Archive for Kaspersky

Kaspersky Researchers Discover A New “Fileless” Malware Campaign

Posted in Commentary on May 10, 2022 by itnerd

Researchers at Kaspersky have found a malicious campaign that used Windows event logs to store malware, a new technique for attacks in the wild. This method lets threat actors plant fileless malware in the file system, keeping the attack activity as stealthy as possible:

The initial infection of the system was carried out through the dropper module from an archive downloaded by the victim. The attacker used a variety of unparalleled anti-detection wrappers to keep the last stage Trojans even less visible. To further avoid detection, some modules were signed with a digital certificate.

The attackers employed two types of Trojans for the last stage. These were used to gain further access to the system; commands from control servers are delivered in two ways: over HTTP network communications and engaging the named pipes. Some Trojan versions managed to use a command system containing dozens of commands from C2.

The campaign also included commercial pentesting tools, namely SilentBreak and CobaltStrike. It combined well-known techniques with customized decryptors and the first observed use of Windows event logs for hiding shellcodes onto the system.

Saryu Nayyar, CEO and Founder of Gurucul, had this comment:

“Emerging techniques such as these continue to highlight the importance of incorporating behavioral-based analytics, which constantly monitor users, endpoints and other security solutions in the enterprise, to further augment anomaly detection and investigation capabilities.”

“Detection evasion is the name of the game these days, so identifying and alerting on anomalous behavior during early stages of an attack is critical for any effective security program.”

This is truly next level stuff from these threat actors. Which means that your response to these threats has to be next level as well. In the meantime the Kaspersky report does offer some mitigation strategies that are well worth implementing.

Kaspersky Serves Up Details On The BlackCat Ransomware Group

Posted in Commentary on April 7, 2022 by itnerd

Kaspersky may be a company that is under some degree of pressure at the moment. But that hasn’t stopped them from uncovering new threats. Kaspersky threat researchers today published a blog detailing the BlackCat ransomware group and their efforts to target industrial companies. In addition, Kaspersky has found links between the teams of BlackCat, ALPHV, Noberus and BlackMatter. These teams have used a data exfiltration tool called Fendr and ExMatter to target oil, gas, mining, construction and industrial sites.

Just lovely.

Saryu Nayyar, CEO and Founder, Gurucul, had this comment:

“Threat actor groups are now sharing methods and colluding to target organizations, in this case, industrial and critical infrastructure for stealing design information, but also information on controls, presumably to find those systems and cause potential damage or encrypt key files as part of a subsequent ransomware campaign. This shows that attackers are implementing different tactics and techniques, even when using known tools like Fendr for malicious purposes. Current XDR and SIEM solutions, primarily using rule-based ML/AI, will be hard pressed to detect these attacks out of the gate, leaving too many systems widely exposed to threat actors. Organizations must be enabled to ingest more telemetry from even proprietary industrial machines and apply advanced analytics with self-trained machine learning models to stay ahead of ever-changing variants and attack methods that evade defenses and current security operations tools easily. Threat actors partnering in their efforts makes it critical that organizations push the envelope in moving past most vendor claims to evaluate solutions that are best of breed in their capabilities and customizable as IT and security needs evolve.”

There seems to be a never-ending stream of these groups going after the targets of their choice. That means that you need to be on point with your security strategy along with your incident response should it come to that.

Kaspersky Is Under Pressure On Multiple Fronts

Posted in Commentary on March 27, 2022 by itnerd

Russian security company Kaspersky is not having a good time of it since Russia invaded Ukraine. Currently Germany has suggested that German companies dump Kaspersky products. And when that happened, I said this:

These accusations are not new as Kaspersky has been in the crosshairs of various countries because they are a Russian company. But given the current political climate, and the likelihood that this warning will be echoed by the US and other countries, it is safe to say that Kaspersky is in trouble. And I would go further to say that they will not survive this.

Guess what? The US has waded into this as Kaspersky has been added to the Covered List. That means that they are seen to be an unacceptable risk to U.S. national security. Kaspersky services covered by this decision include information security products, solutions, and services supplied by Kaspersky or any linked companies, including subsidiaries or affiliates.

That’s not good. But this is just as bad. HackerOne has announced that it has kicked Kaspersky’s bug bounty program off its platform. HackerOne has posted this in a FAQ regarding sanctions against Russia published last week. And this was confirmed via a Tweet from Kaspersky:

Kaspersky now asks researchers who find vulnerabilities in its products to report them using its self-hosted bug bounty program. I am not sure that I would want to participate in that seeing as they are Russian. But if you do want to participate, you do you.

Kaspersky Is Likely Doomed After The BSI Publishes A Warning To Not Use Their Products

Posted in Commentary on March 15, 2022 by itnerd

Russian anti-virus maker Kaspersky is likely in very deep trouble after Germany’s cyber security agency the BSI came out with a warning (translation here) for Germans not to use Kaspersky’s products:

Antivirus software, including the associated real-time capable cloud services, has extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted and non-verifiable connection to the manufacturer’s servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.

The actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO and the Federal Republic of Germany in the course of the current military conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers.

These accusations are not new as Kaspersky has been in the crosshairs of various countries because they are a Russian company. But given the current political climate, and the likelihood that this warning will be echoed by the US and other countries, it is safe to say that Kaspersky is in trouble. And I would go further to say that they will not survive this.

RIP Kaspersky.

Fake Windows 11 Installers Are Spreading Malware

Posted in Commentary on July 24, 2021 by itnerd

If you want to try out Windows 11, you need to be really careful because according to Kaspersky, there are fake Windows 11 installers out there that are serving up malware:

Microsoft hasn’t yet released Windows 11, but the new operating system is already available for download and preview. Cybercriminals, of course, are exploiting that, slipping malware to users who think they’re downloading Microsoft’s new operating system.

And:

One example involves an executable file called 86307_windows 11 build 21996.1 x64 + activator.exe. With a file size as large as 1.75GB, it certainly looks plausible. In fact, though, the bulk of that space consists of one DLL file that contains a lot of useless information.

Opening the executable starts the installer, which looks like an ordinary Windows installation wizard. Its main purpose is to download and run another, more interesting executable. The second executable is an installer as well, and it even comes with a license agreement (which few people read) calling it a “download manager for 86307_windows 11 build 21996.1 x64 + activator” and noting that it would also install some sponsored software. If you accept the agreement, a variety of malicious programs will be installed on your machine.

Nasty. The article from Kaspersky tells you how to safely download Windows 11 onto a computer that already has Windows 10. But this makes it clear that you have to be careful if you want to try out Microsoft’s newest OS, as clearly cyber criminals are out there to pwn you.

Kaspersky Lab Files Antitrust Complaint Against Apple

Posted in Commentary on March 20, 2019 by itnerd

So… It seems that Kaspersky doesn’t like the fact that Apple gets to dictate how apps should behave on its app store. And as a result of that, they’ve filed an antitrust complaint with the Russian Federal Antimonopoly Service. That I must admit seems really sketchy to me as if it were me, I would have served it up in the US. But given their relationship with the US Government at the moment, I guess that’s possible. But in any case, this is what they are arguing:

Last year, we received a notice from Apple saying that our Kaspersky Safe Kids for iOS app does not meet the requirements of paragraph 2.5.1 of the guidelines for apps hosted in the App Store. Apple had never before had any issues with Kaspersky Safe Kids; the app had been hosted in the App Store, meeting all of the guidelines, for nearly three years.

It turned out that, according to Apple, the use of configuration profiles was against App Store policy, and Apple demanded that these be removed, so that the app could pass the review and be published in the store. For us, that would mean removing two key features from Kaspersky Safe Kids: app control and Safari browser blocking.

Both features are essential. The first allows parents to specify which apps kids cannot run based on the App Store’s age restrictions. The second allows the hiding of all browsers on the device, so kids can open Web pages only in Kaspersky Safe Kids’ built-in secure browser, which protects them from unsafe content.

So, by removing these two features from Kaspersky Safe Kids for iOS, we are massively letting down parents, who expect that their kids will be able to safely use iPhones and iPads that have our app installed. We believe it is essential that all of our customers, whether they are young or old, are completely safe and get exactly what they expect.

And:

From our point of view, Apple appears to be using its position as platform owner and supervisor of the sole channel for delivering apps to users of the platform to dictate terms and prevent other developers from operating on equal terms with it. As a result of the new rules, developers of parental control apps may lose some of their users and experience financial impact. Most important, however, it is the users who will suffer as they miss out on some critical security features. The market for parental control apps will head toward a monopoly and, consequently, stagnation.

It will be interesting to see what, if anything, Apple does to respond to this. I’m going to suggest that they could care less. But who knows? They are currently trading shots with Spotify who are accusing them of something similar. And they seem to care about that enough to take a shot at them. So it is possible that they will do the same thing here.

Stay tuned!

Kaspersky Moving Core Infrastructure To Switzerland To Make Spying Concerns Go Away

Posted in Commentary on May 15, 2018 by itnerd

Kaspersky has been accused of aiding the Russian government in its espionage of other countries and foreign companies. Being that the company makes security software, you can see how this would be seen as a potential threat to many. Whether the claims are true or not, people are not choosing Kaspersky software due to its connection with Russia, and the Russian government does have a trend of getting involved in its companies. Companies with sensitive information are not using the software. Which is why Kaspersky is moving core infrastructure to Switzerland in the hopes that people will trust them again. From Security Week:

It is to maintain or regain trust that is behind Kaspersky’s Global Transparency Initiative, announced in October 2017.

“The new measures,” the firm announced, “comprise the move of data storage and processing for a number of regions, the relocation of software assembly and the opening of the first Transparency Center,” which will be in Zurich. 

The measures in question include customer data storage and processing for most regions; and software assembly including threat detection updates. Transparency will be provided by making the source code available for review by responsible stakeholders in a dedicated Transparency Center. 

The company said that by the end of 2018, its products and threat detection rule databases (AV databases) “will start to be assembled and signed with a digital signature in Switzerland, before being distributed to the endpoints of customers worldwide.”

The firm is going further by making plans for its processes and source code to be independently supervised by a qualified third-party. To this end, it is supporting the creation of a new, non-profit organization able to assume this responsibility not just for itself, but for other partners and members who wish to join.

To me, moving to Switzerland doesn’t seem to fix this issue. I say that because all it will take is a request for the CEO to send or “backup” their data to a Russian data center, or to a 3rd party data center that Russia may have access to. Assuming that Russia doesn’t just plug themselves into this environment that they’re building in Switzerland. Thus while this might be good PR, it really won’t solve the fact that people don’t trust Kaspersky.

Slingshot Router Malware Has Been Lurking For Years And Is Likely State Sponsored

Posted in Commentary on March 12, 2018 by itnerd

Researchers from Kaspersky Lab have discovered a new type of malware that they have dubbed “Slingshot”. Here’s what you need to know about it:

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim’s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

The key thing to note about “Slingshot” is that Kaspersky believes that a nation state was behind it and that it was likely used for espionage purposes. It can capture functions like logging to network, accessing the data on an infected machine’s hard drive or internal memory due to the ability to access an operating system’s kernel level. And it can avoid detection in some very clever ways. Finally, it might have been out there since 2012. That’s kind of scary. If you use the Mikrotik router (for the record, they’re a Latvian-based company), updating your firmware is the best defense. Though 100 victims of “Slingshot” located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania have been identified and it appears that they were targeted by this unknown nation state.

You can fully expect to see more attacks like these pop up in the wild.

 

Trump Bans Kaspersky… Kaspersky Then Sues Trump

Posted in Commentary on December 18, 2017 by itnerd

This should be interesting to watch.

Last week, President Donald Trump signed legislation banning Kaspersky and its products from use across civilian and military agencies. Now I was going to write about that, but something told me that there would be a “part 2” to that story. And today, it comes in the form of a lawsuit from Kaspersky arguing that the American government has deprived it of due process rights by banning its software from U.S. government agencies. Though given everything that has gone on to date, even if they win, which won’t happen by the way, how much of a future do they have in the US? Nobody trusts them at the moment and I don’t see that changing. Thus this has to be an attempt to keep themselves afloat in the US, or a way to grab some cash if they win. Which they won’t.

All I have to say is good luck to Kaspersky. They’re going to need it.

Kaspersky Denies It Pwned NSA Staffer’s Computer

Posted in Commentary on November 16, 2017 by itnerd

The ongoing saga of under siege antivirus maker Kaspersky continues. When we last talked about this, the company had put out a report that said that it accidentally swiped NSA documents off a staffer’s computer. Well, they’ve now released a report that basically tries to paint a story that it wasn’t them who did the swiping. While you can read the report for the full details, the company now claims that Russian hackers installed software on the computer in question to access and steal sensitive data. On top of that, the company claims that the user of this computer disabled his Kaspersky antivirus software to install pirated software which led to additional pwnage. Thus the implication is that the US are mad at the wrong group of Russians.

I am really not sure this is going to make this issue go away as I have to think that their reputation is completely destroyed at this point. Thus while this report might make for some interesting reading for a bit, it won’t change anyone’s mind in terms of how the company is viewed.