Viruses and Worms

An attorney says she saw her library reading habits reflected in mobile ads. That's not supposed to happen

The Register - Anti-Virus - 18 May 2024 - 19:04
Follow us down this deep rabbit hole of privacy policy after privacy policy

Feature  In April, attorney Christine Dudley was listening to a book on her iPhone while playing a game on her Android tablet when she started to see in-game ads that reflected the audiobooks she recently checked out of the San Francisco Public Library.…

Gawd, after that week, we wonder what's next for China and the Western world

The Register - Anti-Virus - 18 May 2024 - 14:35
For starters: Crypto, import tariffs, and Microsoft shipping out staff

Kettle  It's been a fairly troubling week in terms of the relationship between China and the Western world.…

How two brothers allegedly swiped $25M in a 12-second Ethereum heist

The Register - Anti-Virus - 18 May 2024 - 08:29
Feds scoff at blockchain integrity while software bug said to have been at heart of the matter

The US Department of Justice has booked two brothers on allegations that they exploited open source software used in the Ethereum blockchain world to bag $25 million (£20 million).…

Aussie cops probe MediSecure's 'large-scale ransomware data breach'

The Register - Anti-Virus - 18 May 2024 - 01:31
Throw another healthcare biz on the barby, mate

Australian prescriptions provider MediSecure is the latest healthcare org to fall victim to a ransomware attack, with crooks apparently stealing patients' personal and health data.…

Three cuffed for 'helping North Koreans' secure remote IT jobs in America

The Register - Anti-Virus - 17 May 2024 - 20:34
Your local nail tech could be a secret agent for Kim’s cunning plan

Three individuals accused of helping North Korea fund its weapons programs using US money are now in handcuffs.…

First LockBit, now BreachForums: Are cops winning the war or just a few battles?

The Register - Anti-Virus - 17 May 2024 - 13:37
TLDR: Peace in our time is really really hard

Interview  On Wednesday the FBI and international cops celebrated yet another cybercrime takedown – of ransomware brokerage site BreachForums – just a week after doxing and imposing sanctions on the LockBit ransomware crew's kingpin, and two months after compromising the gang's website.…

Crims abusing Microsoft Quick Assist to deploy Black Basta ransomware

The Register - Anti-Virus - 17 May 2024 - 01:30
Spoiler alert: it's not really IT support controlling your device

A cybercrime gang has been abusing Microsoft's Quick Assist application in social engineering attacks that ultimately allow the crew to infect victims with Black Basta ransomware.…

EU probes Meta over its provisions for protecting children

The Register - Anti-Virus - 16 May 2024 - 17:45
Has social media biz done enough to comply with Digital Services Act? Maybe not

The European Commission has opened formal proceedings to assess whether Meta, the provider of Facebook and Instagram, may have breached the Digital Services Act (DSA) in areas linked to the protection of minors.…

Stifling Beijing in cyberspace is now British intelligence’s number-one mission

The Register - Anti-Virus - 16 May 2024 - 16:45
Annual conference of cyber intel unit shows UK's alarm over China blaring louder than ever

CyberUK  Regular attendees of CYBERUK, the annual conference hosted by British intelligence unit the National Cyber Security Centre (NCSC), will know that in addition to the expected conference panels, there is usually an interwoven theme to proceedings.…

NCSC CTO: Broken market must be fixed to usher in new tech

The Register - Anti-Virus - 16 May 2024 - 11:33
It may take ten years but vendors must be held accountable for the vulnerabilities they introduce

CYBERUK  National Cyber Security Centre (NCSC) CTO Ollie Whitehouse kicked off day two of Britain's cyber watchdog's annual shindig, CYBERUK, with a tirade about the tech market, pulling it apart to demonstrate why he believes it's at fault for many of the security problems the industry is facing today. …

FBI takes down BreachForums ransomware website and Telegram channel

The Register - Anti-Virus - 16 May 2024 - 00:31
No more illicit gains, for a while at least

The FBI, in combination with police around the world, have taken control of the website and Telegram channel of ransomware brokerage site BreachForums.…

Crook brags about US Army and $75B defense biz pwnage

The Register - Anti-Virus - 16 May 2024 - 00:30
More government data allegedly stolen by prolific criminals

An extortionist claims to have stolen files from the US Army Aviation and Missile Command in August 2023, and now claims they are selling access to a $75 billion aerospace and defense company.…

Improving cyber defense with open source SIEM and XDR

The Register - Anti-Virus - 15 May 2024 - 19:10
Developing an effective strategy is a continuous process which requires recurring evaluation and refinement

Partner Content  A cyber defense strategy outlines policies, procedures, and technologies to prevent, detect, and respond to cyber attacks. This helps avoid financial loss, reputational damage, and legal repercussions.…

Microsoft fixes a bug abused in QakBot attacks plus a second under exploit

The Register - Anti-Virus - 15 May 2024 - 00:15
Plus: Google Chrome, Apple bugs also exploited in the wild

Happy May Patch Tuesday. We've got a lot of vendors joining this month's patchapalooza, which includes a handful of bugs that have been exploited — either in the wild or at Pwn2Own — and now fixed by Microsoft, Apple, Google and VMware.…

FCC names and shames Royal Tiger AI robocall crew

The Register - Anti-Virus - 14 May 2024 - 23:30
Agency is on the lookout for a Prince among men

The US Federal Communications Commission has named its first robocall gang, dubbing the crew "Royal Tiger," and detailed its operations in an attempt to encourage international action against the scammers.…

QakBot attacks with Windows zero-day (CVE-2024-30051)

Kaspersky Securelist - 14 May 2024 - 19:14

In early April 2024, we decided to take a closer look at the Windows DWM Core Library Elevation of Privilege Vulnerability CVE-2023-36033, which was previously discovered as a zero-day exploited in the wild. While searching for samples related to this exploit and attacks that used it, we found a curious document uploaded to VirusTotal on April 1, 2024. This document caught our attention because it had a rather descriptive file name, which indicated that it contained information about a vulnerability in Windows OS. Inside we found a brief description of a Windows Desktop Window Manager (DWM) vulnerability and how it could be exploited to gain system privileges, everything written in very broken English. The exploitation process described in this document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033, but the vulnerability was different. Judging by the quality of the writing and the fact that the document was missing some important details about how to actually trigger the vulnerability, there was a high chance that the described vulnerability was completely made up or was present in code that could not be accessed or controlled by attackers. But we still decided to investigate it, and a quick check showed that this is a real zero-day vulnerability that can be used to escalate privileges. We promptly reported our findings to Microsoft, the vulnerability was designated CVE-2024-30051, and a patch was released on May 14, 2024, as part of Patch Tuesday.

After sending our findings to Microsoft, we began to closely monitor our statistics for exploits and attacks using this zero-day vulnerability, and in mid-April we discovered an exploit for it. We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it.

We are going to publish technical details about CVE-2024-30051 once users have had time to update their Windows systems.

Kaspersky products detect the exploitation of CVE-2024-30051 and related malware with the verdicts:

  • PDM:Exploit.Win32.Generic;
  • PDM:Trojan.Win32.Generic;
  • UDS:DangerousObject.Multi.Generic;
  • Trojan.Win32.Agent.gen;
  • Trojan.Win32.CobaltStrike.gen.

Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches.

Cybersec chiefs team up with insurers to say 'no' to ransomware bullies

The Register - Anti-Virus - 14 May 2024 - 18:15
Guidebook aims to undermine the criminal business model

The latest effort to reduce the number of ransom payments sent to cybercriminals in the UK involves the country's National Cyber Security Centre (NCSC) locking arms with insurance associations.…

Telegram CEO calls out rival Signal, claiming it has ties to US government

The Register - Anti-Virus - 14 May 2024 - 16:30
Drama between two of the leading secure messaging services

Telegram CEO Pavel Durov issued a scathing criticism of Signal, alleging the messaging service is not secure and has ties to US intelligence agencies.…

Google, Apple gear to raise tracking tag stalker alarm

The Register - Anti-Virus - 14 May 2024 - 15:30
After years of people being victimized, it's about time

Google and Apple are rolling out an anti-stalking feature for Android 6.0+ and iOS 17.5 that will issue an alert if some scumbag is using a gadget like an AirTag or similar to clandestinely track the user.…

Incident response analyst report 2023

Kaspersky Securelist - 14 May 2024 - 13:00

As an information security company, our services include incident response and investigation, and malware analysis. Our customer base spans Russia, Europe, Asia, South and North America, Africa and the Middle East. Our annual Incident Response Report presents anonymized statistics on the cyberattacks we investigated in 2023. All data is derived from working with organizations that requested our expertise in carrying out incident response (IR) or assisting their in-house expert team.

Distribution of incidents by region and industry

The geography of the service has changed somewhat of late, with the share of requests in Russia and the CIS (47.27%) continuing to rise. At the same time, 2023 is notable for the significant increase in the number of IR requests in the second-place Americas region (21.82%).

Geographic distribution of IR requests, 2023

Looking at the distribution of incidents by industry, we see that in 2023 the majority of requests came from government agencies (27.89%) and industrial enterprises (17.01%).

Distribution of organizations that requested IR assistance, by industry, 2023

2023 trends: ransomware and supply chain attacks

In 2023, ransomware remained the most prevalent threat, despite a drop in share to 33.3%, down from 39.8% in 2022. Ransomware targeted organizations indiscriminately, regardless of industry. The most common families we came across in our investigations were LockBit (27.78%), BlackCat (12.96%), Phobos (9.26%) and Zeppelin (9.26%).

Another important trend we observed in 2023 was the significant rise in the number of attacks through trusted relationships with contractors and service providers. This attack vector was among the three most frequently seen in 2023. This is not surprising, for it allows threat actors to carry out large-scale attacks with a great deal more efficiency than if they targeted each victim individually. For many organizations such attacks can be devastating, and detecting them takes a lot longer because the attackers’ actions can be hard to distinguish from those of employees working for a contractor.

Report contents

The full report covers:

  • IR statistics: what events prompted organizations to request IR services, at what stages attacks were detected, how long it took on average to respond to them;
  • Common tactics, techniques and procedures employed by threat actors at different stages of attack development;
  • Legitimate tools used in attacks, with examples of their use in real-world incidents;
  • Vulnerabilities most often exploited by threat actors.

Recommendations for preventing cyber incidents

To reduce the risk of a successful cyberattack on your organization, or minimize the damage if attackers do penetrate your infrastructure, we recommend:

  • Enforcing a strict password policy and protecting key resources with multi-factor authentication;
  • Closing remote management ports to outside access;
  • Promptly updating software and deploying additional security measures for services at the network perimeter;
  • Cybersecurity awareness training and related activities for employees;
  • Restricting the use of legitimate tools that may be utilized for attacks on the corporate network, and creating rules for detecting such tools;
  • Conducting regular cyber drills focused on common attacker techniques;
  • Backing up data on a regular basis;
  • Protecting endpoints with EDR solutions;
  • Subscribing to an IR service guaranteed under an SLA.

Read the full 2023 Incident Response Report (PDF).