How to set up Apple Shortcuts in VPN & Antivirus by Kaspersky for iOS | Kaspersky official blog

The Kaspersky for iOS app now supports Apple Shortcuts and Siri. In this post, we discuss the new possibilities this gives our users, and how to configure Shortcuts to work with the Kaspersky app.

How to give voice commands to Kaspersky

You can now turn the VPN on and off in the Kaspersky for iOS app using voice commands. Setting this up is very quick and easy: just activate Siri and say, “Siri, turn on Kaspersky VPN”. The system will then ask if you really want to enable commands — tap the blue Turn On button.

If you’ve just installed Kaspersky on your iPhone or iPad and have never turned the VPN on before, you’ll need to open the app and activate the VPN manually to accept all the necessary user agreements. After that, everything will work smoothly.

To activate voice commands for Kaspersky VPN, launch Siri and say, “Siri, turn on Kaspersky VPN”

Now all you have to do is say, “Siri, turn on Kaspersky VPN” to establish a VPN connection or “Siri, turn off Kaspersky VPN” to disconnect — it’s as easy as pie.

To turn on Kaspersky VPN, say, “Siri, turn on Kaspersky VPN”. To turn it off, say, “Siri, turn off Kaspersky VPN”

How to turn VPN on and off using Shortcuts

But that’s just the beginning. You can also use Apple Shortcuts to place “Turn on VPN” and “Turn off VPN” shortcuts on your iPhone’s Home Screen. To do this, find and open the Shortcuts app; the easiest way to do this is through search — especially if you rarely use this app.

To set up Kaspersky VPN Home Screen shortcuts, open the Shortcuts app and select Kaspersky

Next, find the Kaspersky app in Shortcuts and tap it. If it’s difficult to find due to an over-abundance of icons, you can use the search function. To do this, tap All Shortcuts and type “Turn” in the search field. In both cases, the necessary shortcuts will now appear on the screen.

To find Kaspersky VPN shortcuts in Shortcuts, you can use the search function

Simply tapping the shortcut will immediately activate it — turning the VPN on or off. To add a shortcut to the Home Screen, tap and hold the shortcut. A pop-up menu will appear — select Add to Home Screen.

On the next screen, you can choose the icon and color of the shortcut. By default, iOS suggests blue, but we recommend choosing green for “Turn on VPN”, and red for “Turn off VPN”. This way, you’ll instantly know which shortcut does what, making them convenient to use.

How to add “Turn on VPN” and “Turn off VPN” shortcuts to the Home Screen

All done! Now you have handy shortcuts on your Home Screen that let you quickly turn the VPN on or off in the Kaspersky for iOS app with just a single tap.

Now you can turn Kaspersky VPN on and off with one tap

How to trigger Kaspersky VPN activation when launching apps

And that’s still not all! You can also use Shortcuts to automatically trigger VPN activation in Kaspersky for iOS. For example, you can automatically establish a VPN connection when launching a particular app.

To do this, open the Shortcuts app, go to the Automation tab, and tap the large blue New Automation button (or the + in the upper right corner of the screen if you’ve created automation scripts before). On the page that opens, scroll down to the App option and tap it.

You can use Shortcuts to automate Kaspersky VPN activation — for example, when launching a particular app

Next, tap Choose to select an app, check the box at the bottom of the screen next to Run Immediately so the system doesn’t ask unnecessary questions, and tap Next.

Select the desired app and check the box next to “Run Immediately”

On the next screen, use the search to find the familiar Turn on VPN shortcut and select it. Done! Now a VPN connection will be established automatically when you launch the app you’ve selected.

Tap “Next” and find the “Turn on VPN” shortcut

By the way, you can also configure the VPN connection to automatically disconnect when you close this app. To do this, repeat all the steps described above, but change the condition to Is Closed, and select the Turn off VPN shortcut.

You can also automatically disconnect the VPN when closing an app: create a new automation script, change the condition to “Is Closed”, and select the “Turn off VPN” shortcut

How to trigger Kaspersky VPN activation when connecting to Wi-Fi networks

Another possibility is to activate the VPN automatically when connecting to any Wi-Fi network — or a specific network that you don’t fully trust but have to use frequently. To do this, create a new automation script, scroll down to Wi-Fi, and select it.

To turn the VPN on automatically when connecting to Wi-Fi, create a new automation script and select “Wi-Fi” from the list

In the window that opens, click Choose to select a network — either a specific one or Any Network. As before, check the box next to Run Immediately so you don’t have to confirm this action each time.

Select the desired network or “Any Network”, and check the box next to “Run Immediately”

Next, click Next and select the Turn on VPN shortcut. You can also create an additional script to close the VPN connection automatically when disconnecting from Wi-Fi.

The features described in this post are available to users with Kaspersky Plus and Kaspersky Premium subscriptions.

Other useful features of Kaspersky for iOS

Of course, the VPN is by no means the only thing in our super app Kaspersky for iOS. It also includes anti-phishing, an ad and tracker blocker, a password manager, automatic personal data-leak checking, home network protection from strangers, and much more.

To enhance the security of your device, simply tap “Security Scan”

By the way, the updated Kaspersky for iOS app features a convenient Security Scan button at the top of the main screen, allowing you to run a security check and improve your device’s protection with a single tap.

Kaspersky official blog – Read More

Pseudo-exploit for CVE-2024-6387 aka regreSSHion | Kaspersky official blog

An archive containing malicious code is being distributed on the social network X (formerly known as Twitter), under the guise of an exploit for the recently discovered CVE-2024-6387 aka regreSSHion. According to our experts, this may be an attempt to attack cybersecurity specialists. In this post we explain what is actually in the archive and how attackers are trying to lure researchers into a trap.

The legend behind the archive

Presumably, there is a server that has a working exploit for the CVE-2024-6387 vulnerability in OpenSSH. Moreover, this server actively uses this exploit to attack a list of IP addresses. The archive, offered to anyone wishing to investigate this attack, allegedly contains a working exploit, a list of IP addresses and some kind of payload.

Real contents of the malicious archive

In fact, the archive contains some source code, a set of malicious binaries and scripts. The source code looks like a slightly edited version of a non-functional proof-of-concept for this vulnerability, which was already distributed in the public domain.

One of the scripts, written in Python, simulates the exploitation of the vulnerability on servers at the IP addresses from the list. In reality, it launches a malicious file called exploit: malware that establishes persistence on the system and retrieves an additional payload from a remote server. The malicious code is saved in a file in the /etc/cron.hourly directory. To achieve persistence, it also modifies the ls file and writes a copy of itself into it, so the malicious code runs again every time ls is launched.
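A triage helper for the two persistence traits just described, written as an added example for this post (not code from the post or from the malware): it flags cron.hourly entries that are not on a host allowlist, compares the ls binary against a clean reference hash, and counts ELF magic numbers in it, since a copy of another executable written into ls typically leaves a second header behind. The allowlist name, the reference hash and the sample bytes are constructed assumptions.

```python
"""Triage helper for the persistence traits described above (added example,
not code from the post): unexpected /etc/cron.hourly entries and a coreutils
binary that no longer matches its reference hash or carries a second ELF image.

Assumptions: the analyst supplies an allowlist of cron.hourly names that belong
on the host, and a reference SHA-256 of ls taken from a clean install."""
import hashlib
import os
import sys

# Constructed allowlist; replace with the package-owned jobs of the real host.
DEFAULT_CRON_ALLOWLIST = frozenset({"0anacron"})

ELF_MAGIC = b"\x7fELF"


def unexpected_cron_entries(entries, allowlist=DEFAULT_CRON_ALLOWLIST):
    """Names from a cron.hourly listing that are not on the allowlist (order kept)."""
    return [name for name in entries if name not in allowlist]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def binary_matches_reference(data, reference_hex):
    """True when the binary's SHA-256 equals the clean reference hash."""
    return sha256_bytes(data) == reference_hex.strip().lower()


def embedded_elf_headers(data):
    """Count ELF magic numbers in the file. A clean executable has exactly one,
    at offset 0; a second one is what a copy of another ELF written into the
    binary (the trait the post describes for ls) typically leaves behind.
    Heuristic only: a hit means 'inspect', not 'infected'."""
    return data.count(ELF_MAGIC)


def triage(cron_entries, ls_bytes, ls_reference_hex, allowlist=DEFAULT_CRON_ALLOWLIST):
    """Return a list of findings (an empty list means nothing suspicious)."""
    findings = []
    for name in unexpected_cron_entries(cron_entries, allowlist):
        findings.append("unexpected cron.hourly entry: %s" % name)
    if not binary_matches_reference(ls_bytes, ls_reference_hex):
        findings.append("ls hash differs from reference")
    headers = embedded_elf_headers(ls_bytes)
    if headers != 1:
        findings.append("ls contains %d ELF headers (expected 1)" % headers)
    return findings


def main(argv):
    """Usage: triage.py <reference-sha256-of-ls> [cron_dir] [ls_path]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    cron_dir = argv[2] if len(argv) > 2 else "/etc/cron.hourly"
    ls_path = argv[3] if len(argv) > 3 else "/bin/ls"
    entries = sorted(os.listdir(cron_dir))
    with open(ls_path, "rb") as fh:
        ls_bytes = fh.read()
    findings = triage(entries, ls_bytes, argv[1])
    for finding in findings:
        print("[!]", finding)
    if not findings:
        print("no findings")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a Debian-based host the reference hash can be cross-checked with `dpkg --verify coreutils`, which reports a modified ls without needing a stored hash.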

How to stay safe

Apparently, the authors of the attack are counting on the fact that, when working with obviously malicious code, researchers tend to disable security solutions and focus on analyzing the exchange of data between the malware and a server vulnerable to CVE-2024-6387. Meanwhile, completely different malicious code will be used to compromise the researchers’ computers.

Therefore, we remind all information security experts and other persons who like to analyze suspicious code not to work with malware outside of a specially prepared isolated environment, from which external infrastructure is inaccessible.

Kaspersky products detect elements of this attack with the following verdicts:

UDS:Trojan-Downloader.Shell.FakeChecker.a
UDS:Trojan.Python.FakeChecker.a
HEUR:Trojan.Linux.Agent.gen
Virus.Linux.Lamer.b
HEUR:DoS.Linux.Agent.dt

As for the regreSSHion vulnerability, as we wrote earlier, its practical exploitation is far from being simple.

Why you need to remove the Polyfill.io script from your website

If your website uses the script from Polyfill.io, we recommend removing it ASAP: the service is sending malicious code to your visitors. This article explains what Polyfill.io is for, why it’s become dangerous to use, and what you should do about it if you do use it.

What polyfills and Polyfill.io are

A polyfill is a piece of code that implements features otherwise unsupported by certain browser versions. This is typically JavaScript code that adds support for HTML5, CSS3, JavaScript API and other standards and technologies that spare web developers the headache of supporting exotic or outdated browsers. Polyfills saw their heyday in the 2010s as HTML5 and CSS3 gradually took over the Web.

Polyfill.io is a service that helps automatically deliver polyfills that a browser requires for displaying a particular website.

The service gained popularity both for its efficiency (only the polyfills you need are loaded) and for its regular updates to the technologies and standards used. Straightforward implementation was a factor as well: all the developer needed to start using Polyfill.io was to add a short string to the website code in order to enable the service’s script.

Polyfill.io was originally created by the Financial Times web development team. In February 2024, the service, along with the associated domain and GitHub account, was sold to the Chinese CDN provider Funnull. It wasn’t six months before trouble began.

Malicious code from cdn.polyfill.io

On June 25, 2024, researchers at Sansec discovered that cdn.polyfill.io had begun to deliver malicious code to users of websites that used Polyfill.io. The code used a typosquatted domain pretending to be Google Analytics — www.googie-anaiytics.com — to redirect users to a Vietnamese sports betting site.

The malicious code redirected the users of compromised sites to a sports betting site written in Vietnamese

According to the researchers, this wasn’t the first time that Polyfill.io had been caught spreading malicious code. Those who had noticed the dangerous behavior earlier tried complaining (archived link) in GitHub comments, but the new owners of Polyfill.io quickly removed all the criticisms (here’s another example from the Internet Archive).

The potentially harmful script is allegedly present on more than 100,000 websites — some of them rather big ones.

Google Ads: one more reason to remove Polyfill.io

In case visitors getting a malicious script doesn’t sound too worrying, Google Ads is giving website operators a further valid reason to hurry up and get the problem fixed.

Google’s advertising service has suspended the display of ads linking to websites that spread malicious scripts from several services. Besides Polyfill.io, the list includes Bootcss.com, Bootcdn.net and Staticfile.org.

A Google Ads suspension warning due to the website using a malicious script downloaded from Polyfill.io, Bootcss.com, Bootcdn.net or Staticfile.org

You’d be wise to stop using the aforementioned services on your website, or else you risk losing traffic due to users being led away by the malicious scripts and because of Google Ads no longer promoting you.

Protecting against the Polyfill.io attack

Here are a few steps to take about the attack:

Remove the Polyfill.io script from your website as soon as you can — along with ones from Bootcss.com, Bootcdn.net and Staticfile.org.
Consider dropping polyfills altogether. The Polyfill.io developer, which recommends doing just that, says that polyfills are no longer relevant.

The Polyfill.io developer recommends removing Polyfill.io and dropping polyfills altogether as these are no longer relevant

If you can’t follow that advice for some reason, use the alternatives by Cloudflare or Fastly.
All in all, try cutting down on the number of external scripts your website uses. Each of those is a potential vulnerability.
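A static check that turns the steps above into something a site operator can run over their own pages, written as an added example for this post (not code from the post or from Polyfill.io): it lists every `<script src>` on a page, flags the four services the post names, and inventories all remaining third-party script hosts. The sample HTML, the example.com site domain and the subdomain-matching rule are constructed assumptions.

```python
"""Static check for the third-party script problem above (added example, not
code from the post or from Polyfill.io): list <script src> hosts on a page,
flag the four services named in the post, and inventory every external host
so the 'fewer external scripts' advice can be acted on.

Assumptions: the page is plain HTML on disk or in memory; the sample below is
constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import sys

RISKY_DOMAINS = ("polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org")

# Constructed sample page: two risky hosts, two first-party scripts, one other
# third party, and an inline script without src.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.bootcss.com/lib/ui.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://static.example.com/vendor.js"></script>
<script src="https://analytics.example.net/tag.js" async></script>
<script>console.log("inline, no src");</script>
</head><body></body></html>"""


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def script_sources(html):
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def host_of(src):
    """Hostname of a script URL; '' for relative (first-party) sources.
    Protocol-relative '//host/path' URLs resolve to their host as well."""
    return urlparse(src).hostname or ""


def matches_domain(host, domain):
    """Exact or subdomain match, so 'notpolyfill.io' does not match."""
    return host == domain or host.endswith("." + domain)


def risky_scripts(html, risky_domains=RISKY_DOMAINS):
    """Script URLs served from any of the domains named in the post."""
    return [src for src in script_sources(html)
            if any(matches_domain(host_of(src), d) for d in risky_domains)]


def external_hosts(html, site_domain):
    """Every third-party host the page loads scripts from."""
    hosts = set()
    for src in script_sources(html):
        host = host_of(src)
        if host and not matches_domain(host, site_domain):
            hosts.add(host)
    return hosts


def main(argv):
    html = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_HTML
    site = argv[2] if len(argv) > 2 else "example.com"
    for src in risky_scripts(html):
        print("[!] remove:", src)
    for host in sorted(external_hosts(html, site)):
        print("external script host:", host)


if __name__ == "__main__":
    main(sys.argv)
```

The scan only sees script tags present in the served HTML; scripts that other scripts insert at runtime have to be checked in the browser's network view.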

Transatlantic Cable podcast episode 354 | Kaspersky official blog

Episode 353 of the Transatlantic Cable podcast kicks off with an ‘interesting’ story involving Microsoft, real-time software recording and sex-toy retailers. To go into more detail would just be a spoiler. From there, the team talk about how Facebook is the next business to face the EU’s DMA (Digital Markets Act) legislation.

To wrap up, the conversation moves to how residents in local town meetings across America were being terrorised by people ‘zoom bombing’ calls and town meetings. The final story revolves around Google’s Threat Analysis Group (TAG) thwarting over 10,000 attempts by Chinese influence operators.

If you like what you heard, please consider subscribing.

Lawsuit Claims Microsoft Tracked Sex Toy Shoppers With ‘Recording in Real Time’ Software
Facebook and Instagram’s ‘pay or consent’ ad model violates the DMA, says the EU
‘Local Residents’ Terrorizing City Council Meetings Were Actually Overseas, Feds Allege
Google Thwarts Over 10,000 Attempts by Chinese Influence Operator

Inside the workings of fraud-as-a-service | Kaspersky official blog

A scammer these days doesn’t need to know how to write malware or think up sophisticated digital fraud schemes. Today’s scams come prepackaged in the form of fraud-as-a-service (FaaS). The average scammer only needs to search for victims and then drain their wallets — the operator takes care of the rest.

Today, we look at a group that specializes in classifieds-website scams to explain what turnkey phishing is, and how best to defend against it.

Who provides the service?

A gang’s key person is the founder, or topic starter. This guy manages everyone else:

Coders, who are responsible for Telegram channels, chats and bots
Refunders, or fake support agents
Carders, who withdraw money from the victim’s bank account
Workers, who find ads, respond, and persuade victims to open a phishing link

That’s what the core lineup of almost any gang looks like. Especially sophisticated outfits also include marketers, motivators and mentors. These run promotional campaigns for the project, and provide moral support to, and training for, workers.

The members of a scam gang chiefly communicate via private groups and chats in Telegram. The channel we investigated had around 15,000 members, with just five of them being mentors. Virtually everyone else was a worker — a pawn in this scheme. Read the investigative story on Securelist to find out more about other roles the members of a scam gang have.

The Telegram bot as the workers’ main weapon

Bots help gangs automate most of the scamming process. For example, scammers can use these to create unique, personalized phishing ads. A Telegram bot we discovered churns out as many as 48 ads at a time, in four languages, for six classifieds websites and in two versions: seller scam (2.0) and buyer scam (1.0).

A bot creates links for two types of scam at a time: seller scam (2.0) and buyer scam (1.0)

Next, a worker uses the Telegram bot to automatically send the links to the victim’s email, instant messaging account or SMS inbox. As soon as a phishing link is opened, the bot displays a message that says “Mammoth online”. This tells the worker that the scam has all but succeeded: the victim has no protection, so the gang is about to pocket their money.

The bot tells the worker everything the victim does — in detail

Instant notifications about anything that happens are one of Telegram bots’ killer features. Thus, if the victim takes the bait, paying for the “goods” or “delivery”, the worker learns immediately. The bot computes the worker’s share of the booty and shares the name of the carder who’ll withdraw the funds.

“Another one duped!” — the new workers’ anthem

This is the extent of what the worker needs to do, as the money will be credited to their account automatically — unless they’re scammed by their own gangmates, which isn’t unheard of.

How much scam gangs make

The workers are the gang’s cash cows: they pay commissions to the mastermind, mentor, carder and refunder. This project is no doubt a moneymaker: the gang earned more than two million US dollars between August 2023 and June 2024. That’s what the scammers say anyway, but they can declare whatever figures they want, no matter how inflated, in their internal chat to motivate the workers.

A bad day for the scammers — but a happy one for the whole of humanity

The scam factory’s profits are restricted by banks’ transaction limits. The gang we’re looking at operates out of Switzerland, and local banking rules prevent it from stealing more than 15,000 Swiss francs (approximately 16,700 US dollars) at a time. The workers have a minimum withdrawal amount: they won’t bother with cards if there are less than 300 Swiss francs (333 US dollars) in the associated account; otherwise the costs would exceed the earnings.

Avoiding the trap

Being attacked by turnkey phishing (as opposed to “regular” phishing) makes no difference to the target: the scammers are still scammers, trying all kinds of ways to swindle victims out of their money. But, since FaaS makes the scammers’ work so much easier, this kind of scam is on the rise. Accordingly, the protection tips remain the same as for other types of phishing:

Use reliable security to keep you from following phishing links.
Take a look at our safe online selling rules.
Restrict your chats with sellers and buyers to the classifieds sites; to prevent workers from seeing your personal details, don’t switch to instant messaging apps.
Pay for your online purchases only with virtual cards that have transaction limits, and don’t store significant amounts in the accounts linked to those.
Read about how other scams work to stay on top of trends.

CVE-2024-6387 aka regreSSHion – root cause, risks, mitigation

A vulnerability has been discovered in OpenSSH, a popular set of tools for remote management of *nix systems. The bug allows an unauthenticated attacker to execute arbitrary code on the affected system and gain root privileges. The vulnerability was named regreSSHion, and assigned the ID CVE-2024-6387. Given that sshd, the OpenSSH server, is integrated into most operating systems and many IoT devices as well as firewalls, the description of the vulnerability sounds like the beginning of a new epidemic on the scale of WannaCry and Log4Shell. In practice, the situation is somewhat more complex. Widespread exploitation of the vulnerability is unlikely. Nevertheless, all server administrators using OpenSSH must urgently address the vulnerability.

Where OpenSSH is used

The OpenSSH utility set is almost ubiquitous. It is a popular implementation of the SSH (secure shell) protocol, and is integrated into most Linux distributions, OpenBSD and FreeBSD, macOS, as well as specialized devices like those based on Junos OS. Since many TVs, smart doorbells, baby monitors, network media players, and even robotic vacuum cleaners are based on Linux systems, OpenSSH is often used in them as well. Starting with Windows 10, OpenSSH is also available in Microsoft’s OSs, although it’s an optional component not installed by default. It’s no exaggeration to say that sshd runs on tens of millions of devices.

How to trigger the regreSSHion vulnerability

During an SSH authentication attempt, the user has a time limit to complete the process, with the default setting being 120 seconds. If authentication does not occur, the sshd server asynchronously calls the special “sigalarm” function, which in turn invokes system-level memory management functions. This was done in a manner unsafe for asynchronous execution. Under certain conditions, and with a small probability, this can trigger a race condition, leading to memory boundary violations and arbitrary code execution.

To exploit this vulnerability, an attacker needs to make approximately 10,000 attempts on average, and the target system must be based on Linux versions using the GNU C Library (glibc), such as all Debian variants. Additionally, attackers need to prepare memory structures tailored to the specific version of glibc and Linux. Researchers have reproduced the attack on 32-bit Linux systems but, theoretically, it’s possible to exploit on 64-bit systems as well — albeit with a lower success rate. Address Space Layout Randomization (ASLR) slows down the exploitation process but does not provide complete protection.

Interestingly, this bug was already fixed by the OpenSSH team in 2006, when it was assigned CVE-2006-5051. Therefore, the new bug is a regression — the reappearance of an already known defect due to some changes introduced in the code. This is where the name for the new vulnerability, regreSSHion, comes from.

The likelihood of CVE-2024-6387 being exploited in the wild

The vulnerability was discovered by researchers and responsibly disclosed to the development team. Therefore, immediate exploitation is unlikely. Moreover, the technical complexities described above make mass exploitation impractical. Ten thousand authentication attempts with standard OpenSSH settings would take six to eight hours per server. Additionally, one needs to know which version of Linux the server is running. If the server has any protection against brute force attacks and DDoS, these measures would likely block the attack.

Despite all this, targeted exploitation is quite possible. Patient attackers can conduct reconnaissance and then make low-frequency attempts from different IPs, and sooner or later they might succeed.

How to protect your servers against exploitation

Versions of OpenSSH up to 4.4p1, plus versions from 8.5p1 to 9.7p1 running on glibc-Linux, are vulnerable. OpenBSD-based servers are not affected, so admins of those can breathe easier; however, everyone else should update sshd to version 9.8.

If for some reason immediate updating is not possible, administrators can set the login timeout to zero (LoginGraceTime=0 in sshd_config) as a temporary mitigation. However, developers warn that this makes the SSH server more susceptible to DDoS attacks.

Another possible mitigation is stricter access control for SSH — implemented using firewalls and other network security tools.
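An exposure check covering the two practical facts above (the affected version ranges and the LoginGraceTime=0 stop-gap), written as an added example for this post and not code from the post or from OpenSSH. It assumes the server's connect banner (`SSH-2.0-OpenSSH_x.ypN ...`) and the text of sshd_config are available; the sample banners and config lines are constructed.

```python
"""Exposure check for the two facts above (added example, not code from the post
or from OpenSSH): is the server's banner version inside the affected ranges, and
does sshd_config carry the LoginGraceTime 0 stop-gap?

Assumptions: the banner is the 'SSH-2.0-OpenSSH_x.ypN ...' string the server
sends on connect; the sample banners and config text below are constructed."""
import re
import sys

_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
_TIME_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DEFAULT_LOGIN_GRACE_TIME = 120  # sshd default named in the post


def parse_openssh_version(banner):
    """(major, minor, portable_level) from a banner, or None if not OpenSSH.
    portable_level is 0 for a native OpenBSD build (no 'pN' suffix)."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p) if p else 0)


def version_in_affected_range(version):
    """Ranges from the post: before the 2006 fix that landed in 4.4p1, and the
    regression in 8.5p1 through 9.7p1; 9.8 carries the fix."""
    return version < (4, 4, 1) or (8, 5, 1) <= version <= (9, 7, 1)


def is_affected_server(banner):
    """True/False by version, None when the banner is not OpenSSH.
    Native OpenBSD builds are reported as unaffected, as the post states.
    Caveat: distributions backport fixes without bumping the banner version, so
    True means 'confirm with the package changelog', not 'exploitable'."""
    v = parse_openssh_version(banner)
    if v is None:
        return None
    if v[2] == 0:
        return False
    return version_in_affected_range(v)


def parse_sshd_time(value):
    """sshd time format: plain seconds or unit-suffixed parts such as '2m' or '1h30m'."""
    if not re.fullmatch(r"(\d+[smhdwSMHDW]?)+", value):
        raise ValueError("bad sshd time value: %r" % value)
    return sum(int(n) * _TIME_UNIT[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", value))


_DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(\S+)")


def login_grace_time(config_text, default=DEFAULT_LOGIN_GRACE_TIME):
    """Effective LoginGraceTime in seconds. Keywords are case-insensitive,
    'Keyword value' and 'Keyword=value' are both accepted, and as in sshd the
    first occurrence wins; comments and blank lines are skipped."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if m and m.group(1).lower() == "logingracetime":
            return parse_sshd_time(m.group(2))
    return default


def assess(banner, config_text):
    """Combine both checks into one verdict string."""
    affected = is_affected_server(banner)
    if affected is None:
        return "not an OpenSSH banner; check the server manually"
    if not affected:
        return "version outside the affected ranges"
    if login_grace_time(config_text) == 0:
        return "affected version, LoginGraceTime 0 mitigation in place; still update to 9.8"
    return "affected version and no mitigation: update to 9.8 or set LoginGraceTime 0"


if __name__ == "__main__":
    # Constructed defaults; pass a real banner and a path to sshd_config instead.
    banner = sys.argv[1] if len(sys.argv) > 1 else "SSH-2.0-OpenSSH_9.6p1 Debian-1"
    cfg = open(sys.argv[2]).read() if len(sys.argv) > 2 else "Port 22\n"
    print(assess(banner, cfg))
```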

Kaspersky Expertise Centers | Kaspersky official blog

When writing about threats, vulnerabilities, high-profile investigations or technologies, we often mention our experts of various specializations. Generally speaking, Kaspersky’s experts are highly qualified employees specialized in their particular field who research new cyberthreats, invent and implement breakthrough methods to combat them, and also help our clients deal with the most serious of incidents. There are many fields for using their talents; most of them fall within the competence of one of our five so-called “centers of expertise”.

Kaspersky Global Research and Analysis Team (GReAT)

Our best known team in the cybersecurity industry is the Global Research and Analysis Team (GReAT). It’s a tightly knit collective of top-notch cybersecurity researchers specializing in studying APT attacks, cyber espionage campaigns, and trends in international cybercrime. Representatives of this international team are strategically located in our offices around the world to ensure immersion into regional realities and provide the company with a global perspective of the most advanced threats emerging in cyberspace. In addition to identifying sophisticated threats, GReAT experts also analyze cyber-incidents related to APT attacks, and monitor the activity of more than 200 APT groups. As a result of their work, our clients receive improved tools to combat advanced threats, as well as exclusive Kaspersky APT and Crimeware Intelligence reports, containing tactics, techniques and procedures (TTP), and indicators of compromise (IoC) useful for building reliable protection.

Kaspersky Threat Research

Kaspersky Threat Research are the experts whose work lies at the foundation of our products’ protective mechanisms – as they study all the details of attackers’ tactics, techniques and procedures, and drive the development of new cybersecurity technologies. These experts are primarily engaged in analyzing new cyberthreats and are responsible for ensuring that our products successfully identify and block them (detection engineering). Threat Research includes (i) Anti-Malware Research (AMR), whose experts deal with software (including malware, LolBins, greyware, etc.) used by cyberattackers; and (ii) Content Filtering Research (CFR), which is responsible for analysis of threats associated with communication via the internet (such as phishing schemes and spam mailings).

Attackers work hard to circumvent protective technologies, which is why we pay special attention to the security of our own products. The Threat Research expertise center also includes the Software Security team, which mitigates the risks of vulnerabilities in Kaspersky solutions. In particular, they’re responsible for the secure software development life cycle (SSDLC) process, bug bounty program, and for ensuring that our secure-by-design solutions (our own operating system – KasperskyOS – and products based on it) really are truly secure.

Kaspersky AI technology research

We all know how hyped AI technology is today, and how popular the topics of AI in cybersecurity and Secure AI are on the market. Our team provides a range of options in our solutions from ML (machine learning) and AI-enhanced threat discovery and triage alerts to prototype GenAI-driven Threat Intelligence.

For over two decades, our products and services have incorporated aspects of artificial intelligence to enhance security, privacy, and business protection. Kaspersky AI Technology Research applies data science and machine learning to detect various cyberthreats, including malware, phishing and spam on a large scale – contributing to detection of more than 400,000 malicious objects daily.

To detect more complex, targeted attacks, you have to juggle massive numbers of events and alerts coming from different levels of the IT infrastructure. Proper aggregation and prioritization of these alerts are crucial. Without AI-powered automation, it’s easy for a security-operations-center analyst to get overwhelmed and overlook critical alerts amid the multitude of security notifications. Better alert triage and prioritization – especially with machine learning – is top priority for our detection and response solutions (EDR, SIEM, XDR and MDR services).

Generative AI (GenAI) technologies open up new possibilities in cybersecurity. Kaspersky researchers are working on applying GenAI to various tasks in products ranging from XDR to Threat Intelligence to help cybersecurity analysts cope with the daily deluge of information, automate routine tasks, and get faster insights, amplifying their analytical capabilities and enabling them to focus more on investigating complex cases and researching complex threats.

We also use artificial intelligence to protect complex industrial systems. Our Kaspersky Machine Learning for Anomaly Detection (MLAD) solution enables our products to detect anomalies in industrial environments – helping identify early signs of potential compromise.

As AI systems are inherently complex, Kaspersky AI Technology Research also works on identifying potential risks and vulnerabilities in AI systems – from adversarial attacks to new GenAI attack vectors.

Kaspersky Security Services

Kaspersky Security Services experts provide complementary services for information security departments at the largest enterprises worldwide. Their service portfolio is built around the main task of security departments – addressing incidents and their impact: detection, response, exercises, and process-wise operations excellence.

Whenever organizations face a security crisis, our team is dedicated to building a complete picture of the identified attack, and sharing recommendations for response and impact minimization. Our Global Emergency Response Team is located on all continents and is involved in hundreds of incident responses yearly.

For organizations that require continuous incident detection, there’s our Managed Detection and Response service. The Kaspersky SOC experts behind this service monitor suspicious activity in the customer’s infrastructure, and help them respond to incidents promptly and minimize impact. Our MDR operates worldwide and is top-rated by customers.

Developing and measuring security maturity, preparing for real-world attacks, discovering vulnerabilities and more are the goals of our various Security Assessment services. Among other things, they can: evaluate SOC readiness to protect critical business functions with attack simulations (red teams); assess attackers’ chances of penetrating your network and gaining access to critical business assets with penetration testing service; and identify critical vulnerabilities by deeply analyzing complex software solutions with our application security service.

If a company needs to build its own SOC, or assess the maturity level or development capabilities of an existing one, our SOC Consulting experts share their vast experience in security operations gained while working with different industries, organizations of different sizes and with different budgets.

Before, during and after an attack, cybercriminals leave traces of their activities outside the attacked organization. Our Digital Footprint Intelligence experts identify suspicious activities on cybercriminal marketplaces, forums, instant messengers and other sources to promptly notify an organization about compromised credentials, someone selling access to their internal corporate network or data from their internal databases, and so on.

Kaspersky ICS CERT

Our industrial systems cybersecurity research center (Kaspersky ICS CERT) is a global project whose main goal is assisting manufacturers, owners and operators, and research teams in ensuring the cybersecurity of industrial automation systems and other M2M (machine-to-machine) solutions (building automation systems, transportation, medical systems and so on).

Kaspersky ICS CERT experts constantly analyze various products and technologies, evaluate their security level, report information about vulnerabilities to their manufacturers, and inform users of vulnerable solutions about the corresponding risks. In addition to searching for zero-day vulnerabilities, our CERT team analyzes publicly available information on vulnerabilities in ICS products, finds and eliminates multiple inaccuracies in it, and adds its own recommendations for reducing the risks to end-users.

Also, Kaspersky ICS CERT specialists identify and study attacks on organizations in the industrial sector, provide assistance in incident response and digital forensics, and share analytical information about attacks as well as indicators-of-compromise data feeds based on the results of their research.

In addition, our experts contribute to the engineering of sectoral and governmental regulations in the field of industrial cybersecurity, transportation, and the industrial Internet of Things; develop and conduct training for information-security specialists and employees of industrial organizations; and provide various consulting services.

Kaspersky spends huge amounts of resources – including a significant portion of its profits – on developing its expertise. Our experts research cyberthreats relevant to even the most remote corners of the globe, and understand the specific needs of all customers – no matter where they are. Thanks to the contribution of the above-listed centers of expertise, our services and solutions are constantly being improved and so always remain ready to counter the most non-trivial of attacks and identify the latest cyberthreats.

Kaspersky official blog – Read More

Hijacking GitHub accounts using phishing emails | Kaspersky official blog

We recently wrote about how attackers have learned to use legitimate social media infrastructure to deliver plausible-looking warnings about the blocking of business accounts, leading to password theft. It turns out that for several months now, a very similar method has been used to attack developer accounts on GitHub, which is a cause for concern for corporate information security teams (especially if developers have administrative access to corporate repositories on GitHub). Let’s explore how this attack works.

GitHub account hijacking

Victims of this attack receive emails sent from a genuine GitHub email address. The emails claim that the GitHub team is looking for an experienced developer and offering attractive conditions — $180,000 per year plus a generous benefits package. If interested in the position, the recipient is invited to apply via a link.

The attack begins with an email: GitHub is supposedly seeking a developer for a $180,000 annual salary. Source

These emails do come from notifications@github.com, which really belongs to the service. However, an astute recipient might wonder why the HR team is using the notification address for job offers. They might also be puzzled that the email subject has nothing to do with the job offer, and instead ends with a list of several GitHub usernames.

However, the email’s authors send it out en masse, so they probably aren’t too worried about losing a few potential targets here. The attackers are satisfied with the small number of recipients who’ll be too distracted by the salary to notice the discrepancies.

Clicking the link in the email takes the recipient to a page that pretends to be the GitHub career site. Specifically, the addresses githubtalentcommunity[.]online and githubcareers[.]online have been used in this campaign — but these phishing sites are no longer available.

On the linked site, recipients are asked to authorize a malicious OAuth application. Source

On the site, developers interested in the position are asked to log in to their GitHub account and authorize a new OAuth application. This application requests numerous permissions — including access to private repositories, personal data, and discussions, as well as the ability to delete any repository managed by the targeted user.

The OAuth application requests a number of dangerous permissions. Source

Besides job offers, another type of email has been observed, claiming that GitHub had been hacked and the GitHub security team requires the user’s authorization to eliminate the consequences of the hack.

Phishing email variant warning of a GitHub hack. Source

The next thing: repository wipe and ransom demand

If an inattentive developer grants the malicious OAuth application all the requested permissions, the attackers begin exploiting them. They empty all the victim’s repositories and then rename them — leaving behind only a single README.me file.

Hijacked and emptied repositories on GitHub with ransom notes left by the attackers. Source

The file contains a message stating that the data has been compromised, but that a backup has been made. To restore the data, the victim is instructed to contact a user named Gitloker on Telegram.

It appears that these emails are sent using the GitHub discussion system. That is, the attackers use already compromised accounts to create messages with the email text under various topics, tagging several users. As a result, all the tagged users receive emails from the notifications@github.com address. These messages are likely deleted immediately after sending.

How to protect against such attacks on GitHub accounts

Experienced users and developers often consider themselves to be immune to phishing attacks. However, as this story shows, they can also be caught off guard: the operators of this phishing campaign have already managed to compromise and wipe dozens of repositories.

To prevent your developers from falling victim to this attack, give them the following recommendations:

Always carefully check all details of an email and compare its subject, text, and sender address. Any discrepancies are almost certainly signs of a phishing attempt rather than accidental errors.
If you receive a similar email from GitHub, don’t click any links in it, and report the email to GitHub support.
Never authorize unknown OAuth applications — this story shows how serious the consequences can be.
Periodically review the list of authorized OAuth applications in your GitHub account, and remove any suspicious ones.
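A triage check for the indicators this post lists (a link to a GitHub lookalike domain, the two campaign domains, an OAuth authorization link asking for repository-deletion rights, and a subject line ending in a list of usernames), written here as an added example and not code from the article or from GitHub; the email is a constructed sample, and the scope names used are GitHub's real OAuth scope identifiers.

```python
import re
from urllib.parse import urlparse, parse_qs

# Scopes that enable what the post describes: reading private repositories
# ("repo") and wiping them ("delete_repo"). Real GitHub OAuth scope names.
HIGH_RISK_SCOPES = {"repo", "delete_repo"}
# Domains the post names for this campaign (no longer live at time of writing).
KNOWN_CAMPAIGN_DOMAINS = {"githubtalentcommunity.online", "githubcareers.online"}


def is_github_host(host):
    host = host.lower()
    return host == "github.com" or host.endswith(".github.com")


def lookalike_github(host):
    """A host that contains 'github' but is not GitHub itself."""
    return "github" in host.lower() and not is_github_host(host)


def risky_oauth_scopes(url):
    """Return the high-risk scopes if url is a GitHub OAuth authorize link."""
    p = urlparse(url)
    if not is_github_host(p.netloc) or not p.path.startswith("/login/oauth/authorize"):
        return set()
    scopes = set()
    for value in parse_qs(p.query).get("scope", []):  # space- or comma-separated
        scopes.update(re.split(r"[ ,]+", value.strip()))
    return scopes & HIGH_RISK_SCOPES


def triage(subject, body):
    """List the phishing indicators found in one email; empty list means none."""
    findings = []
    for url in re.findall(r"https?://[^\s<>\"')]+", body):
        host = urlparse(url).netloc.lower()
        if host in KNOWN_CAMPAIGN_DOMAINS:
            findings.append(f"known campaign domain: {host}")
        elif lookalike_github(host):
            findings.append(f"GitHub lookalike domain: {host}")
        risky = risky_oauth_scopes(url)
        if risky:
            findings.append(f"OAuth app asks for high-risk scopes: {sorted(risky)}")
    # A subject ending in several @usernames is a Discussions mention, not HR mail.
    if re.search(r"(@[\w-]+\s*){2,}$", subject.strip()):
        findings.append("subject ends with a list of usernames (Discussions notification)")
    lure = re.search(r"(\$\d{1,3}(,\d{3})+|job|hiring|hacked|security team)", body, re.I)
    if lure and "authoriz" in body.lower():
        findings.append("lure text asks the reader to authorize an application")
    return findings


# Constructed sample mirroring the campaign; the client_id is a placeholder.
SAMPLE_SUBJECT = "Developer opportunity (Discussion #42) @alice @bob @carol"
SAMPLE_BODY = (
    "GitHub is hiring an experienced developer: $180,000 per year plus benefits.\n"
    "Apply here: https://githubcareers.online/apply\n"
    "You will be asked to authorize our recruiting app:\n"
    "https://github.com/login/oauth/authorize?client_id=PLACEHOLDER"
    "&scope=repo+delete_repo+user+read:discussion\n"
)
```

Running `triage(SAMPLE_SUBJECT, SAMPLE_BODY)` reports all four indicators; a genuine notification linking only to docs.github.com produces none.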

We recommend the following to companies:

Use a reliable security solution with phishing protection on all devices, which will warn of dangers and block malicious sites in time.
Conduct regular information security training for employees, including developers. Experience with IT systems doesn’t guarantee safety; the necessary skills must be developed specifically. For example, you can use our interactive educational platform, the Kaspersky Automated Security Awareness Platform.


Meta AI plans to use the personal data of its users to train generative AI | Kaspersky official blog

The internet in recent weeks has been abuzz with talk of Meta’s new security policy. The company behind Facebook, Instagram, and WhatsApp informed a portion of its user base that, starting June 26, their personal data is to be used to train the generative artificial intelligence developed by its subdivision Meta AI.

To find out what data is affected, whether or not you can opt out, and how to stay digitally safe, read on.

Will Meta use Facebook and Instagram content to train its AI?

Meta AI has been around for over nine years already. Training its neural networks requires data — lots and lots of it — and it appears that the content generated by users of the world’s largest social networks might soon become Meta’s AI knowledge base.

It all started in May 2024, when posts about changes to Meta’s security policies began circulating online. The rumor was that, starting late June, the company planned to use content from Facebook and Instagram for generative AI training. However, these notifications weren’t sent to everyone — only to a select group of users in the EU and US.

Following a wave of outrage, Meta issued an official statement to EU residents. However, this seemed to generate more questions than answers. There was no press release explicitly stating, “As of this date, Meta AI will use your data for training”. Instead, a new page titled Generative AI at Meta appeared, detailing what data the company plans to use to develop artificial intelligence, and how. Again, with no specific dates.

Will Meta read my private messages?

According to company representatives — no, Meta AI won’t be reading your private messages. Chief Product Officer Chris Cox made clear that only public user photos posted on Facebook and Instagram would be used for AI training. “We don’t train on private stuff”, Cox is on the record as saying.

The executive’s statement is echoed on the company’s official page dedicated to generative AI. It states that the company will solely utilize publicly available data from the internet, licensed information, and information shared by users within Meta products and services. Furthermore, it explicitly mentions, “We do not use the content of your private messages with friends and family to train our AIs”.

Be that as it may, Meta AI has been scraping users’ public posts for at least a year now. This data, however, is depersonalized: according to company claims, the generative AI doesn’t link your Instagram photos with your WhatsApp statuses or Facebook comments.

How to opt out of having your data fed into Meta AI

Sadly, there’s no nicely labeled “I prohibit the use of my data to train Meta AI” button; instead, the opt-out mechanism is rather complicated. Users are required to fill out a lengthy form on Facebook or Instagram providing a detailed reason for opting out. This form is hidden within the maze of privacy settings for EU residents: Menu → Settings and privacy → Settings → Security policy. Alternatively, you can find it on the new Meta Privacy Center page, under Privacy and Generative AI.

The link is so well hidden it’s almost as if Meta doesn’t want you to find it. But we did the digging for you: here’s the form to opt out of Meta AI training on your personal data, although the official title is deliberately more vague: “Data subject rights for third-party information used for AI at Meta”.

But even armed with our direct link to this form, don’t get your hopes up: regardless of which of the three options you choose, a most convoluted and confusing form-filling process awaits.

Note the rather curious disclaimer in the description: “We don’t automatically fulfill requests sent using this form. We review them consistent with your local laws”. In other words, even if you opt out, your data might still be opted-in. It’s crucial to correctly state your reasons for wanting to opt out, and be a citizen of a country in which the GDPR is in effect. This data protection regulation can serve as the basis for deciding in favor of the user — not Meta AI. It stipulates that Meta must obtain explicit consent to participate in voluntary data sharing, and not just publish a hidden opt-out form.

This situation has caught the attention of NOYB (None Of Your Business), the European Center for Digital Rights. Its human rights advocates have filed 11 complaints against Meta in courts across Europe (Austria, Belgium, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, and Spain), seeking to protect the personal data of their citizens.

The Irish Data Protection Commission took note of these claims and issued an official request to Meta to address the lawsuits. The tech giant’s reaction could have been predicted without any algorithms: the company publicly accused the plaintiffs of hindering the development of generative AI in Europe. Meta stated they believe their initial approach to be legally sound, and so will likely continue their attempts to integrate AI into users’ lives.

The bottom line

So far, the saga appears to be just another spat between Meta and the media. The latter claim that Meta wants to process personal data, including the most intimate messages and photos, while Meta bosses are trying to pour cold water on the allegations.

Remember: you are primarily responsible for your own digital security. Be sure to use reliable protection, read privacy policies carefully, and always stay informed about your rights regarding the use of your data.


Transatlantic Cable podcast episode 353 | Kaspersky official blog

Episode 353 of the Transatlantic Cable podcast kicks off with news around ransomware attacks, both in the UK and the US. From there, the team discuss updates around the EU’s new DMA (Digital Markets Act) and how Apple could be a test case for record fines if it is found to have abused its market position.

To wrap up, the team look at how some of the biggest names in music are joining forces to sue start-up generative AI companies, which they allege are infringing copyright on a massive scale.

If you liked what you heard, please consider subscribing.

Don’t blame us for people suffering – London hospital hackers
LockBit Ransomware Claims 33 TB of US Federal Reserve Data for Ransom
Apple in breach of law on App Store, says EU
World’s biggest music labels sue over AI copyright
