Archive for Kaspersky

Kaspersky Deletes Itself And Installs UltraAV On Computers In The US…. WTF?

Posted in Commentary with tags on September 24, 2024 by itnerd

Kaspersky is pretty much banned in the US because of the fact that it’s a Russian company, and the US and Russia don’t have the best relationship. So it appears that due to that, anyone who runs Kaspersky might have this happen to them:

Starting Thursday, Russian cybersecurity company Kaspersky deleted its anti-malware software from customers’ computers across the United States and automatically replaced it with UltraAV’s antivirus solution.

This comes after Kaspersky decided to shut down its U.S. operations and lay off U.S.-based employees in response to the U.S. government adding Kaspersky to the Entity List, a catalog of “foreign individuals, companies, and organizations deemed a national security concern” in June.

And:

In early September, Kaspersky also emailed customers, assuring them they would continue receiving “reliable cybersecurity protection” from UltraAV (owned by Pango Group) after Kaspersky stopped selling software and updates for U.S. customers.

However, those emails failed to inform users that Kaspersky’s products would be abruptly deleted from their computers and replaced with UltraAV without warning.

If I woke up one morning and my anti-virus software had just been replaced at random, I would be really freaked out by that. I can look at this both ways. On one hand, Kaspersky needed to do the right thing to make sure that their customers in the US are secure. But on the other hand, the way they did it doesn’t really sit right with me. So as a result, I really don’t know how to feel about this. But strangely, I’m not done yet:

To make things worse, while some users could uninstall UltraAV using the software’s uninstaller, those who tried removing it using uninstall apps saw it reinstalled after a reboot, causing further concerns about a potential malware infection.

Some also found UltraVPN installed, likely because they had a Kaspersky VPN subscription.

This doesn’t exactly inspire confidence. Neither does this:

Not much is known about UltraAV besides being part of Pango Group, which controls multiple VPN brands (e.g., Hotspot Shield, UltraVPN, and Betternet) and Comparitech (a VPN software review website).

This seems a bit suspect to me. Personally, if I were affected by this, I’d be removing this software as quickly as possible and replacing it with some other anti-virus software that I could trust. Because to be honest, I am not sure that I can trust these guys.

Kaspersky Says It’s Not A National Security Threat To The US

Posted in Commentary with tags on June 24, 2024 by itnerd

Last week the US banned Kaspersky saying that it’s a national security risk. At the time, I could not find a response from the Russian software company. But clearly I didn’t look hard enough because now I have. Here’s what they said in part:

Kaspersky is aware of the decision of the Department of the Treasury’s Office of Foreign Assets Control (OFAC) to place members of the company’s executive and senior leadership team on the sanctions list. The current step will not affect the company’s resilience as neither Kaspersky nor its subsidiary companies nor its CEO were designated by the OFAC.

We regard the move as unjustified and baseless, being a continuation of recent U.S. government decisions based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of the company’s products and operations. Neither Kaspersky nor its management team has any ties to any government, and we consider the allegations quoted by the OFAC as pure speculation, which lacks concrete evidence of a threat posed to U.S. national security. None of the listed members have any ties to the Russian military and intelligence authorities or have anything to do with the Russian government’s cyber intelligence objectives.

John Gunn, CEO, Token had this to say:

Banning the use of Kaspersky software is a prudent and informed action. Kaspersky’s majority owner and CEO is a Russian national who lives in Russia and is subject to the jurisdiction of the Russian government. People who don’t do what Putin wants have a bad habit of falling out of windows. The code for many mature security applications is so complex that finding a designed-in vulnerability would be very challenging, and a “clean” version today could be updated to a malicious version at any time. Operating on a promise of trust from a country that is attacking us constantly would be bad strategy.

Here’s the thing. If you can’t trust the tools that you use to defend yourself against attackers, you shouldn’t use them. Which is why this ban makes sense, despite the fact that some will see it as an overreaction by the US government. Will this ban make you stop using Kaspersky products? Sound off in the comments with your thoughts.

The US Bans Kaspersky

Posted in Commentary with tags on June 21, 2024 by itnerd

Now some of you reading this headline will be thinking “wait, didn’t the US already ban Kaspersky?” The answer is sort of. They were banned on federal government networks. But you and I could still get a copy of the anti-virus software for example. Well, that has changed as the Biden administration has banned them outright:

Yesterday, the Department of Commerce issued a final determination pursuant to Executive Order (E.O.) 13873 prohibiting Kaspersky Lab, Inc., its affiliates, subsidiaries and parent companies directly or indirectly from providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. Commerce reached this determination after an investigation found transactions involving the products and services of Kaspersky Lab, Inc. and its corporate family pose unacceptable risk to U.S. national security or the safety and security of U.S. persons, as outlined in E.O. 13873.

In addition, the Department of Commerce has designated AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom) on the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives. These activities are contrary to U.S. national security and foreign policy interests.

Damir J. Brescic, CISO, Inversion6 had this comment:

The reason that the U.S. government took such a stance is due to the concerns that Kaspersky could/has complied with the Russian government in what could be seen as assisting in cyber espionage or other malicious activity. The concern is obviously heightened by some of the controversial laws Russia has in general regarding cybersecurity, where they require companies to assist the government in intelligence gathering activities, similar to other nation-state threat actors, such as China, Iran and North Korea.

There are a few key aspects that companies and even government agencies need to take into consideration when assessing the impact of a software tool, such as Kaspersky. The major concern is that the Kaspersky antivirus solution, when implemented in an organization, requires extensive system privileges to function correctly, as most solutions of its kind do. This type of technology can provide a threat actor the potential to exploit and gain access to a system’s configuration, sensitive data, and network connections.

If an organization is currently utilizing the Kaspersky antivirus software, they should look to conduct the following steps:

  • Deactivate the Kaspersky software immediately on all their host systems
  • Conduct a thorough risk assessment of the organizational use of this Kaspersky software; this should include the potential impact of compromise, as well as the likelihood of such an event
  • Start evaluating alternative solutions from a trusted vendor
  • Implement robust monitor detection
  • Review incident response capabilities and plans, and potentially run a tabletop exercise
  • For advanced measures, look to implement network segmentation to limit the spread of any malware and reduce the overall impact from potential threat and compromise

All of this is good advice. And unlike when the US government network ban came into effect, at which point Kaspersky sued the government, this time I can’t find any statements or any other reaction from the Russian software company. Their silence suggests a lot in my opinion.

OT Network Isolation, Human Error Fuel Industrial APT Attacks: Kaspersky

Posted in Commentary with tags on June 1, 2023 by itnerd

In a report published yesterday, Kaspersky identifies the environmental factors leading to APT attacks in industrial sectors:

As we analyze what caused an incident, we often see:

  • numerous systems with security solution databases that haven’t been updated for a long time;
  • systems on which the staff forgot to add a license key, although it had been purchased;
  • systems on which a user can remove a license key (and those on which a user has actually removed one);
  • systems on which a user has shut down the security solution or disabled its components that provide protection from modern threats;
  • systems in which too much is excluded from scanning and protection.

And:

Finally, on some OT networks, protection is not installed on many endpoints at all. There can be a number of reasons for this. Sometimes engineers believe that their ICS systems are completely isolated from other network segments. In other cases, engineers are simply afraid of installing anything new because of the principle “if it isn’t broken, don’t fix it”. The choice of a security solution can be further complicated in situations where industrial equipment vendors require that only software certified by them be installed on ICS systems, threatening to cancel the warranty of systems that don’t meet this requirement.

None of that inspires confidence. But I must admit that I do see a lot of that in my travels. Willy Leichter, VP, Cyware has this comment:

“Unfortunately, many OT operators still rely on an outdated and dangerous assumption that their systems are isolated and effectively air gapped. Combine this with outdated equipment, and a constant fear of downtime and we have an ongoing recipe for disaster. IT and OT systems are inevitably intertwined – connected by people, and networks that are vulnerable. All these systems need the same levels of visibility, oversight, and robust security controls.”

This Kaspersky report should be required reading for every security professional and sysadmin. I say that because there is no excuse for this when threat actors are so advanced that they don’t need help like this to get into networks and do bad things.

Kaspersky Highlights The New Ransomware Trends In 2023

Posted in Commentary with tags on May 13, 2023 by itnerd

Yesterday was Anti-Ransomware Day. Instead of offering accolades to named cyber attackers, here are the leading methods they use year after year, as published by Kaspersky in their report New ransomware trends in 2023. Beyond exploiting public-facing vulnerabilities (42.9%), compromised accounts and malicious emails, they rely on:

  • PowerShell to collect data
  • Mimikatz to escalate privileges
  • PsExec to execute commands remotely
  • or frameworks like Cobalt Strike for all attack stages

Furthermore, in another report, Kaspersky experts highlighted three key trends that ransomware groups are incorporating:

  1. self-spreading functionality or imitations into their malware
  2. exploiting vulnerabilities in antivirus drivers
  3. adopting capabilities from leaked or purchased code

“What we’ve been watching throughout the last one and a half years is that they are gradually turning their services into full-fledged businesses. This fact makes even amateur attackers quite dangerous,” said Dmitry Galov, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team.

Roy Akerman, Co-Founder & CEO, Rezonate had this to say:

“We know that 80% of the attacks are using 20% of the same techniques and same vulnerabilities. Every year CISA produces a report indicating the top exploited vulnerabilities and every year we see a very similar list of vulnerabilities we saw the year prior where most are 2 years and older. Same for the attack techniques used, from encoded PowerShell commands, Mimikatz and Cobalt Strike, to ransomware specific techniques such as vulnerable and publicly accessible RDP protocol. Getting to the basics and establishing a strong foundation is critical to combat 80% of the attacks used today in the wild.”

Companies need to make sure that known vulnerabilities are addressed in their environment to take away all the easy routes for threat actors to pwn you. That way you solve most of your security problems right off the top. If you need guidance, this report from Kaspersky will help you to make sure you’re on the good side of being secure.

Fleckpe Infects Over 620K With Subscription Malware Via Google Pay

Posted in Commentary with tags on May 7, 2023 by itnerd

Yesterday, Kaspersky revealed ‘Fleckpe’, a new global Android malware disguised as legitimate apps that generates unauthorized charges by subscribing users to premium services. It was discovered that there were over 600,000 downloads of 11 Fleckpe trojan apps impersonating image editors, photo libraries, premium wallpapers, and more on Google Play.

Upon installation, the malicious app requests access to notification content, which it needs to capture subscription confirmation codes from various premium services. It then decodes a hidden payload, which is executed while the app keeps working as advertised, avoiding suspicion.

All 11 apps have been removed from the marketplace, but there is concern that others have been deployed and are yet to be discovered. Those who have installed the bad apps should obviously remove them and run an AV scan to cleanse any hidden malicious code remaining.

Roy Akerman, Co-Founder & CEO, Rezonate had this comment:

“Rogue apps that find their way to app stores present a real risk since users have complete trust that those are safe and verified. For the past several years there has been an increase in mobile threats from dedicated malware at the application and device level, mostly for financial gain as in the case of Fleckpe, but in many cases for the purpose of bypassing traditional MFA of SMS OTP. Google and Apple have and still are investing a lot to further strengthen their testing of new applications, yet as consumers we should all still remain wary of new applications before downloading.”

This illustrates why you need to be careful with the apps that you install, and what permissions you give them. Otherwise, you might be in for a lot of trouble.

Kaspersky Researchers Discover A New “Fileless” Malware Campaign

Posted in Commentary with tags on May 10, 2022 by itnerd

Researchers at Kaspersky have found a malicious campaign that stored malware in Windows event logs, a new technique for attacks in the wild. This method enables threat actors to plant fileless malware in the file system, enabling the attack activity to be as stealthy as possible:

The initial infection of the system was carried out through the dropper module from an archive downloaded by the victim. The attacker used a variety of unparalleled anti-detection wrappers to keep the last stage Trojans even less visible. To further avoid detection, some modules were signed with a digital certificate.

The attackers employed two types of Trojans for the last stage. These were used to gain further access to the system; commands from control servers are delivered in two ways: over HTTP network communications and via named pipes. Some Trojan versions managed to use a command system containing dozens of commands from the C2.

The campaign also included commercial pentesting tools, namely SilentBreak and CobaltStrike. It combined well-known techniques with customized decryptors and the first observed use of Windows event logs for hiding shellcode on the system.

Saryu Nayyar, CEO and Founder of Gurucul had this comment:

“Emerging techniques such as these continue to highlight the importance of incorporating behavioral-based analytics, which constantly monitor users, endpoints and other security solutions in the enterprise, to further augment anomaly detection and investigation capabilities.”

“Detection evasion is the name of the game these days, so identifying and alerting on anomalous behavior during early stages of an attack is critical for any effective security program.”

This is truly next level stuff from these threat actors. Which means that your response to these threats has to be next level as well. In the meantime, the Kaspersky report does offer some mitigation strategies that are well worth implementing.

Kaspersky Serves Up Details On The BlackCat Ransomware Group

Posted in Commentary with tags on April 7, 2022 by itnerd

Kaspersky may be a company that is under some degree of pressure at the moment. But that hasn’t stopped them from uncovering new threats. Kaspersky threat researchers today published a blog detailing the BlackCat ransomware group and their efforts to target industrial companies. In addition, Kaspersky has found links between the teams of BlackCat, ALPHV, Noberus and BlackMatter. These teams have used a data exfiltration tool called Fendr (also known as ExMatter) to target oil, gas, mining, construction and industrial sites.

Just lovely.

Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“Threat actor groups are now sharing methods and colluding to target organizations, in this case, industrial and critical infrastructure for stealing design information, but also information on controls, presumably to find those systems and cause potential damage or encrypt key files as part of a subsequent ransomware campaign. This shows that attackers are implementing different tactics and techniques, even when using known tools like Fendr for malicious purposes. Current XDR and SIEM solutions, primarily using rule-based ML/AI, will be hard pressed to detect these attacks out of the gate, leaving too many systems widely exposed to threat actors. Organizations must be enabled to ingest more telemetry from even proprietary industrial machines and apply advanced analytics with self-trained machine learning models to stay ahead of ever-changing variants and attack methods that evade defenses and current security operations tools easily. Threat actors partnering in their efforts makes it critical that organizations push the envelope in moving past most vendor claims to evaluate solutions that are best of breed in their capabilities and customizable as IT and security needs evolve.”

There seems to be a never-ending stream of these groups going after the targets of their choice. That means that you need to be on point with your security strategy, along with your incident response should it come to that.

Kaspersky Is Under Pressure On Multiple Fronts

Posted in Commentary with tags on March 27, 2022 by itnerd

Russian security company Kaspersky has not been having a good time of it since Russia invaded Ukraine. Recently, Germany suggested that German companies dump Kaspersky products. And when that happened, I said this:

These accusations are not new as Kaspersky has been in the crosshairs of various countries because they are a Russian company. But given the current political climate, and the likelihood that this warning will be echoed by the US and other countries, it is safe to say that Kaspersky is in trouble. And I would go further to say that they will not survive this.

Guess what? The US has waded into this as Kaspersky has been added to the Covered List. That means that they are seen to be an unacceptable risk to U.S. national security. Kaspersky services covered by this decision include information security products, solutions, and services supplied by Kaspersky or any linked companies, including subsidiaries or affiliates.

That’s not good. But this is just as bad. HackerOne has announced that it has kicked Kaspersky’s bug bounty program off its platform. HackerOne has posted this in a FAQ regarding sanctions against Russia published last week. And this was confirmed via a Tweet from Kaspersky:

Kaspersky now asks researchers who find vulnerabilities in its products to report them using its self-hosted bug bounty program. I am not sure that I would want to participate in that seeing as they are Russian. But if you do want to participate, you do you.

Kaspersky Is Likely Doomed After The BSI Publishes A Warning To Not Use Their Products

Posted in Commentary with tags on March 15, 2022 by itnerd

Russian anti-virus maker Kaspersky is likely in very deep trouble after Germany’s cyber security agency the BSI came out with a warning (translation here) for Germans not to use Kaspersky’s products:

Antivirus software, including the associated real-time capable cloud services, has extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted and non-verifiable connection to the manufacturer’s servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as its authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.

The actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO and the Federal Republic of Germany in the course of the current military conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers.

These accusations are not new as Kaspersky has been in the crosshairs of various countries because they are a Russian company. But given the current political climate, and the likelihood that this warning will be echoed by the US and other countries, it is safe to say that Kaspersky is in trouble. And I would go further to say that they will not survive this.

RIP Kaspersky.