Kaspersky Team – Kaspersky official blog https://www.kaspersky.com/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware. Wed, 07 Feb 2024 12:26:39 +0000

What kind of education does a cybersecurity specialist need? | Kaspersky official blog https://www.kaspersky.com/blog/formal-education-cybersecurity/50512/ Wed, 07 Feb 2024 11:42:27 +0000 https://www.kaspersky.com/blog/?p=50512

The labor market has long experienced a shortage of cybersecurity experts. Often, companies in need of information-security specialists can’t find any – at least, those with specialized formal education and the necessary experience. In order to understand how important it is for a company to have specialists with a formal education in this area, and how well such education meets modern needs, our colleagues conducted a study in which they interviewed more than a thousand employees from 29 countries in different regions of the world. Among the respondents were specialists of various levels: from beginners with two years of experience to CIOs and SOC managers with 10. And judging by the respondents’ answers, it looks like classical education isn’t keeping up with InfoSec trends.

First and foremost, the survey showed that not all specialists have a higher education: more than half (53%) of InfoSec workers have no post-graduate education. Of those who do, every second one doubts that their formal education really helps them perform their job duties.

Cybersecurity is a rapidly changing industry. The threat landscape is changing so fast that even a lag of a couple of months can be critical – while it can take four to five years to obtain an academic degree. During this time, attackers can modernize their tactics and methods in such a way that a newly graduated InfoSec “specialist” would have to quickly read all the latest articles about threats and defense methods in the event of an actual attack.

InfoSec specialists with real-life experience argue that educational institutions in any case don’t provide enough practical knowledge – and don’t have access to modern technologies and equipment. Thus, to work in the InfoSec field and fight real cyberthreats, some additional education is required anyway.

All this, of course, doesn’t mean that cybersecurity professionals with higher education are less competent than their colleagues without it. Ultimately, passion and the ability to continually improve are of the utmost importance in professional development. Many respondents noted that they received more theoretical than practical knowledge in traditional educational institutions, but felt that formal education was still useful since, without a solid theoretical basis, absorption of new knowledge would progress more slowly. On the other hand, specialists who don’t have post-graduate education at all, or who came to information security from another IT industry, can also become effective specialists in protecting against cyberthreats. It really does all depend on the individual.

How to improve the labor market situation

In order for the market to attract a sufficient number of information security experts, the situation needs to be balanced on both sides. First, it makes sense for universities to consider partnering with cybersecurity companies. This would allow them to provide students with more practically applicable knowledge. And second, it’s a good idea for companies to periodically increase the expertise of their employees with the help of specialized educational courses.


You can read the part of the report devoted to InfoSec educational problems on the webpage of the first chapter – Educational background of current cybersecurity experts.

Kaspersky Standard wins Product of the Year award from AV-Comparatives | Kaspersky official blog https://www.kaspersky.com/blog/kaspersky-product-of-the-year-2023-av-comparatives/50292/ Tue, 23 Jan 2024 11:12:15 +0000 https://www.kaspersky.com/blog/?p=50292

Great news! The latest generation of our security solutions for home users has received a Product of the Year 2023 award. It’s the result of extensive multi-stage testing conducted by independent European test lab AV-Comparatives over the course of 2023, which examined and evaluated 16 security solutions from popular vendors. Here’s what this victory means, what it consists of, how the testing was done, and what other awards we picked up.

Kaspersky Standard named Product of the Year 2023 by AV-Comparatives

Our Kaspersky Standard security solution was named Product of the Year 2023 after in-depth testing by AV-Comparatives

What does “Product of the Year” actually mean?

The tests were carried out on our basic security solution for home users — Kaspersky Standard — but its outstanding results apply equally to all our endpoint products. The reason is simple: all our solutions use the same detection and protection technologies stack that was thoroughly tested by AV-Comparatives.

Thus, this top award, Product of the Year 2023, applies equally to our more advanced home protection solutions — Kaspersky Plus and Kaspersky Premium — and also our business products, such as Kaspersky Endpoint Security for Business and Kaspersky Small Office Security.

So what does it take to earn the coveted Product of the Year title?

A security solution needs to take part in seven tests throughout the year and consistently achieve the highest Advanced+ score in each of them. These tests examine the quality of protection against common threats and targeted attacks, resistance to false positives, and the impact on overall system performance. This golden triad of metrics forms the basis of a comprehensive evaluation of security solution performance.

That the testing is continuous over the course of a year is important since malware developers hardly sit around twiddling their thumbs — new threats emerge all the time, and existing ones evolve with breathtaking speed. Consequently, security solution developers must keep moving forward at the same pace. That’s why assessing performance at a single point in time is misleading — to get a true picture of a solution’s effectiveness requires extensive and repeated testing all year long. Which is precisely what AV-Comparatives does.

AV-Comparatives examined 16 security solutions from the largest vendors in its tests. Winning such a significant contest clearly demonstrates the highest level of protection provided by our products.

AV-Comparatives 2023 Test Participants

The seven rounds of tests — some of which individually lasted several months — that our protection took part in to eventually win the Product of the Year award were the following:

  1. March 2023: Malware Protection Test spring series
  2. April 2023: Performance Test spring series
  3. February–May 2023: Real-World Protection Test first series
  4. September 2023: Malware Protection Test autumn series
  5. September–October 2023: Advanced Threat Protection Test
  6. October 2023: Performance Test autumn series
  7. July–October 2023: Real-World Protection Test second series

To earn AV-Comparatives’ Product of the Year title, a security solution needs to get the highest score in each stage of testing. And our product rose to the challenge: in each of the tests listed above, Kaspersky Standard scooped the top score — Advanced+.

AV-Comparatives awards received by Kaspersky in 2023 interim tests

The Product of the Year award went to Kaspersky Standard based on top marks in all seven of a series of AV-Comparatives’ tests in 2023

How AV-Comparatives tests security solutions

Now for a closer look at AV-Comparatives’ testing methodology. The different tests evaluate the different capabilities of the security solutions taking part.

Malware Protection Test

AV-Comparatives awards received by Kaspersky in 2023 interim Malware Protection tests

This test examines the solution’s ability to detect prevalent malware. In the first phase of the test, malicious files (AV-Comparatives uses just over 10,000 malware samples) are written to the drive of the test computer, after which they’re scanned by the tested security solution — at first offline, without internet access, and then online. Any malicious files that were missed by the protective solution during static scanning are then run. If the product fails to prevent or reverse all the malware’s actions within a certain time, the threat is considered to have been missed. Based on the number of threats missed, AV-Comparatives assigns a protection score to the solution.

Also during this test, the security solutions are evaluated for false positives. High-quality protection shouldn’t mistakenly flag clean applications or safe activities. After all, if one cries wolf too often, the user will begin to ignore the warnings, and sooner or later malware will strike. Not to mention that false alarms are extremely annoying.

The final score is based on these two metrics. An Advanced+ score means reliable protection with a minimum of false positives.

Real-World Protection Test

AV-Comparatives awards received by Kaspersky in 2023 interim Real-World Protection tests

This test focuses on protection against the most current web-hosted threats at the time of testing. Malware (both malicious files and web exploits) is out there on the internet, and the solutions being tested can deploy their whole arsenals of built-in security technologies to detect the threats. Detection and blocking of a threat with subsequent rollback of all changes can occur at any stage: when opening a dangerous link, when downloading and saving a malicious file, or when the malware is already running. In any of these cases, the solution is marked a success.

As before, both the number of missed threats and also the number of false positives are taken into account for the final score. Advanced+ is awarded to products that minimize both these metrics.

Advanced Threat Protection Test

AV-Comparatives award received by Kaspersky in the 2023 Advanced Threat Protection Test

This test assesses the ability of the solution to withstand targeted attacks. To this end, AV-Comparatives designs and launches 15 attacks to simulate real-world ones, using diverse tools, tactics and techniques, with various initial conditions and along different vectors.

A test for false positives is also carried out. This checks whether the solution blocks any potentially risky, but not necessarily dangerous, activity (such as opening email attachments), which increases the level of protection at the expense of user convenience and productivity.

Performance Test

AV-Comparatives awards received by Kaspersky in 2023 interim Performance tests

Another critical aspect of a security solution’s evaluation is its impact on system performance. Here, the lab engineers emulate a number of typical user scenarios to evaluate how the solution under test affects their run time. The list of scenarios includes:

  • Copying and recopying files
  • Archiving and unpacking files
  • Installing and uninstalling programs
  • Starting and restarting programs
  • Downloading files from the internet
  • Web browsing

Additionally, system-performance drops are measured against the PCMark 10 benchmark.

Based on these measurements, AV-Comparatives calculates the total impact of each solution on system performance (the lower this metric, the better), then applies a statistical model to assign a final score to the products: Advanced+, Advanced, Standard, Tested, Not passed. Naturally, Advanced+ means minimal impact on computer performance.

What other AV-Comparatives awards did Kaspersky pick up in 2023?

Besides Kaspersky Standard being named Product of the Year, our products received several other important awards based on AV-Comparatives’ tests in 2023:

  • Real World Protection 2023 Silver
  • Malware Protection 2023 Silver
  • Advanced Threat Protection Consumer 2023 Silver
  • Best Overall Speed 2023 Bronze
  • Lowest False Positives 2023 Bronze
  • Certified Advanced Threat Protection 2023
  • Strategic Leader 2023 for Endpoint Prevention and Response Test 2023
  • Approved Enterprise Business Security 2023

We have a long-standing commitment to using independent research by recognized test labs to impartially assess the quality of our solutions and address identified weaknesses when upgrading our technologies. For 20 years now, the independent test lab AV-Comparatives has been putting our solutions through their paces, confirming time and again our quality of protection and conferring a multitude of awards.

Throughout the whole two decades, we’ve received the highest Product of the Year award seven times; no other vendor of security solutions has had such a number of victories. And if we add to this all the Outstanding Product and Top Rated awards we’ve also received over the years, it turns out that Kaspersky security solutions have received top recognitions from AV-Comparatives’ experts a full 16 times in 20 years!

Besides this, AV-Comparatives has also awarded us:

  • 57 Gold, Silver, and Bronze awards in a variety of specialized tests
  • Two consecutive Strategic Leader awards in 2022 and 2023, for high results in protection against targeted attacks by the Kaspersky EDR Expert solution
  • Confirmation of 100% anti-tampering protection (Anti-Tampering Test 2023)
  • Confirmation of 100% protection against LSASS attacks (LSASS Credential Dumping Test 2022)
  • Confirmation of top-quality Network Array Storage protection (Test of AV solution for Storage)
  • and numerous other awards

Learn more about the awards we’ve received, and check out our performance dynamics in independent tests from year to year by visiting our TOP 3 Metrics page.

Why you should start the year with a digital cleanup | Kaspersky official blog https://www.kaspersky.com/blog/new-year-resolutions-digital-cleanup/50208/ Thu, 11 Jan 2024 10:33:06 +0000 https://www.kaspersky.com/blog/?p=50208

What’s one of the best ways to kick things off to ensure a positive, fruitful 2024? We suggest doing some spring cleaning (winter cleaning, rather) in your digital world — as this will certainly help you spend this year more productively. We’ve put together a few tips on how to: get rid of stuff you don’t need, turn off distractions and annoyances, and improve your digital hygiene.

1. Delete unnecessary files

Let’s start with the basics: deleting files you no longer need. This stage might seem easy, but it can actually take a while — simply because we all have an awful lot of files. So, it’s important not to get overwhelmed by the task. Try breaking it down into small steps, for example, deleting 10, 20 or 50 files each day — or even several times a day.

The main places to look for junk files are:

  • The desktop. An obvious candidate for where to begin your digital cleanup. Once you’ve cleared your desktop of ancient shortcuts and files, you’ll not only have more storage space, but should also gain a sense of order, which may boost your productivity, lift your spirits, and help you tackle the next steps of your digital cleanup!
  • The “Old Desktop” folder. Most likely, you have such a folder somewhere on your computer’s SSD (or something similar, like “Old Disk Drive” or “Old Computer Files”). And inside it, there’s often another “Old Desktop”, and within that, another, and so on. It may seem daunting, but the time has come to finally deal with this abyss of nested directories.

Get rid of the Old Desktop nested folders

  • The downloads folder. Ancient documents, installation files from long-deleted programs, saved images dating back a decade, and other digital relics — chances are you no longer need them and can simply delete them all. And, don’t forget to clean the downloads folder not only on your computer but also on your smartphone (and on your tablet if you have one).
  • Your smartphone’s photo gallery. If you delete all duplicate photos, screenshots taken for unclear reasons, and videos your pocket decided to take all on its own, you might find you can postpone buying a new smartphone with more memory for another year or two. Special apps come to the rescue here, seeking either exact duplicates or similar files — for example, a series of identical shots, of which you only need to keep one or two. Look for them in app stores using the keyword “duplicate”.
  • Your cloud storage. This is similar to the Old Desktop folder, but in the cloud. Sure, you can pay for extra disk space and accumulate files for a few more years. But might it be better to just get rid of them?
  • Large files and duplicates on your computer. If you need to quickly free up space on your hard drive/SSD, the easiest way is to either delete a few large-sized files or get rid of identical files, thoughtfully scattered across different folders. To automatically search for large files, you can use the Large Files feature on the Performance tab of the Kaspersky app. By specifying the minimum size and search area — the entire computer or selected folders — in a few minutes you’ll receive a complete list of files whose size exceeds the limit. Then, you can choose to delete them either in bulk or individually.

Also on the Performance tab, you can find and remove duplicate files. Used together, these features (available in Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscriptions) might save you from having to buy a new hard drive or SSD.

Once you’ve finished removing unnecessary files, don’t forget to empty the Recycle Bin — or the “Deleted photos” folder, if it’s your smartphone’s photo gallery.
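The two searches this section describes (files above a size threshold in a chosen area, and identical files scattered across folders) can also be run by hand. The script below is an added example written for this post, not the Kaspersky app’s own code; it walks a folder tree, reports files over a minimum size, and finds duplicates by comparing sizes first and hashing only the files that share a size. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from collections import defaultdict


def _regular_files(root):
    """Yield (path, size) for every regular file under root. Symlinks are skipped
    so a link into another folder is never reported as a 'duplicate' of its target."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_size


def find_large_files(root, min_bytes):
    """Files larger than min_bytes, biggest first: a 'minimum size + search area'
    query over one folder tree."""
    hits = [(p, s) for p, s in _regular_files(root) if s > min_bytes]
    return sorted(hits, key=lambda ps: ps[1], reverse=True)


def _sha256(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte files are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_duplicates(root):
    """Group files with identical content. Sizes are compared first (free) and only
    files that share a size are hashed, so most of the tree is never read."""
    by_size = defaultdict(list)
    for path, size in _regular_files(root):
        by_size[size].append(path)
    by_hash = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < 2:
            continue
        for p in paths:
            by_hash[_sha256(p)].append(p)
    return {h: ps for h, ps in by_hash.items() if len(ps) > 1}


def build_demo_tree(root):
    """Constructed sample data: one big file, one small one, a photo duplicated into an
    'Old Desktop' folder, and a same-sized but different file to show size alone is not enough."""
    os.makedirs(os.path.join(root, "Old Desktop"))
    files = {
        "big.iso": b"x" * 4096,
        "small.txt": b"hello, world",
        "photo.jpg": b"\xff\xd8" + b"p" * 598,
        os.path.join("Old Desktop", "photo (1).jpg"): b"\xff\xd8" + b"p" * 598,
        "notes.txt": b"n" * 600,
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)


def demo(min_bytes=1024):
    """Run both scans over the constructed tree and return file names only,
    so the result is stable regardless of where the temp dir lives."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        large = [os.path.basename(p) for p, _ in find_large_files(root, min_bytes)]
        dups = sorted(sorted(os.path.basename(p) for p in group)
                      for group in find_duplicates(root).values())
        return large, dups


if __name__ == "__main__":
    large, dups = demo()
    print("large files:", large)        # ['big.iso']
    print("duplicate groups:", dups)    # [['photo (1).jpg', 'photo.jpg']]
```

Point `find_large_files` and `find_duplicates` at a real folder (such as your Downloads directory) to get the same kind of list the article describes; the script only reports, it never deletes, so the decision to remove stays with you.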

2. Clean up your email and messengers

The next important stage in your digital cleanup is to sort out your email and messaging apps. This will reduce the amount of space your correspondence takes up and, most importantly, improve your experience of using your email and messengers. What to do first?

  • Get rid of unread messages. Those scary numbers in red circles hovering above your messenger app icons can really get on your nerves and prevent you from dealing with new incoming messages on time. This could cause you to overlook something important, get your priorities wrong, miss a deadline or meeting, and so on. Like cleaning up files, sorting through unread emails and messages can take some time. That’s why a steady, systematic approach works best here: try to break the process up into small steps. And aim to always have fewer unread items at the end of each day — sooner or later, you’ll hit zero.
Lots of unread messages aren't good for productivity

Look familiar? Help yourself: try to gradually sort out all your unreads

  • Unsubscribe from unnecessary email newsletters and messenger channels. This step can help you with the previous task, too. Weeding out unneeded information feeds will reduce the number of new unread items, so you can reach that golden zero even faster. You need to be decisive here: instead of simply ignoring another uninteresting message or email, unsubscribe immediately.
  • Delete old messenger chats. Correspondence with a realtor about the apartment you moved out of three years ago, communication with couriers, and other similar priceless messages will some day form the basis of your memoirs. Just kidding, of course: delete all of it without hesitation.
  • Delete emails with large attachments. Is your email provider sending you annoying messages telling you you’re about to run out of storage space? The easiest way to quickly clean up your inbox is to delete old emails with large attachments. Most providers and email programs allow you to find them without much difficulty. It’s easiest with Gmail — to find all emails bigger than 10 megabytes, just enter “size:10000000” in the search bar.
How to find all large emails in Gmail

The easiest way to quickly clean up your inbox: find and delete all large emails

  • Clear out the spam folder. Individual spam emails typically don’t take up much space. But if you haven’t checked your spam folder in a while, you might have accumulated a ton of messages. Deleting them will push you away from your mailbox limit even further.

3. Close old tabs

Now it’s time to deal with the program we all use the most: your browser. Old tabs left open for months, if not years, not only eat through your device’s memory, but also make it difficult to find the relevant information you actually need. Moreover, an abundance of tabs can pose a serious obstacle to updating the browser — which, by the way, is one of the most important digital hygiene procedures there is.

So try to get rid of unnecessary tabs in all the browsers you use — including on your smartphone. There are two approaches here: either act quickly and decisively, ruthlessly closing all tabs without concern for what they contain; or do it gradually and cautiously, closing tabs in batches of 10–20 at a time and checking along the way if there’s anything important among them. You can add the ones you actually need to bookmarks or tab groups.

Too many tabs open in the browser

Close all unnecessary tabs in your browser — it’ll be easier to find important ones

And while we’re still on about the browser, also clear its cache. If you haven’t done this before, you’ll be surprised at how much space it takes up. Also, it’s a good idea to review all the extensions installed in your browser: if you’re not using something, now’s the perfect time to remove it.

4. Cancel unnecessary subscriptions

Almost every online service nowadays offers some type of paid subscription — if not several. And these subscriptions can start to pile up beyond all reasonable limits. How much does it all cost? Who knows?! Seriously, people often have no idea about how much they pay for all their digital subscriptions, typically underestimating the total expenses several times compared to reality.

So not only does canceling unnecessary subscriptions bring immediate financial benefit — but this benefit is probably greater than you imagine. On the other hand, the task isn’t that simple: you need to remember all your subscriptions, gather and organize information about them, sort out what’s what — and only then will you understand what you should unsubscribe from. There also might be family subscriptions, with duplicates on the various devices of your family members.

The good news is that there’s a special app for managing subscriptions: SubsCrab. It can organize information about all your subscriptions, calculate monthly expenses, show you a handy schedule and warn you about payment days in advance, tell you what needs to be done to cancel a particular subscription, and even propose alternative subscription options or promo codes and discounts for renewals.

SubsCrab app for managing paid subscriptions

The SubsCrab app will help sort out paid subscriptions and cancel unnecessary ones

5. Remove unused applications

You probably have apps on your smartphone that you haven’t used in over a year. Or maybe even ones you’ve never opened at all. Not only do they take up your device’s memory, but they can also slowly consume internet traffic and battery power and, most importantly, they clog up your interface and may continue to collect data about your smartphone — and you.

It’s time to finally get rid of them! If you delete at least one unused app a day, within a month or so they’ll all be gone, and order will be restored on your smartphone’s home screen.

However, there is a way to immediately detect all unnecessary apps — both on Windows computers and Android smartphones — with the help of the Unused Apps feature included in Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscriptions. It will show you the apps you rarely use and allow you to delete them all in one fell swoop.

There are some protected Android apps which are impossible to uninstall, even if you don’t need them at all — all due to the whim of the smartphone manufacturer. These may include a proprietary browser or an unused social network client. However, there are special methods to uninstall such apps, which we’ve covered in detail in this comprehensive guide.

6. Turn off unnecessary notifications

One of the main obstacles to digital peace of mind can be the endless stream of notifications flowing from almost every app these days — whether it’s a fitness tracker or a calculator. But, fortunately, we’re not at the mercy of our phones in this case. So go through the list of apps that are allowed to send notifications and thin it out.

Notification settings and Focus mode in Android

There are two possible solutions here. The first one is radical: disable notifications for all apps except the most essential ones — banking apps, work tools, and messengers. The second is moderate: identify apps that blatantly abuse notifications — firing them out for no good reason — and disable these pests.

It’s also helpful to disable notifications in messengers for less important contacts, channels, and chats. Also, take a closer look at the focus mode settings. They’re available in all modern operating systems — such as Android, iOS/iPadOS, Windows and macOS — and allow you to limit the number of notifications and other digital noise for a set period.

Notification settings and Focus mode in iOS

Also, don’t forget that these days it’s not just apps sending notifications; many websites use browser-integrated notification systems for this purpose, too. So make sure to disable all unnecessary notifications there as well. By the way, we have a separate guide on how to stop browsers from bothering you with trivial stuff.

7. Delete unused accounts

Accounts with online services — even the less important ones — always pose a potential risk. If an account gets hacked, it could be used for fraud, laundering stolen goods, attacks on other users, and more — and all in your name. And if a bank card is linked to such an account, there could be damaging consequences.

It’s therefore best not to leave your accounts to fate: if you no longer need a particular account, it’s wise to delete it. This part of the cleanup might be especially challenging: first, you’ll need to recall which accounts you’ve created, then remember your login credentials, and only then can you delete them. But it’s really worth doing!

To avoid getting overwhelmed, try deleting at least one unnecessary account per week. And while we’re at it, I recommend adding all your accounts to a password manager. That way, they’ll all be in one place, their passwords will be securely stored, and you’ll be able to log in with just a few clicks — so the next time you’re cleaning up, it won’t be such a hassle.

Plus, if any of the services you use is compromised, you’ll receive a notification from the password manager and can promptly take action — either by changing the password or by deleting the account.

8. Change unsafe passwords

If you enter your account details into Kaspersky Password Manager, the application shows you any passwords that might be unsafe, either due to data breaches, or because you use these passwords across multiple accounts at once.

Warning about unsafe passwords in Kaspersky Password Manager

Kaspersky Password Manager tells you which passwords are unsafe and need to be changed

The danger of the first scenario — when a password has already been compromised — goes without saying: if malicious actors know your password, the security of the corresponding account is directly threatened.

As for using the same password for different platforms, the risk here is that if one of these services is breached and attackers find out the password, they’ll certainly try to use it to access other accounts — a technique known as credential stuffing. Thus, using the same password everywhere puts you at risk of having multiple accounts hijacked at once — most unpleasant.

Unsafe passwords need to be changed, and the sooner the better. Passwords that have already been compromised should be replaced immediately. When changing passwords that you’re using in multiple places, you can afford to take the process step-by-step, editing a couple of accounts at a time.

By the way, Kaspersky Password Manager helps you create truly secure and unique character combinations using a random password generator (so you don’t have to come up with new complex passwords yourself), and stores them safely in encrypted form — synchronizing passwords across all your devices. The only password you’ll need to remember in this case is the main password for Kaspersky Password Manager: it encrypts the entire password database and isn’t stored anywhere except in your head.
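The two checks this section describes, a password that has already turned up in a breach and a password reused across several accounts, are straightforward to run over a vault export yourself. The script below is an added example written for this post, not Kaspersky Password Manager’s code. It assumes the vault is a list of site/login/password records and that the breach corpus is available as a set of SHA-1 digests (the form such corpora are commonly distributed in); both the vault entries and the breach set here are constructed for the demonstration, and the report never contains a plaintext password.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Breach corpora are usually published as SHA-1 digests rather than plaintext,
    so the vault is compared in that form and the plaintexts stay inside this process."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample vault export (fictitious sites and passwords).
VAULT = [
    {"site": "shop.example", "login": "ann", "password": "Winter2023!"},
    {"site": "forum.example", "login": "ann", "password": "Winter2023!"},
    {"site": "bank.example", "login": "ann", "password": "c7#Pq9vL!sX2mR4t"},
    {"site": "mail.example", "login": "ann", "password": "hunter2"},
]

# Constructed stand-in for a breach corpus, held as SHA-1 digests (assumed format).
BREACHED_SHA1 = {sha1_hex("hunter2"), sha1_hex("password123")}


def find_reused(vault):
    """Sites grouped by password, keeping only groups of two or more.
    Grouping is done on the digest so the result never holds a plaintext."""
    groups = defaultdict(list)
    for entry in vault:
        groups[sha1_hex(entry["password"])].append(entry["site"])
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


def find_breached(vault, breached_sha1):
    """Sites whose password digest appears in the breach set."""
    return sorted(e["site"] for e in vault if sha1_hex(e["password"]) in breached_sha1)


def audit(vault, breached_sha1):
    """Map each affected site to its reasons. Breached passwords are the ones to
    change first; reused ones can be rotated a few accounts at a time."""
    findings = defaultdict(list)
    for sites in find_reused(vault):
        for site in sites:
            findings[site].append("reused")
    for site in find_breached(vault, breached_sha1):
        findings[site].append("breached")
    return dict(findings)


if __name__ == "__main__":
    for site, reasons in sorted(audit(VAULT, BREACHED_SHA1).items()):
        print(f"{site}: {', '.join(reasons)}")
```

In this sample, `bank.example` is the only account that comes back clean: its password is unique and absent from the breach set, which is exactly the state a password manager’s generator is meant to produce for every account.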

And to streamline all these digital cleanup processes, we recommend using Kaspersky Premium, which includes comprehensive protection, productivity enhancement tools, a password manager, and many other features necessary for effective digital housekeeping across all your family’s devices.

Operation Triangulation: talk on 37C3 | Kaspersky official blog https://www.kaspersky.com/blog/triangulation-37c3-talk/50166/ Thu, 28 Dec 2023 16:47:31 +0000 https://www.kaspersky.com/blog/?p=50166

At the 37th Chaos Communication Congress (37C3), being held right now in Hamburg, our experts from the Kaspersky Global Research and Analysis Team (GReAT) Boris Larin, Leonid Bezvershenko and Grigoriy Kucherin gave a talk called “Operation Triangulation: what you get when attack iPhones of researchers”. They described the attack chain in detail and covered all of the vulnerabilities involved in it. Among other things, they presented, for the first time, exploitation details of the CVE-2023-38606 hardware vulnerability.

We won’t repeat all the nuts and bolts of the talk — you can find the technical details in a post on the Securelist blog, or listen to the recording of the talk on the conference’s official website. Here we briefly describe the main points.

Operation Triangulation attack chain

  • As we wrote at the beginning of this summer, the attack started with an invisible iMessage containing a malicious attachment that was processed without the user’s knowledge. The attack required no action from the user at all.
  • Our experts were able to detect the attack by monitoring a corporate Wi-Fi network with our own SIEM system, Kaspersky Unified Monitoring and Analysis Platform (KUMA).
  • The attack employed four zero-day vulnerabilities affecting all iOS devices up to version 16.2: CVE-2023-32434, CVE-2023-32435, CVE-2023-41990 and the aforementioned CVE-2023-38606.
  • The obfuscated Triangulation exploit worked both on modern iPhones and on fairly old models. When attacking newer iPhones, it could also bypass Pointer Authentication Code (PAC).
  • The CVE-2023-32434 vulnerability used by this exploit gave attackers read and write access to the entire physical memory of the device from user level.
  • By exploiting all four vulnerabilities, the malware could gain full control over the device and run any payload it needed; instead, it launched the IMAgent process and used it to remove all traces of the attack from the device. It also launched the Safari process in the background and redirected it to the attackers’ web page hosting an exploit for Safari.
  • This Safari exploit obtained root rights and launched the further stages of the attack (which we already covered in our previous publications).
  • Vulnerability CVE-2023-38606 allowed the built-in memory protection mechanism to be bypassed using undocumented processor registers that the firmware does not use. According to our experts, this hardware function was probably created for debugging or testing purposes and then, for some reason, remained enabled.

The only remaining mystery is how exactly the attackers knew how to use this undocumented feature, and where they found information about it at all.

Digital gifts for Christmas and New Year | Kaspersky official blog https://www.kaspersky.com/blog/christmas-and-new-year-digital-gifts/50098/ Thu, 21 Dec 2023 12:37:12 +0000 https://www.kaspersky.com/blog/?p=50098 The festive season is upon us, and that means it’s time to think about presents again. And not just for close friends and loved ones, but everyone else in your world: coworkers, relatives, and so on. And that means figuring out what to buy for them all, then heading to the stores in the pre-Christmas crush to do battle with fellow shoppers.

Can’t spare the time for this seasonal ritual? Digital gifts could be the solution. This post talks about the benefits of doing so — with tips on the best options.

Six reasons to go digital

Let’s take a look at six good reasons why digital gifts are increasingly popular, and why they could be a great choice for you this Christmas and New Year.

  1. You can give remotely. You won’t have time to see everyone in the flesh, but you still want to give something special and/or useful. Some folks you might not even especially want to see in person, but for whatever reason they still need a present. No problem: you can send them a digital gift even if they live at the South Pole.
  2. No need to wait in line. An obvious advantage of digital gifts is that they are, by definition, sold online. So you don’t have to brave the endless traffic jams and waiting lines with the other pre-holiday masochists. You can sit at home in a comfy armchair, sip hot tea, and order everything in a few clicks.
  3. Always in stock. Sure, you can try to order something physical from an online store, but the closer you are to Christmas and New Year, the more likely it is that all the good stuff has sold out. This isn’t an issue with digital gifts: the supply is endless, so there’s something for everyone.
  4. Instant (and free!) delivery. Another problem with pre-holiday online shopping for physical purchases is delivery. If you don’t sort out gifts in advance, chances are they won’t arrive in time. No such hassle with digital gifts: they get delivered in milliseconds. Beat that, Santa.
  5. Environmentally friendly. Let’s be honest: the Christmas and New Year tradition of gift-giving is not all that great for the environment. Millions of Christmas reindeer sweaters to be worn a couple of times (if at all) — and squillions of pairs of “funny” socks that go straight in the trash — do not help save the planet. Again, no such problem with digital gifts. Even if the gift wasn’t a hit, it’s okay: no need to recycle it.
  6. Can be very last-minute. Christmas is tomorrow (yikes!), and you’ve forgotten to buy someone a present or couldn’t get to the store before closing time? A digital gift will save the day! As mentioned, it’s ready in milliseconds after clicking or tapping that Pay button. So you can buy and give in real time.

Top-5 digital gifts for Christmas and New Year

Now that we’ve established why digital presents are good, let’s talk about what those digital presents can be.

  1. Movies. Blockbusters, documentaries, sporting events, TV shows, educational videos, cartoons, yoga classes — these days just about everyone, young and old, eats a slice of digital video content on a daily basis. So a subscription to an online movie theater or streaming service is an excellent gift that can’t fail to raise a smile.
  2. Music. Digital music is another gift you can’t go wrong with. Sure, you might not know exactly which album or artist to pick, but there’s no need! Just gift a subscription to a digital music service, and the lucky recipient can listen to whatever they want.
  3. Games. Although not everyone would describe themselves as a gamer, that same everyone likely plays games. It’s just that some do it on a souped-up computer brimming with all the bells and whistles, while others opt for a regular laptop, tablet, or smartphone. Therefore, a subscription or gift card to a gaming platform or app store could be just the ticket. By the way, gaming stores often have wishlists where you can see what someone wants to play and make that a gift.
  4. E-books. In the 20th century, it was often said that books make the best gifts. But in the 21st, you can give not just one book but an entire library, with no need to break the bank. So the best gift for an e-bookworm is a subscription to an online library.
  5. Digital life protection. All our devices, and especially the valuable data they hold, need protecting. There are several gift options here: for example, a subscription to a quick and reliable VPN, or to a secure password manager. Or you can give all this (and more) in one with a subscription to our Kaspersky Premium.
Scamming investors through apps from official stores | Kaspersky official blog https://www.kaspersky.com/blog/online-investment-dangerous-apps/50057/ Mon, 18 Dec 2023 13:19:08 +0000 https://www.kaspersky.com/blog/?p=50057 As the popularity of online investing grows, so does the number of related online scams. A few months back, we took a look at some fake investment apps that we’d found in the App Store. After that, we decided to dig a little deeper and see where else such apps are lurking. And our search yielded much more curious results than we expected.

This post is about our most interesting findings: fake “gas” apps in Android store recommendations; “oil investment” apps in the App Store and on Google Play; as well as a series of fake videos in which “Erdogan”, “Musk”, and other famous people promote non-existent investment platforms.

Gas scammers in Android app stores

First of all, let’s outline the scale of the problem. We discovered several hundred scam apps in different languages — more than 300 in total — offering investments in natural resources, “quantum investment algorithms”, and other fancy things that purport to turn a small sum into untold riches.

Such apps can be found crawling all over stores that are pre-installed on phones of various brands: for example, GetApps on Xiaomi smartphones, or Palm Store on Tecno devices.

Hundreds of scam investment apps in GetApps and Palm Store for Android

One of the stores even included a number of scam apps in the list of recommendations shown to the user when they open it, and those apps were even pre-checked — so the store itself encourages the user to install them!

Scam investment apps in Palm Store’s recommended list

Some Android advertising apps were found to contain ads for either “gas” and “quantum” apps, or scam sites offering the same: natural resources, investment algorithms, and other sure-fire ways of earning hundreds of dollars a day without lifting a finger.

Ad for “gas” and “quantum” scam apps for Android

Fake videos: “Musk” and “Erdogan” advertise investment platforms

Besides such apps and sites themselves, we uncovered some massive information campaigns promoting various “investment platforms”.

In particular, these spread fake news about how ordinary users got rich through investments, and each campaign was tailored to the target region in the style of leading local media and featuring the names of famous politicians and businesspeople.

Fake news content about earnings on investment platforms

Also discovered were many (around 800) fake videos, localized for almost all regions of the world and “starring” well-known politicians, actors, businesspeople, and others.

Naturally, the media persons themselves don’t even suspect that their images are being exploited for such purposes. The creators of the videos use real footage of an official nature — interviews with national TV stations, public speeches and the like that are familiar to the regional target audience. In this way, the scammers maximize the number of victims likely to be persuaded by such fakes.

The videos, it must be said, are made quite well. Overlaid on top of the edited video footage are audio tracks that sound very convincing — strongly suggesting the use of audio deepfakes. The audio is also carefully subtitled, so the videos can be watched without sound.

In addition, the scammers use company names similar to ones everyone’s heard of. For instance, a Russian-language video promotes the “Tesla X investment platform”, allegedly created by Elon Musk as a by-product of developing a vehicle autopilot system. The operating principle of this investment algorithm is “like a multicooker: you put in the ingredients and get a ready dinner” (indirect quote).

Scam video with Musk, DiCaprio, and the “Tesla X investment platform”

In another video in Turkish, the main character is… the president of Türkiye, who appears to unveil an “investment platform” promising big bucks. All it takes is to “invest” just 5000 lira (around $170, or €160) in supposed shares of a Turkish state-owned oil-and-gas pipeline company.

“Recep Tayyip Erdoğan” offers a get-rich opportunity by “investing” just 5000 lira

Next up is a video in Spanish. In it, Mexican billionaire Carlos Slim “advises” his fellow citizens to invest in oil through an “investment platform” called Oil Profit.

Carlos Slim appears to promote an “investment” app called Oil Profit

Such videos, created for a host of countries and regions, are myriad, and most give the impression of being endorsed by national or regional heads, who “encourage” investing money in large public and private projects — which, of course, in reality goes straight into the scammers’ pockets.

Citizens of Moldova are promised a juicy rate of return from Moldindconbank, because “payments are guaranteed by the head of the Central Bank!” Citizens of Kazakhstan are advised to “invest” in KazMunayGas, and citizens of Romania — in Romgaz; in both videos, the lead character is the country’s president. Meanwhile, Korean citizens are invited to invest in a fake “national-level investment platform” seemingly from Samsung, and Bulgarian citizens — in a no-less fake scheme from Bulgarian Energy Holding. And the list goes on…

Not by gas alone: “oil” scammers in the App Store and on Google Play

Researching the case of Carlos Slim seemingly promoting investments in oil, we discovered several more apps in the App Store and on Google Play with the name “Oil Profit” in the title (the creators’ own spelling and punctuation are retained):

  • Oil Profit – Trading Insignts [sic]
  • Oil – Profit, Trade, News
  • Oil Profit – News & Help
  • Oil Profit : Ai Technology

Scam Oil Profit apps on Google Play and in the App Store

These “oil” apps work in roughly the same way as their “gas” cousins, only in English — although analysis of the code points to the campaign being aimed at Arab countries, Mexico, France, Italy, and Poland. First, the potential victim is shown videos promising out-of-this-world enrichment. Next, they’re asked to complete a survey in the form of a conversation with a chatbot (“the Oil Profit system’s AI”), after which they’re told to expect a whopping rate of return of $777 per day!

The internal mechanics of the scam Oil Profit app: an enticing video, a survey with the promise of vast riches, and an offer to take a call from a “representative”

This, naturally, is followed by an offer to take another call, this time from a “specialist” who’ll be in touch within one business day. During this call, of course, the victim is persuaded to part with their money under one pretext or another.

How to stay protected

When someone offers you a pile of cash for nothing, it’s a sure sign you’ll end up giving them money rather than the other way round. To guard against scam apps and mobile malware, secure all your devices with comprehensive protection, such as our Kaspersky Premium.

How to hack Android, macOS, iOS, and Linux through a Bluetooth vulnerability | Kaspersky official blog https://www.kaspersky.com/blog/bluetooth-vulnerability-android-ios-macos-linux/50038/ Mon, 11 Dec 2023 13:22:47 +0000 https://www.kaspersky.com/blog/?p=50038 A severe vulnerability has been found in the implementations of the Bluetooth protocol across several popular operating systems: Android, macOS, iOS, iPadOS, and Linux. This bug potentially allows remote hacking of vulnerable devices without any particular action required on the part of the user. Let’s dive into the details.

The Bluetooth vulnerability allows a fake keyboard to be connected

The essence of the problem is that a vulnerable device can be forced to connect to a fake Bluetooth keyboard without requiring user confirmation — bypassing the operating system’s checks responsible for the Bluetooth protocol. The unauthenticated connection feature is specified in the Bluetooth protocol, and issues with certain implementations of the Bluetooth stack in popular operating systems provide attackers with the opportunity to exploit this mechanism.

The attackers can then use this connection to input commands, allowing them to execute any action as if they were the user — without requiring additional authentication such as a password or biometrics (like a fingerprint or face scan). According to the security researcher Marc Newlin who discovered this vulnerability, no special equipment is needed for a successful attack — just a Linux laptop and a standard Bluetooth adapter.

As you might guess, the attack is inherently limited by the Bluetooth interface: an attacker needs to be in close proximity to the victim. This naturally rules out mass exploitation of the vulnerability in question. However, malicious actors exploiting this vulnerability could still be a worry for specific individuals of special interest to those actors.

Which devices and operating systems are vulnerable?

This vulnerability affects a range of operating systems and several classes of devices based on them — albeit with some variations. Depending on the OS used, devices may be more or less vulnerable.

Android

Android devices were the most thoroughly examined for the presence of the aforementioned vulnerability. Marc Newlin tested seven smartphones with different OS versions — Android 4.2.2, Android 6.0.1, Android 10, Android 11, Android 13, and Android 14 — and found that all of them were vulnerable to the Bluetooth hack. Furthermore, concerning Android, all that’s required for this hack is for Bluetooth to be enabled on the device.

The researcher informed Google of the discovered vulnerability in early August. The company has already released patches for Android versions 11 through 14, and sent them to manufacturers of smartphones and tablets based on this OS. These manufacturers now have the task of creating and distributing the necessary security updates to their customers’ devices.

Of course, these patches must be installed as soon as they become available for devices running on Android 11/12/13/14. Until then, to protect against hacking, it’s advisable to keep Bluetooth turned off. For devices running older Android versions, there’ll be no updates — they’ll remain vulnerable to this attack indefinitely. Thus, the advice to turn Bluetooth off will remain relevant for them until the end of their service life.

MacOS, iPadOS, and iOS

As for Apple’s operating systems, the researcher didn’t have such a wide range of test devices. Nonetheless, he was able to confirm that the vulnerability is present in iOS 16.6, as well as in two versions of macOS — Monterey 12.6.7 (x86) and Ventura 13.3.3 (ARM). It’s safe to assume that in fact a wider range of macOS and iOS versions — as well as related systems like iPadOS, tvOS, and watchOS — are vulnerable to the Bluetooth attack.

Another piece of bad news is that the enhanced security mode Apple introduced in 2022, the so-called “Lockdown Mode”, doesn’t protect against attacks exploiting this Bluetooth vulnerability. This applies to both iOS and macOS.

How to disable Bluetooth in iOS and iPadOS

Just in case, we remind you how to properly turn off Bluetooth in iOS and iPadOS: this should be done not through the Control Center but through the Settings app.

Fortunately, a successful attack on Apple’s operating systems requires an additional condition besides having Bluetooth enabled: the device must be paired with an Apple Magic Keyboard.

This means that Bluetooth attacks primarily pose a threat to Macs and iPads used with a wireless keyboard. The likelihood of an iPhone being hacked through this vulnerability appears to be negligible.

The researcher reported the discovered bug to Apple around the same time as Google, but so far there’s been no information from the company regarding security updates, or a detailed list of vulnerable OS versions.

Linux

This attack also works against BlueZ, the official Linux Bluetooth stack. Marc Newlin confirmed the presence of the vulnerability in Ubuntu Linux 18.04, 20.04, 22.04, and 23.10. The bug that made the attack possible was discovered and fixed back in 2020 (CVE-2020-0556). However, that fix was disabled by default in most popular Linux distributions, and was only enabled in ChromeOS (according to Google).

The Linux vulnerability discovered by the researcher was assigned the number CVE-2023-45866, and a CVSS v3 score of 7.1 out of 10, according to Red Hat. For successful exploitation of this vulnerability, only one condition needs to be met: the Linux device must be discoverable and connectable through Bluetooth.

The good news is that a patch for this vulnerability in Linux is already available, and we recommend installing it as soon as possible.
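Two checks a Linux administrator can run against the conditions this post gives for the Linux case (the CVE-2020-0556 fix being switched off by default, and the adapter being discoverable and connectable), as an added example that is not part of the original post or of the BlueZ project. It assumes BlueZ reads the ClassicBondedOnly option from the [General] section of /etc/bluetooth/input.conf (the setting that arrived with the CVE-2020-0556 fix) and that `bluetoothctl show` reports adapter state in "Discoverable: yes/no" lines; the sample adapter output and the sample config in the block are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the original post or from the BlueZ project.
# Assumptions: BlueZ reads ClassicBondedOnly from the [General] section of
# /etc/bluetooth/input.conf (the option that arrived with the CVE-2020-0556
# fix), and `bluetoothctl show` reports adapter state in "Discoverable: yes|no"
# lines. The sample output and sample config below are constructed.

# Print "enforced" if the given input.conf sets ClassicBondedOnly=true in
# [General], otherwise "not-enforced". A missing or commented-out key counts
# as not enforced, which is the permissive default most distributions shipped.
bluez_bonded_only() {
    awk '
        /^[ \t]*#/ { next }                  # comment line
        /^[ \t]*\[/ { sect = $0; next }      # remember the current [Section]
        sect ~ /\[General\]/ && /^[ \t]*ClassicBondedOnly[ \t]*=/ {
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t\r]/, "", val)
            val = tolower(val)
        }
        END {
            if (val == "true") print "enforced"; else print "not-enforced"
        }
    ' "$1"
}

# Given the text of `bluetoothctl show`, print "exposed" if the adapter is
# discoverable (the precondition the post gives for Linux), else "hidden".
bt_adapter_exposure() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Discoverable:[ \t]*yes/ { d = 1 }
        END { if (d) print "exposed"; else print "hidden" }
    '
}

# Constructed sample of `bluetoothctl show` output for the offline demo.
SAMPLE_SHOW='Controller 00:11:22:33:44:55 (public)
    Name: lab-laptop
    Discoverable: yes
    Pairable: yes
    Powered: yes'

# Offline demo against a constructed, permissive config. On a live host:
#   bluez_bonded_only /etc/bluetooth/input.conf
#   bt_adapter_exposure "$(bluetoothctl show)"
bluez_demo() {
    tmp=$(mktemp) || return 1
    printf '[General]\n# ClassicBondedOnly=true\nUserspaceHID=true\n' > "$tmp"
    echo "input.conf: $(bluez_bonded_only "$tmp")"
    echo "adapter:    $(bt_adapter_exposure "$SAMPLE_SHOW")"
    rm -f "$tmp"
}

bluez_demo
```

A host that reports "not-enforced" together with "exposed" meets both conditions the post lists; the fix is to install the distribution's patched BlueZ and, until then, to set ClassicBondedOnly=true and keep the adapter non-discoverable.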

Is macOS as secure as its users think? | Kaspersky official blog https://www.kaspersky.com/blog/macos-users-cyberthreats-2023/50018/ Fri, 08 Dec 2023 13:17:40 +0000 https://www.kaspersky.com/blog/?p=50018 Many Apple users believe the macOS operating system is so secure that no cyberthreats can harm them, so they don’t need to worry about protecting their devices. However, this is far from the case: while there is less malware for macOS, it’s still much more common than Apple device owners would like to think.

In this post, we discuss current threats facing macOS users and how to effectively protect your Mac. To illustrate the fact that viruses for macOS do exist, we’ll look at three recent studies on several malware families that have been published over the past few weeks.

BlueNoroff attacks macOS users and steals cryptocurrency

In late October 2023, our researchers discovered a new macOS Trojan that’s believed to be associated with BlueNoroff, the “commercial wing” of the Lazarus APT group. This subgroup specializes in financial attacks and specifically focuses on two things: firstly, attacks on the SWIFT system — including the notorious heist of the Bangladesh Central Bank — and secondly, stealing cryptocurrencies from organizations and individuals.

The discovered macOS Trojan downloader is distributed within malicious archives. It’s disguised as a PDF document titled “Crypto-assets and their risks for financial stability”, with an icon that mimics a preview of this document.

Cover page of the decoy PDF that the Trojan downloads and shows to the user when the file from the infected archive is launched

Once the user clicks on the Trojan (masquerading as a PDF), a script is executed that actually downloads the corresponding PDF document from the internet and opens it. But, of course, that’s not all that happens. The Trojan’s main task is to download another virus, which gathers information about the infected system, sends it to the C2, and then waits for a command to perform one of two possible actions: self-deletion or saving to a file and executing malicious code sent in response from the server.

Proxy Trojan in pirated software for macOS

In late November 2023, our researchers discovered another malware instance that threatens Mac users — a proxy Trojan, distributed alongside pirated software for macOS. Specifically, this Trojan was added to the PKG files of cracked video editing programs, data recovery tools, network utilities, file converters, and various other software. The full list of infected installers discovered by our experts can be found at the end of the report published on Securelist.

As mentioned earlier, this malware belongs to the category of proxy Trojans — malware that sets up a proxy server on the infected computer, essentially creating a host to redirect internet traffic. Subsequently, cybercriminals can use such infected devices to build a paid network of proxy servers, earning money from those seeking such services.

Alternatively, the Trojan’s owners might directly use the infected computers to carry out criminal activities in the victim’s name — whether it’s attacking websites, companies or other users, or purchasing weapons, drugs or other illegal goods.

Atomic stealer in fake Safari browser updates

Also in November 2023, a new malicious campaign was discovered to spread another Trojan for macOS, known as Atomic and belonging to the category of stealers. This type of malware searches for, extracts, and sends to its creators all kinds of valuable information found on the victim’s computer, particularly data saved in browsers. Logins and passwords, bank card details, crypto wallet keys, and similar sensitive information are of particular value to stealers.

The Atomic Trojan was first discovered and described back in March 2023. What’s new is that now the attackers have started using fake updates for the Safari and Chrome browsers to spread the Atomic Trojan. These updates are downloaded from malicious pages that very convincingly mimic the original Apple and Google websites.

A site with fake Safari browser updates that actually contain the Atomic stealer

Once running on a system, the Atomic Trojan attempts to steal the following information from the victim’s computer:

  • cookies
  • logins, passwords, and bank card details stored in the browser
  • passwords from the macOS password storage system (Keychain)
  • files stored on the hard drive
  • stored data from over 50 popular cryptocurrency extensions

Zero-day vulnerabilities in macOS

Unfortunately, even if you don’t download any suspicious files, you avoid opening attachments from unknown sources, and generally refrain from clicking on anything suspicious, this doesn’t guarantee your security. It’s important to remember that any software always has vulnerabilities that attackers can exploit to infect a device, and which require little or no active user action. And the macOS operating system is no exception to this rule.

Recently, two zero-day vulnerabilities were discovered in the Safari browser — and according to Apple’s announcement, cybercriminals were already exploiting them by the time they were discovered. By simply luring the victim to a malicious webpage, attackers can infect their device without any additional user action, thereby gaining control over the device and the ability to steal data from it. These vulnerabilities are relevant for all devices using the Safari browser, posing a threat to both iOS/iPadOS users and Mac owners.

This is a common scenario: as Apple’s operating systems share many components, vulnerabilities often apply not just to one of the company’s operating systems but to all of them. Thus, it’s a case of Macs being betrayed by the iPhone’s popularity: iOS users are the primary targets, but these vulnerabilities can just as easily be used to attack macOS.

A total of 19 zero-day vulnerabilities were discovered in Apple’s operating systems in 2023 that are known to have been actively exploited by attackers. Of these, 17 affected macOS users — including over a dozen with high-risk status, and one classified as critical.

Zero-day vulnerabilities in iOS and macOS: CVE-2023-42917, CVE-2023-42916, CVE-2023-42824, CVE-2023-41993, CVE-2023-41992, CVE-2023-41991, CVE-2023-41064, CVE-2023-41061, CVE-2023-38606, CVE-2023-37450, CVE-2023-32439, CVE-2023-32435, CVE-2023-32434, CVE-2023-32409, CVE-2023-32373, CVE-2023-28204, CVE-2023-28206, CVE-2023-28205, CVE-2023-23529

Zero-day vulnerabilities in macOS, iOS, and iPadOS discovered in 2023, which were actively exploited by cybercriminals

Other threats and how to protect your Mac

What’s important to remember is that there are numerous cyberthreats that don’t depend on the operating system but that can be no less dangerous than malware. In particular, pay attention to the following threats:

  • Phishing and fake websites. Phishing emails and websites work the same way for both Windows users and Mac owners. Alas, not all fake emails and websites are easily recognizable, so even experienced users often face the risk of having their login credentials stolen.
  • Web threats, including web skimmers. Malware can infect not only the user’s device but also the server it communicates with. For example, attackers often hack poorly protected websites, especially online stores, and install web skimmers on them. These small software modules are designed to intercept and steal bank card data entered by visitors.
  • Malicious browser extensions. These small software modules are installed directly into the browser and operate within it, so they don’t depend on the OS being used. Despite being seemingly harmless, extensions can do a lot: read the content of all visited pages, intercept information entered by the user (passwords, card numbers, keys to crypto wallets), and even replace displayed page content.
  • Traffic interception and man-in-the-middle (MITM) attacks. Most modern websites use encrypted connections (HTTPS), but you can still sometimes come across HTTP sites where data exchange can be intercepted. Cybercriminals use such interception to launch MITM attacks, presenting users with fake or infected pages instead of legitimate ones.

To protect your device, online service accounts and, most importantly, the valuable information they contain, it’s crucial to use comprehensive protection for both Mac computers and iPhones/iPads. Such protection must be able to counteract the entire range of threats — for example solutions like our Kaspersky Premium, whose effectiveness has been confirmed by numerous awards from independent testing laboratories.

Vulnerability in crypto wallets created online in the early 2010s | Kaspersky official blog https://www.kaspersky.com/blog/vulnerability-in-hot-cryptowallets-from-2011-2015/49943/ Wed, 29 Nov 2023 10:00:18 +0000 https://www.kaspersky.com/blog/?p=49943 Researchers have discovered several vulnerabilities in the BitcoinJS library that could leave Bitcoin wallets created online a decade ago prone to hacking. The basic issue is that the private keys for these crypto wallets were generated with far greater predictability than the library developers expected.

Randstorm vulnerabilities and consequences

Let’s start at the beginning. Researchers at Unciphered, a company specializing in crypto wallet access recovery, discovered and described a number of vulnerabilities in the BitcoinJS JavaScript library used by many online cryptocurrency platforms. Among these services are some very popular ones — in particular, Blockchain.info, now known as Blockchain.com. The researchers dubbed this set of vulnerabilities Randstorm.

Although the vulnerabilities in the BitcoinJS library itself were fixed back in 2014, the problem extends to the results of using this library: crypto wallets created with BitcoinJS in the early 2010s may be insecure — in the sense that it’s far easier to find their private keys than the underlying Bitcoin cryptography assumes.

The researchers estimate that several million wallets, totaling around 1.4 million BTC, are potentially at risk due to Randstorm. Among the potentially vulnerable wallets, according to the researchers, 3–5% of them are actually vulnerable to real attacks. Based on the approximate Bitcoin exchange rate of around $36,500 at the time of posting, this implies total loot of $1.5-2.5 billion for attackers who can successfully exploit Randstorm.

The researchers claim that the Randstorm vulnerabilities can indeed be used for real-world attacks on crypto wallets. What’s more, they successfully exploited these vulnerabilities to restore access to several crypto wallets created on Blockchain.info before March 2012. For ethical reasons, they didn’t publish a proof-of-concept of the attack, as this would have directly exposed tens of thousands of crypto wallets to the risk of theft.

The researchers have already contacted the online cryptocurrency services known to have used vulnerable versions of the BitcoinJS library. In turn, these services notified customers who could potentially be affected by Randstorm.

The nature of Randstorm vulnerabilities

Let’s look in more detail at how these vulnerabilities actually work. At the heart of Bitcoin wallet security lies the private key. Like any modern cryptographic system, Bitcoin relies on this key being secret and uncrackable. Again, as in any modern cryptographic system, this involves the use of very long random numbers.

And for the security of any data protected by the private key, it must be as random as can possibly be. If the number used as a key is highly predictable, it makes it easier and quicker for an attacker armed with information about the key-generation procedure to brute-force it.

Bear in mind that generating a truly random number is no stroll in the park. And computers by their very nature are extremely unsuited to the task since they’re too predictable. Therefore, what we usually have are pseudo-random numbers, and to increase the entropy of the generation (cryptographer-speak for the measure of unpredictability) we rely on special functions.

Now back to the BitcoinJS library. To obtain “high-quality” pseudo-random numbers, this library uses another JavaScript library called JSBN (JavaScript Big Number), specifically its SecureRandom function. As its name suggests, this function was designed to generate pseudo-random numbers that qualify for use in cryptography. To increase their entropy, SecureRandom relies on the browser function window.crypto.random.

Therein lies the problem: although the window.crypto.random function existed in the Netscape Navigator 4.x browser family, these browsers were already obsolete by the time web services began actively using the BitcoinJS library. And in the popular browsers of those days — Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari — the window.crypto.random function was simply not implemented.

Unfortunately, the developers of the JSBN library failed to make provision for any kind of check or corresponding error message. As a result, the SecureRandom function passed over the entropy increment step in silence, effectively handing the task of creating private keys to the standard pseudo-random number generator, Math.random.

This is bad in and of itself because Math.random is not cut out for cryptographic purposes. But the situation is made even worse by the fact that the Math.random implementation in the popular browsers of 2011–2015 — in particular Google Chrome — contained bugs that produced numbers even less random than they should have been.

In turn, the BitcoinJS library inherited all the above-mentioned issues from JSBN. As a result, platforms that used it to generate private keys for crypto wallets got far less random numbers from the SecureRandom function than the library developers expected. And since these keys are generated with great predictability, they’re much easier to brute-force — allowing vulnerable crypto wallets to be hijacked.

As mentioned above, this isn’t a theoretical danger, but rather a practical one — the Unciphered team was able to exploit these vulnerabilities to restore access to (in other words, ethically hack) several old crypto wallets created on Blockchain.info.

Randstorm: who’s at risk?

BitcoinJS utilized the vulnerable JSBN library right from its introduction in 2011 through 2014. Note, however, that some cryptocurrency projects may have kept using an outdated version of the library for some time after that. As for the bugs afflicting Math.random in popular browsers, by 2016 they’d been fixed by changing the algorithms for generating pseudo-random numbers. Together, this gives an approximate time frame of 2011–2015 for when the potentially vulnerable crypto wallets were created.

The researchers emphasize that BitcoinJS was very popular back in the early 2010s, so it’s difficult to compile a full list of services that could have used a vulnerable version of it. Their report gives a list of platforms they were able to identify as at risk:

  • BitAddress — still operational.
  • BitCore (BitPay) — still operational.
  • Bitgo — still operational.
  • Blockchain.info — still operational as Blockchain.com.
  • Blocktrail — redirects to https://btc.com or https://blockchair.com.
  • BrainWallet — dead.
  • CoinKite — now sells hardware wallets.
  • CoinPunk — dead.
  • Dark Wallet — redirects to https://crypto-engine.org.
  • DecentralBank — dead.
  • info (Block.io) — still operational.
  • EI8HT — dead.
  • GreenAddress — redirects to https://blockstream.com/green/.
  • QuickCon — dead.
  • Robocoin — dead.
  • Skyhook ATM — redirects to https://yuan-pay-group.net.

Besides Bitcoin wallets, Litecoin, Zcash, and Dogecoin wallets may also be at risk, since there are BitcoinJS-based libraries for these cryptocurrencies, too. It seems natural to assume that these libraries could be used to generate private keys for the respective crypto wallets.

The Unciphered report describes a host of other intricacies associated with Randstorm. But what it all basically boils down to is that wallets created between 2011 and 2015 using the vulnerable library may be vulnerable to varying degrees — depending on the particular circumstances.

How to protect against Randstorm

As the researchers themselves rightly state, this isn’t a case where fixing the vulnerability in the software would suffice: “patching” wallet owners’ private keys and replacing them with secure ones just isn’t doable. So, despite the fact that the bugs have long been fixed, they continue to affect the crypto wallets that were created when the above-discussed errors plagued the BitcoinJS library. This means that vulnerable wallet owners themselves need to take protective measures.

Because the task of drawing up a complete list of cryptocurrency platforms that used the vulnerable library is difficult, it’s better to play it safe and consider any crypto wallet created online between 2011 and 2015 to be potentially insecure (unless you know for sure that it’s not). And naturally, the fatter the wallet — the more tempting it is to criminals.

The obvious (and only) solution to the problem is to create new crypto wallets and move all funds from potentially vulnerable wallets to them.

And since you have to do this anyway, it makes sense to proceed with the utmost caution this time. Crypto protection is a multi-step process, for which reason we’ve put together a comprehensive checklist for you with loads of additional information accessible through links:

  1. Explore the main crypto threats and protection methods in detail.
  2. Understand the differences between hot and cold crypto wallets, and the most common ways they are attacked.
  3. Use a hardware (cold) wallet for long-term storage of core crypto assets, and a hot wallet with minimal funds for day-to-day transactions.
  4. Before transferring all funds from the old wallet to the new one, equip all your devices with reliable protection. It will guard your smartphone or computer against Trojans looking to steal passwords and private keys or clippers that substitute crypto wallet addresses in the clipboard, as well as protect your computer from malicious crypto miners and unauthorized remote access.
  5. Never store a photo or screenshot of your seed phrase on your smartphone, never post your seed phrase in public clouds, never send it through messengers or email, and don’t enter it anywhere except when recovering a lost private key.
  6. Securely store your private key and the seed phrase for its recovery. This can be done using the Identity Protection Wallet in Kaspersky Premium, which encrypts all stored data using AES-256. The password for it is stored nowhere except in your head (unless, of course, it’s on a sticky note attached to your monitor) and is unrecoverable — so the only one with access to your personal documents is you.
  7. Another option is to use a cold crypto wallet that doesn’t require a seed phrase to back up the private key. This is how, for example, the Tangem hardware wallet works.
WhatsApp spyware modifications in Telegram | Kaspersky official blog
https://www.kaspersky.com/blog/whatsapp-mods-canesspy/49656/ Thu, 16 Nov 2023 13:47:20 +0000

Over the past decade, messaging apps such as WhatsApp and Telegram have become an integral part of life for almost every internet user. Billions of people use them to chat with loved ones, share funny pictures and videos with friends, communicate with coworkers, catch up on the news, and so on. Just try to imagine modern life without messengers. Hard, isn’t it? Unfortunately, these indispensable apps sometimes contain hidden threats.

WhatsApp and Telegram mods: the whats and whys

Some people think that the official WhatsApp and Telegram apps lack functionality — be that additional options to customize the interface or something more specific; for example, the ability to hide chats, automatically translate messages, or view messages deleted by chat partners. And the list of “missing” features is a very long one.

Third-party developers create modifications, or mods, of the standard WhatsApp and Telegram apps to satisfy even the most peculiar user needs, and there are a great many such mods.

The problem with installing any of them is that the user must entrust their correspondence not only to the original messenger developers but also to the mod developers, who can easily hide malicious modules in them; mod distributors can also add something of their own.

In the case of WhatsApp, the situation with mods is further complicated by its owners. They don’t approve of modifications and so hinder their distribution. From time to time, WhatsApp’s owners try to prohibit folks from using mods — albeit unsuccessfully thus far. Meanwhile they have had some success in barring alternative clients for WhatsApp from the official stores like Google Play and App Store.

As a consequence, users of WhatsApp mods are accustomed to downloading them from just about anywhere. APK files are boldly downloaded, settings are switched to allow installation from unknown sources, and mods are then run on phones. And cybercriminals exploit this carelessness by embedding malware in the mods.

Our experts recently found several such infected mods, which we’ll take a look at in this post.

Infected WhatsApp mods on Telegram

The WhatsApp mods that caught our experts’ attention hadn’t previously shown any malicious activity. Now, however, they contain a spy module, which our security solutions detect as Trojan-Spy.AndroidOS.CanesSpy.

After installation on the victim’s smartphone, an infected WhatsApp mod waits for the phone to be turned on or put on charge before launching the spy module. It contacts one of the C2 servers from the respective list and uploads various information about the device to it, such as phone number, IMEI, cellular network code, and so on. What’s more, the spy Trojan sends information about the victim’s contacts and accounts to the server every five minutes, all the while waiting for commands.

Leaving service commands aside, the spy module’s capabilities are essentially reduced to two functions:

  • Search the device and send its operators files contained in the smartphone’s memory (to be precise, in its non-system part, or “external storage” in Android terminology)
  • Record sound from the built-in microphone and, as before, send the recordings to C2

As for how the spyware was distributed, infected WhatsApp modifications were found in several Arab and Azerbaijani Telegram channels under the names of popular mods: GBWhatsApp, WhatsApp Plus, and AZE PLUS — a WhatsApp Plus version with the interface translated into Azerbaijani.

[Image: Infected WhatsApp mods in Telegram channels. Caption: WhatsApp mods infected with spyware were distributed mostly in Azerbaijani and Arabic Telegram channels]

In addition, our experts discovered APK files infected with the spy module on WhatsApp mod download websites.

In October, our security solutions detected and prevented more than 340,000 attacks by this spyware in more than 100 countries. Note that we’re talking about attacks intercepted by our solutions. The total number (accounting for phones on which our solutions aren’t installed) is likely much higher.

Although the geographic spread of the threat is extensive, the largest number of infection attempts — by a wide margin — was registered in Azerbaijan, followed by several Arab countries: Yemen, Saudi Arabia, and Egypt; as well as Turkey.

[Image: Geography of infection attempts by Trojan-Spy.AndroidOS.CanesSpy. Caption: Top-20 countries where WhatsApp spy mods were distributed]

How to protect yourself against messenger spyware

This isn’t the first case in 2023 of malicious modules being found in modified messenger apps. A few months ago we wrote about a string of infected mods for Telegram, WhatsApp, and even the secure messenger Signal. So there’s every reason to remain vigilant:

  • Use only the official WhatsApp and Telegram apps. As we’ve seen, messenger mods are prone to malware.
  • Install apps only from official stores: Apple App Store, Google Play, Huawei AppGallery, and the like. These aren’t immune to malware, but still way safer than third-party websites, which often have no security measures in place at all.
  • Before installing any app, first study its page in the store and make sure it’s not fake — bad actors often create clones of popular apps.
  • Read user reviews of the app, paying special attention to negative ones. There you’ll probably find out if it demonstrates suspicious activity.
  • Be sure to install reliable protection on all your devices. This will detect malicious code inside a seemingly harmless app, and warn you in time.
  • Remember that in the free version of our Kaspersky: Antivirus & VPN app, you have to run the scan manually.
  • If you use the premium version of our protection for Android — which comes included in the Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscriptions — you can sit back and relax: scanning for threats takes place automatically.