We all use USB devices daily, but these innovative and simple devices also make the perfect environment for the PlugX malware to take hold.

USB devices are installed and ready to use within seconds of being plugged into a PC, a setup procedure which is a marked improvement on the traditional approach of installing via a CD. In fact, since the 1990s, USB connections have become ubiquitous in the hardware market. One of the most popular USB devices is the portable drive, a simple way of transferring data from one PC to another. However, USB drives have always represented a security risk and it’s this risk which PlugX is now exploiting.

How Did PlugX Get onto USB Drives?

First gaining notoriety around 15 years ago, PlugX is far from a new and mysterious strain of malware. However, it remains a viable threat when it comes to spreading malware and infecting systems.

This recent attack started with a popular Windows debugging tool called x64dbg being hijacked and manipulated by threat actors. Using the 32-bit version of x64dbg (x32dbg.exe), the threat actors execute a malicious file they have created called x32bridge.dat. Once activated, x32bridge.dat infects the resident PC and, more importantly, searchew out any USB drives connected to it. The PlugX malware is then loaded onto this USB drive.

To cover its tracks, PlugX uses a Unicode character technique to prevent the true contents and structure of the USB drive being displayed by Windows Explorer. A shortcut .LNK file is then installed in the root directory of the USB drive, which appears to be a link to the USB drive and even copys the device’s name. However, the link actually activates the PlugX malware from a hidden directory on the USB drive and allows it to search out other USB drives attached to the PC. And each time this drive is connected to a new PC, the infection process begins again.

PlugX, of course, does much more than simply spread from PC to PC without causing any damage. In fact, PlugX has the capability to launch the following attacks:

  • Keystroke logging
  • Screen captures
  • Managing processes on PCs
  • Rebooting the system
  • Remote control of the keyboard and mouse
  • Copying PDF and Word documents from the infected PC to the USB’s hidden directories

How Do You Pull the Plug on PlugX?

PlugX is currently difficult to detect due to the way in which it works, with only 11 out of 5U9 anti-malware tools currently detecting it according to Virus Total. Therefore, it’s a tough slice of malware to contend with. Nonetheless, you can minimize the risk it presents to your organization by:

  • Blocking access to USB storage drives: it’s a good idea to restrict access to USB storage drives by employees. After all, there’s little reason why they should be removing data from a company PC. Accordingly, you can block employee access to USB drives through your administration settings, effectively rendering USB ports as unusable. If an employee does need to transfer data, make this an action only privileged users can process.
  • Monitor network activity: PlugX falls under the category of being a Remote Access Trojan, so it’s likely that unusual network activity will be caused by the threat actors connecting to infected PCs. As such, any network activity which involves connections to unknown destinations should immediately be halted and investigated.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Two-factor authentication (2FA) is there to provide a high level of security, but what happens when this process is compromised?

CircleCI is a platform used by software developers to build, test and implement code. Therefore, due to the amount of confidential and potentially valuable data CircleCI holds, it’s a highly attractive target for threat actors. Thankfully, for those using CircleCI, strong security practices are in place to provide a secure environment, and one of the most important is 2FA. Nonetheless, threat actors are persistent and innovative individuals, and the presence of 2FA merely represents a challenge. And it was this obstacle hackers managed to overcome in December 2022 when they breached CircleCI.

As 2FA is such a critical element of excellent cybersecurity practices, it’s important that we understand what went wrong at CircleCI.

How 2FA Failed at CircleCI

The first sign of CircleCI becoming compromised came in early January 2023 when a user discovered that their OAuth token – used to identify customers to online platforms – had been accessed by an unauthorized party. CircleCI were unable to pinpoint how the security token had been compromised, but immediately began to randomly rotate the OAuth tokens in use by their users.

Further investigation, however, revealed how access to the OAuth tokens had been breached. A developer at CircleCI had fallen victim to a malware attack, one which focused on stealing data. Among the stolen data was a session cookie which had already been validated through the 2FA process and, therefore, ensured that anyone in possession of it could gain quick and easy access to the CircleCI network. And this is exactly what the threat actors did, stealing encryption keys, OAuth tokens and customer data.

Can You Combat a Compromised Cookie?

2FA has long been championed as one of the cornerstones of IT security, but this attack on CircleCI has brought the spotlight on to one of its glaring weaknesses. The success of the attack also highlights the popularity of this technique, which has recently been deployed against several major IT organizations. Accordingly, to protect your IT infrastructure, it’s crucial that your organization practices the following:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Cloud storage continues to grab the headlines with all manner of head turning statistics, but this doesn’t mean that offline storage is now redundant.

Ease of access, scalability and high levels of security are just three of the many reasons why cloud storage has become the go to solution for data storage. As a result, in many people’s eyes, offline storage appears clunky and outdated in comparison. However, offline storage solutions – no matter how old fashioned – remain relevant to businesses in 2023. It’s simply a case of understanding why you should implement them into your storage schedules and the best ways to achieve this.

What is Offline Storage?

In its simplest terms, offline storage is data which is not connected to your network or accessible by the internet. Cloud storage solutions – including mainstream services such as Google Drive – all require one key element to grant access to their users: an internet connection. Therefore, a storage solution which isn’t accessible by the internet is classed as offline storage. Examples of offline storage options include:

  • External hard drives
  • USB flash drives
  • Optical media such as Blu-Ray and DVD
  • Magnetic tapes (still in use, but less popular compared to more modern solutions)

Why Do You Still Need Offline Storage?

The wonders of cloud storage may be cutting edge and deal with an old problem in a new way, but offline storage remains crucial for the following reasons:

  • Multiple backups are critical: relying on a single data storage solution is a recipe for disaster. Say, for example, your cloud storage provider is hacked and all your data is encrypted or, worse yet, wiped from the servers, this is going to cause you major continuity issues if this is your only backup. However, with offline storage options in the background, you are significantly reducing the risk of your productivity dropping to zero. The 3-2-1 backup method is the best approach to adopt and could save your organization.

Final Thoughts

Cloud storage is clearly an exciting and effective option when it comes to data storage in 2023, but it should not be considered the only option. Instead, it’s vital that businesses understand that a multiple backup approach, which utilizes both online and offline storage, is the surest way to keep data safe.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


There’s a lot of money to be made in hacking and threat actors are now turning it into a business with Ransomware as a Service (RaaS).

Ransomware, of course, is well known to anyone who steps online in the digital age. With the ability to encrypt your data and demand a ransom fee, it has not only generated headlines, but also caused significant headaches for business owners. And, with ransomware attacks increasing by 41% in 2022, it’s a strategy which is showing no signs of slowing up. Therefore, not only do you need to be aware of ransomware, but you also need to keep up with associated developments such as RaaS.

As RaaS has the potential to create attacks which are both wider ranging and easier than before, it’s crucial you understand how it operates

The Basics of Ransomware as a Service

We’re all aware of what ransomware is, but what is RaaS? After all, surely ransomware is the opposite of a service? Unfortunately, for PC owners, ransomware software and attacks are now available for hire in the form of RaaS. Similar to Software as a Service (Saas) – examples of which include Gmail and Netflix – RaaS allows threat actors to harness the power of hacking tools without having to design them. If, for example, a threat actor doesn’t have the time (or skills) to build a ransomware tool, what do they do? They purchase one.

Typically, RaaS kits are found on the dark web, so don’t expect to find them taking up space on Amazon. Depending on the sophistication of the RaaS, the cost of purchasing them can range between $30 – $5,000. Threat actors looking to purchase RaaS are also presented with several different purchasing options such as one-time fees, subscription tiers or even affiliate models. It’s estimated that over $10 billion exchanges hands each year – mostly in cryptocurrency – for RaaS kits.

Examples of RaaS include Black Basta, LockBit and DarkSide, with more available for those looking to unleash ransomware easily and quickly. These RaaS kits are also much more than just hacking software, they also offer user forums and dedicated support teams to help customers get the most out of their ransomware. Again, this is very similar to the way in which successful SaaS developers provide extra value for their product. However, whereas SaaS is provided by legitimate developers, RaaS tends to be created by criminal gangs with the sole intent of generating illegal funds.

Staying Safe from Ransomware as a Service

The end result of an RaaS attack is the same as a standard ransomware attack, so there’s nothing specific you need to do if an attack comes through RaaS. Instead, you just need to stick to good old fashioned ransomware security practices:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


What exactly happened when LastPass, a password manager service, found itself at the center of a data breach? And what does this mean for your passwords?

Password managers provide a convenient service, one where complex passwords can be generated instantly and then, going forward, auto-fills when requested. LastPass is a successful example of what a password manager can do, but it’s a role which comes with great responsibility. Login credentials, after all, are often the difference between gaining access and being denied access to a user account. Therefore, password managers need to be sure the credentials they hold are highly secure.

However, as LastPass users are now finding out, password managers are highly tempting to threat actors, and far from 100% secure.

How LastPass was Hacked

Used by millions of users all over the world, LastPass has established itself as one of the leading password managers. Unfortunately, this credibility has been rocked by revelations that the service’s encrypted password vaults have been stolen by hackers. The attack – which took place in August 2022 – was ambitious, and its success even more so.

LastPass’ backup copies of their users’ password vaults were stored, apparently securely, on a third-party cloud storage platform. This, in itself, is nothing unusual; storing backup copies of secure data in remote locations is good practice. Nonetheless, once third parties become involved in storing your data, you relinquish control of this data’s security. And this is exactly where LastPass has fallen victim to threat actors.

While the mechanics of the breach remain under wraps, LastPass has had to admit that personal identifiers – including addresses, phone numbers, credit card details and IP addresses – are among the stolen data. The password vaults – which are encrypted – have also been stolen, so this means the threat actors are closer to knowing your password. And, given they now have access to your personal identifiers, it makes brute force attacks easier.

What to Do if You’re a LastPass User

LastPass has been keen to stress that, although stolen, the password vaults are secure due to the encryption protecting them. However, these encrypted passwords are now in the hands of an unauthorized party and means they are seriously compromised. Therefore, it’s crucial all LastPass users take the following decisive actions:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More