Hackers Archives

The headlines generated by cybersecurity attacks always focus on the damage caused by hackers, but who exactly are the hackers and why do they hack?

Financial losses associated with cybercrime hit a mighty $12.5 billion in 2023, so it’s clear to see that hackers have a major impact on society. And yet we know so little about them. Characterized as shady, hidden figures, hackers rely on this mysterious air to create panic and fear when they strike. Technically savvy, they pose a major threat to computer systems all over the world, and they often get away with it through a mixture of ingenuity and bravado.

To help you understand their motives better, we’re going to pull back the digital curtain and show you who these hackers are and what drives them to attack IT infrastructures.

The Main Types of Hackers

There are many different types of hackers, with different methods of operation and varying skillsets. The main variants you’re likely to encounter are:

Black Hat Hackers: Perhaps the most infamous type of hacker, black hat hackers are regularly discussed on the Ophtek blog due to their love of breaking into IT systems. Their main activities involve launching malware, compromising software vulnerabilities, and setting up phishing campaigns.
White Hat Hackers: In contrast to their black hat counterparts, white hat hackers are a force for good. Typically, they work in conjunction with organizations to identify weak spots in their IT security e.g. demonstrating where software vulnerabilities are present or highlighting the use of default passwords on routers.
Hacktivists: These hackers aren’t out to commit cybercrime in the same way as a black hat hacker, but hacktivists operate on the wrong side of the law in order to bring about social or political change. A good example of this can be found in the 2022 attacks launched against Russian websites by the hacking group Anonymous, an attack designed in response to the Russian war on Ukraine.

What are the Motivations Behind Hacking?

Every hack will have a motive behind it and it’s important to understand these motives in order to better protect our computer systems. The main driving forces behind cyberattacks include:

Financial Gain: As with all crime, money acts as a significant motivating factor. Stolen credentials, for example, can be sold on the dark web for large amounts of cash. Likewise, the rise of Malware-as-a-Service has proved highly lucrative for hackers and been responsible for some devastating attacks.
Challenging Themselves: Hackers love the prestige of a successful hack, and this hit of dopamine is enough to encourage them to set about launching increasingly audacious attacks. This not only challenges them and provides a firm motivation, but it also encourages them to hone their skills and make their attacks harder to defend against.
Personal Grievances: Often, the main motivation behind a hack is simply a slice of old-fashioned revenge. An ex-employee, perhaps terminated unfairly in their eyes, may seek revenge by exploiting their knowledge of an organization’s IT system. This insider knowledge may offer them the opportunity to strike back and hurt the organization.

Final Thoughts

Hackers, with their varying objectives and motivations, are a complex set of individuals and groups. While some may be a force for good, just as many have taken up their craft to inflict damage and benefit financially from their digital chaos. Whatever their circumstances, one thing remains clear: it’s crucial to strengthen your IT systems against all threats all the time.

For more ways to secure and optimize your business technology, contact your local IT p rofessionals.

Hundreds of devices from vendors such as Acer, Dell, and Lenovo have been found to be left wide open to threat actors due to untrusted test keys.

These devices have been left compromised due to PKfail, a firmware supply chain vulnerability. On devices where PKfail (short for Platform Key fail) is present, threat actors can install malware with ease. This is because the presence of PKfail means hackers can bypass the Secure Boot process and gain access to the device. Naturally, unauthorized access puts a device at risk of not only being infected with malware, but also suffering data breaches and being hijacked for DDoS attacks.

As the threat of PKfail has affected some of the major PC manufacturers, it’s important we investigate this a little closer.

The Failure of PKfail

Secure Boot is an integral part of any modern PC, ensuring a device’s firmware and operating system is correctly authenticated against a secure key on the machine. The devices at the center of this security failure have, within their system, a test Secure Boot key. This is named “DO NOT TRUST” and is created by American Megatrends International (AMI), a widespread BIOS system used to start up a computer after being powered on.

The intention of the test key was simply that, a test. Vendors using AMI on their systems, for example Lenovo PCs, should have removed this test key before generating a unique Platform Key. This would then protect the BIOS system, prevent Secure Boot from being compromised, and eliminate the threat of unauthorized access via this route. However, this task was missed by numerous vendors, leaving their devices unprotected.

Threat actors, aware of this flaw, could then exploit this workaround for Secure Boot and access the compromised devices without breaking a sweat. By taking control of the machines, the attackers were able to start downloading malware such as CosmicStrand and BlackLotus to the devices. This firmware vulnerability, linked to a June 2024 release as per supply chain security firm Binarly, has affected close to 900 devices, with those affected listed here.

Staying Safe from PKfail

Vendors who have failed to the replace the test key from AMI are being encouraged to immediately rectify this on any systems waiting to be issued. End users of the affected devices should also keep an eye on firmware updates issued by the vendors, prioritizing any which mention the PKfail flaw. Binarly has also given end users a helping hand by creating the pk.fail website, where those at risk can scan firmware binaries to identify any PKfail-vulnerable devices.

PC users, therefore, should be aware of the risk that even newly shipped products, with the latest firmware and patches in place, can be compromised straight out of the box. Forgetting the debacle of the Crowdstrike update debacle, promptly installing updates is one of the best ways to maintain your PC’s security.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Healthcare Industry Rocked by Major Hack

ALPHV, auto updates, Backup Strategies, BlackCat, Hackers, identify phishing, Ophtek, RansomwareALPHV, backup data, BlackCat, hackers, Ophtek, phishing, ransomware, updatesOphtek, LLC

Apr 2024

Healthcare data is some of the most sensitive data in existence, but a major hack has just affected up to 15 billion records.

Change Healthcare, who provide revenue and payment services for healthcare providers and patients, has announced that its systems have been compromised by threat actors. With Change Healthcare processing around 15 billion transactions a year, this represents a major attack. And the impact has already been felt. Healthcare providers have been struggling to charge for their services, while patients have been struggling to get their prescriptions issued. It’s a nightmare scenario for all involved and underlines the effect malware can have.

How Did Change Healthcare Get Hacked?

The precise details of how Change Healthcare was hacked has not, as yet, been revealed. However, we do know it was carried out by a ransomware group which goes by the names of ALPHV or BlackCat. Naturally, their trademark attack style involves ransomware, and it’s most likely that this was utilized in the Change Healthcare attack. With ransomware typically encrypting data, this is highly damaging for any service handling healthcare data. By encrypting patient records, the hackers would be severing a crucial flow of information.

The attack came on the 21^st February 2024, and Change Healthcare took down their systems on the same day. A week later, BlackCat announced they had been behind the attack. Details of a $22 million payment to the ransomware groups have also been revealed, although Change Healthcare are yet to confirm this was made by themselves. Prescription claim submissions and payment systems have recently been reinstated by Change Healthcare, but full access to their systems is unlikely to be restored until mid-March.

Who is BlackCat?

BlackCat has been active online since 2021 and, since then, has launched a series of audacious attacks. The group was linked to the Colonial Pipeline ransomware attack in 2021, and it also took responsibility for the MGM Casino attack in 2023. Headlines such as these didn’t go unnoticed, and in December 2023, the US Department of Justice set about disrupting BlackCat’s activities. Clearly, though, the resulting Change Healthcare attack has demonstrated how BlackCat was unharmed by this resistance.

Staying Safe from Ransomware

The threat of ransomware is well known, but the Change Healthcare attack is a big deal and acts as an important reminder to stay vigilant. With this in mind, we’re going to show you the best ways to stay safe from ransomware:

Regular software updates: ransomware often takes control of IT infrastructures due to software vulnerabilities. Accordingly, you need to make sure automatic updates are activated on your operating system. This ensures your software is updated as soon as an update is available, preventing you from running a network with open doors for threat actors.
Employee training: your employees are one of your most powerful forms of defense against ransomware threats. Therefore, regular training on cybersecurity threats such as identifying phishing emails, malicious websites, and understanding how to report cybersecurity incidents is vital. With this in place, you can rest assured your network is as secure as possible.
Regular, isolated backups: you need to regularly back up critical data and ensure that backups are stored in a secure, isolated location. Automated backup solutions can help ensure consistency and reliability in the event of your data being encrypted by ransomware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

HeadCrab Attacks Servers with Advanced Malware

authentication, Hackers, HeadCrab, malware, Ophtek, Redis Servers, runtime monitoring, security scansauthentication, hackers, HeadCrab, malware, Ophtek, Redis Servers, runtime monitoring, security scansOphtek, LLC

Mar 2024

A new strain of malware, which contains several different attack methods and is considered a severe threat, has been discovered and named HeadCrab.

The attack focuses its efforts on Redis servers, an open source, in-memory data structure store. In simpler terms, Redis acts as a database, cache, and message broker application which can store data, cookies, and authentication tokens. This means it contains confidential and personal data, which is a currency valued highly by threat actors. Redis is incredibly popular and used by many high-level clients, some of whom include Amazon, Adobe, OpenAI, and Airbnb. Therefore, it’s likely you and your team will visit websites using Redis servers, and you need to stay safe.

Unpacking the HeadCrab Attack

Redis servers appear to have been targeted by HeadCrab due to the fact they’re often exposed to the internet, without any solid authentication in place to protect them. This makes them highly vulnerable and puts any data stored on them at high risk. Using advanced coding techniques, the threat actor starts by taking control of a Redis server. This allows them to then download HeadCrab onto the infected server. This, as the command logs reveal, is a complex process, and one which leaves no stone unturned, highlighting the advanced skills of the threat actor.

With HeadCrab now active on the Redis server, it can get to work. Security researchers, who have reverse engineered HeadCrab, have discovered eight custom commands contained within its module. These allow HeadCrab to set up encrypted communication channels, reconfigure Redis servers, run exclusively in memory to avoid detection, and even run its own blog detailing its current activities and news.

Staying Safe from HeadCrab

Currently, HeadCrab has been detected in over 1200 servers and represents a serious threat. It doesn’t launch its attack using files, instead relying on advanced hacking techniques, so it’s a difficult threat to combat. However, by staying vigilant, your organization can stay safe against the threat of HeadCrab and similar attacks. The best ways to achieve this are:

Run security scans: using scanning tools contained within software, such as AVG and McAfee, gives your organization the opportunity to discover and nullify malware threats. These scans can be automated and provide you with real-time updates of the scan results. Many of these applications are available in freeware versions, with paid subscriptions allowing you to access more powerful security options.
Use authentication: you may not operate Redis servers, but the HeadCrab attack serves as a cautionary tale for failing to install strict authentication protocols on your servers. This extra layer of security ensures that only those users who are known to your organization can directly access your servers. This minimizes the chances of rogue commands being received by your IT infrastructure by threat actors.
Employ runtime monitoring: it’s important to use runtime monitoring to constantly analyze your IT system’s behavior and performance. This gives you real-time visibility into the operations of your infrastructure, and you can use these metrics to identify suspicious behaviors – such as data packets being sent to unknown addresses – and take actions.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A recently discovered vulnerability appears to allow threat actors to hack into your Google account, even if you change your password.

Given that there are 1.8 billion people actively using Gmail, it should come as no surprise that Google accounts represent a mouthwatering target for hackers. Google claims that their users are protected by world-class security and, on the whole, it is a secure system. No infrastructure, however, is 100% safe. Threat actors are industrious individuals and won’t rest until they’ve tried every avenue to compromise a system. Unfortunately, for Google and its users, this is exactly what’s happened.

Losing Control of Google

Google accounts are highly valuable to their owners. Packed full of apps such as Gmail and Google Drive, there’s a lot of personal data involved. A new vulnerability, attributed to a flaw in Google cookies, gives access to these accounts over to threat actors. Worst of all, this can be achieved time after time. Sure, you can try changing your password, but they will still be able to unlock your account.

The attack starts when a user unwittingly allows malware to be installed on their PC. This malware then gets to work by searching for and identifying any Google login tokens, which are typically stored in the application’s local database. These stolen tokens can then be used to trick Google’s API interface.

One of the main duties of a Google API is to help sync the various Google services across one account. So, for example, if you were logged into Google Drive, you wouldn’t have to log into Gmail as well. The threat actors exploit a vulnerability with Google cookies to create new cookies which can be used to gain unauthorized access to the compromised account. And this trick can be completed multiple times. Changing your password, naturally, would be the simple choice here. But even doing this still grants the hacker one more chance to access your account.

The vulnerability in question is currently being sold by threat actors online, with at least six hacking groups advertising it. These threat actors also claim that that this vulnerability has been redesigned to tackle the efforts Google has taken to shut this exploit down.

Keep Your Google Account Safe

No one wants to lose their Google account, aside from the loss of personal data, there’s also the sheer inconvenience of having to create a new account and updating any services associated with your original account. Accordingly, make sure you play safe by following these best practices:

Use multi-factor authentication: at present, Google hasn’t revealed whether multi-factor authentication will prevent this vulnerability from seizing control of your account. However, if you don’t have it activated, you need to make this a priority as it’s one of the simplest ways to add extra security to your account.

Do not download suspicious software: the first stepping stone for the threat actors to compromise your Google account involves installing malware on your PC. This gives them a foothold to begin stealing your Google login tokens. Therefore, you need to remain vigilant as to the software you’re downloading. The most obvious question to ask here is whether the download comes from an official source.

For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 3 … 7 Next »

Hackers Unmasked: Who Are They and What Motivates Them?

PKfail Flaw Exposes Secure Boot to Unauthorized Access

Healthcare Industry Rocked by Major Hack

HeadCrab Attacks Servers with Advanced Malware

Google Accounts Compromised by Cookie Vulnerability

Category Archives: Hackers