What is a zero-click exploit? | Kaspersky official blog

Some people believe that if you don’t click on dangerous links, open suspicious files, or install programs from untrusted sources, you don’t have to worry about malware infections. Unfortunately, this isn’t entirely true. There are so-called zero-click exploits that don’t require any actions of the targeted user.

Creating zero-click exploits requires both serious expertise and significant resources. The vulnerabilities needed for zero-clicks to work are, to say the least, not easily discovered — information about such security issues can cost hundreds of thousands, if not millions of dollars on the black market.

However, this does not mean that attacks using zero-click exploits are rare. Information about vulnerabilities (including those suitable for creating zero-click exploits) is often published by researchers on the Internet, sometimes along with proof-of-concept code. That is, after some time, any cybercriminal who follows infosec news will be able to use this vulnerability in their malware. Yes, software developers try to fix such vulnerabilities ASAP, but as we know, not everyone promptly installs updates.

Also, we should not forget about vulnerabilities in IoT devices, servers, and other connected systems such as network attach storage (NAS). All this equipment operates without constant human control, and therefore exploits designed to attack them do not rely on any user action. Either way, it’s worth at least knowing about zero-click attacks; even better — to take some measures to protect your company against them.

Examples of zero-click attacks

Using real-life examples of zero-click attacks, let’s see how they work in practice, and what methods the creators of these exploits use to achieve their goals.

The Operation Triangulation espionage campaign

Not long ago, employees of our company were attacked by an unknown group using, among other things, a zero-click exploit. After discovering it, we named this espionage campaign Operation Triangulation. Using Apple’s iMessage service, the attackers sent a message to the victim’s iPhone with a special attachment containing an exploit. Thanks to a previously unknown vulnerability in iOS, this exploit, without any user input, triggered the execution of malicious code that connected to a C2 server and gradually loaded additional malicious payload. It first elevated privileges using additional exploits and then launched a full-blown APT platform.

To get around the iPhone’s internal security mechanisms, the platform operated exclusively in the device’s RAM. It allowed the attackers to collect information about the owner and launch additional plugins downloaded from С2 servers. The infection was only detected thanks to our network event monitoring and analyzing system.

Of course, Apple quickly fixed this vulnerability, but it is not the first exploitation of a bug in iMessage that allows attackers to infect an iPhone using an invisible malware. Since attackers are actively researching this service, there is no guarantee that they will not find some alternative method and use it (possibly even for mass attacks).

Intellexa Predator spyware and a zero-click vulnerability in Safari

Another fairly recent example: Apple recently released an important update for iOS, macOS, and some other software products, fixing several serious vulnerabilities. A vulnerability in the WebKit (a browser engine used by Apple Safari browser) was exploited by a zero-click exploit, part of Intellexa Predator spyware.

First, the attackers waited for the moment when the victim accessed a website whose connection didn’t use encryption (that is, HTTP rather than HTTPS). After that, they conducted a man-in-the-middle (MITM) attack by redirecting the victim to an infected site. Then, the aforementioned vulnerability in the Safari browser was exploited — it allowed the attackers to execute arbitrary code on the iPhone without any action from the victim. Subsequently, the criminals used additional vulnerabilities to install spyware on the compromised iPhone.

Researchers also discovered a similar exploit chain that the creators of Predator used to infect Android smartphones. In this case, the zero-click attack was executed in the Chrome browser.

Earlier this year, we reported other vulnerabilities of this kind in both Apple Safari and Google Chrome. All of them enable the creation of malicious web pages that, in turn, infect with malware the smartphones or computers of users who visit them — again without any additional actions on the part of the victims.

How to defend against zero-click attacks

Since the primary danger of zero-clicks lies in the fact that their creators don’t require any active action at all by the victim, the usual principles of online hygiene aren’t very helpful here. However, there are still some things you can do to protect devices:

Keep software up to date — especially the operating system and all browsers installed on it.
If you have any reason to be concerned about attacks using high-level commercial spyware (such as NSO Pegasus), see our dedicated post with recommendations on how to defend against them.
For iPhone users, it’s good to use Lockdown Mode. This mode helps partially protect against serious attacks, but should by no means be considered a panacea.
Supply all corporate devices with a reliable protective solution that will take care of security during periods when new vulnerabilities are already being exploited, but the corresponding patches haven’t yet been released.
This also applies to iOS. Yes, due to Apple’s policy, there are no full-fledged antivirus solutions for this operating system. However, Kaspersky Endpoint Security for Business includes an application that does at least block dangerous web pages, thereby reducing the likelihood of vulnerabilities being exploited in the browser.

Kaspersky official blog – ​Read More

Ransomware gang files SEC complaint about victim

In what seems to be a new twist on the ransomware theme, the notorious ALPHV/BlackCat ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) about the software company MeridianLink.

ALPHV is one of the most active ransomware-as-a-service (RaaS) operators and regularly appears in our monthly ransomware reviews. MeridianLink supplies “digital lending solutions” to banks, credit unions, fintechs, and other financial institutions.

Since September 5, 2023 the SEC has required public companies to disclose within four days all cybersecurity breaches that could impact their bottom lines. Apparently ALPHV is aware of the new rules and in this screenshot of the SEC complaint form it wrote:

“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.

It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

The referenced item (Form 8-K Item 1.05) states:

“Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

– Nature, scope, and timing; and

– Impact or reasonably likely impact.

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. “

As you can see, there are possible exceptions and for all we know, the investigation into the nature and gravity of the data breach is still ongoing. Or far from as material as ALPHV wants us to believe.

In a statement to databreaches.net MeridianLink  said:

“Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cybersecurity incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.

We have no further details to offer currently, as our investigation is ongoing.”

Apparently the ransomware operators like to pretend that what they are doing is their civic duty. This tile is posted on the landing page of the gang’s leak site.

ALPHV announces that it’s filed a complaint with the SEC

Clicking through, we found the screenshot of the form and a non-explanatory statement why they filled the form out.

“Despite this requirement, MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago. We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission (SEC). It appears MeridianLink reached out, but we are yet to receive a message on their end. Maybe this was their DFIR, Mandiant, who did so without authorization from their client. Whatever the reason is…..we are giving you 24 hours before we publish the data in its entirety.”

Whatever the reason is behind MeridianLink’s apparent decision not to report the cyber-incident (yet), the action taken by ALPHV certainly is something we haven’t seen before. It may be a warning or an attempt to gain extra leverage. Knowing how hard it can be to determine the scope of a cyberattack in just a few days, we can expect to see this happen more often.

How to avoid ransomware

Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.

Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.

Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.

Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.

Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.

Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malwarebytes – ​Read More

Understanding the Kaspersky Compromise Assessment Service

A question for many businesses these days isn’t “Will we get hacked?” but rather, “Might we have already been hacked unknowingly?” The stealthy nature of advanced cyberthreats means that organizations need to be continuously vigilant. To safeguard sensitive data and critical systems, many turn to various cybersecurity services – including compromise assessment services. While compromise assessment may sound similar to incident response, penetration testing, and/or managed detection and response (MDR), it serves a distinct purpose in the realm of cybersecurity. In this post, we explore the concept of a compromise assessment service and show how it differs from these other crucial cybersecurity operations.

What is a compromise assessment service?

A compromise assessment service is a proactive cybersecurity project-based measure designed to identify signs of compromise within an organization’s IT infrastructure. This assessment focuses on detecting threats or suspicious activities that may have gone unnoticed within an organization’s environment. The primary objectives of compromise assessment are typically the following:

To perform a tool-aided indicator of compromise (IoC) scan of all hosts in the IT infrastructure
To analyze network activity, including outgoing connections to potential attackers’ command and control servers
To conduct initial incident investigation to identify tools and techniques used for the attack (if signs of network compromise were found)
To reveal suspected sources of an attack and other likely compromised systems
To provide recommendations on further remediation actions

What’s the difference between compromise assessment (CA) and incident response (IR)?

Incident response is a reactive cybersecurity process, which comes into play once a security incident has been detected. IR teams are responsible for investigating the nature and scope of a breach, containing it, eradicating the threat, and restoring normal operations. Incident response aims to minimize the impact of security incidents and prevent their reoccurrence.

Both CA and IR share common approaches and methodologies – including collection and analysis of digital forensic artifacts (Prefetch, Amcache, etc.), usage of IoC-scanners to find compromised hosts, and binary reverse engineering to prove the presence of malicious functions in certain programs or scripts.

The primary differences between CA and IR are:

Aspect
Compromise assessment
Incident response

Primary goal
To identify missed/unknown incidents
To reduce the impact of an identified security breach or an attack on your IT environment

Input data
Doesn’t require technical data for the input
Requires technical data for the input: alert from security control, suspicious file, signal about data leakage, ransom note, etc., which obviously prove that an incident has occurred

Timing
– Periodic assessment project
– Precedes IR in identifying an incident
– Can follow IR to make sure of no other compromises
– Is initiated after security incident detection
– Follows compromise assessment if a breach is detected

Scope
Broad scan across entire organization’s network to find all signs of compromise

Only the network segments affected by the reported incident

What’s the difference between compromise assessment and penetration testing?

Penetration testing – often referred to as pentesting – is a simulated cyberattack on a system, network, or application to evaluate its security vulnerabilities. The primary goal of a pentest is to identify potential weak points that malicious hackers might exploit, thereby allowing organizations to strengthen their security posture.

Both penetration testing and compromise assessment activities require skilled professionals with a deep understanding of cyberthreats and defenses. While they have different primary objectives, both are proactive measures to understand and improve security.

The key differences between a penetration test and a compromise assessment.

Aspect
Penetration testing
Compromise assessment

Objective
To identify vulnerabilities before they’re exploited
To identify instances of successful exploitation of vulnerabilities

Scope
Predefined (e.g., specific systems, applications)
Typically, the whole organization

Methodology
Simulated cyberattacks using tools and manual techniques
To examine logs, network traffic, anomalies and system behaviors

What’s the difference between compromise assessment and managed detection and response

Managed detection and response services involve continuous monitoring, threat detection, and incident response by a third-party provider. MDR combines technology, human expertise, and threat intelligence to identify and respond to security threats in real time. The focus of MDR is on providing a holistic cybersecurity solution that includes both monitoring and response capabilities.

Both CA and MDR use a combination of advanced technologies, threat intelligence, and skilled analysts to identify potential security breaches and suspicious activities within an organization’s network.

The key differences between CA and MDR are as follows:

Aspect
Compromise Assessment
MDR

Timing
-Periodic assessment project (one-time assessment)
– no SLA for notifications
– Continuous 24/7 activity (ongoing service)
– Strict SLA for notifications

Analysis focus
– Past and current attacks
– Forensic state analysis
– Current attacks
– Behavioral monitoring

Sources of data for analysis
– EDR/NTA
– SIEM
– Digital footprint intelligence (darknet)
EDR/NTA

Conclusion

As cyberthreats become increasingly sophisticated, the traditional reactive approach to cybersecurity is no longer sufficient. A compromise assessment service offers a proactive solution, ensuring that organizations aren’t just waiting for the next breach but actively seeking out and neutralizing latent threats. By conducting such assessments, you can eliminate the residual risk of being breached without notice.

A compromise assessment service plays a critical role in proactively identifying potential compromises and security weaknesses within an organization’s network. While it may share some similarities with incident response, penetration testing, and managed detection and response services, it’s a project-flow activity whose primary focus is on proactive identification of unnoticed attacks that bypassed an organization’s security systems and processes.

Understanding the differences among these cybersecurity practices is crucial for organizations seeking to build a robust defense strategy. Each service has its place in an organization’s cybersecurity posture, and they can complement one another to create a comprehensive and effective corporate security framework. You can learn more or contact our Kaspersky Compromise Assessment experts at the service’s web page.

Kaspersky official blog – ​Read More

3 benefits of ThreatDown bundles

Traditional approaches to endpoint security today have a three-fold complexity problem—with big consequences.

First, complexity in deployment causes long delays in protection, directly impacting ROI and leaving organizations vulnerable to breaches. In fact, almost 10 percent of small security teams cite such complexity as a primary reason for deployment setbacks. (Global Surveyz, 2022)

Second, lack of integrated security tools can lead security teams to overcompensate by buying and operating additional security platforms. This complexity multiplies operational overhead and creates gaps in security.

Dealing with day-to-day complexity with endpoint security is a third challenge. A survey of 200 CISOs by Global Surveyz found that nearly half (45 percent) of small IT teams flag issues like excessive alerts and multiple dashboards as chief product concerns, culminating in alert fatigue and drops in productivity.

To save time, money, and to stop more threats, it’s clear IT teams need an approach to endpoint security that resists complexity—a suite that’s easy to implement, cost-effective, and straightforward to operate.

Enter: ThreatDown bundles

ThreatDown combines the technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down complexity and take down costs:

ThreatDown Core Bundle: Next-gen AV and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.

ThreatDown Advanced Bundle: Everything included in core plus Managed Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.

ThreatDown Elite Bundle: Everything in Advanced plus 24/7/365 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.

ThreatDown Ultimate Bundle: Everything in Elite plus protection from whole categories of malicious websites. Perfect for teams looking for a one-and-done shortcut to cybersecurity done right.

Each bundle comes with ThreatDown Security Advisor, which analyzes an organization’s cybersecurity health—such as by assessment of current inventory and which assets are vulnerable—and generates a score based off what it finds, illuminating gaps in defenses and providing actionable recommendations for improvements that can be made in minutes.

ThreatDown Nebula dashboard view. Security Advisor enables organizations to visualize and improve their organization’s security posture in just a few minutes.

1. Seamless Deployment

With the average deployment timeline for traditional EDRs stretching up to 18 months for small security teams, the need for a swifter solution is clear.

Simply put, smaller teams just can’t afford extensive learning curves, which perhaps is why, from a financial standpoint, they prioritize implementation costs (50 percent) in their endpoint security more than anything else. (Global Surveyz)

ThreatDown EDR, the cornerstone of every ThreatDown bundle excluding Core, takes the complexity out of endpoint security deployment as evidenced by an average time to become fully operational that is two times shorter than the industry average.

Cloud-hosted on the Nebula platform, ThreatDown bundle core technology can deploy within minutes and has won multiple G2 awards for its unique combination of rapid time to go live and time to ROI, all delivered via an agent deployed with a small footprint.

2. All-In-One Integration

Managing too many platforms is challenging. Each additional security tool requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape.

According to Global Surveyz, 77 percent of small security teams ranked a ‘one-stop’ product with the ‘most integrated’ features as one of their top considerations when choosing a new security technology. In addition, 80 percent of CISOs recognize vendor consolidation as an avenue for more efficient security.

And, once you consider that over 5 percent of breaches in 2022 came from known vulnerabilities that had yet to be patched—and that the average cost of those breaches was $4.17 million—it goes without saying that Vulnerability and Patch Management needs to be part of any all-in-one security solution today.

By combining Endpoint Protection (EP), EDR, an award-winning Vulnerability and Patch Management solution, and more, ThreatDown Advanced, Elite, and Ultimate bundles give IT teams the ‘one-stop’ product they need to streamline detection and response through a single pane of glass.

Patch Management in ThreatDown Nebula.

3. Increased Protection

ThreatDown bundles don’t just simplify the deployment and administration of endpoint security; they simplify the take down of threats as well.

Traditional EDR is inherently exhausting. Without additional context, alerts become just too ambiguous to be actionable, meaning IT teams inevitably end up over-prioritizing less urgent threats while also overlooking severe ones—increasing their risk of a breach.

Starting with ThreatDown Advanced, organizations get access to next-level alert prioritization and threat protection with Managed Threat Hunting (MTH). For customers looking for 24x7x365 cybersecurity protection with proactive alert investigation and threat hunting, ThreatDown Elite and Ultimate offer Managed Detection and Response (MDR) services.

With ThreatDown bundles, organizations no longer need an advanced cybersecurity model and a well-staffed security operations center (SOC) to take down threats. Through a combination of superior EDR technology and human-delivered security, ThreatDown empowers organizations to keep up with the volume of EDR alerts and respond to threats on the fly.

ThreatDown MDR workflow.

Try ThreatDown bundles today

For IT teams plagued by the triad of complex deployment, scattered tooling, and excessive alert noise, ThreatDown bundles emerge as a superior solution that caters to the needs of today’s security teams.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.

Learn more about ThreatDown bundles here.

Malwarebytes – ​Read More