug dispensers and infusion pumps

The No. 1 niche devices in the hit parade are automated drug dispensers and digital infusion pumps, compromise of which could seriously disrupt hospitals and threaten lives. According to the researchers, high-risk cases occur when such devices aren’t protected from external connections: in late 2022, 183 publicly accessible management interfaces for such devices were discovered; and by late 2023, that number had grown to 225. For a critical incident affecting patient care to arise, deep compromise of the target device is often not necessary — a denial of service or disconnection from the telecommunications network would be quite enough. Real attacks on healthcare facilities by the ransomware group LockBit have provoked such situations. Another risk is the malicious altering of drug dosage, which is made possible by both numerous device vulnerabilities and insecure settings. In some institutions, even a patient can do the altering simply by connecting to the hospital’s Wi-Fi.

How to protect vulnerable equipment in your organization

Disable all unnecessary services on the equipment and restrict access to necessary ones. Control panels and service portals should only be accessible from administrative computers on the internal subnet. This rule is critical for network hardware and any equipment accessible from the internet.
Segment the network by creating a separation between the office, production, and administrative networks. Ensure that IoT devices and other isolated resources can’t be accessed from the internet or the office network available to all employees.
Use strong and unique passwords for each administrator, with multi-factor authentication (MFA) where possible. Use unique passwords for each user, and be sure to apply MFA for access to critical resources and equipment.
If the device lacks support for sufficiently strong authentication and MFA, you can isolate it in a separate subnet, and introduce MFA access control at the network equipment level.
Prioritize rapid firmware and software updates for network equipment.
Study the network and security settings of the equipment in detail. Change default settings if they aren’t secure enough. Disable built-in default accounts and password-less access.
Study the router manual, if available, for ways to improve security (hardening); if not available, seek recommendations from reputable international organizations.
When purchasing printers, multi-function peripherals (MFPs), and similar devices, explore the standard features for improving printer security. Some corporate models offer an encrypted secure print function; some are capable of updating their firmware automatically; and some are able to export events to a SIEM system for comprehensive infosec monitoring.
Implement an all-in-one security system in your organization, including EDR, and comprehensive SIEM-based network monitoring.


Phishing-as-a-Service through Telegram bot

Researchers have discovered a phishing marketplace called ONNX Store, which gives cybercriminals access to tools for hijacking Microsoft 365 accounts, including a means for bypassing two-factor authentication (2FA). This enables threat actors to crank out phishing attacks on both Microsoft 365 and Office 365 email accounts. Corporate information security teams should be aware of this threat and tool up with anti-phishing protection. Let’s take a closer look at the danger…

A malicious attachment with a QR code and 2FA bypass

The researchers’ report describes an attack using ONNX Store phishing tools that targets employees of several financial institutions. First, the victims receive emails seemingly from their HR departments on the topic of remuneration as bait.

The emails contain PDF attachments containing a QR code to be scanned in order to gain access to a “secure document” with “vital information” about the recipient’s salary. The idea here is to get the victim to open the link not on a work computer — which most likely has anti-phishing protection, but on a personal smartphone — which may well not.

The link opens a phishing site mimicking a Microsoft 365 login page. Here, the victim is asked to enter their username and password, followed by a one-time 2FA code.

The fake Microsoft login page prompts victims to enter their credentials and a one-time 2FA code.

All of this information of course goes straight to the attackers. One-time 2FA codes usually have a very short lifespan — often just 30 seconds. Therefore, to speed up delivery of information, the phishing kit uses the WebSocket protocol, which provides real-time communication.

Armed with the stolen credentials and still-valid code, the attackers immediately log in to the account and gain full access to the victim’s correspondence. This access can then be exploited for business email compromise (BEC) and other attacks.

Phishing-as-a-service: plenty of phish in the sea

The hub of this phishing operation is the Telegram instant messenger. ONNX Store embraces automation to the fullest — all interaction with users is through Telegram bots.

Its creators provide phishing services on a subscription basis. The prices are quite low: for example, a monthly subscription for harvesting Microsoft 365 account passwords would cost a potential attacker $200 without a 2FA bypass — $400 with it.

Even small-time cybercriminals can afford that. For this modest investment, they get access to a set of finely-tuned phishing tools. All they have to do is to select an attackable target and devise a monetization scheme.

How to protect your organization against advanced phishing

It’s the low-entry threshold that makes the phishing-as-a-service model such a threat: the circle of cybercriminals with dangerous tools at their disposal becomes much wider. Therefore, we strongly advise that you take preemptive measures against an advanced phishing attack on your organization. Here’s what we recommend:

Consider using FIDO U2F hardware tokens (such as YubiKeys) or passkeys for 2FA. These tools negate even the most sophisticated covert phishing attacks.
Deploy a reliable security solution with anti-phishing protection on all corporate devices, including smartphones and tablets.
Conduct regular security-awareness training to train employees to recognize and deal with suspicious emails. Our interactive Kaspersky Automated Security Awareness Platform provides everything you need on this and more.
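Why a FIDO/WebAuthn login defeats the real-time relay described above, as an added example that is not part of the original post. It is a simplified model: an HMAC secret shared with the relying party stands in for the key's per-site ECDSA signature, and the hostnames are assumed.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                  # assumed relying-party ID (hypothetical)
RP_ORIGIN = "https://login.example.com"      # the only origin the RP will accept
PHISH_ORIGIN = "https://login.example.com.secure-docs.test"  # constructed look-alike


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class ToyAuthenticator:
    """Stand-in for a FIDO key. A real key signs with a per-RP ECDSA private key;
    here an HMAC secret shared with the RP replaces the signature (simplification)."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]            # RP stores this as the credential's key

    def assertion(self, rp_id: str, client_data: bytes):
        # authenticatorData = rpIdHash || flags (user-present bit) || signCount
        auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.creds[rp_id], to_sign, "sha256").digest()


def browser_get_assertion(key, rp_id, page_origin, challenge, enforce_rp_id=True):
    """The browser, not the page script, builds clientDataJSON and records the origin
    it is really on; it also refuses a request whose rpId does not match that origin."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if enforce_rp_id and host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"browser refused: rpId {rp_id!r} not valid for {page_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":")).encode()
    auth_data, sig = key.assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(cred_key, issued_challenge, client_data, auth_data, sig):
    """Relying-party checks: ceremony type, fresh challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    key = ToyAuthenticator()
    cred = key.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    return rp_verify(cred, challenge, *browser_get_assertion(key, RP_ID, RP_ORIGIN, challenge))


def relayed_login(enforce_rp_id=True):
    """The phishing page forwards the RP's live challenge to the victim, exactly as the
    kit above relays passwords and OTP codes, then forwards the response to the RP."""
    key = ToyAuthenticator()
    cred = key.register(RP_ID)
    challenge = secrets.token_urlsafe(32)        # fetched live from the real RP
    try:
        resp = browser_get_assertion(key, RP_ID, PHISH_ORIGIN, challenge, enforce_rp_id)
    except PermissionError as e:
        return False, str(e)                     # first layer: browser never signs
    return rp_verify(cred, challenge, *resp)     # second layer: RP sees the wrong origin
```

Unlike a relayed OTP, the relayed assertion carries the origin the victim's browser was actually on, so even a browser that skipped the rpId check would produce a response the RP rejects.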


How to protect yourself from surveillance that uses AirTag beacons or similar devices (on either Android or iOS) | Kaspersky official blog

Small Bluetooth tags for finding lost items are a godsend for frequent travelers and simply forgetful people. The coin-sized devices contain a battery and a Bluetooth Low Energy (BLE) transmitter, and a smartphone app allows you to determine the beacon’s location to within a few centimeters. If the lost keys with the tag are far away from the owner and their smartphone, other people’s smartphones can help find them: both Apple and Google have deployed a global network in which every smartphone reports the location of nearby beacons to a server, and their proprietary apps (Find My for iOS, and Find my Device for Android) can locate the lost item. There just needs to be at least one smartphone nearby that has both Bluetooth switched on and an internet connection.

Although the most popular beacon is Apple’s AirTag, there are several other accessories that work on the same principle and that are sometimes compatible with each other (Chipolo, eufy, Filo, Samsung SmartTag, Tile, and others). Sometimes tracking functions are built directly into frequently lost accessories, such as Bluetooth headsets and headphones.

The possibility of remote tracking was quickly appreciated not only by the forgetful but also by scammers and stalkers. By planting an AirTag on a victim — for example, slipping it into a purse pocket or under a car license plate — one can track a person’s movements without their knowledge. Thieves use this technology to steal expensive cars, and stalkers and jealous partners use it for surveillance and harassment. So how can you protect yourself from such a thing?

First generation of AirTag protection

As soon as the first reports of AirTags being used for tracking appeared, Apple implemented several protective measures to reduce the likelihood of stalking. First, AirTag was equipped with a speaker. If the Bluetooth tag is far away from the smartphone it’s linked to, it intermittently emits a loud beep. Second, iOS 14.5 introduced a feature that alerts a smartphone owner if someone else’s AirTag is detected nearby for an extended period of time, regardless of the smartphone’s location. If this happens, you can turn on the sound on this beacon to physically locate it, and also check the serial number of the AirTag. Sometimes, it can all be quite innocent, for example if it’s a tag hanging on the keys of a relative or friend you’re traveling with, or a beacon parents have put in their child’s backpack. In this case, the warning about the foreign AirTag can be disabled temporarily or permanently.

Unfortunately, these measures were not enough. They didn’t help Android owners in any way, and attackers learned to bypass the “beep” protection by manually disabling or damaging the speaker, or buying “silent” AirTags on online markets.

How to protect yourself from AirTag and other Bluetooth trackers in 2024

This year, manufacturers have developed cross-platform compatibility — the ability to detect BLE beacons regardless of which smartphone they’re linked to and what kind of smartphone the tracking victim has. To achieve this, Apple and Google joined forces and implemented this functionality in both iOS 17.5 and Android (the update is available for all versions starting with Android 6). Now, warnings that someone else’s tracker is being consistently detected nearby are available on either of these platforms, and the victim can see the tracker’s ID, turn on its speaker, and even get instructions on how to disable the beacon. The tech giants proposed the DULT (detecting unwanted location trackers) standard, which may become an industry standard in the future. For now, some tag manufacturers — Chipolo, eufy, Jio, Motorola, and Pebblebee — have said they will support the current specification.

What to do if you find an unknown Bluetooth tag on your belongings?

There are no hard and fast rules for this situation, as much depends on individual circumstances.

Upon receiving a warning on your smartphone, the first step is to locate the tracker and carefully examine it. You can use the “precision finding” feature, for example by following this guide. The tag could be hidden anywhere — in the folds or pockets of your bag, in your wallet, under the wheel arch of your car, stuck to the bumper or license plate frame, and so on. If you’re unsure whether it’s the same tracker flagged by the app, check the serial number. Some models have it printed on the casing, while others can be checked by placing them next to the smartphone’s NFC reader.

Locating the tracker helps rule out innocent scenarios: perhaps you accidentally picked up someone else’s headset instead of yours, or a colleague left their keys in your car. In such cases, simply return the lost item to its owner. Another possible legitimate tracking scenario is a tag attached to rented equipment, especially cars and expensive electronics. In this case, discuss the tracking with the rental provider and decide whether it’s acceptable to you. Normally, such property protection measures should be outlined in the rental agreement.

The situation is more complex when it comes to malicious tracking.

For victims of domestic violence, married couples going through a difficult divorce, or given other circumstances where exposing tracking might provoke aggression from the perpetrator, it’s recommended to remain discreet. Report the tracking to law enforcement, but avoid revealing this fact to the stalker. It’s important that the tag doesn’t “light up” at the police station. To achieve this, you can either remove the battery or arrange a meeting with the authorities at a safe location.

If there’s no risk of violence, you can simply hand the tag over to the police. Throwing it away or deactivating it is not enough, as the perpetrators could just start all over again.

For comprehensive protection of your privacy, use our most advanced security solution — Kaspersky Premium, which not only neutralizes viruses but also provides the world’s best protection against phishing, detects intrusions into your Wi-Fi networks, protects your personal data and payment information online, alerts you to password leaks and identity theft, and offers many more features to ensure your complete security.

We’ve prepared a detailed step-by-step guide to help you choose the optimal subscription and quickly set everything up from scratch, or switch from other vendors to our applications — which have received more awards than any other security solutions in the world.
