January 2024: ransomware attack on Toronto Zoo
One of the first major ransomware incidents of 2024 was the January attack on Canada’s biggest zoo, located in Toronto. The zoo’s management was quick to reassure the public that no systems related to animal care were impacted. Indeed, its website and ticketing service were also unaffected, so the zoo continued to welcome visitors as usual.
The official Toronto Zoo website reports a cyberattack and assures that all animals are fine. Source
It soon transpired that the attackers had stolen a significant amount of zoo employees’ personal information — dating back to 1989. This incident served as yet another reminder that even organizations far removed from critical sectors can become targets of ransomware attacks.
February 2024: $3.09 billion attack on UnitedHealth
February’s attack on the U.S. healthcare insurance giant UnitedHealth would easily claim the “ransomware incident of the year” award if such existed. The attack was in fact carried out on Optum Insight, a UnitedHealth subsidiary that provides technology-enabled services.
Getting granular here, the direct target was Change Healthcare, which has been part of Optum since 2022. This company’s platform serves as a financial intermediary between payers, patients, and healthcare providers. The attack took down over a hundred different Optum digital services. As a result, UnitedHealth was able to process neither electronic payments nor medical applications. Essentially, the company couldn’t perform its core function — causing chaos across the U.S. healthcare system.
The attack’s repercussions were so extensive that UnitedHealth even set up a dedicated website to provide updates about the process of restoring the company’s affected IT systems. The bulk of the restoration work was carried out in the first months after the attack. However, almost a year on, the site continues to post regular updates, and some systems still have the “service partially available” status.
A few days after the attack, the ransomware gang BlackCat/ALPHV claimed responsibility. In addition, they reported stealing 6TB of confidential data — including medical records, financial documents, personal data of U.S. civilians and military personnel, and a wealth of other sensitive information.
UnitedHealth ended up paying the gang a $22 million ransom. And it’s rumored that the company had to pay up again when BlackCat’s accomplices from the RansomHub group claimed they hadn’t received their share and began leaking the stolen data into the public domain.
However, compared to the total financial losses caused by the incident, the ransom was a mere drop in the ocean. UnitedHealth’s own financial reports estimate the damage in Q1 alone at $872 million. As for the total damage for the year 2024, it reached an eye-watering $3.09 billion.
According to the latest reports, the attackers stole medical data of more than 100 million patients, which is approximately one in three U.S. residents!
March 2024: Panera Bread’s week-long outage
In March, ransomware attackers targeted U.S. food-chain giant Panera Bread. The incident knocked out many of its IT systems, including the online ordering service, offline payment system, telephony, website and mobile apps, loyalty program, various internal systems for employees, and other services.
Stub message on the Panera Bread website. Source
Over 2000 restaurants in the Panera Bread chain continued to operate after the attack — but in stone-age conditions: payment was by cash only; subscription offers (such as unlimited drinks for $14.99 per month) were temporarily unavailable; loyalty program points weren’t awarded; and restaurant staff had to manually coordinate their work schedules with managers. The outage lasted about a week.
During the attack, as we learned three months later, the personal data of Panera Bread employees was stolen. By the looks of it, the company ended up paying a ransom to keep that data from being published.
April 2024: Hunters International attack on Hoya Corporation
Early April saw an attack on Hoya Corporation, the major Japanese optics manufacturer. In an official statement, the company said that the systems of some manufacturing plants, plus the ordering system for several products had been affected.
Hunters International demanded a ransom of $10 million (151.56 BTC at the then exchange rate) from Hoya Corporation. Source
A week after the incident, it was confirmed as a ransomware attack. The Hunters International ransomware-as-a-service group’s website reported that the attackers had stolen 1.7 million files from Hoya (around 2TB), and demanded a ransom of $10 million.
May 2024: Major disruptions at U.S. healthcare network Ascension
In early May, Ascension, one of the largest healthcare networks in the United States, had some of its systems taken offline due to a “cybersecurity event”. The “event” in question was soon revealed to be a ransomware attack on the organization’s IT infrastructure. The disruption affected electronic medical records, telephony, and systems for ordering tests, procedures, and medications.
As a result, some hospitals run by Ascension couldn’t admit emergency patients, and had to divert ambulances to other facilities. Healthcare workers also reported having to switch to pen and paper and writing out medical referrals from memory.
Restoring the affected electronic systems took over a month. The Black Basta ransomware group claimed responsibility for the attack. The investigation revealed that the root cause of the attack was an employee who downloaded a malicious file onto a company device.
It was revealed in late 2024 that the cybercriminals had stolen the personal data of 5.6 million patients and hospital staff. This data included medical records, payment details, insurance information, social security and ID numbers, addresses, dates of birth, and more. As compensation, Ascension offered all those affected a free two-year subscription to its identity-theft protection service.
June 2024: Ransomware attack on healthcare provider hits London hospitals
In early June, news broke of a ransomware attack on Synnovis, a UK company providing pathology and diagnostic services to several major London hospitals. As a result, over 800 surgeries were canceled and some patients diverted to other facilities.
Major outage reported on the website of Synnovis, a healthcare provider for several major London hospitals. Source
One of the worst consequences of the attack was that doctors were unable to match donor and patient blood types, forcing them to use the universal blood type O. This quickly led to a shortage.
July 2024: Los Angeles County Superior Court shut down by ransomware
The Los Angeles County Superior Court, the largest single unified trial court in the United States, suspended all 36 courthouses in the county due to a ransomware attack. Both external services (such as the court’s website and the jury duty portal) and internal resources (including the case management system) were impacted.
The Los Angeles courts reopened two days later, but restoring publicly-accessible electronic services took about a week longer. After that, however, the Superior Court stopped updating the public about the incident, so it’s unknown how long it took to restore the courts’ internal systems. It also remains a mystery whether the court paid a ransom or what data the attackers may have gotten away with.
August 2024: Ransomware attack on vodka maker Stoli
In August, a ransomware attack targeted Stoli Group, the producer of Stolichnaya vodka and multiple other beverages. The incident had a serious impact on the company’s IT infrastructure and operations: an ERP system failure meant that all internal processes, including accounting, had to be transferred to manual mode.
In particular, the incident meant that Stoli Group companies couldn’t submit financial statements to creditors — which alleged that the Stoli companies failed to repay a debt of $78 million. Stoli Group had to file for bankruptcy in December.
September 2024: Highline Public Schools closure due to ransomware
In early October, Highline Public Schools, a public school district in the U.S. state of Washington, temporarily closed all 34 of its member schools, which serve more than 17,000 students and employ around 2000 staff. The cyberattack halted all educational activities, including sports events and meetings, for four school days.
About a month after the incident, Highline’s management confirmed that the attack was ransomware-related. Unfortunately, Highline Public Schools officials never disclosed whether any personal information of staff or students had been compromised. As a precaution, however, the district offered all Highline employees one year of free credit and identity monitoring services.
Although the schools were quite quick to reopen, it took a long time to restore the IT infrastructure back to normal operation. Regretfully, more than a month passed before employees and students were finally urged to change their passwords and reinstall the operating system on all school-supplied devices.
October 2024: Ransomware attack on Casio
In early October, Japan’s Casio, the renowned electronics manufacturer, reported unauthorized access to its network. According to its statement, the incident resulted in failure of IT systems and unavailability of certain unspecified services.
Five days later, the ransomware group Underground claimed responsibility for the attack. The group also stole data during the hack, which it posted on its website — including confidential documents, patent information, employees’ personal data, legal and financial documents, project information, and so on. The very next day, Casio confirmed the data theft.
In early 2025, Casio released more details about the number of people whose data had been stolen. According to the company, a total of 8500 people were affected, of which around 6500 were employees, and 2000 were business partners. At the same time, Casio reported not paying a ransom to the attackers and announced that most (but not all) services were already back up and running.
Interestingly, in that same October 2024, Casio was the victim of another successful attack, unrelated to the above ransomware incident.
November 2024: Ransomware attack on Bologna FC
In November, ransomware claimed a rather atypical victim — the Italian soccer club Bologna FC. The club posted on its website an official statement about a ransomware attack, warning that “it is a serious criminal offence” to store or distribute stolen data.
The Italian soccer club Bologna FC website reports a ransomware attack. Source
The RansomHub group claimed responsibility for the hack. Later, it published the stolen data after the club refused to pay the ransom. According to the attackers, the leaked information included sponsorship contracts, the club’s complete financial history, personal and confidential player data, medical records, transfer strategies, confidential data of fans and club employees, and much more.
December 2024: Ransomware attacks medical tissue and equipment supplier Artivion
In December, Artivion, a global supplier of tissues and equipment for cardiac surgery, announced that its IT infrastructure had been compromised by a cyberattack. The attackers encrypted some of the company’s systems and stole data from affected computers.
According to Artivion, the incident caused “disruptions to some order and shipping processes”, as well as corporate operations. The company also reported being insured against such incidents, but the policy may not fully cover the damage caused by the attack.
How to defend against ransomware attacks
Ransomware continues to evolve, and every year the attacks take on new, complex forms. Therefore, in today’s world, effective protection against ransomware requires a comprehensive approach. We recommend the following security measures:
- Provide training courses for employees so they can learn about the basics of cybersecurity.
- Implement proper data storage and employee access
- Back up data regularly, and keep the backups in network-isolated storage.
- Install reliable protection on all corporate devices.
- Use an XDR solution to monitor suspicious network activity.
- Outsource threat detection and response to a specialist company if your in-house information-security service lacks the resources for it.
Are there viruses for macOS?
Yes — and plenty of ’em. Here are some examples of Mac malware we’ve previously covered on Kaspersky Daily and Securelist:
- A crypto-wallet-stealing Trojan disguised as pirated versions of popular macOS apps.
This Trojan’s malicious payload is stored in the “activator”. The cracked app won’t work until it’s launched.Source
- Another crypto-stealing Trojan, this one masquerading as a PDF document titled “Crypto-assets and their risks for financial stability”.
- A Trojan that used infected Macs to create a network of illegal proxy servers for routing malicious traffic.
- The Atomic stealer, distributed as a fake Safari update.
We could go on with this list of past threats, but let’s instead now focus on one of the latest attacks targeting macOS users, namely – the Banshee stealer…
What the Banshee stealer does
Banshee is a fully-fledged infostealer. This is a type of malware that searches the infected device (in our case, a Mac) for valuable data and sends it to the criminals behind it. Banshee is primarily focused on stealing data related to cryptocurrency and blockchain.
Here’s what this malware does once it’s inside the system:
- Steals logins and passwords saved in various browsers: Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex Browser, and Opera.
- Steals information stored by browser extensions. The stealer targets over 50 extensions – most of which are related to crypto wallets, including Coinbase Wallet, MetaMask, Trust Wallet, Guarda, Exodus, and Nami.
- Steals 2FA tokens stored in the Authenticator.cc browser extension.
- Searches for and extracts data from cryptocurrency wallet applications, including Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger.
- Harvests system information and steals the macOS password by displaying a fake password entry window.
Banshee compiles all this data neatly into a ZIP archive, encrypts it with a simple XOR cipher, and sends it to the attackers’ command-and-control server.
In its latest versions, Banshee’s developers have added the ability to bypass the built-in macOS antivirus, XProtect. Interestingly, to evade detection, the malware uses the same algorithm that XProtect uses to protect itself, encrypting key segments of its code and decrypting them on the fly during execution.
How the Banshee stealer spreads
The operators of Banshee primarily used GitHub to infect their victims. As bait, they uploaded cracked versions of expensive software such as Autodesk AutoCAD, Adobe Acrobat Pro, Adobe Premiere Pro, Capture One Pro, and Blackmagic Design DaVinci Resolve.
The creators of Banshee used GitHub to spread the malware under the guise of pirated software. Source
The attackers often targeted both macOS and Windows users at the same time: Banshee was often paired with a Windows stealer called Lumma.
Another Banshee campaign, discovered after the stealer’s source code was leaked (more on that below), involved a phishing site offering macOS users to download “Telegram Local” – supposedly designed to protect against phishing and malware. Of course, the downloaded file was infected. Interestingly, users of other operating systems wouldn’t even see the malicious link.
A phishing site offers to download Banshee disguised as “Telegram Local”, but only to macOS users (left). Source
The past and future of Banshee
Let’s now turn to Banshee’s history, which is really quite interesting. This malware first appeared in July 2024. Its developers marketed it as a malware-as-a-service (MaaS) subscription, charging $3000 per month.
Business must not have been great, as by mid-August they’d slashed the price by 50% – bringing the monthly subscription down to $1500.
A hacker site ad announcing a discount on Banshee: $1500 instead of $3000 per month. Source
At some point, the creators either changed their strategy, or decided to add an affiliate program to their portfolio. They began recruiting partners for joint campaigns. In these campaigns, Banshee’s creators provided the malware, and the partners executed the actual attack. The developers’ idea was to split the earnings 50/50.
However, something must have gone very wrong. In late November, Banshee’s source code was leaked and published on a hacker forum – thus ending the malware’s commercial life. The developers announced they were quitting the business – but not before attempting to sell the entire project for 1BTC, and then for $30,000 (most likely having learned of the leak).
Thus, for several months now, this serious stealer for macOS has been available to essentially anyone completely free of charge. Even worse, with the source code also available, cybercriminals can now create their own modified versions of Banshee.
And judging from the evidence, this is already happening. For example, the original versions of Banshee stopped working if the operating system was running in the Russian language. However, one of the latest versions has removed the language check, meaning Russian-speaking users are now also at risk.
How to protect yourself from Banshee and other macOS threats
Here are some tips for macOS users to stay safe:
- Don’t install pirated software on your Mac. The risk of running into a Trojan by doing so is very high, and the consequences can be severe.
- This is especially true if you use the same Mac for cryptocurrency transactions. In this case, the potential financial damage could significantly exceed any savings you make on purchasing genuine software.
- In general, avoid installing unnecessary applications, and remember to uninstall programs you no longer use.
- Be cautious with browser extensions. They may seem harmless at first glance, but many extensions have full access to the contents of all web pages, making them just as dangerous as full-fledged apps.
- And of course, be sure to install a reliable antivirus on your Mac. As we’ve seen, malware for macOS is a very real threat.
Finally, a word on Kaspersky security products. They can detect and block many Banshee variants with the verdict Trojan-PSW.OSX.Banshee. Some new versions resemble the AMOS stealer, so they can also be detected as Trojan-PSW.OSX.Amos.gen.
]]>This post explains what scareware is and why this threat is dangerous. We also give tips for avoiding falling for scarewarers’ tricks, and protecting you and your family from such attacks.
What is scareware?
Scareware is a type of digital fraud that weaponizes users’ fears. The aim is to frighten the victim into visiting a malicious site and downloading something they shouldn’t. Scareware usually mimics antiviruses, system optimizers, registry cleaners, and the like. But other, more exotic types also exist.
The user is not so subtly informed that no fewer than five viruses have been found on their computer. However, the window header contains a small misprint: “Threaths detected” Source
To display their alarming messages, scammers tend to deploy browser pop-up windows and notifications, banner ads, and on occasion even good-old email.
Scareware creators use a variety of social engineering tricks to instill a sense of danger in the user. Often, threatening messages appear at the most unexpected moment — catching the victim off guard.
And scammers frequently hurry the victim into taking rash actions — not giving them time to think things over. Then, when the target has been properly prepared (that is, put into a state of panic), the attackers offer a simple solution to the problem: just install such-and-such software and all your troubles will be gone.
Fake antiviruses pretend to search for malware in the user’s system. Source
Upon receiving a scareware notification, in the best case scenario the victim will install a useless but harmless program on their device and pay a relatively small sum for the pleasure. But sometimes an attack can have more serious consequences. Under the guise of an “antivirus” or “system optimizer”, the victim may be fed proper malware that encrypts data or steals money from online bank accounts.
Sextortion scareware
Sometimes scammers employ a hybrid scheme: scareware combined with sextortion. It may go as follows: the user receives an intimidating email saying they’ve been caught in a compromising video.
To see for themselves, the victim is invited to visit a website where they can watch the footage. However, to view the video, they first need to install a special player. This, of course, is malware in disguise.
Faulty screen caused by a virus
In a new variant of the scareware scheme, the user is told that a virus has infected their smartphone. Nothing unusual so far — mobile versions of scareware have been around for ages. Here, however, the focus is artfully placed on what perhaps all smartphone owners fear the most: a faulty screen:
The scareware simulates screen damage caused by a virus that must be removed.Source
Curiously, the “faulty” display — which also blinks for added alarm — is capable of clearly showing the message about the supposed virus infection. How this window is able to float above a damaged screen is a mystery… To “fix” the screen, you just need to tap the button in the box and purchase the offered “antivirus”.
How to protect against scareware
Of course, the best defense against fake “protection” is the real thing. To defeat scareware, install a bona fide antivirus from a reputable developer, keep a close eye on its notifications, and always heed its recommendations.
Also bear in mind that it’s seniors who are most likely to fall victim. So it’s worth helping your older relatives get the right protection since it can be a challenge for them.
]]>Server and enterprise applications are often configured to trust — and be accessible to — all intranet-based hosts, making it easier to find and exploit new vulnerabilities, and extract, encrypt, or destroy important data.
Often, VPN access is granted to company contractors too. If a contractor violates the information security requirements while being granted standard VPN access with extensive privileges in the corporate network, attackers can penetrate the network by compromising the contractor, and gain access to information through the latter’s accounts and privileges. And their activities can go unnoticed for a long time.
A radical solution to these network security issues requires a new approach in terms of network organization — one whereby each network connection is analyzed in detail, and participants’ credentials and access rights are checked. Any of them lacking explicit permission to work with a particular resource are denied access. This approach applies to both internal network services as well as public and cloud-based ones. Last year, cybersecurity agencies in the United States, Canada and New Zealand released joint guidance on how to migrate to this security model. It consists of the following tools and approaches.
Zero trust
The zero trust model seeks to prevent unauthorized access to data and services through granular access control. Each request for access to a resource or microservice is analyzed separately, and the decision is based on a role-based access model and the principle of least privilege. During operation, every user, device, and application must undergo regular authentication and authorization — processes which are, of course, made invisible to the user by technical means. See our dedicated post for more about zero trust and its implementation.
Secure service edge
Secure service edge (SSE) is a set of tools for securing applications and data regardless of users’ and their devices’ location. SSE helps implement zero trust, adapt to the realities of hybrid cloud infrastructure, protect SaaS applications, and simplify user verification. SSE components include zero trust network access (ZTNA), cloud secure web gateway (CSWG), cloud access security broker (CASB) and firewall-as-a-service (FWaaS).
Zero trust network access
ZTNA provides secure remote access to a company’s data and services based on strictly defined access policies in line with zero trust principles. Even if intruders compromise an employee’s device, their ability to develop an attack is limited. For ZTNA, an agent application is deployed that checks the identity of the user or service, and access rights, then matches them with the policies and user-requested actions. Other factors that can be monitored are the security level of the client device (software versions, security solution database updates), the client’s location, and the like. The agent can also be used in multifactor authentication. Periodic reauthentication occurs during user sessions. If the user requires access to new resources and applications, the authentication and authorization process is repeated in full. However, depending on the solution settings, this may be transparent to the user.
Cloud secure web gateway
CSWG protects both users and devices from online threats and helps enforce network policies. Features include filtering web connections by URL and content, controlling access to web services, and analyzing encrypted TLS/SSL connections. It’s also involved in user authentication and provides analytics on web application usage.
Cloud access security broker
CASB helps enforce access policies for cloud SaaS applications — bridging them to their users, as well as manage data transferred between different cloud services. This makes it possible to detect threats targeting cloud services and unauthorized attempts to access cloud data, as well as to bring control of various SaaS applications under a single security policy.
Firewall-as-a-service
Cloud-based FWaaS performs the functions of a traditional firewall — except that traffic analysis and filtering take place in the cloud instead of on a separate device in the company’s office. Besides the convenience of scalability, FWaaS makes it easier to protect a distributed infrastructure consisting of cloud and on-premises data centers, offices, and branches.
Secure access service edge
Combining software-defined networks (SD-WAN) with full SSE functionality, SASE delivers the most effective integration of network control and security management. There are several advantages for companies in terms of not only security, but also cost efficiency:
- Reducing the cost of setting up a distributed network and combining different communication channels to increase speed and reliability
- Taking advantage of centralized network management, high visibility, and extensive analysis capabilities
- Lower administration costs due to automatic configuration and failure response
- All SSE functions (SWG, CASB, ZTNA, NGFW) can be integrated into the solution, giving defenders full visibility of all servers, services, users, ports, and protocols — plus automatic application of security policies when deploying new services or network segments
- Simplifying administration and policy enforcement with a centralized management interface
The SASE architecture allows all traffic to be routed dynamically and automatically, taking into account speed, reliability and security requirements. With information security requirements integrated deep into the network architecture, there is granular control over all network events — traffic is classified and inspected at multiple levels, including the application level. This delivers automatic access control as prescribed by zero trust, with granularity extending to a single application function and user rights in the current context.
The use of a single platform dramatically boosts monitoring performance and speeds up and improves incident response. SASE also simplifies updates and general management of network devices, which is another security benefit.
Migration technicalities
Deploying the above solutions would help your company replace the traditional “perimeter behind firewall plus VPN” approach with a more secure, scalable, and cost-effective model, which factors in cloud solutions and employee mobility. At the same time, cybersecurity agencies that recommend this set of solutions warn that each case requires an in-depth analysis of a company’s requirements and current state of affairs, plus a risk analysis and step-by-step migration plan. When switching from VPN to SSE/SASE-based solutions, you must:
- Strictly limit access to the network control plane
- Separate and isolate the interface for managing the solution and the network
- Update the VPN solution and analyze its telemetry in detail to rule out the possibility of compromise
- Test the user authentication process and explore ways to simplify it, such as authentication in advance
- Use multifactor authentication
- Implement version control of the management configuration, and keep track of changes
In this article, we explore the pros and cons of metadata and how to remove it.
What is metadata and what’s it for?
To put it simply, metadata is additional information about a file’s content. Such data is added to files by applications that create or process them, operating systems, or users themselves. In most cases, metadata is created and updated automatically. For example, for files, this can include the creation date, last modified date, type, owner, and so on. In the case of photos, metadata can include the date and location, exposure settings, camera or smartphone model, and so on, recorded in Exif format. Specifically which data is stored depends on the camera/smartphone model and settings.
Some metadata is “visible” and easy to edit. For example, audio files contain special tags describing the content — author, artist, album, track name, genre, etc. — that can be easily changed in any media player.
Other metadata is less evident. Did you know, for example, that from the metadata of an office document you can easily discover who edited it, when, for how long, and using which programs? In some cases, you can even restore the entire edit history from the first keystroke.
Of course, metadata wasn’t originally designed to be “the perfect stalking tool”, but simply a useful feature. However, you can end up sharing more than you intended; for example, your employer or client could find out how much time you actually spent working on a document, and the Exif data of a selfie you post online can reveal what smartphone you use and where you were at the time. Metadata can also help catch criminals or uncover fraudulent schemes.
For example, in 2019, U.S. law enforcement managed to arrest the fraudster Hicham Kabbaj, who’d been sending his former employer invoices for equipment supplies from a shell company called Interactive Systems for four years. Of course, no equipment was actually supplied, but a total of six million dollars was transferred into Interactive System’s accounts. The fraudster was eventually caught out because of simple oversight: four of the 52 invoices were in the MS Word .doc format, and the metadata listed the author as KABBAJ.
Besides the police, malicious actors can also use metadata. In 2016, we conducted an experiment to try to determine a person’s location from a single photo. For us, this was just a fun exercise, but criminals could have very different motives.
Or consider a slightly more complex scenario: your innocent PDF file somehow ends up in the hands of a malicious actor. How it got there doesn’t matter — let’s say they introduced themselves as your colleague. In this case, the contents of the file may be of no interest to the criminal. What’s important to them, however, is that you’ve already taken the bait (so the attack can continue) and leaked the PDF’s metadata — revealing the software and version you used to create it. With this knowledge, the attacker can send you malware specifically designed to exploit a vulnerability in your particular system. Protecting yourself from this kind of scenario requires a combination of measures: ignoring suspicious messages, removing metadata, and updating your software promptly.
How to remove metadata
You can remove metadata using built-in tools or third-party programs and services. We recommend the former, as then your metadata won’t end up in the hands of third parties this way. Third-party tools act as an extra layer between you and the “cleaned” file. This layer could potentially retain metadata, which criminals could somehow get hold of.
So now let’s look at how to remove metadata from photos and videos, and DOC and PDF files using built-in tools.
Photos and videos
On Windows
In File Explorer, right-click on the file, select Properties, and go to the Details tab. At the bottom of the screen, click Remove Properties and Personal Information, and in the window that opens, either keep the default option Create a copy with all possible properties removed, or manually select the properties you want to remove, and click OK.
On macOS and iOS.
Apple operating systems let you remove or modify the date, time, and geolocation. However, location data is only recorded for photos and videos taken with geolocation services enabled.
To remove or modify metadata on a macOS device, open the Photos app, go to the Image menu, select Location, and click Hide Location. Here you can also Revert to Original Location — which raises the question of where this data is actually stored — or Assign Location to one or more photos after you Copy Location from another photo. Additionally, in the Image menu, you can Adjust Date and Time of the capture.
On an iPhone or iPad, open the Photos app, select the photo to edit, and tap the ⓘ info button, or simply swipe up on the photo. Here, you can Adjust the date, time, and location. For location, you can either select No Location or assign any other location to the photo. (This is useful if you’re posting photos taken in a studio near your home, while pretending to be in, say, Maldives.) To edit multiple photos at once, select them all, tap the three-dot button (…), then choose Adjust Date & Time or Adjust Location.
On Android
On Android devices, you can remove or modify location data using the Google Photos app. Select the photo or video, tap the three-dot More icon, select Edit, and tap Remove location.
DOC files
If you’re using Word, go to the File tab and select Info. Then click Check for Issues, followed by Inspect Document and Inspect. Under Document Properties and Personal Information, click Remove All.
Windows users can also remove DOC file metadata using File Explorer, just as they would with photos and videos.
PDF files
If you’re using Adobe Acrobat, go to File, then Document properties, and select Description. In the window that opens, you can manually edit the author, subject, keywords, and title of the document. Clicking Additional Metadata opens a window displaying all the document’s metadata.
You can also remove PDF metadata using File Explorer in the same way as for photos and videos.
Security Measures
So, what’s the main way to protect yourself from malicious actors exploiting your metadata? Two words: exercising caution. In addition, for maximum security, follow these extra precautions:
- Set your social media profiles to private. This way, attackers won’t be able to use the metadata from your old photos and videos.
- Use a comprehensive security solution. It will act as a safety net — protecting your payment and personal data even if you fall victim to a cybercriminal.
- Remove metadata regularly. At first, this may seem like a lot of extra work just to send a simple selfie, but over time, removing metadata will become second nature.
What is Mark-of-the-Web?
The Mark-of-the-Web (MOTW) mechanism involves placing a special metadata mark on files obtained from the internet. If such a mark is present, the Windows operating system considers such a file to be potentially dangerous. If the file is executable, the user sees a warning that it can cause harm when trying to execute it. Also, some programs limit the functionality of a file with this mark (for example, MS Office applications block the execution of macros in them). When an archive is downloaded from the internet, when it is unpacked, all the files should inherit this Mark-of-the-Web.
Malefactors have repeatedly been trying to get rid of the MOTW in order to mislead the user. In particular, several years ago we wrote that the BlueNoroff APT group had adopted methods to bypass this mechanism. According to the MITRE ATT&CK matrix classification, bypassing the MOTW mechanism belongs to sub-technique T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass.
What is the CVE-2025-0411 vulnerability, and how is it dangerous?
CVE-2025-0411 allows attackers to create an archive in such a way that when it’s unpacked by 7-Zip, the files won’t inherit the MOTW mark. As a result, an attacker can exploit this vulnerability to launch malicious code with user privileges. Of course, such a vulnerability is dangerous not in and of itself, but as part of a complex attack. In addition, to exploit it, the user must launch a malicious file manually. However, as we’ve already mentioned above, attackers often try to remove this mark, so giving them an extra way to do this is clearly a big no-no.
Researchers discovered CVE-2025-0411 back in November last year, and immediately reported it to the author of 7-Zip. This is why version 24.09, published on November 29, 2024, is no longer vulnerable.
How to stay safe
First of all, you should update 7-Zip to version 24.09 or newer. If this file archiver is used in your organization, we recommend updating it centrally (if there are appropriate tools), or at least notifying that it needs urgently updating. Kaspersky products for home users can check a number of widely used software products (including 7-Zip) and update them automatically.
In addition, we recommend all internet users to handle files received from the internet with exceptional caution, and not to open them on computers without a reliable security solution.
]]>General recommendations
First, the good news: any Kaspersky apps you’ve already installed from Google Play will continue to work on your device. But they’ll automatically receive only antivirus database updates — not app or security feature improvements. If you uninstall an app, you won’t be able to reinstall it from Google Play.
Therefore, we recommend not deleting the apps already installed from Google Play, but to download and install over them the versions from these alternative stores:
- Samsung Galaxy Store
- Huawei AppGallery
- Vivo V-Appstore
You’ll find the same set of Kaspersky apps in all these stores, and the download methods are also alike:
- Open the store app.
- Enter “kaspersky” in the search bar (you may need to tap the magnifying glass icon to open the bar).
- Find the app you want in the search results.
- Depending on the store, tap Get, Install, Download or Update, or simply touch the download icon next to the name of the app.
If our apps are already installed on your device and you then download them from alternative stores, your device will retain all settings, and you won’t have to reactivate the license. What’s more, the apps can be updated automatically by enabling auto-update in the settings of the alternative store. Below is a how-to guide for all the recommended stores.
You can also install apps by downloading the APK files from our website. When you install over existing apps, all settings and licenses are retained. However, apps installed this way will not be updated automatically — you’ll need to track down new versions yourself, download them as APK files, and install them on your device manually. Because this is less convenient, we’ll soon be adding a feature to update apps automatically via their APK files, and will notify you when new updates come out. In the meantime, we recommend using the alternative app stores mentioned above.
What to do if your smartphone only has Google Play
If you only have Google Play on your smartphone, you first need to install an alternative app store, for example, Huawei AppGallery. Here’s how to do it:
- Open this link in your browser.
- Tap Download.
- Follow the on-screen instructions, tapping OK in response to any system warnings.
You can now download Kaspersky apps. More detailed instructions are available on the Huawei AppGallery website.
How to enable auto-update for Kaspersky apps in alternative stores
To make sure you always have the latest version, after installing an app from an alternative store you need to enable auto-update in the store settings. We have step-by-step instructions for all stores — just follow one of the links below to go to the one you need:
Samsung Galaxy Store
To enable auto-update of apps in the Samsung Galaxy Store:
- Open the menu (three horizontal lines).
- Go to Settings by tapping the gear icon in the top-right corner of the screen.
- On the screen that opens, find Auto update apps, and select Using Wi-Fi or mobile data.
How to enable auto-update of apps in the Samsung Galaxy Store
Huawei AppGallery
To enable auto-update of apps in Huawei AppGallery:
- Tap Me at the bottom right of the screen.
- Go to Settings.
- Tap Auto-update apps, and select On.
How to enable auto-update of apps in Huawei AppGallery
Vivo V-Appstore
To enable auto-update of apps in Vivo V-Appstore:
- Go to Manage by tapping the icon in the bottom right corner of the screen.
- Go to Settings by tapping the gear icon at the top of the screen.
- Tap Notifications and upgrades.
- Enable App auto-update.
How to enable auto-update of apps in Vivo V-Appstore
How to install Kaspersky apps from APK files
First, you need to download the APK files from your My Kaspersky account or from our website by following the corresponding link:
- Download the Kaspersky for Android APK file
- Download the Kaspersky VPN Secure Connection APK file
- Download the Kaspersky Password Manager APK file
- Download the Kaspersky Safe Kids APK file
Your device may warn you that the file isn’t safe to download. If this happens, confirm your action by tapping Keep or Download.
Once the download is complete, go to My files → Downloads, and tap the downloaded file. When installing it, you’ll need to allow installation of unknown apps from a new source. Here’s how to do it: Go to Settings → Apps → Additional → Special app access → Install unknown apps, find your browser in the list, and toggle the switch “Allow app installs” to On. That done, the Kaspersky app will continue to install. See here for more detailed instructions.
Granting permission to install unknown apps from Google Chrome
After installing our apps, make sure to turn this feature Off, since it can pose a security risk and so should only be used when absolutely necessary. To find out why we insist on this, see this Kaspersky Daily post.
How to buy a Premium subscription in your Kaspersky app
You can buy a subscription — for example, Kaspersky Premium — directly in the app itself. To do this, navigate to Profile, and under the Kaspersky Free icon tap Let’s go. Then select one of the three subscription tiers — Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium and the number of devices you want to protect, and check out.
How to activate an existing license in your Kaspersky app
If you installed any of our apps from an alternative store or from an APK file over one already installed from Google Play, there’s no need to reactivate your license.
If you bought a Kaspersky app on Google Play and connected it to your My Kaspersky account, but then uninstalled it and downloaded a new one from an APK file or an alternative store, your previously purchased license will work without any problems. See our detailed activation instructions.
If you uninstalled a Kaspersky app that was purchased from Google Play but not connected to your My Kaspersky account, then installed a new one according to the instructions in this post, please contact technical support to reactivate your license. They’ll be happy to assist.
If you have a license for multiple devices, the easiest way to activate apps on additional devices is to install them using the links in My Kaspersky — this way they’ll be activated automatically. You can also install Kaspersky apps from an alternative store or APK file as described above, and follow the instructions to activate the license.
]]>Mathematicians
Although the respected American mathematician Peter Shor meant to create neither hype nor panic, it was he who, back in 1994, proposed the idea of an entire family of algorithms for solving computationally complex mathematical problems on a quantum computer. Chief among these was the problem of factoring into prime numbers. For sufficiently large numbers, a classical computer would need… centuries to find a solution — which serves as the foundation of cryptographic algorithms like RSA. However, a powerful quantum computer using Shor’s algorithm could solve this problem much faster. Although such a computer was still a dream in 1994, Shor’s idea captured the imagination of hackers, physicists, and of course, journalists. Shor recalls that when he first presented his idea at a conference in 1994, he hadn’t yet completely solved the factorization problem — the final version of his research was only published in 1995. Nevertheless, just five days after his presentation, people were confidently proclaiming that the factorization problem had been solved.
Startups
For many years, the quantum threat was considered just a distant possibility. The number of quantum bits (qubits) required to break cryptography was estimated to be in the thousands or millions, while experimental quantum computers were still in single digits. The situation changed in 2007, when the Canadian company D-Wave Systems demonstrated the “first commercial quantum computer”, boasting 28 qubits, with a plans to scale up to 1024 qubits by the end of 2008. The company predicted that by 2009 it would be possible to rent quantum computers for cloud computations — using them for risk analysis in insurance, modeling in chemistry and materials science, as well as for “government and military needs”. By 2009, D-Wave expected to achieve quantum supremacy — when a quantum computer could solve a problem faster than a classical one.
The quantum community had to spend years dealing with the company’s claims. The principle of quantum annealing, used in D-Wave systems, wasn’t even considered a quantum effect, and its existence was only proven in 2013 — albeit with serious reservations. Meanwhile, the magnitude (and even the existence) of quantum supremacy continued to be a subject of debate even longer. In any case, D-Wave systems can run neither Shor, nor Grover’s algorithms, making them unsuitable for cryptanalysis tasks. The company continues to build computers (or, rather, “quantum annealers”) with ever-increasing numbers of qubits, but their practical application remains very limited.
Cyber agencies
When the U.S. National Security Agency (NSA) issues warnings and advice on a problem, it’s a good reason to take that problem seriously. That’s why the NSA’s 2015 recommendation urging companies and governments to begin transitioning to quantum-resistant encryption was taken as a signal that the arrival of practical quantum computers might just be round the corner. This warning came as a surprise: at the time, the largest number that had been factored using Shor’s algorithm on a quantum computer was… 21. This fueled speculation that the NSA knew something about quantum computers that the rest of the world didn’t.
Now, nearly a decade later, we can be fairly confident that the NSA was sincere in its subsequent explanations, released six months later: they were simply warning of a potential danger ahead of time. After all, equipment purchased for government agencies tends to remain in service for decades, so systems should be upgraded well in advance to avoid future vulnerabilities. Around the same time, NIST announced a competition to develop a standardized set of quantum-resistant algorithms. In 2024, this new standard was adopted.
Internet giants
Many major IT companies, such as Google and IBM, have shown interest in quantum computing — and invested in it. At the end of the 20th century, IBM labs created the first working quantum computer with two qubits. But it was Google that, in 2019, announced the long-awaited achievement of quantum supremacy. Their experimental 53-qubit computer, Sycamore, could reportedly solve a problem in not much over three minutes that would take a classical supercomputer 10,000 years. However, IBM disputed this claim, arguing that this problem was purely synthetic, designed for quantum computers specifically, and having no real-world application. For a supercomputer to solve the same problem, it would simply have to simulate a quantum one, which would be quite useless — not to mention slow. IBM further stated that with sufficient disk space, a classical supercomputer could solve the same problem with greater accuracy and in a relatively short time: no more than 2.5 days.
Even the original creator of the term “quantum supremacy”, Professor John Preskill, criticized Google’s excessive use of the phrase, noting its popularity with journalists and marketers. As a result, its intended technical use has been obscured.
Governments
Security experts, including the NSA, have repeatedly emphasized that the quantum threat is a reality — even in the absence of a practical quantum computer. One possible scenario is well-resourced malefactors storing an encrypted copy of valuable data today in order to decrypt it in the future when quantum computers become viable. Such an attack, known as harvest now, decrypt later, is often mentioned in the context of the “quantum race”, and in 2022, the U.S. government created quite a stir by claiming to already be facing SNDL attacks. Experts from the post-quantum security firm QuSecure also referred to SNDL attacks as a “common practice” in an article ominously titled Quantum apocalypse.
Meanwhile, the White House coined the term CRQC (Cryptanalytically Relevant Quantum Computer) and ordered U.S. agencies to switch to post-quantum encryption algorithms no later than 2035.
Enthusiasts
Quantum computers are complex, unique physical devices that often require extreme cooling. As a result, small firms and individual researchers have a hard time keeping up in the quantum race; however, that doesn’t stop some from trying. In 2023, statements from a researcher named Ed Gerck, founder of a company called Planalto Research, created a small buzz. According to Gerck, his company managed to perform quantum computations on a commercial Linux desktop with capital costs of less than a thousand dollars and without using cryogenics. The author claimed to have broken a 2048-bit RSA key despite these limitations. Interestingly, Gerck allegedly developed his own algorithm to do this, rather than using Shor’s. Cryptographers and developers of quantum computers have repeatedly demanded proof of Gerck’s claims but received only excuses in response. Gerck’s paper has in fact been published; however, experts note serious methodological flaws and speculative elements.
And, of course, the press
A study by researchers at Shanghai University directly linking quantum computing to encryption cracking was published in China in September 2024. However, it only caused a splash worldwide after a November article in the South China Morning Post. This article claimed that the Chinese scientists had successfully broken “military-grade encryption”, and this headline was carelessly replicated by other media outlets.
In fact, the authors of the study did target encryption, but solved a much more modest problem — they cracked 50-bit ciphers related to AES (Present, Gift-64, and Rectangle). Interestingly, they used one of the latest models from the very same D-Wave, using classical algorithms to compensate for its limitations compared to a full-fledged quantum computer. This study is scientifically novel, but its practicality in breaking real-world encryption is highly questionable. In addition to the deficit of qubits, the incredibly long classical pre-calculations required to crack real 128 or 256-bit keys remains an obstacle.
This wasn’t the first time researchers have claimed success in breaking encryption, but an earlier, similar announcement in 2022 received little attention.
Internet giants (yes, again)
A new round of speculation began with Google’s recent announcement of its Willow chip. The developers have claimed that they’ve managed to solve one of the key problems in scaling quantum computing — error correction. This problem arises because it’s extremely challenging to read the state of a qubit without making errors or disturbing its entanglement with other qubits. Therefore, calculations are often run multiple times, and many “noisy” physical qubits are combined into a single “perfect” logical one. Despite these measures, as the number of qubits increases, errors grow exponentially, making the system increasingly fragile. In contrast, the new chip demonstrates the opposite behavior — as the number of qubits increases, errors are reduced.
Willow has 105 physical qubits. Of course, this is far from enough to break modern encryption. According to the Google researchers themselves, their computer would need millions of qubits to become a CRQC.
But such trifles didn’t stop other researchers from declaring the imminent death of modern cryptography. For example, researchers at the University of Kent have estimated that advances in quantum computing could require the Bitcoin network to shut down for 300 days in order to update to quantum-resistant algorithms.
Welcome to reality
Leaving the mathematical and technical aspects aside, it’s worth emphasizing that, as of right now, cracking modern encryption using quantum computers is still impossible, and this is unlikely to change in the near future. However, sensitive data that will remain valuable for years to come should be encrypted with quantum-resistant (post-quantum) algorithms today to avoid potential future risks. Several major IT regulators have already issued recommendations on transitioning to post-quantum cryptography, which should be studied and gradually implemented.
]]>We’ve picked out the top trending announcements at CES 2025, with a focus on what new cyberthreats to expect as the latest innovations hit the shelves.
NVIDIA Project DIGITS: your own mini supercomputer for running AI locally
NVIDIA founder Jensen Huang unveiled the company’s Mac-Mini-sized supercomputer to CES visitors. Powered by the GB10 Grace Blackwell “superchip” with a minimum 128 GB of memory, the device is capable of running large language models (LLMs) with 200 billion parameters. Connect two such computers, and you can run even larger models with up to 400 billion parameters! However, the US$3000 price tag will limit the buyer audience.
Cybersecurity aspect: running LLMs locally stops confidential information from leaking to OpenAI, Google Cloud, and other such services. Until now, this wasn’t very practical: on offer were either greatly simplified models that struggled to run on gaming computers, or solutions deployed on powerful servers in private clouds. “NVIDIA Project DIGITS” now made it easier for both small companies and wealthy hobbyists to run powerful local LLMs.
The GB10 Grace Blackwell superchip, 128 GB of RAM, and 4 TB of SSD storage make this NVIDIA offer a decent platform for a local neural network. Source
Roborock Saros Z70: a “handy” vacuum cleaner
The inability of robot vacuum cleaners to cope with stairs and other obstacles, including things lying around, greatly limits their usefulness. Roborock’s new model solves the latter issue with an extensible arm that picks up small and light objects from the floor.
Cybersecurity aspect: the Saros Z70’s object-rearranging ability is very limited, and Roborock has not been involved in any major cybersecurity scandals. So we’re unlikely to see any game-changing risks compared to existing vacuum cleaners. But later models or competitors’ products can theoretically be used in cyberphysical attacks such as burglary. For instance, researchers recently showed how to hack Ecovacs robot vacuums.
But the Saros Z70 is notable for more than just its mechanical hand. Another of its officially announced features is video surveillance. The vendor claims that camera footage never leaves the device, but we’ll believe that when we see it. After all, you’ll probably at least need a separate device to view the footage. The StarSight 2.0 system, due with a later software update, will let you train the robot to recognize specific household objects (for example, favorite toys) so that it can show where it last saw them on a map of your home. As to whether this handy feature works entirely on the device — or data about things in your home gets fed to the cloud — press releases are maintaining a tactful silence.
The Roborock Saros Z70 can lift and carry objects weighing up to 300 grams. Source
Bosch Revol: preying on parental fear
How did a baby rocker manage to take home the “Least private” mock award for gadgets at CES 2025, as judged by Electronic Frontier Foundation and iFixIt? The Bosch Revol Smart Crib not only automatically rocks the crib, but continuously collects video and audio data, while simultaneously scanning the baby’s pulse and breathing rate using millimeter-wave radar. It also monitors temperature, humidity and fine-particle pollution levels. The camera is equipped with object recognition to detect toys, blankets and other potentially dangerous objects near the infant’s face. All data is instantly streamed to a parental smartphone and to the cloud, where it remains.
Cybersecurity aspect: other vendors’ video baby monitors have been dogged by scandals, and hacked to conduct nasty pranks and spy on parents. In the case of the Revol, not only video, but medical data could end up in cybercriminal hands. When it comes to child and health-related tech, a cloud-free setup as part of a well-protected smart home is the way to go.
TP-Link Tapo DL130: in the same vein?
Among the many smart locks unveiled at CES 2025, it was TP-Link’s model that stood out for a feature that’s still quite rare — biometrics based not only on face/fingerprint recognition, but also on palm veins matching. Simply wave your hand in front of the sensor, and the system will identify you as the owner with high accuracy. Unlike more common biometric factors, this method doesn’t depend on lighting conditions, and works well even with wet and dirty hands. Plus, it’s more difficult to fake.
Cybersecurity aspect: smart locks can be integrated into your home network and interact with your smart home (such as Alexa or Google Home), which creates a wide cyberattack surface. Given the numerous critical vulnerabilities in other TP-Link equipment, there’s a risk that flaws in smart locks will allow attackers to open them in unconventional ways.
Security researchers are sure to put TP-Link’s smart lock under the microscope once it goes on sale. Source
Google Home + Matter: a cloud-free sky home
A major update to Google’s smart home hubs means they can now control curtains, sockets, light bulbs and other devices via the Matter protocol without connecting to a cloud server. At the heart of your smart home can be a Google Nest — an Android 14 smart TV or even a Chromecast device. Tell Google Assistant to “switch on the bedroom light”, and the command will be carried out even without an internet connection, and with minimal delay.
If a staunch advocate of a cloud-based future like Google has implemented such offline scenarios, the demand for such functionality must be huge.
Cybersecurity aspect: local control of your smart home reduces the risk of compromise and improves privacy — less data about what goes on in your home will leak to equipment vendors.
Halliday Glasses: improve your AI-sight
We chose Halliday AR glasses for the innovative image projection system that makes them lighter and more compact — though our takeaways also apply to dozens of other smart glasses presented at CES 2025. While some models address a simple and specific issue — such as combining glasses with a hearing aid or serving as a near-eye display for computer users on board a plane — quite a few of them come equipped with an AI assistant, camera, ChatGPT integration, and other features that potentially can be used to spy on you. They’re used for live translation, teleprompting and other productivity-boosting tasks.
Cybersecurity aspect: all AI features involve shifting large amounts of data to the makers’ servers for processing, so local AI in glasses is still a long way off. But unlike with computers and smartphones, the voices, photos and videos of all those around you will be included in the information flow generated by the glasses. From an ethical or legal standpoint, wearers of such glasses may have to continuously ask permission from everyone around to record them. And those who don’t want to pose for Sam Altman should look out for wearers of smart glasses among their peers.
Sony Honda AFEELA: I feel it’s going to be driving by subscription
This luxury electric car from two Japanese giants is available to preorder — but only to California residents and with rollout scheduled for 2026 or later. Nevertheless, the Japanese vision could become the envy even of Google: the price of the vehicle includes a “complimentary three-year subscription” to a variety of in-car features, including Level 2+ ADAS driver-assist and an AI-powered personal assistant, and a choice of interactive car design and entertainment features such as augmented reality and “virtual worlds”.
At the CES 2025 demonstration, the car was summoned onstage by the voice command “Come on out, Afeela” — but it remains unclear whether this handy feature will be available to drivers.
Cybersecurity aspect: we’ve spotlighted the risks and vulnerabilities of “connected” cars many times. Whether manufacturers will be able to keep the security bar high, not only for vehicles, but also for telematics systems (especially critical if smart driving becomes subscription-based), is a big question for the future. Those who don’t like the idea of their car suddenly turning into an iron pumpkin pending a software update or after a cyberattack are advised to refrain from splashing out… at least for another decade or so.
BenjiLock: a biometric padlock
Now you can lock up your bike (or barn or whatever) without memorizing a code or carrying around a key. As the name suggests, the BenjiLock Outdoor Fingerprint Padlock is a padlock that stores and recognizes fingerprints — up to ten of them. No smartphone or Wi-Fi required, all the magic happens inside the lock itself. The device is resistant to both moisture and dust, and (according to the manufacturer) works on one charge for up to a year.
Cybersecurity aspect: only real-world tests can prove resistance to old-school lock picking and inexpensive fingerprint faking. Smart locks are often vulnerable to both.
]]>Attacking developers: OAuth abuse
To inject trojan functionality into popular Chrome extensions, cybercriminals have developed an original phishing scheme. They send developers emails disguised as standard Google alerts claiming that their extension violates Chrome Web Store policies and needs a new description. The text and layout of the message mimic typical Google emails, so the victim is often convinced. Moreover, the email is often sent from a domain set up to attack a specific extension and containing the name of the extension in the actual domain name.
Clicking the link in the email takes the user to a legitimate Google authentication page. After that, the developer sees another standard Google screen prompting to sign in via OAuth to an app called “Privacy Policy Extension”, and to grant certain permissions to it as part of the authentication process. This standard procedure takes place on legitimate Google pages, except that the “Privacy Policy Extension” app requests permission to publish other extensions to the Chrome Web Store. If this permission is granted, the creators of “Privacy Policy Extension” are able to publish updates to the Chrome Web Store on behalf of the victim.
In this case, there’s no need for the attackers to steal the developer’s password or other credentials, or to bypass multi-factor authentication (MFA). They simply abuse Google’s system for granting permissions to trick developers into authorizing the publication of updates to their extensions. Judging by the long list of domains registered by the attackers, they attempted to attack far more than 35 extensions. In cases where the attack was successful, they released an updated version of the extension, adding two files for stealing Facebook cookies and other data (worker.js and content.js).
Attacking users
Chrome extensions typically receive updates automatically, so users who switched on their machines between December 25 and December 31, and opened Chrome, may have received an infected update of a previously installed extension.
In this event, a malicious script runs in the victim’s browser and sends data needed for compromising Facebook business accounts to the attackers’ server. In addition to Facebook identifiers and cookies, the malware steals information required to log in to the target’s advertising account, such as the user-agent data to identify the user’s browser. On facebook.com, even mouse-click data is intercepted to help the threat actors bypass CAPTCHA and two-factor authentication (2FA). If the victim manages ads for their company or private business on Meta, the cybercriminals get to spend their advertising budget on their own ads — typically promoting scams and malicious sites (malvertising). On top of the direct financial losses, the targeted organization faces legal and reputational risks, as the fake ads are published under its name.
The malware can conceivably steal data from other sites too, so it’s worth checking your browser even if you don’t manage Facebook ads for a company.
What to do if you installed an infected extension update
To stop the theft of information from your browser, the first thing you need to do is to uninstall the compromised extension or update it to a patched version. See here for a list of all known infected extensions with their current remediation status. Unfortunately, simply uninstalling or updating the infected extension is not enough. You should also reset any passwords and API keys that were stored in the browser or used during the incident period.
Then, check the available logs for signs of communication with the attackers’ servers. IoCs are available here and here. If communication with malicious servers was made, look for traces of unauthorized access in all services that were opened in the infected browser.
After that, if Meta or any other advertising accounts were accessed from the infected browser, manually check all running ads, and stop any unauthorized advertising activity you find. Lastly, deactivate any compromised Facebook account sessions on all devices (Log out all other devices), clear the browser cache and cookies, log in to Facebook again, and change the account password.
Incident takeaways
This incident is another example of supply-chain attacks. In the case of Chrome, it’s made worse by the fact that updates are installed automatically without notifying the user. While updates are usually a good thing, here the auto-update mechanism allowed malicious extensions to spread quickly. To mitigate the risks of this scenario, companies are advised to do the following:
- Use group policies or the Google Admin console to restrict the installation of browser extensions to a trusted list;
- Create a list of trusted extensions based on business needs and information security practices used by the developers of said extensions;
- Apply version pinning to disable automatic extension updates. At the same time, it’ll be necessary to put in place a procedure for update monitoring and centralized updating of approved extensions by administrators;
- Install an EDR solution on all devices in your organization to protect against malware and monitor suspicious events.
Companies that publish software, including web extensions, need to ensure that permission to publish is granted to the minimum number of employees necessary — ideally from a privileged workstation with additional layers of protection, including MFA and tightly configured application launch control and website access. Employees authorized to publish need to undergo regular information security training, and be familiar with the latest attacker tactics, including spear phishing.
]]>