Global outage of Microsoft clients due to CrowdStrike update | Kaspersky official blog

Ever heard the unspoken rule: “Never release on Friday”? We have, but CrowdStrike hasn’t. They released a tiny driver on an ordinary Friday morning, which became the cause of a huge outage all over the world.

An incorrect update for CrowdStrike’s EDR (Endpoint Detection and Response) solution has affected Windows devices around the world — giving corporate users the Blue Screen of Death (BSOD). The failure has affected, for example, airport information systems in the US, Spain, Germany, the Netherlands and other countries.

Who else was affected by CrowdStrike’s Friday release and how to roll back bricked computers — all in this post…

What happened

It all started early Friday morning with corporate users around the world reporting problems with Windows. At first, a glitch in Microsoft Azure was blamed, but later CrowdStrike confirmed that the root cause was in the csagent.sys or C-00000291*.sys driver for its CrowdStrike EDR. And it was this driver that caused an abundance of silly office photos showing off the (dreaded) blue screens.

Blue screen of death on all computers = a day off for airport linemen

If we wanted to list everyone affected by this outage, such a list sure wouldn’t fit into this post – or dozens of them. So instead we’ll briefly cover the main victims of CrowdStrike’s negligence. Airline companies, airports, and people who want to either go home or go off on a long-awaited vacation were the most affected:

London’s Heathrow Airport, like many others, announced flight delays due to a technology glitch;
Scandinavian Airlines posted a notice on its website saying, “Some customers may experience difficulties with their bookings due to an IT issue affecting several countries. SAS is fully operational but delays are expected”;
In New Zealand, banking, communications and transportation systems are experiencing problems.

Various medical centers, chain stores, the New York subway, the largest bank in South Africa and many other organizations that make lives more comfortable and convenient on a daily basis were affected. The fullest list of those affected by the outage we can find is here — and it’s growing by the minute.

How to fix it

At this stage, it’s rather problematic estimating how long it’ll take to fully restore the affected computers around the world. Things are complicated by the fact that users need to manually reboot their computers in Safe Mode. And in large corporations, this is usually impossible to do on your own without the help of a system administrator.

Nevertheless, here are the instructions for how to get rid of the blue screen of death caused by the CrowdStrike driver update:

Boot your computer in Safe Mode;
Go to C:\Windows\System32\drivers\CrowdStrike;
Locate and delete the csagent.sys or C-00000291*.sys file;
Restart your computer in normal mode.

And while your sysadmins are doing this, you could use a hack that’s come out of India today: employees of one of the country’s airports have started filling out boarding passes… manually.

India isn’t too worried about the global disruption. Source

How the failure could have been avoided

Avoiding this situation should have been straightforward. First, the update shouldn’t have been released on a Friday. This follows a rule that’s been known to everyone in the industry since the year dot: if an error occurs, there’s too little time to fix it before the weekend, so the system administrators at all affected companies end up working through the weekend to put things right.

It’s important to be as responsible as possible about the quality of updates released. We at Kaspersky launched a program back in 2009 to prevent mass failures such as this one at our customers, and passed an SOC 2 audit, which confirms the security of our internal processes. For 15 years now, every update has been subjected to multi-level performance testing on various configurations and operating system versions. This allows us to identify potential problems in advance and resolve them on the spot.

The principle of granular releases should be followed. Updates should be distributed gradually, not all at once to all customers. This approach allows us to react instantly and stop an update if necessary. If our users have a problem, we register it, and its solution becomes a priority at all levels of the company.

As with cybersecurity incidents, in addition to fixing the visible damage, you need to find the root cause to prevent these types of problems repeating in the future. It’s necessary to check software updates on test infrastructure for operability and errors before rolling them out to the company’s “combat” infrastructure, and to implement changes gradually — continually monitoring for possible failures.

Incident handling should be based on an integrated approach to building protection from a trusted supplier with the strictest internal requirements for the security, quality and availability of its services. The basis for this work can be the Kaspersky Next line of solutions. This will help your company not only stay afloat — but also increase the efficiency of your information security system. This can be done either gradually — increasing protection step by step — or all in one go. Protect your infrastructure today with us so that the next global outage doesn’t affect your customers.

And we, for our part, can help you make this decision: switch to Kaspersky and unlock two years of Kaspersky Next EDR Optimum for the price of one. Experience the pinnacle of robust, reliable cybersecurity protection!

Kaspersky official blog – Read More

Transatlantic Cable podcast episode 356 | Kaspersky official blog

Episode 356 of the Transatlantic Cable Podcast kicks off with news around the AT&T ‘mega-breach’. From there the team discuss two stories related to AI – the first looks at how AI is being used to help doctors detect early-onset Alzheimer’s; the team then talk about how the K-pop industry is looking to use artificial intelligence to write songs and create artwork.

The final story discusses how legendary artist Bob Dylan has banned smartphones at his upcoming gigs – just how that will pan out is anybody’s guess.

If you liked what you heard, please consider subscribing.

AT&T says hackers stole records of nearly all cellular customers’ calls and texts
New AI tool could be game-changer in battle against Alzheimer’s
Will K-pop’s AI experiment pay off?
Bob Dylan to bring ‘phone-free’ tour to Edinburgh


Intimate image abuse – Kaspersky new survey indicates alarming trends | Kaspersky official blog

In today’s digital age, our social and romantic interactions are increasingly online, and the normalization of both storing and sharing intimate images has reached concerning levels. Our recent global study – one of the largest polls ever conducted on this matter – reveals some alarming trends, and highlights the urgent need for both awareness and education on intimate image abuse, commonly known as “revenge porn”.

The digital age of intimacy

Nearly a quarter of the people surveyed in our poll have explicit images saved on their devices – with the highest rates among younger age groups. Specifically, 34% of 16–24-year-olds and 25–34-year-olds admitted storing such images. Additionally, 25% of respondents have shared intimate images with people they’re dating or chatting with online – with this figure rising to 39% among 25–34-year-olds.

Despite the widespread sharing of intimate images, only 21% of those who’ve shared an image requested its deletion from the recipient’s device. This statistic highlights a troubling lack of awareness about the long-term consequences of sharing intimate images.

The dark side of image sharing

The study also exposes a darker side of intimate image sharing. Shockingly, 8% of those who’ve shared nude or explicit material admitted to doing so for revenge, and 9% – to frighten others. Nearly half of all respondents reported that they’ve either experienced intimate image abuse themselves, or know someone who has. This issue is particularly pronounced among younger generations, with 69% of 16–24-year-olds and 64% of 25–34-year-olds reporting such experiences.

Aaliyah’s story is a stark reminder of this reality; her ex-partner maliciously shared her intimate images online, causing severe emotional and psychological impacts.

Victim blaming: a harmful misconception

One of the most disturbing findings of our study is the prevalence of victim blaming. Precisely half of the respondents believe that if you share an intimate image of yourself, it remains your fault if it ends up in the wrong hands. This harmful misconception contributes to the stigma and isolation victims feel, making it harder for them to seek help and support.

We need to emphasize this: if someone shares your intimate images without your consent, it’s not your fault. The blame lies solely with those who misuse and exploit these images and, by definition – your trust. Alice’s story illustrates this perfectly. After her partner’s death, she found intimate images of herself online — images that were secretly taken while she was sleeping, highlighting that the real culprit is the one who takes and shares these images without explicit permission.

No one should have to suffer the emotional and psychological harm caused by intimate image abuse, and it’s crucial that we all work to change the narrative around this issue.

Protect yourself online

To protect yourself from intimate image abuse, consider the following tips:

Think before you post: be mindful of who you share your data with, and consider the potential risks;
Use secure messengers: opt for messaging services with end-to-end encryption;
Report abuse: if you believe you’re a victim of intimate image abuse, keep evidence and report it to the police and the respective platforms;
Check permissions: regularly review the permission settings on your apps to control data sharing;
Use strong passwords: employ a reliable security solution to create and manage unique passwords for each account;
Utilize resources: take advantage of tools like StopNCII.org to help prevent intimate images being shared online without your consent;
Find an organization in your country to provide you with further support.

The findings from our study make it clear that, while technology has made intimate image sharing easier, it has also increased the risk of abuse. Awareness and education are crucial in mitigating these risks and protecting individuals from the emotional and reputational harm associated with intimate image abuse.

For more information and resources, subscribe to our Telegram channel, and visit our blog and the revenge porn helpline in your country.


Hidden dangers of free VPN services | Kaspersky official blog

Regarding VPNs, a popular refrain these days goes something like: “Why bother paying for a VPN when there are tons of free ones out there?” But are free VPN services truly free? This post explains why thinking they are is misguided, and offers the optimal solution: one of the fastest and most secure VPN apps on the planet.

First there was: “There’s no such thing as a free lunch” — dating back to the 1930s. In this century, that old adage was updated and adapted for the digital age: “If you’re not paying for the product, you are the product”. Today this new axiom applies to many internet services — but especially to VPNs. After all, maintaining a network of servers across the globe, and handling encrypted traffic for thousands, if not millions of users comes at a significant cost. And if the user isn’t explicitly asked to pay for such services, there’s bound to be a catch somewhere. And that “somewhere” was recently vividly demonstrated by a couple of major incidents…

Freebie VPN and a botnet of 19 million IP addresses

In May 2024, the FBI, together with law enforcement partners, dismantled a botnet known as 911 S5. This malicious network spanned 19 million unique IP addresses across over 190 countries worldwide, making it possibly the largest botnet ever created.

But what does a gargantuan botnet have to do with free VPNs? Quite a lot actually, since the creators of 911 S5 used several free VPN services to build their brainchild; namely: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. Users who installed these apps had their devices transformed into proxy servers channeling someone else’s traffic.

In turn, these proxy servers were used for various illicit activities by the real clients of the botnet — cybercriminals who paid the organizers of 911 S5 for access to it. As a result, users of these free VPN services became unwitting accomplices in a whole host of crimes — cyberattacks, money laundering, mass fraud, and much more — because their devices were sucked into the botnet without their knowledge.

911 S5 botnet proxy rental prices Source

The 911 S5 botnet began its nefarious operations way back in May 2014. Disturbingly, the free VPN apps it was built upon had been circulating since 2011. In 2022, law enforcers managed to take it down for a while, but it resurfaced a mere few months later under a new alias: CloudRouter.

Finally, in May 2024, the FBI succeeded in not only dismantling the botnet infrastructure but also apprehending the masterminds, on which note the 911 S5 saga will likely end. During its operation, the botnet is estimated to have earned its creators a cool $99 million. As for the losses to victims — at least, just the confirmed ones — they amount to several billion dollars.

The FBI seized the website of PaladinVPN — one of the free VPN apps used to build the 911 S5 botnet

Infected VPN apps on Google Play

While the 911 S5 case is undoubtedly one of the largest botnets ever seen, it’s far from an isolated incident. Literally a couple of months before, in March 2024, a similar scheme was uncovered involving several dozen apps published on Google Play.

Though among them there were other apps too (such as alternative keyboards and launchers), free VPNs constituted the bulk of the infected ones. Here’s the full list:

Lite VPN
Byte Blade VPN
BlazeStride
FastFly VPN
FastFox VPN
FastLine VPN
Oko VPN
Quick Flow VPN
Sample VPN
Secure Thunder
ShineSecure VPN
SpeedSurf
SwiftShield VPN
TurboTrack VPN
TurboTunnel VPN
YellowFlash VPN
VPN Ultra
Run VPN

Oko VPN and Run VPN before being removed from Google Play Source

There were two modes of infection. Earlier versions of the apps utilized the ProxyLib library to transform devices on which the infected apps were installed into proxy servers. More recent versions employed an SDK called LumiApps, offering developers monetization by showing hidden pages on the device, but in reality doing the exact same thing — turning devices into proxy servers.

Just like in the previous case, the organizers of this malicious campaign sold access to proxy servers installed on user devices with the infected apps to other cybercriminals.

After the report was published, the infected VPN apps were, of course, removed from Google Play. However, they continue to circulate in other places; for example, they’re sometimes published in several different incarnations under different developer names in the popular alternative app store APKPure (which was infected with a Trojan a few years ago).

Oko VPN, one of the infected VPN apps booted out of Google Play, exists in multiple versions on the alternative platform

What to do if you really need a VPN

If you’re in dire need of a VPN service to protect your connection but don’t want to pay for one, consider using the free version of [placeholder ksec]. Free mode won’t allow you to select a server, plus there’s a traffic limit of 300 MB per day, but both your traffic and your device are fully secure.

The better option of course is to buy a subscription; after all a reliable VPN is a must-have app for absolutely everyone — and has been for some time. Premium access to Kaspersky VPN Secure Connection, available as a standalone purchase or as part of our Kaspersky Plus and Kaspersky Premium subscriptions, grants you access to one of the fastest VPNs in the world across all your devices, along with top-rated protection against phishing and other threats, as verified by independent researchers.

Best of all, you can enjoy a 30-day free trial of these subscriptions and experience the full functionality of our protection and VPN; that way, you can see for yourself how our VPN is one of the world’s speediest.


Zero-day vulnerability in Internet Explorer | Kaspersky official blog

As part of its latest Patch Tuesday, Microsoft has released patches for 142 vulnerabilities. Among them were four zero-day vulnerabilities. While two of them were already publicly known, the other two had been actively exploited by malicious actors.

Interestingly, one of these zero-days, which supposedly had been used to steal passwords for the past 18 months, was found in Internet Explorer. Yes — that same browser that Microsoft stopped developing back in 2015 and promised to definitively, absolutely, for-sure bury in February 2023. Unfortunately, the patient proved to be stubborn — resisting its own funeral.

Why Internet Explorer isn’t nearly as dead as we would all like

Last year, I wrote about what the latest attempt to kill off Internet Explorer actually entailed. I’ll just give a brief version here; you can find the full story at the link. With the “farewell” update, Microsoft didn’t remove the browser from the system but merely disabled it (and even then, not in all versions of Windows).

In practice, this means that Internet Explorer is still lurking within the system; users just can’t launch it as a standalone browser. Therefore, any new vulnerabilities found in this supposedly defunct browser can still pose a threat to Windows users — even those who haven’t touched Internet Explorer in years.

CVE-2024-38112: vulnerability in Windows MSHTML

Now let’s talk about the discovered vulnerability CVE-2024-38112. This is a flaw in the MSHTML browser engine, which powers Internet Explorer. The vulnerability has a rating of 7.5 out of 10 on the CVSS 3 scale, and a “high” severity level.

To exploit the vulnerability, attackers need to create a malicious file in an innocent-looking internet shortcut format (.url, Windows Internet Shortcut File), containing a link with the mhtml prefix. When a user opens this file, Internet Explorer — whose security mechanisms aren’t very good — is launched instead of the default browser.

How attackers exploited CVE-2024-38112

To better understand how this vulnerability works, let’s look at the attack in which it was discovered. It all starts with the user being sent an .url file with the icon used for PDFs and the double extension .pdf.url.

Inside the malicious .url file, you can see a link with the “vulnerable” mhtml prefix. The last two lines are responsible for changing the icon to the one used for PDFs. Source

Thus, to the user, this file looks like a shortcut to a PDF — something seemingly harmless. If the user clicks on the file, the CVE-2024-38112 vulnerability is exploited. Due to the mhtml prefix in the .url file, it opens in Internet Explorer rather than the system’s default browser.

Attempting to open the malicious file launches Internet Explorer. Source

The problem is that in the corresponding dialog box, Internet Explorer shows the name of the same .url file pretending to be a PDF shortcut. So it’s logical to assume that after clicking “Open”, a PDF will be displayed. However, in reality, the shortcut opens a link that downloads and launches an HTA file.

This is an HTML application, a program in one of the scripting languages invented by Microsoft. Unlike ordinary HTML web pages, such scripts run as full-fledged applications and can do a lot of things — for example, edit files or the Windows registry. In short, they’re very dangerous.

When this file is launched, Internet Explorer displays a not-so-informative warning in a format familiar to Windows users, which many will simply dismiss.

Instead of opening a PDF file, a malicious HTA (HTML Application) is launched, accompanied by an uninformative Internet Explorer warning. Source

When the user clicks “Allow”, infostealer malware is launched on the user’s computer, collecting passwords, cookies, browsing history, crypto wallet keys, and other valuable information stored in the browser, and sending them to the attackers’ server.
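The lure described above can be checked for before a user ever opens it. The following is an added example, not code from the original post: it parses a Windows Internet Shortcut (.url) file and flags the two traits described in this section, the mhtml: prefix in the URL= value and a document-like double extension. The sample shortcut contents, placeholder hosts and the "two reasons" threshold are constructed assumptions.

```python
"""Inspect Windows Internet Shortcut (.url) files for the CVE-2024-38112 lure
traits described in the post: a URL= value carrying the mhtml: prefix (which
hands the link to the MSHTML engine / Internet Explorer) and a deceptive
double extension such as .pdf.url. Sample contents below are constructed."""
import configparser
import re
from dataclasses import dataclass, field
from typing import List

# Internet Shortcut files are INI-style text with an [InternetShortcut] section.
SECTION = "InternetShortcut"
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# Extensions a lure borrows so the shortcut's name looks like a document.
DOCUMENT_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.url$", re.IGNORECASE)


@dataclass
class Finding:
    filename: str
    url: str = ""
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_shortcut(content: str) -> dict:
    """Return the [InternetShortcut] key/value pairs with key case preserved.
    Raises ValueError when the mandatory section is absent."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep 'URL', 'IconFile' etc. as written
    parser.read_string(content.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    if not parser.has_section(SECTION):
        raise ValueError(f"no [{SECTION}] section")
    return dict(parser[SECTION])


def inspect_url_shortcut(filename: str, content: str) -> Finding:
    """Apply the two checks a defender can run on a .url file before a user
    opens it; a malformed file is reported as suspicious rather than ignored."""
    finding = Finding(filename)
    try:
        fields = parse_url_shortcut(content)
    except (ValueError, configparser.Error) as exc:
        finding.reasons.append(f"malformed shortcut: {exc}")
        return finding
    finding.url = fields.get("URL", "")
    if MHTML_PREFIX.match(finding.url):
        finding.reasons.append("URL uses the mhtml: prefix, so it opens in Internet Explorer")
    if DOCUMENT_DOUBLE_EXT.search(filename):
        finding.reasons.append("file name imitates a document with a double extension")
    return finding


# Constructed samples with placeholder hosts and icon path (not real lure content).
BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://intranet.example.invalid/handbook
"""

LURE_SHORTCUT = """[InternetShortcut]
URL=mhtml:http://lure.example.invalid/placeholder
IconFile=C:\\placeholder\\icon-source.dll
IconIndex=0
"""

if __name__ == "__main__":
    for name, content in (("handbook.url", BENIGN_SHORTCUT), ("Invoice.pdf.url", LURE_SHORTCUT)):
        result = inspect_url_shortcut(name, content)
        print(name, "SUSPICIOUS" if result.suspicious else "ok", result.reasons)
```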

How to protect against CVE-2024-38112

Microsoft has already patched this vulnerability. Installing the update ensures that the trick with mhtml in .url files will no longer work, and such files will henceforth open in the more secure Edge browser.

Nevertheless, this incident once again reminds us that the “deceased” browser will continue to haunt Windows users for the foreseeable future. In that regard, it’s advisable to promptly install all updates related to Internet Explorer and the MSHTML engine, and to use reliable security solutions on all Windows devices.


Kaspersky Premium takes top spot in anti-phishing tests | Kaspersky official blog

We write a lot about phishing, and always recommend our products as the best line of defense. And for good reason — Kaspersky Premium for Windows outperformed 14 other solutions in AV-Comparatives’ 2024 Anti-Phishing Test — beating global vendors like Bitdefender, McAfee, Avast, and others.

The AV-Comparatives Approved Anti-Phishing certificate — a mark of quality in protecting users from phishing

Because Kaspersky products utilize a unified stack of security technologies, which was rigorously tested by researchers, this award equally applies to our other products and solutions — both for home users (Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium) and for business (such as Kaspersky Endpoint Security for Business and Kaspersky Small Office Security).

About the test

The independent Austrian organization AV-Comparatives has a 25-year track record of evaluating the effectiveness of cybersecurity products and solutions. This latest test assessed how well popular cybersecurity solutions protect users from phishing threats while browsing the web and using email.

The test ran from May 17 to 28, 2024, using a selection of 275 fresh and active phishing links. The phishing URLs included sites designed to steal data from bank cards, PayPal and online banking accounts, Dropbox and eBay, social media and email accounts, online games, and other online services. To test for false positives, 250 links to legitimate online banking services worldwide were also included.

To achieve certification, security solutions had to block at least 85% of phishing addresses and avoid any false positives on legitimate websites. Kaspersky Premium for Windows blocked the highest number of phishing links among all the test’s participants — 93% — without a single false positive, securing first place. Only seven of the 15 tested solutions from other vendors met the certification criteria — albeit with lower scores: McAfee (92%), Avast (91%), Trend Micro (89%), Fortinet (89%), Bitdefender (89%), ESET (87%), and NordVPN (85%).

Comparison of AV-Comparatives’ anti-phishing test results for eight certified protection solutions

AV-Comparatives has been conducting its anti-phishing test — whose list of threats and legitimate websites is updated annually — since 2011, and our products have excelled consistently year after year. The test is performed on computers with identical hardware configurations, operating systems, and browsers, simultaneously for all security solutions put to the test. All other phishing protection mechanisms in the operating system or browser are disabled. Each tested product is configured to default settings and has unlimited internet access and the ability to update throughout the test. A visit to a phishing site is only considered as detected if the security solution warns the user that the site is unsafe.

A legacy of success

In 2023 alone, our products participated in 100 independent studies and emerged victorious 93 times. Since 2013, our products have undergone rigorous testing by independent researchers 927 times, achieving 680 first-place finishes, and placing in the top-three 779 times. This is an absolute record among all security solution vendors — both in terms of tests conducted and victories secured.

Here’s a rundown of some of our most notable recent wins:

Kaspersky Standard for Windows was recognized by AV-Comparatives as Product of the Year in 2023 based on the results of seven tests conducted over 13 months — surpassing Bitdefender, Avast, McAfee, and 12 other security solutions. Concurrently, AV-Test awarded our home user protection its annual Best Advanced Protection 2023 award based on six tests. We dedicated a separate blog post to this achievement.

Kaspersky Plus for Windows achieved a perfect score in the Total Accuracy Rating category in all of SE Labs’ Endpoint Security: Home tests conducted in 2023 and 2024 — earning the AAA rating.

Kaspersky Plus for Mac was recognized as the best security solution for macOS users by AV-Test in 2023, achieving top scores and quality certifications in all four tests conducted that year. In March 2024, the product received further acclaim from AV-Test — again earning a perfect score.
Kaspersky Plus for Android received a five-star rating in all six of Testing Ground Labs’ tests conducted in 2023, and two tests in 2024. Consistency is a sign of success!
Kaspersky Safe Kids stood out as the only product among five participants in the test of parental control and child protection solutions to receive the Approved Parental Control certification from AV-Comparatives in 2024. This recognition comes as a result of the product blocking over 98% of websites distributing pornographic content — all without any false positives.

You can check out our other awards in the TOP-3 section on our website.


SIEM benefits for medium-sized business | Kaspersky official blog

A medium-sized company is an attractive target for cybercriminals. It operates on a scale that’s large enough for the company to pay a substantial ransom if its data is taken hostage. Meanwhile, its approach to information security is often an inheritance from the time when it was much smaller. Hackers can come up with a tactic to bypass the company’s basic protection and compromise the network with little to no resistance. The damage done by such incidents averages around $100,000. The regulatory side of things also cannot be ignored: cybersecurity rules and regulations have been proliferating around the world, and so have the fines for non-compliance.

Businesses are often cognizant of these threats and willing to allocate more resources to their infosec teams. How do you take your corporate security to the next level without excessive outlay? Here’s a little spoiler: deploying a SIEM (Security Information and Event Management) system is key.

Layered protection

A company’s long-term goal should be to build layered defenses in which different tools and controls complement one another to significantly complicate attacks on the company and limit the attackers’ options. A company with 500 to 3000 employees is almost certain to have the basic tools and the initial protective layer: access control through authentication and authorization, endpoint protection (popularly known as “antivirus”), server protection including email servers, and a firewall.

The next thing to do is supplement, rather than replace, this arsenal with more advanced cybersecurity tools, such as:

A system for comprehensive monitoring and correlation of security events from a variety of data sources (computers, servers, and applications) in real time across the entire infrastructure
Tools for obtaining enhanced information about possible incidents or just suspicious activity and anomalies
Incident response tools: from investigations in accordance with regulatory requirements, to isolation of compromised hosts and accounts, vulnerability elimination, and so on
Advanced identity management tools: from centralized user management and role-based access control, to a single authentication portal with MFA
Tools for improving visibility and manageability of IT assets, attack surface management, and patch management

Having all of these at the same time is out of the question, so implementing these measures will need to be prioritized and broken down into phases. That said, comprehensive monitoring forms the basis for many other information security tools, and therefore, SIEM implementation should be close to the top of the list.

This equips defenders with brand new capabilities: detecting attackers’ malware-free activities, spotting both suspicious objects and suspicious behavior, and visualizing and prioritizing infrastructure events. Proper use of SIEM can relieve the workload on the infosec team, as it spares them the need to spend time handling isolated events, logs, and other artifacts manually.

What a SIEM system is and why a medium-sized company needs one

SIEM solutions have been used for comprehensive IT monitoring in corporate infrastructures for two decades now. These solutions are composed of a number of components that collect, store, organize, and analyze telemetry, and allow responding to incoming events. Thanks to SIEM, an infosec employee can receive most alerts in a single console, easily link different aspects of an event (such as file creation, network activity, and account login) into a single entity without having to dig through five different data sources, and respond promptly to these events. The high degree of automation saves the infosec team a great deal of time. What you used to do manually just by walking over to a coworker’s computer becomes too much effort as the company grows in size.

Key SIEM components for medium-sized businesses

The architecture may differ between SIEM systems, but the key elements are always the same:

Event sources: these aren’t part of the SIEM, but they serve as providers of information. Anything that generates logs as it runs – whether it’s an operating system, EDR agent, business application, or network device – can be a source.

Collector: this is typically a separate service that receives logs from telemetry sources for processing in the SIEM.

Log normalizer and storage: these are elements of the SIEM platform core. The normalizer transforms and adapts the logs it receives from a collector to make them suitable for use, search, and analysis. Centralized data storage significantly simplifies detection and investigation of incidents, as well as the provision of incident information to regulators.

Event correlation is the heart of SIEM systems. This is the key step where disjointed events contained in different logs are correlated, merged if found to be associated with the same activity or different stages of a single activity, and prioritized. Prioritization is driven by threat intelligence available to the defenders. This is what can serve as the basis for writing a rule that won’t ping the infosec team every time a PowerShell script runs, but will raise an alert if a script runs with command-line options characteristic of a targeted attack.
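As an added illustration of the normaliser and correlation steps described above (and of linking process and network activity into one entity, as mentioned earlier), here is a minimal SIEM-style pipeline; it is example code, not the Kaspersky platform’s own logic. Two constructed log formats are normalised into a common event schema, then a rule alerts on PowerShell only when it starts with switches commonly used to hide activity and the same host makes an outbound connection shortly afterwards. The log formats, host names, switch list and thresholds are assumptions.

```python
"""Minimal SIEM-style pipeline (added example): normalise two constructed
log formats into one Event schema, then correlate them with a rule that
ignores routine PowerShell use but alerts when PowerShell starts with
activity-hiding switches AND the same host connects out within a window."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str  # "process" or "network"
    data: Dict[str, object]


# Constructed endpoint-agent format: ts|host|user|image|command line
PROC_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$")
# Constructed firewall format: ts host=... dst=... dport=... action=...
NET_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$")


def normalize(line: str) -> Optional[Event]:
    """Normaliser: map each raw source format onto the common Event schema."""
    m = PROC_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), m["host"], "process",
                     {"user": m["user"], "image": m["image"].lower(), "cmdline": m["cmd"]})
    m = NET_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), m["host"], "network",
                     {"dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]})
    return None  # unknown format: a real SIEM would count this as a parse failure


# PowerShell switches (with accepted abbreviations) that rarely appear together
# in routine administration; two or more is the alert threshold (assumption).
HIDING_SWITCHES = {"encodedcommand", "enc", "ec", "e",
                   "windowstyle", "w",
                   "executionpolicy", "ep", "ex", "exec",
                   "noprofile", "nop"}


def powershell_suspicious(cmdline: str) -> bool:
    switches = {tok[1:].lower() for tok in cmdline.split() if tok.startswith(("-", "/"))}
    return len(switches & HIDING_SWITCHES) >= 2


def correlate(events: List[Event], window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Correlation rule: suspicious PowerShell start followed, on the same host
    and within `window`, by an allowed outbound connection. Plain PowerShell
    use never alerts, so the infosec team is not paged for every script run."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "process" or not str(ev.data["image"]).endswith("powershell.exe"):
            continue
        if not powershell_suspicious(str(ev.data["cmdline"])):
            continue
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break  # events are sorted, so nothing further is inside the window
            if later.host == ev.host and later.kind == "network" and later.data["action"] == "allow":
                alerts.append({"host": ev.host, "user": ev.data["user"], "cmdline": ev.data["cmdline"],
                               "dst": later.data["dst"], "dport": later.data["dport"],
                               "seconds_to_connect": (later.ts - ev.ts).total_seconds()})
                break
    return alerts


# Constructed sample logs: routine script on ws-017, hidden/encoded run on ws-042
# followed by a connection, and a later hidden run with no connection (no alert).
SAMPLE_LOGS = [
    "2024-07-12T09:00:01|ws-017|alice|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1",
    "2024-07-12T09:00:05 host=ws-017 dst=10.0.0.5 dport=445 action=allow",
    "2024-07-12T09:02:10|ws-042|bob|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -ep bypass -enc PLACEHOLDER",
    "2024-07-12T09:02:31 host=ws-042 dst=203.0.113.7 dport=443 action=allow",
    "2024-07-12T09:30:00|ws-042|bob|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -File C:\\scripts\\cleanup.ps1",
    "this line is in no known format",
]


def run_sample() -> List[dict]:
    events = [e for e in (normalize(line) for line in SAMPLE_LOGS) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```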

Dashboards and alerts are a purely visual but important part of the system that helps make sense of heaps of data, easily find what you’re looking for, quickly drill down into an incident, and learn about issues or suspicious events in time.

A steep price used to be a real barrier to SIEM adoption by medium-sized businesses, as the products were aimed at larger companies exclusively. This has now changed with the advent of new solutions that no longer target just the enterprise segment of the market, such as our Kaspersky Unified Monitoring and Analysis platform.

Kaspersky official blog – ​Read More

How to set up Apple Shortcuts in VPN & Antivirus by Kaspersky for iOS | Kaspersky official blog

The Kaspersky for iOS app now supports Apple Shortcuts and Siri. In this post, we discuss the new possibilities this gives our users, and how to configure Shortcuts to work with the Kaspersky app.

How to give voice commands to Kaspersky

You can now turn the VPN on and off in the Kaspersky for iOS app using voice commands. Setting this up is quick and easy: just activate Siri and say, “Siri, turn on Kaspersky VPN”. The system will then ask if you really want to enable commands; tap the blue Turn On button.

If you’ve just installed Kaspersky on your iPhone or iPad and have never turned the VPN on before, you’ll need to open the app and activate the VPN manually to accept all the necessary user agreements. After that, everything will work smoothly.

To activate voice commands for Kaspersky VPN, launch Siri and say, “Siri, turn on Kaspersky VPN”

Now all you have to do is say, “Siri, turn on Kaspersky VPN” to establish a VPN connection or “Siri, turn off Kaspersky VPN” to disconnect — it’s as easy as pie.

To turn on Kaspersky VPN, say, “Siri, turn on Kaspersky VPN”. To turn it off, say, “Siri, turn off Kaspersky VPN”

How to turn VPN on and off using Shortcuts

But that’s just the beginning. You can also use Apple Shortcuts to place “Turn on VPN” and “Turn off VPN” shortcuts on your iPhone’s Home Screen. To do this, find and open the Shortcuts app; the easiest way to do this is through search — especially if you rarely use this app.

To set up Kaspersky VPN Home Screen shortcuts, open the Shortcuts app and select Kaspersky

Next, find the Kaspersky app in Shortcuts and tap it. If it’s difficult to find due to an over-abundance of icons, you can use the search function. To do this, tap All Shortcuts and type “Turn” in the search field. In both cases, the necessary shortcuts will now appear on the screen.

To find Kaspersky VPN shortcuts in Shortcuts, you can use the search function

Simply tapping the shortcut will immediately activate it — turning the VPN on or off. To add a shortcut to the Home Screen, tap and hold the shortcut. A pop-up menu will appear — select Add to Home Screen.

On the next screen, you can choose the icon and color of the shortcut. By default, iOS suggests blue, but we recommend choosing green for “Turn on VPN”, and red for “Turn off VPN”. This way, you’ll instantly know which shortcut does what, making them convenient to use.

How to add “Turn on VPN” and “Turn off VPN” shortcuts to the Home Screen

All done! Now you have handy shortcuts on your Home Screen that let you quickly turn the VPN on or off in the Kaspersky for iOS app with just a single tap.

Now you can turn Kaspersky VPN on and off with one tap

How to trigger Kaspersky VPN activation when launching apps

And that’s still not all! You can also use Shortcuts to automatically trigger VPN activation in Kaspersky for iOS. For example, you can automatically establish a VPN connection when launching a particular app.

To do this, open the Shortcuts app, go to the Automation tab, and tap the large blue New Automation button (or the + in the upper right corner of the screen if you’ve created automation scripts before). On the page that opens, scroll down to the App option and tap it.

You can use Shortcuts to automate Kaspersky VPN activation — for example, when launching a particular app

Next, tap Choose to select an app, check the box at the bottom of the screen next to Run Immediately so that iOS doesn’t ask for confirmation every time, and tap Next.

Select the desired app and check the box next to “Run Immediately”

On the next screen, use the search to find the familiar Turn on VPN shortcut and select it. Done! Now a VPN connection will be established automatically when you launch the app you’ve selected.

Tap “Next” and find the “Turn on VPN” shortcut

By the way, you can also configure the VPN connection to automatically disconnect when you close this app. To do this, repeat all the steps described above, but change the condition to Is Closed, and select the Turn off VPN shortcut.

You can also automatically disconnect the VPN when closing an app: create a new automation script, change the condition to “Is Closed”, and select the “Turn off VPN” shortcut

How to trigger Kaspersky VPN activation when connecting to Wi-Fi networks

Another possibility is to activate the VPN automatically when connecting to any Wi-Fi network, or to a specific network that you don’t fully trust but have to use frequently. To do this, create a new automation script, scroll down to Wi-Fi, and select it. Keep in mind that the automation fires after the device has already joined the network, so anything apps send in the moments before the VPN connects still travels over that network outside the tunnel.

To turn the VPN on automatically when connecting to Wi-Fi, create a new automation script and select “Wi-Fi” from the list

In the window that opens, tap Choose to select a network, either a specific one or Any Network. As before, check the box next to Run Immediately so you don’t have to confirm the action each time.

Select the desired network or “Any Network”, and check the box next to “Run Immediately”

Next, tap Next and select the Turn on VPN shortcut. You can also create an additional automation to disconnect the VPN automatically when you leave the Wi-Fi network.

The features described in this post are available to users with Kaspersky Plus and Kaspersky Premium subscriptions.

Other useful features of Kaspersky for iOS

Of course, the VPN is by no means the only thing in our super app Kaspersky for iOS. It also includes anti-phishing, an ad and tracker blocker, a password manager, automatic personal data-leak checking, home network protection from strangers, and much more.

To enhance the security of your device, simply tap “Security Scan”

By the way, the updated Kaspersky for iOS app features a convenient Security Scan button at the top of the main screen, allowing you to run a security check and improve your device’s protection with a single tap.


Pseudo-exploit for CVE-2024-6387 aka regreSSHion | Kaspersky official blog

An archive containing malicious code is being distributed on the social network X (formerly known as Twitter) under the guise of an exploit for the recently discovered CVE-2024-6387, aka regreSSHion. According to our experts, this may be an attempt to attack cybersecurity specialists. In this post we explain what the archive actually contains and how the attackers are trying to lure researchers into a trap.

The legend behind the archive

The story goes like this: there is a server with a working exploit for the CVE-2024-6387 vulnerability in OpenSSH, and this server is actively using the exploit to attack a list of IP addresses. The archive, offered to anyone wishing to investigate this attack, allegedly contains the working exploit, the list of IP addresses and some kind of payload.

Real contents of the malicious archive

In fact, the archive contains some source code, a set of malicious binaries and scripts. The source code looks like a slightly edited version of a non-functional proof-of-concept for this vulnerability that was already circulating publicly.

One of the scripts, written in Python, simulates exploitation of the vulnerability on servers at the IP addresses from the list. In reality, it launches a malicious file called exploit: malware whose job is to gain persistence on the system and fetch an additional payload from a remote server. The malicious code is saved to a file in the /etc/cron.hourly directory. To persist further, it modifies the ls binary, writing a copy of itself into it, so the malicious code runs again every time ls is launched.
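Two quick triage checks for the persistence mechanism just described, added here as an example (this is neither the malware nor Kaspersky’s detection logic): an unexpected or binary entry in /etc/cron.hourly, and signs that an ELF executable such as ls has had foreign code written into it. The checks take raw data so they can run on constructed samples offline; run_live() applies them to the local system. The baseline set of cron entries and the sample file name are assumptions.

```python
"""Triage checks for cron.hourly drop-ins and tampered ELF binaries (added example)."""
import os
import struct

ELF_MAGIC = b"\x7fELF"
CRON_HOURLY = "/etc/cron.hourly"
# Assumed: what this particular host is expected to have in cron.hourly.
CRON_BASELINE = {"0anacron", "logrotate"}


def suspicious_cron_entries(entries, baseline=CRON_BASELINE):
    """entries: iterable of (file name, first bytes). cron.hourly normally holds
    shell scripts, so an ELF binary there is a strong signal on its own."""
    findings = []
    for name, head in entries:
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if head.startswith(ELF_MAGIC):
            reasons.append("ELF binary, not a script")
        if reasons:
            findings.append((name, reasons))
    return findings


def section_table_end(data):
    """Offset just past the section header table (normally the last thing in a
    linked ELF), or None if the header cannot be read or there is no table."""
    if not data.startswith(ELF_MAGIC) or len(data) < 64:
        return None
    order = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if data[4] == 2:                             # EI_CLASS: 2 = ELF64
        (shoff,) = struct.unpack_from(order + "Q", data, 0x28)
        shentsize, shnum = struct.unpack_from(order + "HH", data, 0x3A)
    else:                                        # ELF32
        (shoff,) = struct.unpack_from(order + "I", data, 0x20)
        shentsize, shnum = struct.unpack_from(order + "HH", data, 0x2E)
    if shoff == 0 or shnum == 0:
        return None
    return shoff + shentsize * shnum


def elf_anomalies(data):
    """Heuristics for a tampered executable. Confirm with the package manager
    (dpkg --verify / rpm -V) before acting: a few legitimate binaries carry a
    second ELF image or trailing data."""
    reasons = []
    first = data.find(ELF_MAGIC)
    if first == -1:
        reasons.append("no ELF header")
    elif first != 0:
        reasons.append(f"ELF header at offset {first}: code prepended")
    if data.lstrip().startswith(b"#!"):
        reasons.append("starts with a script shebang")
    if data.count(ELF_MAGIC) > 1:
        reasons.append("more than one ELF header: embedded or appended image")
    end = section_table_end(data) if first == 0 else None
    if end is not None and len(data) > end:
        reasons.append(f"{len(data) - end} bytes after the section header table")
    return reasons


def make_fake_elf64(code_len=128, nsections=3):
    """Constructed stand-in for a clean binary: 64-byte header, code, section table last."""
    shentsize = 64
    hdr = bytearray(64)
    hdr[0:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = 2, 1, 1             # ELF64, little-endian, EV_CURRENT
    struct.pack_into("<Q", hdr, 0x28, 64 + code_len)
    struct.pack_into("<HH", hdr, 0x3A, shentsize, nsections)
    return bytes(hdr) + b"\x90" * code_len + b"\0" * (shentsize * nsections)


CLEAN = make_fake_elf64()
PREPENDED = b"#!/bin/sh\n# dropper stub (constructed)\n" + CLEAN     # infector first, original after
APPENDED = CLEAN + b"\x00PAYLOAD" * 16                                 # original first, payload after
SAMPLE_CRON = [("0anacron", b"#!/bin/sh\n"), ("logrotate", b"#!/bin/sh\n"),
               ("update-check", CLEAN[:16])]                           # constructed dropped ELF


def run_live():
    entries = []
    for name in sorted(os.listdir(CRON_HOURLY)):
        with open(os.path.join(CRON_HOURLY, name), "rb") as f:
            entries.append((name, f.read(4)))
    print(CRON_HOURLY, suspicious_cron_entries(entries))
    with open("/bin/ls", "rb") as f:
        print("/bin/ls", elf_anomalies(f.read()))


if __name__ == "__main__":
    run_live()
```

The ELF checks are deliberately heuristic: a prepender moves the real header away from offset 0, an appender leaves bytes past the section header table, and both tend to leave a second magic string behind. Treat any hit as a reason to compare the file against the package database rather than as proof on its own.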

How to Stay Safe

Apparently, the attackers are counting on the fact that, when working with obviously malicious code, researchers tend to disable security solutions and focus on analyzing the data exchange between the malware and a server vulnerable to CVE-2024-6387. Meanwhile, completely different malicious code is used to compromise the researchers’ computers.

Therefore, we remind all information security experts, and anyone else who likes to analyze suspicious code, never to work with malware outside a specially prepared isolated environment that has no access to external infrastructure.

Kaspersky products detect elements of this attack with the following verdicts:

UDS:Trojan-Downloader.Shell.FakeChecker.a
UDS:Trojan.Python.FakeChecker.a
HEUR:Trojan.Linux.Agent.gen
Virus.Linux.Lamer.b
HEUR:DoS.Linux.Agent.dt

As for the regreSSHion vulnerability, as we wrote earlier, its practical exploitation is far from being simple.


Why you need to remove the Polyfill.io script from your website

If your website uses the script from Polyfill.io, we recommend removing it ASAP: the service is sending malicious code to your visitors. This article explains what Polyfill.io is for, why it’s become dangerous to use, and what you should do about it if you do use it.

What polyfills and Polyfill.io are

A polyfill is a piece of code that implements features otherwise unsupported by certain browser versions. This is typically JavaScript code that adds support for HTML5, CSS3, JavaScript API and other standards and technologies that spare web developers the headache of supporting exotic or outdated browsers. Polyfills saw their heyday in the 2010s as HTML5 and CSS3 gradually took over the Web.

Polyfill.io is a service that helps automatically deliver polyfills that a browser requires for displaying a particular website.

The service gained popularity both for its efficiency (only the polyfills a given browser needs are loaded) and for keeping up with changes in the technologies and standards it covered. Ease of implementation was a factor as well: all a developer needed to start using Polyfill.io was to add a single script tag to the website’s HTML.

Polyfill.io was originally created by the Financial Times web development team. In February 2024, the service, along with the associated domain and GitHub account, was sold to the Chinese CDN provider Funnull. Trouble began less than six months later.

Malicious code from cdn.polyfill.io

On June 25, 2024, researchers at Sansec discovered that cdn.polyfill.io had begun to deliver malicious code to users of websites that used Polyfill.io. The code used a typosquatted domain imitating Google Analytics, www.googie-anaiytics.com, to redirect users to a Vietnamese sports betting site.

The malicious code redirected the users of compromised sites to a sports betting site written in Vietnamese

According to the researchers, this wasn’t the first time that Polyfill.io had been caught spreading malicious code. Those who had noticed the dangerous behavior earlier tried complaining (archived link) in GitHub comments, but the new owners of Polyfill.io quickly removed all the criticisms (here’s another example from the Internet Archive).

The potentially harmful script is allegedly present on more than 100,000 websites — some of them rather big ones.

Google Ads: one more reason to remove Polyfill.io

If serving a malicious script to your visitors doesn’t sound worrying enough, Google Ads gives website operators one more good reason to hurry up and fix the problem.

Google’s advertising service has suspended the display of ads linking to websites that load malicious scripts from several services. Besides Polyfill.io, the list includes Bootcss.com, Bootcdn.net and Staticfile.org.

A Google Ads suspension warning due to the website using a malicious script downloaded from Polyfill.io, Bootcss.com, Bootcdn.net or Staticfile.org. Source

You’d be wise to stop using the aforementioned services on your website, or else you risk losing traffic twice over: users get led away by the malicious scripts, and Google Ads stops promoting you.

Protecting against the Polyfill.io attack

Here are a few steps to take about the attack:

Remove the Polyfill.io script from your website as soon as you can — along with ones from Bootcss.com, Bootcdn.net and Staticfile.org.
Consider dropping polyfills altogether. The original Polyfill.io developer recommends doing just that, saying polyfills are no longer needed by current browsers.

The Polyfill.io developer recommends removing Polyfill.io and dropping polyfills altogether as these are no longer relevant. Source

If you can’t follow that advice for some reason, use the alternatives by Cloudflare or Fastly.
All in all, try cutting down on the number of external scripts your website uses. Each one is code you don’t control running in your visitors’ browsers, and therefore a potential vulnerability.
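To find out whether a page actually loads anything from the services named above, and which other third-party resources are left unpinned, here is a small audit script. It is an added example, not tooling from Sansec, Kaspersky or the Polyfill.io project; the sample HTML is constructed, and the site host name is a parameter you supply so that same-origin resources are not reported.

```python
"""Audit a page's HTML for off-site scripts and stylesheets (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the post; matching includes subdomains such as cdn.polyfill.io.
FLAGGED_HOSTS = {"polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org"}


def host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


class ResourceAudit(HTMLParser):
    """Collect <script src> and <link rel=stylesheet href> that point off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.external = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split() and a.get("href"):
            url = a["href"]
        if not url:
            return
        if url.startswith("//"):              # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname         # None for relative (same-origin) paths
        if host and host.lower() != self.site_host:
            self.external.append({"tag": tag, "url": url, "host": host.lower(),
                                  "sri": bool(a.get("integrity"))})


def audit_html(html, site_host):
    """Return flagged resources, other external resources without SRI, and the total."""
    p = ResourceAudit(site_host)
    p.feed(html)
    p.close()
    flagged = [e for e in p.external if host_matches(e["host"], FLAGGED_HOSTS)]
    unpinned = [e for e in p.external if not e["sri"] and e not in flagged]
    return {"flagged": flagged, "unpinned": unpinned, "external_count": len(p.external)}


SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH" crossorigin="anonymous"></script>
<script src="https://example-analytics.test/tag.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""  # constructed sample page


if __name__ == "__main__":
    result = audit_html(SAMPLE_HTML, "www.example.com")
    for e in result["flagged"]:
        print("REMOVE:", e["url"])
    for e in result["unpinned"]:
        print("no SRI:", e["url"])
```

The SRI column is the useful part for the scripts you keep: an integrity attribute pins the browser to one hash, so a later swap of the file on the CDN fails to load instead of running. It would not have helped with Polyfill.io itself, because the service assembled a different bundle for each User-Agent and no single hash could be pinned, which is one more argument for self-hosting whatever you cannot drop. Point the parser at rendered HTML, not just templates, since tag managers and plugins often inject these tags at runtime.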
