Malware reports

IT threat evolution Q2 2019

Targeted attacks and malware campaigns

More about ShadowHammer

In March, we published the results of our investigation into a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels.

ASUS was not the only company used by the attackers. Other targets included several gaming companies, a conglomerate holding company and a pharmaceutical company – all located in South Korea. Either the attackers had access to the source code of the victims’ projects or they injected malware at the time of project compilation – indicating that they had already compromised the networks of those companies.

Our analysis of the sophisticated backdoor deployed by the attackers revealed that it was an updated version of the ShadowPad backdoor used in supply-chain attacks that we reported in 2017. The newly updated version used by ShadowHammer follows the same principle as before. The backdoor unwraps multiple stages of code before activating a system of plugins responsible for bootstrapping the main malicious functionality. The attackers used at least two stages of C2 servers, where the first stage would provide the backdoor with an encrypted next-stage C2 domain. We also found that ShadowHammer reused algorithms used in multiple malware samples, including PlugX – a backdoor that is quite popular among Chinese-speaking hacker groups.

This supply-chain attack is a landmark in the cyberattack landscape, indicating that even reputable vendors may suffer from the compromise of digital certificates and raising concerns about the software development infrastructure of all other software companies. The attackers behind ShadowHammer were able to add a backdoor to developer tools and inject malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism. It’s important that software vendors add another line to their software build conveyor to check software for potential malware injection – even after the code has been digitally signed.

You can read more in our report.

The ongoing activities of Roaming Mantis

In February, we detected new activity of the Roaming Mantis threat actor. This group has evolved significantly in a short space of time. The activities of Roaming Mantis were first reported in 2017, when it targeted Android. Its distribution method was SMS and it concentrated on just one country – South Korea. Since then, the scope of the group’s activities have widened considerably. Roaming Mantis now supports 27 languages, targets iOS as well as Android and includes crypto-mining for PCs in its arsenal.

The key finding of our latest research is that Roaming Mantis continues to seek ways to compromise iOS devices. The group has even built a landing page for iOS users. When the victim visits this page, they see a pop-up message guiding them to the malicious iOS mobile config installation. Following installation of this mobile configuration, the phishing site automatically opens in a web browser and sends collected information from the device to the attackers’ server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID.

Our telemetry also uncovered a new wave of malicious APK files targeting Android devices. Our analysis has confirmed that this is a variant of the sagawa.apk Type A malware that was previously distributed via SMS in Japan. Roaming Mantis also continues the DNS manipulation it has used in earlier campaigns.

The countries most affected by this campaign are Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam. We have detected this malware over 6,800 times for over 950 unique users during this period. However, we believe the scale of this attack wave is much bigger and that these numbers reflect only a small part of the campaign.

The muddy waters of Middle East APTs

In April, we provided an analysis of the tools used by the MuddyWater threat actor following initial infection of its targets. MuddyWater, which first surfaced in 2017, is an APT group that focuses on government bodies and telecommunications companies in the Middle East – Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon, and also a few other nearby countries – Azerbaijan, Pakistan and Afghanistan. The group uses an array of customized attack tools, mostly developed by the group itself using Python, C# and PowerShell, to compromise their victims and exfiltrate data.

MuddyWater also employs deceptive techniques to divert investigations once they have deployed attack tools inside a victim’s system, such as Chinese strings, Russian strings and impersonation of the ‘RXR Saudi Arabia’ hacking group.

This threat actor has expanded its targets and malware arsenal in recent years; and we expect the group to continue developing. However, while moderately sophisticated in terms of its tools, the group’s current OPSEC is poor, leaving details that could reveal different types of information about the attackers.

ScarCruft continues to evolve

We continue to track the activities of ScarCruft, a Korean-speaking and alleged state-sponsored threat actor that typically targets organizations with links to the Korean peninsula. This group, which has shown itself to be highly skilled and resourceful, continues to develop.

Our most recent investigation shows that throughout 2018 the group used a multi-stage process to update each of its malware modules effectively while also evading detection. The group continues to use spear-phishing and known exploits as initial attack vectors. Once they have compromised a target, the attackers install an initial dropper, which uses a known exploit for CVE-2018-8120 to bypass Windows UAC, and execute the next payload, a downloader, with higher privileges. This connects to the C2 server to download the next payload, which they hide in an image using steganography. This is a full-featured backdoor and information exfiltration RAT (Remote Access Trojan) known as ROKRAT. This malware can download additional payloads, execute Windows commands, save screenshots and audio recordings, and exfiltrate files.

We also discovered an interesting piece of rare malware created by ScarCruft – a Bluetooth device harvester. They use this to collect information directly from infected devices, including device name, class, whether it’s connected to anything else, address, authentication state and whether it’s trusted or remembered.

We believe that ScarCruft is primarily targeting intelligence for political and diplomatic purposes. Our telemetry revealed several victims of this campaign – investment and trading companies in Vietnam and Russia that we believe may have links to North Korea. ScarCruft also attacked a diplomatic agency in Hong Kong and another diplomatic agency in North Korea.

We discovered that one victim from Russia had also triggered a malware detection while staying in North Korea in the past. This target had been infected with GreezeBackdoor, a tool of the DarkHotel APT group. The victim had also been attacked using the Konni malware – malware disguised as a North Korean news item in a weaponized document called ‘Why North Korea slams South Korea’s recent defense talks with U.S-Japan.zip’. This is not the first time that we have seen an overlap of ScarCruft and DarkHotel threat actors: it is something that members of our team have discussed at security conferences and we have shared details on the overlap with our threat intelligence customers in the past. Both threat actors are Korean speaking, although they seem to have different TTPs (Tactics, Techniques and Procedures).

To learn more about our intelligence reports, or to request more information on a specific report, please contact intelreports@kaspersky.com.

The Zebrocy multi-language malware salad

We recently reported on activity by the APT threat actor Zebrocy. This is a Russian-speaking group, with roots going back to 2013, which specializes in victim profiling and access. Zebrocy shares malware artefacts and more with both the Sofacy and BlackEnergy threat actors, suggesting that the group has a supportive role as a sub-group. Sofacy is believed by many to have targeted the 2016 US elections. BlackEnergy is the group behind the 2015 attacks on the Ukrainian power grid. In addition, another threat actor, Turla, deployed spear-phishing macros that were almost identical to previous, non-public Zebrocy code in 2018. It seems that Zebrocy is used to gain an initial foothold in target systems before the other groups deploy their destructive and espionage tools.

In its most recent campaign, Zebrocy used spear-phishing to deliver a new Nim downloader to targets across the globe – including targets in Germany, the UK, Afghanistan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, Syria, Iran, Myanmar and Tanzania.

Platinum returns

In June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and South East Asia. This campaign, which could date back to 2012, features a multi-stage approach. We dubbed it ‘EasternRoppels‘. The threat actor behind the campaign, which we believe to be the PLATINUM APT group, uses an elaborate, previously unseen, steganographic technique to conceal communication.

For this campaign, the operators used WMI (Windows Management Instrumentation) subscriptions to run an initial PowerShell downloader that drops a small PowerShell backdoor. We noticed that many of the initial WMI PowerShell scripts had different hardcoded C2 IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning that the malware only worked during a certain period every day). The C2 addresses were located on free hosting services, and the attackers made heavy use of a large number of Dropbox accounts (for storing the payload and exfiltrated data). The purpose of the PowerShell backdoor was to perform initial fingerprinting of a system, since it supported a very limited set of commands: download or upload a file and run a PowerShell script.

We were investigating another threat at the same time, which we believe to be the second stage of the same campaign. After deeper analysis, we realized that the two threats were related: among other things, both attacks used the same domain to store exfiltrated data, and both types of malware infected some of the victims at the same time. In the second stage, all executable files were protected with a runtime cryptor and after unpacking them we found another, previously undiscovered, backdoor that is related to PLATINUM.

A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof: the actors used two interesting steganography techniques in this APT. It’s also interesting that the attackers decided to implement the utilities they need as one huge set – an example of the framework-based architecture that is becoming more and more popular.

The Gaza Cybergang SneakyPastes campaign

Gaza Cybergang is a politically motivated Arabic-language threat actor that is actively targeting the Middle East and North Africa, with particular focus on the Palestinian Territories. There has been confusion surrounding the group’s activities: notwithstanding the alignment of goals, the group’s activities seemed scattered and involved different tools and malware.

Our monitoring of the group’s activities in 2018 has led us to distinguish between three attack groups that operate under the umbrella of this threat actor – they are Gaza Cybergang Group1 (aka ‘MoleRATs’), Gaza Cybergang Group2 (aka ‘Desert Falcons‘) and Gaza Cybergang Group3 (aka ‘Operation Parliament‘). We have reported the activities of the last two in previous reports. Our latest report focuses on the first, Gaza Cybergang Group1 or MoleRATs.

This is the least sophisticated of the three attack groups and relies heavily on the use of paste sites, in an operation name ‘SneakyPastes’, to gradually sneak one or more remote access Trojans (RAT) onto victims’ systems. The group has been recorded employing phishing and several chained stages to try to evade detection and extend the life of their C2 servers. The most popular targets of SneakyPastes are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking. Our telemetry shows there were victims in 39 countries, with most of the 240 unique victims located in the Palestinian Territories, followed by Jordan, Israel and Lebanon.

TajMahal: a sophisticated new APT framework

In autumn 2018, we discovered a previously unknown APT framework, which we named ‘TajMahal’, that had been active for the previous five years. It is a sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers; and even its own file indexer for the victim’s computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset.

There are two different packages, self-named ‘Tokyo’ and ‘Yokohama’ and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes.

The malware includes extensive functions for stealing data. This includes stealing cookies, intercepting documents in the printer queue, gathering data from backup copies of iOS devices, recording and taking screenshots of VoIP calls, stealing CD images made by the victim, indexing files, including those on external drives, and stealing data when the drive is subsequently detected again.

So far, our telemetry has revealed just a single victim, a diplomatic body from a country in Central Asia.

FIN7 cybercrime operations continue

During 2018, Europol and the US Department of Justice announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. Some people believed that the arrest would have an impact on the group’s operations. This doesn’t seem to have been the case. In fact, CobaltGoblin and FIN7 have extended the number of groups operating under their umbrella: there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

The first is the now-notorious FIN7 that specializes in attacking various companies to get access to financial data or PoS infrastructure. It relies on a Griffon JScript backdoor and Cobalt/Meterpreter and, in recent attacks, PowerShell Empire. The second is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same toolkit, techniques and a similar infrastructure, but targets only financial institutions and associated software and service providers.

We believe with a reasonable level of confidence that the AveMaria botnet is linked to these two groups: AveMaria targets are mostly suppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7. The final group is the newly discovered CopyPaste group, which has targeted financial entities and companies in one African country – leading us to believe that this group is associated with cyber-mercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It’s possible that the operators of this cluster of activity were influenced by open-source publications and don’t actually have any ties with FIN7.

All of these groups benefit greatly from unpatched systems in corporate environments and continue to use effective spear-phishing campaigns in conjunction with well-known Microsoft Office exploits generated by the framework. So far, the groups have not used any zero-day exploits. FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they have proved to be quite successful.

You can read more in our FIN7 report.

Zero-day vulnerability in win32k.sys

In March, our AEP (Automatic Exploit Prevention) technology detected an attempt to exploit a vulnerability in Windows. Further analysis led to us discovering a zero-day vulnerability in ‘win32k.sys’ – the fifth consecutive exploited Local Privilege Escalation vulnerability that we had discovered in recent months. We reported the vulnerability to Microsoft on March 17, who assigned it CVE-2019-0859 and released a patch on April 9.

This is a Use-After-Free vulnerability presented in the ‘CreateWindowEx’ function. The exploit we found in the wild was used to target 64-bit versions, from Windows 7 to the latest builds of Windows 10. Exploitation of the vulnerability allows the malware to download and execute a script written by the attackers, which in the worst-case scenario could provide an attacker with full control over the infected PC. The attackers were able to gain sufficient privileges to install a PowerShell backdoor and use this to obtain full access to the compromised computer.

Plurox: a modular backdoor

Earlier this year, we came across a curious backdoor that we named Plurox. Our analysis revealed that the malware has some quite unpleasant features. It can spread over a local network using an exploit, provide access to the attacked network and install miners and other malicious software on victims’ computers. The backdoor is also modular, so the attackers can expand its functionality using plugins, as required.

The malware can install one of several crypto-currency miners, depending on the system configuration. The bot sends a package with the system configuration to the C2 server and in response it receives information about which plugin to download. In all, we counted eight mining modules.

We also found a UPnP plugin. This module receives a subnet with mask /24 from the C2 server, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP addresses on the router using the UPnP protocol. If this is successful, it reports the result to the C2 server, waits for 300 seconds (five minutes) and then deletes the forwarded ports. We assume the attackers use this plugin to attack a local network. It would take an attacker just five minutes to sort through all the existing exploits for services running on these ports. If the administrators notice the attack on the host, they will see the attack coming directly from the router, not from a local machine. This attack, if successful, will help the cybercriminals gain a foothold in the network.

There is also an SMB module that’s responsible for spreading malware over the network using the EternalBlue exploit.

Other security news

Digital doppelgangers

In April, we published the results of our investigation into Genesis, an e-shop that is trading over 60,000 stolen and legitimate digital identities. This marketplace, along with other malicious tools used by cybercriminals, is designed to abuse the machine learning-based anti-fraud approach of ‘digital masks’.

Every time we enter our financial, payment and personal information during an online transaction, anti-fraud solutions match us against a digital mask, a unique, trusted customer profile based on known device and behavior characteristics that allows the financial organization’s anti-fraud teams to determine if the transaction is legitimate.

However, a digital mask can be copied. Our investigation found that cybercriminals are actively using such ‘digital doppelgangers’ to bypass advanced anti-fraud measures. The Genesis dark net marketplace is an online shop selling stolen digital masks and user accounts at prices ranging from $5 to $200 each. Its customers simply buy previously stolen digital masks together with stolen logins and passwords to online shops and payment services, and then launch them through a browser and proxy connection to mimic real user activity. If they have the legitimate user’s account credentials, the attacker can then access their online accounts or make new, trusted transactions in their name.

Other tools enable attackers to create from scratch their own unique digital masks that will not trigger anti-fraud solutions. We investigated one such tool, a special Tenebris browser with an embedded configuration generator to develop unique fingerprints. Once created, a carder can simply launch the mask through a browser and proxy connection and conduct any operations online.

To enhance security, we recommend that businesses enable multi-factor authentication at every stage of the user validation processes, consider introducing additional methods of verification, such as biometrics, harness the most advanced analytics for user behavior and integrate threat intelligence feeds into SIEM and other security controls in order to get access to the most relevant and up-to-date threat data.

Potential problems with third-party plugins

We recently looked at plugins and some of the potential problems with plugins.

Online stores, information portals and other resources are often based on platforms that provide developers with a set of ready-made tools. Features they need are usually available as plugins, allowing them to cherry-pick the functionality they need. Plugins are small software modules that either add to, or improve, the functionality of a website, for example, to display social network widgets, harvest statistics or to create surveys and other types of content. Plugins save developers from having to reinvent the wheel every time they need a particular feature.

However, things can go wrong. Plugins run automatically and don’t make their presence known unless something goes wrong. If the creator of the plugin abandons it, or sells it to another developer, it will not necessarily be apparent. If a plugin isn’t updated for a long time, it’s likely to contain unpatched vulnerabilities that could be exploited to take control of a web site or download malware. Even when updates are available, website owners often overlook them; and vulnerable modules can remain active years after the developer has withdrawn support for them.

Some content management platforms block the download of unsupported modules. However, it is not possible for a developer to delete vulnerable plugins from users’ websites, since this could cause disruption. Moreover, abandoned plugins might be stored, not on the platform itself, but on publicly available services. When the creator discontinues support or deletes a module, a website will continue to access the container in which it was located. Cybercriminals can easily capture or clone this abandoned container, forcing the resource to download malware instead of the plugin.

This is what happened with the New Share Counts tweet counter, hosted on Amazon S3 cloud storage. The developer posted a message on their website saying that they had withdrawn support for the plugin, but more than 800 clients did not read it. When the plugin writer later closed the container on Amazon S3, the cybercriminals created their own storage with the exact same name and put a malicious script inside it. Websites still using the plugin began to load the new code, which redirected users to a phishing resource promising a prize for taking part in a survey, rather than the tweet counter. Something similar can happen if a developer decides to sell their plugin and isn’t choosy about who they sell it to.

We recommend that companies independently monitor the security of plugins on their website and take appropriate action to ensure that they are safe.

Game of threats

Torrent sites have always been the go-to places for those seeking pirated versions of games and other software, as well as Hollywood blockbusters. However, in recent years, popular TV shows have joined the list of content on such sites. This provides opportunities for cybercriminals to spread malware. One study, conducted in 2015, reported that bootlegged content accounts for 35% of files shared via BitTorrent; and more than 99% of the counterfeit files analyzed linked to either malware or scam websites.

We recently looked at threats disguised as new episodes of popular TV shows distributed through torrent sites, to see which ones were the most popular and what kinds of threats cybercriminals are distributing in this way. The total number of people who encountered malware related to a TV show in 2018 was 126,340: this is around a third less than in 2017, but still a significant number. The top three TV shows most often used as bait are Game of Thrones, The Walking Dead and Arrow. Game of Thrones accounted for 17% of pirated content, even though this was the only TV show in our list that did not screen any new episodes in 2018. The top three most popular threat categories were Trojan, Downloader and AdWare. The full details are included in our report, including our tips on how to avoid threats coming from content distributing platforms.

Many people choose to stream TV content these days. This also provides opportunities for cybercriminals who claim to provide free downloads in return for the personal data of anyone who wants to view content without paying for it, or to those who live in a region where the content is not available. This year’s Game of Thrones premiere broke records; and we saw a spike in cybercriminal activity related to the show: the number of attacks almost quadrupled following the premiere.

Large-scale SIM-swap fraud

SIM-swap fraud occurs when a criminal masquerades as a customer of a mobile phone operator and persuades the company to give them a replacement SIM. They use stolen personal details to impersonate the victim. The new SIM gives the criminal control of the victim’s mobile phone number, allowing them to assume the victim’s identity. If the victim has opted to receive one-time passcodes via SMS, the criminal can use these, with other stolen credentials, to obtain access to their online accounts, including their bank account.

We recently investigated SIM-swap fraud in Brazil and Mozambique. Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow people to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. However, criminals are using SIM-swap fraud to target mobile payments; and people are losing money on a major scale.

Fraudsters use social engineering, bribery, or even a simple phishing attack to take control of customers’ phone numbers and intercept mobile money transactions or one-time passcodes to complete a transfer of funds or steal people’s money.

In Mozambique, this sort of crime has been widely reported in the national news, with the media questioning the integrity of the banks and mobile operators, suggesting that they may be colluding in the scams. Since the reputation of the banks and operators was at stake, they had to take urgent action to protect their customers. At Mozambique’s largest bank, they had a monthly average of 17.2 cases of SIM-swap fraud, but the true impact nationwide is difficult to estimate, as most banks don’t publicly share statistics. Some of the victims were high-profile business people, who had up to US$50,000 stolen from their accounts.

In Brazil, the problem also affected politicians, ministers, governors and high-profile business people, as well as ordinary citizens. One organized gang alone in Brazil was able to SIM-swap 5,000 victims.

Our report outlines the problem faced in both countries and a local solution developed in Mozambique that drastically reduced the level of fraud.

Spyware might sound like something from a Hollywood movie, but you can buy commercial versions of such programs – known as ‘stalkerware’ – for just a few dollars. They let you spy on someone simply by installing an app on their smartphone or tablet. Once installed, such apps remain hidden and provide access to a range of personal data, including device location, browsing history, SMS messages, social media chats and more. Some even make video and voice recordings.

Such apps are usually legal, which is why we identify them formally as ‘not-a-virus: Monitor’ when alerting someone to their presence. Their developers often market them as parental control software; and significant numbers of people download and use them – in 2018, we detected stalkerware on the devices of more than 58,000 people.

Leaving aside the moral aspects of installing such apps on someone else’s device, there are several things that make them a bad idea.

Most of these apps fail to comply with the policies of official stores such as Google Play. So they tend to be found on dedicated sites that are ‘off the beaten track’; and by requiring the user to enable the installation of apps outside the official store, make the device vulnerable to attack.

Stalkerware apps often request system rights, sometimes including root access, giving the app full control of the device, including the right to install other apps. Some also insist that the person using the device allow them to deactivate or remove protection solutions.

These apps upload personal data from the device to the vendor’s server, where the person who installed the app can review it. However, the lack of security could expose that data to hackers.

Legitimate apps, unlike stalkerware, do not hide themselves on the device, deactivate security solutions or pose a threat to the privacy of their customers. They are also available in official marketplaces.

To protect yourself from stalkerware, secure your devices with a strong password and don’t disclose it to anyone, block installation of third-party apps, check installed apps regularly, delete any that you don’t need and protect your devices with a reputable security product.

The WhatsApp call that opens up a device to surveillance

A zero-day vulnerability in WhatsApp, reported in May, allowed an attacker to eavesdrop on devices running the app. The attacker could read encrypted chats, turn on the microphone and camera and install spyware to allow further surveillance, such as browsing through the victim’s photos and videos, accessing their contact list and more.

To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp. This specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the application and execute arbitrary code in it. The attackers used this method, not only to snoop on people’s chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device.

The vulnerability affects WhatsApp for Android prior to 2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp Business for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348 and WhatsApp for Tizen prior to 2.18.15. WhatsApp released patches for the vulnerability on May 13. Some have suggested that the spyware may be Pegasus, developed by Israeli company NSO.

High severity bugs in VLC media player

In June, VideoLAN, the developers of the open source VLC media player, issued patches for two high-severity bugs – an out-of-bound write vulnerability and a stack-buffer-overflow bug. These were two of 33 fixes issued in the wake of a new bug bounty program funded by the European Commission as part of the Free and Open Source Software Audit (FOSSA) project. You can read more here.

Smart speakers listeners

Amazon has come under fire for its privacy policies following a report by Bloomberg that the company hires auditors to listen to Amazon Echo recordings, in an effort to improve the ability of its digital assistant to understand human speech. The team of auditors listens to voice recordings after the word ‘Alexa’ is used to wake up the device and picks a small number of interactions from a random set of users to annotate. One especially alarming aspect of the report is the suggestion that, although Amazon provides customers with an opt-out, recordings sometimes start without the device ‘hearing’ the wake-word.

Amazon recently filed a patent based on the idea of ‘voice-sniffing’ that would allow its smart speaker to eavesdrop on all conversations and analyze them. If implemented, such technology would allow the company to listen-in to unguarded conversations, undermining people’s privacy. It would also provide Amazon with a wealth of data that it could use for targeted advertising.

Growing numbers of people are taking advantage of the convenience that smart speakers offer. However, remember that they are also smart listeners. You should review the privacy settings of any smart device that you buy and disable any functionality that you’re not comfortable with.

Privacy matters

Personal information is a valuable commodity. The value of personal data is evident from the steady stream of data breaches reported in the news. Sometimes, we are tricked into exposing confidential data – maybe because we’re too eager to click on attachments or links in email messages, or because we’re not careful enough when looking for a good deal online. However, sometimes our personal information is exposed when an online provider fails to secure it properly.

There’s not much we can do to prevent the loss or theft of data from an online company. However, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, by using two-factor authentication and by restricting the amount of data that we choose to share online.

Information is valuable not just to cybercriminals, but to legitimate companies. Often, it is the ‘price’ we pay for ‘free’ products and services, including browsers, email accounts and social network accounts. It’s not always clear how our data will be used by online providers, so it’s essential to check the privacy settings carefully and opt out of anything you’re not comfortable with. Of course, where it’s not possible to opt out, you may need to think again about signing up for the service, or deleting your account if you have already done so.

In May, we illustrated some of these issues by looking back at some of the scandals surrounding Facebook’s handling of personal data over the last two years.

IT threat evolution Q2 2019

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox