Everything is connected to security

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I, or anyone, would care to discuss cybersecurity in such a niche industry, the answer is simple: everything is connected to security, even something you wouldn’t think mattered. Agriculture and adjacent industries are roughly 6 percent of U.S. GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are a target both for financially motivated cybercriminals and for nation-states that would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity, both in general security literacy and in security investment. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like the agriculture industry. If the knowledge I can share helps them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cybersecurity they are, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

The one big thing

Remember the old meme ‘Good luck, I’m behind seven proxies’? Well, it still holds up, as this Talos blog post shows. Proxy chains have been on our radar at least since VPNFilter, back in 2018. It’s a smart way to do business if obscurity is your primary goal. Tor and other proxy solutions can have weaknesses that expose an operation to risk, and that’s why adversaries keep getting craftier about it. We’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when trying to determine which connections to their networks are malicious.

Why do I care?

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from; that’s a given. It gets worse when the proxy IP space is the same one your own employees come in from. As the blog post puts it: “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

So now what?

Additional controls and forensic data are a must here. Source IP alone can no longer tell a compromised residential proxy apart from a legitimate remote worker, so identity and access management, combined with a mobile device management/application management solution, is key: tie access decisions to who the user is and what device they are on. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

Top security headlines of the week

  • Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
  • Here are some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR [sic] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal)
  • Businesses are folding a lot more due to cyber-attacks, mostly small and medium-sized businesses, which absolutely jibes with what we see at Talos. Ransomware cartels love to target the small business. Cyber insurance may be the saving grace here. (Bloomberg Law)

Can’t get enough Talos?

  • My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
  • In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

Upcoming events where you can find Talos 

Cisco Live EMEA (February 9-14, 2025) 
Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86
VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector
Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

Cisco Talos Blog – Read More

CERT-UA Warns of Malicious AnyDesk Requests Under the Pretext of Phony “Security Audits”  

Overview 

Government entities and organizations in Ukraine are on high alert after the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a social engineering campaign targeting unsuspecting users with malicious AnyDesk requests.    

The attackers are impersonating CERT-UA, a legitimate government agency, to trick victims into granting remote access to their computers using AnyDesk, a popular remote desktop application.    

Here’s a breakdown of the attack and how to stay safe: 

Deceptive Tactics 

  • Impersonation: Attackers are using the CERT-UA name, logo, and even a specific AnyDesk ID (1518341498, though this may change) to establish trust with potential victims.    
  • Pretext for Access: The attackers claim to be conducting a “security audit” to check the level of protection on the target’s device.    

CERT-UA’s Clarification 

CERT-UA has confirmed that it may use remote access tools like AnyDesk in specific situations. However, they emphasize that such actions only occur “with prior approval” established through official communication channels. 

Indicators of Compromise 

  • Unsolicited AnyDesk connection requests, particularly those mentioning a security audit.    
  • AnyDesk requests from users named “CERT-UA” or with the AnyDesk ID 1518341498 (be wary of variations).    
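The two indicators above are easy to miss in practice because AnyDesk displays IDs with grouping spaces and the attackers can vary the display name. The following is an added example (not code from Cyble or CERT-UA) that normalizes IDs to digits, matches the impersonated name case-insensitively, and flags the “security audit” pretext over a handful of constructed session-log lines. The key=value log layout is an assumption made for the example; AnyDesk’s real trace files use a different format, so the parser would need adapting before use on real data.

```python
import re

# Indicators taken from the CERT-UA advisory referenced on this page.
KNOWN_BAD_IDS = {"1518341498"}
IMPERSONATED_NAMES = ("cert-ua",)
PRETEXT_TERMS = ("security audit", "level of protection")

# Constructed session log for the demo. AnyDesk's real trace files use a
# different layout; this key=value format is an assumption of the example.
SAMPLE_LOG = [
    '2025-01-21T10:02:11Z incoming remote_id="1 518 341 498" alias="CERT-UA" user_initiated=no msg="Security audit of your workstation"',
    '2025-01-21T10:05:40Z incoming remote_id="1 518 341 499" alias="CERT-UA Support" user_initiated=no msg="Checking the level of protection"',
    '2025-01-21T11:00:03Z outgoing remote_id="777 123 456" alias="helpdesk" user_initiated=yes msg=""',
    '2025-01-21T11:30:00Z incoming remote_id="555 000 111" alias="it-support" user_initiated=yes msg="Planned maintenance, ticket 4411"',
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<direction>incoming|outgoing)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def normalize_anydesk_id(raw: str) -> str:
    """AnyDesk displays IDs with grouping spaces ("1 518 341 498"); compare digits only."""
    return re.sub(r"\D", "", raw)


def parse_line(line: str) -> dict:
    """Turn one log line of the constructed format into an event dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = {"ts": m["ts"], "direction": m["direction"]}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        event[key] = quoted if quoted else bare
    event["user_initiated"] = event.get("user_initiated", "no").lower() == "yes"
    return event


def triage_request(event: dict) -> list:
    """Return the reasons an incoming request is suspicious; an empty list means nothing matched."""
    reasons = []
    if event["direction"] != "incoming":
        return reasons
    remote_id = normalize_anydesk_id(event.get("remote_id", ""))
    if remote_id in KNOWN_BAD_IDS:
        reasons.append(f"remote ID {remote_id} is a published IOC")
    alias = event.get("alias", "").lower()
    if any(name in alias for name in IMPERSONATED_NAMES):
        reasons.append(f"alias {event.get('alias')!r} impersonates CERT-UA")
    msg = event.get("msg", "").lower()
    if any(term in msg for term in PRETEXT_TERMS):
        reasons.append("request text uses the 'security audit' pretext")
    # Corroborating signal only: the local user did not ask for this session.
    if reasons and not event["user_initiated"]:
        reasons.append("session was not initiated by the local user")
    return reasons


def triage_log(lines) -> list:
    """Return (timestamp, reasons) for each line that tripped at least one indicator."""
    hits = []
    for line in lines:
        event = parse_line(line)
        reasons = triage_request(event)
        if reasons:
            hits.append((event["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in triage_log(SAMPLE_LOG):
        print(ts, "->", "; ".join(reasons))
```

The second sample line deliberately uses a neighbouring ID and a padded alias so that the name and pretext checks, not the single published ID, carry the detection; that is the “be wary of variations” point in practice.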

Recommendations to Stay Safe 

  • Be Wary of Unsolicited Requests: Never grant remote access to your device unless you have initiated the request and can confirm the identity of the person on the other end. 
  • Multi-Factor Authentication: Enable multi-factor authentication on any remote access software you use for an extra layer of security. Note that MFA protects your own account from takeover; it does not stop a user from accepting an unsolicited incoming session, so where the tool supports it, also restrict which remote IDs may connect at all. 
  • Verification is Key: If you’re unsure about the legitimacy of a remote access request, contact the organization the requester claims to represent through a verified communication channel (e.g., phone number from the official website). 
  • Only Use When Needed: Disable remote access software when not in use to minimize the attack surface.
  • Report Suspicious Activity: If you encounter a suspicious AnyDesk request claiming to be from CERT-UA, report it to the agency immediately. 

By following these steps, you can significantly reduce the risk of falling victim to this impersonation attempt and protect your devices from unauthorized access. 

By staying informed about common social engineering tactics and implementing strong security practices, especially during these times of heightened geopolitical tensions, you can make it significantly harder for attackers to gain a foothold in your systems. 

References: 

https://cert.gov.ua/article/6282069

The post CERT-UA Warns of Malicious AnyDesk Requests Under the Pretext of Phony “Security Audits”   appeared first on Cyble.

Blog – Cyble – Read More

Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability 

Overview 

A pair of vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II for avoiding midair collisions were among 20 vulnerabilities reported by Cyble in its weekly Industrial Control System (ICS) Vulnerability Intelligence Report. 

The collision avoidance flaws have been judged to be at low risk of exploitation, but one of the two does not presently have a fix. Both could potentially be exploited from an adjacent network, which for these RF-based attacks means the attacker needs radio proximity to the aircraft rather than just internet access. 

Other ICS vulnerabilities covered in the January 15-21 Cyble report to subscribers include flaws in critical manufacturing, energy and other critical infrastructure systems. The full report is available for subscribers, but Cyble is publishing information on the TCAS vulnerabilities in the public interest. 

TCAS II Vulnerabilities 

The TCAS II vulnerabilities were reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by European researchers and defense agencies. CISA in turn disclosed the vulnerabilities in a January 21 advisory. 

The vulnerabilities are still undergoing analysis by NIST, but Cyble vulnerability researchers said the weaknesses “underscore the urgent need for enhanced input validation and secure configuration controls in transportation systems.” 

TCAS airborne devices function independently of ground-based air traffic control (ATC) systems, according to the FAA, and provide collision avoidance protection for a range of aircraft types. TCAS II is a more advanced system for commercial aircraft with more than 30 seats or a maximum takeoff weight of more than 33,000 pounds. TCAS II offers advanced features such as recommended escape maneuvers for avoiding midair collisions. 

The first vulnerability, CVE-2024-9310, is an “Untrusted Inputs” vulnerability in TCAS II that presently carries a CVSS 3.1 base score of 6.1. 

CISA notes that “By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).” 

The second flaw, CVE-2024-11166, is an External Control of System or Configuration Setting vulnerability with a CVSS 3.1 base score of 8.2. TCAS II systems using transponders compliant with Minimum Operational Performance Standards (MOPS) earlier than RTCA DO-181F could be attacked by threat actors impersonating a ground station to issue a Comm-A Identity Request, which can set the Sensitivity Level Control (SLC) to the lowest setting and disable Resolution Advisories (RAs), leading to a denial-of-service condition. 

“After consulting with the Federal Aviation Administration (FAA) and the researchers regarding these vulnerabilities, it has been concluded that CVE-2024-11166 can be fully mitigated by upgrading to ACAS X or by upgrading the associated transponder to comply with RTCA DO-181F,” CISA said, adding that there is currently no mitigation available for CVE-2024-9310. 

CISA said the vulnerabilities in the TCAS II standard were exploited in a lab environment. 

“However, they require very specific conditions to be met and are unlikely to be exploited outside of a lab setting,” the agency said. “Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.” 

No known publicly available exploit targeting the vulnerabilities has been reported at this time. 

Recommendations for Mitigating ICS Vulnerabilities  

The full Cyble report recommended a number of controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include: 

  1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

  2. Implementing a Zero-Trust Policy to minimize exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

  3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency. 

  4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

  5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors. 

  6. Establishing and maintaining an incident response plan, and ensuring that the plan is tested and updated regularly to adapt to the latest threats. 

  7. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion 

The TCAS II flaws and other ICS vulnerabilities show the danger that vulnerabilities in critical infrastructure environments can pose, with the potential to disrupt operations, compromise sensitive data, and cause physical damage with potentially tragic outcomes. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. 

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability  appeared first on Cyble.

Blog – Cyble – Read More

How to Prevent a Ransomware Attack on a Business: A Lynx Malware Use Case

Lost documents, stolen code, exposed customer data, and a falling stock price are all common consequences of just one click on a ransomware file. To avoid this problem, you need proper security tools and, most importantly, knowledge of how ransomware attacks are carried out. 

This quick guide will explain how ransomware works and the simple steps you can take to protect your business.

What is ransomware

Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money (the ransom) is paid. It typically encrypts the victim’s files, making them inaccessible, and demands payment for the decryption key. Demands range from a few hundred dollars against individuals to millions against large organizations, and are usually paid in cryptocurrencies like Bitcoin to hinder tracing.

What is double extortion ransomware

Double extortion is a technique where attackers not only encrypt the victim’s data but also exfiltrate (steal) it. They threaten to leak the stolen data publicly if the ransom is not paid, adding an additional layer of pressure on the victim to comply. 

This technique increases the likelihood of payment, as victims face both data loss and potential reputational damage or legal consequences from data breaches.

Why your company may become a target of ransomware

The likelihood of your company becoming a ransomware target depends on several factors:

  • Size and Industry: Larger organizations and those in critical industries like healthcare, finance, and government are often targeted due to their sensitive data and higher likelihood of paying substantial ransoms.
  • Cybersecurity Posture: Companies with weak or outdated cybersecurity measures are more vulnerable. This includes lack of regular software updates, inadequate backup strategies, and insufficient employee training on cybersecurity best practices.
  • Data Value: Organizations that handle valuable or sensitive data, such as personal information, intellectual property, or confidential business data, are more attractive targets.
  • Public Profile: High-profile companies or those with a significant public presence may be targeted for the potential reputational damage that a data breach could cause.
  • Previous Incidents: Companies that have experienced cybersecurity incidents in the past may be seen as easier targets, especially if they have not adequately addressed the vulnerabilities that led to the previous attacks.

How criminals prepare and deliver ransomware 

Setup process

Most criminals use ready-made ransomware-as-a-service builders to create and configure their malware. These builders allow them to specify various parameters of the ransomware, such as the ransom message, amount, and Bitcoin address for payment.

Consider the Chaos ransomware, which provides a builder that allows the operator to set up their custom variant of the malware by clicking a few buttons.

View analysis of the Chaos builder

The Chaos ransomware builder opened in the ANY.RUN sandbox

To safely examine the Chaos builder and its executable, we need to upload it to a cloud sandbox like ANY.RUN.

As shown by Nico Knows Tech in this YouTube video, attackers can configure their Chaos build to choose the ransom message and amount, as well as set the extension for the encrypted files.

The logo of the malicious file can be changed to any image set by the attacker

As a disguise, attackers can swap the icon of the malicious executable for a PDF icon. Combined with Windows hiding known file extensions by default, this can trick users into opening what looks like an ordinary document.

Advanced options of the ransomware builder hinder recovery as well as detection

The builder’s advanced options let the operator delete Volume Shadow Copies, disable Windows system recovery, and overwrite files so that they cannot be recovered. These steps are less about evading antivirus than about denying the victim any way to restore data without paying, which is also why shadow copy deletion is a well-known detection signal for a ransomware run in progress.

Delivery

After this quick setup process, the criminals are ready to distribute the ransomware among their targets. There are many delivery methods, but here are three common ones:

  • Emails that include malicious file attachments, such as PDFs or Word documents, which execute ransomware when opened.
  • Emails that contain links to compromised websites or malicious downloads, manipulating users into downloading and executing ransomware.
  • Malicious advertisements (malvertising) on search engines such as Google that redirect users to sites hosting ransomware.

A Ransomware Attack Example: Lynx

Let’s now see what happens once the malware file arrives at the target’s system.

For this, we can take a look at the Lynx ransomware, which was recently reviewed by The PC Security Channel.

The operators behind this threat maintain a public website containing a list of their victims along with samples of stolen documents. One of the latest cases was a large electricity provider from Romania, Electrica Group, which serves over 3.8 million people.

Lynx Ransomware analyzed in the ANY.RUN sandbox

Thanks to ANY.RUN’s Interactive Sandbox, we can study the entire chain of attack and see exactly how this threat operates in a safe virtual environment.

View sandbox analysis of Lynx

The Files modification tab shows all the file system activity logged during the analysis

As soon as we upload and launch the malicious executable file in ANY.RUN’s cloud-based sandbox, the malware begins encrypting files on the system and changing their extension to .LYNX.

It also drops a ransom note and replaces the desktop wallpaper with the ransom text, which contains a link to a Tor (.onion) site through which the attackers expect the victim to contact them. 
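The behaviours described in the Chaos builder section (shadow copy deletion, recovery disabled, files made unrecoverable) and in this Lynx run (mass rename to .LYNX, README.txt dropped) are exactly what endpoint detection should key on, because they happen before most of the damage is done. The following is an added example, not code from ANY.RUN or from either malware family, showing how such telemetry can be scored per process. The event records are constructed for the demo; the command-line patterns are the standard Windows commands for the anti-recovery steps the builder exposes, and the threshold of 20 renames is an assumption a real deployment would tune.

```python
import re
from collections import Counter, defaultdict

# Command lines for the anti-recovery steps the Chaos builder exposes: shadow copy
# deletion, disabling Windows recovery, and wiping the backup catalog.
ANTI_RECOVERY_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "backup_catalog_wiped": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Artifacts of the Lynx run described above: the appended extension and the note name.
RANSOM_EXTENSION = ".lynx"
RANSOM_NOTE = "readme.txt"
RENAME_THRESHOLD = 20  # renames by one process before we call it mass encryption (assumed)

# Constructed endpoint telemetry: (timestamp, pid, event kind, detail). Not from the page.
SAMPLE_EVENTS = [
    ("10:00:01", 4120, "process", r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"),
    ("10:00:02", 4120, "process", r"C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled no"),
    ("10:00:02", 4120, "process", r"C:\Windows\System32\cmd.exe /c wbadmin delete catalog -quiet"),
]
SAMPLE_EVENTS += [
    ("10:00:03", 4120, "file_rename",
     rf"C:\Users\alice\Documents\report_{i}.docx -> C:\Users\alice\Documents\report_{i}.docx.LYNX")
    for i in range(25)
]
SAMPLE_EVENTS += [
    ("10:00:05", 4120, "file_create", r"C:\Users\alice\Documents\README.txt"),
    ("10:01:00", 2208, "process", r"C:\Windows\System32\vssadmin.exe list shadows"),  # benign enumeration
    ("10:01:10", 2208, "file_rename", r"C:\Users\bob\notes.txt -> C:\Users\bob\notes_old.txt"),
]


def analyse(events) -> dict:
    """Group findings per process ID; each finding is a (category, detail) tuple."""
    findings = defaultdict(list)
    renames = Counter()
    for ts, pid, kind, detail in events:
        if kind == "process":
            for category, pattern in ANTI_RECOVERY_PATTERNS.items():
                if pattern.search(detail):
                    findings[pid].append((category, f"{ts} {detail}"))
        elif kind == "file_rename":
            new_path = detail.split(" -> ", 1)[-1]
            if new_path.lower().endswith(RANSOM_EXTENSION):
                renames[pid] += 1
        elif kind == "file_create":
            if detail.lower().rsplit("\\", 1)[-1] == RANSOM_NOTE:
                findings[pid].append(("ransom_note_dropped", f"{ts} {detail}"))
    for pid, count in renames.items():
        if count >= RENAME_THRESHOLD:
            findings[pid].append(("mass_rename", f"{count} files renamed to {RANSOM_EXTENSION}"))
    return dict(findings)


def verdict(findings_for_pid) -> str:
    """Two or more independent categories from one process is treated as a ransomware run."""
    categories = {category for category, _ in findings_for_pid}
    if len(categories) >= 2:
        return "ransomware"
    return "suspicious" if categories else "clean"


if __name__ == "__main__":
    for pid, findings in analyse(SAMPLE_EVENTS).items():
        print(pid, verdict(findings))
        for category, detail in findings:
            print("   ", category, "|", detail)
```

Requiring two independent categories before calling a verdict keeps a lone administrator running vssadmin from tripping the rule, while a process that both kills recovery and renames files in bulk is caught on the first few dozen files rather than after the whole share is encrypted.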

Strengthen proactive threat analysis in your company
with ANY.RUN’s Interactive Sandbox 



Get 14-day free trial


The ransom note features .onion addresses used for communication with the attackers

ANY.RUN’s interactivity lets us manually open the README.txt dropped by Lynx to see the message.

ANY.RUN analysis of the Lynx process

The ANY.RUN sandbox detects all the malicious activities performed by Lynx and marks them with signatures.

ANY.RUN’s report on the Lynx sample

The sandbox also generates a comprehensive report on the analyzed threat sample that can be shared with all the stakeholders in the company.

How Sandboxing Helps Businesses Prevent Ransomware Attacks

As demonstrated by the Lynx analysis, sandbox tools like ANY.RUN provide you with a safe, secure, and private environment for detonating and exploring all the suspicious files and URLs you may come across in your day-to-day activities.

Whether it is a phishing email, an unusual executable, or an office document asking you to enable macros, uploading these to ANY.RUN’s Interactive Sandbox is the best course of action you can take to check these files for any possible threat and quickly make a decision on whether to engage with them further on your own system.

More than 500,000 security professionals use ANY.RUN for proactive analysis to:

  • Simplify and speed up threat analysis for SOC team members at all levels, saving time and increasing productivity.
  • Accelerate the alert triage process and reduce the workload through fast operation speeds, a user-friendly interface, and smart automation.
  • Safely examine sensitive data in a private mode, ensuring compliance with cybersecurity and data protection requirements.
  • Gain access to detailed insights into malware’s behavior and better understand threats to streamline incident response.
  • Collaborate with team members, share results, and coordinate efforts efficiently during incident handling.
  • Optimize the cost of responding to incidents by accessing detailed data with ANY.RUN’s interactive analysis, which helps in developing new detection and protection methods.


ANY.RUN cloud interactive sandbox interface

What is the Enterprise plan?

Discover all features of the Enterprise plan designed for businesses and large security teams.



Conclusion

Taking proactive measures to understand and mitigate ransomware threats is vital for business security. Tools like ANY.RUN’s Interactive Sandbox offer a fast, simple, and effective solution for analyzing potential threats, enabling businesses to prevent attacks from compromising their infrastructure. By integrating such tools into your security strategy, you can enhance your cybersecurity posture and protect your business from the far-reaching consequences of ransomware attacks.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How to Prevent a Ransomware Attack on a Business: A Lynx Malware Use Case appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

CVE-2025-0411 – vulnerability in 7-Zip | Kaspersky official blog

The vulnerability CVE-2025-0411 has been discovered in the popular 7-Zip file archiver, allowing attackers to bypass the Mark-of-the-Web protection mechanism. CVE-2025-0411 has a CVSS rating of 7.0. The vulnerability was quickly fixed, but since the program has no automatic update mechanism, many users may still be running a vulnerable version. That’s why we recommend updating the archiver immediately.

What is Mark-of-the-Web?

The Mark-of-the-Web (MOTW) mechanism places a special metadata mark on files obtained from the internet; on NTFS it is stored in an alternate data stream named Zone.Identifier that records which security zone the file came from. If the mark is present, Windows treats the file as potentially dangerous. If the file is executable, the user sees a warning that it may cause harm when trying to run it. Some programs also limit the functionality of a marked file (for example, Microsoft Office applications block macro execution in such documents). When an archive downloaded from the internet is unpacked, all the extracted files should inherit the Mark-of-the-Web.

Attackers have repeatedly tried to get rid of the MOTW in order to mislead users. In particular, several years ago we wrote that the BlueNoroff APT group had adopted methods to bypass this mechanism. In the MITRE ATT&CK matrix, bypassing MOTW is sub-technique T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass.

What is the CVE-2025-0411 vulnerability, and how is it dangerous?

CVE-2025-0411 allows attackers to craft an archive so that, when it’s unpacked by 7-Zip, the extracted files do not inherit the MOTW mark. As a result, a malicious file launched from the archive runs with the user’s privileges without triggering the warnings and restrictions the mark would normally impose. Of course, such a vulnerability is dangerous not in and of itself, but as part of a multi-stage attack, and to exploit it the user must still launch the malicious file manually. However, as mentioned above, attackers already go to some lengths to strip this mark, so handing them an extra way to do it is clearly a big no-no.

Researchers discovered CVE-2025-0411 back in November last year, and immediately reported it to the author of 7-Zip. This is why version 24.09, published on November 29, 2024, is no longer vulnerable.

How to stay safe

First of all, update 7-Zip to version 24.09 or newer. If this archiver is used in your organization, we recommend updating it centrally (if there are appropriate tools), or at least notifying users that it urgently needs updating. Kaspersky products for home users can check a number of widely used software products (including 7-Zip) and update them automatically.
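Two checks follow from the description above: whether the installed 7-Zip is older than 24.09, and whether files just extracted from an internet download actually carry the mark. The following is an added example (not Kaspersky’s or 7-Zip’s code) that does both. The version is parsed from the banner the 7z command-line tool prints, and the mark is read from the NTFS Zone.Identifier alternate data stream, which Python can open on Windows with the `path:Zone.Identifier` syntax. The assumption that the executable is reachable as `7z` on PATH is the example’s; on a default Windows install it lives under Program Files and the path must be passed explicitly.

```python
import re
import subprocess
import sys
from pathlib import Path
from typing import Optional

FIXED_VERSION = (24, 9)  # 7-Zip 24.09 (2024-11-29) is the first release without CVE-2025-0411


def parse_7zip_version(text: str) -> tuple:
    """Extract (major, minor) from 7-Zip's banner ("7-Zip 24.08 (x64) : ...") or a bare "24.08"."""
    m = re.search(r"\b(\d{1,2})\.(\d{2})\b", text)
    if not m:
        raise ValueError(f"no 7-Zip version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(text: str) -> bool:
    """True when the version is older than 24.09."""
    return parse_7zip_version(text) < FIXED_VERSION


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream body (INI-style: [ZoneTransfer] / ZoneId=3),
    or None when the stream carries no zone. Zone 3 (Internet) or 4 (Restricted) is what
    MOTW-aware software reacts to."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", stream_text, re.M)
    return int(m.group(1)) if m else None


def has_motw(path: Path) -> bool:
    """Windows/NTFS only: read the 'file:Zone.Identifier' alternate data stream.
    Returns False when the stream is missing, unreadable, or we are not on Windows."""
    if sys.platform != "win32":
        return False
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            zone = parse_zone_identifier(fh.read())
    except OSError:
        return False
    return zone is not None and zone >= 3


def unmarked_files(extract_dir: Path) -> list:
    """Files under extract_dir without a MOTW. For a directory unpacked from an internet download
    every entry should carry the mark, so a non-empty result on Windows means it was stripped."""
    return [p for p in extract_dir.rglob("*") if p.is_file() and not has_motw(p)]


def installed_7zip_is_vulnerable(executable: str = "7z") -> Optional[bool]:
    """Run the 7-Zip CLI (it prints its version banner on stdout) and check it; None if not found.
    The default executable name is an assumption; pass the full path on Windows."""
    try:
        banner = subprocess.run([executable], capture_output=True, text=True).stdout
        return is_vulnerable_version(banner)
    except (FileNotFoundError, ValueError):
        return None


if __name__ == "__main__":
    print("installed 7-Zip vulnerable:", installed_7zip_is_vulnerable())
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for p in unmarked_files(target):
        print("no Mark-of-the-Web:", p)
```

Run it against the folder you just extracted a downloaded archive into: with a patched 7-Zip every file should show a zone of 3, and any file that comes back unmarked is one Windows and Office will treat as local and trusted.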

In addition, we recommend all internet users to handle files received from the internet with exceptional caution, and not to open them on computers without a reliable security solution.

Kaspersky official blog – Read More

How Threat Intelligence Lookup Helps Enterprises

Modern businesses’ growing dependence on digital technology makes them vulnerable to cyber threats. For three years in a row, manufacturing has been the sector most targeted by cyberattacks, IBM reports. Industrial companies accounted for more than 25% of security incidents recorded last year, the majority of them ransomware attacks.

Investing in comprehensive cybersecurity infrastructure helps prevent substantial financial loss and reputational damage. But defending the perimeter is not enough: a proactive approach to threat management is essential.  

What is Threat Intelligence

Cyber Threat Intelligence (CTI) is about gathering and analyzing data to spot, understand, and stop current and future threats. Even with strong security teams, just reacting to threats is not enough. Using current, detailed information from outside sources is key to responding effectively.

Cyber threat intelligence provides security teams with data about threats, attacks, and adversaries. It powers decision-making on all levels: operational, tactical, and strategic.  

By analyzing threat indicators, tactics, techniques, and procedures of attackers, companies can anticipate attacks rather than just react to them. Vulnerabilities get identified before they can be exploited.

Why Companies Need Threat Intelligence 

There are plenty of reasons why industrial enterprises and manufacturing companies may require threat intelligence. Mostly, these reasons relate to the critical role of such companies in the economy on one hand and their specific risks and vulnerabilities on the other:  

  1. They are part of critical infrastructure 
    Many manufacturing companies are involved in critical infrastructure (e.g., energy, transportation, defense supply chains). Attacking these industries can disrupt essential services, exert political or economic pressure, or fulfill geopolitical goals. 
  2. They are part of important supply chains 
    A successful attack can ripple across industries, causing widespread delays and impacting multiple organizations. In 2021, an attack on Colonial Pipeline disrupted fuel distribution, causing trouble for the manufacturing and transportation sectors. 
  3. They have high ransom potential 
    Companies rely on continuous operations and cannot afford prolonged downtime. Attacked by ransomware, they are often willing to pay to resume production quickly and avoid financial losses. 
  4. They collect consumer data and possess intellectual property 
    Valuable data is an irresistible lure for attackers: trade secrets, patents, blueprints, and proprietary technologies; sensitive data about customers, employees, and supply chains. Stolen data can be sold, or used for fraud, espionage, and other criminal activity. 
  5. They depend on legacy systems 
    Outdated systems and technologies were not designed with modern cybersecurity in mind. For example, older programmable logic controllers (PLCs) in factories often lack encryption or authentication, making them easy targets. 
  6. They are in the midst of digitalization and IoT adoption 
    Manufacturing is embracing Industry 4.0, integrating IoT devices, cloud computing, and automation. More connected devices and networks introduce more vulnerabilities. 

Time is Money, Downtime is No Money 

A sadly large share of enterprise companies prioritizes operational efficiency over cybersecurity due to limited budgets, lack of expertise, and a focus on physical security. But it is a short-sighted approach.  
 
Industrial companies have low tolerance for downtime: in the case of a ransomware attack they often prefer to pay adversaries than to permit a production halt. Research by Siemens in 2022 found that unplanned downtime costs Fortune Global 500 companies about US$1.5tn, which is 11% of their yearly turnover.  


Enrich your threat knowledge with TI Lookup

Learn to Track Emerging Cyber Threats

Check out the expert guide to collecting intelligence on emerging threats with TI Lookup



Threat Intelligence Lookup at the Service of Enterprises 

TI Lookup results for RAT malware operating in Colombia

Threat Intelligence Lookup is a key tool in the cybersecurity arsenal. It is a special-purpose search engine that helps navigate and research threat data.  

The data is extracted from malware samples uploaded to ANY.RUN’s Interactive Sandbox by over 500,000 security professionals.

TI Lookup key features:

  • Fast interactive search across over 40 different threat data types, including system events and indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs). 
  • Continuously updated database with new indicators and samples. 
  • Customizable queries that support combining multiple indicators, wildcards, YARA and Suricata rules. 
  • Integration with sandbox to view sessions where particular indicators or events were discovered.  
  • Real-time updates on relevant threats and indicators to ensure ongoing monitoring.

TI Lookup in Action: A Recent Example 

One of the latest and most dangerous malware campaigns that targeted the industrial sector unfolded this autumn. The attack was based on Lumma and Amadey malware.  
 
Analysts at ANY.RUN explored the attack’s anatomy with the aid of the Interactive Sandbox and found a number of IOCs associated with the malware. These IOCs can be used as TI Lookup search requests to analyze the attack further in pursuit of actionable insights for arming corporate security systems against it.
 
The following query consists of the name of the malware and the path to one of the malicious files used in the attack:  

filePath:"dbghelp.dll" AND threatName:"lumma"

Results displayed by TI Lookup for the query 

TI Lookup finds files associated with an attack and shows sandbox sessions featuring analysis of samples belonging to the same campaign.
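As an added illustration, not TI Lookup’s own code, here is a small evaluator that applies a query of the shape shown above to constructed sandbox records; the grammar (AND/OR terms evaluated left to right) and the wildcard, substring-style matching are assumptions, not TI Lookup’s documented semantics. It also shows why combining indicators matters: `dbghelp.dll` is the name of a legitimate Windows DLL, so the file path alone over-matches.

```python
import re
from fnmatch import fnmatchcase

# Hypothetical, simplified grammar modelled on the query shown above:
#     field:"value" (AND|OR field:"value")*
# Assumptions (not TI Lookup's documented semantics): operators are applied
# left to right without precedence, and a value matches if it occurs anywhere
# in the record's field, case-insensitively, with '*' as a wildcard.
TOKEN_RE = re.compile(r'(\w+):"([^"]*)"|\b(AND|OR)\b')

# Constructed sample records standing in for sandbox sessions (not real ANY.RUN data).
# s4 is a clean Windows DLL of the same name: the file name alone is a weak indicator.
RECORDS = [
    {"id": "s1", "threatName": ["lumma"], "filePath": [r"C:\Users\Public\dbghelp.dll"]},
    {"id": "s2", "threatName": ["amadey"], "filePath": [r"C:\Users\Public\dbghelp.dll"]},
    {"id": "s3", "threatName": ["lumma"], "filePath": [r"C:\Temp\setup.exe"]},
    {"id": "s4", "filePath": [r"C:\Windows\System32\dbghelp.dll"]},
]

QUERY = 'filePath:"dbghelp.dll" AND threatName:"lumma"'


def parse_query(query):
    """Split a query into (field, pattern) terms and the operators between them."""
    terms, ops = [], []
    for m in TOKEN_RE.finditer(query):
        if m.group(3):
            ops.append(m.group(3))
        else:
            terms.append((m.group(1), m.group(2)))
    if not terms or len(ops) != len(terms) - 1:
        raise ValueError(f"malformed query: {query!r}")
    return terms, ops


def term_matches(record, field, pattern):
    """True if any value of `field` contains `pattern` (wildcards allowed)."""
    glob = f"*{pattern.lower()}*"
    return any(fnmatchcase(str(v).lower(), glob) for v in record.get(field, []))


def record_matches(record, query):
    """Evaluate the query against one record, left to right."""
    terms, ops = parse_query(query)
    result = term_matches(record, *terms[0])
    for op, term in zip(ops, terms[1:]):
        hit = term_matches(record, *term)
        result = (result and hit) if op == "AND" else (result or hit)
    return result


def search(records, query):
    """Return the ids of records matching the query, in input order."""
    return [r["id"] for r in records if record_matches(r, query)]


if __name__ == "__main__":
    print(search(RECORDS, QUERY))                      # ['s1']
    print(search(RECORDS, 'filePath:"dbghelp.dll"'))   # ['s1', 's2', 's4']
```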



How Threat Intel Research Helps Strengthen Enterprise Security 

By investigating, collecting, and analyzing threat data, security experts and management ensure:  

Early detection and prevention of threats. By knowing what IOCs to look for, companies can set up systems to monitor these signs continuously. Early detection can lead to quicker response times before significant damage occurs. 

Improved incident response. Security teams can more rapidly identify when an incident has occurred or is in progress. This speeds up the process of containment, eradication, and recovery.

Enhanced threat hunting. IOC research lets teams focus threat-hunting efforts by looking for signs of similar or related threats that might not have been detected by automated systems. It also helps to distinguish benign anomalies from actual threats and reduce the noise from false positives, which can overwhelm security teams.

Validation of security measures. Indicators can be used to test the effectiveness of current security controls by simulating or analyzing known threat patterns for fine-tuning security solutions. 

Understanding of vulnerabilities and attack vectors. IOCs provide insights into the tactics, techniques, and procedures (TTPs) used by attackers, allowing companies to better understand where they are vulnerable and how adversaries operate. 

Prioritization of security efforts and resource management, based on an understanding of which threats are most likely to impact the organization.

Forensic analysis. Post-incident analysis facilitates understanding the scope of the compromise, how the attack was executed, what was accessed, and how to prevent similar attacks in the future.

Training and awareness. Threat Intelligence Lookup can be used in training programs for educating staff to watch for suspicious activities or anomalies in system behavior. 

Cyber Threat Intelligence and Business Performance 

Threat intelligence objectives are closely connected with key business goals and metrics. 

ROI and Cost Optimization 

Significant cost savings can be achieved by preventing data breaches and minimizing mitigation efforts. By avoiding data losses and leaks, businesses can sidestep the expenses associated with incident response, legal fees, and regulatory fines.  

Informed Decision-Making 

Threat analysis with tools like ANY.RUN’s TI Lookup provides insights that allow teams to focus resources and security efforts on the most relevant threats, critical areas, and current vulnerabilities.

Operational Viability 

A pillar of enterprise efficiency, operational stability suffers immensely from even a brief downtime. Threat intelligence tools and methods like TI Lookup help automate threat detection, broaden its coverage and improve its accuracy, and reduce downtime caused by breaches.

Compliance and Reporting 

In manufacturing and industrial enterprises, regulatory compliance is critically important. Moreover, such businesses often operate in multiple jurisdictions with varying rules and requirements: plants and manufacturing facilities can be located in different countries, each with its own laws. Apart from improved threat detection, TI helps document incidents, enrich security reports, and meet requirements for frameworks like GDPR, HIPAA, and PCI.

Brand Reputation Defense 

Customer and counterparty trust is one of the most valuable business assets in enterprise or elsewhere. Early detection of threats reduces the likelihood of incidents that could damage a company’s name and negatively impact shareholder value. 

Conclusion 

Cyber resilience must be a business priority for enterprise companies, given their critical role in the economy, low tolerance for downtime, and complex digital environments. Threat intelligence builds a basis for proactive threat management and informed decisions, helps allocate resources, and avoids wasted spending. Professional solutions like ANY.RUN’s Threat Intelligence Lookup equip security teams to meet the demands of business security.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.


The post How Threat Intelligence Lookup Helps Enterprises appeared first on ANY.RUN’s Cybersecurity Blog.


Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks


Overview

The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetectable. The Australian government’s growing efforts to combat cybercrime highlight the increasing difficulty for cybercriminals to maintain secure, resilient, and hidden infrastructures.

BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of the reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks.

The term “bulletproof” is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services, as they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed.

How Bulletproof Hosting Providers Operate

BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations. These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by utilizing complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes.

A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity.

Another distinctive feature of BPH providers is their location. They often operate from countries with permissive cyber regimes, where local laws either lack the framework to tackle malicious cyber activities or are weakly enforced. This makes it even more challenging for law enforcement, such as the ACSC, to take decisive action.

BPH Providers’ Impact on Australian Cybersecurity

The consequences of BPH’s involvement in cybercrime are damaging, with Australian businesses and individuals often finding themselves targeted by cybercriminals using these services. Ransomware attacks, data extortion, and the theft of sensitive customer information are just some of the incidents that have been traced back to BPH providers.

The presence of these illicit services is not only a local problem but a global one. As these networks expand and evolve, they provide cybercriminals with an easy-to-use platform to launch attacks on a global scale. A single BPH provider can facilitate the activities of hundreds or even thousands of cybercriminals, allowing them to target victims across the globe.

Collaborative Efforts to Combat Cybercrime

In response to this growing threat, law enforcement agencies, including the ACSC, have been stepping up their efforts to identify and dismantle BPH providers. Through enhanced collaboration with global law enforcement, governments, and private sector cybersecurity experts, authorities are targeting these malicious services with increasing frequency. This collective effort aims to disrupt the underlying infrastructure that allows cybercriminals to thrive while complicating their ability to operate securely.

One of the primary methods being employed to target BPH providers is defensive measures, such as proactively blocking internet traffic originating from known BPH services. By identifying and isolating the infrastructure that facilitates cybercrime, investigators can reduce the impact of cybercriminal activities on Australian networks and businesses. In addition, legitimate ISPs and upstream infrastructure providers are being encouraged to adopt practices that prevent BPH providers from accessing their networks.

While BPH providers are a crucial part of the Cybercrime-as-a-Service landscape, they are not the only providers enabling malicious cyber activities. Other illicit services in this underground ecosystem allow cybercriminals to purchase malware, tools for evading security measures, and access to compromised networks. The removal of these services is critical to dismantling the cybercriminal ecosystem and reducing the scope of attacks targeting Australia.

Conclusion

The Australian Cyber Security Centre’s efforts to target Bulletproof Hosting Providers (BPH) highlight the need for a coordinated approach to disrupt the infrastructure enabling cybercrime. By addressing vulnerabilities in BPH services, authorities can disrupt cybercriminal operations and bolster overall cybersecurity resilience.

Australia’s organizations are urged to stay vigilant by updating software, strengthening security protocols, and using multi-layered defenses. Collaboration with law enforcement and cybersecurity experts is essential for detecting and preventing attacks from BPH providers.

To further protect against cyber threats, Cyble, a leader in threat intelligence, offers AI-powered solutions like Cyble Vision to provide real-time insights and enhance cybersecurity efforts. By integrating Cyble’s tools, businesses can strengthen their defenses and stay protected against cybercriminals.

The post Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks appeared first on Cyble.


Cyble Finds Thousands of Security Vendor Credentials on Dark Web


Overview

Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data.

The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including internal security company enterprise and development environments that could pose substantial risks.

The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. However, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from becoming much bigger cyberattacks.

Leaked Security Company Credentials

Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year.

Cyble looked at 13 of the largest enterprise security vendors—along with some of the bigger consumer security companies like McAfee—and found credentials from all of them on the dark web. The credentials were likely pulled from info stealer logs and then sold in bulk on cybercrime marketplaces.

Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too.

Security vendors had credentials leaked to potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms.

Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points.

The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls. The vendors included:

  • CrowdStrike
  • Palo Alto Networks
  • Fortinet
  • Zscaler
  • SentinelOne
  • RSA Security
  • Exabeam
  • LogRhythm
  • Rapid7
  • Trend Micro
  • Sophos
  • McAfee
  • Qualys
  • Tenable

All have had data exposures just since the start of the year that ideally were addressed quickly, or at least required additional authentication steps for access.

Trend Micro and Sophos have large consumer security businesses, as does McAfee, which exited the enterprise business in 2021. McAfee, for example, has had more than 600 credential leaks since the start of the year, almost all for consumers’ account access, likely harvested from info stealer attacks on the consumers’ personal devices.

CrowdStrike has had more than 300 credentials exposed since the start of the year, although some of those may be duplicates offered for sale across multiple forums. Most of those appear to be customer Falcon account credentials, again likely harvested from info stealers on customer endpoints. As some of those customers are high-tech companies and others with sensitive data, including a pharmaceutical giant and a large financial firm, they have a strong interest in keeping those accounts secure.

Some internal CrowdStrike accounts also appear to have been exposed this year, but those largely appear to be web marketing accounts, data that would likely have value only for competitors.

Palo Alto Networks and some other vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for several sensitive accounts, including developer and product account interfaces and customer data. Depending on the privileges granted to those accounts, the exposure could be substantial. Palo Alto has had nearly 400 credential exposures so far this year, most of them from customer leaks.

Credential Leaks Could Aid in Hacker Reconnaissance

Even if all the exposed accounts were protected by other means, as ideally, they were, such leaks are concerning for one other reason: They can help threat actors conduct reconnaissance by giving them an idea of the systems that a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit.

Other sensitive information exposed by info stealers could include URLs of management interfaces that are unknown to the public, which would give hackers further recon information.

Conclusion: Dark Web Monitoring is Critical for Everyone

Dark web monitoring is an underappreciated and cost-effective security tool for one very big reason: Credential leaks frequently come before much bigger security incidents like data breaches and ransomware attacks.

Leaked credentials for security tools and other important systems are important to monitor not only to prevent breaches but also to keep hackers from learning important information about an organization’s systems and how to access them.

If the largest security vendors can be hit by infostealers, so can any organization. Basic cybersecurity practices like MFA, zero trust, vulnerability management, and network segmentation are important for minimizing—and ideally preventing—data breaches, ransomware, and other cyberattacks.

The post Cyble Finds Thousands of Security Vendor Credentials on Dark Web appeared first on Cyble.


 JoCERT Issues Warning on Exploitable Command Injection Flaws in HPE Aruba Products


Overview

JoCERT has issued an alert regarding critical command injection vulnerabilities discovered in HPE Aruba’s 501 Wireless Client Bridge. The vulnerabilities, tracked as CVE-2024-54006 and CVE-2024-54007, allow authenticated attackers with administrative privileges to execute arbitrary commands on the device’s underlying operating system.

These flaws have been rated as high severity (CVSS score: 7.2) and pose a significant risk if left unaddressed.

A publicly released proof-of-concept (PoC) exploit further amplifies the urgency for organizations using affected devices to take immediate action.

Vulnerabilities Overview

HPE Aruba Networking has confirmed the existence of multiple command injection vulnerabilities in the web interface of the 501 Wireless Client Bridge. Below is a detailed breakdown of these vulnerabilities:

  • CVE-2024-54006: Exploitation enables attackers to execute arbitrary commands as privileged users.
  • CVE-2024-54007: Similarly, this flaw allows attackers to run commands remotely with administrative credentials.

Both vulnerabilities:

  • Require administrative authentication credentials to exploit.
  • Allow attackers to gain full control over the device upon successful exploitation.
  • Impact the confidentiality, integrity, and availability of the device.

Affected Software Versions

The vulnerabilities affect the following software versions:

  • HPE Aruba 501 Wireless Client Bridge: Versions V2.1.1.0-B0030 and below.

Devices running software versions higher than V2.1.2.0-B0033 are not impacted. Any other HPE Aruba Networking products not explicitly mentioned remain unaffected.

Severity and Exploitability

  • Severity: High (CVSS score: 7.2)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Exploitability: Exploitation requires authenticated administrative credentials. However, once exploited, attackers gain full control of the device, potentially enabling malicious activities such as data exfiltration, lateral movement, and network disruption.
  • Public Discussion: A proof-of-concept exploit script has been released publicly, making these vulnerabilities more accessible to attackers.

Mitigation and Recommendations

To safeguard against these vulnerabilities, organizations should follow these steps:

  1. Upgrade to a Fixed Version:
    • Update affected devices to software version V2.1.2.0-B0033 or later. The fixed software can be downloaded from the HPE Networking Support Portal.

  2. Restrict Management Interfaces:
    • Limit access to the Command Line Interface (CLI) and web-based management interfaces to a dedicated Layer 2 VLAN or secure them with Layer 3 firewall policies.

  3. Audit Network Devices:
    • Conduct a thorough security audit of all Aruba devices within your network to identify any unauthorized access or misconfigurations.

  4. Strengthen Authentication Mechanisms:
    • Enforce strong administrative passwords.
    • Regularly rotate administrative credentials to minimize the risk of unauthorized access.

  5. Monitor for Suspicious Activity:
    • Implement robust monitoring to detect any unusual or unauthorized access attempts to the 501 Wireless Client Bridge.

  6. Stay Informed:
    • Subscribe to HPE’s Security Bulletin alerts to receive updates about future vulnerabilities and patches.

Technical Details of the Vulnerabilities

CVE-2024-54006

  • Description: Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge, allowing attackers to execute arbitrary commands as a privileged user. Exploitation requires administrative authentication credentials.
  • CVSS Base Score: 7.2
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2024-54007

  • Description: Similar to CVE-2024-54006, this vulnerability allows authenticated attackers to execute commands on the device’s underlying operating system via the web interface.
  • CVSS Base Score: 7.2
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Both vulnerabilities were discovered and reported by Nicholas Starke of HPE Aruba Networking SIRT and Hosein Vita.

Workarounds

For organizations unable to immediately update to the fixed version, the following workarounds are recommended:

  • Restrict Network Access: Isolate the device management interfaces to a secure VLAN or subnet.
  • Firewall Rules: Configure Layer 3 and above firewall policies to limit access to the management interfaces.
  • Monitoring and Logging: Enable detailed logging to monitor for unusual administrative activities.

These workarounds are temporary and should not replace patching, which is the most effective mitigation strategy.

Final Notes

These command injection vulnerabilities in HPE Aruba’s 501 Wireless Client Bridge underline the importance of proactive cybersecurity practices. With the rise of publicly disclosed exploits, organizations must act quickly to mitigate risks by updating vulnerable devices, monitoring for threats, and enforcing strict access controls.

Failure to address these vulnerabilities could result in compromised devices, data breaches, and disrupted operations. Take immediate action to protect your network and maintain the integrity of your systems.

Source: https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/87

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04763en_us&docLocale

The post  JoCERT Issues Warning on Exploitable Command Injection Flaws in HPE Aruba Products appeared first on Cyble.


How to download, install, and update Kaspersky apps for Android | Kaspersky official blog

Our security solutions for Android are temporarily unavailable in the official Google Play store. To install Kaspersky apps on Android devices, we recommend using alternative app stores. You can also install our apps manually from the APK files available on our website or in your My Kaspersky account. This post gives in-depth instructions for installing Kaspersky on Android in 2025.

General recommendations

First, the good news: any Kaspersky apps you’ve already installed from Google Play will continue to work on your device. But they’ll automatically receive only antivirus database updates — not app or security feature improvements. If you uninstall an app, you won’t be able to reinstall it from Google Play.

Therefore, we recommend not deleting the apps already installed from Google Play, but downloading and installing over them the versions from these alternative stores:

You’ll find the same set of Kaspersky apps in all these stores, and the download methods are also alike:

  • Open the store app.
  • Enter “kaspersky” in the search bar (you may need to tap the magnifying glass icon to open the bar).
  • Find the app you want in the search results.
  • Depending on the store, tap Get, Install, Download or Update, or simply touch the download icon next to the name of the app.

If our apps are already installed on your device and you then download them from alternative stores, your device will retain all settings, and you won’t have to reactivate the license. What’s more, the apps can be updated automatically by enabling auto-update in the settings of the alternative store. Below is a how-to guide for all the recommended stores.

You can also install apps by downloading the APK files from our website. When you install over existing apps, all settings and licenses are retained. However, apps installed this way will not be updated automatically — you’ll need to track down new versions yourself, download them as APK files, and install them on your device manually. Because this is less convenient, we’ll soon be adding a feature to update apps automatically via their APK files, and will notify you when new updates come out. In the meantime, we recommend using the alternative app stores mentioned above.

What to do if your smartphone only has Google Play

If you only have Google Play on your smartphone, you first need to install an alternative app store, for example, Huawei AppGallery. Here’s how to do it:

  • Open this link in your browser.
  • Tap Download.
  • Follow the on-screen instructions, tapping OK in response to any system warnings.

You can now download Kaspersky apps. More detailed instructions are available on the Huawei AppGallery website.

How to enable auto-update for Kaspersky apps in alternative stores

To make sure you always have the latest version, after installing an app from an alternative store you need to enable auto-update in the store settings. We have step-by-step instructions for all stores — just follow one of the links below to go to the one you need:

Samsung Galaxy Store

To enable auto-update of apps in the Samsung Galaxy Store:

  • Open the menu (three horizontal lines).
  • Go to Settings by tapping the gear icon in the top-right corner of the screen.
  • On the screen that opens, find Auto update apps, and select Using Wi-Fi or mobile data.
How to enable auto-update of apps in the Samsung Galaxy Store


Huawei AppGallery

To enable auto-update of apps in Huawei AppGallery:

  • Tap Me at the bottom right of the screen.
  • Go to Settings.
  • Tap Auto-update apps, and select On.
How to enable auto-update of apps in Huawei AppGallery


Vivo V-Appstore

To enable auto-update of apps in Vivo V-Appstore:

  • Go to Manage by tapping the icon in the bottom right corner of the screen.
  • Go to Settings by tapping the gear icon at the top of the screen.
  • Tap Notifications and upgrades.
  • Enable App auto-update.
How to enable auto-update of apps in Vivo V-Appstore


How to install Kaspersky apps from APK files

First, you need to download the APK files from your My Kaspersky account or from our website by following the corresponding link:

Your device may warn you that the file isn’t safe to download. If this happens, confirm your action by tapping Keep or Download.

Once the download is complete, go to My files → Downloads, and tap the downloaded file. When installing it, you’ll need to allow installation of unknown apps from a new source. Here’s how to do it: Go to Settings → Apps → Additional → Special app access → Install unknown apps, find your browser in the list, and toggle the switch “Allow app installs” to On. That done, the Kaspersky app will continue to install. See here for more detailed instructions.

Granting permission to install unknown apps from Google Chrome


After installing our apps, make sure to turn this feature Off, since it can pose a security risk and so should only be used when absolutely necessary. To find out why we insist on this, see this Kaspersky Daily post.

How to buy a Premium subscription in your Kaspersky app

You can buy a subscription — for example, Kaspersky Premium — directly in the app itself. To do this, navigate to Profile, and under the Kaspersky Free icon tap Let’s go. Then select one of the three subscription tiers — Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium and the number of devices you want to protect, and check out.

How to activate an existing license in your Kaspersky app

If you installed any of our apps from an alternative store or from an APK file over one already installed from Google Play, there’s no need to reactivate your license.

If you bought a Kaspersky app on Google Play and connected it to your My Kaspersky account, but then uninstalled it and downloaded a new one from an APK file or an alternative store, your previously purchased license will work without any problems. See our detailed activation instructions.

If you uninstalled a Kaspersky app that was purchased from Google Play but not connected to your My Kaspersky account, then installed a new one according to the instructions in this post, please contact technical support to reactivate your license. They’ll be happy to assist.

If you have a license for multiple devices, the easiest way to activate apps on additional devices is to install them using the links in My Kaspersky — this way they’ll be activated automatically. You can also install Kaspersky apps from an alternative store or APK file as described above, and follow the instructions to activate the license.
