October 2023 - Ophtek

SapphireStealer: The Threat of Open Source Malware

antivirus software, firewall, Open Source Malware, Ophtek, Phishing, SapphireStealerAntivirus software, firewall, open source malware, Ophtek, phishing, SapphirStealerOphtek, LLC

Oct 2023

Malware which can be enhanced always poses a huge risk to PC users, and the rise of open source malware like SapphireStealer is magnifying this problem.

Open source programs are those which have had their source code put online and made available not only for use, but also modification. This approach is usually chosen with the main objective being public, open collaboration between coders, and the resulting programs made available to the public for free. It’s the very definition of what the internet was created for, but this doesn’t mean these intentions are always well meaning. And the story of SapphireStealer makes for the perfect evidence.

What is SapphireStealer?

The name of SapphireStealer is somewhat of a giveaway in terms of what this malware does, it’s an information stealer. SapphireStealer was first published to GitHub (an online and public source code repository) towards the end of 2022. And it proved to be a hit. As well as being simple enough for basic hackers to launch attacks, SapphireStealer was open source and could be tinkered with by fellow hackers.

SapphireStealer originally started life with a basic set of capabilities, it would grab popular files – such as Word documents and image files – before emailing them to the hacker behind the attack. However, it wasn’t perfect, and there was plenty of room for improvement. It was a fantastic opportunity for the hacking community to see how they could enhance SapphireStealer. And this was exactly what they did.

By January 2023, new variants of SapphireStealer were detected which could steal a wider range of files, and this stolen data could now be relayed through Discord and Telegram servers. And, as it remained open source, anyone on the internet could now access these more robust and dangerous variants. SapphireStealer appears to infect victims through a variety of methods:

Infected email attachments
Malvertising
Social engineering
Illegal downloads

Minimizing the Threat of SapphireStealer

At present, SapphireStealer is relatively basic in terms of the threat it carries. It isn’t going to cause financial damage like, for example, ransomware will. However, it has evolved rapidly in less than a year, and its risk level is only going to rise higher. The fact that open source malware is proving so popular also indicates that more threat actors are going to enter the digital arena. Therefore, you need to make sure you IT infrastructures are heavily guarded:

Use a firewall: a tried and trusted security measure, a firewall puts a digital barrier between your organization and the internet. This means that you can monitor incoming and outgoing traffic and put filters in place to mitigate attacks and allow access to trusted users.
Make sure your employees are aware: SapphireStealer relies on a number of well-known infection methods, but these aren’t necessarily well-known to the average PC user. Accordingly, your employees need to understand the most basic attack methods and how to identify them e.g. the telltale signs of a phishing email.
Install antivirus software: it may seem like a no-brainer, but many organizations fail to put an effective antivirus suite at the forefront of their defenses. Even free antivirus software, such as Kaspersky Free, can make a significant difference to your digital safety.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Healthcare Organizations Targeted by new Lazarus Attack

Backup Strategies, Data Security, Lazarus, North Korea, Ophtek, Phishing, QuiteRATbackup, North Korea, Ophtek, phishing, QuiteRAT, security, updatesOphtek, LLC

Oct 2023

Healthcare organizations across the United States and Europe have recently found themselves targeted by Lazarus, the North Korean hacking group.

Lazarus, who are believed to have ties to the North Korean government, are well known in the world of cybersecurity. In 2022, Lazarus were rumored to have stolen a total of $1.7 billion worth of cryptocurrency across the year. So, yes, Lazarus is a force to be reckoned with. As their latest attack targets organizations rich in sensitive data, it’s important to understand their methods and determine the lessons that can be learned.

What Is Lazarus’ Latest Campaign?

At the heart of this new attack by Lazarus is the ManageEngine ServiceDesk. This management suite is used to help organizations manage their entire IT infrastructure. From networks and servers through to mobile devices and applications, ManageEngine helps make life easier for IT teams. It’s a highly popular management suite, with numerous Fortune 100 businesses implementing it. For healthcare organizations, it’s a crucial service which allows them to stay productive and support their IT systems.

However, as with all, applications, ManageEngine is not 100% secure. The CVE-2022-47966 vulnerability, which was discovered in January 2023, was first exploited by threat actors in February of the same year. This vulnerability allowed the deployment of QuiteRAT, a new and complex brand of malware. QuiteRAT let the threat actors steal data relating to the compromised device and, cleverly, allowed QuiteRAT to “sleep” in order to appear dormant and stay off the radars of security professionals.

Another part of the attack also involves a new strain of malware dubbed CollectionRAT, which has the ability to perform typical remote access trojan tasks such as executing commands on a compromised system. As with previous campaigns, this latest strike utilizes many of the trademark Lazarus tactics and innovations. For example, by using open-source tools to create CollectionRAT, the threat actors are able to launch their attacks more quickly and without raising the alarm immediately.

How Do You Protect Your Organization from Lazarus?

Naturally, the most obvious way to protect your IT infrastructure from Lazarus is to be prompt with installing software patches. Lazarus appears to have infiltrated these healthcare organizations due to a known vulnerability, so patching any holes within your IT systems is essential. Luckily, many updates, such as Windows, can be set to automatic and ensures that your applications are as secure as they can be.

Hacking groups, however, don’t rely solely on vulnerabilities to launch their attacks. In fact, they will deploy almost every technique you can think of to launch an attack. The best practices to stay safe from these are:

Create backups: when confronted with any form of malware, there’s a good chance that your business data will be at risk or being compromised or even permanently erased. Therefore, it’s important that your organization creates regular backups to preserve your data and productivity. One of the most comprehensive methods you should use is the 3-2-1 backup method.
Educate your staff on phishing: staff awareness of phishing is crucial due to the rising risk of phishing and social engineering attacks. Recognizing the telltale signs of a phishing email prevents the chances of data breaches and compromised credentials. This will result in a securer IT landscape for your organization and protect your networks and data.

For more ways to secure and optimize your business technology, contact your local IT professionals.

HiatusRAT Malware Returns with a Vengeance

HiatusRAT, malware, network, Ophtek, Security, Updateseducate, HiatusRAT, malware, network, Ophtek, security, updatesOphtek, LLC

Oct 2023

The HiatusRAT malware has re-emerged from its slumber to prove how resilient it is by targeting multiple organizations in Taiwan and the US.

As with most malware which is deemed successful in terms of its longevity, the threat actors launching HiatusRAT have ensured that it’s more powerful than ever. And, to strengthen its attack, they have redesigned it to escape detection. So far, the majority of the organizations targeted by this latest version of HiatusRAT have been based in Taiwan, but at least one US-based military system has also been attacked. And, with HiatusRAT seemingly operating at full throttle, it’s likely to spread even further.

Due to the potential danger contained within HiatusRAT, we’re going to take you through how it operates and how you can protect your organization.

The Lowdown on the Latest HiatusRAT Campaign

HiatusRAT was first detected back in March 2023, when it was discovered infecting the routers of various organizations in Europe and North and South America. This attack involved stealing data by hijacking email channels as well as installing a remote-access Trojan (RAT) on infected routers. It was an attack which led to significant data loss, but the malware’s activity soon dropped off. However, during this downtime, HiatusRAT has been refined and reconfigured.

Again, HiatusRAT appears to be targeting routers and similar networking devices. By redesigning HiatusRAT to target ARM and Intel hardware, the threat actors – who are currently unknown – have managed to enhance the potency of their malware. Operating with two types of servers – Tier 1 and Tier 2 – they have been able to use multiple IP addresses to transmit data to remote sources. As the attack has targeted at least one military system, it’s suspected that there may be a nation-state involved with the attack. However, as of now, security researchers have been unable to pinpoint the true motives outside of data theft.

Protecting Your Organization from HiatusRAT

You may not run an organization in the military industry, but RAT-based malware doesn’t tend to discriminate. Therefore, you need to be on your guard against HiatusRAT and other similar attacks. Remaining vigilant is crucial, and you can strengthen this vigilance by practicing the following:

Always install updates: many malware attacks are the result of an unpatched vulnerability giving threat actors free access to your IT systems. This means that installing updates, for every piece of software and hardware you use, is vital. It may feel like a time-consuming task in the short-term, but ultimately it could save your organization from data breaches and significant disruption.

Monitor network activity: HiatusRAT was observed to be transmitting data to a remote server for around two hours, and this is why monitoring network activity is so important. Occasionally, there can be a surge in network activity, but this is most often related to identifiable reasons and directed towards known destinations. However, anything out of the ordinary – such as unusual destinations and IP addresses – should immediately be investigated.
Educate your employees: one of the surest ways for malware to breach your IT infrastructure is through your employees. This means that strong IT induction programs need to be implemented and regular refresher courses conducted to solidify this knowledge.

For more ways to secure and optimize your business technology, contact your local IT professionals.

5 Easy Ways to Improve Your Organization’s Cybersecurity

Backup, cyber attacks, cybersecurity, Ophtek, secure WIFI, Training, two-factor authentication, VPNbackup, Cyber Attacks, Cybersecurity, Ophtek, secure WIFI, Training, two factor authentification, VPNOphtek, LLC

Oct 2023

With cyber-attacks showing no signs of slowing up, it’s more important than ever before to make sure your organization’s IT systems are protected.

Luckily, this doesn’t necessarily involve huge amounts of investment. In fact, some of the most effective ways to protect your IT infrastructure are the simplest. But not ever business realizes this, and this is why so many find themselves falling victim to cybercriminals. Therefore, it’s crucial that you start implementing the best solutions for protecting your organization.

How Do You Keep the Cybercriminals at Bay?

To help you get started with securing your defenses, we’ve put together 5 easy ways to improve your organization’s cybersecurity:

Two-factor authentication: passwords are an amazing method of protection, and this is why they have been used as a security measure for decades. However, a breached password is of little use when it comes to securing your IT systems. Therefore, implementing two-factor authentication should be a major priority. This extra layer of security involves a user receiving a unique code – via registered text or email – to confirm their identity after entering their login credentials. This means that, even if a password is stolen, there is a further security hurdle to overcome.

Training as a team: training sessions are essential when it comes to educating your staff on the dangers of malware and threat actors. However, one-to-one IT induction processes aren’t enough. You also need to develop programs which train your team as a whole. Studies have shown that group learning is more effective and this is exactly what you need when building your IT defenses.

Secure your networks with a VPN: one of the best ways to protect your organization’s data and internet connections is by using a virtual private network (VPN). A VPN establishes secure connections between remote employees and the organization’s network, maximizing data privacy and preventing data breaches. It does this by encrypting data transmissions, shielding sensitive information from hackers, and preventing unauthorized access. Combined with tunneling protocols and authentication mechanisms, a VPN will help you create a secure digital barrier.

Create backups: many cyberattacks, particularly ransomware campaigns, focus on stealing and restricting access to data. This is why backups should form a major part of your IT defenses. By creating multiple backups – see our guide to the 3-2-1 backup method – you are essentially creating a safety net for your business in the event of a data breach. While it may not mitigate every negative impact of a data breach – such as customer data being leaked – it will minimize the risks of data loss.

Secure your Wi-Fi network: there’s absolutely no need for your Wi-Fi network to be publicly visible. By advertising the presence of your Wi-Fi network, you are inviting threat actors to test your defenses. Therefore, you need to not only secure and encrypt your Wi-Fi network, but also hide it from public view. This can be achieved by instructing your router to never broadcast its network name, also known as the Service Set Identifier (SSID).

For more ways to secure and optimize your business technology, contact your local IT professionals.

IcedID Malware Evolves to Become More Dangerous Than Ever

banking trojan, email attachments, IcedID, malicious payloads, malware, Ophtekbanking trojan, email attachments, IcedID, malicious payloads, malware, OphtekOphtek, LLC

Oct 2023

The only thing worse than a powerful piece of malware, is a powerful piece of malware which has evolved into something more dangerous, just like IcedID.

IcedID first emerged onto the digital landscape in 2017, when it was classed as a banking trojan and started targeting financial institutions in the US, Canada, and UK. IcedID’s main objective, in 2017, was to steal sensitive data such as credit card details. However, the very best threat actors are those that regularly update and repurpose their malware to evade detection and become more effective. And that’s exactly what they have done with IcedID, turning it from a banking trojan into something much more complex.

What is IcedID’s New Strategy?

IcedID has evolved, but what exactly has it evolved in to? Well, the objective of retrieving sensitive financial details appears to have been removed. However, IcedID is now concentrating its efforts on delivering further malicious payloads to compromised systems. Essentially, it’s opening your IT systems up to a whole new world of pain.

Using the BackConnect module, IcedID communicates with a command-and-control server which allows the transfer of commands and files to the infected system. Originally, this attack was easy to detect as IcedID used TCP port 8080 to transfer data and communications. However, the threat actors behind this new wave of attacks, quickly changed their approach and began to compromise TCP port 443, which is much harder for security software to detect as it usually only handles encrypted data.

At least 20 command-and-control servers have been detected since April 2023, indicating that the threat actors behind IcedID are keen to not only disguise their tracks, but also keep security experts guessing. IcedID appears to compromise its victims by carrying out a sustained campaign of data harvesting and using them as a connection point in spamming campaigns, which are used to spread IcedID even further.

Staying Safe from IcedID

The exact point at which this current IcedID campaign infects a host is currently unknown, but earlier variants of IcedID from 2023 used malicious email attachments. Therefore, it’s important for all your PC users to remain vigilant against the threat of infected emails arriving in their inbox. In particular, make sure they look out for the following:

Check email address and domain: always make sure that the sender’s email is genuine, without misspellings or unusual domain extensions that resemble well-known entities e.g. G00glemail. And when it comes to unfamiliar addresses, especially those that claim to be official sources, scrutinize them closely.
Content and language: pay attention to language inconsistencies and an urgent tone, especially one which urges you to take immediate action. Unexpected attachments and links, particularly from unknown senders, should always be checked by an IT professional as the risk of malware in these instances is high.
Requests for personal information: it’s vital that you treat requests for sensitive data, such as passwords or financial details, with suspicion. Legitimate organizations typically won’t ask for this information via email. Verify such requests directly through secure channels such as face-to-face or via telephone before responding.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Monthly Archives: October 2023