USB Malware is Being Delivered by Mail

BadUSB, malware, Ophtek, UPS, USB Flash Drives, USB Malware, USPS, , , , , ,
18
Oct 2022

It may sound like a backwards step, but a group of cyber criminals have decided to enlist the help of the postal service to deliver their malware.

Snail mail may feel like an archaic method of attack for cyber criminals, but it’s surprisingly effective as a series of attacks – using the BadUSB malware – have proven. We all deal with traditional mail daily, so it’s easy to take it for granted, and it’s this familiarity that the hackers are targeting. This particular attack, as the name suggests, involves a malicious USB drive. These attacks have proved successful in the past and the BadUSB campaign has the potential to cause significant damage.

How Does BadUSB Work?

Delivered through the United Parcel Service and United States Postal Service, the malicious USB drives come loaded with malware and allow a threat actor to take control of a victim’s USB port. Activating the malware is simple: all it needs is to be plugged into a USB port.

However, there needs to be a reason why a victim decides to plug the device into their PC. And the minds behind BadUSB do this by instilling a sense of urgency in the recipient. This is achieved by claiming that the USB drive contains official Covid-19 warnings or that the drive is an Amazon gift from a friend.

Once plugged into a PC, the affected USB port can be manipulated to believe that an alternate device is installed e.g. a keyboard or mouse. These fake devices can then be controlled by remote cyber criminals and used to cause untold damage. For example, a keyboard and mouse could be used to take full control of a PC and download further malware. In 2020, the BadUSB malware was involved in a series of attacks which downloaded ransomware to exploit the finances of those attacked, and this could easily happen again.

Staying Safe from Malicious USB Drives

BadUSB has the potential to cause you a serious headache, both in terms of your data and your finances. As a result, it’s crucial that you steer clear of this and similar attacks, an outcome which is possible if you do the following:

  • Be wary of USB drives: while they are not one of the ‘go to’ options for hackers, infected USB drives (and the USB killer) have the capacity to cause real damage. Therefore, if you are presented (or even find) a USB drive which doesn’t belong to your company, do not plug it in to your PC. Instead, ask an IT professional to safely analyze it.
  • Disable USB ports: there’s not a pressing need for your employees to be plugging additional devices into their PC, so it makes sense to disable access to USB ports. Sometimes, this is as simple as blocking any unused ports and, in other scenarios, you may want to restrict access to these ports through administration privileges.
  • Disable Autorun: if your employees do need access to their USB ports, then it may be worth disabling the autorun feature associated with them. This feature allows USB drives to automatically open – and activate their contents – once plugged in. However, with autorun disabled, there is a chance to view the drive’s contents before running it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Stealer Malware Hidden in Fake Zoom Sites

Cyber Security, Data Security, malware, Ophtek, stealer malware, zoom, , , , , ,
11
Oct 2022

Six malicious websites have been discovered which claim to offer downloads of Zoom, but contain nothing but the Vidar stealer malware.

The popularity of Zoom – a video meeting application – has exploded in the post-Covid landscape we find ourselves living in. No longer do people need to travel for face-to-face meetings, they can now be conveniently arranged and carried out over video. Accordingly, the demand for Zoom is huge, with around 485 million downloads completed since 2020. Due to this popularity, a gang of cybercriminals have decided to use Zoom as the bait for downloading the Vidar stealer.

As your employees are likely to consider a Zoom install safe, it’s important that we delve a little deeper and demonstrate why it may be far from safe.

Beware of Fake Zoom Sites

Vidar has been an active threat for some time now, but this latest attack is a new campaign and carries a number of unique threats. The six sites, discovered by Cyble Research, use a variety of URLs such as ‘zoom-download’ and ‘zoomus’ to appear legitimate. And, if you visit one of these sites, the visual aesthetics are remarkably similar to the official Zoom website, but this is where all similarities end.

Attempting to download the Zoom application from these malicious sites will, instead, redirect you to a GitHub file depository. From here, two files will be downloaded to your temporary folder:

  • ZOOMIN~1.exe: this is a genuine Zoom installer which is included to create a front that nothing untoward is taking place.
  • Decoder.exe: this is the malicious file which injects Vidar’s ability to steal into the Microsoft Build Engine. With this infection in place, Vidar is then able to contact remote Command and Control servers and begin transmitting data from the infected PC.

Like most stealer malware, Vidar concentrates on extracting confidential data such as login credentials, network details and whether any further vulnerabilities are present in the IT infrastructure. If vulnerabilities are detected, then it’s highly likely these will be logged and sold by criminal gangs. Protecting yourself against Vidar, therefore, is crucial.

How to Avoid Having Your Data Stolen

The mechanics of the Vidar Zoom threat are relatively common in the world of malware, so it’s likely you will run into a similar threat at some point. The best way to protect your PCs is by following these practices:

  • Always Verify Websites: Vidar’s latest attack relies on poor judgement from its intended victims, the main error coming when they assume that the malicious website is genuine. Many antivirus suites contain tools which allow search results to be rated as to their level of safety, and there is also the option for these tools to present warning screens before accessing sites deemed unsafe. If these are unavailable, and you need to download some software, reach out to your IT team instead.
  • Install Updates: Vidar is keen on logging any vulnerabilities contained within your PC, so it makes sense to limit these vulnerabilities. The best way to achieve this is by always installing updates as soon as they are available.
  • Segment Your Network: to protect your data, it makes sense to adopt network segmentation. This procedure divides your network into different segments and allows you to keep them separate. Therefore, if one segment is breached, the others will remain protected, and this allows you to limit the spread of the malware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

YouTube Channels Are Being Used to Spread Malware

Cryptominer, malicious videos, malware, NirCmd, Ophtek, redline stealer, YouTube, , , , , ,
04
Oct 2022

Following the discovering of a malware campaign spreading through YouTube channels, it appears that no corner of the internet is immune from hackers.

It’s increasingly common for businesses to run a YouTube channel as part of their marketing efforts, with over 60% of businesses regularly uploading videos. And with YouTube regularly attracting 5 billion daily video views, you can see why it’s an attractive target for threat actors. Thankfully, you can’t be hacked simply by watching a video on YouTube. However, you do need to consider the legitimacy of each video’s content and, more importantly, how safe the embedded links within these videos are.

How Does YouTube Spread Malware?

This latest threat to online safety appears, at present, to be concentrating on YouTube gaming channels, with a specific focus on those which cover games including Final Fantasy, FIFA and Spider-Man. The malware involved is what’s known as a malware bundle i.e. it contains several different strains of malware, with RedLine being the most dominant piece of malware.

The malware spreads through YouTube by uploading malicious videos to infected channels. These malicious videos may appear to be on-brand with the channel e.g. links to cheats for FIFA, but the payload will actually be the same malware which has infected the channel. Therefore, this malware bundle can spread through numerous niche-specific channels by using the same content.

What Does the Malware Bundle Do?

The malware contained within this attack comprises several different attack methods:

  • RedLine: the most substantial piece of malware found in the attack, RedLine harvests confidential data from those it infects e.g. downloading login credentials, accessing cryptocurrency wallets and extracting data entered into web browsers.
  • NirCmd: this application is, in fact, a genuine piece of software, but it’s one which provides the threat actors with a layer of stealth. Once activated, NirCmd conceals the activities of the malware it’s bundled with and makes the attack difficult to identify.
  • Cryptominer: interestingly, a cryptominer which hijacks the resources of the victim’s graphics card is also included. This is considered interesting as the attack targets gamers, a demographic who are likely to possess powerful graphics cards.

Staying Safe on YouTube

YouTube is a crucial asset in the business world, but this recent attack demonstrates it also carries security risks. Your organization may not run a gaming channel, but it’s likely this template will soon be replicated in other niches. Accordingly, it’s essential that you follow these two important practices:

  • Doublecheck links: when viewing videos on YouTube, it’s vital that you treat their links in the same way you would in an email. Always hover your mouse over any links (and that includes those in the video description) to reveal the true destination, copy and paste links into Google to highlight any existing concerns and, finally, ask an IT professional to verify them before clicking.
  • Regularly check your video library: if your organization hosts a YouTube channel, it’s recommended you keep an eye on the videos uploaded to it. The sudden appearance of videos you have no record of uploading may be the only indicator you have that your channel has been hacked.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Sality Malware Delivers More than Recovered Passwords

block social media, download privileges, malware, Ophtek, password recovery, Sality, social media advertising, , , , , ,
20
Jul 2022

Forgetting a password is frustrating, so the promise of a password recovery tool is tempting. Until, that is, you find out it’s packed full of malware.

If something online sounds too good to be true, then it usually is – see the numerous adverts on YouTube which promise to make you $50k a month with minimal effort. And this is exactly the case with the Sality malware. Naturally, Sality doesn’t advertise itself as malware. Instead, it bundles itself stealthily, as a hidden extra, alongside a password recovery tool for Programmable Logic Controllers (PLC) and Industrial Control Systems (ICS). Whilst the tool does indeed help you to extract passwords, the presence of Sality opens a whole world of digital pain.

The Lowdown on Sality

Sality, in its earliest form, is believed to have been online for nearly 20 years, so it’s certainly not a new threat. However, over the years, its evolution has led to its modern variant becoming a nasty piece of malware. At present, it’s making its way into people’s PCs thanks to relatively crude, yet tempting adverts on social media sites. Advertising itself as a free download, the tool will retrieve passwords for PLC and ICS – through a vulnerability in the system’s firmware – but it also activates the Sality malware.

To understand how Sality operates, you first need to know what a peer-to-peer (P2P) botnet is. Used to generate huge amounts of processing power – usually for cracking passwords or mining cryptocurrency – a P2P botnet obtains this power by hijacking large numbers of PCs. These hijacked PCs are then forced to work together on the same task – after all, 1,000 PCs mining cryptocurrency are going to achieve their objective a lot quicker than a single PC. It appears that Sality is currently focused on cryptocurrency, but there is nothing to stop threat actors unleashing more powerful attacks e.g. taking entire IT systems down.

How Do You Handle a Sality Infection?

While Sality may have been around for some time, it hasn’t learned every trick in the book. For example, not only will it throttle an infected PCs performance by using 100% of its CPU, it also triggers numerous Windows Defender alerts. However, it does have enough sense to scan any PC it lands on for anti-virus software before shutting down any identified tools. Therefore, it’s crucial that you follow preventative approaches to avoid Sality:

  • Do Not Trust Online Adverts: legitimate password recovery tools are unlikely to be advertised on social media sites. If you have forgotten your password, then you should contact the software developers for advice. Alternatively, you can create secure backups of your passwords with an app such as Google’s Password Manager.
  • Remove Download Privileges: almost every malware threat involves a malicious download and, as such, it makes sense for your organization to limit the number of downloads taking place. By limiting download privileges to, for example, line managers, you will minimize the chances of malware being downloaded by mistake.
  • Block Social Media: if you want to make sure that you are specifically limiting the risk of Sality, you can simply block access to social media sites from within your organization’s network. However, be aware that Sality is likely to be lurking elsewhere on the internet.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

SessionManager Malware Targets Microsoft Exchange Servers

IIS, malware, Ophtek, security, SessionManager, Windows vulnerability, , , , ,
12
Jul 2022

A new piece of malware has been found to be targeting Microsoft Exchange servers operated by both military and government organizations all over the world.

Discovered by security giants Kaspersky, who also gave the malware its name, SessionManager appears to have been at large since March 2021, but its existence has only just been confirmed. It’s believed that SessionManager was created by Gelsemium, a relatively new hacking group who have already conducted a number of serious cyber-attacks.

Naturally, you would expect military and government organizations to have some of the strongest cybersecurity measures in place. And they do. However, there’s not a single IT infrastructure which can be described as 100% secure. And, as SessionManager has proved, where there are vulnerabilities, there’s a way in.

How Does SessionManager Operate?

At the start of 2021, Kaspersky revealed details of ProxyLogon, a series of vulnerabilities discovered in Microsoft Exchange. As a result of these vulnerabilities, threat actors were presented with an opportunity to install malicious modules into web server software for Microsoft’s Internet Information Services (IIS). And this is exactly how the SessionManager module came to be embedded within numerous organization’s servers.

Once installed, the threat actors were able to use SessionManager to carry out the following tasks:

  • Carry out remote command execution on affected devices
  • Gain quick and easy access to email accounts within the organization
  • Install further malware to maximize the way in which servers were compromised
  • Using infected servers to manipulate traffic moving across the network

As SessionManager has managed to operate without detection for over a year, it has been able to harvest signification amounts of sensitive data and take control of high-level networks. Even after SessionManager’s discovery, security experts have been slow to move, with Kaspersky commenting that a popular file scanning service was still failing to detect SessionManager. Accordingly, SessionManager remains active in the digital wild and maintains its threat.

What If You’re Infected with SessionManager?

Even if you do discover that your network has been infected by the SessionManager module, deleting it is not enough to fully rid yourself of it. Instead, you will need to go through the following:

  • The most important step to take first is to disable your IIS environment
  • Use the IIS manager to identify all references to the SessionManager module and ensure that these are fully removed
  • Update your IIS server to eliminate any known vulnerabilities and leave it fully patched
  • Restart your IIS environment and run a final check for any traces of SessionManager

If, of course, you want to prevent vulnerability threats such as SessionManager being enabled in the first place, then you need a conscientious approach to updates. The sooner you can install a firmware upgrade or a security patch, the sooner you can plug security holes in your IT infrastructure.

Sure, we live in a fast-paced world and it’s easy to forget minor tasks such as installing upgrades, but with automate installs a viable option, there’s not really an excuse. Therefore, keep your organization’s network safe by automating updates and enjoying the peace of mind this brings.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 9 10 11 12 13 21