July 2024 - Ophtek

Polyfill Website Compromised with Malicious JavaScript

antivirus software, DNS Filtering, Malicious JavaScript, Ophtek, Polyfill, secure firewallAntivirus software, DNS filtering, malicious JavaScript, Ophtek, phishing, Polyfill, secure firewallOphtek, LLC

Jul 2024

The Polyfill.io website has been caught up in a supply chain attack, with the result that malicious JavaScript is now being supplied through the site.

Along with sites such as Bootcss and BootCDN, Polyfill has been compromised by threat actors and transformed into a malicious site. Typically, Polyfill was a treasure trove of JavaScript code which allowed the use of contemporary JavaScript functions in older browsers. The Polyfill domain was sold to a new firm at the start of 2024, and it appears the infected code was inserted into the JavaScript shortly after this. With Polyfill supplying JavaScript code to an estimated 110,000 websites, the potential for damage is high.

Understanding the Polyfill Attack

Unsuspecting web developers are downloading JavaScript code from Polyfill and incorporating it into their websites, under the understanding it will help their sites load in older browsers. However, the malicious JavaScript code now hosted on Polyfill does something very different. As JavaScript will be activated once a user loads an infected website, this means the malware is then downloaded to that user’s PC.

The main impact of this malicious JavaScript is a combination of data theft and clickjacking (where a user is tricked into clicking an element on a page). Some of the infected scripts also redirect users to malicious sites containing further malware, sports betting websites, and pornographic content. The attack has been significant, with notable victims affected including Intuit and the World Economic Forum.

The infected code has been difficult to analyze as security researchers have found it’s protected by high levels of obfuscation. By generating payloads which are specific to HTTP headers and only activating on certain devices, the malicious JavaScript has been difficult to pin down and examine. The attack has also been significant enough for Google to start banning Google Ads linking to the infected sites.

Protecting Your PCs from Polyfill

If your organization has used code from Polyfill.io in the past, it’s time to remove this code from your website. This is simplest and most effective way to minimize the threat to your visitors. Nonetheless, there’s much more you can do to stay safe from malicious websites:

Use Strong Firewall and Antivirus Solutions: you can protect against malicious websites by using comprehensive firewall and antivirus software, such as AVG and McAfee. These tools filter out harmful traffic, block access to known malicious sites, and detect suspicious activities. This combination of protection prevents malware infections and data breaches which can originate from unsafe web pages.

Employ DNS Filtering: access to malicious websites can be blocked at a network level by using DNS filtering services. By filtering out dangerous domains and websites known for malware distribution or phishing, these services provide an additional layer of security, preventing users from visiting harmful sites and protecting the integrity of your IT infrastructure.

Employee Education: training your employees to recognize phishing attempts, avoid suspicious links, and understand the importance of secure browsing habits is crucial. Regularly updated cybersecurity training programs ensure your staff can identify and avoid potential threats, reducing the risk of falling victim to malicious websites.

For more ways to secure and optimize your business technology, contact your local IT professionals.

CrowdStrike Causes Unprecedented Global IT Outage

Cloud Storage, CrowdStrike, cybersecurity, Ophtek, Updates, vulnerability, Windows updatecloud storage, CrownStrike, Ophtek, security, updates, vulnerability, Windows updateOphtek, LLC

Jul 2024

One of the world’s biggest ever IT failures has caused chaos for major IT infrastructures all over the world. And it was all thanks to a CrowdStrike update.

The damage was caused by a content update for Windows issued by CrowdStrike, a major player when it comes to cybersecurity firms. However, rather than providing an enhanced experience for Windows users, it resulted in many users finding that their PCs crashed. The ‘blue screen of death’ was a common sighting and numerous applications were rendered unusable. The CrowdStrike glitch wasn’t restricted to a small number of individuals either, it went all away the round and affected major organizations.

Understanding the CrowdStrike Flaw

CrowdStrike has been providing security solutions since 2011, and it now offers a wide range of security services. These are provided through cloud-based platforms and have seen CrowdStrike’s profile rise significantly. However, their recent update for their application Falcon Sensor – which analyzes active processes to identify suspicious activity – is responsible for the worldwide outage of IT systems.

Falcon Sensor runs within Windows and, as such, interacts directly with the Windows operating system. Falcon Sensor’s main objective is to protect IT systems from security attacks and system failures, but their latest update achieved the complete opposite. As a result of faulty code within the update, Falcon Sensor malfunctioned and compromised the systems it had been installed on. This led to IT systems crashing and unable to be rebooted.

CrowdStrike were quick to identify the fault as a result of their update, and reassured the global community this was not a global cyberattack. With the fault identified and isolated, CrowdStrike rapidly developed a fix. But the damage had already been done, and many systems remained offline due to the disruption.

Who Was Affected by the CrowdStrike Glitch?

The impact of the faulty CrowdStrike update was of a magnitude rarely seen in the IT world. With many IT infrastructures relying on Windows, countless systems crashed all over the world. Airport services were badly hit, and lots of airlines had to ground their planes due to IT issues. Banks and credit card providers were also affected, and numerous organizations were unable to take card payments as a result. Healthcare services, too, felt the full impact of the glitch and struggled to book appointments and allocate staff shifts.

The Aftermath of the CrowdStrike Disaster

Disruption to IT systems was still evident days after the CrowdStrike incident, and it’s expected this disruption will continue. Matters weren’t helped by the simultaneous failure of Microsoft Azure, a cloud computing platform, which also created a major outage.

While the outages were caused by a technical glitch, CrowdStrike issued an announcement the day after that cybercriminals may be targeting affected systems. Evidence in Latin America indicated CrowdStrike customers were being targeted by a malicious ZIP archive which contains HijackLoader, a module used to install various strains of malware.

Final Thoughts

Ultimately, this digital catastrophe was caused by a faulty piece of code, and Microsoft currently estimate it affected 8.5 million Windows devices. It could easily happen again and reinforces the need for good backup protocols, such as the 3-2-1 backup method. The CrowdStrike glitch may have been unforeseen, but with the correct preparation, you can minimize the impact of future incidents on your IT systems.

For more ways to secure and optimize your business technology, contact your local IT professionals.

In the digital age, it’s crucial for your business to have a robust IT infrastructure if you want to achieve long-term success and sustainability.

An IT infrastructure, however, is a complex combination of services and components. Accordingly, building and maintaining one is far from straightforward. But if you want to support your day-to-day operations and build for future growth, it’s essential you prioritize your IT infrastructure. To help you get started, or evaluate your existing system, we’re going to take a closer look and how you can build and maintain it.

What are the Key Components?

A well-designed IT infrastructure will ensure your daily operations run smoothly, but what are the components supporting this success? The core elements comprising an IT infrastructure include:

Hardware: central to any IT system is the hardware, without which you wouldn’t have any IT capabilities. This hardware typically includes major resources such as servers for managing network activity, storage solutions for data management and backup, as well as networking equipment to support connectivity and security e.g. routers and firewalls.
Software: the backbone of your hardware will be software, which your team can use to process, store, and analyze data. This software can include operating systems such as Windows and Linux, or business applications which support core functions e.g. using Microsoft Excel to store data.
Network Infrastructure: depending on the size of your business, you may rely on Local Area Network (LAN) or a Wide Area Network (WAN). Generally, a smaller business will only need to work with a LAN, but larger businesses may work with several LANs connected to a main WAN. Both of these networks ensure there is a seamless data flow across your network.

Building and Maintaining an IT Infrastructure

Before you start operating across an IT infrastructure, you need to first build one and then establish a maintenance schedule. It’s an important process and one which requires great planning. So, to do this successfully, make sure you cover the following:

Carry Out a Needs Assessment: before investing in an IT infrastructure, perform a thorough assessment of your business needs. This involves understanding current and future requirements, identifying gaps, and setting clear objectives. It’s important to involve multiple stakeholders from your business in this activity, as well as working with IT experts to determine what’s viable.
Scalability: It’s difficult to predict future growth, but designing your IT infrastructure to be scalable is vital. This means selecting hardware and software that can grow with your business, allowing for easy upgrades and expansions when your business activity demands it.
Regular Maintenance: you should regularly update software and hardware to ensure optimal performance and security. Implement a maintenance schedule and keep up with the latest patches and upgrades. Remember, failing to implement security patches promptly can have catastrophic results for your IT security.
Monitor Performance: once your IT infrastructure is up and running, it’s important to monitor its performance. It’s very easy for small issues to escalate into major IT issues, so being proactive can help identify issues before they become critical.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Snowflake Passwords Leaked Online Due to Malware

default settings, info-stealing malware, malware, multi factor authentication, offline backups, Ophtek, security audits, Snowflakebackup, malware, Ophtek, security, Snowflake, updatesOphtek, LLC

Jul 2024

Snowflake, a cloud data analysis company, has found itself under attack from malware, with the result that its customers passwords have been leaked online.

A leading cloud data platform, Snowflake was founded in 2012 and has experienced a rapid rise in the industry, with its current revenue estimated at $2.8 billion. This success has been founded upon innovative data analytics solutions and a number of leading clients such as Santander, Dropbox, and Comcast. For threat actors, Snowflake represents a tempting target, both in terms of the sheer amount of data they hold and financial value. And this is clearly why Snowflake has been attacked.

With threat actors claiming to have stolen hundreds of millions of customer records from Snowflake environments, the attack is clearly a significant one. Perhaps the most interesting aspect of the attack is that it appears to result from a lack of multi-factor authentication.

Cracking the Snowflake Infrastructure

Live Nation, a popular ticket sales service, was the first company to announce that their stolen data had been hosted on the Snowflake platform. Other Snowflake customers have come forwards to acknowledge a breach but are yet to name Snowflake as the hosts for this data. The attack appears to have been fueled by info-stealing malware, with the attack targeting PCs which had access to their organization’s Snowflake network.

How the initial attack was instigated remains unclear, but Snowflake has revealed that a demo account, protected with nothing more than a username/password combination, had been recently compromised. Whether this gave the threat actors direct access to Snowflake customer accounts is unknown, although it does point towards the threat actors establishing an early foothold. Snowflake has also disclosed that each customer is put in charge of their own security, and multi-factor authentication isn’t automatically enabled. This, Snowflake states, is how threat actors succeeded in hacking the compromised accounts.

Snowflake has advised all of its customers to switch on multi-factor authentication, but it appears to be too late for many. Whole lists of Snowflake customer credentials can be found available on illegal websites, with this data including email addresses alongside username/password combinations. Ticketmaster, another ticket sales platform, has been reported of having close to 560 million customer records compromised. This is a huge data breach, and one which has deservedly earned headlines.

The Importance of Multi-Factor Authentication

For Snowflake to have selected multi-factor authentication as an optional function, rather than a default security measure, is negligent. Regardless of this negligence, it’s also the responsibility of the compromised accounts to double check the available security measures. Therefore, to stay safe in the future, always carry out the following when working with external hosting providers for your data:

Always Check Default Settings: you can’t assume your default security settings are suitable for your organization, so always double check them before going live. For Snowflake customers, understanding multi-factor authentication wasn’t in place as default, could have avoided these data breaches.
Regular Security Audits: check with your hosts that regular security audits and penetration testing forms part of your agreement. These tests can help identify vulnerabilities and allow you to implement security measures, protecting the security of your network and data.
Schedule Offline Backups: while cloud computing offers fantastic benefits for backups, you should never rely solely on cloud networks. Instead, utilize offline backups as part of your backup strategy. These can be kept on site and, in the case of a network breach, will remain off-limits to external threat actors and ensure your data is preserved.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Malicious Microsoft Office Torrents Laced with Malware

anti-virus software, block torrent sites, Cracked MS Office, employee education, malware, MS Office Torrents, Ophtekanti-virus software, Block torrent sites, Cracked MS Office, employee education, malware, MS Office Torrents, OphtekOphtek, LLC

Jul 2024

Threat actors have been discovered to be using cracked versions of Microsoft Office to distribute a dangerous malware cocktail through illegal torrents.

Detected by the AhnLab Security Intelligence Center (ASEC), this malware campaign bundles together a collection of powerful malware strains – such as malware downloaders, cryptocurrency miners, and remote access trojans – to unleash a devastating attack. The malware is disguised as a cracked Microsoft Office installer, which would usually allow users to illegally download paid applications for free. However, those downloading this ‘cracked’ software are getting much more than they bargained for.

The Dangers of Malicious Torrents

Torrent sites, the use of which is generally illegal, have a long history of containing malware due to the unregulated nature of these sites. However, the promise of expensive software for nothing more than a few clicks is highly tempting to many internet users. Therefore, risks are taken and, occasionally, the consequences can be severe.

In this most recent example, torrents for Microsoft Office – as well as torrents for Windows and the Hangul word processor – are using professionally crafted interfaces to pass themselves off as legitimate software cracks. But despite the numerous options available, to apparently assist the user, these cracks have a nasty sting in their tail. Once the installer has been executed, a background process launches a hidden piece of malware which communicates with either a Mastodon or Telegram channel to download further malware.

This malware is downloaded from a URL linked to either GitHub and Google Drive, two platforms which are both legitimate and unlikely to ring any alarm bells. Unfortunately, there’s plenty to be alarmed about. A series of dangerous malware types are downloaded to the user’s computer, and these include Orcus Rat, 3Proxy, XMRig, and PureCrypter. These all combine to harvest data, convert PCs into proxy servers, download further malware, and use PC resources to mine cryptocurrency.

All of these malware strains run in the background, but even if they’re detected, removing them has little impact. This is because an ‘updater’ component of the malware is registered in the Windows Task Scheduler and, if the malware strains have been removed, they are re-downloaded on the next system reboot. This makes it a persistent threat, and one which is difficult to fully remove from your system.

Shield Yourself: Avoiding Harmful Torrents

Clearly, it’s crucial you need to protect your business from malicious torrents, but how do you do this? Well, it’s relatively simple if you implement the following strategies:

Strict Download Policies: your IT infrastructure is delicate and needs to be protected by a strict download policy. All torrent sites, and associated torrent software, should be completely restricted within your business. Therefore, block all access to torrent sites, and put restrictions in place as to who can install applications within your business.
Robust Security Software: many antivirus suites can detect malicious components within downloads before they’re downloaded. Accordingly, it makes sense to have strong antivirus software in place – if a download is flagged as suspicious, you can cancel it before the download launches. Additionally, an advanced firewall can detect and block any suspicious traffic in/out of your network related to torrent use.
Employee Education: as ever, your employees are strongest form of defense, so make sure that regular training sessions are conducted to highlight the dangers of torrents. These sessions can also be expanded to cover the telltale signs of malicious websites and phishing/social engineering attacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Monthly Archives: July 2024