December 2024 - Ophtek

Microsoft Teams and the Black Basta Malware Threat

Black Basta, DarkGate, junk emails, Microsoft Teams, Ophtek, TeamViewer, ZbotBlack Basta, DarkGate, junk emails, Ophtek, Teams, teamviewer, ZbotOphtek, LLC

Dec 2024

Microsoft Teams has become an integral part of business life, but it also represents a sure-fire malware opportunity for threat actors.

Teams can be used for videoconferencing, voice calls, file sharing, and numerous collaborative processes, so it’s no surprise that it’s become extremely popular. This growth has accelerated significantly since the pandemic, and with over 320 million daily active users of Teams, it’s clear to see why threat actors view it as such an attractive target. The latest attack of note to strike Teams has been carried out by the Black Basta malware, last seen on these pages targeting US businesses in 2022.

As many of our readers are regular users of Teams, we decided it would be beneficial to shed light on this attack to help you reinforce your defenses.

Black Basta Strikes Again

The attack starts when a threat actor launches an onslaught of junk emails into a victim’s inbox. Naturally, this is an irritating situation, so when an offer of help is received via a Microsoft Teams message, it sounds like a lifesaver. This ‘help’ involves downloading a remote management tool – such as TeamViewer or Quick Assist – in order for the mysterious helper to connect to the PC in question and investigate the problem.

However, granting access is a huge mistake as it gives them full control over the PC in question. Therefore, the threat actor is able to begin downloading malware onto the target PC which harvests data. Of particular interest to the malware are login credentials, VPN configuration files, and multi-factor authentication tokens. These powerful slices of data then allow remote access to the PC without a single security question being raised.

Researchers have found that malware such as DarkGate and Zbot is being utilized by the threat actors during the attack, and that they’re posing as members of the targeted organization’s IT team. It’s also been reported that the threat actors have, at least once, attempted to use a QR code to trick a user into giving up their login credentials.

Shield Yourself from Black Basta Attacks

Handing over even a single set of login credentials can have catastrophic consequences for your IT infrastructure. With a foothold in your defenses, a threat actor can quickly establish themselves within your system, stealing data, encrypting files, and damaging hardware. Therefore, you should be mindful of attacks such as Black Basta.

The best safety essentials to employ are:

Standardize Your Remote Management Tools: make sure that you take a consistent approach with remote management tools. For example, stick to using one particular tool – such as TeamViewer – and ensure this is the only one installed on your PCs. Additionally, make sure that staff are aware that your chosen tool is the only one to be trusted, but even this should be scrutinized.
Restrict External Communication in Teams: It’s possible to block external Teams users from interacting with your employees, so it may be beneficial to put this in place. This ensures that all communication taking place within your Teams system involves only authorized employees, minimizing the risk of rogue communications being spread.
Educate Your Employees: human error remains the leading cause of cyber attacks, so this is an area you need to pay close attention to. Training your employees to identify a social engineering campaign is crucial, and could help prevent your IT infrastructure being taken over by threat actors. Make this part of your onboarding processes and conduct regular refreshers with existing staff.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

One of the recent developments in hacking has been the Bring Your Own Vulnerable Driver (BYOVD) attack, but what is it and how do you defend against one?

By now, the Ophtek blog should have informed you about ransomware, trojans, and cryptojacking, but we’ve rarely mentioned the dangers of a BYOVD attack. In the past, BYOVD attacks were mostly carried out by only the most sophisticated threat actors, but they’re now becoming increasingly popular with even basic bedroom hackers. Therefore, today is the day we remedy this and provide you with a fully comprehensive look at BYOVD attacks and how you can stay safe.

The Role of Drivers within Your PC

Before we dig deep down into the mechanics of a BYOVD attack, it’s important that you understand what’s at the heart of their malicious activities: drivers. You’ve no doubt heard of drivers in passing, but it’s only the most die-hard PC user who would fully understand what they do. Their main role is as a file used to support software applications. They work by acting as a bridge between an operating system and a device e.g. between Windows and a graphics card.

Without drivers, your PC simply wouldn’t work. From your display through to your speakers and printer, there would be no way for your operating system to communicate with these devices. This makes drivers a crucial part of any PC, but it also means they’re ripe for cyberattacks.

Breaking Down a BYOVD Attack

We’re all aware of software vulnerabilities, and a BYOVD is a unique take on this method of hacking. In a BYOVD attack, threat actors will trick their victims into downloading outdated, vulnerable drivers onto their PC. This could be through phishing emails or pop-up adverts, with the main objective of getting these unsafe drivers downloaded onto a PC along with a nasty dose of malware. With these vulnerable drivers in place, threat actors can take control of the infected PC.

BYOVD attacks are dangerous for the following reasons:

Data Theft: With BYOVD attacks capable of bypassing your security software, they not only have easy access to all your data but can effortlessly transmit it to remote servers.
Install Further Malware: IT systems with vulnerabilities exploited are at risk of having further malware installed on them. So, for example, a threat actor could first gain access to your system before downloading further malware to facilitate DDoS attacks or support cryptojacking.
Damage Your Productivity: A BYOVD attack can quickly render your IT systems unusable due to the capabilities of drivers. By exploiting the deep access and reach drivers have, threat actors have the opportunity to disable network components, corrupt system files, and damage hardware.

You can find out more specifics of the impact of a BYOVD attack by checking out our article on the EDRKillShifter malware.

Protecting Your IT Systems from BYOVD Attacks

You may have been unfamiliar with BYOVD attacks, but you should now have a basic understanding of how they operate. The next step is to protect yourself by implementing these security practices:

Driver Whitelisting: this is a method whereby only authorized system users have the privileges to install drivers on your IT infrastructure. Even then, the use of Windows Defender Application Control should also be utilized to ensure that only pre-approved, digitally signed drivers can be installed.
Regular Updates: one of the simplest ways to protect against BYOVD attacks is by installing all updates and patches as soon as possible. Automating these updates allows you to guarantee that you have the freshest, most secure drivers on your system at all times.
Employee Education: BYOVD attacks are often distributed by phishing attacks, so it’s useful to educate, and regularly refresh, your employees on the telltale signs of a phishing attack. This could prove invaluable as your employees are your most important defense against cyberattacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Microsoft Defender Caught Out by Fake Gaming Malware

cryptocurrency, cryptojacking, data harvest, Defender, malware, Malwarebytes, Ophtek, Orbit Unitcryptocurrency, cryptojacking, data harvest, Defender, malware, Malwarebytes, Ophtek, Orbit UnitOphtek, LLC

Dec 2024

Microsoft Defender is an app whose objective is to defend against malware, but what happens when malware outsmarts it?

We’ve all heard the headlines about the volatile world of NFTs, but a new development is that they’re being used to help spread malware. In a particularly extreme case, one PC user thought they were downloading an NFT game, but the only thing which got played was the victim’s Google account. As a result of the Google account being hijacked, the victim ended up losing over $24,000 in cryptocurrency.

This incident, as with many other scams, relied on a momentary lapse of judgement, so we’re going to put it under the spotlight to see what we can learn.

How Did an NFT Game Carry Out a Robbery?

The attack started when the victim received a message from a stranger over Telegram, an encrypted messaging service which prides itself on the anonymity it provides users. The message urged the victim to download a blockchain game called Orbit Unit. Deciding that the message was harmless and the recommendation worthy of investigation, the victim downloaded Orbit Unit and installed it.

Unfortunately, the download was fake and riddled with malware. Once activated, the malware went on to install a malicious Chrome extension. Housed within the Chrome browser, the extension was titled Google Keep Chrome Extension, in an attempt to mimic the genuine Google note keeping app. The malicious app certainly fulfilled its promise of taking notes but did so in a way which compromised the victim’s data. All data entered into Chrome, be it login credentials, cookies, or browser history, was harvested by the malware.

For the victim, it was particularly frustrating as they had Malwarebytes on their PC and it failed to detect the malware. This has been attributed to the victim most likely having the free version of Malwarebytes, where real-time protection isn’t activated. What they did have, though, was Microsoft Defender, an app which promises to help “individuals and families protect their personal data and devices.” In this instance, Microsoft Defender failed spectacularly.

The threat actor behind the malware was able to access the victims Google passwords through Chrome and gain access to their cryptocurrency wallets. It was from here that they were able to steal $24,000 worth of cryptocurrency.

Staying Safe When Malware Protection Fails

You and your employees may not deal in cryptocurrency, but this cyberattack demonstrates the importance of being able to identify a potential attack and protect your data. Therefore, make sure you practice these best security practices:

Don’t Click Suspicious Links: Any links you receive via email, websites, or mobile devices should always be scrutinized closely before clicking. If they originate from an unknown sender or use unusual language with a sense of urgency to click, you need to get them verified by an IT professional in order to prevent downloading malware.
Use Real Time Protection Software: Installing anti-malware software should always be a priority, but you need to make sure you’re using one with real-time protection tools. This ensures that malware is identified and stopped in its tracks before it can activate its malicious payload.
Don’t Use Autologin on Chrome: Sure, it saves you a few minutes over the course of a week, but the autologin feature on Chrome also sets you up to fail. This tool stores login tokens in your browser and means you don’t have to use your password to access sites each time. However, if a threat actor gains access to them – as they did in the attack on LinusTechTips – they can gain access to all of your accounts. Learn how to turn autologin off in this guide.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

GeoVision Devices Vulnerability Exploited by Botnet Malware

Cryptominer, firewall, GeoVision, Legacy devices, Legacy Software, Mirai botnet, Ophtek, patches, security measures, Updatescryptomining, GeoVision, legacy devices, legacy software, Mirai botnet, OphtekOphtek, LLC

Dec 2024

No software, as GeoVision has recently discovered, is 100% secure from malware, with many applications left exposed by vulnerabilities within their coding.

GeoVision develops and manufactures advanced video surveillance hardware along with the appropriate software for running it. From IP cameras through to eyeball and dome cameras, GeoVision promises to offer state-of-the-art surveillance to strengthen your security. Unfortunately, the discovery of a vulnerability within their software has demonstrated that their products are fa r from the definition of secure.

Let’s dive into what’s happened and the lessons we can take away.

Mirai Malware Strikes at the Heart of GeoVision

Legacy devices, those which are at their end-of-life stage, suffer from security problems due to a lack of updates. Once a product has reached this stage of their lifespan, developers feel it’s uneconomical to continue providing software updates and patches. The best option for consumers is to upgrade to the latest model to ensure their devices remain safe. But many consumers decide, instead, to save a few dollars and continue with their legacy products. And this is when vulnerabilities rear their ugly head.

A vulnerability has been detected in numerous GeoVisions devices – video servers, compact digital video recorders and Linux systems – which allows threat actors to run system commands on the affected devices. Not all vulnerabilities are exploited, but this one – known as CVE-2024-11120 – has already been taken advantage of. Most notably, the Mirai botnet has been detected as active on infected systems. Mirai, typically, is used to facilitate botnet attacks or carry out cryptomining activities – both of which lead to a drop in performance for affected systems.

Close to 17,000 GeoVision devices are at risk of being exploited, with close to half of these being located in the US. Potentially, threat actors could compromise crucial security devices and have a major impact on the security of businesses and their employees. At present, due to the affected devices falling under the end-of-life classification, GeoVision has not announced any plans to update the software running on them.

Navigating the Risks of Exploited Software

All hardware and software reaches a legacy status at some point, and it’s important that your business knows how to approach this. And even the most up-to-date products still require close attention to remain secure. Therefore, make sure you implement the following to keep your IT systems safe:

Install all Updates and Patches: One of your main priorities should be to regularly install all software updates to minimize the risk of vulnerabilities being exploited. These updates can easily be automated and ensure your systems are kept as secure as possible.
Conduct Regular Security Audits: It makes sense to carry out regular security audits to evaluate how secure your IT systems are. This could involve verifying that all default passwords are changed, making sure that your employees receive regular security refreshers, and monitoring network activity for unusual patterns.
Carry Out Basic Security Measures: The simplest methods are often the most effective against malware, so you need to be sure the basics are taken care of. This can range from installing firewalls and security suites on your infrastructure through to partitioning networks and limiting user privileges across your network.

For more ways to secure and optimize your business technology, contact y our local IT professionals.

Infostealer malware is frequently referenced as the go-to weapon for threat actors, but what is it? And how do you protect your IT systems from it?

You only have to take a quick look over the Ophtek blog to understand the popularity of infostealers in modern hacking. From fake Zoom sites through to SnipBot and SambaSpy, threat actors are determined to get their hands on your sensitive data. Infostealers, therefore, present an everyday threat to PC users and it’s crucial you understand their methods and impact.

Luckily, Ophtek has your back, and we’re going to take a deep dive into infostealers to equip you with the knowledge you need to stay safe.

What is an Infostealer?

The main objective of all infostealer malware is to harvest confidential data from a compromised system. With this stolen data, threat actors have the opportunity to conduct numerous crimes such as identity theft or financial damage. This makes infostealer malware such a serious threat, especially in the age of big data, where organizations hold huge amounts of data on their IT systems. As with most modern malware, infostealer has strong stealth capabilities, allowing it to operate in the background without being detected and strengthening its impact.

The Danger Behind Infostealers

Infostealers can be individual malware threats or part of a more extensive suite of malware applications. Whatever their method, infostealers tend to focus on stealing the following data:

System login credentials
Social media and email passwords
Bank details
Personal details

All of these data categories have the potential for serious damage e.g. hacking someone’s personal emails and reading confidential information or clearing someone’s bank account out. From a business perspective, infostealers also have the potential to gain access to secure areas of your IT infrastructure and compromise the operations of your business. All of this data is taken directly from your servers and then discreetly transmitted to a remote server set up by the threat actors.

How Do Infostealers Strike?

Threat actors have developed numerous strategies to launch successful infostealer attacks with the two most common methods being:

Phishing Emails: 3.4 billion phishing emails are sent every day, so it’s fair to say they’re an incredibly popular route for malware. These highly deceptive emails will contain either malicious links or attachments which, when activated, expose the recipient to malware downloads.
Malicious Sites: As seen in our article on fake Zoom sites, threat actors regularly set up malicious websites in order to lure visitors into downloading either fake updates or complete applications. However, these downloads are never genuine and only contain malware such as infostealers.

Protecting Your Systems Against Infostealers

Despite the threat of infostealers, it’s relatively easy to stay safe and protect your systems from them. All you need to do is follow these best practices:

Be Wary of Suspicious Emails: Any emails which ring even the slightest alarm bell should be closely scrutinized. If something about the wording doesn’t sound quite right, or there’s a sense of urgency to commit to an action, the chances are that this could be a phishing email. In these instances, don’t click anything and, instead, contact an IT professional to review the content.
Always Update Your Software: One of the easiest ways for threat actors to deploy infostealers on your system is through software vulnerabilities. No piece of software is perfect, and they often contain weak spots which can be exploited. However, as these vulnerabilities are picked up by the developers, security patches are issued to remedy these weak spots. Accordingly, installing these updates should be a major priority.
Install Security Software: There are numerous security packages available such as AVG and Kaspersky which monitor your systems in real time and can block malware threats instantly. This automatic defense enables you to stay safe from infostealers and keeps your networks healthy and productive.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Microsoft Teams and the Black Basta Malware Threat

What is a BYOVD Attack and How Can You Stay Safe?

Microsoft Defender Caught Out by Fake Gaming Malware

GeoVision Devices Vulnerability Exploited by Botnet Malware

Infostealers: What They Are and How to Stay Protected

Monthly Archives: December 2024