S3 Ep149: How many cryptographers does it take to change a light bulb?

Latest episode – listen now! Full transcript inside…

Naked Security – Sophos News – Read More

Using WinRAR? Be sure to patch against these code execution bugs…

Imagine if you clicked on a harmless-looking image, but an unknown application fired up instead…

Smart light bulbs could give away your password secrets

Cryptography isn’t just about secrecy. You need to take care of authenticity (no imposters!) and integrity (no tampering!) as well.

“Snakes in airplane mode” – what if your phone says it’s offline but isn’t?

WYSIWYG is short for “what you see is what you get”. Except when it isn’t…

S3 Ep148: Remembering crypto heroes

Celebrating the true crypto bros. Listen now (full transcript available).

FBI warns about scams that lure you in as a mobile beta-tester

Apps on your iPhone must come from the App Store. Except when they don’t… we explain what to look out for.

“Grab hold and give it a wiggle” – ATM card skimming is still a thing

The rise of tap-to-pay and chip-and-PIN hasn’t rid the world of ATM card skimming criminals…

Update on Naked Security

To consolidate all of our security intelligence and news in one location, we have migrated Naked Security to the Sophos News platform.

Resolutions for a cybersecure 2024 | Kaspersky official blog

The rapid development of AI, international tensions, and the proliferation of “smart” technologies like the internet of things (IoT) make the upcoming year particularly challenging in terms of cybersecurity. Each of us will face these challenges in one way or another, so, as per tradition, we’re here to help all our readers make a few New Year’s resolutions for a more secure 2024.

Protect your finances

E-commerce and financial technologies continue to expand globally, and successful technologies are being adopted in new regions. Instant electronic payments between individuals have become much more widespread. And, of course, criminals are devising new ways to swindle you out of your money. This involves not only fraud using instant money-transfer systems, but also advanced techniques for stealing payment data on e-commerce sites and online stores. The latest generations of web skimmers installed by hackers on legitimate online shopping sites are almost impossible to spot, and victims only learn that their data has been stolen when an unauthorized charge appears on their card.

What to do?

Link your bank cards to Apple Pay, Google Pay, or other similar payment systems available in your country. This is not only convenient, but also reduces the likelihood of data theft when making purchases in stores.
Use such systems to make payments on websites whenever possible. There’s no need to enter your bank card details afresh on every new website.
Protect your smartphones and computers with a comprehensive security system like Kaspersky Premium. This will help protect your money, for example, from a nasty new attack in which the recipient’s details are replaced at the moment of making an instant money transfer in a banking app.
Use virtual or one-time cards for online payments if your bank supports this option. If a virtual card can be quickly reissued in the app, change it regularly — for example, once a month. Or use special services to ‘mask’ cards, generating one-time payment details for each payment session. There are many of these for different countries and payment systems.

Don’t believe everything you see

Generative artificial intelligence has dominated the news throughout 2023 and has already significantly affected the job market. Unfortunately, it’s also been used for malicious purposes. Now, just about anyone can create fake texts, photos, and videos in a matter of minutes — a labor that previously required a lot of time and skill. This has already had a noticeable impact on at least two areas of cybersecurity.

First, the appearance of fake images, audio, and video on news channels and social media. In 2023, generated images were used for propaganda purposes during geopolitical conflicts in post-Soviet countries and the Middle East. They were also used successfully by fraudsters for various instances of fake fundraising. Moreover, towards the end of the year, our experts discovered massive “investment” campaigns in which the use of deepfakes reached a whole new level: now we’re seeing news reports and articles on popular channels about famous businessmen and heads of state encouraging users to invest in certain projects — all fake, of course.

Second, AI has made it much easier to generate phishing emails, social media posts, and fraudulent websites. For many years, such scams could be identified by sloppy language and numerous typos, because the scammers didn’t have the time to write and proofread them properly. But now, with WormGPT and other language models optimized for hackers, attackers can create far more convincing and varied bait on an industrial scale. What’s more, experts fear that scammers will start using these same multilingual AI models to create convincing phishing material in languages and regions that have rarely been targeted for such purposes before.

What to do?

Be highly critical of any emotionally provocative content you encounter on social media — especially from people you don’t know personally. Make it a habit to always verify the facts on reputable news channels and expert websites.
Don’t transfer money to any kind of charity fundraiser or campaign without conducting a thorough background check of the recipient first. Remember, generating heart-breaking stories and images is literally as easy as pushing a button these days.
Install phishing and scam protection on all your devices, and enable all options that check links, websites, emails, and attachments. This will reduce the risk of clicking on phishing links or visiting fraudulent websites.
Activate banner ad protection — both Kaspersky Plus and Kaspersky Premium have this feature, as do a number of browsers. Malicious advertising is another trend for 2023-2024.

Some experts anticipate the emergence of AI-generated content analysis and labeling systems in 2024. However, don’t expect them to be implemented quickly or universally, or be completely reliable. Even if such solutions do emerge, always double-check any information with trusted sources.

Don’t believe everything you hear

High-quality AI-based voice deepfakes are already being actively used in fraudulent schemes. Someone claiming to be your “boss”, “family member”, “colleague”, or some other person with a familiar voice might call asking for urgent help — or to help someone else who’ll soon reach out to you. Such schemes mainly aim to trick victims into voluntarily sending money to criminals. More complex scenarios are also possible — for example, targeting company employees to obtain passwords for accessing the corporate network.

What to do?

Verify any unexpected or alarming calls without panic. If someone you supposedly know well calls, ask a question only that person can answer. If a colleague calls but their request seems odd — for example, asking you to send or spell a password, send a payment, or do something else unusual — reach out to other colleagues or superiors to double-check things.
Use caller identifier apps to block spam and scam calls. Some of these apps work not only with regular phone calls but also with calls through messengers like WhatsApp.

Buy only safe internet-of-things (IoT) smart devices

Poorly protected IoT devices create a whole range of problems for their owners: robot vacuum cleaners spy on their owners, smart pet feeders can give your pet an unplanned feast or a severe hunger strike, set-top boxes steal accounts and create rogue proxies on your home network, and baby monitors and home security cameras turn your home into a reality TV show without your knowledge.

What could improve in 2024? The emergence of regulatory requirements for IoT device manufacturers. For example, the UK will ban the sale of devices with default logins and passwords like “admin/admin”, and require manufacturers to disclose in advance how long a particular device will receive firmware updates. In the U.S., a security labeling system is being developed that will make it possible to understand what to expect from a “smart” device in terms of security even before purchase.

What to do?

Find out if there are similar initiatives in your country and make the most of them by purchasing only secure IoT devices with a long period of declared support. It’s likely that once manufacturers are obliged to ensure the security of smart devices locally, they’ll make corresponding changes to products for the global market. Then you’ll be able to choose a suitable product by checking, for example, the American “security label”, and buy it — even if you’re not in the U.S.
Carefully configure all smart devices using our detailed advice on creating a smart home and setting up its security.

Take care of your loved ones

Scams involving fake texts, images, and voice messages can be highly effective when used on elderly people, children, or those less interested in technology. Think about your family, friends, and colleagues — if any of them could fall victim to any of the schemes described above, take the time to explain these schemes to them or send them a link to our blog.

What to do?

Don’t just give blanket information from our articles; look beyond our blog to find suitable cybersecurity lessons for your loved ones based on their age and temperament.
Make sure that all your family’s computers and phones are fully protected. With Kaspersky Premium, you can protect as many devices as needed, on any popular platform — Windows, macOS, Android, or iOS.

Before we say goodbye and wish you a happy and peaceful 2024, one final little whisper — last year’s New Year’s resolutions are still very relevant: the transition to password-less systems is progressing swiftly, so going password-free in the New Year might be a good idea, while basic cyber hygiene has become all the more crucial. Oops, nearly forgot: wishing you a happy and peaceful 2024!…

Kaspersky official blog – Read More

Operation Triangulation: talk at 37C3 | Kaspersky official blog

At the 37th Chaos Communication Congress (37C3), currently being held in Hamburg, our experts from the Kaspersky Global Research and Analysis Team (GReAT) Boris Larin, Leonid Bezvershenko and Grigoriy Kucherin gave a talk called “Operation Triangulation: what you get when attack iPhones of researchers”. They described the attack chain in detail and discussed all of the vulnerabilities involved in it. Among other things, they presented, for the first time, the exploitation details of the CVE-2023-38606 hardware vulnerability.

We will not repeat all the nuts and bolts of the report — you can find the technical details in a post on the Securelist blog, or you can listen to the recording of the talk on the conference’s official website. Here we will briefly describe the main points.

As we already wrote at the beginning of this summer, the attack started with an invisible iMessage containing a malicious attachment that was processed without the user’s knowledge. The attack did not require any action from the user at all.
Our experts were able to detect the attack by monitoring a corporate Wi-Fi network using our own SIEM system, Kaspersky Unified Monitoring and Analysis Platform (KUMA).
The attack employed four zero-day vulnerabilities that affected all iOS devices up to version 16.2: CVE-2023-32434, CVE-2023-32435, CVE-2023-41990 and the aforementioned CVE-2023-38606.
The obfuscated Triangulation exploit could work both on modern iPhone models and on fairly old ones. When attacking newer iPhones, it could bypass Pointer Authentication Code (PAC).
The CVE-2023-32434 vulnerability used by this exploit gave attackers read and write access to the entire physical memory of the device from user level.
Thanks to the exploitation of all four vulnerabilities, the malware could gain full control over the device and run any malware it needed; instead, however, it launched the IMAgent process and used it to remove all traces of the attack from the device. It also launched the Safari process in the background and redirected it to the attacker’s web page hosting an exploit for Safari.
This Safari exploit obtained root privileges and launched the further stages of the attack (which we have already discussed in our previous publications).
Vulnerability CVE-2023-38606 allowed the built-in memory protection mechanism to be bypassed using undocumented processor registers that are not used by the firmware. According to our experts, this hardware feature was probably created for debugging or testing purposes and then, for some reason, was left enabled.

The only remaining mystery is how exactly the attackers knew how to use this undocumented feature, and where they found information about it in the first place.
