Search Results for “feed” – Kaspersky official blog
https://www.kaspersky.co.in/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.
Thu, 19 Sep 2024 14:48:03 +0000

Kaspersky Expertise Centers | Kaspersky official blog
https://www.kaspersky.co.in/blog/kaspersky-expertise-centers/28026/
Thu, 19 Sep 2024 14:47:57 +0000

When writing about threats, vulnerabilities, high-profile investigations or technologies, we often mention our experts of various specializations. Generally speaking, Kaspersky’s experts are highly qualified employees specialized in their particular field who research new cyberthreats, invent and implement breakthrough methods to combat them, and also help our clients deal with the most serious of incidents. There are many fields for using their talents; most of them fall within the competence of one of our five so-called “centers of expertise”.

Kaspersky Global Research and Analysis Team (GReAT)

Our best known team in the cybersecurity industry is the Global Research and Analysis Team (GReAT). It’s a tightly knit collective of top-notch cybersecurity researchers specializing in studying APT attacks, cyber espionage campaigns, and trends in international cybercrime. Representatives of this international team are strategically located in our offices around the world to ensure immersion into regional realities and provide the company with a global perspective of the most advanced threats emerging in cyberspace. In addition to identifying sophisticated threats, GReAT experts also analyze cyber-incidents related to APT attacks, and monitor the activity of more than 200 APT groups. As a result of their work, our clients receive improved tools to combat advanced threats, as well as exclusive Kaspersky APT and Crimeware Intelligence reports, containing tactics, techniques and procedures (TTP), and indicators of compromise (IoC) useful for building reliable protection.

Kaspersky Threat Research

Kaspersky Threat Research comprises the experts whose work lies at the foundation of our products’ protective mechanisms – they study all the details of attackers’ tactics, techniques and procedures, and drive the development of new cybersecurity technologies. These experts are primarily engaged in analyzing new cyberthreats and are responsible for ensuring that our products successfully identify and block them (detection engineering). Threat Research includes (i) Anti-Malware Research (AMR), whose experts deal with software (including malware, LOLBins, greyware, etc.) used by cyberattackers; and (ii) Content Filtering Research (CFR), which is responsible for analysis of threats associated with communication via the internet (such as phishing schemes and spam mailings).

Attackers work hard to circumvent protective technologies, which is why we pay special attention to the security of our own products. The Threat Research expertise center also includes the Software Security team, which mitigates the risks of vulnerabilities in Kaspersky solutions. In particular, they’re responsible for the secure software development life cycle (SSDLC) process, the bug bounty program, and for ensuring that our secure-by-design solutions (our own operating system – KasperskyOS – and products based on it) really are secure.

Kaspersky AI technology research

We all know how hyped AI technology is today, and how popular the topics of AI in cybersecurity and Secure AI are on the market. Our team provides a range of options in our solutions, from machine-learning (ML) and AI-enhanced threat discovery and alert triage to prototype GenAI-driven Threat Intelligence.

For over two decades, our products and services have incorporated aspects of artificial intelligence to enhance security, privacy, and business protection. Kaspersky AI Technology Research applies data science and machine learning to detect various cyberthreats, including malware, phishing and spam on a large scale – contributing to detection of more than 400,000 malicious objects daily.

To detect more complex, targeted attacks, you have to juggle massive numbers of events and alerts coming from different levels of the IT infrastructure. Proper aggregation and prioritization of these alerts are crucial. Without AI-powered automation, it’s easy for a security-operations-center analyst to get overwhelmed and overlook critical alerts amid the multitude of security notifications. Better alert triage and prioritization – especially with machine learning – is top priority for our detection and response solutions (EDR, SIEM, XDR and MDR services).

Generative AI (GenAI) technologies open up new possibilities in cybersecurity. Kaspersky researchers are working on applying GenAI to various tasks in products ranging from XDR to Threat Intelligence to help cybersecurity analysts cope with the daily deluge of information, automate routine tasks, and get faster insights, amplifying their analytical capabilities and enabling them to focus more on investigating complex cases and researching complex threats.

We also use artificial intelligence to protect complex industrial systems. Our Kaspersky Machine Learning for Anomaly Detection (MLAD) solution enables our products to detect anomalies in industrial environments – helping identify early signs of potential compromise.

As AI systems are inherently complex, Kaspersky AI Technology Research also works on identifying potential risks and vulnerabilities in AI systems – from adversarial attacks to new GenAI attack vectors.

Kaspersky Expertise Centers: worldwide teams

Kaspersky Security Services

Kaspersky Security Services experts provide complementary services for information security departments at the largest enterprises worldwide. Their service portfolio is built around the main task of security departments – addressing incidents and their impact: detection, response, exercises, and operational excellence in processes.

Whenever organizations face a security crisis, our team is dedicated to building a complete picture of the identified attack, and sharing recommendations for response and impact minimization. Our Global Emergency Response Team is located on all continents and is involved in hundreds of incident responses yearly.

For organizations that require continuous incident detection, there’s our Managed Detection and Response service. The Kaspersky SOC experts behind this service monitor suspicious activity in the customer’s infrastructure, and help respond to incidents promptly and minimize their impact. Our MDR operates worldwide and is top-rated by customers.

Developing and measuring security maturity, preparing for real-world attacks, discovering vulnerabilities and more are the goals of our various Security Assessment services. Among other things, they can: evaluate SOC readiness to protect critical business functions with attack simulations (red teams); assess attackers’ chances of penetrating your network and gaining access to critical business assets with penetration testing service; and identify critical vulnerabilities by deeply analyzing complex software solutions with our application security service.

If a company needs to build its own SOC, or assess the maturity level or development capabilities of an existing one, our SOC Consulting experts share their vast experience in security operations gained while working with different industries, organizations of different sizes and with different budgets.

Before, during and after an attack, cybercriminals leave traces of their activities outside the attacked organization. Our Digital Footprint Intelligence experts identify suspicious activities on cybercriminal marketplaces, forums, instant messengers and other sources in order to notify an organization promptly about compromised credentials, someone selling access to its internal corporate network, data from its internal databases, and so on.

Kaspersky ICS CERT

Our industrial systems cybersecurity research center (Kaspersky ICS CERT) is a global project whose main goal is assisting manufacturers, owners and operators, and research teams in ensuring the cybersecurity of industrial automation systems and other M2M (machine-to-machine) solutions (building automation systems, transportation, medical systems and so on).

Kaspersky ICS CERT experts constantly analyze various products and technologies, evaluate their security level, report information about vulnerabilities to their manufacturers, and inform users of vulnerable solutions about the corresponding risks. In addition to searching for zero-day vulnerabilities, our CERT team analyzes publicly available information on vulnerabilities in ICS products, finds and eliminates multiple inaccuracies in it, and adds its own recommendations for reducing the risks to end-users.

Also, Kaspersky ICS CERT specialists identify and study attacks on organizations in the industrial sector, provide assistance in incident response and digital forensics, and share analytical information about attacks as well as indicators-of-compromise data feeds based on the results of their research.

In addition, our experts contribute to the engineering of sectoral and governmental regulations in the field of industrial cybersecurity, transportation, and the industrial Internet of Things; develop and conduct training for information-security specialists and employees of industrial organizations; and provide various consulting services.

Kaspersky spends huge amounts of resources – including a significant portion of its profits – on developing its expertise. Our experts research cyberthreats relevant to even the most remote corners of the globe, and understand the specific needs of all customers – no matter where they are. Thanks to the contribution of the above-listed centers of expertise, our services and solutions are constantly being improved and so always remain ready to counter the most non-trivial of attacks and identify the latest cyberthreats.

How cybercriminals attack young gamers: the most common and dangerous scams | Kaspersky official blog
https://www.kaspersky.co.in/blog/how-scammers-attack-young-gamers-2024/27960/
Fri, 06 Sep 2024 08:14:12 +0000

The new school year brings with it new hopes, new subjects, new friends… and new (and not-so-new) video games. After the long summer break, it’s natural for kids to dive back into the cyberworld. When school’s in, there’s less time for hanging out with friends at the mall, so the digital space becomes the preferred meet-up place, including, of course, video games.

But the world of gaming isn’t quite as buddy-buddy as might seem at first glance, so here too cybersecurity is a must. Sure, the games themselves are (mostly) fine — the problem is the parasite scammers and cybercriminals they attract.

Kaspersky experts have dug deep to find out which games and players are most at risk, and what to do about it. See the full version of our report for answers to these, and other related questions.

Attackers love Minecraft

To fathom the threatscape facing young gamers, our experts analyzed statistics from the global Kaspersky Security Network (KSN). KSN collects huge amounts of anonymous cyberthreat intelligence data that we receive from users on a voluntary basis.

Selecting the most popular kids’ games for the study, we found the top four most-attacked titles from July 2023–July 2024 were Minecraft, Roblox, Among Us and Brawl Stars.

Game name                  Number of attack attempts
Minecraft                  3,094,057
Roblox                     1,649,745
Among Us                     945,571
Brawl Stars                  309,554
Five Nights at Freddy’s      219,033
Fortnite                     165,859
Angry Birds                   66,754
The Legend of Zelda           33,774
Toca Life World               28,360
Valorant                      28,119
Mario Kart                    14,682
Subway Surfers                14,254
Overwatch 2                    9,076
Animal Crossing                8,262
Apex Legends                   8,133

That’s right, more than three million attack attempts on Minecraft alone – almost twice as many as on second-place Roblox. Why? Because so many players are looking to download mods and cheats for Minecraft, and these often turn out to be malicious apps.

As for the types of threats being spread, the most common are downloaders, adware, Trojans and backdoors. For several years now, malware downloaders have been the most active threat to the gaming industry – downloaders that tout themselves as the “best Minecraft modloader you can get” often turn out to download… backdoors, Trojans and other threats.

Popular phishing scams

While it’s easy to teach your kids to download apps only from trusted sources and use security solutions, keeping them safe from phishing is more of a challenge. Here, it pays to keep your ears and eyes sharp: the more you and your kids know and read about new scams, the better placed you are to spot them. What’s more, most gaming scams tend to follow a pattern.

Free skins

Pretty much every top kids’ game these days allows (or encourages) players to customize their character with skins that can cost serious money — millions of dollars in some cases! Most kids, of course, don’t have that kind of cash under the bed, so they’re always on the lookout for flashy item giveaways.

One such act of “generosity” was uncovered by our experts. The scammers craftily exploited two things close to young gamer hearts: Valorant and MrBeast. The first is a popular shooter game, while the other is one of the world’s most successful YouTubers, with a 300 million+ subscriber base – mostly kids.

MrBeast and the makers of Valorant probably have no idea about their skin giveaway collaboration on a scam website

The scammers invite gamers to log in to the phishing site using their game account credentials and then to open a treasure chest. Of course, there is no treasure — only a hijacked account.

Free in-game currency

Most in-game economies are built on two kinds of in-game currency: soft and hard. Soft currency is usually earned through playing the game; hard or premium currency is bought with real-world money. Naturally, it’s the latter that attracts cybercriminals.

For example, one scam asks Pokémon GO players to enter their game account username. That is followed by an “I’m not a bot” verification, after which the player lands on a site promising free in-game currency.

Catchy phishing site targeting young Pokémon GO players

Such calls to action are a ruse to redirect users to a far more serious scam, where not only gaming accounts are at stake, but highly sensitive data like bank details.

Reward for in-game actions

“Do such-and-such and win a prize!” is a standard cybercriminal trick. We unearthed such a scam on a Roblox-related phishing site: victims were offered a US$100 Walmart gift card, the same amount for Taco Bell fast food outlets, and, for the especially greedy, US$25,000 in cash. But there’s a catch: first your payment details, please!

Curious reward lineup: a US$100 voucher alongside US$25,000 in cash

Since the youngest gamers don’t yet have payment details of their own, they’ll probably feed their parents’ bank card numbers to the hungry site. And you can only imagine mom and dad’s delight when the next billing statement arrives.

How young gamers can stay safe

Kids often lack basic cybersecurity skills, so they can easily fall into cybercriminal traps, for example when trying to download a free game, a mod or a ‘must-have’ skin. That’s why teaching kids cyber hygiene is one of the most important missions of modern parenting.

For more great security tips for young gamers, check out the full version of our report.

Myths and superstitions in the digital world | Kaspersky official blog
https://www.kaspersky.co.in/blog/busting-digital-superstitions/27937/
Mon, 02 Sep 2024 09:22:19 +0000

We’ve conducted a big survey of 10,000 people and have found that many still believe in digital myths. For example, they think that connecting to any public Wi-Fi is totally safe, and that smartphones track all their movements by default.

What’s the reality? Let’s put some of these myths to the test.

Myth #1. Chatbots are hard to tell from humans

Almost half (47%) of respondents think so. At first glance it might indeed seem a tricky task to differentiate between AI and human chats, given that bots have now mastered the Turing test. Nevertheless, it is possible to tell them apart, and we turned to a chatbot to find out how. Come on, AI, tell us how to unmask you!

  • Chat style. Bots tend to have a more formal or mechanical communication style, while humans may use colloquialisms, jargon and more expressive language.
  • Response speed. Bots often respond very quickly and consistently, while humans may take a while to respond because they need to think through their response.
  • Limited topics. Bots may have limited knowledge and fail to understand the context or nuances of a conversation the way that a human does.

Thanks, chatbot! What do you notice about the AI responses? Dry, matter-of-fact, lots of repetition, and minimal deviation from the topic. The information is spot on, and any human expert would say much the same thing… but less like a textbook.

Myth #2. My smartphone tracks my movements

Two-thirds (67%) of respondents are sure their smartphone tracks their geolocation all the time. Well, there’s no law against this opinion. In most cases, such “tracking” is voluntary: users often hand over oodles of permissions to apps, allowing them to feed data to their developers — at least for marketing purposes, but possibly also for real surveillance (albeit unlikely).

And let’s not forget about spyware: nasty little programs that like to masquerade as legitimate apps, but in fact record your calls, read your messages, and sometimes track your movements. Their nastiness is why we advise every single one of those 67% to make sure there’s no spyware on their device. And all that takes is to install reliable protection. Sure, if you’re a bona fide celeb, you can employ the life hack of Sarah Connor from Terminator — she went so far as to carry her phone in a bag of chips to block GPS, Wi-Fi and Bluetooth signals. But chips these days ain’t what they used to be…

Myth #3. Airplane mode prevents surveillance

Surprised? No less than 28% of respondents turn off their phone or switch it to airplane mode during a face-to-face conversation. Moreover, 26% do this whenever they’re in a public place. Believe us: this anti-spy method is ineffective, and here’s why.

There are Trojans that can record ambient sound — even if the infected smartphone doesn’t have internet access. And as soon as you turn off airplane mode, the malware immediately transfers the collected data to the attackers’ server. The Trojan used in Operation Triangulation, for instance, had this functionality. A far more effective way to guard against cyberespionage is to install a dedicated security solution. And leave airplane mode for flying.

Myth #4. Public Wi-Fi is safe

At least 39% of respondents globally think so — respondents, it seems, who didn’t read our study of public hotspots in Paris. In July, on the eve of the Olympics, we analyzed the security of around 25,000 unique Wi-Fi hotspots in the French capital, and found a full quarter of them to be wholly insecure — many protected by outdated security protocols. The results apply to any city in the world — things are hardly different in, say, Moscow, Berlin, Tokyo or Sao Paulo.

So avoid connecting to public Wi-Fi unless you absolutely must, in which case:

  • Don’t buy anything online.
  • Don’t log in to personal accounts without two-factor authentication.
  • Enable a reliable VPN on your devices, as well as a firewall on your laptop.
  • Disable file-sharing and AirDrop on your devices.

Myth #5. My actions are invisible in incognito mode

Four out of ten people concur. We’re among the other six out of ten who understand that incognito mode won’t make your surfing totally private. Sure, it doesn’t save your browsing history, doesn’t remember information entered on visited sites, and doesn’t store data in the browser cache — in other words, incognito mode leaves no traces of browsing on your device. But it doesn’t hide your IP address, so someone could get a fix on your location if desired. It’s also possible to expose your identity if you’re logged in to a site.

Incognito browsing is perfect for when you want to leave minimal traces on your device. For example, when searching for gifts for family — especially if you all use the same computer and browser. This way, the browser won’t remember your actions or spoil the surprise with untimely contextual ads. For more tips on what else you should and shouldn’t do in incognito mode, see our separate post.

Five myths down – plenty more still to go…

One of the missions of Kaspersky — of our Kaspersky Daily blog in particular — is technological evangelism. We tell you all about new technologies and threats, uncover the most sophisticated scams, and do everything we can to shatter digital myths and superstitions wherever they may be.

But the contents of this post are just the tip of the digital iceberg; our original report is bursting with even more eye-popping myths. Help us bust them all by sharing this post with family and friends — especially if they’re just starting out building a cybersecure future for themselves.

How to hack wireless bicycle gears | Kaspersky official blog
https://www.kaspersky.co.in/blog/how-to-hack-bicycles-shimano-di2-wireless-shifting-technology/27907/
Fri, 23 Aug 2024 15:37:49 +0000

I’ve worked in cybersecurity for years, and sometimes I think I’ve seen it all: there’s nothing hackers could possibly do that would surprise, much less shock me. Baby monitors? Hacked. Cars? Hacked, over and over — and all kinds of makes. And not just cars, but car washes too. Toy robots, pet feeders, TV remotes… Fish tank anyone? No – really: it’s been done!

But what about bicycles? They seemed to be hackproof — until recently. In mid-August 2024, researchers published a paper describing a successful cyberattack on a bike. More precisely — on one fitted with Shimano Di2 gear-shifting technology.

Electronic gears — Shimano Di2 and the like

First, a few words of clarification for those not up to speed, so to speak, with the latest trends in cycling technology. Let’s start by saying that Japan’s Shimano is the world’s largest maker of key components for bicycles; basically – the main parts that are added to a frame to make up a working bicycle, such as drivetrains, braking systems, and so on. Although the company specializes in traditional mechanical equipment, for some time now (since 2001) it has been experimenting with electronics.

Classic gear-shifting systems on bikes rely on cables that physically connect the gear-derailleurs (bike-chain guiders across sprockets) to the gear-shifters on the handlebars. With electronic systems, however, there’s no such physical connection: the shifter normally sends a command to the derailleur wirelessly, and this changes gear with the help of a small electric motor.

Electronic gear-shifting systems can also be wired. In this case, instead of a cable, a wire connects the shifter and the derailleur through which commands are transmitted. Most in vogue of late, however, are wireless systems, in which the shifter sends commands to the derailleur with a radio signal.

Shimano Di2 electronic gear-shifting systems currently dominate the high-end segment of the company’s product line. The same is happening across the model lineups of its main competitors: America’s SRAM (which introduced wireless gear shifters first) and Italy’s Campagnolo.

In other words, a great many road, gravel and mountain bikes in the upper price band have been using electronic gear shifters for quite a while already, and increasingly these are wireless.

Wireless version of the Shimano Di2 electronic gear-shifting system

The wireless version of the Shimano Di2 actually isn’t all that wireless. Inside the bike frame there are quite a few wires: A and B represent wires that run from the battery to the front and rear derailleurs, respectively. Source

The switch from mechanics to electronics makes sense on the face of it — among other things, electronic systems offer greater speed, precision, and ease of use. That said, going wireless does look like innovation for the sake of innovation, as the practical benefits for the cyclist aren’t all too obvious. At the same time, the smarter a system becomes, the more troubles could arise.

And now it’s time to get to the heart of this post: bike hacking…

Security study of the Shimano Di2 wireless gear-shifting system

A team of researchers from Northeastern University (Boston) and the University of California (San Diego) analyzed the security of the Shimano Di2 system. The specific groupsets they looked at were the Shimano 105 Di2 (for mid-range road bikes) and the Shimano DURA-ACE Di2 (the very top of the line for professional cyclists).

In terms of communication capabilities, these two systems are identical and fully compatible. They both use Bluetooth Low Energy to communicate with the Shimano smartphone app, and the ANT+ protocol to connect to the bike’s computers. More importantly, however, the shifters and derailleurs communicate using Shimano’s proprietary protocol on the fixed frequency of 2.478 GHz.

This communication is, in fact, rather primitive: the shifter commands the derailleur to change gear up or down, and the derailleur confirms receipt of the command; if confirmation isn’t received, the command is resent. All commands are encrypted, and the encryption key appears to be unique for each paired set of shifters and derailleurs. All looks hunky-dory save for one thing: the transmitted packets have neither a timestamp nor a one-time code. Accordingly, the commands are always the same for each shifter/derailleur pair, which makes the system vulnerable to a replay attack. This means that attackers don’t even need to decrypt the transmitted messages — they can intercept the encrypted commands and use them to shift gears on a victim’s bike.
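To make the replay problem concrete, here is a small simulation added for this post (it is not the researchers’ code, and it does not model the real Shimano frame format or key). Two receivers verify an authentication tag over each command; one of them additionally requires a strictly increasing sequence number. The receiver without freshness accepts a captured frame delivered a second time, because without a counter or nonce the bytes for “upshift” are identical every time; the receiver with the counter rejects it. The key, frame layout and gear numbers are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed per-pair secret: stands in for whatever key a shifter/derailleur
# pair shares after pairing. The real Shimano protocol is not modelled here.
PAIR_KEY = os.urandom(16)
TAG_LEN = 8


def make_frame(command: str, seq: Optional[int], key: bytes = PAIR_KEY) -> bytes:
    """Build an authenticated frame. With seq=None the frame carries no freshness
    information, so the same command always produces exactly the same bytes."""
    body = command.encode() if seq is None else f"{seq}:{command}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Derailleur:
    """Receiver that checks the tag and, optionally, a strictly increasing counter."""

    def __init__(self, check_freshness: bool, key: bytes = PAIR_KEY, gear: int = 5):
        self.check_freshness = check_freshness
        self.key = key
        self.gear = gear
        self.last_seq = -1  # highest sequence number accepted so far

    def receive(self, frame: bytes) -> str:
        if len(frame) <= TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"  # forged or corrupted frame
        text = body.decode()
        if self.check_freshness:
            seq_text, _, command = text.partition(":")
            try:
                seq = int(seq_text)
            except ValueError:
                return "rejected: malformed"
            if seq <= self.last_seq:
                return "rejected: replay"  # counter value already seen (or older)
            self.last_seq = seq
        else:
            command = text
        if command == "up":
            self.gear += 1
        elif command == "down":
            self.gear -= 1
        else:
            return "rejected: unknown command"
        return f"ok: gear {self.gear}"


def simulate(check_freshness: bool) -> List[str]:
    """Legitimate upshift, the same captured frame delivered again, then a fresh upshift."""
    derailleur = Derailleur(check_freshness)
    first_seq = 0 if check_freshness else None
    frame = make_frame("up", first_seq)
    results = [derailleur.receive(frame)]
    captured = frame  # what an eavesdropper records: valid tag, no need to decrypt
    results.append(derailleur.receive(captured))  # delivered a second time, unchanged
    next_seq = 1 if check_freshness else None
    results.append(derailleur.receive(make_frame("up", next_seq)))
    return results


if __name__ == "__main__":
    print("no freshness check:", simulate(False))   # replay accepted
    print("with counter:      ", simulate(True))    # replay rejected
```

Two caveats worth keeping in mind when applying this to real hardware: the counter has to survive power cycles and be resynchronised safely after battery swaps, and a counter only defeats replay; it does nothing against the jamming-style denial of service the researchers also describe, where an attacker floods the channel rather than reusing old frames.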

Testbed used by the researchers

To intercept and replay commands, the researchers used an off-the-shelf software-defined radio. Source

Using a software-defined radio (SDR), the researchers were able to intercept and replay commands, and thus gain control over the gear shifting. What’s more, the effective attack range — even without modifying the equipment or using amplifiers or directional antennas — was 10 meters, which is more than enough in the real world.

Why Shimano Di2 attacks are dangerous

As the researchers note, professional cycling is a highly competitive sport with big money involved. Cheating — especially the use of banned substances — is no stranger to the sport. And an equally underhand advantage could be gained by exploiting vulnerabilities in a competitor’s equipment. Therefore, cyberattacks in the world of professional cycling could easily become a thing.

The equipment used for such attacks can be miniaturized and hidden either on a cheating cyclist or a support vehicle, or even set up somewhere on the race track or route. Moreover, malicious commands can be sent remotely by a support group.

A command to upshift gear during a climb or sprint, for instance, could seriously affect an opponent’s performance. And an attack on the front derailleur, which changes gears more abruptly, could bring the bike to a halt. In a worst-case scenario, an unexpected and abrupt gear change could damage the chain or cause it to fly off, potentially injuring the cyclist.

Shimano Di2 wireless shifter

Vulnerabilities in the Shimano Di2 allow an attacker to remotely control a bike’s gear shifting or carry out a DoS attack. Source

Besides malicious gear-shifting, the researchers also explored the possibility of what they call “targeted jamming” of communications between the shifters and derailleurs. The idea is to send continuous repeat commands to the victim’s bike at a certain frequency. For example, if the upshift command is repeated over and over, the gear shifter will hit top gear and stay there, no longer responding to genuine commands from the shifter (based on the rider’s selection). This is essentially a DoS attack on the gear-shifting system.

The upshot

As the authors note, they chose Shimano as the subject of their study simply because the company has the largest market share. They didn’t examine the wireless systems of Shimano’s competitors, SRAM and Campagnolo, but admit that these too may well be vulnerable to such attacks.

Shimano was informed of the vulnerability, and appears to have taken it seriously — having already developed an update. At the time of publishing this post, however, only professional cycling teams had received it. Shimano has given assurances to make the update available to the general public later — bikes can be updated via the E-TUBE PROJECT Cyclist app.

The good news for non-professional cyclists is that the risk of exploitation is negligible. But if your bike is fitted with the Shimano Di2 wireless version, be sure to install the update when it becomes available — just in case.

Privacy-Preserving Attribution by Mozilla: what is it and what’s it for? | Kaspersky official blog
https://www.kaspersky.co.in/blog/mozilla-privacy-preserving-attribution-explained/27889/
Mon, 19 Aug 2024 15:21:24 +0000

In July 2024, with the latest version of its Firefox browser, Mozilla introduced a technology called Privacy-Preserving Attribution (PPA) — designed to track how effective online advertising is. The feature is enabled by default in Firefox 128.

This has already caught the eye of online privacy advocates, and led to headlines like “Now Mozilla too is selling user data”. The clamor got so loud that Firefox CTO Bobby Holley had to take to Reddit to explain to users what Mozilla actually did and why.

Now’s the time to take a closer look at what PPA is, why it’s needed in the first place, and why it’s appeared now.

Google Ad Topics and Facebook Link History

First, a bit of backstory. As you may recall, way back in 2019 the developers of the world’s most popular browser — Google Chrome — began hatching plans to completely disable support for third-party cookies.

These tiny files have been tracking user actions online for 30 years now. The technology is both the backbone of the online advertising industry, and the chief means of violating users’ privacy.

Some time ago, as a replacement, Google unveiled an in-house development called Ad Topics. With this technology, tracking is based on users’ Chrome browser history, and interaction history with Android apps. The rollout of Ad Topics was expected to be followed by the phasing out of support for third-party cookies in Chrome in H2 2024.

Another major digital advertising player to develop its own user-tracking technology is Meta, which likewise relies on third-party cookies. Called Link History, it makes sure that all external links in the Facebook mobile apps now get opened in its built-in browser — where the company can still snoop on your actions.

The bottom line is that ending support for third-party cookies hands even more control over to Google and Meta — owner of the world’s most popular browser and mobile OS, and of the world’s most popular social network, respectively — while smaller players will become even more dependent on them.

At the same time, user data continues to be collected on an industrial scale, and primarily by the usual suspects when it comes to claims of privacy violation: yes, Google and Facebook.

The question arises: is it not possible to develop some mechanism to allow advertisers to track the effectiveness of advertising without mass collection of user data? The answer comes in the shape of Privacy-Preserving Attribution.

Meet Prio, a privacy-preserving aggregation system

To better understand the history of this technology, we have to go back a bit in time — to 2017, when cryptographers Henry Corrigan-Gibbs and Dan Boneh of Stanford University presented a research paper. In it, they described a privacy-oriented system for collecting aggregated statistics, which they called Prio.

To greatly simplify matters, Prio is based on the following mechanism. Let’s say you want to know the average age of a group of users while preserving their privacy. You set up two (or more) piggy banks and ask each user to count out a number of coins equal to their age and, without showing them to anyone, randomly split the coins between the piggy banks.

Then you tip the coins out of the piggy banks into a pile, count them and divide by the number of users. The result is what you wanted: the average age of the users. And if at least one of the piggy banks keeps its secret (i.e., doesn’t tell anyone what went into it), then it’s impossible to determine how many coins any one user put into the boxes.

Figure: Prio’s operating principle. Prio’s main stages of information processing (Source)

Prio overlays this basic mechanism with a lot of cryptography to protect information from interception and to ensure the validity of the data received: users can’t slip answers into the system, for whatever reason, that would distort the results. The main concept lies in the use of two or more aggregators, each of which collects random shares of the sought information.

Prio’s algorithms have another key feature: they greatly improve system performance compared to previous methods of reliable anonymized data collection — by 50–100 times, say the researchers.

Distributed Aggregation Protocol

Mozilla got interested in Prio back in 2018. The first fruit of this interest was its development of the experimental system Firefox Origin Telemetry — based on Prio. Notably, this system was designed to privately gather telemetry on the browser’s ability to combat ad trackers.

Then, in February 2022, Mozilla unveiled Interoperable Private Attribution (IPA) technology, developed jointly with Meta, which, it seems, served as the prototype for PPA.

May 2022 saw the publication of a zero draft of the Prio-based Distributed Aggregation Protocol (DAP). The draft was authored by representatives of Mozilla and the Internet Security Research Group (ISRG) — a non-profit known for the Let’s Encrypt project to democratize the use of HTTPS — as well as two Cloudflare employees.

While working on the protocol, ISRG was also building a DAP-based system for collecting anonymized statistics, known as Divvi Up. This system is primarily intended to collect various technical telemetry to improve website performance, such as page load-time.

Figure: schematic of the basic operating principle of the DAP protocol (Source)

Finally, in October 2023, Divvi Up and Mozilla announced a collaboration to implement DAP in the Firefox browser. As part of this joint effort, a system of two aggregators was created — one of which operates on the Mozilla side, the other on the Divvi Up side.

How PPA works

It’s this Divvi Up/Mozilla system that’s currently being deployed with PPA technology. So far, it’s just an experiment involving a limited number of sites.

In general outline, it works as follows:

  • The website asks the browser to remember instances of successful ad views.
  • If the user performs some action that the site considers useful (for example, buys a product), the site queries the browser to find out if the user saw the ad.
  • The browser doesn’t tell the site anything, but sends information through the DAP protocol to the aggregation servers.
  • All such reports are accumulated in aggregators, and the site periodically receives a summary.

As a result, the site learns that out of X number of users who saw a certain ad, Y number of users performed actions deemed useful for the site. But neither the site nor the aggregation system knows anything about who these users were, what else they did online, etc.
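The following is an added example in Python, written for this page and not code from Mozilla, Divvi Up or the Prio authors. It ties the piggy-bank splitting from the Prio section to the four PPA steps above: each browser remembers ad views locally, and on a conversion it sends random additive shares of 1 or 0 to two aggregators instead of answering the site, so the site learns only Y out of X. The class and function names, the prime field, the constructed ad identifier and the campaign numbers are all assumptions; Prio’s validity proofs and the DAP transport are deliberately left out, which is why a dishonest client could submit a value other than 0 or 1 here.

```python
"""PPA attribution simulated with Prio-style additive secret sharing.

Added example, not code from Mozilla, Divvi Up or the Prio authors. Class,
function and message shapes are assumptions made for this illustration.
Prio's validity proofs and the DAP transport are deliberately omitted.
"""
import secrets

# Shares live in a prime field. Assumption: any prime larger than the
# largest total you will ever sum works; this one is a Mersenne prime.
PRIME = 2**61 - 1


def split_value(value: int, n_shares: int = 2) -> list[int]:
    """The piggy banks: n random shares that add up to `value` modulo PRIME.

    Every share but the last is uniformly random, so any n-1 of them reveal
    nothing about the value; only all of them together do.
    """
    if not 0 <= value < PRIME:
        raise ValueError("value outside the share field")
    shares = [secrets.randbelow(PRIME) for _ in range(n_shares - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


class Aggregator:
    """One DAP aggregator (e.g. Mozilla's or Divvi Up's). Stores only share sums per ad."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._sums: dict[str, int] = {}

    def receive(self, ad_id: str, share: int) -> None:
        self._sums[ad_id] = (self._sums.get(ad_id, 0) + share) % PRIME

    def partial_sum(self, ad_id: str) -> int:
        # On its own this number is uniformly random; it is useless to the aggregator.
        return self._sums.get(ad_id, 0)


def combine(aggregators: list[Aggregator], ad_id: str) -> int:
    """The periodic summary a site receives: the number of attributed conversions (Y)."""
    return sum(a.partial_sum(ad_id) for a in aggregators) % PRIME


class Browser:
    """One user's browser. Ad views are kept locally and never returned to the site."""

    def __init__(self, aggregators: list[Aggregator]) -> None:
        self._aggregators = aggregators
        self._seen: set[str] = set()

    def save_impression(self, ad_id: str) -> None:
        # Step 1: the site asks the browser to remember a successful ad view.
        self._seen.add(ad_id)

    def trigger_conversion(self, ad_id: str) -> None:
        # Steps 2 and 3: the site asks whether this user saw the ad. The browser
        # tells the site nothing and instead sends secret shares of 1 (saw it)
        # or 0 (did not) to the aggregators. A report goes out either way, so
        # neither the site nor a single aggregator can tell which it was.
        attributed = 1 if ad_id in self._seen else 0
        shares = split_value(attributed, len(self._aggregators))
        for aggregator, share in zip(self._aggregators, shares):
            aggregator.receive(ad_id, share)


def run_campaign(viewers: int, converting_viewers: int, converting_non_viewers: int):
    """Simulate one ad. Returns (X impressions, Y attributed conversions, per-aggregator sums)."""
    aggregators = [Aggregator("mozilla"), Aggregator("divviup")]
    ad_id = "ad-1234"  # constructed identifier
    browsers = [Browser(aggregators) for _ in range(viewers + converting_non_viewers)]
    impressions = 0
    for browser in browsers[:viewers]:
        browser.save_impression(ad_id)
        impressions += 1  # the site served the ad itself, so it knows X directly
    for browser in browsers[:converting_viewers]:
        browser.trigger_conversion(ad_id)  # bought something after seeing the ad
    for browser in browsers[viewers:]:
        browser.trigger_conversion(ad_id)  # bought something without seeing the ad
    partial_sums = [a.partial_sum(ad_id) for a in aggregators]
    return impressions, combine(aggregators, ad_id), partial_sums


if __name__ == "__main__":
    x, y, parts = run_campaign(viewers=1000, converting_viewers=37, converting_non_viewers=5)
    print(f"site learns: {y} of {x} viewers converted")
    print(f"each aggregator alone holds a random-looking number: {parts}")
```

Run it and the site-side summary comes out as 37 of 1000, while each aggregator’s partial sum is a different random-looking field element on every run: only the two added together mean anything, which is the property that makes the two-operator split (Mozilla and Divvi Up) the whole point of the design.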

Why we need PPA

In the above-mentioned statement on Reddit, Firefox’s CTO explained what Mozilla was aiming for by introducing PPA along with the new version of its browser.

The company’s reasoning is roughly the following. Online advertising, at least at this stage of the internet’s development, is a necessary evil. And it’s understandable that advertisers want to be able to measure its effectiveness. But the tools currently used for this disregard user privacy.

Meanwhile, any talk about how to somehow restrict advertisers’ tracking of users’ actions is met with protests from the former. No data collection, they argue, means they’re deprived of a tool for assessing online advertising.

Basically, PPA is an experimental tool that allows advertisers to get the feedback they need without collecting and storing data on what users did.

If the experiment shows the technology can satisfy advertisers’ needs, it will give privacy advocates a weighty argument in future dealings with regulators and lawmakers. Broadly speaking, it will prove that total online surveillance is unnecessary, and should be limited by law.

Block third-party cookies now

As it happens, almost immediately after the uproar surrounding Mozilla’s new rollout, Google announced a complete reversal of its plans to disable third-party cookies. Getting rid of stale technology can be harder than it might seem — as Microsoft found out when trying to bury Internet Explorer.

The good news is that, unlike Internet Explorer, which is indeed hard to weed out of Windows, third-party cookies are something that users can handle on their own. All modern browsers make it easy to block them — see our guide for full details.

Bear in mind that Google’s refusal to get rid of cookies doesn’t spell the end of Ad Topics — the company intends to continue the experiment. So we recommend disabling this feature too, and here’s how to do it in Chrome and Android.

And if you use the Facebook mobile app, it’s worth turning off Link History. Again, our guide explains how.

Also, you can and should make use of the Private Browsing feature in our Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscription plans to block ad trackers (by no means all of which use cookies).

Lastly, we recommend using our free Privacy Checker service, where you can find instructions on setting up privacy for the most common applications, services and social networks for different operating systems.

As for PPA, the technology looks pretty useful. If you think otherwise, here are simple instructions to disable it in Firefox. As for me, I prefer to support the development of this technology, so will continue to use it in my browser.

When two-factor authentication is useless | Kaspersky official blog
https://www.kaspersky.co.in/blog/when-two-factor-authentication-useless/27546/ Mon, 10 Jun 2024 10:25:58 +0000

Two-factor authentication (2FA) with the use of one-time passwords (OTPs) is now often seen as a cure-all against phishing, social engineering, account theft, and other cyber-maladies. By requesting an OTP at login, the service in question provides an additional protective layer of user verification. The code can be generated in a special app directly on the user’s device, although, sadly, few people bother to install and configure an authenticator app. Therefore, sites usually send a verification code in the form of a text, email, push notification, IM message, or even voice call.

Valid for a limited time, this code enhances security significantly. But a magic bullet it ain’t: even with 2FA, personal accounts remain vulnerable to OTP bots — automated software that tricks users into revealing their OTPs through social engineering.

To find out what role these bots play in phishing and how they work, read on…

How OTP bots work

Controlled either through a control panel in a web browser or through Telegram, these bots impersonate legitimate organizations such as banks to trick the victim into disclosing a sent OTP. Here’s how it unfolds:

  1. Having obtained the victim’s login credentials — including password (see below for how this is done) — the scammer logs into the victim’s account and is asked to enter an OTP.
  2. The victim receives the OTP on their phone.
  3. The OTP bot calls the victim and, using a pre-recorded social engineering script, asks them to enter the received code.
  4. The unsuspecting victim keys in the code right there on their phone during the call.
  5. The code is relayed to the attacker’s Telegram bot.
  6. The scammer gains access to the victim’s account.

The key function of the OTP bot is to call the victim, and the success of the scam hinges on how persuasive the bot is: OTPs have a short lifespan, so the chances of obtaining a valid code during a phone call are much higher than any other way. That’s why OTP bots offer numerous options for fine-tuning the call parameters.

Figure: list of OTP bot features. This OTP bot boasts over a dozen features: ready-made and customized scripts in multiple languages, 12 operation modes, and even 24/7 tech support

OTP bots are a business, so to get started, scammers buy a subscription in crypto costing the equivalent of up to $420 per week. They then feed the bot with the victim’s name, number, and banking details, and select the organization they want to impersonate.

Figure: Telegram bot menu for capturing OTPs. The user-friendly bot menu is accessible even to scammers with no programming skills

For plausibility, the scammers can activate the spoofing function by specifying the phone number that the call appears to come from, which is displayed on the victim’s phone. They can also customize the language, and even the voice of the bot. All voices are AI-generated, so, for example, the OTP bot can “speak” English with an Indian accent, or Castilian Spanish. If a call gets forwarded to voicemail, the bot knows to hang up. And to make sure everything is configured correctly, the fraudsters can check the OTP bot settings by making a call to their own test number before commencing an attack.

The victim needs to believe that the call is legitimate, so, before dialing the number, some OTP bots can send a text message warning about the upcoming call. This lulls the target’s vigilance since at first glance there’s nothing suspicious: you get a text notification from the “bank” about an upcoming call, and a few minutes later they do call — so it can’t possibly be a scam. But it is.

During a call, some bots may request not only an OTP, but other data as well, such as bank card number and expiry date, security code or PIN, date of birth, document details, and so on.

For a deeper dive into the inner workings of OTP bots, check out our report on Securelist.

Not by bot alone

While OTP bots are effective tools for bypassing 2FA, they’re utterly useless without the victim’s personal data. To gain account access, attackers need at least the victim’s login, phone number and password. But the more information they have on the target (full name, date of birth, address, email, bank card details), the better (for them). This data can be obtained in several ways:

  • On the dark web. Hackers regularly put up databases for sale on the dark web, allowing scammers to buy login credentials — including passwords, bank card numbers, and other data. They may not be very fresh, but most users, alas, don’t change their passwords for years, and other details stay relevant for even longer. Incidentally, Kaspersky Premium promptly notifies you of any data breaches involving your phone number or email address, while Kaspersky Password Manager reports password compromise incidents.
  • From open-source intelligence. Sometimes databases get leaked to the public on the “normal” web, but due to media coverage they quickly grow outdated. For example, the standard practice of a company on discovering a customer data breach is to reset the passwords for all leaked accounts and prompt users to create a new password at the next login.
  • Through a phishing attack. This method has an undeniable advantage over others — the victim’s data is guaranteed to be up-to-date because phishing can take place in real time.

Phishing kits (phishkits) are tools that allow scammers to automatically create convincing fake websites to harvest personal data. They save time and let cybercriminals collect all the user information they need in a single attack (in which case OTP bots are just one part of a phishing attack).

For example, a multi-stage phishing attack might go like this: the victim receives a message supposedly from a bank, store, or other organization, urging them to update their personal account data. Attached to this message is a phishing link. The expectation is that upon landing on a site that’s almost identical to the original, the victim will enter — and the phishers will steal — their login credentials. And the attackers will use these straight away to log in to the victim’s real account.

If the account is 2FA-protected, the scammers issue a command to the phishing kit control panel to display an OTP entry page on the phishing site. When the victim enters the code, the phishers get full access to the real account, allowing them, for example, to drain bank accounts.

But it doesn’t end there. Scammers take the opportunity to extract as much personal information as possible, pressuring the user to “confirm their credentials” as a mandatory requirement. Through the control panel, the attackers can request email address, bank card number, and other sensitive data in real time. This information can be used to attack other accounts of the victim. For example, they could attempt to access the victim’s mailbox with the phished password — after all, people often reuse the same password for many if not all their accounts! Once they get access to email, the attackers can really go to town: for example, change the mailbox password and after a brief analysis of mailbox content request a password reset for all other accounts linked to this address.

Figure: options for requesting additional data in the phishing kit control panel

How to keep your accounts safe

  • Always use Kaspersky Premium to automatically scan for data leaks affecting your accounts that are linked to email addresses and phone numbers — both yours and your family’s. If a breach is detected, follow the app’s advice for mitigation (at the very least, change your password right away).
  • If you suddenly receive an OTP, be wary. Someone might be trying to hack you. For details on what to do in this case, see our instructions.
  • Create strong and unique passwords for all your accounts with Kaspersky Password Manager. Scammers can’t attack you with OTP bots unless they know your password, so generate complex passwords and store them securely.
  • If you receive a message with a link to enter personal data or an OTP, double-check the URL. A favorite trick of scammers is to direct you to a phishing site by substituting a couple of characters in the address bar. Always take a moment to verify that you’re on a legitimate site before entering any sensitive data. By the way, our protection blocks all phishing redirection attempts.
  • Never share your OTPs with anyone or enter them on your phone keypad during a call. Remember that legitimate employees of banks, stores, or services, or even law enforcement officers will never ask for your OTP.
  • Stay ahead of the game. Subscribe to our blog to make your life in cyberspace more secure.
Kaspersky SIEM: normalizers and correlation rules | Kaspersky official blog
https://www.kaspersky.co.in/blog/unified-monitoring-and-analysis-normalizers-correlation-rules/27538/ Thu, 06 Jun 2024 16:37:51 +0000

A security information and event management (SIEM) system can’t remain static; its detection logic needs to constantly evolve. The threat landscape is ever-changing, which means you need to keep adding new rules regularly for effective data analysis. Admittedly, the bulk of correlation rules are inevitably fine-tuned by the internal information security team, but having up-to-date rules out of the box is crucial in easing this process. Another important point is that a SIEM system must be capable of adapting to the evolution of the corporate IT infrastructure, and be prepared to use new event sources – each of which often requires a new normalizer (the mechanism for converting data from arbitrary sources to a single format). We’re constantly working on this, adding new normalizers and correlation rules to the Kaspersky Unified Monitoring and Analysis Platform. This post details what was added in version 3.0.3.

New and refined normalizers

In between versions 2.1 and 3.0.3 of the Kaspersky Unified Monitoring and Analysis Platform, we released 99 update packages with new or improved normalizers. These include 63 updates that provide support for new event sources, and 38 that improve existing normalizers by adding support for new event types and making various refinements and fixes. The remaining updates contain continuously enhanced correlation rules, filters, and other usability-oriented resources.

Other new additions include normalizers that introduce support for the following event sources:

  • Cisco Prime, for Cisco Prime 3.10 events received through syslog
  • PowerDNS, for processing PowerDNS Authoritative Server 4.5 events received through syslog
  • Microsoft Active Directory Federation Service (AD FS), for processing Microsoft AD FS events. The normalizer provides support for this event source starting with Kaspersky Unified Monitoring and Analysis Platform version 3.0.1
  • Microsoft Active Directory Domain Service (AD DS), for processing Microsoft AD DS events. The normalizer also provides support for this event source starting with Kaspersky Unified Monitoring and Analysis Platform version 3.0.1
  • NetApp ([OOTB] NetApp syslog, for processing NetApp ONTAP 9.12 events received through syslog; and [OOTB] NetApp file, for processing NetApp ONTAP 9.12 events stored in a file)
  • RedCheck Desktop, for processing RedCheck Desktop 2.6 logs stored in a file
  • MikroTik networking hardware
  • PostgreSQL DBMS
  • MySQL DBMS
  • VMware ESXi
  • Microsoft 365

In addition, our experts have refined the following normalizers:

  • For Microsoft products: revised the normalizer structure and added support for new products and additional event types
  • For PT NAD: implemented support for events of the current product version
  • For UNIX-like operating systems: implemented support for additional event types
  • For Juniper networking devices: made significant normalizer revisions and optimizations
  • For Citrix NetScaler: implemented support for additional event types

Updated correlation rules

We’ve significantly improved the content of all existing correlation rules in the SOC Content package, while focusing on validating rule logic and refining the rules with inputs from our customers’ real-life experiences. We’ve also improved the quality of the rule descriptions, including incident description rules.

Along with updating the Russian-language SOC Content package, we’ve also released a full-fledged English-language SOC Content package, fully synchronizing its content with the Russian version. From now on, we plan to update the two packages in sync.

The platform now offers over 500 rules, along with further essential tools such as active lists, filters, and dictionaries.

Correlation rule format

We’re planning to add markup for existing rules soon in accordance with MITRE ATT&CK® tactics and techniques. This will expand the system’s capabilities to visualize the level of protection against all known threats.

When choosing avenues for development, we generally align with the MITRE ATT&CK® knowledge base – the de facto industry standard. We also consider feedback from our customers that we get during pilots, integration projects, consulting sessions, or even in emails received by account managers, as well as the experiences of our own SOC – one of the most successful and skilled teams in the industry.

How updates are delivered to the SIEM system

All the content we develop is distributed through the Kaspersky Update Servers subsystem to shorten delivery times. The subsystem requests updates and notifies the operator of them automatically, but leaves the decision to apply them to the operator. This helps administrators receive information about available updates quickly, review the contents of each update, and decide whether to introduce new resources in the infrastructure or update existing ones.

The update subsystem significantly expands the capabilities of the Kaspersky Unified Monitoring and Analysis Platform to respond rapidly to changes in the threat landscape and infrastructure. The option to use it without direct internet access ensures that data processed by the SIEM system remains secure and within the perimeter, while users can get the latest system content updates.

The complete list of event sources supported in Kaspersky Unified Monitoring and Analysis Platform 3.0.3 is available in the technical support section, where you also can find information about the correlation rules. Of course, our SIEM updates aren’t limited to new normalizers and detection logic: we recently wrote about UI enhancements and routine automation.

The most dangerous CVEs of 2023 and 2024: fix these today
https://www.kaspersky.co.in/blog/top-exploited-vulnerabilities-cve-2023-q1-2024/27506/ Wed, 29 May 2024 18:00:30 +0000

The number of software vulnerabilities discovered annually continues to grow, with total vulnerabilities discovered in a year fast approaching the 30,000 mark. But it’s important for cybersecurity teams to identify precisely which vulnerabilities attackers are actually exploiting. Changes in the list of criminals’ favorite vulnerabilities greatly influence which updates or countermeasures should be prioritized. That’s why we regularly monitor these changes. Here are the conclusions that can be drawn from our Exploit and Vulnerability Report for Q1 2024.

Vulnerabilities are becoming increasingly critical; exploits — easily available

Thanks to bug bounty programs and automation, vulnerability hunting has increased significantly in scale. This means vulnerabilities are discovered more frequently, and when researchers find an interesting attack vector, the first identified vulnerability is often followed by a whole series of others — as we recently saw with Ivanti solutions. 2023 set a five-year record for the number of critical vulnerabilities found. At the same time, vulnerabilities are becoming increasingly accessible to an ever-wider range of attackers and defenders: for more than 12% of discovered vulnerabilities, proofs of concept (PoC) became publicly available shortly after disclosure.

Exponential growth of Linux threats

Although the myth that “no one attacks Linux” has already been dispelled, many specialists still underestimate the scale of Linux threats. Over the last year, the number of exploited CVEs in Linux and popular Linux applications increased more than threefold. The lion’s share of exploitation attempts target servers, as well as various devices based on *nix systems.

A striking example of the interest of attackers in Linux was the multi-year operation to compromise the XZ library and utilities in order to create an SSH backdoor in popular Linux distributions.

OSs contain more critical flaws, but other applications are exploited more often

Operating systems were found to contain the most critical vulnerabilities with available exploits; however, critical defects in OSs are rarely useful for initially penetrating an organization’s information infrastructure. Therefore, if you look at the top vulnerabilities actually exploited in APT cyberattacks, the picture changes significantly.

In 2023, the top spot in the exploited vulnerabilities list changed hands: after many years of MS Office holding it, WinRAR took its place with CVE-2023-38831 — used by many espionage and criminal groups to deliver malware. However, the second, third, and fifth places in 2023 were still occupied by Office flaws, with the infamous Log4shell joining them in fourth place. Two vulnerabilities in MS Exchange were also among the most frequently exploited.

In the first quarter of 2024, the situation changed completely: very convenient security holes in internet-accessible services opened up for attackers, allowing mass exploitation — namely in the MSP application ConnectWise, and also Ivanti’s Connect Secure and Policy Secure. In the popularity ranking, WinRAR has dropped to third place, and Office has disappeared from the top altogether.

Organizations are too slow in patching

Only three vulnerabilities from the top 10 last year were discovered in 2023. The rest of the actively exploited CVEs date back to 2022, 2020, and even 2017. This means that a significant number of companies either selectively update their IT systems or leave some issues unaddressed for several years without applying countermeasures at all. IT departments can rarely allocate enough resources to patch everything on time, so a smart medium-term solution is to invest in products for automatic detection of vulnerable objects in IT infrastructure and software updating.

The first weeks after a vulnerability is publicly disclosed are the most critical

Attackers try to take full advantage of newly published vulnerabilities, so the first weeks after an exploit appears see the most activity. This should be considered when planning update cycles. It’s essential to have a response plan in case a critical vulnerability appears that directly affects your IT infrastructure and requires immediate patching. Of course, the automation tools mentioned above greatly assist in this.

New attack vectors

You can’t focus only on office applications and “peripheral” services. Depending on an organization’s IT infrastructure, significant risks can arise from the exploitation of other vectors — less popular but very effective for achieving specific malicious goals. Besides the already mentioned CVE-2024-3094 in XZ Utils, other vulnerabilities of interest to attackers include CVE-2024-21626 in runc — allowing escape from a container, and CVE-2024-27198 in the CI/CD tool TeamCity — providing access to software developer systems.

Protection recommendations

Maintain an up-to-date and in-depth understanding of the company’s IT assets, keeping detailed records of existing servers, services, accounts, and applications.

Implement an update management system that ensures the prompt identification of vulnerable software and patching. The Kaspersky Vulnerability Assessment and Patch Management solution combined with the Kaspersky Vulnerability Data Feed is ideal for this.

Use security solutions capable of both preventing the launch of malware and detecting and stopping attempts to exploit known vulnerabilities on all computers and servers in your organization.

Implement a comprehensive multi-level protection system that can detect anomalies in the infrastructure and targeted attacks on your organization, including attempts to exploit vulnerabilities and the use of legitimate software by attackers. For this, the Kaspersky Symphony solution, which can be adapted to the needs of companies of varying size, is perfectly suited.

Updating our SIEM system to version 3.0.3 | Kaspersky official blog
https://www.kaspersky.co.in/blog/siem-platform-ux-updates/27465/ Tue, 21 May 2024 18:20:31 +0000

For many InfoSec teams, security information and event management (SIEM) is at the heart of what they do. A company’s security depends to a large extent on how well its SIEM system allows experts to focus directly on combating threats and avoid routine tasks. That’s why almost every update of our Kaspersky Unified Monitoring and Analysis Platform is aimed at improving the user interface, automating routine processes and adding features to make the work of security teams easier. Many of the improvements are based on feedback from our customers’ InfoSec experts. In particular, the latest version of the platform (3.0.3) introduces the following features and improvements.

Writing filter conditions and correlation rules as code

Previously, analysts had to set filters and write correlation rules by clicking the conditions they needed. In this update, the redesigned interface now allows advanced users to write rules and conditions as code. Builder mode remains: filter and selector conditions are automatically translated between builder and code modes.

Figure: the same rule condition in builder and code modes

What’s more, builder mode also lets you write conditions using the keyboard. As soon as you start entering a filter condition, Kaspersky Unified Monitoring and Analysis Platform will suggest suitable options from event fields, dictionaries, active lists, etc. To narrow down the range of options, simply enter the appropriate prefix. For your convenience, condition types are highlighted in different colors.

Code mode lets you quickly edit correlation rule conditions, as well as select and copy conditions as code and easily transfer them between different rules or different selectors within a rule. The same code blocks can also be moved to filters (a separate system resource), which greatly simplifies their creation.

Extended event schema

Kaspersky Unified Monitoring and Analysis Platform retains Common Event Format (CEF) as the basis for the event schema, but we have added the ability to create custom fields, which means you can now implement any taxonomy. You’re no longer limited to vendor-defined fields: you can name event fields anything you want to make it easier to write search queries. Custom fields are typed and must begin with a prefix that determines the field’s type and whether it is an array. Fields with arrays can only be used in JSON and KV normalizers.

Figure: example of normalization using CEF fields and custom fields

Automatic identification of event source

Kaspersky Unified Monitoring and Analysis Platform administrators no longer need to set up a separate collector for each event type or open ports for each collector on the firewall – in the new version we have implemented the ability to collect events of different formats with a single collector. The collector selects the correct normalizer based on the source IP address. Using a chain of normalizers is permitted. For example, the [OOTB] Syslog header normalizer accepts events from multiple servers and allows you to define a DeviceProcessName and direct bind events to the [OOTB] BIND Syslog normalizer and squid events to the [OOTB] Squid access Syslog normalizer.

Figure: Kaspersky Unified Monitoring and Analysis Platform event parsing

The following event normalization options are now available:

1 collector – 1 normalizer. We recommend using this method if you have many events of the same type or many IP addresses from which events of the same type may originate. In terms of SIEM performance, configuring a collector with only one normalizer would be optimal.

1 collector – multiple normalizers, selected by IP address. This method is available for collectors with a UDP, TCP or HTTP connector. If a UDP, TCP or HTTP connector is specified in the collector at the Transport step, then at the Event Parsing step, on the Parsing settings tab, you can list multiple IP addresses and select which normalizer to use for events arriving from each of them. The following normalizer types are available: JSON, CEF, regexp, Syslog, CSV, KV, XML. For Syslog or regexp normalizers, you can specify additional normalization conditions depending on the value of the DeviceProcessName field. Bear in mind that the routing key is the sender’s address: UDP source addresses can be spoofed, and senders behind the same NAT share one address, so keep the per-address list tight and watch for events that land in an unexpected normalizer.
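The two-stage setup described above (pick a normalizer by sender address, then let the syslog header normalizer route on DeviceProcessName) can be written out as a small collector. This is an added example, not the product’s code: the routing table, the CEF-style field names, the BIND and Squid message shapes and the four log lines are all constructed for illustration.

```python
"""One collector, several normalizers: pick by source IP, then chain a syslog
header normalizer into per-application normalizers via DeviceProcessName.

Added example, not the product's code. Routing table, field names and the
sample log lines are constructed; the BIND and Squid message layouts follow
those daemons' usual defaults but are not taken from the page.
"""
import json
import re
from ipaddress import ip_address, ip_network

# RFC 3164-style header: <PRI>Mon DD HH:MM:SS host app[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# BIND query log body: client [@0x...] ip#port (qname): query: qname class type ...
BIND_RE = re.compile(
    r"^client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#(?P<sport>\d+) \((?P<qname>[^)]+)\): "
    r"query: \S+ (?P<qclass>\S+) (?P<qtype>\S+)"
)
# Squid native access log body: ts elapsed client action/status bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+) (?P<client>\S+) (?P<action>[A-Z_]+)/(?P<status>\d{3}) "
    r"(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+)"
)


def normalize_bind(msg):
    """Second-stage normalizer for BIND query log lines (assumed field names)."""
    m = BIND_RE.match(msg)
    if not m:
        return {}
    return {"SourceAddress": m["src"], "SourcePort": int(m["sport"]),
            "DestinationDnsDomain": m["qname"],
            "DeviceCustomString1": m["qtype"], "DeviceCustomString1Label": "query type"}


def normalize_squid(msg):
    """Second-stage normalizer for Squid access log lines (assumed field names)."""
    m = SQUID_RE.match(msg)
    if not m:
        return {}
    return {"SourceAddress": m["client"], "DeviceAction": m["action"],
            "DeviceCustomNumber1": int(m["status"]), "DeviceCustomNumber1Label": "HTTP status",
            "BytesIn": int(m["bytes"]), "RequestMethod": m["method"], "RequestUrl": m["url"]}


# Second stage of the chain, keyed by the process name found in the syslog header.
PROCESS_NORMALIZERS = {"named": normalize_bind, "squid": normalize_squid}


def normalize_syslog(raw):
    """Syslog header normalizer: fills DeviceProcessName, then hands the body on."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    event = {"DeviceHostName": m["host"], "DeviceProcessName": m["app"], "Message": m["msg"]}
    sub = PROCESS_NORMALIZERS.get(m["app"])
    if sub is not None:
        event.update(sub(m["msg"]))
    return event


def normalize_json_event(raw):
    """Plain JSON normalizer for a sender that does not speak syslog."""
    try:
        d = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return {"SourceAddress": d.get("src"), "Name": d.get("name"), "SourceUserName": d.get("user")}


# Source-IP routing table (constructed); the first matching entry wins.
IP_NORMALIZERS = [
    (ip_network("10.0.0.53/32"), normalize_syslog),      # DNS resolver
    (ip_network("10.0.1.0/24"), normalize_syslog),       # proxy farm
    (ip_network("10.0.2.10/32"), normalize_json_event),  # app server posting JSON
]


def collect(source_ip, raw):
    """Collector entry point: choose the normalizer by sender address.

    Returns the normalized event, or None when no normalizer is configured for
    the sender or the line does not parse. In production, count and alert on the
    None cases rather than silently dropping them.
    """
    ip = ip_address(source_ip)
    for net, normalizer in IP_NORMALIZERS:
        if ip in net:
            event = normalizer(raw)
            if event is not None:
                event["DeviceAddress"] = source_ip
            return event
    return None


# Constructed sample input: four senders, three formats, one collector.
SAMPLES = [
    ("10.0.0.53", "<30>Sep 19 14:48:03 ns1 named[1234]: client @0x7f3a1c0 10.0.0.23#51234 "
                  "(example.com): query: example.com IN A +E(0) (10.0.0.53)"),
    ("10.0.1.7", "<30>Sep 19 14:48:04 proxy1 squid[777]: 1726757284.123    245 10.0.0.23 "
                 "TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html"),
    ("10.0.2.10", '{"src": "10.0.2.10", "name": "login", "user": "alice"}'),
    ("192.0.2.1", "<30>Sep 19 14:48:05 rogue sshd[1]: no normalizer is configured for this sender"),
]

if __name__ == "__main__":
    for ip, line in SAMPLES:
        print(ip, "->", collect(ip, line))
```

Two behaviours are worth checking in your own setup: a line from a routed address that the header normalizer cannot parse is dropped rather than stored half-normalized, and a sender outside the routing table is ignored entirely, which is exactly what a spoofed or NAT-merged source looks like from the collector’s side.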

These are by no means the only updates to Kaspersky Unified Monitoring and Analysis Platform. There are also changes related to context tables, simplified binding of rules to correlators and other improvements. All of them are designed to improve the user experience for InfoSec professionals – see the full list here. To learn more about our SIEM system, Kaspersky Unified Monitoring and Analysis Platform, please visit the official product page.

How carmakers sell driver data to insurers | Kaspersky official blog
https://www.kaspersky.co.in/blog/car-manufacturers-silently-sell-user-telematics-data/27445/
Thu, 16 May 2024 08:34:27 +0000

Early in the movie “The Fifth Element”, there is a sequence that shows the dystopian nature of the future world: Korben Dallas’s smart taxi fines him for a traffic violation and revokes his license. Back in 1997, this seemed like science fiction – and it was. Today it’s turning into reality. But first things first.

Not so long ago, we looked at the potential dangers associated with the amount of data modern vehicles collect about their owners. Then, even more recently, an investigation revealed what this might mean in practice for drivers.

It turns out that carmakers, through specialized data brokers, are already selling telematics data to insurance companies, who are using it to raise the cost of insurance for careless drivers. Most alarming of all, however, is that car owners are often kept in the dark about all of this. Let’s investigate further.

Gamification of safe driving with far-reaching consequences

It all started in the US when owners of General Motors vehicles (General Motors is the parent company of the Chevrolet, Cadillac, GMC, and Buick brands) noticed a sharp rise in their auto insurance premiums compared to their previous policy term. The reason, it transpired, was the risk profiling done by data broker LexisNexis. LexisNexis works with auto insurers to supply them with driver information, usually about accidents and traffic fines. But the vehicle owners hit by the premium hike had no history of accidents or dangerous driving!

The profiles compiled by LexisNexis were found to contain detailed data on all trips made in the insured vehicle, including start and end times, duration, distance and, crucially, all instances of hard acceleration and braking. And it was this data that insurers were using to increase insurance premiums for less-than-perfect drivers. Where did the data broker get such detailed information?

From General Motors’ OnStar Smart Driver. That is the name of the “safe driving gamification” feature built into General Motors vehicles and the myChevrolet, myCadillac, myGMC, and myBuick mobile apps. The feature tracks hard acceleration and braking, speeding, and other dangerous events, and rewards “good” driving with virtual awards.

The OnStar Smart Driver safe driving gamification feature is built into the myChevrolet, myCadillac, myGMC, and myBuick mobile apps by General Motors.

What’s more, according to some car owners, they didn’t enable the feature themselves – the car dealer did it for them. Crucially, neither General Motors’ apps nor the terms of use explicitly warned users that OnStar Smart Driver data would be shared with insurance-related data brokers.

This lack of transparency extended to the privacy statement on the OnStar website. While the statement mentions the possibility of sharing collected data with third parties, insurers are not specifically listed, and the text generally aims for maximum vagueness.

Along the way, LexisNexis was discovered to be working with three other automakers besides General Motors – Kia, Mitsubishi, and Subaru – all of which have similar safe driving gamification programs under names like “Driving Score” or “Driver Feedback”.

According to the LexisNexis website, the companies that work with the data broker include General Motors, Kia, Mitsubishi, and Subaru.

At the same time, another data broker – Verisk – was found to be providing telematics data to car insurers. Its automotive clients include General Motors, Honda, Hyundai, and Ford.

Another broker, Verisk, lists General Motors, Honda, Hyundai, and Ford in its telematics sales service description.

As a result, many drivers found themselves, in effect, enrolled in car insurance priced according to their driving habits. Such usage-based programs used to be voluntary and offered a discount for participation, and even then most drivers opted out. Now it appears that carmakers are enrolling customers not only without their consent, but without their knowledge.

According to available information, this is currently only happening to drivers in the US. But what starts in the States usually migrates, so similar practices may soon appear in other regions.

How to protect yourself from data-hungry cars

Unfortunately, there is no silver bullet to stop your automobile from harvesting data. Most new vehicles already come with built-in telematics collection as standard, and their share is only going to grow: in a year or two such cars will make up more than 90% of the market. Naturally, your car’s maker won’t make it easy, or even possible, to turn telematics off.

If you’re ready to tackle the fact that your car collects data on you for third parties (spying, in plain words), read our post with detailed tips on how you can try to get rid of surveillance by carmakers. Spoiler alert: it’s not easy, it requires careful study of the documentation, and it means giving up some of the benefits of a connected car, so these tips won’t suit everyone.

As for the scenario described in this post of selling driver data to insurers, our advice is to search the in-vehicle menu and mobile app for a safe driving gamification feature and disable it. It may be called “Smart Driver”, “Driving Score”, “Driver Feedback”, or something similar. US-based drivers are also advised to request their data from LexisNexis and Verisk to be prepared for nasty surprises, and to see if it’s possible to delete information that has already been collected.
