Protecting Android, Windows, and Linux devices against being tracked via the Find My network | Kaspersky official blog

AirTags are a popular tracking device used by anyone from forgetful key owners to those with malicious intent, such as jealous spouses and car thieves. Using AirTags for spying is simple: a tag is discreetly placed on the target to allow their movements to be conveniently monitored using Apple Find My. We’ve even added protection from AirTag-based tracking to our products for Android.

But a recent study by security researchers has surprisingly found that remote tracking doesn’t even require buying an AirTag or ever being physically near the target. If attackers manage to sneak special malware onto someone’s Windows, Android, or Linux device (a computer, a phone, or another gadget), it can use the device’s Bluetooth to send out advertisements that nearby Apple devices take to be coming from an AirTag. For Apple devices, the infected phone or computer becomes an oversized AirTag: trackable via the Find My network, which boasts over a billion Apple phones and tablets.

Anatomy of the attack

The attack exploits two features of the Find My technology.

Firstly, this network uses end-to-end encryption, so participants don’t know whose signals they’re relaying. An AirTag and its owner’s phone share a pair of cryptographic keys. When a lost AirTag broadcasts its “callsigns” via Bluetooth, Find My network “detectors” (that is, any Apple device with Bluetooth and internet access, regardless of who owns it) take the public key from the broadcast, encrypt their own current location with it, and upload the result to Apple’s servers. The location data is thus encrypted with the lost AirTag’s public key, and a detector never learns whose tag it has just reported.

Then, any device can request the encrypted location data from the server. Because it’s encrypted, Apple doesn’t know whose tag the signal belongs to, or which device asked for it. The crucial point is that only the corresponding private key can decrypt the data and reveal both whose AirTag it is and its exact location. Therefore, this data is only useful to the owner of the smartphone paired with this AirTag.

Another feature of Find My is that detectors don’t verify whether the location signal really originated from an Apple device. Any device that supports Bluetooth Low Energy (BLE) can broadcast it.

To exploit these features, the researchers came up with the following method:

  1. They install malware on a computer, phone, or some other device running Android, Windows, or Linux, and read the Bluetooth adapter address.
  2. The attackers’ server receives that address and uses GPU hardware (“powerful video cards”) to generate a key pair tied to the device’s Bluetooth address and compatible with Apple’s Find My.
  3. The public key is sent back to the infected device, and the malware starts transmitting a Bluetooth message that mimics AirTag signals and includes this key.
  4. Any nearby Apple device connected to the internet receives the Bluetooth message and relays it to the Find My network.
  5. The attackers’ server uses the private key to request the location of the infected device from Find My and decrypt the data.
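As an added example (not code from Kaspersky or from the researchers), here is how the key and the Bluetooth address are tied together in a Find My “offline finding” advertisement, using the publicly documented byte layout (the same one the open-source OpenHaystack project uses). It shows why step 2 above is a search rather than ordinary key generation: a genuine tag’s Bluetooth address is the first six bytes of its public key with the top two bits set, so an attacker who cannot change the infected device’s adapter address has to keep generating keys until one happens to start with that address. The search function below uses random bytes as a stand-in for real P-224 keys and matches only two address bytes so it finishes in a fraction of a second; the byte layout and the 0xC0 address mask are the documented format, everything else is illustrative.

```python
import secrets
from typing import Tuple

KEY_LEN = 28  # a Find My public key is the 28-byte x-coordinate of a P-224 point


def ble_address_from_key(pubkey: bytes) -> bytes:
    """The address a genuine tag advertises from: the key's first six bytes,
    with the top two bits forced to 0b11 (a BLE 'random static' address)."""
    if len(pubkey) != KEY_LEN:
        raise ValueError("expected a 28-byte public key")
    addr = bytearray(pubkey[:6])
    addr[0] |= 0xC0
    return bytes(addr)


def build_advertisement(pubkey: bytes, status: int = 0x00) -> bytes:
    """The 31-byte manufacturer-specific AD structure that finder devices relay.
    Only 22 of the 28 key bytes fit here; the other six travel as the address,
    and the two bits the address mask overwrote are carried separately."""
    if len(pubkey) != KEY_LEN:
        raise ValueError("expected a 28-byte public key")
    return bytes([
        0x1E,          # length of the structure that follows (30 bytes)
        0xFF,          # AD type: manufacturer specific data
        0x4C, 0x00,    # Apple's company identifier, little-endian
        0x12,          # Apple sub-type: Offline Finding
        0x19,          # length of the Offline Finding data (25 bytes)
        status & 0xFF, # status byte (battery level etc.)
    ]) + pubkey[6:28] + bytes([pubkey[0] >> 6, 0x00])  # top two key bits, hint byte


def recover_key(address: bytes, adv: bytes) -> bytes:
    """What a finder device can reconstruct: address plus payload gives the full key."""
    if len(adv) != 31 or adv[:6] != bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19]):
        raise ValueError("not an Offline Finding advertisement")
    first = ((adv[29] & 0x03) << 6) | (address[0] & 0x3F)
    return bytes([first]) + address[1:6] + adv[7:29]


def search_key_for_address(target: bytes, match_bytes: int = 2,
                           max_tries: int = 2_000_000) -> Tuple[bytes, int]:
    """Toy version of the attackers' GPU search. Random bytes stand in for freshly
    generated P-224 keys (an assumption of this example); candidates are drawn
    until the address derived from one agrees with `target` on its first
    `match_bytes` bytes. A real attack needs all six bytes (46 free bits, since
    the top two are fixed), which is what makes the search cost GPU time."""
    if target[0] & 0xC0 != 0xC0:
        raise ValueError("target must be a random static address (top two bits set)")
    for tries in range(1, max_tries + 1):
        candidate = secrets.token_bytes(KEY_LEN)
        if ble_address_from_key(candidate)[:match_bytes] == target[:match_bytes]:
            return candidate, tries
    raise RuntimeError("no matching candidate within max_tries")


if __name__ == "__main__":
    victim_key = secrets.token_bytes(KEY_LEN)
    victim_addr = ble_address_from_key(victim_key)
    assert recover_key(victim_addr, build_advertisement(victim_key)) == victim_key
    forged, tries = search_key_for_address(victim_addr, match_bytes=2)
    print(f"address {victim_addr.hex()}: 2-byte match after {tries} candidates")
```

With two bytes there are 14 free bits to match, so the loop takes roughly 16,000 draws; every extra byte multiplies that by 256, and the full six-byte match is 2^46 expected draws, which is the work the researchers move onto rented GPUs.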

How well does the tracking work?

The more Apple devices nearby and the slower the victim’s movement, the better the accuracy and speed of the location tracking. In typical urban environments like homes or offices, the location is typically pinpointed within six to seven minutes and with an accuracy of around three meters. Even in extreme situations, such as being on an airplane, tracking can still occur because internet access is now widely available on flights. The researchers obtained 17 geolocation points throughout a 90-minute flight, allowing them to reconstruct the aircraft’s flight path quite accurately.

Naturally, the success of the attack hinges on whether the victim can be infected with malware, and the details differ slightly by platform. On Linux devices, infecting the victim’s gadget is all it takes, because its Bluetooth stack lets the malware learn the adapter address it will advertise from. By contrast, Android and Windows randomize the Bluetooth address, so the attacker needs to infect two nearby Bluetooth devices: one as the tracking target (the one that mimics an AirTag), and another to sniff its adapter address.

The malicious application needs Bluetooth access, but this isn’t hard to get. Many common app categories – like media players, file sharing tools, and even payment apps – often have legitimate reasons to request it. It’s likely that a convincing and functional bait application will be created for this type of attack, or even that an existing application will be trojanized. The attack requires neither administrative permissions nor root access.

Importantly, we’re not just talking about phones and computers: the attack is effective across a range of devices – including smart TVs, virtual-reality glasses, and other household appliances – as Android and Linux are common operating systems in many of them.

Another key part of the attack is calculating the cryptographic keys on the server. Because this is computationally heavy and requires renting hardware with modern GPUs, the cost of generating a key for a single victim is estimated at around $2.2. For this reason, we consider mass-tracking scenarios targeting, say, visitors inside a shopping center, to be unlikely. However, targeted attacks at this price point are accessible to virtually anyone, including scammers or nosy co-workers and spouses.

Apple’s response

The company patched the Find My network vulnerability in December 2024 in iOS 18.2, visionOS 2.2, iPadOS 17.7.3 (for older devices) and 18.2 (for newer ones), watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2, and macOS Sequoia 15.2. Unfortunately, as is often the case with Apple, the details of the updates have not been disclosed. The researchers emphasize that this tracking method will remain technically feasible until all Apple users update to at least the above versions, though fewer devices will be able to report a tracked device’s location. And it’s not impossible that the Apple patch could be defeated by another engineering trick.

How to protect yourself from the attack

  • Turn off Bluetooth when you’re not using it if your device has the option.
  • When installing apps, stick to trusted sources only. Verify that the app has been around for a long time, and has many downloads and a high rating in its latest version.
  • Only grant Bluetooth and location access to apps if you’re certain you need those features.
  • Regularly update your device: both the OS and main apps.
  • Make sure you have comprehensive malware protection enabled on all your devices. We recommend Kaspersky Premium.

Besides this rather unusual and as-yet-unseen-in-the-wild tracking method, there are numerous other ways your location and activities can be tracked.


Kaspersky official blog – Read More

Money Laundering 101, and why Joe is worried

Welcome to this week’s edition of the Threat Source newsletter. 

Howdy friends! One of the things I learned early on in cyber security is that crime does, in fact, pay. It can pay very well, actually. If it didn’t, we wouldn’t have ransomware cartels raking in obscene amounts of money year after year. Ransomware victims pay ransoms with cryptocurrency — typically Bitcoin. A criminal who has their ill-gotten BTC gains then needs to introduce it into a banking system that lets them spend that cryptocurrency with no questions asked.

You might be unsurprised to learn that that isn’t as easy as it sounds, but it’s also not a new problem. In the 1980s, South American drug cartels had a similar issue. They were making obscene amounts of money and had massive piles of cash. However, one cannot show up and start dropping massive amounts of money buying very expensive things without drawing legal attention. Plus, it turns out, cash was the preferred way to bribe corrupt officials. As a result, they found legal and banking loopholes, and less than reputable financial practices in the U.S. and in other countries, to inject ill-gotten money into a legitimate banking system where they could access the funds.

This is called money laundering, and it is at the heart of every successful organized crime organization. Money Laundering 101 is done in three basic steps: Placement, Layering, and Integration.  

  1. Placement: You need to get your money into the financial system(s). 
  2. Layering: You need to move the money around so it’s harder to trace and to link it to the crime.  
  3. Integration: Now that the connection to the crime is obfuscated, you can spend that money. You can invest it, buy expensive cars, or whatever. That money is now in someone else’s pocket. I used to joke that Ferrari dealerships don’t exactly accept cryptocurrency, but it turns out that joke is now on me. More and more businesses now accept cryptocurrency as a direct means of payment it seems.  

We often think of the crime of ransomware attacks at the point of impact and victimization, but rarely do we think of the reverse — the money that is paid out that flows back into the cartel and its affiliates. Cryptocurrency is fantastic for money laundering. It lags far behind regulatory standards, is largely anonymous, and can be “mixed” and directed to decentralized exchanges where Know Your Customer (KYC) and Anti-Money Laundering (AML) controls are not applied.  

So why am I bringing this up? Well, law enforcement attacking money laundering infrastructure really works. If you can impact how criminals launder their money, you put the brakes on the crime itself happening. After all, what good are the spoils of crime if you can’t do anything with them?

My fear is that regulatory climates have shifted, which will allow laundering to more easily happen. Time will tell if I’m right, and I don’t want to be.

The one big thing 

I’m a huge fanboy for clever evasion tactics. Cascading Style Sheets (CSS) evasion tactics in spam emails are just a wicked cool trick. Game knows game, and I have to say, this is super smart. Spam filters play a constant cat and mouse game against adversaries. It goes to show that the threat actors are always innovating neat tricks to exploit victims.

Why do I care? 

Spam emails account for a massive threat footprint, especially in enterprise email security. Any attack that sneaks malicious spam emails through a spam filter is worth paying attention to. 

So now what? 

Knowing is half the battle. Time to look at your email defenses and shore them up. Consider an email proxy service or something similar to help augment your email threat defense.

Top security headlines of the week 

Airport outages: Malaysia PM says country rejected $10 million ransom demand (The Record)

Satellites! I am an absolute sucker for space hacking. ENISA released a great guide on securing commercial space assets. (ENISA)  

One-click phishing attacks: Google hastily patched a Chrome zero-day vulnerability exploited by an APT. (Dark Reading)

Can’t get enough Talos? 

  • Patch Tuesday was a doozy this time. Check out our blog post here
  • Also, keep your eyes peeled: Talos’ 2024 Year in Review will be available for download on Monday, Mar. 31. 

Upcoming events where you can find Talos 

  • RSA (April 28 – May 1, 2025) San Francisco, CA 
  • PIVOTcon (May 7 – 9) Malaga, Spain 
  • CTA TIPS 2025 (May 14 – 15, 2025) Arlington, VA 
  • Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86
VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector
Detection Name: W32.File.MalParent

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

Cisco Talos Blog – Read More

AI technologies in Kaspersky SIEM | Kaspersky official blog

It’s a rare company these days that doesn’t boast about using artificial intelligence (AI). And often no explanation is forthcoming as to why AI is needed or, more importantly, how it’s implemented — just the mere presence of AI, it seems, is enough to make a product more valuable, innovative and high-tech. Kaspersky advocates a different approach: we don’t just say “we use AI”, but explain exactly how we deploy machine learning (ML) and AI technologies in our solutions. It’d take too long to list all our AI technologies in a single post given that we have an entire expertise center — Kaspersky AI Technology Research — that deals with all aspects of AI. So my sole focus here will be on those technologies that make life easier for SIEM analysts working with the Kaspersky Unified Monitoring and Analysis Platform.

SIEM AI Asset Risk Scoring

In traditional systems, one of the most resource-intensive tasks for a SIEM analyst is prioritizing alerts, especially when the system has just been installed and is running out of the box with default correlation rules not yet tuned to the infrastructure of a specific company. Big data analytics and AI can help here. Armed with SIEM AI Asset Risk Scoring, monitoring and response teams can prioritize alerts and prevent potential damage. The module assesses asset risk by analyzing historical data and prioritizing incoming alerts, which speeds up triage and generates hypotheses for proactive threat hunting.


Based on information about activated correlation rule chains, SIEM AI Asset Risk Scoring lets you build patterns of normal activity on endpoints. Then, by comparing daily activity with these patterns, the module identifies anomalies (for example, sudden traffic spikes or multiple service requests) that may signal a real incident and prompt the analyst to take a deeper look into these alerts. This way, the problem is detected early, before any damage is done.
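Kaspersky doesn’t describe the internals of the module, so the following is an added illustration of the baselining idea in the paragraph above, not the product’s algorithm: for each (asset, correlation rule) pair it takes the daily number of times the rule fired over a history window, models “normal” as mean and standard deviation, and scores today’s counts as z-scores weighted by an assumed rule severity. Assets are then ranked by the sum of those weighted scores. The sample events, asset names and severity weights are constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample, not Kaspersky data: (asset, correlation rule, day, times fired).
# Days 0-6 are history, day 7 is the day being scored. Zero-count days are
# recorded explicitly; days silently missing from the feed would skew the baseline.
TODAY = 7
EVENTS = [
    *[("srv-db-01", "MultipleFailedLogons", d, c) for d, c in enumerate([2, 3, 2, 4, 3, 2, 3])],
    ("srv-db-01", "MultipleFailedLogons", TODAY, 40),
    *[("wks-042", "OutboundTrafficSpike", d, c) for d, c in enumerate([10, 12, 11, 9, 10, 12, 11])],
    ("wks-042", "OutboundTrafficSpike", TODAY, 12),
    *[("wks-042", "NewServiceInstalled", d, 0) for d in range(7)],
    ("wks-042", "NewServiceInstalled", TODAY, 1),
]
# Assumed weights; a real deployment would take these from the rule's severity field.
SEVERITY = {"MultipleFailedLogons": 3, "OutboundTrafficSpike": 2, "NewServiceInstalled": 2}
STD_FLOOR = 1.0    # avoids dividing by zero for rules that never fired before
Z_THRESHOLD = 3.0  # how far above its own normal a count must be to count as an anomaly


def build_baseline(events, today: int = TODAY) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Per (asset, rule): mean and standard deviation of daily counts before `today`."""
    history = defaultdict(list)
    for asset, rule, day, count in events:
        if day < today:
            history[(asset, rule)].append(count)
    return {key: (mean(counts), max(pstdev(counts), STD_FLOOR))
            for key, counts in history.items()}


def score_day(events, baseline, today: int = TODAY):
    """Rank assets by how far today's rule firings exceed their own baseline,
    and list the individual (asset, rule) pairs that cross the threshold."""
    risk: Dict[str, float] = defaultdict(float)
    anomalies: List[Tuple[str, str, int, float]] = []
    for asset, rule, day, count in events:
        if day != today:
            continue
        # A rule with no history gets mean 0 and the floor, so z is today's count.
        mu, sigma = baseline.get((asset, rule), (0.0, STD_FLOOR))
        z = (count - mu) / sigma
        risk[asset] += max(z, 0.0) * SEVERITY.get(rule, 1)
        if z >= Z_THRESHOLD:
            anomalies.append((asset, rule, count, round(z, 1)))
    ranked = sorted(risk.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, anomalies


if __name__ == "__main__":
    ranked, anomalies = score_day(EVENTS, build_baseline(EVENTS))
    for asset, score in ranked:
        print(f"{asset:12s} risk={score:7.1f}")
    for asset, rule, count, z in anomalies:
        print(f"  anomaly: {asset} {rule} fired {count}x today (z={z})")
```

Two caveats a practitioner would add: a baseline built only from the asset’s own history is easy to poison by an attacker who ramps activity up slowly, so cap how far a single day may move the mean (or baseline against a fleet of similar assets); and the standard-deviation floor means a rule that has never fired before yields z equal to today’s count, which is what you want for “NewServiceInstalled” but may be noisy for chatty rules.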

AI-Powered OSINT IoCs

Analysts working with the Kaspersky Unified Monitoring and Analysis Platform also have the option to use additional contextual information from open sources through the Kaspersky Threat Intelligence Portal. After the latest update, the portal now provides access to threat intelligence collected using a generative AI model.

It works as follows: let’s say you’ve found a suspicious file during a threat hunt. You can take the file’s hash and look it up on the portal, and if someone else has already encountered it during an incident investigation and published something about it, the technology instantly shows you indicators of compromise (IoCs) and key facts about the threat. Without such automation, it can take an analyst many hours to find and review this information, especially if there are lots of materials written in different languages. Our system, built on an internal LLM, automates this process: it analyzes all reports and mentions of the threat in whatever language, extracts the essentials, and presents a summary: the nature of the threat, when it was first detected, the cybercriminal groups associated with it, the industries most often targeted with the file, and so on. This saves the analyst an enormous amount of searching and research time.

What’s more, the analyst has access to other Kaspersky Threat Intelligence data, including information generated using AI technologies and big data analytics. Our threat intelligence databases are continuously updated with the results of manual APT research, live data from the darknet, information from the Kaspersky Security Network, and regular analysis of new malware. All of these technologies help users minimize the potential damage from cyber-incidents and reduce the Mean Time to Respond (MTTR) and the Mean Time to Detect (MTTD).

 

We continue to improve the usability and performance of our SIEM system, with a focus on deploying AI to free information security employees from even more routine tasks. Follow updates of the Kaspersky Unified Monitoring and Analysis Platform on the official product page.

Kaspersky official blog – Read More

How We Enrich TI Lookup and Feeds with Fresh Threat Data from 15,000 Organizations

Cyber threat intelligence is all about data: collecting it, exploring and researching it, and extracting actionable insight from it. If you employ any intelligence solution, it is vital to understand what data sources it relies on and what kind of information they deliver.

In ANY.RUN’s Threat Intelligence Lookup and TI Feeds, we leverage fresh data from millions of sandbox analyses performed by thousands of organizations and hundreds of thousands of researchers.

Here is how it works. 

Where Threat Intelligence Comes From 

TI Lookup lets you access fresh threat intelligence on active malware and phishing attacks

Over 500,000 security professionals worldwide, including SOC teams from 15,000 companies, use ANY.RUN’s Interactive Sandbox daily to analyze suspicious links and files related to the latest cyber attacks. They check alleged phishing emails, explore potential breach attempts, investigate incidents, and collect critical insights into malicious behavior. 

Thanks to ANY.RUN’s proprietary technology, we extract IOCs, IOAs, IOBs, and TTPs from the analyzed samples and enrich Threat Intelligence Lookup and TI Feeds with a continuous inflow of threat data which is: 

  • Real and Exclusive: Companies submit files and URLs related to actual attacks on their infrastructure. The data extracted from these submissions is often unique and cannot be found in any other sources.   
  • Up-to-date: The data belongs to recent or ongoing cyber attacks, including active campaigns and emerging malware.  
  • Actionable: SOC teams often submit samples as part of proactive threat hunting or incident response, contributing to a dataset that helps you predict and prevent future attacks. 



How Data From 15,000 Businesses Helps Yours 

ANY.RUN provides free TI Feeds samples in STIX and MISP

The wealth of data on the latest cyber threats available in Threat Intelligence Lookup and TI Feeds enables organizations like yours to:  

  • Quickly detect and prevent attacks, avoiding operational disruption and further damage.
  • Enhance SOC efficiency by giving teams access to current, relevant data so they can defend the company’s assets and infrastructure proactively.
  • Improve mitigation and response, minimizing incident costs and financial and reputational losses.

You can investigate, search, and get a direct stream of IOCs, IOAs, and IOBs in your company to strengthen your proactive defenses against ongoing malware and phishing attacks.  



Examples of Unique Threat Intelligence on Active Cyber Attacks 

One scenario where threat data from some companies serves other companies through ANY.RUN’s tools is an industry-wide malware campaign. Organizations that were the first to face incidents help others anticipate and prevent them.

1. Interlock Ransomware Attacks on US Healthcare  

In late 2024, the Interlock ransomware group launched targeted attacks against multiple healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data.

Threat Intelligence Lookup had data on the threat almost one month before the first reports emerged. This helped our users take preventative measures long before public alerts were raised. For example, one of the malicious domains that distributed the ransomware appeared in submitted samples in September.

domainName:”apple-online.shop$” 

The earliest samples with Interlock ransomware found via TI Lookup 

Besides gathering IOCs for monitoring, detection and alerts, security teams were able to see inside sandbox emulations what the malicious websites and pages looked like, and train employees to recognize and avoid similar threats in the future.

Malicious website opened in the Interactive Sandbox

Finally, ANY.RUN’s data managed to enrich the understanding of attacks and their evolution.  

ANY.RUN reports with analysis of Interlock’s fake updater programs 

While reports stated that the attackers used malware disguised as a Google Chrome updater, ANY.RUN uncovered additional tactics, such as mimicking MSTeams and MicrosoftEdge updates (evident in filenames like MSTeamsSetup.exe and MicrosoftEdgeSetup.exe).



2. Nitrogen Ransomware Attacks on Fintech 

Financial services have been one of cybercriminals’ most targeted sectors in recent years. The Nitrogen ransomware group case is much like Interlock’s in healthcare: thanks to thousands of companies using ANY.RUN, information on the new threat appeared quickly in our services, and more companies had the opportunity to protect themselves and set up detection and alerts.

The group was first reported about half a year ago, months after the attack unfolded, and information about it is still scarce. That makes the data in Threat Intelligence Lookup all the more valuable, since it lets users interconnect, contextualize, and further explore it.

For example, the first analytic report on the Nitrogen group, from StreamScan, mentions the file truesight.sys in its attack dissection. This is a legitimate driver, one of those often abused by attackers to evade detection. The StreamScan report, however, neither contains nor links to any malware samples or analyses featuring abuse of this driver.

We can use the following query in TI Lookup to find relevant samples:

commandLine:”truesight.sys”

TI Lookup contains numerous samples belonging to Nitrogen attacks

We can search for this file via TI Lookup, find dozens of analysis tasks where the driver was spotted, see how the malware behaves, and what IOCs are associated with truesight.sys abuse. And of course we can find other malware with similar mechanics.  
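As an added example (not ANY.RUN’s code, and not a detection it publishes), here is the kind of check a SOC would write once TI Lookup has pointed it at truesight.sys: a small hunter over Windows driver-load events in the field layout of Sysmon’s Event ID 6. Loading a legitimate but abusable driver is the pattern usually called BYOVD, and the three things worth flagging are a driver name on a watch-list of such drivers (only truesight.sys from the post is on it; a real list would come from a maintained source such as the LOLDrivers project), a driver loaded from outside the usual driver directories (a heuristic assumed here), and a missing or invalid signature. The events are constructed for this example; the timestamps, paths, hashes and signer strings are made up.

```python
import re
from typing import Dict, Iterable, List

# Constructed Sysmon-style "Driver loaded" (Event ID 6) records. Record 2 models
# the truesight.sys abuse the post mentions; nothing here is real telemetry.
SAMPLE_EVENTS = [
    'EventID=6 UtcTime=2024-11-02T03:14:07 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys '
    'Hashes=SHA256=1111 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    'EventID=6 UtcTime=2024-11-02T03:15:31 ImageLoaded=C:\\Users\\Public\\Libraries\\truesight.sys '
    'Hashes=SHA256=2222 Signed=true Signature="Example Security Vendor" SignatureStatus=Valid',
    'EventID=6 UtcTime=2024-11-02T03:16:02 ImageLoaded=C:\\Windows\\Temp\\upd.sys '
    'Hashes=SHA256=3333 Signed=false Signature="" SignatureStatus=Unavailable',
    'EventID=1 UtcTime=2024-11-02T03:16:05 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c whoami"',
]

# Legitimate drivers seen brought along by attackers. truesight.sys is from the
# post; in practice load a maintained list (e.g. LOLDrivers) and match hashes too.
ABUSED_DRIVER_NAMES = {"truesight.sys"}
# Assumed heuristic: drivers normally live under these roots (compared lower-cased).
TRUSTED_DRIVER_ROOTS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line: str) -> Dict[str, str]:
    """key=value pairs; quoted values may contain spaces, quotes are stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def evaluate_driver_load(rec: Dict[str, str]) -> List[str]:
    """Reasons this driver load deserves attention; an empty list means benign."""
    if rec.get("EventID") != "6":
        return []
    path = rec.get("ImageLoaded", "").lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if name in ABUSED_DRIVER_NAMES:
        reasons.append(f"known-abused driver name {name}")
    if not path.startswith(TRUSTED_DRIVER_ROOTS):
        reasons.append(f"unusual path {rec.get('ImageLoaded')}")
    if rec.get("Signed", "").lower() != "true" or rec.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def hunt(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run every record through the checks and keep the ones with findings."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        reasons = evaluate_driver_load(rec)
        if reasons:
            alerts.append({"time": rec.get("UtcTime"), "driver": rec.get("ImageLoaded"),
                           "hashes": rec.get("Hashes"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["time"], alert["driver"], "->", "; ".join(alert["reasons"]))
```

Name matching is the weakest of the three checks, since renaming the file costs the attacker nothing; match the Hashes field against the hashes you collect from the sandbox tasks instead. Expect noise from legitimate third-party drivers under Program Files, so treat the path rule as a scoring input rather than an alert on its own.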

Conclusion 

Threat Intelligence Lookup and TI Feeds offer a wealth of threat data on the latest cyber attacks. From IOCs, IOAs, and IOBs to TTPs, you can easily gain valuable context on any piece of intelligence and get a constant stream of up-to-date indicators directly into your detection systems. With ANY.RUN, you get actionable threat intelligence to help your business build strong, scalable, and efficient protection against ongoing and emerging threats.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request a free trial of ANY.RUN’s services →

The post How We Enrich TI Lookup and Feeds with Fresh Threat Data from 15,000 Organizations appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

How to hack an Eight Sleep smart mattress “Pod” | Kaspersky official blog

For a while after we wrote about hacking a bicycle, it seemed it couldn’t be beat as the most unlikely hack target ever. However, developers’ imagination seems to know no bounds — and hackers aren’t far behind in their ingenuity…

And so, here’s introducing the internet-connected mattress system — or “Pod” as it’s called — made by the company Eight Sleep, along with several ways it can be hacked as discovered by security researcher Dylan Ayrey.

Smart mattress Pod? What’s that?

Perhaps we should start by explaining what an Eight Sleep Pod is and why someone might want to buy this futuristic piece of tech. The Eight Sleep designers position their product as an “Intelligent Bed Cooling System”. The primary target audience is people with various sleep problems: insomnia, poor sleep quality, snoring, and similar issues that can significantly impact quality of life.

The Pod is made up of a sheet-like “high-tech layer” (the “Cover”) and an external unit (the “Hub”); optionally there’s also a motorized “Base”. Built into the Cover is a network of tubes with water circulating through them; the Hub heats or cools that water, so the bed warms up or cools down as instructed by the owner. It can do this automatically too (more on that later). The Pod is divided into two independent zones of a double bed, each with its own settings. The temperature range is fairly broad: from 12 to 43°C.

At $4699, the Eight Sleep Pod 4 Ultra package is the most expensive version of the system made by the company

But wait: there’s more to it! The Pod has several dozen “clinical-grade sensors” that track users’ sleep quality. It also has vibration motors to wake you up, and sensors for ambient temperature and humidity. The ultimate version — the Pod 4 Ultra — comes with a transformable, electronically-controlled bed base.

It goes without saying that the system connects to the internet. It does this via a Wi-Fi receiver in the Hub. Eight Sleep Pods are configured and controlled almost exclusively via an app. We say “almost”, because the latest (and most expensive) generation — Pod 4 — has pressure-sensitive areas on the sides that you can tap to control certain functions.

Autopilot and sleep by subscription

The main software component of an Eight Sleep Pod is the “Autopilot” system, which uses sensors built into the Cover to collect lots of statistics about the quality and quantity of users’ sleep, and generate detailed reports for them. In addition, Autopilot has a number of other interesting options. For example, the system can detect when the user starts snoring and change the geometry of the Base to fix the problem.

Autopilot uses vibration sensors to track snoring, and combats it by adjusting the geometry of the bed base

The Pod also has a physical alarm clock that wakes the user by changing the temperature of the bed and turning on vibration. However, the key Autopilot feature (and the one Eight Sleep touts the most) is, well, autopilot mode. What this does is continuously monitor the users’ sleep quality — automatically adjusting the temperature to ensure the deepest and most comfortable sleep possible.

In case you thought this was an Eight Sleep Pod ad, let’s look at this product’s numerous flaws…

To start with, these things are eye-wateringly expensive: retail prices start at $3000, and the top-of-the-line Pod 4 Ultra costs a whopping $4700.

An Autopilot subscription would set you back at least $200 per year; without it, the most exciting features simply won’t work

But the outlay doesn’t end there: the user will almost certainly have to pay for a subscription that costs between $200 and $300 per year. In theory, you could choose not to pay it, but without the subscription most of the smart features remain inactive.

Also, like any modern tech company, Eight Sleep constantly collects data about its users. CEO Matteo Franceschetti talks quite openly about this on X:

Eight Sleep has accumulated data on almost a billion hours of its users’ sleep

Smart mattress hack No. 1: developer backdoor

Now let’s shift the focus to why this post was written: hacking this smart-mattress system. Dylan Ayrey, a security researcher, decided to look into Eight Sleep’s security — simply out of curiosity, he said, as Dylan is the happy owner of an Eight Sleep Pod, which helps him with his insomnia.

You might remember Dylan for his other notable investigations, such as the possibility of using phantom corporate accounts uncontrollable by workspace admins, or attacking Google OAuth via abandoned domains.

To begin analyzing the Pod’s security, Ayrey needed a copy of its firmware. Security-conscious vendors don’t just give their firmware away, so trying to find a copy often becomes a quest unto itself. Not so with Eight Sleep. The update server lets anyone who follows the link download the firmware for any of the company’s Pod models, no questions asked.

While examining the code, Dylan found a number of noteworthy things, including an API for remote connection via SSH. Given that an Eight Sleep Pod is essentially a computer running Linux (as many other modern devices are), a connection like this allows running arbitrary code remotely on the mattress pad Hub.

The Eight Sleep Pod firmware was found to contain an API for remote access to the smart mattress

Judging by the email address associated with the SSH public key found in the firmware code, all (or at least many) Eight Sleep engineers could have remote access to any Pod.

Judging by the email address associated with the SSH public key, all (or at least many) Eight Sleep engineers could have remote access to any Pod

One could use an SSH connection like this to spy on the Pod’s owner — to find out when they’re sleeping or when they spend the night away from home. It would even be possible to check if there’s one person in bed or two. Having this type of control could also let someone play pranks on the owner by changing the temperature of the Pod, turning the alarm clock on or off, adjusting the geometry of the bed base, and so on.

Nothing like that seems to have happened to Eight Sleep Pod owners yet, but something like it could; theoretical possibilities like this sometimes do materialize. This is what recently happened with Ecovacs robot vacuums: pranksters used vulnerabilities in these devices to harass their owners.

Smart mattress hack No. 2: an AWS key in the firmware

While still looking at the Eight Sleep Pod firmware, Dylan discovered a valid AWS (Amazon Web Services) key in its code — used to continuously upload telemetry to the cloud. Again this is only theoretical, but if the key fell into the wrong hands it could lead to serious violations of user privacy.

(Not the) best practices for programming smart devices: a hardcoded AWS key in firmware accessible to anyone

For better or for worse, the full truth about the presence of an Amazon key won’t come out. Dylan notified Eight Sleep, and by the time his research was published the key had already been revoked. However, the mere presence of the key within the firmware, where it was accessible to anyone, was clear evidence that user security and privacy were taken lightly.

Dylan further adds that the key could have, at the very least, been used to cause financial damage to the company by sending a large number of meaningless requests to the AWS cloud.
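
A firmware image can be checked for exactly this class of mistake before it ships. The script below is an added example, not Eight Sleep's code or the researcher's tooling: it scans a blob for AWS access key IDs and OpenSSH public-key lines (whose trailing comment is what exposed the owner here) and reports each hit with its byte offset. The sample image is constructed; the key ID AKIAIOSFODNN7EXAMPLE is the placeholder used in AWS documentation and engineer@example.com is invented.

```python
"""Scan a firmware image for embedded credentials (added example; the sample
image and every value in it are constructed, not taken from any real firmware)."""
import re
from typing import Dict, List

# AWS access key IDs are 20 characters: "AKIA" (long-term IAM user keys) or "ASIA"
# (temporary STS keys) followed by 16 upper-case letters or digits.
AWS_KEY_ID_RE = re.compile(rb"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# An OpenSSH public key line: key type, base64 blob, optional comment (often an
# e-mail address, which is what gave away the key's owner in this case).
SSH_PUBKEY_RE = re.compile(
    rb"(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp(?:256|384|521)) "
    rb"([A-Za-z0-9+/]{40,}={0,2})(?:[ \t]+([^\s\x00]+))?"
)

# Constructed stand-in for a firmware image: filler bytes around two planted secrets.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + bytes(range(256)) * 4
    + b"\x00aws_access_key_id=AKIAIOSFODNN7EXAMPLE\x00"
    + bytes(range(255, 0, -1)) * 2
    + b"\x00ssh-ed25519 " + b"A" * 68 + b" engineer@example.com\n\x00"
    + bytes(64)
)


def scan_firmware(blob: bytes) -> List[Dict[str, object]]:
    """Return every credential-looking artifact with its byte offset, so a reviewer
    can jump to that location in the image and decide what it is."""
    findings: List[Dict[str, object]] = []
    for m in AWS_KEY_ID_RE.finditer(blob):
        findings.append({"kind": "aws_access_key_id", "offset": m.start(),
                         "value": m.group(0).decode("ascii")})
    for m in SSH_PUBKEY_RE.finditer(blob):
        comment = m.group(3).decode("utf-8", "replace") if m.group(3) else ""
        findings.append({"kind": "ssh_public_key", "offset": m.start(),
                         "value": m.group(1).decode("ascii"), "comment": comment})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for finding in scan_firmware(SAMPLE_FIRMWARE):
        print(finding)
```

The AWS secret access key itself is a 40-character base64-like string with no fixed prefix, so a regex for it is noisy; a practical scanner looks for the key ID and then inspects the bytes around it by hand, or hands the image to a dedicated secret scanner.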

Smart mattress hack No. 3: jailbreaking with the help of an aquarium chiller

Clearly inspired by his earlier findings, Dylan decided to attempt jailbreaking the Pod — that is, detaching it from Eight Sleep’s cloud services. Dylan took a drastic approach: he disconnected the external unit (with all its smart electronics and internet connectivity).

Physical hack of the Eight Sleep smart mattress achieved with an aquarium chiller

Detaching an Eight Sleep smart mattress from the cloud using a $150 aquarium chiller

Dylan replaced the Eight Sleep Hub with… a common aquarium chiller. This system, in contrast, doesn’t require an app or a subscription fee, collects no user data, comes without any backdoors, and runs perfectly well without an internet connection. What it does do is effectively adjust the temperature of your bed, and, just as importantly, it costs only $150.

For those who prefer a less radical approach to the issue of Eight Sleep products being tied to the vendor cloud, Free Sleep offers a solution. This is an open-source software suite that allows you to take control of your smart mattress.

Want to know what other unexpected devices have been successfully hacked? Here you go!…

Kaspersky official blog – Read More

CVE-2025-2783 in Operation ForumTroll APT | Kaspersky official blog

Our exploit detection and prevention technologies have detected a new wave of cyberattacks with previously unknown malware. While analyzing it, our Global Research and Analysis Team (GReAT) experts realized that we’re dealing with a technically sophisticated targeted attack, which suggests that a state-sponsored APT group is behind it. The attack exploited a zero-day vulnerability in the Chrome browser, which we immediately reported to Google; the company promptly released a patch to fix it.

What is the Operation ForumTroll APT attack?

The attack starts with an email with a phishing invitation to the Primakov Readings international economic and political science forum. There are two links in the email’s body, which pretend to lead to the program of the event and the registration form for participants, but which actually lead to the malefactor’s website. If a Windows PC user with the Google Chrome browser (or any other browser based on the Chromium engine) clicks them, their computer gets infected with no additional action required from the victim’s side.

Next, the exploit for the CVE-2025-2783 vulnerability comes into play — helping to circumvent the Chrome browser’s defense mechanism. It’s too early to talk about technical details, but the essence of the vulnerability comes down to an error in logic at the intersection of Chrome and the Windows operating system that allows bypassing the browser’s sandbox protection.

A slightly more detailed technical description of the attack along with the indicators of compromise can be found on our Securelist blog. Our GReAT experts will publish a thorough technical analysis of the vulnerability and APT attack once the majority of browser users install the newly-released patch.

Who are the targets of the Operation ForumTroll APT attack?

Fake event invitations containing personalized links were sent to Russian media representatives and to employees of educational institutions and governmental organizations. According to our GReAT experts, the goal of the attackers was espionage.

How to stay safe

At the time of writing this post, the attack was no longer active: the phishing link redirected users to the legitimate Primakov Readings website. However, the malefactors could reactivate the exploit delivery mechanism at any time and start the next wave of the attack.

Thanks to our experts’ analysis, Google Chrome’s developers have promptly fixed the CVE-2025-2783 vulnerability today, and thus we advise you to check that your organization uses the browser updated to at least the 134.0.6998.177/.178 version.
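
Checking a fleet against that minimum build is easy to get wrong with a string comparison ("134.0.6998.89" sorts after "134.0.6998.177" as text). The snippet below is an added example, not Kaspersky tooling: it compares dotted Chrome version strings numerically against the fixed build named above and lists the hosts that still need the update. The inventory rows are constructed.

```python
"""Check a browser inventory against the fixed Chrome build (added example, not
Kaspersky tooling; the host list is constructed)."""
from typing import List, Tuple

# Lowest Chrome build that contains the CVE-2025-2783 fix, as given in the post.
MIN_FIXED_VERSION = "134.0.6998.177"

# Constructed inventory: (hostname, Chrome version reported by the endpoint agent).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-001.example.internal", "134.0.6998.178"),
    ("ws-002.example.internal", "134.0.6998.89"),
    ("ws-003.example.internal", "135.0.7049.52"),
    ("ws-004.example.internal", "133.0.6943.142"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 134.0.6998.89 < 134.0.6998.177."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, minimum: str = MIN_FIXED_VERSION) -> bool:
    return parse_version(version) >= parse_version(minimum)


def unpatched_hosts(inventory: List[Tuple[str, str]],
                    minimum: str = MIN_FIXED_VERSION) -> List[str]:
    """Hostnames whose browser build is older than the fixed one."""
    return [host for host, ver in inventory if not is_patched(ver, minimum)]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print("needs update:", host)
```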

In addition, we recommend using reliable security solutions equipped with modern exploit detection and prevention technologies on all internet-connected corporate devices. Our products successfully detect all exploits and other malware used in this APT attack.

GorillaBot: Technical Analysis and Code Similarities with Mirai

Editor’s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on X and LinkedIn. 

In this article, we’re diving into GorillaBot, a newly discovered botnet built on Mirai’s code. It’s been spotted launching hundreds of thousands of attacks across the globe, and it’s got some interesting tricks up its sleeve.  

We’ll walk through how it talks to its command-and-control (C2) servers, how it receives instructions, and the methods it uses to carry out attacks.  

Overview 

“GorillaBot” is a newly discovered Mirai-based botnet that has been actively targeting systems in over 100 countries. According to the NSFOCUS Global Threat Hunting team, the botnet issued more than 300,000 attack commands between September 4 and September 27. 

This malware variant poses a serious cyber threat, affecting a wide range of industries — including telecommunications, financial institutions, and even the education sector — prompting an urgent need for response and mitigation. 

Key Takeaways 

  • GorillaBot is a Mirai-based botnet that reuses core logic while adding custom encryption and evasion techniques. 
  • It targets a wide range of industries and has launched over 300,000 attacks across more than 100 countries. 
  • The botnet uses raw TCP sockets and a custom XTEA-like cipher for secure C2 communication. 
  • GorillaBot includes anti-debugging and anti-analysis checks, exiting immediately in containerized or honeypot environments. 
  • The malware authenticates to its C2 server using a SHA-256-based token generated from a hardcoded array and server-provided value. 
  • Attack commands are encoded and hashed, then passed to a Mirai-style attack_parse function for execution. 

Technical Analysis  

In this section, we will examine the technical details of GorillaBot, focusing on its C2 communication protocol and how it receives information about its targets and the attack methods it’s instructed to use. 

Anti-Debugging  

Before proceeding with its main activity, GorillaBot performs checks to detect the presence of debugging tools. One of its first actions is to read the /proc/self/status file and inspect the TracerPid field. This field indicates whether the process is being traced – a value of 0 means it’s not, while a non-zero value suggests a debugger is attached. 

Reading the /proc/self/status file and inspecting the TracerPid field 

Another technique that “GorillaBot” uses to detect debuggers is to register a callback function that will pause and then exit upon receiving a SIGTRAP signal. 

Detection of debuggers by GorillaBot 

Environment check  

GorillaBot is highly selective about the environment it runs in. It first ensures that it is operating on a legitimate target machine rather than inside a honeypot or container. To do this, it performs several checks for system-level artifacts that may not be present in those scenarios. 

The code shows that it initially checks for access to the “/proc” file system – a virtual file system that provides user-space processes with information about the kernel and running processes.  

In a typical Linux environment, the presence of the “/proc” file system is expected. If it’s missing, GorillaBot assumes it is being analyzed in a honeypot and exits immediately. 

/proc check to detect non-standard environments 

GorillaBot uses another check to detect Kubernetes containerization by examining a specific file in the “/proc” directory, namely “/proc/1/cgroup.” It looks for the string “kubepods.” If this string is found, GorillaBot recognizes that it is running in a container and terminates its execution to avoid detection. 

Containerization checks by GorillaBot 
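
The practical use of these checks for an analyst is the inverse one: before detonating the sample, confirm that the lab environment will not trip any of them. The script below is an added example (not GorillaBot's code and not ANY.RUN's) that evaluates the three documented checks, the TracerPid field from the anti-debugging section above and the /proc and "kubepods" tests, against file contents, and can also run them against the machine it is executed on. The sample /proc/self/status and /proc/1/cgroup contents are constructed.

```python
"""Evaluate the environment checks the article describes (TracerPid in
/proc/self/status, "kubepods" in /proc/1/cgroup, presence of /proc) against
file contents, so an analyst can confirm a lab box will not make the sample
exit early. Added example; the sample file contents are constructed."""
import os
from typing import List, Optional


def tracer_pid(proc_status_text: str) -> Optional[int]:
    """Value of the TracerPid field, or None if the field is absent."""
    for line in proc_status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def cgroup_mentions_kubepods(cgroup_text: str) -> bool:
    return "kubepods" in cgroup_text


def evasion_triggers(proc_present: bool, proc_status_text: str,
                     cgroup_text: str) -> List[str]:
    """Names of the documented checks that would fire on this environment.
    An empty list means the sample would get past this stage."""
    hits: List[str] = []
    if not proc_present:
        hits.append("no /proc filesystem (honeypot check)")
        return hits
    pid = tracer_pid(proc_status_text)
    if pid:
        hits.append(f"TracerPid={pid} (debugger attached)")
    if cgroup_mentions_kubepods(cgroup_text):
        hits.append("kubepods in /proc/1/cgroup (Kubernetes container)")
    return hits


def live_triggers() -> List[str]:
    """Run the same evaluation against the machine this script runs on (Linux only)."""
    if not os.path.isdir("/proc"):
        return evasion_triggers(False, "", "")

    def read(path: str) -> str:
        try:
            with open(path, "r", errors="replace") as fh:
                return fh.read()
        except OSError:
            return ""

    return evasion_triggers(True, read("/proc/self/status"), read("/proc/1/cgroup"))


# Constructed file contents for a clean host, a traced process and a Kubernetes pod.
STATUS_CLEAN = "Name:\tsample\nState:\tR (running)\nTracerPid:\t0\nUid:\t1000\n"
STATUS_TRACED = "Name:\tsample\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n"
CGROUP_HOST = "0::/user.slice/user-1000.slice/session-3.scope\n"
CGROUP_K8S = "0::/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod123.slice\n"

if __name__ == "__main__":
    print("clean host  :", evasion_triggers(True, STATUS_CLEAN, CGROUP_HOST))
    print("traced      :", evasion_triggers(True, STATUS_TRACED, CGROUP_HOST))
    print("k8s pod     :", evasion_triggers(True, STATUS_CLEAN, CGROUP_K8S))
    print("this machine:", live_triggers())
```

A non-zero TracerPid is exactly what strace, gdb or any other ptrace-based tool produces, so a sample that reads it has to be observed from the outside (network capture, a sandbox that hooks at the kernel or hypervisor level) rather than under a tracer.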

Encryption & Decryption Algorithms  

One of the more intriguing features of this Mirai-based botnet is its use of encryption and decryption techniques to obscure key strings and hide internal configuration data.

Researchers observed that GorillaBot uses a simple Caesar cipher with a shift of 3 to decrypt specific strings. In addition, it employs a custom block cipher – which we’ll examine later in this article – to decrypt more complex internal configurations. These methods help the malware avoid static detection and make reverse engineering more difficult. 

The use of Caesar cipher by GorillaBot 

Network Communication  

Initial C2 Communication  

Like many other Mirai-based botnets, GorillaBot uses raw TCP sockets for command-and-control (C2) communication, rather than higher-level protocols like HTTP or HTTPS.  

The process begins with the malware establishing a connection to its C2 server – the server’s IP address is decrypted at runtime using what appears to be a custom implementation of the XTEA (Extended Tiny Encryption Algorithm).  

The cipher closely resembles TEA or XTEA, employing a 128-bit (16-byte) hardcoded key for both encryption and decryption. 

During each iteration of the algorithm, a delta value is subtracted from the sum. 

Decryption of C2 IP using custom XTEA-like algorithm

The function begins by calculating the length of the provided data. It does this by iterating until it encounters the first NULL character.  

Once the length is known, it proceeds to pack the key. Since the key is given as a serialized sequence of bytes, it must be organized into an array of four 32-bit words before the function can perform either encryption or decryption. 

Key packing and data length calculation before encryption/decryption 

After the key is prepared and the data length calculated, the function checks a mode parameter to decide whether to encrypt or decrypt. It then enters a loop to iterate over the data for either process.
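
To make the steps just described concrete (length via the first NUL, packing 16 key bytes into four 32-bit words, a mode switch, and a decrypt loop that subtracts delta from the running sum), here is reference XTEA as an added example. It is the published algorithm, not GorillaBot's custom variant, so a real sample's constants, round count and byte order have to be read from its code; the key, plaintext, little-endian word order and the convention that mode 1 encrypts are all constructed or assumed.

```python
"""Reference XTEA with the key-packing and mode-switch structure the article
describes. Added example: this is the published XTEA algorithm, not GorillaBot's
variant; key, plaintext, byte order and the mode convention are constructed/assumed."""
import struct
from typing import List, Tuple

DELTA = 0x9E3779B9          # XTEA's golden-ratio constant
MASK32 = 0xFFFFFFFF
ROUNDS = 32                 # 32 cycles (64 Feistel rounds), the reference count


def pack_key(key: bytes) -> List[int]:
    """Organise the 16 serialized key bytes into four 32-bit words
    (little-endian assumed; a sample's real byte order comes from its code)."""
    if len(key) != 16:
        raise ValueError("XTEA uses a 128-bit key")
    return list(struct.unpack("<4I", key))


def xtea_encrypt_block(v0: int, v1: int, k: List[int]) -> Tuple[int, int]:
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, k: List[int]) -> Tuple[int, int]:
    """Mirror image of encryption: start at DELTA*ROUNDS and subtract DELTA each
    iteration, the "delta subtracted from the sum" pattern seen in the sample."""
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return v0, v1


def c_strlen(buf: bytes) -> int:
    """Length up to the first NUL byte, the way the sample's routine measures input."""
    i = buf.find(b"\x00")
    return len(buf) if i < 0 else i


def xtea_process(data: bytes, key: bytes, mode: int) -> bytes:
    """Apply the block cipher to every full 8-byte block. mode 1 = encrypt,
    mode 0 = decrypt (the numeric convention is an assumption)."""
    k = pack_key(key)
    out = bytearray(data)
    step = xtea_encrypt_block if mode else xtea_decrypt_block
    for off in range(0, len(out) - len(out) % 8, 8):
        v0, v1 = struct.unpack_from("<2I", out, off)
        struct.pack_into("<2I", out, off, *step(v0, v1, k))
    return bytes(out)


def encrypt_cstring(text: bytes, key: bytes) -> bytes:
    """NUL-pad a C string to a multiple of 8 bytes and encrypt it (builds fixtures)."""
    n = c_strlen(text)
    padded = text[:n] + b"\x00" * (-(n + 1) % 8 + 1)
    return xtea_process(padded, key, 1)


def decrypt_cstring(blob: bytes, key: bytes) -> bytes:
    """Decrypt, then cut at the first NUL of the recovered plaintext."""
    plain = xtea_process(blob, key, 0)
    return plain[:c_strlen(plain)]


if __name__ == "__main__":
    KEY = bytes(range(16))                       # constructed key
    ct = encrypt_cstring(b"192.0.2.10", KEY)     # constructed, documentation-range address
    print(ct.hex(), decrypt_cstring(ct, KEY))
```

Note where the NUL scan is applied: the article says the sample measures its input with a strlen-style loop, but a ciphertext can legitimately contain zero bytes, so scanning the encrypted buffer would truncate it. The example measures the decrypted output instead; when reimplementing a sample's routine for a decryptor, copy its behaviour exactly, including quirks like this one.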

Mode parameter check 

GorillaBot authentication mechanism with the C2 server   

After successfully connecting to the C2 server, the malware initiates the authentication process to identify itself to the server.  

This process begins with the malware sending a 1-byte TCP probe packet to the C2 server. In response, the server replies with a 4-byte TCP packet that includes a “magic” 4-byte value. This value is then used to generate the bot ID for the authentication process. 

View analysis in ANY.RUN’s Interactive Sandbox

C2 communication shown in ANY.RUN’s Interactive Sandbox

The process begins with a returned 4-byte magic value, which is combined with a 32-byte encrypted array to generate the bot ID or authentication token.  

A key aspect of this process is the method used to combine the 32-byte array with the 4-byte magic value to create the token.  

The same cipher previously described is applied to decrypt the 32-byte hardcoded array. Once decrypted, the data is copied into a separate buffer and concatenated with the 4-byte magic value. 

The combined data is then hashed using SHA-256 before being sent back to the command and control (C2) server as the identification token. 

Decrypted array and magic value combined, then hashed with SHA-256 

In the screenshot below, you can see the generated SHA-256 token, which is created by combining the 4-byte magic value received from the C2 server with the decrypted 32-byte hardcoded array. 

The generated SHA-256 token 

The C2 (Command and Control) communication continues after the C2 server authenticates the bot.  

In response, the server sends a packet that appears to be a flag, with the value “01,” to confirm the bot’s authenticity. The C2 server most likely maintains a list of SHA-256 hashes of valid bot IDs and checks the received ID against it, ensuring that the connection comes from a legitimate bot instance rather than from an unauthorized source attempting to interact with the C2 infrastructure. 

C2 server responds with 0x01 flag to confirm bot authentication 

In the screenshot above, after successfully sending the SHA-256 hash (bot ID), the bot receives a 1-byte response. This response is checked against “01,” which indicates successful authentication. Following this, the bot replies with a 4-byte packet containing the bytes “00 00 00 01.” This is likely the bot acknowledging receipt of the flag packet. 

Next, GorillaBot exhibits behavior similar to the original Mirai bot: the malware calculates the length of a 32-byte ID buffer and sends this length to the command and control (C2) server. Once the length is successfully sent, the malware transmits the ID buffer itself. 

Mirai code snippet 

The code snippet above is taken from the leaked Mirai source and includes a check for the number of arguments. If a second argument is provided, it is copied to “id_buf,” which has a length of exactly 32 bytes.  

This behavior is consistent with that observed in the Mirai-based variant “GorillaBot.” During its initial communication with the command-and-control (C2) server, GorillaBot first sends the length of the buffer, followed by the buffer itself – mirroring the original Mirai implementation. 

GorillaBot mimics Mirai by sending buffer length, then the buffer 

The screenshot below summarizes the initial C2 communication, validating the connection to ensure it comes from the intended source. This is crucial so that only authenticated connections receive attack commands. 

Summary of initial C2 communication 
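
The exchange summarized above, modelled in-process from both sides, as an added example (not the malware's code and not ANY.RUN's): a small C2 emulator an analyst can point a sample at in an isolated lab, plus the token computation needed to confirm a SHA-256 seen in a capture. The 32-byte array, the 4-byte magic value, the probe byte and the id_buf text are constructed stand-ins for values that would be recovered from the sample; the one-byte id length follows the leaked Mirai source quoted below.

```python
"""Model of the GorillaBot authentication exchange as an analyst-side C2
emulator plus token checker (added example, not the malware's or anyone's
production code). All values below are constructed stand-ins."""
import hashlib
from typing import List, Set, Tuple

DECRYPTED_ARRAY = bytes(range(0x20, 0x40))   # constructed: the decrypted 32-byte array
MAGIC = b"\xde\xad\xbe\xef"                   # constructed 4-byte "magic" value
ID_BUF = b"lab-bot-id-constructed"            # constructed Mirai-style id_buf (<= 32 bytes)
PROBE = b"\x00"                               # the 1-byte probe; its value is assumed
ACK = b"\x00\x00\x00\x01"                     # bot's reply to the 0x01 flag, per the capture


def make_bot_token(decrypted_array: bytes, magic: bytes) -> bytes:
    """SHA-256(decrypted 32-byte array || 4-byte magic): the bot ID sent on the wire."""
    if len(decrypted_array) != 32 or len(magic) != 4:
        raise ValueError("expected a 32-byte array and a 4-byte magic value")
    return hashlib.sha256(decrypted_array + magic).digest()


class C2Emulator:
    """Server role as inferred in the article: answer the 1-byte probe with the
    magic value, accept a token only if it is on the allow-list, confirm with 0x01,
    then take the Mirai-style length byte and id_buf."""

    def __init__(self, magic: bytes, allowed_tokens: Set[bytes]) -> None:
        self.magic = magic
        self.allowed = allowed_tokens
        self.authenticated = False
        self.id_buf = b""

    def on_probe(self, probe: bytes) -> bytes:
        if len(probe) != 1:
            raise ValueError("probe must be exactly one byte")
        return self.magic

    def on_token(self, token: bytes) -> bytes:
        self.authenticated = len(token) == 32 and token in self.allowed
        return b"\x01" if self.authenticated else b"\x00"

    def on_id(self, length_byte: bytes, id_buf: bytes) -> None:
        if length_byte[0] != len(id_buf) or len(id_buf) > 32:
            raise ValueError("id length mismatch")
        self.id_buf = id_buf


def run_handshake(server: C2Emulator, decrypted_array: bytes,
                  id_buf: bytes) -> Tuple[bool, List[Tuple[str, bytes]]]:
    """Drive both sides without sockets and return (success, wire trace), so the
    trace can be compared byte for byte against a real capture."""
    trace: List[Tuple[str, bytes]] = [("bot->c2", PROBE)]
    magic = server.on_probe(PROBE)
    trace.append(("c2->bot", magic))
    token = make_bot_token(decrypted_array, magic)
    trace.append(("bot->c2", token))
    flag = server.on_token(token)
    trace.append(("c2->bot", flag))
    if flag != b"\x01":
        return False, trace
    trace.append(("bot->c2", ACK))
    length_byte = bytes([len(id_buf)])        # Mirai sends a 1-byte length, then id_buf
    trace += [("bot->c2", length_byte), ("bot->c2", id_buf)]
    server.on_id(length_byte, id_buf)
    return True, trace


if __name__ == "__main__":
    srv = C2Emulator(MAGIC, {make_bot_token(DECRYPTED_ARRAY, MAGIC)})
    ok, trace = run_handshake(srv, DECRYPTED_ARRAY, ID_BUF)
    for direction, payload in trace:
        print(f"{direction} {payload.hex()}")
    print("authenticated:", ok)
```

The emulator keeps a set of acceptable hashes, matching the article's inference about the server side; note that this only works if the magic value is fixed per server, since a per-session magic would force the server to recompute tokens from the arrays instead.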

Processing Attack Commands  

Once the bot has been authenticated, the next stage in the C2 communication process involves receiving a packet containing attack target information – essentially, instructions to initiate an attack. 

In the example screenshot below, we can see that the first step taken is to read the length of the packet. This confirms the malware’s ability to retrieve data over the socket from the command and control (C2) server.  

After successfully reading the length, the malware proceeds with execution. It reads the expected length of the attack packet, then uses that length to read the corresponding number of bytes from the C2 server, which constitutes the attack packet. 

Reading packet length from C2 server to begin data retrieval 

Attack Command packet structure  

Below is the structure of the received attack packet along with the corresponding packet capture bytes. The time gap in receiving the length of the entire packet (highlighted in red in the capture) and the actual attack packet is minimal. As a result, it may seem as if they were concatenated into one packet and received simultaneously; however, they were actually received separately. 

The packet structure is quite simple. First, there is a 32-byte hash of the entire received packet, referred to as SHA-256 (highlighted in yellow). Following this, the encoded bytes represent the attack command (highlighted in blue), which will be decoded using the same Caesar shift cipher mentioned earlier before being parsed. 

    struct attack_pkt {
        uint16_t expected_pkt_length;
        char encoded_cmd_sha256_hash[SHA256_BLOCK_SIZE];
        char encoded_cmd[ENCODED_CMD_LENGTH];
    };

Attack packet

Once the integrity of the encoded attack command is verified, it is decoded and passed to “attack_parse.” This function is responsible for extracting target information, determining the specific attack method, and then handing off control to the appropriate attack function for execution.

Decoded attack command passed to attack_parse 

The “attack_parse” function closely resembles the original Mirai code, as it processes the provided buffer containing the attack command in a similar manner. Notably, it supports attack commands both with and without options, just like the original Mirai. 
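
For an analyst working from a capture, the useful artifact is a parser for the layout shown above that re-checks the digest the way the bot does and undoes the shift-3 Caesar encoding described earlier. The following is an added example, not the malware's code or ANY.RUN's. It assumes a big-endian length prefix (as in Mirai), that the 32-byte digest covers the encoded command bytes, and that decoding subtracts 3 from each byte; the sample stream and command text are constructed, and the zero-length keep-alive handling is Mirai behaviour that the article does not confirm for GorillaBot.

```python
"""Parser for the attack packet layout (length prefix, SHA-256, Caesar-encoded
command) for decoding a reassembled C2 TCP stream. Added example, not the
malware's or ANY.RUN's code. Byte order, digest coverage, shift direction and
the sample data are assumptions/constructions."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SHA256_BLOCK_SIZE = 32
CAESAR_SHIFT = 3


def caesar_decode(data: bytes, shift: int = CAESAR_SHIFT) -> bytes:
    return bytes((b - shift) % 256 for b in data)


def caesar_encode(data: bytes, shift: int = CAESAR_SHIFT) -> bytes:
    return bytes((b + shift) % 256 for b in data)


@dataclass
class AttackPacket:
    expected_pkt_length: int
    encoded_cmd_sha256_hash: bytes
    encoded_cmd: bytes

    def integrity_ok(self) -> bool:
        """Recompute the digest exactly as the bot does before it trusts the command."""
        return hashlib.sha256(self.encoded_cmd).digest() == self.encoded_cmd_sha256_hash

    def command(self) -> str:
        return caesar_decode(self.encoded_cmd).decode("ascii", "replace")


def build_attack_packet(cmd: str) -> bytes:
    """Serialize one packet (for fixtures or emulator replies): 2-byte length,
    32-byte SHA-256 over the encoded command, then the encoded command."""
    enc = caesar_encode(cmd.encode("ascii"))
    body = hashlib.sha256(enc).digest() + enc
    return struct.pack(">H", len(body)) + body


def parse_attack_stream(stream: bytes) -> List[AttackPacket]:
    """Split a reassembled byte stream into packets. The bot reads the length and
    the body in two separate recv calls, so whether they share a TCP segment
    does not matter once the stream is reassembled."""
    packets: List[AttackPacket] = []
    off = 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack_from(">H", stream, off)
        off += 2
        if length == 0:            # Mirai treats a zero length as a keep-alive
            continue
        if length < SHA256_BLOCK_SIZE:
            raise ValueError(f"packet at offset {off - 2} too short to hold a digest")
        if off + length > len(stream):
            raise ValueError(f"stream truncated at offset {off}")
        body = stream[off:off + length]
        off += length
        packets.append(AttackPacket(length, body[:SHA256_BLOCK_SIZE],
                                    body[SHA256_BLOCK_SIZE:]))
    return packets


# Constructed stream: one keep-alive followed by one command packet.
SAMPLE_COMMAND = "constructed lab command 1"
SAMPLE_STREAM = b"\x00\x00" + build_attack_packet(SAMPLE_COMMAND)

if __name__ == "__main__":
    for pkt in parse_attack_stream(SAMPLE_STREAM):
        print(pkt.expected_pkt_length, pkt.integrity_ok(), repr(pkt.command()))
```

A packet that fails `integrity_ok()` is what you would expect to see if a capture was damaged or if someone other than the operator tried to inject commands; the hash gives the bot integrity, not confidentiality, since the Caesar shift is trivially reversible.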

Mirai vs. GorillaBot

Conclusion 

GorillaBot may not reinvent the wheel, but it’s a strong reminder that old code can still pack a punch when reused in clever ways. By building on Mirai’s foundation and adding its own tweaks to communication, encryption, and evasion techniques, GorillaBot proves that legacy malware lives on and evolves. 

To better understand threats like GorillaBot, the use of malware analysis tools like ANY.RUN’s Interactive Sandbox is important. It lets you dive into live malware behavior: from unpacking encrypted payloads to monitoring C2 communication in real time. 

Curious to see it in action? Try ANY.RUN now to explore malware samples like GorillaBot hands-on and uncover the tactics they use during attacks to strengthen your defenses. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Indicators Of Compromise  

Hashes 

b482c95223df33f43b7cfd6a0d95a44cc25698bf752c4e716acbc1ac54195b55 (View sandbox analysis)  

IP Addresses and Domains  

http://193[.]143[.]1[.]70 (C2 server) 

193[.]143[.]1[.]59 (C2 server) 

The post GorillaBot: Technical Analysis and Code Similarities with Mirai appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

The best private browser in 2025: where to flee from Chrome, Edge, and Firefox | Kaspersky official blog

Over the past few weeks, there’s been a series of unpleasant news items on advertising and user privacy with regard to every major browser developer — except Apple: Google allowing ad tracking through digital fingerprinting; powerful ad blockers ceasing to work in both Edge and Chrome; and Mozilla revising its license agreement in a way that seemingly shows far more interest in user data than before. What does each of these developments mean, and how can we now achieve a high level of privacy?

Google greenlights tracking fingerprints

Driven by regulators and user pressure, the internet giant spent years working on ways to track ad performance and deliver relevant ads without using the outdated and much-hated tracking methods: third-party cookies and browser fingerprinting. Google proposed FLoC, Ad Topics, and Privacy Sandbox as replacements, but they’ve probably fallen short of the target. Therefore, the company backtracked on removing support for third-party cookies from Chrome. Meanwhile, Google’s ad network, the world’s most expansive, has allowed the collection of digital fingerprint data — including the user’s IP address — when displaying ads, as of February 2025. What this implies is that user browsers can be identified irrespective of cookie settings, incognito mode, or similar privacy measures. Digital fingerprinting is highly precise, and altering or disabling a fingerprint is a challenge.

Chrome and Edge pull the plug on extensions that block ads and tracking

Chrome is based on the open-source Chromium browser, which is fully financed by Google. You could say that Chrome is Chromium with Google services built into it, but dozens of other browsers — including Edge and Opera — are also based on Chromium.

Chromium developers have been gradually transitioning the browser extension platform from the Manifest V2 framework to the new Manifest V3 for years. The platform consists of several components, but the most important is the complete list of functions and capabilities provided to the extension by the browser.

V3 has several advantages, but it also cuts Chrome/Edge/Opera/Vivaldi extensions off from certain useful features that are vital for content blockers. Although popular plug-ins such as uBlock Origin and Adblock Plus already have a Manifest V3 implementation, only the V2 version does a good job of blocking ads.

The Chrome Web Store has long stopped approving extensions based on Manifest V2. Since late fall of 2024, new versions of Chrome first started displaying warnings that installed Manifest V2 extensions had to be disabled, and then began to deactivate them automatically. The user can still re-enable them, but it obviously won’t last long.

Microsoft Edge was caught doing the same thing in February. If Google’s current plan holds, even enterprise Chrome users will see Manifest V2 extensions shut down by June 2025, which will likely be followed by Manifest V2 support being pulled entirely from Chromium.

What are the developers of dozens of Chromium-based browsers going to do? Well, they’ll inevitably have to kill Manifest V2 support. And without it, your favorite ad blockers and privacy enhancers will stop working.

Mozilla sets its sights on the ad market, too

The non-profit Mozilla Foundation and its subsidiary Mozilla Corporation have always been in an awkward position, as their main source of income was partnerships with search engines — primarily Google. The current Mozilla management mainly consists of alumni from companies like Meta and eBay, which mainly rely on advertising for their revenue. It’s hardly surprising that as of late, Firefox development updates have increasingly angered fans of the browser’s privacy features.

Since version 128, Firefox has incorporated the Privacy-Preserving Attribution (PPA) system, which it’s testing in partnership with Facebook. And at the end of February 2025, the following notice appeared in the updated Firefox Terms of Use: “When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox”.

Users were furious. They interpreted this clause as explicit permission to resell their data and introduce other forms of tracking. Under public pressure, Mozilla amended the language to “You give Mozilla the rights necessary to operate Firefox”. The company’s argument that it had merely codified something the browser was already doing — and actually always had — left users unconvinced. After all, suspicious changes also occurred in other parts of the FAQ: for example, clauses that promised Firefox would never sell data to advertisers were removed.

That said, there were no actual changes to any of the browser’s relevant functionality. So it’s still safe to use Firefox for the time being. However, keep a close eye on any new features in each update. Consider disabling them or looking for an alternative to Firefox. If you want to be the first to know, subscribe to our blog, or follow our Telegram channel.

Nothing changes with Apple’s Safari

The vast majority of Apple users use the stock Safari browser, based on the WebKit engine. It has its own extension system — available through the App Store and utilizing Apple’s special mechanisms for blocking content in the browser. While Safari might miss out on the most powerful extensions like uBlock Origin and NoScript, robust day-to-day tools for blocking ads and tracking are available both in the form of Safari’s standard settings and extensions such as Ghostery.

Apple continues to emphasize privacy as its key differentiator from other platforms, so no alarming concessions to the advertising industry have been observed in Safari. Unfortunately, although you can still install this browser on Windows, it stopped updating back in 2010, so Windows users face a tough choice in the next section…

The best browser for privacy protection in 2025

Starting in June, the popular browsers Chrome and Edge will become largely ineffective for privacy-minded users — no matter what extensions or settings they may have used. The same is true for most other Chromium-based browsers.

As for Firefox, despite Mozilla’s dubious statements, the browser still supports Manifest V2 extensions, and the developers have said they’d maintain this support for the foreseeable future. Still, if you want to stop worrying about controversial features like “attribution” being turned on semi-covertly, you could always migrate to a browser that uses the Firefox source code but is more focused on keeping things private. The main options here are Tor Browser and popular Firefox forks such as Waterfox and LibreWolf.

Despite its “dark-web browser” image, Tor Browser is also perfectly suitable for viewing ordinary websites — although its default privacy settings are so stringent they can cause many websites to display oddly or be partially non-functional. This is easy to fix by switching the cookie and script settings to a less paranoid mode.

Waterfox is a reasonable middle ground between Firefox and Tor Browser: no developer telemetry, no built-in services like Pocket, and Firefox ESRs (extended support releases) are used as the source code. The downsides include a small development team, so Waterfox lags behind Mozilla in terms of security patches (although not by much).

Focused on privacy, LibreWolf is positioned as Firefox without all the extras. The browser never “calls home” (it excludes all types of manufacturer reports and telemetry), and it features the popular ad blocker uBlock Origin out of the box. LibreWolf closely follows Firefox in terms of updates, and it’s available on Windows, macOS, and several flavors of Linux.

The Chromium-based Brave browser, which has built-in privacy tools even before you add any extensions, remains a popular option. Its developers have pledged to keep a number of key Manifest V2 extensions on life support: AdGuard AdBlocker, NoScript, uBlock Origin, and uMatrix. However, Brave has several controversial extras, such as a built-in crypto wallet and an AI assistant named “Leo”.

In short, there’s no such thing as a perfect browser, but if you try ranking these options from the most private but least user-friendly to the easiest to use but still private, your chart should look like this: Tor Browser, LibreWolf, Waterfox, Brave, and Firefox.

Any browser, except Tor and LibreWolf, will require a secure configuration and a couple of the aforementioned extensions to block trackers and scripts for maximum privacy.

In Brave and Firefox, you can also enable “Tell websites not to sell or share my data” — a feature established under the new Global Privacy Control initiative. Certain jurisdictions, such as the European Union, the United Kingdom, California, Colorado, and Connecticut, legally require websites to respect this flag, but this safeguard is administrative rather than technical in nature.

Your easiest option, and one that significantly enhances online privacy when using any browser, is installing a Kaspersky security solution for home users and activating Private Browsing. By default, the feature runs in detection mode only, without blocking anything: it detects, counts, and logs attempts at collecting data. If you activate blocking mode, data collection is blocked by default on all sites, with the following exceptions:

  • websites you’ve added as exclusions
  • Kaspersky and its partner websites
  • websites that we know may be rendered inoperable as a result of tracking services being blocked

You can still configure the component to block data collection on the above sites too. Private Browsing has certain limitations. You can manage it both from the Kaspersky application and using the Kaspersky Protection extension for most browsers.

Want to learn more about how browsers track your activity and how to minimize this tracking? More on the topic:

Fog ransomware publishes victim’s IP | Kaspersky official blog

We closely monitor changes in the tactics of various cybercriminal groups. Recently, experts from Kaspersky’s Global Research and Analysis Team (GReAT) noted that, after attacks with Fog ransomware, malefactors were publishing not only victims’ data, but also the IP addresses of the attacked computers. We haven’t seen this tactic used by ransomware groups before. In this post, we explain why it’s important and what the purpose of this tactic is.

Who is the Fog ransomware group, and what’s it known for?

Since the ransomware business began to turn into a full-fledged industry, the involved cybercriminals have been splitting themselves up into various specializations. Nowadays, the creators of the ransomware and the people directly behind the attacks are most often not connected in any way — the former develop the malware along with a platform for attacks and subsequent blackmailing, while the latter simply buy access to the code and infrastructure under the ransomware-as-a-service (RaaS) model.

Fog ransomware is one such platform — first noticed in early 2024. The malware is used to attack computers running either Windows or Linux. As is customary among ransomware operators in recent years, the affected data is not only encrypted, but also uploaded to the attackers’ servers, and then, if the victim refuses to pay, published on a TOR site.

Attacks using Fog were carried out against companies working in the fields of education, finance, and recreation. Often, criminals used previously leaked VPN access credentials to penetrate the victim’s infrastructure.

Why are they publishing IP addresses?

Our experts believe that the main purpose of publishing IP addresses is to increase the psychological pressure on victims. Firstly, it increases the traceability and visibility of an incident. The effect of publishing the name of a victim company is less impressive, while the IP address can quickly tell not only who the victim was — but also what exactly was attacked (whether it was a server or a computer in the infrastructure). And the more visible the incident, the more likely it is to face lawsuits over data leakage and fines from regulators. Therefore, it’s more likely that the victim will make a deal and pay the ransom.

In addition, publishing an IP address sends a signal to other criminal groups, which can use the leaked data. They become aware of the address of a machine known to be vulnerable, and have access to the information downloaded from it, which can be studied and used for further attacks on the infrastructure of the same company. This, in turn, makes the consequences of publication even more unpleasant, and therefore becomes an additional deterrent to ignoring the blackmailer’s demands.

How to stay safe

Since most ransomware attacks still start with employee error, we first recommend periodically raising staff awareness about modern-day cyberthreats (for example, using the online training platform).

In order not to lose access to critical data, we, as usual, recommend making backups and keeping them in storage isolated from the main network. To prevent the ransomware from running on the company’s computers, it’s necessary that each corporate device with access to the network be equipped with an effective security solution. We also recommend that large companies monitor activity in the infrastructure using an XDR class solution, and, if necessary, involve third-party experts in detection and response activities.

Tomorrow, and tomorrow, and tomorrow: Information security and the Baseball Hall of Fame

Welcome to this week’s edition of the Threat Source newsletter. 

“Tomorrow, and tomorrow, and tomorrow / Creeps in this petty pace from day to day / To the last syllable of recorded time.” – Shakespeare’s Macbeth 

“But I am very poorly today and very stupid and I hate everybody and everything. One lives only to make blunders.” – Charles Darwin’s letter to Charles Lyell 
 
“Another day, another box of stolen pens.” – Homer Simpson 

Some people are blessed with the ability to deal with monotony, and some are maddened beyond all recourse by it. In the worlds of both information security and baseball, the ability to overcome tedium is paramount. To be great — not just very good — requires the kind of devotion that many people cannot fathom. 

Ichiro Suzuki is one of the greatest players in baseball history and a phenomenal hitter. His dedication led him to practice his swing every day, taking hundreds of swings from both sides of the plate even though he batted solely from the left. He practiced from the right side simply to stay in balance. Ichiro understood that changing your perspective enhances your strengths.

In cybersecurity, the ability to track and defend against living-off-the-land binaries (LOLBins) is the kind of tedium that garners Hall of Fame results. Cybercriminals and state-sponsored actors abuse built-in tools across all platforms, hiding in the noise of trusted and normal traffic. Once they are logged in, often with valid credentials, detecting and countering their activity becomes a much more challenging and tedious game, especially for newly minted junior analysts.

Take some time each day to look at the correlated data from a different source, a different perspective. If you normally look at reconnaissance activity from specific devices, take a few moments to trace the path attackers took across non-security devices for a fuller understanding.  

Ultimately, it comes down to knowing your environment, just as Ichiro worked through the tedium to know his swing. Take the time to learn it from several angles instead of simply banging away from the same view. When all else fails, take a break, walk away, and breathe before getting back in the batter’s box and taking another 500 swings at the tee to become a .300 hitter.

Pssst! The devil on William’s shoulder here. Want to procrastinate and avoid today’s tedium? Curious about what Talos does and how we defend organizations from the latest cyber attacks? Check out this new animated video. From threat hunting, detection building, vulnerability discoveries and incident response, we show up every day to try and make the internet a safer place.

The one big thing 

Cisco Talos released a blog highlighting research into UAT-5918, which has been targeting critical infrastructure entities in Taiwan. UAT-5918's post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlap the most with the Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we've observed in the past.

Why do I care? 

Understanding the actions of motivated and capable threat actors is at the core of defending against them. Threat actors continue to leverage a plethora of open-source tools for network reconnaissance and for moving through the compromised enterprise, and we see this with UAT-5918. UAT-5918's intrusions harvest local and domain-level user credentials and create new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. They harvest credentials by dumping registry hives and NTDS, and by using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via RDP, WMIC, PowerShell remoting, or Impacket.
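The "look at correlated data from a different perspective" advice above and the UAT-5918 pattern just described (a new account created, made an administrator, then used over RDP) come together in a simple hunting rule. The following is an added example, not code from Talos or from the blog post it summarizes: it correlates three standard Windows Security audit events (4720 account created, 4732 member added to a local group, 4624 logon with LogonType 10 = RemoteInteractive, i.e. RDP) over a few constructed log lines. The flattened `timestamp key=value` line format, the host names, account names and addresses are invented for the example, and the 4732 `member` field is written as an account name here, where a real event carries the SID.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Windows Security audit events, flattened to one
# "timestamp key=value ..." line each. The event IDs are the real Windows ones:
#   4720 = a user account was created
#   4732 = a member was added to a security-enabled local group
#   4624 = successful logon (LogonType 10 = RemoteInteractive, i.e. RDP)
# Hosts, accounts and addresses are invented; a real 4732 carries the member SID.
SAMPLE_EVENTS = """\
2025-03-18T02:11:04Z host=FS01 id=4720 subject=CORP\\svc_backup target=CORP\\sysadm1n
2025-03-18T02:11:09Z host=FS01 id=4732 subject=CORP\\svc_backup group=Administrators member=CORP\\sysadm1n
2025-03-18T02:14:51Z host=FS01 id=4624 account=CORP\\sysadm1n logontype=10 src=10.20.5.77
2025-03-18T08:00:02Z host=WS22 id=4624 account=CORP\\alice logontype=2 src=-
2025-03-18T08:30:15Z host=DC01 id=4720 subject=CORP\\hr_admin target=CORP\\jsmith
2025-03-18T09:05:40Z host=DC01 id=4624 account=CORP\\jsmith logontype=3 src=10.20.1.15
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_event(line):
    """Turn one flattened event line into a dict; return None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_new_admin_rdp(lines, window=timedelta(hours=24)):
    """Flag RDP logons by an account that was created (4720) and added to the
    local Administrators group (4732) within `window` before the logon (4624/10).
    Each hit is a dict describing the whole chain so an analyst can pivot on it."""
    created = {}      # account -> creation time
    admin_added = {}  # account -> time it joined Administrators
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        eid = ev.get("id")
        if eid == "4720":
            created[ev["target"]] = ev["ts"]
        elif eid == "4732" and ev.get("group") == "Administrators":
            admin_added[ev["member"]] = ev["ts"]
        elif eid == "4624" and ev.get("logontype") == "10":
            acct = ev.get("account")
            if acct in created and acct in admin_added and ev["ts"] - created[acct] <= window:
                hits.append({
                    "account": acct,
                    "host": ev["host"],
                    "src": ev.get("src"),
                    "created": created[acct].isoformat(),
                    "admin_added": admin_added[acct].isoformat(),
                    "rdp_logon": ev["ts"].isoformat(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_new_admin_rdp(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

On the sample, only `CORP\sysadm1n` on FS01 is flagged: `CORP\jsmith` was also newly created, but was never added to Administrators and logged on with a network logon (type 3), not RDP. Each of the three events is unremarkable on its own, which is exactly why a rule that joins them across sources catches what a per-event view would not.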

So now what? 

Use the IOCs associated with the campaign in the blog post to search for evidence of incursion within your own environment. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs across platforms and datasets.

Top security headlines of the week

New ChatGPT attacks: Attackers are actively exploiting a flaw in ChatGPT that allows them to redirect users to malicious URLs from within the artificial intelligence (AI) chatbot application. There were more than 10,000 exploit attempts in a single week originating from a single malicious IP address. (DarkReading)

Not your usual spam: Generative AI spammers are brute forcing social media and search algorithms with nightmare-fuel videos, and it's working. (404 Media)

Zero-day Windows vulnerability: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. (The Hacker News)

Can’t get enough Talos? 

Upcoming events where you can find Talos 

Amsterdam 2025 FIRST Technical Colloquium Amsterdam (March 25-27, 2025) Amsterdam, NL 
RSA (April 28-May 1, 2025)  San Francisco, CA   
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA  
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86 
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5 
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector
Detection Name: W32.File.MalParent   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
Typical Filename: VID001.exe 
Claimed Product: N/A   
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.33515991 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Detection Name: Simple_Custom_Detection 
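The "So now what?" step above asks you to search for known IOCs across platforms and datasets; the hash list just given is the obvious input. The following is an added example, not code from Talos or the newsletter: it parses the list into one record per sample, indexes it by both SHA-256 and MD5 so a lookup works whichever digest a data source happens to carry, matches it against a file-inventory export, and can also sweep a directory by hashing files. The hashes, filenames and detection names are the newsletter's own; the `host,path,hash` inventory rows, host names and paths are constructed for the example, and the all-zero digest is a placeholder for a benign file.

```python
import hashlib
import io
import os
import re
import tempfile

# Hash records copied from the newsletter's "Most prevalent malware files" list.
IOC_TEXT = """
SHA 256: 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86
Typical Filename: endpoint.query
Detection Name: W32.File.MalParent
SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
Typical Filename: VID001.exe
Detection Name: Coinminer:MBT.26mw.in14.Talos
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Detection Name: Trojan.GenericKD.33515991
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection
"""

# Constructed host,path,hash export of the kind an EDR or asset tool produces.
# Row 1 carries an IOC SHA-256, row 3 an IOC MD5, row 2 a placeholder benign hash.
INVENTORY_CSV = """\
host,path,hash
WS17,C:\\Users\\bob\\Downloads\\VID001.exe,47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
WS17,C:\\Windows\\System32\\notepad.exe,0000000000000000000000000000000000000000000000000000000000000000
SRV03,/opt/collector/endpoint.query,ff1b6bb151cf9f671c929a4cbdb64d86
"""

FIELD_RE = re.compile(
    r"^\s*(SHA 256|MD5|Typical Filename|Detection Name)\s*:\s*(\S.*?)\s*$", re.MULTILINE)
KEYS = {"MD5": "md5", "Typical Filename": "filename", "Detection Name": "detection"}


def parse_iocs(text):
    """One record per sample; a 'SHA 256' line starts a new record."""
    records, current = [], None
    for m in FIELD_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if key == "SHA 256":
            current = {"sha256": value.lower()}
            records.append(current)
        elif current is not None:
            current[KEYS[key]] = value.lower() if key == "MD5" else value
    return records


def build_index(records):
    """Index each record under every digest it carries (SHA-256 and MD5)."""
    index = {}
    for rec in records:
        index[rec["sha256"]] = rec
        if "md5" in rec:
            index[rec["md5"]] = rec
    return index


def match_inventory(csv_lines, index):
    """Match the trailing hash column of host,path,hash rows; paths may contain commas."""
    hits = []
    for line in csv_lines[1:]:                 # skip the header row
        if not line.strip():
            continue
        host, rest = line.split(",", 1)
        path, digest = rest.rsplit(",", 1)
        rec = index.get(digest.strip().lower())
        if rec:
            hits.append({"host": host, "path": path, **rec})
    return hits


def hash_stream(fileobj, chunk=1 << 20):
    """SHA-256 and MD5 in a single pass, so large files are read once."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    for block in iter(lambda: fileobj.read(chunk), b""):
        sha.update(block)
        md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def sweep_filesystem(root, index):
    """Hash every file under root; report those whose SHA-256 or MD5 is indexed."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    sha, md5 = hash_stream(f)
            except OSError:
                continue                        # unreadable file: skip, do not abort the sweep
            rec = index.get(sha) or index.get(md5)
            if rec:
                hits.append({"path": path, **rec})
    return hits


def demo_sweep():
    """Sweep a temp dir holding a constructed benign file that merely shares an IOC
    filename (VID001.exe); content differs, so no hit is reported."""
    index = build_index(parse_iocs(IOC_TEXT))
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "VID001.exe"), "wb") as f:
            f.write(b"hello")
        return sweep_filesystem(tmp, index)


if __name__ == "__main__":
    idx = build_index(parse_iocs(IOC_TEXT))
    for hit in match_inventory(INVENTORY_CSV.splitlines(), idx):
        print(f"{hit['host']}: {hit['path']} -> {hit['detection']}")
    print("filesystem demo hits:", demo_sweep())
```

Against the constructed inventory the script reports two hits, one found via SHA-256 and one via MD5, and the filesystem demo reports none despite the matching filename: a "Typical Filename" is a hint for triage, not an indicator, and only the digest should drive a match. Keeping the index keyed on both digests is what lets the same IOC list be run against sources that log only MD5 as well as those that log SHA-256.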

Cisco Talos Blog – Read More