Forgetting a password is frustrating, so the promise of a password recovery tool is tempting. Until, that is, you find out it’s packed full of malware.

If something online sounds too good to be true, then it usually is – see the numerous adverts on YouTube which promise to make you $50k a month with minimal effort. And this is exactly the case with the Sality malware. Naturally, Sality doesn’t advertise itself as malware. Instead, it bundles itself stealthily, as a hidden extra, alongside a password recovery tool for Programmable Logic Controllers (PLC) and Industrial Control Systems (ICS). Whilst the tool does indeed help you to extract passwords, the presence of Sality opens a whole world of digital pain.

The Lowdown on Sality

Sality, in its earliest form, is believed to have been online for nearly 20 years, so it’s certainly not a new threat. However, over the years, its evolution has led to its modern variant becoming a nasty piece of malware. At present, it’s making its way into people’s PCs thanks to relatively crude, yet tempting adverts on social media sites. Advertising itself as a free download, the tool will retrieve passwords for PLC and ICS – through a vulnerability in the system’s firmware – but it also activates the Sality malware.

To understand how Sality operates, you first need to know what a peer-to-peer (P2P) botnet is. Used to generate huge amounts of processing power – usually for cracking passwords or mining cryptocurrency – a P2P botnet obtains this power by hijacking large numbers of PCs. These hijacked PCs are then forced to work together on the same task – after all, 1,000 PCs mining cryptocurrency are going to achieve their objective a lot quicker than a single PC. It appears that Sality is currently focused on cryptocurrency, but there is nothing to stop threat actors unleashing more powerful attacks e.g. taking entire IT systems down.

How Do You Handle a Sality Infection?

While Sality may have been around for some time, it hasn’t learned every trick in the book. For example, not only will it throttle an infected PCs performance by using 100% of its CPU, it also triggers numerous Windows Defender alerts. However, it does have enough sense to scan any PC it lands on for anti-virus software before shutting down any identified tools. Therefore, it’s crucial that you follow preventative approaches to avoid Sality:

  • Do Not Trust Online Adverts: legitimate password recovery tools are unlikely to be advertised on social media sites. If you have forgotten your password, then you should contact the software developers for advice. Alternatively, you can create secure backups of your passwords with an app such as Google’s Password Manager.
  • Remove Download Privileges: almost every malware threat involves a malicious download and, as such, it makes sense for your organization to limit the number of downloads taking place. By limiting download privileges to, for example, line managers, you will minimize the chances of malware being downloaded by mistake.
  • Block Social Media: if you want to make sure that you are specifically limiting the risk of Sality, you can simply block access to social media sites from within your organization’s network. However, be aware that Sality is likely to be lurking elsewhere on the internet.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


A new piece of malware has been found to be targeting Microsoft Exchange servers operated by both military and government organizations all over the world.

Discovered by security giants Kaspersky, who also gave the malware its name, SessionManager appears to have been at large since March 2021, but its existence has only just been confirmed. It’s believed that SessionManager was created by Gelsemium, a relatively new hacking group who have already conducted a number of serious cyber-attacks.

Naturally, you would expect military and government organizations to have some of the strongest cybersecurity measures in place. And they do. However, there’s not a single IT infrastructure which can be described as 100% secure. And, as SessionManager has proved, where there are vulnerabilities, there’s a way in.

How Does SessionManager Operate?

At the start of 2021, Kaspersky revealed details of ProxyLogon, a series of vulnerabilities discovered in Microsoft Exchange. As a result of these vulnerabilities, threat actors were presented with an opportunity to install malicious modules into web server software for Microsoft’s Internet Information Services (IIS). And this is exactly how the SessionManager module came to be embedded within numerous organization’s servers.

Once installed, the threat actors were able to use SessionManager to carry out the following tasks:

  • Carry out remote command execution on affected devices
  • Gain quick and easy access to email accounts within the organization
  • Install further malware to maximize the way in which servers were compromised
  • Using infected servers to manipulate traffic moving across the network

As SessionManager has managed to operate without detection for over a year, it has been able to harvest signification amounts of sensitive data and take control of high-level networks. Even after SessionManager’s discovery, security experts have been slow to move, with Kaspersky commenting that a popular file scanning service was still failing to detect SessionManager. Accordingly, SessionManager remains active in the digital wild and maintains its threat.

What If You’re Infected with SessionManager?

Even if you do discover that your network has been infected by the SessionManager module, deleting it is not enough to fully rid yourself of it. Instead, you will need to go through the following:

  • The most important step to take first is to disable your IIS environment
  • Use the IIS manager to identify all references to the SessionManager module and ensure that these are fully removed
  • Update your IIS server to eliminate any known vulnerabilities and leave it fully patched
  • Restart your IIS environment and run a final check for any traces of SessionManager

If, of course, you want to prevent vulnerability threats such as SessionManager being enabled in the first place, then you need a conscientious approach to updates. The sooner you can install a firmware upgrade or a security patch, the sooner you can plug security holes in your IT infrastructure.

Sure, we live in a fast-paced world and it’s easy to forget minor tasks such as installing upgrades, but with automate installs a viable option, there’s not really an excuse. Therefore, keep your organization’s network safe by automating updates and enjoying the peace of mind this brings.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Small businesses rely on routers to keep themselves and their customers connected. But this relationship could now be at risk due to the ZuoRAT malware.

For online communication to work, data needs to move from one computer network to another. And this is exactly what a router does. By directing traffic across the internet, a router can be used to deliver emails, transfer files and stream videos between PCs. Without a router, you simply won’t be able to send or receive data. So, as you can see, they’re an essential part of any small organization’s IT network. Unfortunately, this is the type of IT necessity which hackers love to interfere with. And the ZuoRAT malware does this with a disturbingly sophisticated ease.

The Lowdown on ZuoRAT

ZuoRAT is a strain of malware which takes advantage of vulnerabilities in routers produced by the popular manufacturers Cisco, Netgear, DrayTek and Asus. By exploiting these vulnerabilities, ZuoRAT can access local area networks (LAN) and harvest network traffic from the infected devices. This information is then transmitted to a remote ‘command and control’ server, so, for example, any login credentials which pass through your router will be transmitted to the hacker’s server.

However, ZuoRAT doesn’t stop at hijacking LAN traffic; it downloads additional malware in the form of two further remote access trojans (RAT). These RATs are used to infect devices connected to the network and facilitate the spread of the infection even further. This could, in theory, lead to the infected network being converted into a botnet or, worse still, allow the spread of ransomware across the network.

Although ZuoRAT is relatively new, it has been active in the digital wild since April 2020, and this has given it plenty of time to exploit a wide range of routers. It’s also important to point out that ZuoRAT made its debut at the start of the Covid-19 pandemic. Given that it targets SOHO (small office/home office) routers, ZuoRAT was perfectly placed to attack employees who were working at home with limited IT support. As a result, it has been presented with an opportunity to steal sensitive data with relative ease.

Protecting Your Network from ZuoRAT

Due to the way in which it was designed – a custom build through the complex MIPS architecture – ZuoRAT is not detected by conventional anti-malware software. Therefore, if you own a router made by the affected manufacturers, it’s crucial that you make sure the associated software is up-to-date and fully patched. As ever, monitoring network traffic is a smart move as this will allow you to flag up any suspicious activity.

Final Thoughts

Threats such as ZuoRAT present numerous problems to organizations, most notably due to their multi-pronged attack strategy and stealthy nature. However, it also demonstrates a perfect example of why you need to manage updates relating to your IT equipment. Implementing an upgrade strategy which takes advantage of automated processes has never been more important.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Social engineering is one of the modern menaces of online life, and this has been demonstrated by a recent malware attack on a Swedish camera firm.

Axis Communications, who manufacture network and security cameras, are the company at the centre of this recent attack. The organization announced that they had been the victims of what they described as an “IT-related intrusion” and advised that, as a result, they had temporarily closed their public-facing services online. Naturally, the attack caused great disruption to Axis; it also brought to light a number of shortfalls in cyber-security, namely the impact of social engineering.

What is Social Engineering?

Social engineering is a form of hacking which involves using various methods of deception to glean information from the victims. So, for example, an employee who receives an email, from what appears to the organization’s IT department but is from a fake email address, asking for confirmation of their login credentials is a form of social engineering. And these incidents of social engineering don’t have to take place online, simply telling someone your mother’s maiden name – a popular choice for password recovery questions – is another example.

This image has an empty alt attribute; its file name is bus-cyber-attack2-lrg-960x480.jpg

How The Axis Attack Happened

The exact details of the Axis attack are yet to be released as the company are conducting a forensic investigation intoexactly what happened. Nonetheless, they have revealed the following details:

  • Several methods of social engineering were used in order to gain access to the Axis network, these were successful despite the presence of security procedures such as multi-factor authentication.
  • Advanced hacking techniques were used by the hackers – once they had breached the network – to enhance their credentials and gain high-level access to restricted areas.
  • Internal directory services were compromised by this unauthorized access.
  • While no ransomware was detected, there was evidence that malware had been downloaded to the Axis network.

Following concerns of suspicious network activity, and the employment of IT security experts, all external connectivity to the Axis network was closed down.

How to Protect Yourself from Social Engineering

It can be difficult to tackle the highly polished social engineering methods employed by hackers, but following the practices below can make a real difference:

  • Always Think: slowing down and assessing the situation is crucial when it comes to social engineering. If someone has asked you for sensitive information, such as password details, ask yourself why the need this and what could they do with it? Internal sources – such as managers and IT departments – will never ask for this, so guard your password carefully and, to clarify the situation, speak face-to face with the person who has apparently asked for it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Hackers have decided to cash in on the popularity of Spider-Man by infecting copies of his latest movie with cryptocurrency mining malware.

Going to the movies is an expensive activity these days and, as a result, many people are turning to illegal torrents. These torrents are shared by hundreds of different people, each sharing the entire film as a file, with downloaders able to download parts of the file from these multiple sources. It may sound like the perfect answer to paying and queuing at the movies, but it’s an act which infringes copyright and is 100% illegal. And, of course, there’s the little matter of malware being bundled into these torrents. Nonetheless, it’s estimated that around 28 million users download and share illegal files every day.

Illegal downloads are here to stay, so it’s important that you understand the dangers they carry in terms of cybersecurity. And the Spider-Man example is the perfect place to start.

Using Spider-Man to Spread Malware

The latest Spider-Man movie is ‘Spider-Man: No Way Home’ and it was released to theatres in December 2021. Within days of the movie’s premiere, poor quality copies – often filmed from within a theatre – started appearing on torrent sites such as The Pirate Bay. However, there were also torrents available which contained a nasty surprise. Several torrents which claimed to be of No Way Home contained a file with the name of ‘spiderman_net_putidmoi.torrent.exe’ – ‘net_putidmoi’ being Russian for No Way Home.

But far from presenting you with a copy of the new Spider-Man movie, activating this file would launch cryptocurrency mining malware. The malware automatically added exceptions to Windows Defender in order to avoid detection on the infected system. With this concealment in place, the malware could then harvest the PCs processing power to mine a cryptocurrency known as Monero. While mining cryptocurrency is legal, the hijacking of PCs to power this process is highly illegal and dangerous.

How Do You Avoid These Types of Infection?

The malware involved in the Spider-Man hack has not been shown to compromise any personal information. But it will slow your PC down. And a more dangerous piece of malware could easily start compromising your data. Therefore, it’s essential that you avoid falling victim to malware hidden in torrents. The best way to stay safe is:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More