April 2023 - Ophtek

Wiper Malware is Quickly Becoming a Major Threat

Backup, Cyber Security, email security, Ophtek, segmenting network, Wiper Malwarebackup, Cyber Security, email security, Ophtek, segmenting network, wiper malwareOphtek, LLC

Apr 2023

The world of malware evolves rapidly, sometimes from one day to another, but one of the most recent surges in popularity has been found in wiper malware.

You may not be familiar with wiper malware, but it’s a form of attack which has been steadily generating headlines over the last year. And the most recent data from FortiGuard Labs shows there was a 53% in wiper malware activity between Q3 to Q4 in 2022. Any increase in malware activity should be a concern, but anything which is over 50% represents a significant threat. This threat becomes magnified further when you consider the impact of wiper malware. Accordingly, there’s never been a more pressing time to learn about wiper malware.

What is Wiper Malware?

Wiper malware gets its name from its purpose of completely erasing all data from hard drives. Although it may seem similar to ransomware, wiper malware typically demands a fee in exchange for data recovery, but in reality, there is no chance of retrieving the data from the attackers. This type of cyber-attack is highly destructive and can cause harm not only to security but also to IT infrastructures.

Why is Wiper Malware Surging?

The initial surge in wiper malware, first observed in the first half of 2022, was attributed to the war in Ukraine. Most of this activity was the result of advanced persistent threat (APT) hacking groups from Russia supporting their governments campaign in Ukraine. And, as this conflict is still ongoing, the wiper malware threat has remained.

However, Fortinet has observed that the range of threat actors implementing wiper malware has now widened. So, as well as APT groups, wiper malware is also being unleashed by threat actors seeking financial gain and hacktivists looking to push political agendas. The research conducted by Fortinet also indicates that this surge currently shows no signs of slowing down, so it’s a threat which appears here to stay.

How Do You Combat Wiper Malware?

You may not feel as though your organization is a typical target for wiper malware, but this could quickly change due to the increased adoption of wiper malware. Therefore, you need to make sure you’re prepared for this type of attack:

Act promptly: In the event of a wiper malware attack, it’s crucial to begin segmenting your network to minimize the malware’s spread. This approach may not protect all your data, but it can help salvage significant portions. Additionally, keep a constant eye on your network for any unusual activities to prompt you into launching contingency efforts in such situations.

Ensure Careful Backups: one of the best ways to reduce the impact of a wiper malware attack is by taking proper backup measures. As malware can easily spread through networks, it’s essential to keep backups on isolated networks. Furthermore, it’s important to have multiple backups stored on different mediums to safeguard your data.

Beware of Email Threats: Malware distribution through email is a common method, and it’s easy to become a victim of such attacks. Even a momentary lapse in attention, such as not verifying a link correctly, can lead to an infection. Therefore, always hover over links to confirm their destination and, if in doubt, seek assistance from an IT professional.

For more ways to secure and optimize your business technology, contact your local IT professionals.

GoDaddy Was Hacked for Three Years Straight

breach, Go Daddy, Hacking, malware, Ophtek, Web hostingbreach, go daddy, hacking, malware, Ophtek, web hostingOphtek, LLC

Apr 2023

In an admission which will severely damage their reputation, web hosting force GoDaddy has revealed its servers were under attack for several years.

With a userbase of 21 million users, GoDaddy is one of the major players when it comes to providing web hosting services. Given this popularity, GoDaddy’s servers are used by major organizations all over the world such as news outlets, bloggers and e-commerce brands to deliver content and services. And this means there’s a lot of data on the GoDaddy servers, data which is both confidential and valuable. Therefore, to a threat actor, it provides an irresistible target.

Due to the GoDaddy breach, and the business world’s reliance on websites, it’s crucial we understand the mechanics of this stealthy threat.

What Happened to GoDaddy?

The GoDaddy breach first came to its owner’s attentions in December 2022, but it soon became apparent this breach was related to similar breaches in November 2021 and October 2019. However, far from being isolated incidents, these attacks were all part of the same campaign and remained hidden within the IT infrastructure of GoDaddy.

The most recent attack, in December 2022, found the cPanel hosting servers used by GoDaddy customers compromised by threat actors. This gave the attackers full access to the settings involved in how the customers’ websites work and direct traffic. As a result of this breach, visitors to the affected websites were intermittently redirected to malicious websites. Although there is no evidence that it occurred, unauthorized access to the cPanel would also give the threat actors the opportunity to disable access to a website.

What if Your Website is Hosted by GoDaddy?

Given that the initial attacks on GoDaddy’s servers compromised login credentials and secure SSL keys for websites, the latest attack is highly embarrassing for GoDaddy. After all, which organization would want to align themselves with a web host whose servers had regularly been hacked? Nonetheless, GoDaddy has sought to reassure customers that their infrastructure is now secure and security has been enhanced.

Naturally, customers using GoDaddy’s services are going to remain wary, so it’s important they:

Monitor network activity: one of the hallmarks of the GoDaddy hack involves the redirection of traffic from the target website to malicious websites. Therefore, it’s vital you monitor the internet traffic hitting your site and analyze whether it’s reaching the intended pages or being redirected elsewhere. If you detect something unusual, it’s best to start digging deeper and get in touch with GoDaddy’s support team.

Change your password: if you’re a GoDaddy customer, it’s recommended you change your password. In fact, regardless of which web hosting service you use, it’s important that you regularly change your password to avoid falling victim to stolen login credentials.

Assess your website: due to the access which the GoDaddy breach gave the threat actors, it makes sense to go through your website and ensure nothing is amiss. For example, are your links still directing traffic to where they should be? And are there any unusual popups prompting visitors to “click here”? It may take time to complete a full sweep of your website, but it will be worth it to protect your brand and your customers.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Malware Makes Its Way into Search Engine Ads

Google, google ads, malware, Online Security, Ophtekgoogle, Google ads, malware, Ophtek, securityOphtek, LLC

Apr 2023

Search engines are the gateway to the internet, but there’s a very real chance they may just be serving up malware each time you use them.

We all use search engines on a daily basis – with Google being the most popular choice – and, to be honest, we probably take them for granted in terms of security. However, the FBI is now warning that search engine results may represent a significant threat to the security of your PC. As with most security threats, this new technique relies on deception; in this instance, the threat actors are harnessing the power of search engine advertisements.

Due to our reliance on search engines, it’s important we understand the nature of this latest threat. And, to help you protect your IT infrastructure, we’re going to take you through the basics of this attack.

Malware by Advertising

Whenever you put a search request into, for example, Google, you will receive a long list of search results. The higher a result is, the more clicks it’s likely to get from people searching for that term. Search engines understand the importance of ranking high in their results and, therefore, they make it possible for people to pay to advertise at the very top of the search results. These advertisements look almost identical to the organic search results, with only a small “Ad” tag next to them. Accordingly, these can easily be mistaken for organic search results.

Despite many of these advertisements being legitimate, and merely paying to skip to the top of the search results page, the FBI has discovered many of these advertisements are linked to malware. Threat actors are purchasing advertising space which appears to be for genuine companies, such as finance platforms, and using very similar URLs to tempt people into clicking their link. However, these links are simply a way to redirect people to sites looking to distribute malware. Worse still, the advertisements used will often display a URL to a genuine site, but redirect you to an altogether different site.

Stay Safe from Fake Ads

The last thing you want to do is fall victim to a fake ad, after all you may simply be searching for somewhere to go and have lunch. Therefore, it pays to stay safe and know how to protect yourself from fake search engine ads. You can do this by practicing the following:

Check that top result: remember, it’s important you know what you’re clicking on, so make sure you double check any results at the top of Google. While, for example, it may look like a search result for Bank of America, the actual URL within the result may be slightly different e.g bank0famerica.com. And, if you click on it, you could quickly find yourself on a malicious site.

Always hover: the simplest way to determine the true destination of a link within search engine results is by hovering your mouse cursor over it. This will bring up a pop-up message which displays exactly where the link is going to take you.

Block Google ads: it’s possible to block Google ads from appearing in the search engine results page, all you have to do is install an ad-blocker such as Blockzilla. These apps filter incoming web pages – including search engines – and ensure any intrusive ads or promoted posts are blocked.

For more ways to secure and optimize your business technology, contact your local IT professionals.

IceBreaker Malware Uses New Social Engineering Angle

Gambling, Gamers, IceBreaker, malware, Ophtek, social engineeringGambling, Gamers, IceBreaker, malware, Ophtek, social engineeringOphtek, LLC

Apr 2023

Social engineering has been a threat for some time, so threat actors have been looking for new ways to deceive PC users. And this is what IceBreaker does.

A backdoor threat, IceBreaker is a new malware variant whose origins are currently unknown. However, regardless of who’s behind IceBreaker, the fact remains that it’s a very real and dangerous threat to PC users. Currently, IceBreaker’s presence has mostly been observed in the gaming and gambling industries. The chances of IceBreaker moving into other industries is, as ever, highly likely.

It’s early days for IceBreaker – with the malware’s first detection coming in September 2022 – so it’s high time you get acquainted with it and put up your defenses.

What is IceBreaker?

As with all social engineering attacks, IceBreaker starts with a threat actor directly contacting an organization they have targeted. This contact is initiated through a live chat session, usually hosted on the organization’s website. Posing as a customer who is having technical problems, the threat actor eventually offers to send the chat agent a screenshot of the problem they are experiencing.

This screenshot – usually hosted on a fake website (or sometimes DropBox) – appears to be a .jpg file but is actually a .zip file. Contained within this .zip file is a shortcut file which, once clicked, downloads the IceBreaker malware. Cleverly, the shortcut file is still disguised as a picture file to deceive the target. Clicking this shortcut will not only download IceBreaker but also install and activate it, all without any user prompts.

With IceBreaker activated, the threat actor can use the malware’s JavaScript processes to conduct a number of attacks. Processes observed in attacks so far have included data harvesting, activating background processes and running scripts from remote locations to maximize the damage. So, as you can tell, IceBreaker is a significant problem.

How Do You Tackle IceBreaker?

Currently, one of the major problems with the IceBreaker attack is that many anti-malware tools fail to recognize it as dangerous. In fact, as of this time of writing, VirusTotal reports only 4 out of 60 scanners will detect IceBreaker. However, this doesn’t mean you can’t protect yourself from IceBreaker and similar attacks, just make sure you do following:

Monitor compromised tools: if you suspect you have been attacked with IceBreaker then it’s a good idea to monitor the PC tools it can compromise. Therefore, check for new shortcut files, search for unusual activity involving msiexec.exe and any unauthorized use of tsocks.exe. Anything discovered which relates to these tools is a potential indicator of IceBreaker being active.

Combat social engineering: your staff need to be educated on the dangers of social engineering, even those who are simply manning your live chat. Clicking links from unknown parties is a major no-no when it comes to cybersecurity and should never be considered. Even if the person urging your staff member to click a link which appears harmless, it could easily compromise your entire IT infrastructure.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Monthly Archives: April 2023