Hundreds of devices from vendors such as Acer, Dell, and Lenovo have been found to be left wide open to threat actors due to untrusted test keys.

These devices have been left compromised due to PKfail, a firmware supply chain vulnerability. On devices where PKfail (short for Platform Key fail) is present, threat actors can install malware with ease. This is because the presence of PKfail means hackers can bypass the Secure Boot process and gain access to the device. Naturally, unauthorized access puts a device at risk of not only being infected with malware, but also suffering data breaches and being hijacked for DDoS attacks.

As the threat of PKfail has affected some of the major PC manufacturers, it’s important we investigate this a little closer.

The Failure of PKfail

Secure Boot is an integral part of any modern PC, ensuring a device’s firmware and operating system is correctly authenticated against a secure key on the machine. The devices at the center of this security failure have, within their system, a test Secure Boot key. This is named “DO NOT TRUST” and is created by American Megatrends International (AMI), a widespread BIOS system used to start up a computer after being powered on.

The intention of the test key was simply that, a test. Vendors using AMI on their systems, for example Lenovo PCs, should have removed this test key before generating a unique Platform Key. This would then protect the BIOS system, prevent Secure Boot from being compromised, and eliminate the threat of unauthorized access via this route. However, this task was missed by numerous vendors, leaving their devices unprotected.

Threat actors, aware of this flaw, could then exploit this workaround for Secure Boot and access the compromised devices without breaking a sweat. By taking control of the machines, the attackers were able to start downloading malware such as CosmicStrand and BlackLotus to the devices. This firmware vulnerability, linked to a June 2024 release as per supply chain security firm Binarly, has affected close to 900 devices, with those affected listed here.

Staying Safe from PKfail

Vendors who have failed to the replace the test key from AMI are being encouraged to immediately rectify this on any systems waiting to be issued. End users of the affected devices should also keep an eye on firmware updates issued by the vendors, prioritizing any which mention the PKfail flaw. Binarly has also given end users a helping hand by creating the pk.fail website, where those at risk can scan firmware binaries to identify any PKfail-vulnerable devices.

PC users, therefore, should be aware of the risk that even newly shipped products, with the latest firmware and patches in place, can be compromised straight out of the box. Forgetting the debacle of the Crowdstrike update debacle, promptly installing updates is one of the best ways to maintain your PC’s security.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Healthcare data is some of the most sensitive data in existence, but a major hack has just affected up to 15 billion records.

Change Healthcare, who provide revenue and payment services for healthcare providers and patients, has announced that its systems have been compromised by threat actors. With Change Healthcare processing around 15 billion transactions a year, this represents a major attack. And the impact has already been felt. Healthcare providers have been struggling to charge for their services, while patients have been struggling to get their prescriptions issued. It’s a nightmare scenario for all involved and underlines the effect malware can have.

How Did Change Healthcare Get Hacked?

The precise details of how Change Healthcare was hacked has not, as yet, been revealed. However, we do know it was carried out by a ransomware group which goes by the names of ALPHV or BlackCat. Naturally, their trademark attack style involves ransomware, and it’s most likely that this was utilized in the Change Healthcare attack. With ransomware typically encrypting data, this is highly damaging for any service handling healthcare data. By encrypting patient records, the hackers would be severing a crucial flow of information.

The attack came on the 21st February 2024, and Change Healthcare took down their systems on the same day. A week later, BlackCat announced they had been behind the attack. Details of a $22 million payment to the ransomware groups have also been revealed, although Change Healthcare are yet to confirm this was made by themselves. Prescription claim submissions and payment systems have recently been reinstated by Change Healthcare, but full access to their systems is unlikely to be restored until mid-March.

Who is BlackCat?

BlackCat has been active online since 2021 and, since then, has launched a series of audacious attacks. The group was linked to the Colonial Pipeline ransomware attack in 2021, and it also took responsibility for the MGM Casino attack in 2023. Headlines such as these didn’t go unnoticed, and in December 2023, the US Department of Justice set about disrupting BlackCat’s activities. Clearly, though, the resulting Change Healthcare attack has demonstrated how BlackCat was unharmed by this resistance.

Staying Safe from Ransomware

The threat of ransomware is well known, but the Change Healthcare attack is a big deal and acts as an important reminder to stay vigilant. With this in mind, we’re going to show you the best ways to stay safe from ransomware:

  • Regular software updates: ransomware often takes control of IT infrastructures due to software vulnerabilities. Accordingly, you need to make sure automatic updates are activated on your operating system. This ensures your software is updated as soon as an update is available, preventing you from running a network with open doors for threat actors.
  • Employee training: your employees are one of your most powerful forms of defense against ransomware threats. Therefore, regular training on cybersecurity threats such as identifying phishing emails, malicious websites, and understanding how to report cybersecurity incidents is vital. With this in place, you can rest assured your network is as secure as possible.
  • Regular, isolated backups: you need to regularly back up critical data and ensure that backups are stored in a secure, isolated location. Automated backup solutions can help ensure consistency and reliability in the event of your data being encrypted by ransomware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A new strain of malware, which contains several different attack methods and is considered a severe threat, has been discovered and named HeadCrab.

The attack focuses its efforts on Redis servers, an open source, in-memory data structure store. In simpler terms, Redis acts as a database, cache, and message broker application which can store data, cookies, and authentication tokens. This means it contains confidential and personal data, which is a currency valued highly by threat actors. Redis is incredibly popular and used by many high-level clients, some of whom include Amazon, Adobe, OpenAI, and Airbnb. Therefore, it’s likely you and your team will visit websites using Redis servers, and you need to stay safe.

Unpacking the HeadCrab Attack

Redis servers appear to have been targeted by HeadCrab due to the fact they’re often exposed to the internet, without any solid authentication in place to protect them. This makes them highly vulnerable and puts any data stored on them at high risk. Using advanced coding techniques, the threat actor starts by taking control of a Redis server. This allows them to then download HeadCrab onto the infected server. This, as the command logs reveal, is a complex process, and one which leaves no stone unturned, highlighting the advanced skills of the threat actor.

With HeadCrab now active on the Redis server, it can get to work. Security researchers, who have reverse engineered HeadCrab, have discovered eight custom commands contained within its module. These allow HeadCrab to set up encrypted communication channels, reconfigure Redis servers, run exclusively in memory to avoid detection, and even run its own blog detailing its current activities and news.

Staying Safe from HeadCrab

Currently, HeadCrab has been detected in over 1200 servers and represents a serious threat. It doesn’t launch its attack using files, instead relying on advanced hacking techniques, so it’s a difficult threat to combat. However, by staying vigilant, your organization can stay safe against the threat of HeadCrab and similar attacks. The best ways to achieve this are:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A recently discovered vulnerability appears to allow threat actors to hack into your Google account, even if you change your password. 

Given that there are 1.8 billion people actively using Gmail, it should come as no surprise that Google accounts represent a mouthwatering target for hackers. Google claims that their users are protected by world-class security and, on the whole, it is a secure system. No infrastructure, however, is 100% safe. Threat actors are industrious individuals and won’t rest until they’ve tried every avenue to compromise a system. Unfortunately, for Google and its users, this is exactly what’s happened. 

Losing Control of Google 

Google accounts are highly valuable to their owners. Packed full of apps such as Gmail and Google Drive, there’s a lot of personal data involved. A new vulnerability, attributed to a flaw in Google cookies, gives access to these accounts over to threat actors. Worst of all, this can be achieved time after time. Sure, you can try changing your password, but they will still be able to unlock your account. 

The attack starts when a user unwittingly allows malware to be installed on their PC. This malware then gets to work by searching for and identifying any Google login tokens, which are typically stored in the application’s local database. These stolen tokens can then be used to trick Google’s API interface. 

One of the main duties of a Google API is to help sync the various Google services across one account. So, for example, if you were logged into Google Drive, you wouldn’t have to log into Gmail as well. The threat actors exploit a vulnerability with Google cookies to create new cookies which can be used to gain unauthorized access to the compromised account. And this trick can be completed multiple times. Changing your password, naturally, would be the simple choice here. But even doing this still grants the hacker one more chance to access your account. 

The vulnerability in question is currently being sold by threat actors online, with at least six hacking groups advertising it. These threat actors also claim that that this vulnerability has been redesigned to tackle the efforts Google has taken to shut this exploit down. 

Keep Your Google Account Safe 

No one wants to lose their Google account, aside from the loss of personal data, there’s also the sheer inconvenience of having to create a new account and updating any services associated with your original account. Accordingly, make sure you play safe by following these best practices: 

  • Use multi-factor authentication: at present, Google hasn’t revealed whether multi-factor authentication will prevent this vulnerability from seizing control of your account. However, if you don’t have it activated, you need to make this a priority as it’s one of the simplest ways to add extra security to your account. 
  • Do not download suspicious software: the first stepping stone for the threat actors to compromise your Google account involves installing malware on your PC. This gives them a foothold to begin stealing your Google login tokens. Therefore, you need to remain vigilant as to the software you’re downloading. The most obvious question to ask here is whether the download comes from an official source. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


State-sponsored hacking remains a serious problem for PC users around the world, and the latest headline grabber – with links to North Korea – is EarlyRAT. 

A remote access trojan (RAT) is nothing new in the world of cybercrime, with the earliest examples believed to have been released in the late 1980s. However, their impact has grown significantly over the last 30 years, and this means they need to be taken seriously. There’s a culture of evolution in the world of hacking and, as a result, new RATs are always more powerful than the previous generation. And that’s why the emergence of EarlyRAT has got so many IT professionals concerned. 

What is a Remote Access Trojan? 

You may not be familiar with the ins and outs of a RAT, so we’re going to take a second to explain what they are and why they are so dangerous. A RAT is a malicious software program designed to provide unauthorized remote access and control over a targeted PC. They tend to be disguised as genuine files – this is why RATs are often distributed through phishing emails – but are nothing short of digital chaos. 

Once installed, a RAT allows attackers to gain control of the victim’s computer, and this is all carried out remotely. This allows the threat actors to steal sensitive information, monitor user activity, execute commands, and even activate the webcam or microphone to carry out surveillance. All of these dangers put the victim at risk of data theft and further cyber-attacks. 

How Does EarlyRAT Work? 

EarlyRAT was first detected by security experts at Kaspersky, who were analyzing a hacking campaign from 2022. The attack was made possible due to a flaw discovered in Log4j, a Java library used to log error messages generated by applications. This vulnerability was exploited by the Andariel hacking group, a team believed to be sponsored by North Korea. Once Log4j had been compromised, Andariel was able to download malware to the victims’ PCs. 

Part of this initial attack also included a phishing campaign, and it was here that EarlyRAT was first detected. Phishing documents, once activated, would download EarlyRAT from servers well known for having connections to threat actors. EarlyRAT’s first objective was to start logging system information and, after this, it would begin downloading additional malware, affecting the productivity of infected machines and stealing user credentials. 

Keeping Safe from EarlyRAT 

It’s important that you protect your IT infrastructure and your data, so staying one step ahead of threats like EarlyRAT is vital. To achieve this, make sure you always practice the following: 

  • Identify malicious websites: a large number of RATs are located on malicious websites, so it’s important that you know how to spot one of these. With this knowledge at your disposal, you will be able to not only identify a malicious website, but you’ll be able to realize a link is malicious before you even click it. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More

1 2 3 7