CVE-2024-6387 aka regreSSHion – root cause, risks, mitigation

A vulnerability has been discovered in OpenSSH, a popular set of tools for remote management of *nix systems. The bug allows an unauthenticated attacker to execute arbitrary code on the affected system and gain root privileges. The vulnerability was named regreSSHion, and assigned the ID CVE-2024-6387. Given that sshd, the OpenSSH server, is integrated into most operating systems and many IoT devices as well as firewalls, the description of the vulnerability sounds like the beginning of a new epidemic on the scale of WannaCry and Log4Shell. In practice, the situation is somewhat more complex. Widespread exploitation of the vulnerability is unlikely. Nevertheless, all server administrators using OpenSSH must urgently address the vulnerability.

Where OpenSSH is Used

The OpenSSH utility set is almost ubiquitous. It is a popular implementation of the SSH (secure shell) protocol, and is integrated into most Linux distributions, OpenBSD and FreeBSD, macOS, as well as specialized devices like those based on Junos OS. Since many TVs, smart doorbells, baby monitors, network media players, and even robotic vacuum cleaners are based on Linux systems, OpenSSH is often used in them as well. Starting with Windows 10, OpenSSH is also available in Microsoft’s OSs, although it’s an optional component not installed by default. It’s no exaggeration to say that sshd runs on tens of millions of devices.

How to trigger the regreSSHion vulnerability

During an SSH authentication attempt, the user has a time limit to complete the process, with the default setting being 120 seconds. If authentication does not occur, the sshd server asynchronously calls the special “sigalarm” function, which in turn invokes system-level memory management functions. This was done in a manner unsafe for asynchronous execution. Under certain conditions, and with a small probability, this can trigger a race condition, leading to memory boundary violations and arbitrary code execution.

To exploit this vulnerability, an attacker needs to make approximately 10,000 attempts on average, and the target system must be based on Linux versions using the GNU C Library (glibc), such as all Debian variants. Additionally, attackers need to prepare memory structures tailored to the specific version of glibc and Linux. Researchers have reproduced the attack on 32-bit Linux systems but, theoretically, it’s possible to exploit on 64-bit systems as well — albeit with a lower success rate. Address Space Layout Randomization (ASLR) slows down the exploitation process but does not provide complete protection.

Interestingly, this bug was already fixed by the OpenSSH team in 2006, when it was assigned CVE-2006-5051. Therefore, the new bug is a regression — the reappearance of an already known defect due to some changes introduced in the code. This is where the name for the new vulnerability, regreSSHion, comes from.

The likelihood of CVE-2024-6387 being exploited in the wild

The vulnerability was discovered by researchers and responsibly disclosed to the development team. Therefore, immediate exploitation is unlikely. Moreover, the technical complexities described above make mass exploitation impractical. Ten thousand authentication attempts with standard OpenSSH settings would take six to eight hours per server. Additionally, one needs to know which version of Linux the server is running. If the server has any protection against brute force attacks and DDoS, these measures would likely block the attack.

Despite all this, targeted exploitation is quite possible. Patient attackers can conduct reconnaissance and then make low-frequency attempts from different IPs, and sooner or later they might succeed.

How to protect your servers against exploitation

Versions of OpenSSH up to 4.4p1, plus versions from 8.5p1 to 9.7p1 running on glibc-Linux, are vulnerable. OpenBSD-based servers are not affected, so admins of those can breathe easier; however, everyone else should update sshd to version 9.8.

If for some reason immediate updating is not possible, administrators can set the login timeout to zero (LoginGraceTime=0 in sshd_config) as a temporary mitigation. However, developers warn that this makes the SSH server more susceptible to DDoS attacks.

Another possible mitigation is stricter access control for SSH — implemented using firewalls and other network security tools.

Kaspersky official blog – ​Read More

Kaspersky Expertise Centers | Kaspersky official blog

When writing about threats, vulnerabilities, high-profile investigations or technologies, we often mention our experts of various specializations. Generally speaking, Kaspersky’s experts are highly qualified employees specialized in their particular field who research new cyberthreats, invent and implement breakthrough methods to combat them, and also help our clients and to deal with the most serious of incidents. There are many fields for using their talents; most of them fall within the competence of one of our five so-called “centers of expertise”.

Kaspersky Global Research and Analysis Team (GReAT)


Our best known team in the cybersecurity industry is the Global Research and Analysis Team (GReAT). It’s a tightly knit collective of top-notch cybersecurity researchers specializing in studying APT attacks, cyber espionage campaigns, and trends in international cybercrime. Representatives of this international team are strategically located in our offices around the world to ensure immersion into regional realities and provide the company with a global perspective of the most advanced threats emerging in cyberspace. In addition to identifying sophisticated threats, GReAT experts also analyze cyber-incidents related to APT attacks, and monitor the activity of more than 200 APT groups. As a result of their work, our clients receive improved tools to combat advanced threats, as well as exclusive Kaspersky APT and Crimeware Intelligence reports, containing tactics, techniques and procedures (TTP), and indicators of compromise (IoC) useful for building reliable protection.

Kaspersky Threat Research

Kaspersky Threat Research are the experts whose work lies at the foundation of our products’ protective mechanisms – as they study all the details of attackers’ tactics, techniques and procedures, and drive the development of new cybersecurity technologies. These experts are primarily engaged in analyzing new cyberthreats and are responsible for ensuring that our products successfully identify and block them (detection engineering). Threat Research includes (i) Anti-Malware Research (AMR), whose experts deal with software (including malware, LolBins, greyware, etc.) used by cyberattackers; and (ii) Content Filtering Research (CFR), which is responsible for analysis of threats associated with communication via the internet (such as phishing schemes and spam mailings).

Attackers work hard to circumvent protective technologies, which is why we pay special attention to the security of our own products. The Threat Research expertise center also includes the Software Security team, which mitigates the risks of vulnerabilities in Kaspersky solutions. In particular, they’re responsible for the secure software development life cycle (SSDLC) process, bug bounty program, and for ensuring that our secure-by-design solutions (our own operating system – KasperskyOS – and products based on it) really are truly secure.

Kaspersky AI technology research


We all know how hyped AI technology is today, and how popular the topics of AI in cybersecurity and Secure AI are on the market. Our team provides a range of options in our solutions from ML (machine learning) and AI-enhanced threat discovery and triage alerts to prototype GenAI-driven Threat Intelligence.

For over two decades, our products and services have incorporated aspects of artificial intelligence to enhance security, privacy, and business protection. Kaspersky AI Technology Research applies data science and machine learning to detect various cyberthreats, including malware, phishing and spam on a large scale – contributing to detection of more than 400,000 malicious objects daily.

To detect more complex, targeted attacks, you have to juggle massive numbers of events and alerts coming from different levels of the IT infrastructure. Proper aggregation and prioritization of these alerts are crucial. Without AI-powered automation, it’s easy for a security-operations-center analyst to get overwhelmed and overlook critical alerts amid the multitude of security notifications. Better alert triage and prioritization – especially with machine learning – is top priority for our detection and response solutions (EDR, SIEM, XDR and MDR services).

Generative AI (GenAI) technologies open up new possibilities in cybersecurity. Kaspersky researchers are working on applying GenAI to various tasks in products ranging from XDR to Threat Intelligence to help cybersecurity analysts cope with the daily deluge of information, automate routine tasks, and get faster insights, amplifying their analytical capabilities and enabling them to focus more on investigating complex cases and researching complex threats.

We also use artificial intelligence to protect complex industrial systems. Our Kaspersky Machine Learning for Anomaly Detection (MLAD) solution enables our products to detect anomalies in industrial environments – helping identify early signs of potential compromise.

As AI systems are inherently complex, Kaspersky AI Technology Research also works on identifying potential risks and vulnerabilities in AI systems – from adversarial attacks to new GenAI attack vectors.

Kaspersky Security Services


Kaspersky Security Services experts provide complimentary services for information security departments at the largest enterprises worldwide. Its service portfolio is built around the main task of security departments – addressing incidents and their impact: detection, response, exercises, and process-wise operations excellence.

Whenever organizations face a security crisis, our team is dedicated to building a complete picture of the identified attack, and sharing recommendations for response and impact minimization. Our Global Emergency Response Team is located on all continents and is involved in hundreds of incident responses yearly.

For organizations that require continuous incident detection, there’s our Managed Detection and Response service. The Kaspersky SOC experts behind this service monitor suspicious activity in the customer’s infrastructure, and help to timely respond to incidents and minimize impact. Our MDR operates worldwide and is top-rated by customers.

Developing and measuring security maturity, preparing for real-world attacks, discovering vulnerabilities and more are the goals of our various Security Assessment services. Among other things, they can: evaluate SOC readiness to protect critical business functions with attack simulations (red teams); assess attackers’ chances of penetrating your network and gaining access to critical business assets with penetration testing service; and identify critical vulnerabilities by deeply analyzing complex software solutions with our application security service.

If a company needs to build its own SOC, or assess the maturity level or development capabilities of an existing one, our SOC Consulting experts share their vast experience in security operations gained while working with different industries, organizations of different sizes and with different budgets.

Before, during and after an attack, cybercriminals leave traces of their activities outside the attacked organization. Our Digital Footprint Intelligence experts identify suspicious activities on cybercriminal marketplaces, forums, instant messengers and other sources to timely notify an organization about compromised credentials, or someone selling access to their internal corporate network or data from their internal databases, and so on.

Kaspersky ICS CERT

Our industrial systems cybersecurity research center (Kaspersky ICS CERT) is a global project whose main goal is assisting manufacturers, owners and operators, and research teams in ensuring the cybersecurity of industrial automation systems and other M2M (machine-to-machine) solutions (building automation systems, transportation, medical systems and so on).

Kaspersky ICS CERT experts constantly analyze various products and technologies, evaluate their security level, report information about vulnerabilities to their manufacturers, and inform users of vulnerable solutions about the corresponding risks. In addition to searching for zero-day vulnerabilities, our CERT team analyzes publicly available information on vulnerabilities in ICS products, finds and eliminates multiple inaccuracies in it, and adds its own recommendations for reducing the risks to end-users.

Also, Kaspersky ICS CERT specialists identify and study attacks on organizations in the industrial sector, provide assistance in incident response and digital forensics, and share analytical information about attacks as well as indicators-of-compromise data feeds based on the results of their research.

In addition, our experts contribute to the engineering of sectoral and governmental regulations in the field of industrial cybersecurity, transportation, and the industrial Internet of Things; develop and conduct training for information-security specialists and employees of industrial organizations; and provide various consulting services.

Kaspersky spends huge amounts of resources – including a significant portion of its profits – on developing its expertise. Our experts research cyberthreats relevant to even the most remote corners of the globe, and understand the specific needs of all customers – no matter where they are. Thanks to the contribution of the above-listed centers of expertise, our services and solutions are constantly being improved and so always remain ready to counter the most non-trivial of attacks and identify the latest cyberthreats.

Kaspersky official blog – ​Read More

Hijacking GitHub accounts using phishing emails | Kaspersky official blog

We recently wrote about how attackers have learned to use legitimate social media infrastructure to deliver plausible-looking warnings about the blocking of business accounts, leading to password theft. It turns out that for several months now, a very similar method has been used to attack developer accounts on GitHub, which is a cause for concern for corporate information security teams (especially if developers have administrative access to corporate related repositories on GitHub). Let’s explore how this attack works.

GitHub account hijacking

Victims of this attack receive emails sent from a genuine GitHub email address. The emails claim that the GitHub team is looking for an experienced developer and offering attractive conditions — $180,000 per year plus a generous benefits package. If interested in the position, the recipient is invited to apply via a link.

The attack begins with an email: GitHub is supposedly seeking a developer for a $180,000 annual salary. Source

These emails do come from notifications@github.com, which really belongs to the service. However, an astute recipient might wonder why the HR team is using the notification address for job offers. They might also be puzzled that the email subject has nothing to do with the job offer, and instead ends with a list of several GitHub usernames.

However, the email’s authors send it out en masse, so they probably aren’t too worried about losing a few potential targets here. The attackers are satisfied with the small number of recipients who’ll be too distracted by the salary to notice the discrepancies.

Clicking the link in the email takes the recipient to a page that pretends to be the GitHub career site. Specifically, the addresses githubtalentcommunity[.]online and githubcareers[.]online have been used in this campaign — but these phishing sites are no longer available.

On the linked site, recipients are asked to authorize a malicious OAuth application. Source

On the site, developers interested in the position are asked to log in to their GitHub account and authorize a new OAuth application. This application requests numerous permissions — including access to private repositories, personal data, and discussions, as well as the ability to delete any repository managed by the targeted user.

The OAuth application requests a number of dangerous permissions. Source

Besides job offers, another type of email has been observed, claiming that GitHub had been hacked and the GitHub security team requires the user’s authorization to eliminate the consequences of the hack.

Phishing email variant warning of a GitHub hack. Source

The next thing: repository wipe and ransom demand

If an inattentive developer grants the malicious OAuth application all the requested permissions, the attackers begin exploiting them. They empty all the victim’s repositories and then rename them — leaving behind only a single README.me file.

Hijacked and emptied repositories on GitHub with ransom notes left by the attackers. Source

The file contains a message stating that the data has been compromised, but that a backup has been made. To restore the data, the victim is instructed to contact a user named Gitloker on Telegram.

It appears that these emails are sent using the GitHub discussion system. That is, the attackers use already compromised accounts to create messages with the email text under various topics, tagging several users. As a result, all the tagged users receive emails from the notifications@github.com address. These messages are likely deleted immediately after sending.

How to protect against such attacks on GitHub accounts

Experienced users and developers often consider themselves to be immune to phishing attacks. However, as this story shows, they can also be caught off guard: the operators of this phishing campaign have already managed to compromise and wipe dozens of repositories.

To prevent your developers from falling victim to this attack, give them the following recommendations:

Always carefully check all details of an email and compare its subject, text, and sender address. Any discrepancies are almost certainly signs of a phishing attempt rather than accidental errors.
If you receive a similar email from GitHub, don’t click any links in it, and report the email to GitHub support.
Never authorize unknown OAuth applications — this story shows how serious the consequences can be.
Periodically review the list of authorized OAuth applications in your GitHub account, and remove any suspicious ones.

We recommend the following to companies:

Use a reliable security solution with phishing protection on all devices, which will warn of dangers and block malicious sites in time.
Conduct regular information security training for employees, including developers. Experience with IT systems doesn’t guarantee safety; the necessary skills must be developed specifically. For example, you can use our interactive educational platform, the Kaspersky Automated Security Awareness Platform.

Kaspersky official blog – ​Read More

Meta AI plans to use the personal data of its users to train generative AI | Kaspersky official blog

The internet in recent weeks has been abuzz with talk of Meta’s new security policy. The company behind Facebook, Instagram, and WhatsApp informed a portion of its user base that, starting June 26, their personal data is to be used to train the generative artificial intelligence developed by its subdivision Meta AI.

To find out what data is affected, whether or not you can opt out, and how to stay digitally safe, read on.

Will Meta use Facebook and Instagram content to train its AI?

Meta AI has been around for over nine years already. Training its neural networks requires data — lots and lots of it — and it appears that the content generated by users of the world’s largest social networks might soon become Meta’s AI knowledge base.

It all started in May 2024, when posts about changes to Meta’s security policies began circulating online. The rumor was that, starting late June, the company planned to use content from Facebook and Instagram for generative AI training. However, these notifications weren’t sent to everyone — only to a select group of users in the EU and US.

Following a wave of outrage, Meta issued an official statement to EU residents. However, this seemed to generate more questions than answers. There was no press release explicitly stating, “As of this date, Meta AI will use your data for training”. Instead, a new page titled Generative AI at Meta appeared, detailing what data the company plans to use to develop artificial intelligence, and how. Again, with no specific dates.

Will Meta read my private messages?

According to company representatives — no, Meta AI won’t be reading your private messages. Chief Product Officer Chris Cox made clear that only public user photos posted on Facebook and Instagram would be used for AI training. “We don’t train on private stuff”, Cox is on the record as saying.

The executive’s statement is echoed on the company’s official page dedicated to generative AI. It states that the company will solely utilize publicly available data from the internet, licensed information, and information shared by users within Meta products and services. Furthermore, it explicitly mentions, “We do not use the content of your private messages with friends and family to train our AIs”.

Be that as it may, Meta AI has been scraping users’ public posts for at least a year now. This data, however, is depersonalized: according to company claims, the generative AI doesn’t link your Instagram photos with your WhatsApp statuses or Facebook comments.

How to opt out of having your data fed into Meta AI

Sadly, there’s no nicely labeled “I prohibit the use of my data to train Meta AI” button; instead, the opt-out mechanism is rather complicated. Users are required to fill out a lengthy form on Facebook or Instagram providing a detailed reason for opting out. This form is hidden within the maze of privacy settings for EU residents: Menu → Settings and privacy → Settings → Security policy. Alternatively, you can find it on the new Meta Privacy Center page, under Privacy and Generative AI.

The link is so well hidden it’s almost as if Meta doesn’t want you to find it. But we did the digging for you: here’s the form to opt out of Meta AI training on your personal data, although the official title is deliberately more vague: “Data subject rights for third-party information used for AI at Meta”.

But even armed with our direct link to this form, don’t get your hopes up: regardless of which of the three options you choose, a most convoluted and confusing form-filling process awaits.

Note the rather curious disclaimer in the description: “We don’t automatically fulfill requests sent using this form. We review them consistent with your local laws”. In other words, even if you opt out, your data might still be opted-in. It’s crucial to correctly state your reasons for wanting to opt out, and be a citizen of a country in which the GDPR is in effect. This data protection regulation can serve as the basis for deciding in favor of the user — not Meta AI. It stipulates that Meta must obtain explicit consent to participate in voluntary data sharing, and not just publish a hidden opt-out form.

This situation has caught the attention of NOYB (None Of Your Business) – the European Center for Digital Rights. Its human rights advocates have filed 11 complaints against Meta in courts across Europe (Austria, Belgium, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, and Spain) and, seeking to protect the personal data of their citizens.

The Irish Data Protection Commission took note of these claims and issued an official request to Meta to address the lawsuits. The tech giant’s reaction could have been predicted without any algorithms: the company publicly accused the plaintiffs of hindering the development of generative AI in Europe. Meta stated they believe their initial approach to be legally sound, and so will likely continue their attempts to integrate AI into users’ lives.

The bottom line

So far, the saga appears to be just another spat between Meta and the media. The latter claim that Meta wants to process personal data — including the most intimate messages and photos, while Meta bosses are trying to pour cold water on the allegations.

Remember: you are primarily responsible for your own digital security. Be sure to use reliable protection, read privacy policies carefully, and always stay informed about your rights regarding the use of your data.

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 353 | Kaspersky official blog

Episode 353 of the Transatlantic Cable podcast kicks off with news around ransomware attacks, both in the UK and the US. From there, the team discuss updates around the EU’s new DMA (Digital Market’s Act) and how Apple could be a test case for record fines, if they’re found to have abused their market position.

To wrap up, the team look at how some of the biggest names in music are joining forces to sue start up generative A.I companies, who have alleged that they’re infringing copyright on a massive scale.

If you liked what you heard, please consider subscribing.

Don’t blame us for people suffering – London hospital hackers
LockBit Ransomware Claims 33 TB of US Federal Reserve Data for Ransom
Apple in breach of law on App Store, says EU
World’s biggest music labels sue over AI copyright

Kaspersky official blog – ​Read More

EU NIS 2 Directive: what it is and how to prepare for it | Kaspersky official blog

Today’s topic is the NIS 2 Directive, which aims to improve the cyber-resilience of critical infrastructure and essential and important entities. NIS 2 looks set to do for information security in the EU what GDPR did for user data privacy.

It won’t be long now before the new directive will be transposed into national law, so if your organization is not yet ready, now’s the time to take steps.

What is NIS 2?

The revised Network and Information Security Directive (NIS 2) is the EU-wide legislation on cybersecurity. NIS 2 updates and complements the original NIS Directive, adopted in 2016, and creates a legal framework to enhance the overall level of cybersecurity across the EU.

The updated NIS 2 Directive focuses on three main areas:

Expanding the scope of application: the seven sectors covered by the original NIS Directive are supplemented by a number of new ones
New mechanisms for incident reporting and information sharing: NIS 2 mandates the timely reporting of significant incidents
Tighter enforcement of compliance: the updated NIS 2 introduces specific sanctions for non-compliance, including fines of up to 2% of global annual turnover

What organizations does NIS 2 apply to?

As mentioned above, the revised directive significantly broadens the scope of application compared to the original 2016 version. In addition, NIS 2 introduces a classification that divides the covered sectors into two categories:

Sectors of high criticality (Annex I):

Energy (electricity, district heating & cooling, gas, hydrogen, oil)
Transport (air, rail, water, road)
Banking
Financial market infrastructure
Health
Drinking water
Waste water
Digital infrastructure
ICT-service management (MSP, MSSP)
Public administration entities
Space

Other critical sectors (Annex II):

Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Production, processing, and distribution of food
Manufacturing (medical devices, computer, electronic, or optical products, electrical equipment, machinery, motor vehicles, other transport equipment)
Digital providers
Research

Besides classifying sectors, NIS 2 introduces an additional classification of specific entities. It too consists of two categories:

Essential (Article 3.1):

Large entities (annual revenue of over €50 million) in sectors of high criticality
Certification authorities, top-level domain registrars, and DNS providers, regardless of size of the business
Telecom providers, from medium-sized upwards (revenue over €10 million)
Public administration institutions
Any entity belonging to a highly critical or other critical sector that’s defined by an EU Member State as essential
Entities defined as critical under Directive (EU) 2022/2557

Important (Article 3.2):

Medium-sized entities (annual revenue of €10-50 million) in highly critical sectors
Medium and large entities in other critical sectors
Any entity that’s defined by an EU Member State as important

The category an entity belongs to has significant practical implications. The activities of entities classified as essential will be subject to much stricter and proactive oversight, including random raids, special security checks, and requests for proof of compliance. For non-compliance with NIS 2, essential entities may face a fine of up to €10 million or 2% of global annual turnover.

Entities classified as important can breathe a bit more easily — they’re subject to less stringent controls. For important entities, the penalties are slightly more modest: up to €7 million or 1.4% of global annual turnover.

NIS 2 timeline

Note that, unlike GDPR, NIS 2 is a directive, — not a regulation of the European Union. This means that EU Member States are legally required to amend their national legislation within the designated time frame. In the case of NIS 2, the deadline is set for October 17, 2024.

In addition, EU Member States will have to draw up lists of essential and important entities subject to NIS 2 by April 17, 2025.

It will be useful to revisit the timeline of the main stages of NIS 2:

July 6, 2016: adoption of Directive (EU) 2016/1148, the original NIS
May 9, 2018: deadline for EU Member States to transpose the NIS Directive into their national legislation
July 7, 2020: start of European Commission (EC) consultations on the revision of NIS
December 16, 2020: publication of the proposal for NIS2 by the EC
May 13, 2022: European Parliament vote on adoption of the NIS 2 Directive
November 10, 2022: approval of the NIS 2 Directive by the Council of the EU
December 14, 2022: publication of the NIS 2 Directive in the Official Journal of the EU under the title Directive (EU) 2022/2555
January 16, 2023: entry into force of the NIS 2 Directive
October 17, 2024: deadline for EU Member States to transpose the NIS 2 Directive into their national legislation
April 17, 2025: deadline for EU Member States to draw up lists of essential and important These lists must be updated regularly thereafter — at least every two years
October 17, 2027: review of the NIS 2 Directive

How to prepare for NIS 2 implementation?

Assess whether, and to what extent, the requirements of NIS 2 apply to your organization
Investigate how the NIS Directive was transposed into the national legislation in your EU Member State
Follow the recommendations of national cybersecurity authorities
Assess and develop technical, operational, and organizational measures for managing network and information systems; security risks

More information about the updated EU Network and Information Security Directive, and how organizations can prepare for its entry into force, is available on our dedicated NIS 2 site.

Kaspersky official blog – ​Read More

Why the AI-powered search tool Recall in Windows 11 is dangerous, and how to disable it | Kaspersky official blog

In May 2024, Microsoft introduced a new feature for Windows 11 called Recall, which “remembers” everything you’ve done on your computer over the last few months. Let’s say you want to Recall something you did on your computer recently. You enter into the search bar something like “photo of red car sent to me”, or “Korean restaurant I was recommended” — and receive answers in the form of links to apps, websites, or documents, paired with a thumbnail image of the screen captured the moment you were looking at the requested item!

Recall remembers everything you did on your computer in the last few months. Perhaps even things you’d rather forget. Source

What Recall does is take a screenshot every few seconds, which it saves in a folder on your computer. Then it analyzes all the images using AI in the background, extracts all the information from them, and places it into a database to be used for an AI-powered smart search.

Although all operations take place locally on the user’s machine, Recall sparked alarm among cybersecurity pros as soon as it was unveiled due to the many potential risks. The initial implementation of Recall was pretty much unencrypted, and available to any user of the computer. Under pressure from the infosec community, Microsoft announced improvements to the feature even before the public release, which was postponed from June 18 until around the end of the fall 2024. Yet, even with the promised tweaks, Recall remains controversial.

The dangers of Recall

All key data can be stolen in one fell swoop. The primary risk of Recall is that all sensitive data — from medical diagnoses and password-protected conversations to bank statements and private photos — ends up stored in one place on the computer. If a threat actor gains access to your computer or infects the machine with malware, all they need do is copy the contents of a single folder, and all your secrets are spilled. While tons of screenshots are a little trickier to steal due to their large size, the text part with recognized information could be snatched in a matter of seconds.

Worse still, if an attacker manages to stealthily download the screenshots, they’d be able to reconstruct everything you’ve done on your computer over the last few months — almost second by second. Recall can save up to three months of history unless it runs out of space (by default — 10% of drive capacity, but no more than 150GB).

While in the past infostealers would primarily target login credentials, crypto wallet data, and browser cookies, this list will soon be headed by Recall databases. Concerned infosec experts have wasted no time in creating a demo utility to show just how easy it is to extract data — even remotely.

Questionable data encryption. In the initial version of Recall, screenshots and databases with recognized texts were stored in open form. This prompted cybersecurity experts to demonstrate how to bypass OS restrictions and gain access to Recall databases and screenshots of any user on the computer. To address this issue, Microsoft promises additional encryption of the databases themselves with on-the-fly decryption. However, no one has seen the implementation of this feature yet, and there’s a good chance that decryption on a local computer will pose no difficulty. As with BitLocker full-disk encryption, this encryption can protect against evil-maid attacks, but it does nothing to help those who might leave their computer unlocked or put it to sleep, or who get infected with an infostealer.

Poorly policed confidential data. Microsoft states that the Recall database will store passwords, financial data, and other sensitive data that gets displayed on-screen. Unless the user has “paused” Recall, only private windows (in Edge, Chrome, Opera or Firefox) and DRM-protected data (for example, Netflix movies) are excluded from the database. Backup recovery codes for online accounts? Disappearing chat messages? An email you thought it best to delete? All this will remain in the Recall database, and you won’t be able to surgically remove individual data fragments — you’d have to clear all information over a long period. Otherwise, anyone who sits down at your unlocked computer would be able to spy on your confidential data — the kind that banks, clinics, and online services hide behind passwords and two-factor authentication. To mitigate this issue, Microsoft has issued assurances that access to the Recall application on a local computer will require additional user authentication.

Backup access recovery codes will also end up in the Recall database, wrecking the entire multi-factor authentication security model

Risks at work and at home. Detailed, easily searchable information about computer activity dating back months could cause problems for those who’ve an overly demanding boss, nosey housemate, or jealous other half. The temptation will be there to use Recall to track work performance, marital fidelity, and much more.

Default mode. Initially, Recall was supposed to be enabled by default, but under public pressure Microsoft said this would not be the case. Now, when installing Windows yourself you’re prompted to enable Recall, which is now disabled by default. However, those whose computer came with Windows 11 already configured (for example, at work) would have to check the presence and operating mode of Recall themselves.

Where to look for Recall

Currently, Microsoft claims that Recall will only be available on Copilot+ computers equipped with both a special Neural Processing Unit (NPU) and Windows 11. In practice, experts have successfully run Recall on other computers. Machines with ARM processors are best suited for this, but the feature can also be activated (albeit with some difficulties) on computers with x86 architecture — and even on virtual machines in Azure. What’s clear is that Recall requires no unique hardware to work, which means that in due course the feature will become available for all Windows computers with enough power. Given Microsoft’s practice in recent years of “offering” features by automatically activating them on users’ computers, you might get an unwanted AI assistant without even realizing it.

How to check for Recall

Recall can’t be installed on Windows 10 machines or earlier. On Windows 11, you can check for the feature by typing Recall in the Start menu search bar. If an application with this name appears in the search results, it’s installed and needs to be configured or disabled.

How to mitigate the risks posed by Recall

Some categories of users are advised to disable Recall entirely. This includes those who:

often store sensitive information on their computer
are legally obligated to strictly protect work data
share a computer with others
experience aggressive monitoring at work or home
have no need for AI searches

Fortunately, this isn’t hard to do. Open Settings, go to Privacy & Security -> Recall & snapshots, and disable Save snapshots. Then click Delete All to wipe previously taken snapshots.

Fortunately, Recall is easy to disable or customize. Source

If you don’t want to disable Recall completely, you need to at least configure it properly. The first step is to specify lists of applications and websites for which this function shouldn’t work. We recommend adding the following to Recall‘s exceptions:

all sites where you view important personal information: banks, government services, insurance and medical organizations
password manager sites and applications
sites and applications with confidential work information
sites and applications related to cryptocurrencies, if you use any
messenger apps used for confidential conversations — no matter how infrequently

If you decide to leave Recall enabled, be sure to configure the exclusion list. Source

Make sure your computer has full protection against cyberthreats, because a specialized infostealer that infects a Recall-enabled computer would be able to steal the whole history of your activity going back months prior to the infection. We can also anticipate the emergence of viruses that discreetly enable Recall for users and use it for smart recognition of all texts on your screen. After all, attackers managed to harness the Windows native encryption tool, BitLocker, using it for full-disk encryption of all information on the computer, followed by a ransom demand for decryption. We recommend Kaspersky Premium for maximum protection against malware.

In addition:

Enable BitLocker full-disk encryption
Protect your account with a strong password and biometric access
Configure the screen lock and use it when you step away from your computer
Create separate accounts for other users of the same computer, if any, or use a guest account
Subscribe to our blog and/or Telegram channel to be the first to know about new threats

Kaspersky official blog – ​Read More

How to exclude your router from surveillance via Wi-Fi positioning system | Kaspersky official blog

Every time someone with a smartphone with GPS enabled passes by near your Wi-Fi access point, the approximate geographic coordinates of your router are uploaded to the databases of Apple, Google and other tech giants. This is an integral part of the Wi-Fi Positioning System (WPS). For your router to end up in this database, you don’t even need to have a smartphone yourself — it’s enough for a neighbor or passer-by to have one.

WPS is what enables you to see your location almost immediately when you open a map app. Relying on “pure” GPS data from satellites would take a few minutes. Your smartphone checks which Wi-Fi access points are nearby, sends the list to Google or Apple, and receives either its calculated coordinates (from Google) or a list of router coordinates (from Apple) to calculate its own position.

Even devices without GPS, such as laptops, can also use this type of geolocation. As discovered by researchers at MIT, Apple places minimal restrictions on requests for access point coordinates, making it possible to create your own worldwide router map and use it to find interesting phenomena and patterns, or even track individuals.

What are the risks inherent in router surveillance?

While the approximate physical location of a router might not seem like particularly confidential data, especially for those living in your area, there are several cases when it’s best to keep this information hidden. Here are a just a few examples:

When using satellite internet terminals, such as Starlink. These provide internet access via Wi-Fi, and tracking the terminal equals tracking the user’s location. This is particularly sensitive when terminals are used in military conflict or emergency zones.
When using mobile hotspots for business and travel. If you find it convenient to share internet from a mobile router to your laptop and other devices, your pocket hotspot likely accompanies you on business trips. This creates opportunities to monitor your travel schedule, frequency and directions. The same applies to hotspots installed in RVs and yachts.
When people have moved. Often, a router moves with its owner, revealing their new address to anyone who’s previously connected to their Wi-Fi — even just once before. While this is usually harmless, it can be problematic for those relocating to escape harassment, domestic violence or other serious issues.

The limitations of WPS tracking

These are all valid concerns, but there’s good news: WPS tracking is less accurate and slower than other surveillance methods.

First of all, for a router to be added to the WPS database, it must be consistently detected in the same area over some time. MIT researchers found that a new router took between two and seven days to appear in the WPS database. If you go somewhere with a mobile router for a short period, this movement is unlikely to be recorded in the database.

Secondly, a router must be scanned by several smartphones with activated geolocation services to be included in the WPS database. Therefore, a router installed in an isolated or unpopulated area may never appear on the map.

Thirdly, the identification and further tracking of routers relies on a BSSID — an identifier broadcast by the access point. Wi-Fi standards allow for BSSID randomization, and if this feature is enabled, the identifier automatically changes at certain time intervals. This doesn’t interfere with the normal operation of devices connected to the access point, but it does make it more difficult to re-identify the router. Just like the private MAC address setting in Android, iOS and Windows reduces the risk of tracking client devices, BSSID randomization makes it much more difficult to track access points.

How to protect your router from WPS tracking

Both Apple and Google have a little-known tool that allows you to exclude an access point from WPS databases. To do this, add the suffix _nomap to the end of the access point name. For example, the access point MyHomeWifi should be renamed MyHomeWifi_nomap.

For home and office routers, an additional security measure is to rent a device from the provider rather than buying your own. Then, whenever you move, you can simply return it and rent a new router at the new location.

A more technologically advanced solution, though more complicated to implement, would be to use a router that supports BSSID randomization — such as those from Supernetworks with open-source firmware. The popular alternative firmware for routers, DD-WRT, also allows for BSSID randomization if supported by the hardware.

For those using a smartphone as an access point, we recommend reviewing the device settings. On Apple devices, enabling BSSID randomization for your hotspot is not very straightforward — there’s no such switch directly in the Personal Hotspot settings. However, if the Private Wi-Fi Address feature is enabled for at least some Wi-Fi networks (Settings → Wi-Fi → tap the name of the connected Wi-Fi network → enable Private Wi-Fi Address), then your hotspot will start randomizing the BSSID of the access point. This feature can also occasionally be found on Android smartphones, although the activation process varies by manufacturer.

According to Starlink, their terminals have also gradually been receiving a software update since early 2023 that automatically activates BSSID randomization.

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 352 | Kaspersky official blog

Episode 352 of the Transatlantic Cable podcast kicks off with a story concerning generative AI and hackers, with the hackers taking the side of artists (or so it would seem.)  From there discussion turns to the US surgeon general calling for ‘warning labels’ on social media, mainly in part due to the worrying rise in young people’s mental health.

To wrap up, the team look at two stories – the first concerning           ransomware and hospitals, and the second looking at a recent NHS data breach and black binbags.

If you liked what you heard, please consider subscribing.

Hackers Target AI Users With Malicious Stable Diffusion Tool on GitHub to Protest ‘Art Theft’
US surgeon general wants social media warning labels
Medical-Targeted Ransomware Is Breaking Records After Change Healthcare’s $22M Payout
Student’s flimsy bin bags blamed for latest NHS data breach

Kaspersky official blog – ​Read More

How phishing using progressive web apps (PWAs) works | Kaspersky official blog

A security researcher known as mr.d0x has published a post detailing a new technique that can be used for phishing and potentially other malicious activities. The technique exploits so-called progressive web apps (PWAs). In this post, we discuss what these applications are, why they can be dangerous, how attackers can use them for their own purposes, and how to [placeholder Kaspersky Premium]protect yourself[/placeholder] against this threat.

What are progressive web apps?

PWAs are applications developed using web technologies. Essentially, they’re websites that look and function just like native applications installed on your operating system.

The general idea is similar to applications built on the Electron framework, with one key difference. Electron apps are like a “sandwich” of a website (the filling) and a browser (the bread) dedicated to running that site; that is, each Electron application has a built-in browser. In contrast, PWAs utilize the engine of the browser already installed on the user’s system to display the same website – like a sandwich without the bread.

All modern browsers support PWAs, with Google Chrome and Chromium-based browsers (including the Microsoft Edge browser that comes with Windows) offering the most comprehensive implementation.

Installing a PWA (if the respective website supports it) is very simple. Just click an inconspicuous button in the browser’s address bar and confirm the installation. Here’s how it’s done, using the Google Drive PWA as an example:

Installing PWAs only takes two clicks

After that, the PWA appears on your system almost instantly, looking just like a real application — with an icon, its own window, and all the other attributes of a fully-fledged program. It’s not easy to tell from the PWA window that it’s actually a browser displaying a website.

The Google Drive PWA looks just like a real native application

PWA-based phishing

One crucial difference between a PWA and the same website opened in a browser is evident in the screenshot above: the PWA window lacks an address bar. This very feature forms the foundation of the phishing method discussed in this post.

With no address bar in the window, attackers can simply draw their own — displaying an URL that serves their phishing goals. For example, this one:

With a PWA, you can convincingly mimic any site — for example, the Microsoft account login page. Source

Attackers can further enhance the deception by giving the PWA a familiar icon.

The only remaining hurdle is convincing the victim to install the PWA. However, this can be easily achieved with persuasive language and cleverly designed interface elements.

It’s important to note that during the PWA installation dialog, the displayed app name can be anything the attacker desires. The true origin is only revealed by the website address in the second line, which is less noticeable:

The malicious PWA installation dialog displays a name that aids the attacker’s goals. Source

The process of stealing a password using a PWA generally unfolds as follows:

The victim opens a malicious website.
The website convinces the victim to install the PWA.
Installation occurs almost instantly, and the PWA window opens.
A phishing page with a fake address bar displaying a legitimate-looking URL opens in the PWA window.
The victim enters their login credentials into the form — handing them directly to the attackers.

What phishing using a malicious PWA looks like. Source

Of course, convincing the victim to install a native application is just as straightforward, but there are a couple of nuances. PWAs install significantly faster and require much less user interaction compared to traditional app installations.

Additionally, developing PWAs is simpler, as they’re essentially phishing websites with minor enhancements. These factors make malicious PWAs a powerful tool for cybercriminals.

How to protect yourself from PWA phishing

Incidentally, the same mr.d0x previously gained recognition for devising the browser-in-the-browser phishing technique, which we wrote about a couple of years ago. Since then there have been several reported instances of attackers employing this technique not only for stealing account passwords but also for spreading ransomware.

Given this precedent, it’s highly probable that cybercriminals will adopt malicious PWAs and devise novel ways to exploit this technique beyond phishing.

What can you do to protect against this threat?

Exercise caution when encountering PWAs, and refrain from installing them from suspicious websites.
Periodically review the list of PWAs installed on your system. For instance, in Google Chrome, type chrome://apps into the address bar to view and manage installed PWAs.

To view or remove installed PWAs in Google Chrome, type chrome://apps in the address bar

Use a reliable security solution with protection against phishing and fraudulent sites, which will promptly warn you of potential dangers.

Kaspersky official blog – ​Read More