Poisoned Software Updates Issued after ISP is Hacked

backdoor malware, Chinese hackers, DNS requests, ISP Hack, Malicious alternative IP address, malware, Ophtek, Poisoned Software, ReloadText, software updates, StormBamboo, System Updates, Volexity, , , , , ,
27
Aug 2024

Software updates should always enhance your PC’s efficiency, but the recent breach of an ISP has demonstrated quite the opposite.

This recent compromise appears to have been exploited by StormBamboo, a collection of Chinese threat actors who have been causing digital chaos since 2012. The attack was made possible after StormBamboo breached the defenses of an undisclosed ISP. This allowed StormBamboo to take control of the ISP’s traffic and redirect it for their own malicious gains.

If you’re accessing the internet, even if it’s only for basic email and browsing usage, your business is going to be partnered with an ISP. And this attack by StormBamboo tells a cautionary tale of how you always need to be on your guard.

StormBamboo’s Innovative Attack

Having gained unauthorized access to the ISPs servers, StormBamboo was able to intercept and compromise DNS requests from users of that ISP. A DNS request is a query to provide an IP address for a host name – e.g. en.wikipedia.org. An ISP will provide this IP address and allow the user to visit the required webpage.

However, StormBamboo was able to manipulate these DNS requests and, instead of the legitimate IP address, provide a malicious alternative. No action was required from the end user, and they would be transferred to a malicious domain automatically. In particular, StormBamboo focused on poisoning DNS requests for software updates. These updates were insecure as they were found to not validate digital signatures for security purposes.

As a result of these compromises, StormBamboo was able to deceive victims into downloading malware such as Macma (for MacOS machines) and Pocostick (for Windows devices). For example, users of 5KPlayer, a media player, were redirected to a malicious IP address rather than fetching a specific YouTube dependency. This led to a backdoor malware being installed on affected systems. StormBamboo was then observed to install ReloadText, a malicious Chrome extension used to steal mail data and browser cookies.

Staying Safe from StormBamboo

The attacks carried out by StormBamboo appear to have been active during 2023 and were identified by Volexity, a reputable cybersecurity organization. Volexity’s first step was to get in touch with the ISP and identify the traffic-routing devices which were being compromised. This allowed the ISP to reboot its servers and instantly stop the ISP poisoning. Users of the ISP, therefore, were no longer at risk of being exposed to malware. Further advice on eliminating this specific threat can be found on Volexity’s blog.

Nonetheless, businesses are reminded to remain mindful about malicious activity on their networks. Implementing robust security measures, conducting regular vulnerability assessments, and monitoring network traffic for unusual patterns are all crucial. Additionally, employing advanced threat detection tools and training employees on cybersecurity best practices will further strengthen your defenses. Finally, never forget the importance of keeping software and systems updated with official patches, firmware, and updates.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

PKfail Flaw Exposes Secure Boot to Unauthorized Access

Acer, DDoS attacks, Dell, firmware vulnerability, Hackers, Lenovo, Ophtek, PK Fail, secure boot, unauthorized access, , , , , , , , ,
20
Aug 2024

Hundreds of devices from vendors such as Acer, Dell, and Lenovo have been found to be left wide open to threat actors due to untrusted test keys.

These devices have been left compromised due to PKfail, a firmware supply chain vulnerability. On devices where PKfail (short for Platform Key fail) is present, threat actors can install malware with ease. This is because the presence of PKfail means hackers can bypass the Secure Boot process and gain access to the device. Naturally, unauthorized access puts a device at risk of not only being infected with malware, but also suffering data breaches and being hijacked for DDoS attacks.

As the threat of PKfail has affected some of the major PC manufacturers, it’s important we investigate this a little closer.

The Failure of PKfail

Secure Boot is an integral part of any modern PC, ensuring a device’s firmware and operating system is correctly authenticated against a secure key on the machine. The devices at the center of this security failure have, within their system, a test Secure Boot key. This is named “DO NOT TRUST” and is created by American Megatrends International (AMI), a widespread BIOS system used to start up a computer after being powered on.

The intention of the test key was simply that, a test. Vendors using AMI on their systems, for example Lenovo PCs, should have removed this test key before generating a unique Platform Key. This would then protect the BIOS system, prevent Secure Boot from being compromised, and eliminate the threat of unauthorized access via this route. However, this task was missed by numerous vendors, leaving their devices unprotected.

Threat actors, aware of this flaw, could then exploit this workaround for Secure Boot and access the compromised devices without breaking a sweat. By taking control of the machines, the attackers were able to start downloading malware such as CosmicStrand and BlackLotus to the devices. This firmware vulnerability, linked to a June 2024 release as per supply chain security firm Binarly, has affected close to 900 devices, with those affected listed here.

Staying Safe from PKfail

Vendors who have failed to the replace the test key from AMI are being encouraged to immediately rectify this on any systems waiting to be issued. End users of the affected devices should also keep an eye on firmware updates issued by the vendors, prioritizing any which mention the PKfail flaw. Binarly has also given end users a helping hand by creating the pk.fail website, where those at risk can scan firmware binaries to identify any PKfail-vulnerable devices.

PC users, therefore, should be aware of the risk that even newly shipped products, with the latest firmware and patches in place, can be compromised straight out of the box. Forgetting the debacle of the Crowdstrike update debacle, promptly installing updates is one of the best ways to maintain your PC’s security.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

How AI is Revolutionizing Cyber Threats

anti-malware tools, Artificial Intelligence, cyber attacks, Ophtek, phishing training, , , ,
13
Aug 2024

Threat actors are increasingly turning to artificial intelligence (AI) and generative AI technologies to launch cyberattacks against businesses.

Technology is always advancing, and AI represents the future of where technology is likely to head. AI is also a powerful force for good, with countless benefits on offer for society. But it’s also a technology which can be exploited by threat actors. The development of AI means more sophisticated attacks can be launched with more ease and cause more damage. Therefore, businesses need to be on their guard against these new attack methods.

Why is AI So Dangerous?

Creating malware and sending it out into the digital wild is a complex and time-consuming task for threat actors. AI and generative AI remove this obstacle by allowing threat actors to automate complex tasks and generate realistic content e.g. creating malware code automatically and writing realistic phishing emails without spelling mistakes. This means phishing emails, for example, have the potential to become much more engaging and dangerous.

Another area where AI can be subverted is within the realm of vulnerability detection. No longer do threat actors have to spend their time manually analyzing security systems to discover weaknesses. Instead, they can delegate this duty to AI tools which quickly and accurately scan data to highlight vulnerabilities e.g. checking for outdated operating systems and software. The threat actor will then know which vulnerabilities are available to target.

When it comes to generative AI, the potential for successful social engineering attacks is significantly enhanced. This is down to the emergence of deepfakes, a type of content which appears to be genuine but is 100% fake. Deepfakes can take the form of audio, video, and text content to deceive recipients into acting on any call-to-actions at the heart of the content. So, for example, a threat actor could generate a voice note which purports to be a senior executive requesting a password. Deepfakes are already disturbingly realistic, and their authenticity is only going to increase.

How Can You Stay Safe from AI?

The prospect of AI, in terms of cybersecurity attacks, is concerning, but it’s a threat which can be countered. For one thing, the very reasons why threat actors have adopted AI can also be adopted into your defenses. Anti-malware tools such as McAfee are now using AI technology to combat malicious AI-generated content. Additionally, threat detection systems can use AI to analyze traffic patterns and automatically highlight potential threats to your IT infrastructure e.g. recording new and unknown IP addresses accessing the network.

As phishing emails are one of the main beneficiaries of AI, it makes sense to strengthen your employee training in this area. Not only should this be an integral part of IT inductions for new staff, but solidifying this knowledge with regular refresher training is crucial for protecting your network. The effectiveness of this training can be evaluated by running random phishing email tests, whereby a ‘fake’ phishing email is randomly sent to staff to determine if they can identify the malicious nature of it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malware Cluster Bombs: A New Threat

anti-malware tools, anti-virus software, Cluster Bombs, compressed cabinet files, KrakenLabs, malicious emails, malware, Ophtek, Phishing, software updates, Unfurling Hemlock, WEXTRACT.EXE, , , , , , , , , , ,
06
Aug 2024

A malware infection is always bad news but imagine being infected with multiple strains at once. Welcome to the new threat of malware cluster bombs.

Researchers at the cybersecurity firm KrakenLabs have revealed the dangers of a new malware technique launched by Unfurling Hemlock, a new threat actor group. Their malware cluster bombs have been verified as active in at least 10 countries, but most Unfurling Hemlock’s targets have been US-based. This attack has also been active for some time, with evidence of the earliest infections going back to February 2023.

The mere concept of malware cluster bombs is enough to worry any IT professional, so that’s why we’re going to delve a bit deeper and discuss how you can keep your IT systems safe.

Understanding Unfurling Hemlock’s Attack

This new attack starts, as with many malware attacks, through malicious emails or malware loaders. It would appear, perhaps to cover their own tracks, Unfurling Hemlock are paying other hackers to distribute their malware. The initial attack is focused around a malicious file named WEXTRACT.EXE. Within this executable is a collection of compressed cabinet files, each of which contains a strain of malware.

The final part of the attack comes when all of the malicious files have been extracted and are executed in reverse order. Each cluster bomb is believed to contain multiple strains of malware, so while the number is varied, the impact is always significant. Among these malware strains are a cocktail of different attacks, with botnets, backdoors, and info stealers all detected so far. Unfurling Hemlock’s ultimate aim, aside from causing digital chaos, is unknown, but KrakenLabs believe the threat actor may be harvesting sensitive data to sell.

The malware cluster bomb approach is innovative and effective for two reasons: the opportunities for monetization are increased and the multiple strains in use mean that persistence is enhanced. Ultimately, dropping ten strains of malware onto one device is more likely to provide opportunities for threat actors than a single strain.

Staying Safe from Malware Cluster Bombs

It’s clear that malware cluster bombs represent a serious threat to your IT infrastructure, and that’s why you need to keep your defenses secure. You can put this into action by following these best practices:

  • Regular Software Updates: ensure that all software, including operating systems and applications, is regularly updated and patched. Automated patch management tools can help make this easier, and Windows allows you to set automatic updates for Microsoft apps. Regular updates protect against known vulnerabilities and exploits which malicious actors often target with malicious files.
  • Antivirus and Anti-malware Solutions: always use reputable antivirus and anti-malware software across your network. These tools should be regularly updated to recognize and handle the latest threats. High-level security solutions will provide real-time protection, scanning, and removal of malicious files. This is conducted by regular scans and monitoring to ensure potential threats are detected and dealt with promptly.
  • Employee Education: carry out regular training sessions for employees to recognize phishing attempts, suspicious emails, and other potential threats. Training should include best practices for safe internet use, identifying social engineering tactics, and reporting suspicious activities. Your employees are your first line of defense, so it’s crucial you reduce the likelihood of attacks due to human error.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More