Authored by Neil Tyagi

On 23 August 2023, NIST disclosed a critical RCE vulnerability CVE-2023-38831. It is related to an RCE vulnerability in WinRAR before version 6.23. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the harmless file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.

Our intelligence shows that this vulnerability is being exploited as early as April 2023. Let’s look at a sample exploiting this vulnerability (Hash: bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa)

  • The image below shows that the archive is named trading_system, which hints that it is used to target traders

  • We can also see that the threat actor can craft the archive so that folder and file names are the same.
  • This is interesting as Windows doesn’t allow files and folders to have the same name in the same path.
  • This shows that it was weaponized after creating a regular zip by changing the bytes to make the file and folder name the same.
  • Also, note there is a trailing space at the end of the file and folder name (in yellow).
  • When we look inside the folder, we see many files, but the most important file is highlighted, which is a bat file containing a malicious script.
  • The bat file also has the same name as the benign file outside the folder.

  • When we check the script, we see it launches cmd in the minimized state, then goes to the temp folder where WinRAR will extract the files, then tries to find the file, which is present inside the folder and executes it using wmic and then exits.
  • Checking we find that it is a CAB SFX file.
  • We extract it to check what is inside.
  • We found a PE file, some ActiveX control objects, and two text files.
  • AMD.exe is a visual basic compiled file whose main job is to extract the dll hidden in a blob of data inside pc.txt and execute the ActiveX controls.
  • Inside add.txt, we find the registry keys it will try to manipulate
  • The first control is responsible for registering a COM object in Windows. During registration, registry keys are imported from the “add.txt” file. As a result, a specific COM object with a unique CLSID is registered in the infected system. The default value of the InprocServer32 key is populated with the path to a malicious DLL named “Core.ocx”.
  • Wmic process executes

  • AMD.exe extracts the encrypted dll file inside pc.txt and writes it in the romaing\nvidia folder.

  • Here, we observe AMD.exe calls reg.exe on registry keys inside add.txt
  • Timeout is also called to slow down the activities of the infection chain.
  • AMD.exe Calls rundll32 on the clsid that is registered in the registry

  • We can see successful tcp connection to threat actors C2.( ip 37[.]120[.]158[.]229)

Global Heatmap where this vulnerability is being seen in the wild(based on McAfee telemetry data)

Infection chain

How does the vulnerability work?

  • Here, we will analyze the issue causing WinRAR to execute the script instead of opening the image.
  • We will compare how WinRAR behaves when we execute an image file from a weaponized zip vs. a normal zip. So we fire up ProcMon First.

  • The above image shows that the first logical bug is how WinRAR is extracting files in the temp folder before executing them. In the case of a regular zip, only the clean image file is extracted to the temp folder, whereas in the case of a weaponized zip, even the files present inside the folder are extracted to the temp folder along with the clean image file. This is due to the same file names we have given, which makes WinRAR extract those in temp.
  • Verifying the same in the temp folder

Normal Zip

Weaponized Zip

  • In Logs, when we dig deep, we can see Winrar searches for our filename with an *, which causes it to iterate over our bat file as it has the same name, which in turn gets executed.

  • To see what’s happening under the hood, we hook a debugger and launch WinRAR by manipulating the “image file Execution options” registry key.
  • When we execute the rar file, we see the debugger getting attached to the winrar process so that we can do just-in-time debugging.
  • We put a breakpoint on the ShellExecuteExW function to see what parameters are passed to it just after clicking the jpeg file.
  • When we double-click on the image file, we can see the debugger is opened, and after a few clicks, we hit our breakpoint.

Normal zip

  • In this case, the correct parameter is passed to the ShellExecuteExW function as the file exists at this exact path.

Weaponized zip

  • In this case, an incorrect parameter is passed to the ShellExecuteExW function as the parameter contains a trailing space, and such a file does not exist on the disk.
  • When we dig deep, we find that later, it calls PathUnquoteSpacesA API call, as per MSDN. It “Removes quotes from the beginning and end of a path.”
  • As quotes are removed from the end of the path, ShellExecuteExW executes “simple_image.jpg .cmd” instead of “simple_image.jpg.”


Sha256 Detection
bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa Trojan:Archive/2023_38831.NEAA



  • .( ip 37[.]120[.]158[.]229)
  • REG keys



  • WinRAR users should immediately update to the latest version. WinRAR archiver, a powerful tool to process RAR and ZIP files (
  • Use a licensed and updated McAfee+ subscription to stay protected.
  • Stay informed about common cyber threats and tactics used by cybercriminals. This knowledge can help you recognize potential risks and avoid scams.
  • Be very cautious when dealing with attachments from unknown sources. Only run attachments that come from trusted sources.
  • Protect your accounts by using multi-factor authentication.

Introducing McAfee+

Identity theft protection and privacy for your digital life

#Exploring #Winrar #Vulnerability #CVE202338831 #McAfee #Blog

In large companies, as a rule the average employee isn’t often asked for an opinion on their career aspirations, areas of interest, or accomplishments outside their job description. It tends to happen once a year — for the performance review. However, many would like to share their thoughts with management much more often. So, when an invitation to take a self-evaluation lands in the inbox, they jump at the chance without hesitation. And this is what cybercriminals exploit in the latest spear-phishing campaign.

Phishing email with invitation

Seemingly from HR, an email arrives containing an elaborate description of the employee self-evaluation procedure, which “promotes candid dialogue between staff members and their managers/supervisors”. It goes on to say that “you can learn a lot about your strengths and shortcomings … to reflect on your successes, areas for development, and career objectives”. All in all, quite a convincing piece of corporate spiel.

Email to employees inviting them to undergo a self-evaluation

Email to employees inviting them to undergo a self-evaluation

Convincing it may be, but all the same the email does contain a few identifiable red flags regarding phishing. For starters, take a look at the domain name in the sender’s address. That’s right, it doesn’t match the name of the company. Of course, it’s possible that your HR department might be using a contractor unknown to you — but why would “Family Eldercare” be providing such services? Even if you don’t know that this is a non-profit organization that helps families care for elderly relatives, the name should ring an alarm bell.

What’s more, the email says that the survey is “COMPULSORY for EVERYONE”, and must be completed “by End Of Day”. Even if we leave aside the crude and faulty capitalization, the focus on urgency is always a reason to stop and think — and check with the real HR department whether they sent it.

Fake self-evaluation form

Those who miss the flags and click through to the form are faced with a set of questions that may actually have something to do with assessing their performance. But the crux of the phishing operation lies in the last three of those questions — which ask the victim to provide their email address, and enter their password for authentication and then re-enter it for confirmation.

Last three questions of the fake questionnaire

Last three questions of the fake questionnaire

This is actually a smart move on the phishers’ part. Typically, phishing of this type leads straight from the email to a form for entering corporate credentials on a third-party site, which puts many on their guard straight away. Here, however, the request for a password and email address (which commonly doubles up as a username) is disguised as part of the form — and at the very end. By this stage the victim’s vigilance is well and truly lulled.

Also note how the word “password” is written: two letters are replaced with asterisks. This is to bypass automatic filters set to search for “password” as a keyword.

How to stay safe

To stop company employees falling for phishing, keep them informed of all the latest tricks (for example, by forwarding our posts about phishing ploys). If you prefer a more systematic approach, carry out regular trainings and checks, for example with our Kaspersky Automated Security Awareness Platform.

Ideally, employees should never even see most phishing thanks to technical means: install security solutions with anti-phishing technology both at the corporate mail gateway level and on all work devices used for internet access.

#phishing #selfevaluation #questionnaire #Kaspersky #official #blog

Your teacher was right. Spelling counts, particularly to scammers.

Enter the world of typosquatting scams. Also known as URL hijacking, typosquatting scams target internet users who incorrectly type a website address into their web browser.

Scammers have long used typosquatting techniques to capture traffic from those butterfingers moments we all have when typing on our keyboards. And the butterthumbs moments on our phones.

For example, say you type “websiteaddresss dot-com” instead of “websiteaddress dot-com.” More than just a mistake, a mistyped address might land you on a malicious site designed to steal personal information, make money, or spread malware.

The scam sites you might land on vary. Some serve up a screenload of spammy ads. Others host malicious download links, and yet more lead to stores full of cheap, knockoff goods. In other cases, scammers take it up a notch. We’ve seen typosquatting sites evolve into clever copycats of legitimate sites. Some look like real banking and e-commerce sites that they steal traffic from, complete with stolen logos and familiar login screens. With this, scammers hope to trick you into entering your passwords and other sensitive information.

Companies are well aware of this practice. Many purchase URLs with those common misspellings and redirect them to their proper sites. Further, many brands put up anti-fraud pages on their sites that list the legitimate addresses they use to contact customers. Here at McAfee, we have an anti-fraud center of our own.

The fact remains, people make mistakes. And that can lead to risky scam sites. However, you can still avoid typosquatting attacks quite easily.

The big business of typosquatting

For starters, it helps to know that typosquatting is often big business. In many cases, larger cybercrime organizations set up entire flights of malicious sites that can number into the dozens to the hundreds.

Let’s check out a few examples and see just how sophisticated typosquatting scams can be:

“” scams

In 2018, researchers found a host of addresses that were registered in the names of well-known sites, but ending in  “.cm”, instead of “.com”. These copycat addresses included financial websites, such as “Chase dot-cm” and “Citicards dot-cm,” as well as social and streaming sites.

Scammers used the .cm sites to advertise promotions and surveys used to collect users’ personal information. What’s more, more than 1,500 of them were registered to the same email address, indicating that someone was trying to turn typosquatting into a serious business.

“” scams

Similarly, 2016 saw the advent of malicious dot-om sites, that mimicked big names like “linkedin dot-om” and “walgreens dot-om.” Even the interesting typo found in “youtubec dot-om” cropped up. Of note, single entities registered these sites in batches. Researchers found that individuals or companies registered anywhere from 18 to 96 of them. Again, signs of serious business.

Big brand and voice assistant typosquatting scams

Recently, security researchers further found an increase in the number of typosquatting sites. An increase of 10% from 2021 to 2022. These sites mimic popular app stores, Microsoft addresses, services like TikTok, Snapchat, PayPal, and on and on.

Further, scammers have gotten wise to the increased use of personal assistants to look up web addresses on phones and in homes. Typosquatting now includes soundalike names in addition to lookalike names. With that, they can capitalize when an assistant doesn’t quite hear a command properly.

How to protect yourself from typosquatting

No doubt, slip-ups happen when browsing. Yet you can minimize how often with a few steps—and give yourself an extra line of defense if a mistake still slips through.

  • Whether you type in a web address to the address field, or a search engine, be careful that you spell the address correctly before you hit “return”.
  • If you are going to a website where you might share private information, look for the green lock symbol in the upper left-hand corner of the address bar. This indicates that the site uses encryption to secure the data that you share.
  • Be suspicious of websites with low-quality graphics or misspellings. These are telltale signs of fake websites.
  • Consider bookmarking sites you visit regularly to make sure you get to the right site, each time.
  • Don’t click on links in emails, text messages, and popup messages unless you know and trust the sender.
  • Consider using a safe browsing tool such as McAfee Web Protection, which can help you avoid dangerous links, bad downloads, malicious websites, and more.​
  • Always use comprehensive online protection software like ours on your computers and devices to protect you from malware and other online threats.

Introducing McAfee+

Identity theft protection and privacy for your digital life

#Typosquatting #Scams #Work #McAfee #Blog

QR codes are all around us. They offer a quick way to take part in surveys, download useful stuff, and visit websites of interest. After all, pointing your phone at a picture is far easier than typing in an annoyingly long URL.

But their very convenience hides a significant drawback. With regular links, it’s possible to spot a trap with the naked eye. The red flags are well-known: typos or extra characters in the site address, a disguised redirect, strange domain zones, and so on. But as for QR codes, where that jumble of black squares might take you is anyone’s guess.

With a compelling example, in this post we explain how those harmless-looking squares can pose a threat, and how not to fall victim to scammers. The example in question is the story of a woman who lost US$20,000 by scanning a QR code when buying bubble tea.

20,000-dollar bubble tea

Many have encountered coffee-shop promos when visitors are invited to take a short survey in exchange for a free drink or a discount on a purchase. This often requires you to scan a QR code at the counter — a familiar, almost routine action. What could possibly go wrong?

That’s what a 60-year-old Singaporean must have thought, too. To get a free cup of bubble tea, she scanned the QR code sticker on the glass of the coffee shop door. As it turned out later, the sticker had been pasted on by cybercriminals. The scam code contained a link to download a third-party Android app in order, she believed, to take a survey. However, the app was malicious.

Once installed, the program requested access to the camera and microphone, and to enable Android Accessibility services. This built-in Android service allows criminals to view and control the victim’s screen, as well as to disable facial and fingerprint recognition — this way attackers can force the victim to type their banking app password manually, if needed. The scammers had only to wait for her to log in, intercept the credentials, and later use them to transfer all the money to their own accounts.

How not to fall victim

Since it’s impractical (and not really necessary) to avoid scanning QR codes altogether, we recommend the following:

  • Check the addresses of sites that are linked inside QR codes carefully, and look for typical red flags.
  • Make sure that the expected and actual content match up. For example, if the code was supposed to lead to a survey, logically there should be some kind of form with answer options. If not, close the site immediately. But even if the page arouses no suspicion, you should still be careful — it may be a high-quality fake (see the first point, and read our post about how to spot a bogus site).
  • Don’t download apps via QR codes. As a rule, bona fide apps can always be found on Google Play, the App Store, or any other official platform. Apps from third-party sources shouldn’t be installed in any case.
  • Protect your devices with a reliable security solution. A built-in QR scanner lets you check the link buried in the maze of squares. Also, our solution blocks attempts to visit malicious sites and protects you from the profusion of other threats out there in cyberspace.

#codes #dangerous #Kaspersky #official #blog

There are lots of websites with tempting offers of quick and easy money working from home. But in reality, they’re likely to be from scammers looking to get gullible users to work for them for free and advertise their “business.” This post demonstrates the operation principle of several such schemes and gives tips on how to avoid falling victim to them.

Many scams in one

Who wouldn’t want to earn money for doing regular online stuff: taking surveys, watching videos, playing games and other simple tasks? That’s how scammers lure victims to one of the sites.

Home page of a scam website offering part-time work doing regular online activities

Home page of a scam website offering part-time work doing regular online activities

The home page of the “platform” is overflowing with offers of easy-earning jobs. Scammers promise new recruits a whopping US$200 a day. Plus a US$25 signing-up bonus!

Of course, there are numerous reviews from grateful “users” who have already become rich. But if you bother to read them, you’ll spot a lot of grammatical mistakes.

Reviews from

Reviews from “users” who supposedly struck gold

To earn money on the “platform”, you are asked to complete various tasks, such as testing apps, playing games, sharing a link to the site with friends, and the like.

Tasks you get paid for

Tasks you get paid for

In fact, all these “tasks” are just links to other scam resources. By visiting them, users create traffic to cybercriminals’ sites. This improves their position in search results. And also, cybercriminals may have their own footfall KPIs (key performance indicators).

When the victim tries to get their “money” (the home page promises that this can be done through popular services like Cash App, Venmo, PayPal and others), they discover that they must first earn at least US$200.

Message saying you need to earn US$200 to withdraw funds

Message saying you need to earn US$200 to withdraw funds

Sure, you won’t see any payout even if you do “earn” 200 bucks.

Nor can it be ruled out that the scammers’ domain won’t simply be blocked before user even try — such sites have very short lifespan. After getting blocked, the scammers will get another domain and launch the whole scheme again with new victims.

The scam itself is quite international. Besides English, the cybercriminals’ website is available in nine other languages. Although these versions look less professional.

Share it with the whole world

Now let’s talk about a similar site with a more primitive design, but with a different mechanism for making money from naive users.

The victims are offered two ways to earn. The first is to share the link and invite “referrals” to the website: you get US$1 for every 100 people. What’s more, the site supposedly lets you withdraw funds after accumulating just US$20. To earn this amount through inviting referrals, you need to attract 1500 users to the site (you get US$5 for signing-up).

Home page of a site that pays you to share its link

Home page of a site that pays you to share its link

Sounds hard, but things aren’t all that bad, you have a chance to earn US$50 right away. But for this you’ll have to play the scammers’ game — by endlessly refreshing the page so that the two images match. They won’t of course.

Scammers' game

Scammers’ game

When the victim goes to the site, they are immediately asked for permission to display browser notifications. Through these, the cybercriminals distribute ads for various other scams or relatively legit adult sites. That’s the main objective: to lure as many victims as possible who will give this permission.

And the image-matching game helps the scammers boost traffic to their own site and improve its search visibility.

How to avoid falling victim?

To avoid falling for online job scams:

  • Don’t believe promises of easy money.
  • Don’t enter payment information on dubious websites.
  • Read our post on how to spot scammers.
  • Use a robust security solution that will warn you before visiting suspicious sites and keep your money and data out of cybercriminals’ hands.

#Scam #websites #offering #jobs #Kaspersky #official #blog

Panaliti Cyberthreat nembé nyéépkeun alarem ngeunaan paningkatan bahaya deepfakes. Khususna, aranjeunna mamatahan henteu percanten kana ceuli anjeun: dina jaman digital intelijen buatan, sora dina tungtung jalur sanés sanés milik anu anjeun pikir éta. Ku jalan kitu, nebak naon anu sieun jalma leuwih ti saratus taun ka tukang? Dina éta umur mékanis pamanggihan ilmiah, aranjeunna waspada, enya – percanten Ceuli maranéhanana. Barina ogé, sora di tungtung séjén-éta bener jalma maranéhanana mikir? Teu percaya? Teras tingali dina kasus maling identitas nganggo téknologi canggih jaman ayeuna pikeun maok artos tina rekening bank anu digambarkeun dina film anu ditémbak taun 1915! Wilujeng sumping di dunya séri pilem jempé Perancis Les Vampires.

Vampir Palajaran

Spoiler gancang: saha waé anu milarian monster nyusu getih gaib bakal kuciwa. Tokoh utama, wartawan Philippe Guérande, nyanghareupan geng kriminal anu wani anu nyebut dirina Vampir. Sanajan umur terhormat na, pilem ieu boga loba tawaran lamun datang ka kaamanan informasi. Ngan nyandak adegan kahiji, nu illustrates naha aksés luar kana dokumén gawé téh no-go.

Vampires sorangan digambar ngagunakeun naon dipaké pikeun jadi métode high-tech. Kalolobaan episode tilu (The Red Codebook) dikintunkeun ka cryptanalysis: Guérande milarian pola dina rékaman énkripsi penjahat. Jeung episode 7 (Iblis) diwangun sabudeureun usaha nyalin identitas batur. Tapi kumaha batur ngalakukeun maling identitas kalayan ngan hiji gun dina 20s mimiti maranéhananath– Téknologi abad?

Maling identitas dina 1915

Pondokna, skéma kriminal nyaéta kieu. Vampir éta diajar yén hartawan AS George Baldwin nuju ka Paris, dimana aranjeunna mutuskeun pikeun ngabebaskeun anjeunna tina artos. Jang ngalampahkeun kitu, aranjeunna nyetél serangan cascading. Kahiji, aranjeunna ngatur pikeun millionaire diwawancara ku salah sahiji sorangan, Lily Kembang, posing salaku wartawan. Awéwé Modern majalah. Anjeunna ngawartoskeun Baldwin yén majalah na diterbitkeun kutipan selebritis unggal bulan, sarta ménta anjeunna nulis sababaraha kecap dina notebook a, lajeng tanggal jeung asup aranjeunna.

Salajengna, hiji saleswoman ngaku ti Universal Phonograph Company ngadatangan millionaire jeung marvel téhnologis anyar: phonograph sabenerna – alat munggaran pikeun ngarekam jeung baranahan sora. Anjeunna ngajelaskeun ka Baldwin yén éta mangrupikeun kabijakan perusahaanna pikeun ngarékam sora jalma-jalma anu kasohor di Paris. Ditipu, anjeunna didikte hiji-hijina frasa anu anjeunna tiasa nyarios dina basa Perancis: “Awéwé Paris anu paling menawan anu kuring kantos ningali,” nambahan “Muhun!” dina basa Inggris tungtungna.

Sifat pinuh tina tipu daya ieu lajeng wangsit ka pemirsa. Tujuan tina tahap kahiji nyaéta, tangtosna, pikeun maok tanda tangan taipan. Handapeun lambaran dimana Baldwin ditinggalkeun tanda tangan na aya sababaraha jenis kertas karbon, bearing tanda tangan jeung tanggal. Di luhureun ieu, crooks nulis pesen palsu obliging New American Bank mayar Lily (wartawan) AS $ 100.000 (jumlah tinggi kiwari; bayangkeun yén abad ka tukang!).

Salajengna, aranjeunna nyulik operator telepon hotél Baldwin, sarta ngirimkeun antek sejen pikeun ngaganti anjeunna kalawan catetan: “Kuring gering, kirimkeun misan kuring salaku diganti a.” manajemén hotél swallowed trik primitif ieu sarta nempatkeun hiji muhrim lengkep jawab telepon.

Samentara éta, Lily indit ka bank jeung pesenan pembayaran palsu. Kasir mutuskeun pikeun pariksa legitimasi urus jeung nelepon hotél dimana Baldwin ieu tetep. Di dinya, operator telepon gaya sorangan muterkeun hiji kaset tina jutawan ngucapkeun catchphrase na, nu convinces kasir mayar.

Kumaha meujeuhna skéma ieu?

Kalolobaan éta omong kosong, tangtu. Kumaha kasir Parisian di bank AS di 1915 terang tanda tangan, sumawona sora, sababaraha jutawan Amérika? Henteu nyebatkeun kanyataan yén jalur telepon harita sigana bakal ngaganggu sora anu teu dikenal. Kitu cenah, skéma éta sorangan nyaéta palaksanaan klasik tina serangan man-in-the-middle (MitM) – kasir percaya yén sora éta milik Baldwin, anu dina gilirannana nyangka yén anjeunna, sateuacana, dipasihkeun ka “perusahaan fonograf. ”.

Naon deui, pilem na nunjukkeun jalan pintas 2FA: maling tandatangan sareng konfirmasi sora palsu. Pasti, sadayana ieu ayeuna dilakukeun nganggo téknologi digital, tapi skenario serangan inti tetep sami. Ku kituna, countermeasures utama bisa dirumuskeun leuwih ti abad ka tukang:

  • Entong masihan aksés ka luar kana saluran komunikasi (operator telepon palsu).
  • Entong bagikeun data pribadi rahasia ka saha waé — kantos (biometrik sora sareng tanda tangan).
  • Upami aya ragu, pariksa deui legitimasi parentah (frasa “Awéwé Paris anu paling menawan anu kuring kantos ningali” sanés verifikasi anu paling kuat).

Kiwari, anjeun tiasa ningali sorangan séri pilem anu luar biasa ieu dina Wikipedia. Nanging, upami karyawan anjeun henteu siap nampi tip kaamanan maya ti bioskop jempé, kami nyarankeun ngagunakeun Platform Kasadaran Kaamanan Otomatis Kaspersky interaktif kami.

#Maling #identitas #dina #Blog #resmi #Kaspersky

Pos dinten ieu ngeunaan serangan anyar dina chip DRAM, anu tiasa mangaruhan PC, server sareng smartphone. Anu rada pas, sabab ulikan anyar parantos diterbitkeun anu nalungtik metode serangan DRAM énggal anu disebat RowPress. Ieu ngakibatkeun hammering baris DRAM sababaraha kali, ngabalukarkeun bitflips dina (fisik) baris pangdeukeutna. Gagasan éta sanés énggal – hal anu sami disayogikeun ampir dasawarsa ka tukang dina nami RowHammer. Nanging, RowPress mangrupikeun téknik anu langkung efektif. Tapi ke heula, hayu urang terang naon hartosna “hammering”.

Kumaha RAM jalan

chip RAM pernah bisa relied kana. Pondokna, unggal sél memori, dimana hiji bit informasi disimpen, mangrupakeun batré mini. Nalika urang ngecas, urang nyerat “hiji” kana sél. Upami teu aya biaya, éta “nol”. Sareng éta kajadian… jutaan kali per detik! Dina microchip modern, sél ieu dipak pageuh kana gelar fenomenal: sadayana milyaran aranjeunna dikandung dina kristal ukuran kuku jari. Kalawan laju update tinggi na miniaturization ekstrim komponén éléktronik, sooner atanapi engké kagagalan téh bisa dilawan – mini “batré” bakal leungit muatan maranéhanana, sarta salah sahijina bakal enol. Kadang gagalna disababkeun ku faktor éksternal, contona, lamun chip memori kakeunaan panas atawa malah sinar kosmik.

Gagal sapertos kitu tiasa nyababkeun kasalahan kritis. Bayangkeun program anu nyimpen alamat dina RAM anu kedah diaksés nalika kaayaan anu dicumponan. Lamun sababaraha bit dina alamat ieu spontaneously flip ti hiji nepi ka enol, tinimbang kode anjeun, euweuh nétélakeun naon anu bakal dieksekusi. Seueur téknologi anu dianggo pikeun ngahindarkeun kagagalan; contona, update kapaksa eusi sél memori: bacaan / nulis informasi sequentially – sanajan teu CPU atawa program butuh eta langsung. Prosés maca data téh destructive, jadi sanggeus diakses, informasi kudu overwriting. Aya ogé mékanisme koréksi kasalahan: mémori nyimpen data sareng inpormasi sacara misah pikeun mariksa kabeneran data. Kadé ngartos yen kapadetan luhur sél memori dina komputer modern mangrupa fitur fundamental; aranjeunna moal jalan sagala cara séjén.

serangan RowHammer

Tapi deui ka laporan RowHammer 2014. Peneliti ti Carnegie Mellon Universitas sarta Intel nunjukkeun kumaha mangpaatkeun fitur ditétélakeun di luhur RAM dinamis diropéa pikeun megatkeun. Upami maca data rusak sareng dituturkeun ku nimpa, kumaha upami urang nyerat program anu maca puluhan atanapi ratusan rébu kali per detik? prosés ieu téh naon peneliti nelepon “hammering”.

Répréséntasi skéma tina struktur sél RAM

Répréséntasi skéma tina struktur sél RAM. Sumber

Sél mémori dikelompokeun salaku matriks, sareng unggal operasi dina sél tinangtu ngalibatkeun aksés kana sakabéh array na. Tétéla yén aksés berurutan sareng terus-terusan kana jajar sél mangaruhan barisan tatangga. Lamun operasi ieu dipigawé seueur teuing, nu hiji jeung nol dina sél jajar tatangga bisa dibalikkeun. Panaliti taun 2014 nunjukkeun yén serangan sapertos kitu mungkin dina modul memori DDR3 standar.

Naha éta bahaya? Bayangkeun hacker tiasa ngaéksekusi sababaraha kode sawenang dina sistem anu dituju, tapi tanpa hak husus. Dina kasus anu ekstrim, éta tiasa janten kode halaman wéb, kalayan tautan anu dikirim ka korban. Upami kode ieu diidinan “pencét” daérah RAM anu tangtu, éta tiasa nyababkeun gangguan maca dina sél tatangga, dimana, sebutkeun, data sistem operasi tiasa disimpen.

Dina 2015, panalungtik Google nunjukkeun kumaha RowHammer tiasa dianggo pikeun kéngingkeun aksés anu teu terbatas kana RAM komputer. Ieu mangrupikeun serangan anu kompleks sareng seueur anu teu dipikanyaho: éta tetep kedah asup kana mémori anu leres sareng nyababkeun korupsi data anu “leres” supados komputer henteu ngadat sareng program henteu ngadat. Tapi, kamungkinan téoritis serangan sapertos kitu parantos dikonfirmasi.

BlackSmith: bypass panyalindungan RowHammer

Kumaha ngajaga data tina serangan RowHammer? Cara pangbasajanna nyaéta maksakeun apdet inpormasi dina baris tatangga saatos pamundut maca data tina séri sél mémori. Ieu sacara signifikan ngirangan kamungkinan korupsi data. Sapertos dina kasus kerentanan hardware dina CPU, engké atanapi engké masalah kapanggih dina unggal metode panyalindungan.

Dina taun 2021, panaliti nunjukkeun serangan BlackSmith, anu nunjukkeun yén dina kaayaan anu tangtu, kagagalan tiasa kajantenan sanajan ku panyalindungan RowHammer. Kumaha kahayang maranéhna ngalakukeun ieu? Kumaha lamun, tinimbang “smashing” jajar sél memori gigireun udagan, batur nyobian kombinasi béda: interogasi garis luhur jeung handap target ratusan rébu kali, atawa narajang opat garis sakaligus dina urutan nu tangtu? Éta digawé. Naha? Kusabab masalah dasarna (dénsitas sél mémori anu luhur) henteu kamana waé!

RowPress: ningkatkeun efektivitas serangan

Serangan RowPress anyar malah langkung efektif, sanaos ngagunakeun prinsip dasar anu sami – kalayan hiji perobahan anu alit tapi penting: panyerang nyobian ngantepkeun barisan sél kabuka pikeun dibaca salami mungkin. Panaliti junun mendakan fitur standar anu sanés ngeunaan kumaha chip mémori sareng pengontrol beroperasi anu nyababkeun langkung seueur gangguan anu mangaruhan jajar sél mémori anu padeukeut. Dina watesan efektivitas (diukur ku jumlah “hammers” diperlukeun – nu kirang, nu hadé), RowPress sapuluh atawa malah ratusan kali leuwih kuat batan RowHammer. Dina sababaraha kasus marginal, bitflip nu dipikahoyong kahontal sanggeus hiji operasi maca dina data tatangga.

Bagan aliran tés pikeun nalungtik operasi modul RAM.

Bagan aliran tés pikeun nalungtik operasi modul RAM. Sumber

Kumaha serius masalah ieu? Kasempetan serangan RowHammer, Blacksmith atanapi RowPress ka pangguna bumi pisan langsing. Résiko nyaéta perusahaan. Dina tiori, serangan ieu bisa nargétkeun server memori ngajalankeun on awan umum. Barina ogé, panyadia masihan aksés ka serverna, nyayogikeun jinis mesin virtual pikeun pangguna pikeun ngajalankeun kode naon waé anu dipikahoyong. Aranjeunna kedah mastikeun yén mesin-mesin ieu teu aya jalan kabur ti lingkungan virtualna sareng kéngingkeun aksés kana data palanggan anu sanés. Sacara kasar, sistem virtual sapertos kitu mangrupikeun program anu tiasa maca sareng nyerat data kana RAM server; dina basa sejen – platform siap dijieun pikeun raiding memori server fisik.

Kumaha téoritis serangan sapertos kitu tiasa ditingali tina poto pangaturan tés anu dianggo pikeun diajar RowPress. modul memori geus dipindahkeun ka dewan misah. Dihubungkeun sareng éta mangrupikeun jinis alat debug pikeun nyéépkeun operasi RAM. Sababaraha sistem panyalindungan geus ditumpurkeun. Paling importantly, pamanas dipasang dina modul jeung chip memori, naekeun hawa ku 50 atawa malah 80 darajat Celsius, nu sorangan ngaronjatkeun likelihood tina korupsi data kahaja atawa ngahaja.

spésifikasi serangan hardware

Ngabandingkeun RowPress ka RowHammer sateuacanna, kami dasarna ningali modifikasi sakedik kana metode aksés mémori anu ngamungkinkeun panyerang jalan-jalan (kalebet sistem nyata, tanpa pemanasan atanapi “curang”) panyalindungan anu dilaksanakeun ku produsén modul. Para panalungtik ngusulkeun solusi sorangan pikeun masalah ieu, anu untungna ngagaduhan sakedik pangaruh kana kinerja. Nanging, sapertos sabagéan ageung kerentanan hardware, ngaleungitkeunana lengkep henteu realistis. Ngurangan dénsitas chip memori ayeuna sanés pilihan. Gantina, kapasitas maranéhanana ngan tumuwuh sarta expands.

Ngalaksanakeun koreksi kasalahan “dipercaya” moal ngabéréskeun masalah ogé, sabab éta bakal nyandak sapertilu tina RAM. Métode tradisional dumasar kana kode koréksi kasalahan (ECC) ngajantenkeun serangan kirang efektif, tapi henteu ngaleungitkeunana. Saatos nyarios kitu, éta aman pikeun nyarios yén RowPress moal janten serangan “palu” anu terakhir anu urang tingali.

Di sisi tambah, studi sapertos, pikeun ayeuna, tetep sakitu legana latihan téoritis. Panaliti mendakan vektor serangan énggal, sareng produsén alat ngadamel pertahanan énggal. Tangtosna, kamungkinan yén aranjeunna tiasa ngahaja mendakan kerentanan anu berpotensi pikeun eksploitasi massal. Sanajan kitu, ditilik ku sajarah studi misalna dina dékade panungtungan, ieu sigana saperti teu mirip.

Tapi panalungtikan sapertos kitu henteu kedah dianggap murni téoritis sareng abstrak: naon anu tiasa dilakukeun ku para ahli dumasar laboratorium ayeuna, penjahat cyber nyata tiasa ngalakukeun énjing – atanapi dina lima atanapi sapuluh taun. Sedengkeun pikeun panyadia ladenan awan, maranéhanana kudu up to date jeung kamajuan panganyarna kiwari, sarta emphatically ngasupkeun kana model kaamanan maranéhanana.

#RowPress #RAM #Serangan #Blog #resmi #Kaspersky

Caangkeun Zurich sareng NEXT Kaspersky

Dina 27 Juni, NEXT balik deui dina kakuatan pinuh, waktos ieu di Zurich kalayan acara fisik pasca-pandémik anu munggaran. Wartawan sareng ahli ti sakumna dunya ngumpul pikeun ngajalajah wawasan kritis ngeunaan masa depan cybersecurity, kalebet bot AI, pamanggihan Darknet, Grup Lazarus, sareng nganjang ka Pusat Data sareng Transparansi Éropa unggulan.

Zurich Kota Héjo Data Center, Kaspersky MORE

Zurich Kota Héjo Data Center, Kaspersky MORE

Lima Taun tina Inisiatif Transparansi Global

Taun ieu, urang ngagungkeun ulang taun kalima tina inisiatif Transparansi Global groundbreaking urang, GTI dibayangkeun pikeun ngamajukeun transparansi cybersecurity. Tujuan utama GTI nyaéta: migrasi data ka pusat data Swiss, muka langkung seueur Pusat Transparansi di sakuliah dunya, audit rutin sareng manajemén kerentanan. Diréktur Urusan Umum, Yuliya Shlychkova, ngadawuh: “Komitmen kami pikeun transparansi aya hubunganana sareng organisasi di sakumna dunya, nyorot [our] pendekatan visioner”.

Salaku tambahan, Yuliya nyarios yén mimitian Juli 2023, kami parantos mutuskeun pikeun ngabagikeun sadaya kode sumber solusi di premis sareng para nasabah sareng mitra perusahaan di pusat, ngajantenkeun transparansi langkung ti ngan saukur kecap konci.

Pusat Transparansi Komputer, Kaspersky NEXT

Pusat Transparansi Komputer, Kaspersky NEXT

Pananjung Korban: Napigasi dina Darknet Labyrinth

Pindah ti prakarsa transparansi kami, proyék munggaran anu diluncurkeun di NEXT nyaéta inisiatif ‘Penemuan Korban’. Hal ieu dipingpin ku Yuliya Novikova, kapala Tim Digital Footprint Intelligence urang.

Gagasanna saderhana: sapanjang taun 2022, inisiatif ngalacak postingan wéb poék anu nunjukkeun kagiatan jahat, sapertos aksés ilegal kana pangkalan data perusahaan atanapi kompromi infrastruktur. Hasilna, tim junun bandéra 258 pausahaan global héran, alerting aranjeunna kana insiden serius. Tapi anu héran nyaéta réaksi ti perusahaan anu waspada. Langkung ti sapertilu teu gaduh kontak pikeun kajadian sapertos kitu, sareng 28 persén anu pikahariwangeun katingalina teu acuh atanapi nampik. Sanajan kitu, sababaraha direspon proactively – 22 persén éta dina resiko, sarta 5 persén éta sadar breach nu.

Kitu ceuk Yuliya “Sanaos réaksi kana béwara kami dicampur, ngan ukur sapertilu anu ngaréspon cekap, kami yakin ngawaskeun Darkweb parantos kabuktosan janten alat anu penting pikeun profésional cybersecurity. Hal ieu ngamungkinkeun urang pikeun ngaréspon gancang sareng nyegah poténsi ngalanggar data.

Yuliya Novikova, Kepala Digital Footprint Intelligence, Kaspersky NEXT - Poto: Mattias Nutt

Yuliya Novikova, Kepala Digital Footprint Intelligence, Kaspersky NEXT – Poto: Mattias Nutt

Unraveling the Dark Thread: Carita Andariel sareng EarlyRat

Saatos Yuliya, Jornt van der Wiel ti Tim Tanggapan & Analisis Global urang (GReAT) narékahan énggal: tim éta ngungkabkeun panemuan énggal ngeunaan Andariel, subgrup Lazarus anu kondang, sareng mendakan ancaman malware anu teu dipikanyaho sateuacana disebut EarlyRat. .

Andariel geus wreaking malapetaka pikeun leuwih dasawarsa, ngagunakeun Log4j mangpaatkeun pikeun initiate inféksi, nu lajeng ngundeur malware tambahan. Narikna, kapanggih yén paréntah dieksekusi sacara manual ku operator manusa – anu katingalina teu ngalaman, tinangtu jumlah typo sareng kasalahan anu dilakukeun. Pindahkeun, tPanalungtikan tim urang uncovers EarlyRat. Sapertos Trojans Remote Access anu sanés, éta ngumpulkeun inpormasi sistem sareng ngirimkeunana ka server paréntah-sareng-kontrol na. Sanaos kesederhanaan, éta mirip pisan sareng MagicRat, malware anu sanés dianggo ku Lazarus.

Jornt Van der Wiel ngagambarkeun papanggihan maranéhanana, nyebutkeun, “Dina dunya cybercrime anu lega sareng kompleks, grup sering ngadopsi kode ti batur, ngagentos antara jinis malware anu béda. Usaha konsentrasi kami pikeun mendakan taktik sareng téknik parantos ngirangan waktos atribusi sareng ngamungkinkeun urang ngadeteksi poténsi serangan dina tahap awalna.

Jornt van der Wiel, Peneliti Kaamanan Principal, Kaspersky NEXT - Poto: Mattias Nutt

Jornt van der Wiel, Panaliti Kaamanan Utama, Kaspersky NEXT – Poto: Mattias Nutt

Kebangkitan AI Bots: Boon atanapi Kutukan pikeun Cybersecurity?

Dina panutupanana, Maher Yamout, panalungtik kaamanan anu kasohor ti Global Response & Analytics Team, ningali kana industri Artificial Intelligence sareng cybersecurity, kalebet diskusi ngeunaan deteksi ancaman, bug, sareng padamelan.

Maher Yamout, Panaliti Kaamanan Senior, Kaspersky NEXT - Poto: Mattias Nutt

Maher Yamout, Panaliti Kaamanan Senior, Kaspersky NEXT – Poto: Mattias Nutt

Bot AI, kalayan kamampuan ngolah data anu gancang, nyiptakeun gelombang cybersecurity, tapi naha urang hoyong aranjeunna ngajagaan kahirupan digital urang? Yamout lebet kana ieu sacara rinci, sareng ningali sababaraha kauntungan anu dibawa AI, sapertos deteksi kerentanan sareng pangurangan kasalahan, sareng ngabandingkeunana sareng sababaraha hal anu teu tiasa dilakukeun ku AI (ayeuna), sapertos pertimbangan manusa. A

Diskusi anu teu bisa dihindari ngeunaan leungitna padamelan mangrupikeun perhatian, sanaos ngagentos panyusun kaputusan sareng pamecah masalah dina cybersecurity tetep janten titik anu moot, sabab ayeuna teu mungkin AI bakal ngagentos manusa pikeun seueur peran kaamanan.

Pamustunganana, pesen Yamout jelas: bari peran AI dina cybersecurity naék, penting pisan pikeun napigasi jalur ieu sacara saksama, nyaimbangkeun kauntungan poténsial sareng kamungkinan résiko.

Pikiran Akhir: Ningali Ka hareup ka Masa Depan

Nalika urang nutup tirai dina édisi NEXT ieu, waktosna pikeun ngeunteung deui acara anu luar biasa ieu. Ieu mangrupikeun hajatan anu ageung, khususna anu nandaan ulang taun kalima Global Transparency Initiative (GTI).

Tina misteri Darknet dugi ka padamelan jero grup Lasarus, dugi ka poténsi bot AI, konperénsi ieu ngahijikeun sababaraha pikiran anu paling terang dina kaamanan, industri sareng téknologi, nyayogikeun platform pikeun wacana wawasan ngeunaan panalungtikan panganyarna sareng anu bakal datang. . kamungkinan sarta ngajajah rupa-rupa jejer metot.

Éta ngajangjikeun masa depan dimana kaamanan digital mangrupikeun norma, transparansi mangrupikeun standar, sareng ukuran kaamanan anu kuat dilaksanakeun.

Tetep aman tur tetep katala!

#Kaspersky #Wawasan #konci #Blog #resmi #Kaspersky