Viruses and Worms

US Congress goes bang, bang, on TikTok sale-or-ban plan

The Register - Anti-Virus - 14 March 2024 - 02:46
Bill proposes to do to China what China already does to the US – make life hard for foreign social networks

The United States House of Representatives on Wednesday passed the Protecting Americans from Foreign Adversary Controlled Applications Act – a law aimed at forcing TikTok's Chinese parent ByteDance to sell the app's US operations or face the prospect of a ban.…

Category: Viruses and Worms

Nissan to let 100,000 Aussies and Kiwis know their data was stolen in cyberattack

The Register - Anti-Virus - 14 March 2024 - 01:32
Akira ransomware crooks brag of swiping thousands of ID documents during break-in

Over the next few weeks, Nissan Oceania will make contact with around 100,000 people in Australia and New Zealand whose data was pilfered in a December 2023 attack on its systems – perhaps by the Akira ransomware gang.…


Poking holes in Google tech bagged bug hunters $10M

The Register - Anti-Virus - 13 March 2024 - 19:00
A $2M drop from previous year. So … things are more secure?

Google awarded $10 million to 632 bug hunters last year through its vulnerability reward programs.…


Cryptocurrency laundryman gets hung out to dry

The Register - Anti-Virus - 13 March 2024 - 17:45
Bitcoin Fog washed hundreds of millions for criminals

The operator of the world's longest-running Bitcoin money laundering service faces a 50-year prison sentence after being found guilty in a US court.…


Microsoft Copilot for Security prepares for April liftoff

The Register - Anti-Virus - 13 March 2024 - 17:00
Automated AI helper intended to make security more manageable

Microsoft Copilot for Security, a subscription AI security service, will be generally available on April 1, 2024, the company announced on Wednesday.…


Stanford University failed to detect ransomware intruders for 4 months

The Register - Anti-Virus - 13 March 2024 - 13:05
27,000 individuals had data stolen, which for some included names and social security numbers

Stanford University says the cybersecurity incident it dealt with last year was indeed ransomware, which it failed to spot for more than four months.…


What’s in your notepad? Infected text editors target Chinese users

Kaspersky Securelist - 13 March 2024 - 12:29

“Malvertising” is a popular way of attracting victims to malicious sites: an advertisement block is placed at the top of the search results, increasing the likelihood of users clicking the link. Sites at the top of search results also tend to be more trusted by users. A year ago, our experts discussed a malvertising campaign that spread the RedLine stealer via Google Ads. Using typosquatting and other techniques, the attackers tried to make their resources look as similar as possible to the official websites of popular programs.

This time, a similar threat has affected users of one of the most popular search engines on the Chinese internet. We’ve discovered two related cases where modified versions of popular text editors were distributed through this search engine: in the first case, the malicious resource appeared in the advertisement section; in the second case, at the top of the search results. We have not yet been able to establish all the details of the threat, so this material may be updated later.

Malicious sites in search results

The screenshots below show two searches which the search engine responds to with malicious links:

Malicious link in the advertisement section for the search notepad++ (left) and search results for vnote (right)

The malicious site found in the notepad++ search is distributed through an advertisement block. Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line vnote, the title offers a download of Notepad‐‐ (an analog of Notepad++, also distributed as open-source software), while the image proudly shows Notepad++. In fact, the packages downloaded from here contain Notepad‐‐.

Page with fake NotePad++

This site offers installers for three popular platforms (Windows, Linux, macOS); however, there are only two malicious links here, leading to download pages for the macOS and Linux versions. The link to the Windows version leads to the official repository and is not malicious:

Application download links, linked to buttons on the malicious Notepad‐‐ download page

The screenshot shows that the source of the malicious installation packages is the resource vnote-1321786806[.]cos[.]ap-hongkong[.]myqcloud[.]com.

Meanwhile, the second page, found in the vnote search, tries to imitate the official website of the program:

Fake (above) and the original (below) VNote site

Unfortunately, at the time of this investigation, the links to the potentially malicious versions of VNote were no longer functioning; however, they led to the same resource as the Notepad‐‐ links:

Application download links, linked to buttons on the fake VNote site

Text editor with malicious payload

Since we have samples of the fake Notepad‐‐ for Linux and macOS, we can take a closer look at them.

The downloaded applications have several differences from the original versions, and the malicious Linux and macOS versions are similar in functionality. Next, we will examine the macOS version (MD5: 00fb77b83b8ab13461ea9dd27073f54f). It is a disk image in DMG format, whose contents are identical to the original (version 2.0.0), except for the executable file itself, named NotePad‐‐ (MD5: 6ace1e014863eee67ab1d2d17a33d146).

Studying the contents of its main function, we discovered that just before the application is launched, the suspicious class Uplocal is initialized, which is absent in the source code of the original Notepad‐‐:

Modified section of code before application launch

This class implements only one method named run. Its purpose is to download a file to the path /tmp/updater and execute it:

Payload of the run method of the Uplocal class

The file is downloaded from the address hxxp://update[.]transferusee[.]com/onl/mac/<md5_hash>, where <md5_hash> is the MD5 hash of the device’s serial number obtained in the GetComputerUUID function by executing the following bash command:

ioreg -rd1 -c IOPlatformExpertDevice |  awk '/IOPlatformSerialNumber/ { print $3; }'

The Linux version differs slightly:

  1. The file is downloaded from the same address, but is located in the directory /onl/lnx/: hxxp://update[.]transferusee[.]com/onl/lnx/<md5_hash>
  2. <md5_hash> is the MD5 hash of the device’s MAC address:

    Obtaining and hashing the device’s MAC address

Unfortunately, at the time of our investigation, the downloaded file was no longer available on the server, and we couldn’t determine what was supposed to be there.
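As an added defender-side example (not code from the Securelist write-up), the script below turns the host-specific URL scheme just described into a hunt: it pre-computes the /onl/mac/ and /onl/lnx/ paths that each inventoried host would request and matches them against proxy log lines. The inventory, the MAC address formatting, the log format and the log lines are constructed assumptions.

```python
"""
Hunt for the host-specific beacon URLs used by the trojanized Notepad-- builds.

The macOS build requested /onl/mac/<md5(serial number)> and the Linux build
/onl/lnx/<md5(MAC address)>, so a defender who knows each host's serial
number and MAC address can pre-compute the exact path that host would
request and look for it in proxy logs. Hostnames, serials, MACs and log
lines below are constructed for this example.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# C2 host named in the report (written defanged there); re-fanged so it can
# be compared against what a proxy actually logged.
UPDATE_HOST = "update.transferusee.com"

# Constructed inventory: hostname -> (platform, identifier hashed by the malware).
# Assumption: the Linux sample hashes the MAC address as a lowercase,
# colon-separated string; the report does not show the exact formatting.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "mac-design-01": ("mac", "C02XK1ABJGH5"),
    "mac-design-02": ("mac", "C02YL2CDKJH7"),
    "lnx-build-01": ("lnx", "00:1a:2b:3c:4d:5e"),
    "lnx-build-02": ("lnx", "00:1a:2b:3c:4d:5f"),
}


def expected_path(platform: str, identifier: str) -> str:
    """Return the URL path the updater would request for this host."""
    digest = hashlib.md5(identifier.encode("utf-8")).hexdigest()
    return f"/onl/{platform}/{digest}"


def build_lookup(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map every expected path back to the hostname it belongs to."""
    return {expected_path(p, ident): host for host, (p, ident) in inventory.items()}


# Minimal parser for a squid-style access log line: only host and path matter here.
LOG_RE = re.compile(r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)")


def hunt(log_lines: Iterable[str],
         inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, log line) for every request that hits a pre-computed beacon path."""
    lookup = build_lookup(inventory)
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("host") != UPDATE_HOST:
            continue
        host = lookup.get(m.group("path"))
        if host:
            hits.append((host, line.strip()))
    return hits


# Constructed proxy log lines: one infected macOS host, one infected Linux host,
# one unrelated request and one request for a hash that matches no inventoried host.
SAMPLE_LOG = [
    f"1710300000.101 10.0.0.11 GET http://{UPDATE_HOST}{expected_path('mac', 'C02XK1ABJGH5')} 200",
    "1710300001.204 10.0.0.12 GET http://example.org/index.html 200",
    f"1710300002.311 10.0.0.21 GET http://{UPDATE_HOST}{expected_path('lnx', '00:1a:2b:3c:4d:5f')} 404",
    f"1710300003.417 10.0.0.22 GET http://{UPDATE_HOST}/onl/mac/ffffffffffffffffffffffffffffffff 404",
]

if __name__ == "__main__":
    for host, line in hunt(SAMPLE_LOG, INVENTORY):
        print(f"{host}: {line}")
```

A request to the C2 host whose hash matches no inventoried identifier still deserves attention (an unmanaged device, or a formatting assumption that is wrong), so in practice log every hit on UPDATE_HOST and use the lookup only to attribute it.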

However, we know for sure that this server has another subdomain, dns[.]transferusee[.]com, and it is accessed by a Mach-O file named DPysMac64 (MD5: 43447f4c2499b1ad258371adff4f503f), previously uploaded to VT and not detected by any vendor at the time of the investigation:

DPysMac64 file page on VT

Moreover, this file is stored on the same server from which the mysterious updater was supposed to be downloaded:

Loading DPysMac64 from update[.]transferusee[.]com

From this, we can fairly confidently assume that the updater is an intermediate step that should ultimately lead to loading DPysMac64. The server also contains a file called DPysMacM1, the name of which implies that it is built for systems running on Apple Silicon processors; however, in reality, it is the same file as DPysMac64.

The application is a backdoor, very similar to the so-called Geacon – an open-source implementation of the CobaltStrike agent written in Go. Although the attackers removed any direct mention of Geacon from their project, we found a large number of lines, names, and code fragments of functions and modules matching implementations of geacon_plus, geacon_pro, and BeaconTool. For example, they have almost completely identical sysinfo modules, functions FirstBlood, EncryptedMetaInfo, PullCommand, and so on:

Comparison of the list of functions of the sysinfo module of DPysMac64 (left) and an instance of geacon_pro (right)

The backdoor has two launch options – normal and as a service. Communication with the C2 server dns[.]transferusee[.]com is carried out over HTTPS. Interestingly, the attackers named the project that implements remote command execution spacex:

The name of the backdoor module contained in the lines of the DPysMac64 file

The backdoor contains the following list of commands:

Code   Name           Purpose
25     CmdSSH         Creating an SSH connection
27     Spawn          Launching a new agent
32     CmdExit        Shutdown
34     SetSleep       Entering sleep mode
1010   Screenshot     Taking a screenshot
1020   ProcessList    Getting a list of processes
1021   ProcessKill    Terminating a process
1030   PortScan       Scanning ports
1031   Install        Adding itself to the list of services
1032   UnInstall      Removing itself from the list of services
1040   CmdHashdump    Getting the computer name
1044   CmdClipboard   Reading clipboard content
1050   FileBrowse     Getting a list of files in a directory
1051   FileDrives     Getting a list of drives
1052   FileMakeDir    Creating a directory
1056   FileUpload     Uploading a file to the server
1057   FileExecute    Executing a file
1060   FileDownload   Downloading a file from the server

Connection between infected applications

While we cannot be certain about the files previously downloaded from vnote[.]info, we have discovered that the sources distributing applications on both sites are the same. It’s also worth mentioning another interesting detail that we found completely by chance during the examination of the modified NotePad‐‐. In the lines of the executable file, we found text resembling an About window, but instead of a link to the official project website, it contained a link to the suspicious resource vnotepad[.]com. Below is a screenshot of the About window in the program’s user interface:

About window of modified Notepad‐‐

The link in the About window led us to a stub page:

We found it strange, so we tried to switch from HTTP to HTTPS, which revealed that this site is another copy of the VNote site, similar to the one we saw on vnote[.]info. Furthermore, when opening this site, the browser warned us that the certificate it was using was invalid because it had been issued for vnote[.]info:

Certificate used by the site vnotepad[.]com

This indicates a definite connection between the two cases described, as well as the high probability that the purpose of the modified VNote editors is similar to that of NotePad‐‐, and involves delivering the next stage of infection.

Conclusion

We’re continuing to study the threat described above and are searching for intermediate stages that have not yet been discovered. In addition, we’ve established that the changes in the Linux and macOS applications are identical, suggesting the possibility of a backdoor for Linux that is similar to the one we found for macOS.

Indicators of compromise

Files:

MD5                               File type      File name
43447f4c2499b1ad258371adff4f503f  Mach-O 64-bit  DPysMac64
00fb77b83b8ab13461ea9dd27073f54f  DMG            Notepad‐‐v2.0.0-mac_x64_12.3.dmg
5ece6281d57f16d6ae773a16f83568db  AppImage       Notepad‐‐-x86_64.AppImage
6ace1e014863eee67ab1d2d17a33d146  Mach-O 64-bit  NotePad‐‐
47c9fec1a949e160937dd9f9457ec689  ELF 64-bit     NotePad‐‐

Links:

dns[.]transferusee[.]com
update[.]transferusee[.]com/onl/mac/
update[.]transferusee[.]com/onl/lnx/
update[.]transferusee[.]com/DPysMac64
update[.]transferusee[.]com/DPysMacM1
vnote[.]info
vnote[.]fuwenkeji[.]cn
vnotepad[.]com
vnote-1321786806[.]cos[.]ap-hongkong[.]myqcloud[.]com

Reducing the cloud security overhead

The Register - Anti-Virus - 13 March 2024 - 09:51
Why creating a layered defensive strategy that includes security by design can help address cloud challenges

Sponsored Feature  The world is filled with choices. Whether it's the 20 different types of shampoo on offer at the grocery store, or the dozens of Linux distros you can try for free, you can have it all.…


Whizkids jimmy OpenAI, Google's closed models

The Register - Anti-Virus - 13 March 2024 - 09:34
Infosec folk aren’t thrilled that if you poke APIs enough, you learn AI's secrets

Boffins have managed to pry open closed AI services from OpenAI and Google with an attack that recovers an otherwise hidden portion of transformer models.…


The State of Stalkerware in 2023–2024

Kaspersky Securelist - 13 March 2024 - 09:00

The State of Stalkerware in 2023 (PDF)

The annual Kaspersky State of Stalkerware report aims to contribute to awareness and a better understanding of how people around the world are impacted by digital stalking. Stalkerware is commercially available software that can be discreetly installed on smartphone devices, enabling a perpetrator to monitor an individual’s private life without their knowledge. Stalkerware requires physical access to be installed, but our report also looks at a range of remote technology that can be used for nefarious purposes.

Once installed, stalkerware makes it possible to access the smartphone from anywhere. Not only can the intruder violate their victim’s privacy by monitoring their activities, but they can also use the software to access huge volumes of personal data. Depending on the software they use, they can monitor anything from device location to text messages, social media chats, photos, browser history and more. Since stalkerware works in the background unseen, most victims are completely unaware that their every step and action is being monitored.

In most countries around the world, use of stalkerware is currently not prohibited, but installing a surveillance application on another person’s smartphone without their consent is illegal and punishable. However, it is the perpetrator who will be held responsible, not the developer.

Along with other related technologies, stalkerware is one element in tech-enabled abuse and is often used in abusive relationships. As this is a digital aspect of a wider, real-world problem, Kaspersky is working with relevant experts and organizations in the field of domestic violence, ranging from victim support services and perpetrator programs through to research and government agencies, to share knowledge and support with professionals and victims alike.

About stalkerware

Stalkerware products are typically marketed as legitimate anti-theft or parental control apps for smartphones, tablets and computers, but in reality, they are something very different. Installed without the knowledge or consent of the person being tracked, these apps operate stealthily and provide a perpetrator with the means to gain control over a victim’s life. They do not typically appear on the list of installed apps in the phone’s configuration, which makes them hard to spot. Stalkerware capabilities vary depending on the application, and whether they have been paid for or downloaded for free.

Below are some of the most common functions found in stalkerware:

  • Hiding the app icon
  • Reading SMS, MMS and call logs
  • Getting lists of contacts
  • Tracking geolocation
  • Tracking calendar events
  • Reading messages from popular instant messaging services and social networks, such as Facebook, WhatsApp, Signal, Telegram, Viber, Instagram, Skype, Google Chat, Line, Kik, WeChat, Tinder, IMO, Gmail, Tango, SnapChat, Hike, TikTok, Kwai, Badoo, BBM, TextMe, Tumblr, Weico, Reddit and others.
  • Viewing photos and pictures from phones’ image galleries
  • Taking screenshots
  • Taking pictures with the front-facing (selfie) camera

Are Android OS and iOS devices equally affected by stalkerware?

Not unlike malware, stalkerware apps are much less frequent on iPhones than on Android devices due to the proprietary and closed nature of iOS. To install such an app and give it enough permissions to monitor the victim’s activities, the perpetrator needs to “jailbreak” the iPhone, which is not that simple and requires direct physical access to the device. Nevertheless, iPhone users fearing surveillance should always keep a close eye on their device. The abuser may also jailbreak a new iPhone to install stalkerware and then give it to the victim.

The data highlights of 2023
  • In 2023, a total of 31,031 unique users were affected by stalkerware, an increase on 2022 (29,312).
  • The Kaspersky Security Network revealed that stalkerware was most commonly used in Russia, Brazil and India, and continued to be a global issue, with the largest number of affected users found in the following countries:
    • Germany, France and the United Kingdom (Europe)
    • Iran, Turkey and Yemen (Middle East and Africa)
    • India, Indonesia and Philippines (Asia-Pacific)
    • Brazil, Mexico and Colombia (Latin America)
    • United States (North America)
    • Russian Federation, Belarus and Kazakhstan (Eastern Europe excluding European Union countries, Russia and Central Asia)
  • Globally, the most popular stalkerware app was TrackView with 4,049 affected users.
  • Twenty-three percent of people worldwide said they had encountered some form of online stalking from someone they had recently started dating.
The trends of 2023 observed by Kaspersky

Methodology

The data in this report was taken from aggregated threat statistics obtained from the Kaspersky Security Network, which is dedicated to processing cybersecurity-related data streams from millions of anonymous volunteer participants around the world. To calculate the statistics, data from the consumer line of Kaspersky’s mobile security solutions was reviewed according to the Coalition Against Stalkerware detection criteria. This means that the affected number of users were targeted by stalkerware only. Other types of monitoring or spyware apps that fall outside of the Coalition’s definition are not included in the statistics found here.

The statistics reflect unique mobile users affected by stalkerware, which is different from the total number of detections. The number of detections can be higher as stalkerware may have been detected several times on the same device belonging to the same unique user if they decided not to remove the app upon receiving a notification. Support organizations often recommend that victims refrain from removing the stalkerware, so as not to alert the perpetrator.

Finally, the statistics reflect only mobile users of Kaspersky’s security solutions. Some users may have another cybersecurity solution installed on their devices, while others have none.

Global detection figures: affected users

Using global and regional statistics, Kaspersky has been able to compare data collected in 2023 with the previous four years. In 2023, a total of 31,031 unique users were affected by stalkerware, an increase compared to 2022 (29,312 unique users). Diagram 1 below shows how this number varied year to year starting in 2018.

Diagram 1. Affected users by year starting in 2018

Global and regional detection figures: geography of affected users

Stalkerware continued to be a global problem. In 2023, Kaspersky detected affected users in 175 countries.

In 2023, Russia (9,890), Brazil (4,186) and India (2,492) were the top three countries with the most affected users. According to Kaspersky statistics, those three countries had held leading positions since 2019, all with an increase in detected stalkerware infections. Iran entered the top five most affected in the previous year and remains there.

When compared to 2021, there were slight changes to the top 10 affected countries, with most remaining in the same position. While Germany had dropped from seventh to 10th place, Saudi Arabia (ranked eighth in 2022) was not among the most affected countries in 2023.

     Country                     Affected users
 1   Russian Federation          9,890
 2   Brazil                      4,186
 3   India                       2,492
 4   Iran                        1,578
 5   Turkey                      1,063
 6   Indonesia                   871
 7   United States of America    799
 8   Yemen                       624
 9   Mexico                      592
10   Germany                     577

Table 1. TOP 10 countries most affected by stalkerware in 2023

The total number of unique affected European users in 2023 was 2,645, a significant decrease compared to 2022 (3,158). The three most affected countries in Europe were Germany (577), France (332) and the United Kingdom (271). Compared to 2021, the countries listed continued to feature as the most affected in Europe except for Greece, which dropped out of the rankings. Unfortunately, Portugal entered the list ranked tenth.

     Country            Affected users
 1   Germany            577
 2   France             332
 3   United Kingdom     271
 4   Spain              257
 5   Italy              252
 6   Poland             179
 7   Netherlands        177
 8   Switzerland        116
 9   Austria            70
10   Portugal           63

Table 2. TOP 10 countries most affected by stalkerware in Europe in 2023

In Eastern Europe (excluding European Union countries), the Russian Federation and Central Asia, the total number of unique affected users in 2023 was 11,210, an increase on the previous year (9,406). The top three countries were Russia, Kazakhstan and Belarus.

     Country                Affected users
 1   Russian Federation     9,890
 2   Belarus                307
 3   Kazakhstan             270
 4   Ukraine                268
 5   Azerbaijan             243
 6   Uzbekistan             100
 7   Kyrgyzstan             52
 8   Moldova                49
 9   Armenia                43
10   Tajikistan             30

Table 3. TOP 10 countries most affected by stalkerware in Eastern Europe (excluding EU countries), Russia and Central Asia in 2023

Looking at the Middle East and Africa region, the total number of affected users was 6,561, slightly higher than in 2022 (6,330), but there was a minor change in the top three most affected this year. While in 2022, Iran, Turkey and Saudi Arabia were the most affected countries, it was Iran, Turkey and Yemen in 2023.

     Country                  Affected users
 1   Iran                     1,578
 2   Turkey                   1,063
 3   Yemen                    624
 4   Egypt                    569
 5   Saudi Arabia             511
 6   Algeria                  495
 7   Morocco                  215
 8   United Arab Emirates     184
 9   Iraq                     127
10   South Africa             126

Table 4. TOP 10 countries most affected by stalkerware in the Middle East and Africa in 2023

The Asia-Pacific region saw an increase in the use of stalkerware compared to the previous year, with a total of 4,575 affected users, up from 3,187 in 2022. India remained far ahead of other countries in the region, with 2,492 affected users. Indonesia occupied second place with 871 affected users; the Philippines was third with 323 affected users and Australia, fourth.

     Country/territory    Affected users
 1   India                2,492
 2   Indonesia            871
 3   Philippines          323
 4   Australia            168
 5   Vietnam              97
 6   Malaysia             88
 7   Japan                85
 8   Bangladesh           66
 9   Hong Kong            51
10   Sri Lanka            51

Table 5. TOP 10 countries/territories most affected by stalkerware in the Asia-Pacific region in 2023

Brazil dominated the Latin America and the Caribbean region with 4,186 affected users, accounting for approximately 76 percent of the region’s total number of affected users. Brazil was followed by Mexico and Colombia. A total of 5,478 of affected users were recorded in the region, which was a minor decrease compared to 2022 (6,170).

     Country        Affected users
 1   Brazil         4,186
 2   Mexico         592
 3   Colombia       149
 4   Peru           138
 5   Argentina      95
 6   Ecuador        88
 7   Chile          63
 8   Venezuela      19
 9   Bolivia        18
10   Paraguay       17

Table 6. TOP 10 countries most affected by stalkerware in Latin America in 2023

Finally, in North America, 77 percent of all affected users were in the United States. This is to be expected given the relative size of the population when compared to Canada. Across the North American region, 1,049 users were affected in total.

     Country                     Affected users
 1   United States of America    799
 2   Canada                      250

Table 7. Number of users affected by stalkerware in North America in 2023

Global detection figures – stalkerware applications

In 2023, Kaspersky detected 195 different stalkerware apps. The most commonly used stalkerware application to control smartphones around the world was TrackView, which affected 4,049 users.

     Application name    Affected users
 1   TrackView           4,049
 2   Reptilic            3,089
 3   SpyPhone            2,126
 4   MobileTracker       2,099
 5   Cerberus            1,816
 6   Wspy                1,254
 7   Unisafe             981
 8   Mspy                899
 9   MonitorMinor        863
10   KeyLog              852

Table 8. TOP 10 stalkerware applications in 2023

Digital stalking, trust and dating

Stalkerware and digital stalking are related but not mutually exclusive. We have noted a rise in the use of legitimate technology and apps for illegitimate or nefarious purposes to track and monitor partners in recent years. To get further insights into the broader topic of digital stalking, Kaspersky commissioned Arlington Research to conduct 21,000 online interviews to get insights into digital stalking and stalkerware worldwide. The marketing research company questioned 1,000 people in each of the following countries: the UK, Germany, Spain, Serbia, Portugal, The Netherlands, Italy, France, Greece, The USA, Brazil, Argentina, Chile, Peru, Colombia, Mexico, China, Singapore, Russia, India and Malaysia. Respondents were aged 16 years and over and were either in a long-term relationship (62 percent), dating someone (16 percent) or not dating / in a relationship at the time but had been in the past (21 percent). The fieldwork took place from January 3–17, 2024.

Overview on stalking and being stalked

Twenty-three percent of respondents revealed they had encountered some form of online stalking from someone they had recently started dating. When describing their online stalking experiences, 16 percent said they had received unwanted emails or messages, 10 percent acknowledged having had their location tracked, another 10 percent had experienced unauthorized access to their social media accounts or email, and seven percent had had stalkerware surreptitiously installed on their devices. This disconcerting scenario extended globally, with higher occurrences of online stalking reported in parts of South and Central America, and Asia. For instance, 42 percent of respondents in India, 38 percent in Mexico, and 36 percent in Argentina acknowledged having experienced some form of online stalking.

Speaking of technologies the perpetrators used, stalking through a phone app was the most prevalent (20 percent), followed by a laptop app (10 percent) and access via the webcam (10 percent). While a majority of respondents (78 percent) had never faced pressure from a partner to install monitoring apps or use special phone settings, 13 percent reported having had a partner install an app or modify settings (similar to 14 percent in 2021), and 10 percent felt pressured into installing a monitoring app (15 percent in 2021). Meanwhile, 12 percent of respondents admitted to having installed stalkerware or modified settings on a partner’s phone, and nine percent acknowledged having pressured a partner to install monitoring apps.

Awareness of stalkerware varied, with 46 percent having no knowledge, 17 percent being unsure, and only 37 percent feeling confident about knowing what stalkerware was. Among those expressing confidence, less than 10 percent could identify all the surveillance capabilities. Notably, in 2021, the levels of awareness were higher, with 40 percent knowing about stalkerware and 19 percent unsure.

Shifting perspectives on stalking in modern relationships: privacy, consent, and the reality of stalking

Most individuals (54 percent) did not endorse the idea of monitoring a partner without their knowledge, signaling a prevailing disapproval of such actions. However, between 2021 and 2024 this share saw a notable decrease of 16 percentage points, from 70 percent. Interestingly, the share of those endorsing the viewpoint that monitoring was always acceptable also decreased, to eight percent in 2024 from 13 percent in 2021. The nuanced perspective on this matter was evident in the fact that 38 percent in 2024 found secret monitoring acceptable under certain circumstances, a substantial rise from the 17 percent reported in 2021.

When asked about their attitude toward consensual monitoring of a partner’s online activities (where the partner shared information with full knowledge and consent for a purpose such as safety), 45 percent of respondents expressed the belief that it was not acceptable, emphasizing the importance of privacy rights. Meanwhile, 27 percent advocated for full transparency in relationships, deeming consensual monitoring appropriate, and 12 percent found it acceptable only when mutual. Additionally, 12 percent concurred with such monitoring when it concerned physical safety, while four percent reluctantly agreed to it due to a partner’s insistence.

Navigating trust and boundaries: A deep dive into digital privacy issues

Half of the respondents (51 percent) expressed trust in their partners by granting them full access to their phones. Another 19 percent permitted access but with certain apps protected by additional passwords or security measures. One-fifth, while trusting their partners, opted not to provide access to their phones, five percent did not trust their partners enough to grant them access, and four percent chose not to answer. Individuals in ongoing relationships exhibited more hesitancy, with 40 percent agreeing to grant full access compared to 61 percent among those in long-term relationships.

On the flip side, 52 percent of respondents enjoyed full access to their partners’ phones, while an additional 23 percent had access but with specific apps shielded by additional passwords or security measures. Conversely, 18 percent reported not being granted access to their partners’ phones, and seven percent preferred not to disclose that information.

Insights into the complex landscape of information sharing in relationships

While a significant majority (more than 90 percent) of respondents expressed willingness to share or consider sharing passwords for streaming services like Netflix and their photos, a more cautious approach emerged when it came to certain types of sensitive information. Interestingly, respondents exhibited heightened reluctance to share passwords for security devices, with 18 percent firmly stating they would never share access to these. Similarly, payment information was the type of data 21 percent said they would not share. Other information respondents were most reluctant to share with partners included accounts such as iCloud, Amazon and Google (47 percent willing, 29 percent admitting they might consider it, and 24 percent unwilling) and browser history (46 percent willing, 34 percent admitting they might consider it, and 20 percent unwilling).

Combatting stalkerware together

Stalkerware is not just a sort of software you do not want installed on your devices. It indicates a complex problem, which requires action from all sections of society. Kaspersky not only develops technologies to protect users from this threat but also stays in contact with non-profit organizations, industry, research and public agencies around the world to tackle the issue together.

In 2019, Kaspersky was the first-ever cybersecurity company to develop a new attention-grabbing alert that clearly notified users if stalkerware was found on their device. In 2022, as part of Kaspersky’s launch of a new consumer product portfolio, the Privacy Alert was expanded. Apart from informing the user about the presence of stalkerware on the device, it now warns them that, if stalkerware is removed, the person who installed the app will most likely be alerted. Moreover, by deleting the app, the user risks getting rid of important evidence that could be used for prosecution.

In 2019, Kaspersky also co-founded the Coalition Against Stalkerware, an international working group that brings together private IT companies, NGOs, research institutions and law enforcement agencies to stand against cyberstalking and online abuse. Over 40 organizations contribute to the Coalition, and its website is available in seven languages. On this website, a person suspecting that stalkerware is installed on their devices can find help and guidance.

In 2020, Kaspersky developed an open-source tool called TinyCheck, which can detect stalkerware on user devices without alerting the perpetrator. In June 2022, Kaspersky launched a website dedicated to this tool. TinyCheck is available for free and can be used by non-profit organizations and police units to help support victims of digital stalking. It runs on a separate device the perpetrator does not have access to, scans the outgoing traffic of the user's device via a regular Wi-Fi connection, and identifies interactions with known sources related to stalkerware. Because it is device independent, it can check for stalkerware on any platform, including iOS, Android or any other.

From 2021 to 2023, Kaspersky was a consortium partner of the EU project DeStalk, co-funded by the Rights, Equality and Citizenship Program of the European Union. The project trained professionals directly involved in women's support services and perpetrator programs, as well as public authority representatives, on how to combat digital means of gender-based violence, including stalkerware. It also aimed to raise general public awareness of this topic.

As part of DeStalk, Kaspersky developed an e-learning course on cyberviolence and stalkerware within its Kaspersky Automated Security Awareness Platform. Although the project has ended, the e-learning course is still available on its website.

Think you are a victim of stalkerware? Here are a few tips…

Whether you are a victim of stalkerware or not, these tips can help you to better protect yourself:

  • Protect your phone with a strong, unique password and do not share it with anyone, including your partner or other people you trust.
  • Do not share your online account passwords with anyone.
  • Only download apps from official sources, such as Google Play or the Apple App Store.
  • Install a reliable IT security solution like Kaspersky for Android on your devices and scan them regularly. Note: if you suspect that stalkerware may have already been installed on your device, do not install any new security solutions or perform a scan until you have carefully assessed what risks you will face if the app notifies the abuser.
  • Reach out to a local support organization: the Coalition Against Stalkerware website can help you to find one.
  • Keep an eye out for warning signs. These can include a fast-draining battery, high data usage, and newly installed applications with suspicious permissions, such as access to your location, the ability to send or receive text messages, and so on. Also, check whether app installation from unknown sources is enabled on the device – this may indicate that unwanted software has been installed from a third-party source. Note that all these warning signs are circumstantial and do not prove the presence of stalkerware on the device.
  • Do not try to erase the stalkerware, change any settings or tamper with your phone prior to developing a safety plan. The app may alert the perpetrator, which can lead to an escalation and further aggression. Removing stalkerware also means getting rid of important evidence that could be used for prosecution. Instead, take steps to determine what course of action makes the most sense and is the safest in your current situation.

For more information about our activities on stalkerware or any other request, please write to us at: [email protected].

March Patch Tuesday sees Hyper-V join the guest-host escape club

The Register - Anti-Virus - 13 March 2024 - 01:16
Critical bugs galore among 61 Microsoft fixes, 56 from Adobe, a dozen from SAP, and a fistful from Fortinet

Patch Tuesday: Microsoft's monthly patch drop has arrived, delivering a mere 61 CVE-tagged vulnerabilities – none listed as under active attack or already known to the public.…

Category: Viry a Červi

Meta sues ex infra VP for allegedly stealing top-secret datacenter blueprints

The Register - Anti-Virus - 12 March 2024 - 23:39
Exec accused of using own work PC to swipe confidential AI and staffing docs for stealth cloud startup

An ex-Meta veep has been sued by his former bosses for "brazenly disloyal and dishonest conduct" – and by that, they mean he allegedly stole confidential documents to help him build and recruit colleagues for an AI cloud startup. …

Category: Viry a Červi

Biden's budget proposal boosts CISA funding to $3B

The Register - Anti-Virus - 12 March 2024 - 19:30
Plus almost $1.5b for health-care cybersecurity

US President Joe Biden has asked Congress to approve an extra $103 million in funding for the Cybersecurity and Infrastructure Security Agency, bringing CISA's total budget to $3 billion.…

Category: Viry a Červi

JetBrains is still mad at Rapid7 for the ransomware attacks on its customers

The Register - Anti-Virus - 12 March 2024 - 17:30
War of words wages on between vendors divided

Last week, we wrote about how security outfit Rapid7 threw JetBrains, the company behind the popular CI/CD platform TeamCity, under the bus over allegations of silent patching. Now, JetBrains has gone on the offensive.…

Category: Viry a Červi

UK council yanks IT systems and phone lines offline following cyber ambush

The Register - Anti-Virus - 12 March 2024 - 12:45
Targeting recovery this week, officials still trying to 'identify the nature of the incident'

Leicester City Council says IT systems and a number of its critical service phone lines will remain down until later this week at the earliest following a "cyber incident".…

Category: Viry a Červi

Top 10 web application vulnerabilities in 2021–2023

Kaspersky Securelist - 12 March 2024 - 11:00

To help companies navigate the world of web application vulnerabilities and secure their own web applications, the Open Web Application Security Project (OWASP) online community created the OWASP Top Ten. As we followed their rankings, we noticed that the way we ranked major vulnerabilities was different. Being curious, we decided to find out just how big the difference was. That is why we set up our own ranking, reflecting our take on the most widespread and critical web application vulnerabilities as viewed through the prism of eight years' experience.

Profile of participants and applications

We collected the data from a sample of the application security assessment projects our team completed in 2021–2023. Most of the web applications were owned by companies based in Russia, China and the Middle East.

Almost half of the applications (44%) were written in Java, followed by NodeJS (17%) and PHP (12%). More than a third (39%) used the microservice architecture.

Distribution of programming languages used in writing web applications, 2021–2023

We analyzed data obtained through web application assessments that followed the black, gray and white box approaches. Almost every application assessed with gray box was analyzed with black box too, so we combined these two approaches in our statistics. Therefore, a vast majority (83%) of the web application projects used the black and gray box methods.

Discrepancies caused by the differing approaches to analysis

Since the black, gray and white box methods imply different levels of access to the application, the types of vulnerabilities most likely to be found differ as well. We compared vulnerabilities discovered with and without access to the application source code. Four of the five most widespread vulnerabilities matched, but there were differences too.

Black/Gray Box                      White Box
1. Sensitive Data Exposure          1. Broken Access Control
2. Broken Access Control            2. SQL Injection
3. Cross-Site Scripting             3. Sensitive Data Exposure
4. Server-Side Request Forgery      4. Broken Authentication
5. Broken Authentication            5. Cross-Site Scripting

The most widespread vulnerabilities found during black/gray and white box analysis

In addition, the statistics showed that the white box approach allowed finding a greater number of severe vulnerabilities, such as SQL Injection. On average, black/gray box analysis revealed 23 vulnerabilities per application, and white box analysis, 30.

Share of vulnerabilities of different risk levels found per application on average using black/gray box analysis, 2021–2023

Share of vulnerabilities of different risk levels found per application on average using white box analysis, 2021–2023

Even though the white box approach allows finding a greater number of vulnerabilities per application, the black and gray box approaches can be used to look at the application from the malicious actor's perspective and identify the vulnerabilities that must be remediated first.

Top 10 web application vulnerabilities

We analyzed the results of web application assessment projects to identify the most widespread and severe vulnerabilities the digital world had faced during the previous three years.

The rankings are expert opinions based on the number of applications containing a specific vulnerability and the severity of the impact.

Recommendations provided in these rankings are general in nature and based on information security best practices standards and guidelines, such as OWASP and NIST.

#    Kaspersky Top 10                                      OWASP ranking
1    Broken Access Control                                 A01
2    Sensitive Data Exposure                               A02
3    Server-Side Request Forgery (SSRF)                    A10
4    SQL Injection                                         A03
5    Cross Site Scripting (XSS)                            A03
6    Broken Authentication                                 A07
7    Security Misconfiguration                             A05
8    Insufficient Protection from Brute Force Attacks      A07
9    Weak User Password                                    A07
10   Using Components with Known Vulnerabilities           A06

1. Broken Access Control

70% of the web applications we analyzed contained vulnerabilities associated with access control issues.

Distribution of Broken Access Control vulnerabilities by risk level, 2021–2023

Almost half of the Broken Access Control vulnerabilities carried a medium risk level, and 37%, a high risk level. High-risk vulnerabilities can cause errors in applications and affect customers’ business. In one application, inadequate validation of data being submitted let us reach internal services and potentially execute attacks leading to financial loss.

Mitigation: implement authentication and authorization controls according to the role-based access model. Unless the resource is intended to be publicly accessible, deny access by default.
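A deny-by-default authorization check of the kind the mitigation describes, as an added example that is not Kaspersky's code: role grants are explicit, a user may act on their own records only for a fixed set of actions, and anything not listed (unknown roles, unknown actions, another user's record) is refused. Roles, permissions and the Order record are constructed for illustration.

```python
"""Deny-by-default authorization: explicit role grants plus an owner check."""
from dataclasses import dataclass
from typing import Optional

# Constructed role model. A role with no entry, or an action not listed for a
# role, is denied; nothing is allowed implicitly.
ROLE_PERMISSIONS = {
    "customer": set(),                                   # owner-only access
    "support":  {"order:read", "order:refund"},
    "admin":    {"order:read", "order:refund", "order:delete", "user:list"},
}

# Actions a user may perform on a record they own, without a role grant.
OWNER_PERMISSIONS = {"order:read"}


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int


class Forbidden(PermissionError):
    """Raised when no explicit rule grants the requested action."""


def is_allowed(user_id: int, role: str, action: str,
               order: Optional[Order] = None) -> bool:
    """Return True only if an explicit rule grants the action.

    Unknown roles, unknown actions and a missing object all fall through to
    False, which is what "deny by default" means in practice.
    """
    if action in ROLE_PERMISSIONS.get(role, set()):
        return True
    # Object-level check: a customer may read their own order but not
    # someone else's, which is the horizontal access-control case.
    if order is not None and order.owner_id == user_id and action in OWNER_PERMISSIONS:
        return True
    return False


def refund_order(user_id: int, role: str, order: Order) -> str:
    """Business function that always goes through the central check."""
    if not is_allowed(user_id, role, "order:refund", order):
        raise Forbidden(f"user {user_id} ({role}) may not refund order {order.order_id}")
    return f"refund issued for order {order.order_id}"  # constructed result
```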

2. Sensitive Data Exposure

This is another type of vulnerability frequently found in web applications. Compared to Broken Access Control, Sensitive Data Exposure contained a greater share of low-risk vulnerabilities, but high-risk ones were present as well.

Distribution of Sensitive Data Exposure vulnerabilities by risk level, 2021–2023

Among the sensitive data we identified during our analysis were plaintext one-time passwords and credentials, full paths to web application publish directories and other internal information that could be used to understand the application architecture.

Mitigation: do not store files containing sensitive data, such as passwords or backups, in web application publish directories. Avoid disclosing sensitive data when accessing application functions, unless the function itself is used to access sensitive data.

3. Server-Side Request Forgery (SSRF)

The popularity of the cloud and microservice architectures is on the rise. The microservice architecture expands the attack surface for SSRF exploitation due to more services communicating over HTTP (or other lightweight protocols) when compared to the traditional architecture. More than half (57%) of the applications we analyzed contained a vulnerability that let a malicious actor communicate with the internal services after bypassing application logic: Server-Side Request Forgery.

Distribution of SSRF vulnerabilities by risk level, 2021–2023

Specifically, a malicious actor can use SSRF in a chain with other vulnerabilities to develop an attack on the web server or read the application source code.

Mitigation: if possible, create an allowlist of resources that the application can request. Prevent requests to any resources not on that list. Do not accept requests that contain complete URLs. Set firewall filters to prevent access to unauthorized domains.
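The allowlist approach from the mitigation above, written as an added example rather than code from the article: the client supplies a resource name and a relative path, never a complete URL, and the scheme and host come from a fixed table. The resource names and host names are constructed placeholders.

```python
"""Allowlist-based construction and checking of server-side request URLs."""
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed allowlist: logical resource name -> (scheme, host, base path).
ALLOWED_TARGETS = {
    "catalog": ("https", "catalog.internal.example", "/api/v1/"),
    "reports": ("https", "reports.partner.example", "/export/"),
}


class UnsafeRequest(ValueError):
    """Raised when a client-controlled value would leave the allowlist."""


def build_upstream_url(resource: str, subpath: str) -> str:
    """Map a client-chosen resource name and relative path onto a fixed base.

    Only the path and query come from the client; scheme and host are taken
    from ALLOWED_TARGETS, so the request cannot be pointed at another service.
    """
    if resource not in ALLOWED_TARGETS:
        raise UnsafeRequest(f"unknown resource {resource!r}")
    scheme, host, base = ALLOWED_TARGETS[resource]

    # Anything that looks like a complete URL (scheme, authority, absolute
    # path) is rejected outright rather than "cleaned up".
    parts = urlsplit(subpath)
    if parts.scheme or parts.netloc or subpath.startswith(("/", "\\")):
        raise UnsafeRequest("subpath must be a relative path, not a URL")

    # Drop empty and "." segments and refuse ".." so the path cannot climb
    # above the base path of the allowed service.
    segments = [s for s in parts.path.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise UnsafeRequest("path traversal in subpath")

    path = base + "/".join(quote(s, safe="") for s in segments)
    return urlunsplit((scheme, host, path, parts.query, ""))


def is_allowed_url(url: str) -> bool:
    """Second check on a fully built URL, e.g. before following a redirect.

    The whole netloc is compared, so user-info or a port cannot be used to
    smuggle a different host past a hostname-only comparison.
    """
    parts = urlsplit(url)
    allowed = {(s, h) for s, h, _ in ALLOWED_TARGETS.values()}
    return (parts.scheme.lower(), parts.netloc.lower()) in allowed
```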

4. SQL Injection

Most high-risk vulnerabilities in 2021–2023 were associated with SQL Injection. Still, we placed this category fourth as only 43% of the applications we analyzed were vulnerable to it.

Distribution of SQL Injection vulnerabilities by risk level, 2021–2023

Vulnerabilities of this type can lead to theft of sensitive information or remote code execution. During one of the projects, an SQL injection into an application that was open to signup by any internet user let us obtain the credentials of an internal system administrator.

Mitigation: use parameterized SQL queries in application source code instead of concatenating user input into a SQL query template. If you cannot use parameterized SQL queries, make sure that no data entered by the user and used in generating SQL queries can modify the query logic.
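Both halves of this mitigation, as an added example that is not the article's code: a lookup that splices input into the query template next to its parameterized form, and a sort column, which cannot be bound as a parameter, constrained to a fixed set of literals. The table and rows are constructed sample data held in an in-memory SQLite database.

```python
"""Parameterized queries, plus an allowlist for the parts SQL cannot bind."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "admin"), (3, "o'neil", "user")],
    )
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """The defect: input becomes part of the statement text, so it can change
    the query logic, and a plain apostrophe (o'neil) breaks the query."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def find_user_safe(con: sqlite3.Connection, name: str) -> list:
    """The value is bound as a parameter: it is data, never statement text."""
    return con.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Column names cannot be bound as parameters. This is the case the fallback
# advice covers: the input is reduced to one of a fixed set of literals.
SORTABLE_COLUMNS = {"id", "name", "role"}


def list_users_sorted(con: sqlite3.Connection, order_by: str, limit: int) -> list:
    """ORDER BY column from an allowlist; LIMIT still bound as a parameter."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column {order_by!r}")
    if not isinstance(limit, int) or not 1 <= limit <= 100:
        raise ValueError("limit out of range")
    sql = f"SELECT id, name FROM users ORDER BY {order_by} LIMIT ?"
    return con.execute(sql, (limit,)).fetchall()
```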

5. Cross-Site Scripting (XSS)

Cross-Site Scripting vulnerabilities were discovered in 61% of the web applications we analyzed. In most cases, the vulnerability carried a medium risk level, therefore we ranked it fifth, even though it was so widespread.

Distribution of XSS vulnerabilities by risk level, 2021–2023

More than half (55%) of all XSS vulnerabilities were associated with applications used by IT companies, followed by the public sector (39%).

An XSS attack against the application's clients can be used to obtain user authentication data such as cookies, for phishing, or to spread malware. In one attack scenario, XSS chained with other vulnerabilities allowed changing a user's password to a known value and thereby obtaining access to the application with that user's privileges.

Mitigation: encode web application user input before output by replacing characters that have special meaning in HTML with their entity equivalents, which the browser does not interpret as markup. This should be done for any data obtained from external sources and displayed in a browser (including HTTP headers, like User-Agent and Referer).

6. Broken Authentication

Although almost half of the vulnerabilities we discovered in this category carried a medium risk level (47%), there were high-risk ones as well, allowing access to the web application on behalf of the customers’ clients.

Distribution of Broken Authentication vulnerabilities by risk level, 2021–2023

For example, a certain application had no JWT (JSON Web Token) signature check, so a malicious actor could modify their own JWT (by specifying another user's ID) and use the resulting token to perform various actions inside that account.

Mitigation: implement proper validation of authentication data used for accessing the application. Verify token and session ID signatures when used. Secrets used for authentication (encryption keys, signatures and so on) should be unique and have a high degree of entropy. Do not store secrets in application code.
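The signature check whose absence is described above, as an added example using only the Python standard library (not Kaspersky's code): an HS256 token is verified with a pinned algorithm, a constant-time comparison and an expiry check, so a token whose user ID was rewritten without the key is rejected. The key and claims are constructed placeholders; a real key comes from configuration, never from source.

```python
"""Fail-closed HS256 JWT verification."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 token: the server side that holds the key."""
    header = _b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    body = _b64url_encode(_json(claims))
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the signature and expiry check out, else None.

    The defect in the article was a server that decoded the payload and
    trusted it without this step.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token must not choose "none" or another alg.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak the signature.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if not isinstance(claims, dict):
            return None
        current = time.time() if now is None else now
        if "exp" in claims and current >= float(claims["exp"]):
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    return claims


def with_modified_claim(token: str, name: str, value) -> str:
    """Rewrite one claim but keep the original signature (what a client
    without the key can do); verify_jwt must reject the result."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims[name] = value
    return f"{header_b64}.{_b64url_encode(_json(claims))}.{sig_b64}"
```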

7. Security Misconfiguration

A little less than half of the applications we analyzed contained a Security Misconfiguration vulnerability. This category covers a spectrum of vulnerabilities from enabled debug mode to disabled authentication.

Distribution of Security Misconfiguration vulnerabilities by risk level, 2021–2023

The Nginx server of one application we analyzed allowed access to files in a parent directory (relative to the directory specified in the Alias directive). This could be used for gaining access to files that contained confidential data.

Mitigation: follow security best practices when configuring systems used in your IT infrastructure. Automate the setup process to eliminate errors when setting up new systems. Use different credentials for test and production systems. Disable unused components.

8. Insufficient Protection from Brute-Force Attacks

Over a third of the applications we analyzed allowed brute force attacks. One-Time Passwords and authentication against various resources, such as accounts or file systems, were some of the mechanisms we found to be vulnerable.

Distribution of Insufficient Protection from Brute Force Attacks vulnerabilities by risk level, 2021–2023

Specifically, a poor OTP implementation can allow an attacker to brute-force an OTP, bypassing this authentication factor and making unauthorized access to the application easier as a result.

Mitigation: use CAPTCHA to make it harder for the attacker to brute-force credentials. You can also use prevention controls (WAF, IPS) to promptly block brute-forcing attempts, both in the case of multiple failed sign-ins to the same account and of multiple failed sign-ins to different accounts that originate from the same source.
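The two blocking conditions named in the mitigation, plus a bounded OTP check for the weak-OTP case above, as an added example that is not the article's code: failures are counted per account and per source in a sliding window, and a one-time password expires after a few wrong guesses or a short time regardless of the network-level throttle. Thresholds, windows and the in-memory counters are constructed illustrations; a real deployment would persist the counters in a shared store.

```python
"""Sliding-window failure throttling by account and by source, and a bounded OTP."""
from collections import defaultdict, deque
import hmac


class AttemptThrottle:
    """Blocks when failures for one account OR from one source exceed a limit
    inside a sliding window. The per-source limit catches one password tried
    against many accounts, which a per-account limit alone never sees."""

    def __init__(self, per_account: int = 5, per_source: int = 20,
                 window_seconds: float = 300):
        self.per_account = per_account
        self.per_source = per_source
        self.window = window_seconds
        self._by_account = defaultdict(deque)   # account -> failure timestamps
        self._by_source = defaultdict(deque)    # source  -> failure timestamps

    def _count(self, log: deque, now: float) -> int:
        while log and now - log[0] > self.window:
            log.popleft()                      # drop failures outside the window
        return len(log)

    def is_blocked(self, account: str, source: str, now: float) -> bool:
        return (self._count(self._by_account[account], now) >= self.per_account
                or self._count(self._by_source[source], now) >= self.per_source)

    def record_failure(self, account: str, source: str, now: float) -> None:
        self._by_account[account].append(now)
        self._by_source[source].append(now)


class OtpVerifier:
    """A 6-digit OTP has only a million values, so it must stop being
    accepted after a few wrong guesses and after a short time."""

    def __init__(self, code: str, issued_at: float,
                 ttl_seconds: float = 120, max_attempts: int = 3):
        self._code = code
        self._issued = issued_at
        self._ttl = ttl_seconds
        self._left = max_attempts

    def check(self, guess: str, now: float) -> bool:
        if self._left <= 0 or now - self._issued > self._ttl:
            return False
        self._left -= 1
        ok = hmac.compare_digest(self._code, guess)
        if ok:
            self._left = 0                     # single use
        return ok


def attempt_login(throttle: AttemptThrottle, account: str, source: str,
                  password_ok: bool, now: float) -> str:
    """Outcome a login endpoint would act on; the labels are constructed."""
    if throttle.is_blocked(account, source, now):
        return "blocked"    # where a CAPTCHA challenge or WAF block would apply
    if password_ok:
        return "ok"
    throttle.record_failure(account, source, now)
    return "failed"
```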

9. Weak User Password

Weak passwords were set for 22% of the web applications we analyzed.

One explanation for the relatively low percentage of vulnerabilities in this category is the fact that security analysts often get to work with customer test benches rather than live systems.

Distribution of Weak User Password vulnerabilities by risk level, 2021–2023

Although the number of applications containing this type of vulnerability is small, the consequences of exploiting weak credentials can be significant. Depending on the account type, an attacker can get access to basic application features or to administrative scenarios, which can impact business processes.

Mitigation: implement weak password checks, for example, by running new or changed passwords against a list of the 10,000 weakest passwords. Enforce password length, complexity and expiration requirements, along with other modern evidence-based password policies.

10. Using Components with Known Vulnerabilities

The last but not least widespread category is Using Components with Known Vulnerabilities.

Distribution of vulnerabilities caused by using components with known vulnerabilities by risk level, 2021–2023

Among the vulnerable components were frameworks and various application dependencies, such as libraries and modules. Some of these allowed us to get access to servers used by the applications, and thus, penetrate the customers’ internal networks.

Mitigation: take regular inventories of software components you use, and update as required. Use only trusted components that have successfully passed security tests. Disable any unused components.

Conclusions

Remediating the most widespread web application vulnerabilities described in this study will help you to protect your confidential data and avoid compromise of web applications and related systems. For improved security of web applications and timely detection of attacks, we recommend you do the following:

  • Follow the Secure Software Development Lifecycle (SSDLC).
  • Run regular application security assessments.
  • Use logging and monitoring to track application activity.

For our part, we can offer help discovering vulnerabilities not just in web applications, but also in ATMs, IT infrastructure and ICSs. Through awareness of vulnerabilities and associated threats, you can better protect your information assets.

P.S. If you want to discover vulnerabilities and help develop protection, and this article seemed simplistic to you, you are welcome to interview with us.

French government sites disrupted by très grande DDoS

The Register - Anti-Virus - 12 March 2024 - 07:26
Russia and Sudan top the list of suspects

Several French government websites have been disrupted by a severe distributed denial of service attack.…

Category: Viry a Červi

White House and lawmakers increase pressure on UnitedHealth to ease providers' pain

The Register - Anti-Virus - 12 March 2024 - 01:02
US senator calls cyber attack 'inexcusable,' calls for mandatory security rules

The Biden administration and US lawmakers are turning up the pressure on UnitedHealth group to ease medical providers' pain after the ransomware attack on Change Healthcare, by expediting payments to hospitals, physicians and pharmacists – among other tactics.…

Category: Viry a Červi

Kremlin accuses America of plotting cyberattack on Russian voting systems

The Register - Anti-Virus - 11 March 2024 - 22:58
Don't worry, we have a strong suspicion Putin's still gonna win

The Kremlin has accused the United States of meddling in Russia's upcoming presidential election, and even accused Uncle Sam of planning a cyberattack on the country's online voting system.…

Category: Viry a Červi

British Library pushes the cloud button, says legacy IT estate cause of hefty rebuild

The Register - Anti-Virus - 11 March 2024 - 14:30
Five months in and the mammoth post-ransomware recovery has barely begun

The British Library says legacy IT is the overwhelming factor delaying efforts to recover from the Rhysida ransomware attack in late 2023.…

Category: Viry a Červi