Snowflake Passwords Leaked Online Due to Malware

default settings, info-stealing malware, malware, multi factor authentication, offline backups, Ophtek, security audits, Snowflake, , , , ,
09
Jul 2024

Snowflake, a cloud data analysis company, has found itself under attack from malware, with the result that its customers passwords have been leaked online.

A leading cloud data platform, Snowflake was founded in 2012 and has experienced a rapid rise in the industry, with its current revenue estimated at $2.8 billion. This success has been founded upon innovative data analytics solutions and a number of leading clients such as Santander, Dropbox, and Comcast. For threat actors, Snowflake represents a tempting target, both in terms of the sheer amount of data they hold and financial value. And this is clearly why Snowflake has been attacked.

With threat actors claiming to have stolen hundreds of millions of customer records from Snowflake environments, the attack is clearly a significant one. Perhaps the most interesting aspect of the attack is that it appears to result from a lack of multi-factor authentication.

Cracking the Snowflake Infrastructure

Live Nation, a popular ticket sales service, was the first company to announce that their stolen data had been hosted on the Snowflake platform. Other Snowflake customers have come forwards to acknowledge a breach but are yet to name Snowflake as the hosts for this data. The attack appears to have been fueled by info-stealing malware, with the attack targeting PCs which had access to their organization’s Snowflake network.

How the initial attack was instigated remains unclear, but Snowflake has revealed that a demo account, protected with nothing more than a username/password combination, had been recently compromised. Whether this gave the threat actors direct access to Snowflake customer accounts is unknown, although it does point towards the threat actors establishing an early foothold. Snowflake has also disclosed that each customer is put in charge of their own security, and multi-factor authentication isn’t automatically enabled. This, Snowflake states, is how threat actors succeeded in hacking the compromised accounts.

Snowflake has advised all of its customers to switch on multi-factor authentication, but it appears to be too late for many. Whole lists of Snowflake customer credentials can be found available on illegal websites, with this data including email addresses alongside username/password combinations. Ticketmaster, another ticket sales platform, has been reported of having close to 560 million customer records compromised. This is a huge data breach, and one which has deservedly earned headlines.

The Importance of Multi-Factor Authentication

For Snowflake to have selected multi-factor authentication as an optional function, rather than a default security measure, is negligent. Regardless of this negligence, it’s also the responsibility of the compromised accounts to double check the available security measures. Therefore, to stay safe in the future, always carry out the following when working with external hosting providers for your data:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malicious Microsoft Office Torrents Laced with Malware

anti-virus software, block torrent sites, Cracked MS Office, employee education, malware, MS Office Torrents, Ophtek, , , , , ,
02
Jul 2024

Threat actors have been discovered to be using cracked versions of Microsoft Office to distribute a dangerous malware cocktail through illegal torrents.

Detected by the AhnLab Security Intelligence Center (ASEC), this malware campaign bundles together a collection of powerful malware strains – such as malware downloaders, cryptocurrency miners, and remote access trojans – to unleash a devastating attack. The malware is disguised as a cracked Microsoft Office installer, which would usually allow users to illegally download paid applications for free. However, those downloading this ‘cracked’ software are getting much more than they bargained for.

The Dangers of Malicious Torrents

Torrent sites, the use of which is generally illegal, have a long history of containing malware due to the unregulated nature of these sites. However, the promise of expensive software for nothing more than a few clicks is highly tempting to many internet users. Therefore, risks are taken and, occasionally, the consequences can be severe.

In this most recent example, torrents for Microsoft Office – as well as torrents for Windows and the Hangul word processor – are using professionally crafted interfaces to pass themselves off as legitimate software cracks. But despite the numerous options available, to apparently assist the user, these cracks have a nasty sting in their tail. Once the installer has been executed, a background process launches a hidden piece of malware which communicates with either a Mastodon or Telegram channel to download further malware.

This malware is downloaded from a URL linked to either GitHub and Google Drive, two platforms which are both legitimate and unlikely to ring any alarm bells. Unfortunately, there’s plenty to be alarmed about. A series of dangerous malware types are downloaded to the user’s computer, and these include Orcus Rat, 3Proxy, XMRig, and PureCrypter. These all combine to harvest data, convert PCs into proxy servers, download further malware, and use PC resources to mine cryptocurrency.

All of these malware strains run in the background, but even if they’re detected, removing them has little impact. This is because an ‘updater’ component of the malware is registered in the Windows Task Scheduler and, if the malware strains have been removed, they are re-downloaded on the next system reboot. This makes it a persistent threat, and one which is difficult to fully remove from your system.

Shield Yourself: Avoiding Harmful Torrents

Clearly, it’s crucial you need to protect your business from malicious torrents, but how do you do this? Well, it’s relatively simple if you implement the following strategies:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

North Korean Hackers Launch New Durian Malware

Durian Malware, install updates, Kimsuky, malware, multi factor authentication, North Korea, Ophtek, spear phishing, , , , , , ,
18
Jun 2024

A North Korean hacking group has targeted two South Korean cryptocurrency companies with a new strain of malware dubbed Durian.

The relationship between North and South Korea has always been troubled, and this latest cyber-attack will do little to resolve these tensions. The attack itself uses a previously unseen malware variant known as Durian, which is coded in the Golang programming language. Both attacks occurred in the second half of 2023, with Kaspersky recently announcing them in their Q1 APT trends report.

While you may not run a cryptocurrency firm, or be a target of North Korea, it’s important to understand contemporary threats, so we’re going to look at Durian.

How Does Durian Work?

The exact attack method which Durian uses is currently unknown, but it appears to target software which is exclusively used in South Korea. It’s likely, therefore, that a vulnerability has been discovered, although no specific vulnerability has been identified yet. Regardless of the entry method, what is known is that Durian sets up backdoor functionality. This allows the threat actor to download further files, harvest data and files to external servers, and execute commands on the compromised servers.

Once Durian has a foothold within a target’s system, it starts downloading further malware such as Appleseed and LazyLoad, alongside genuine apps such as Chrome Remote Desktop. This makes Durian a particularly persistent threat and makes it a difficult piece of malware to combat.

It’s believed that the threat actor behind Durian is Kimsuky, a North Korean group who has been active since 2012. Kimsuky has been busy in recent times and appear focused on stealing data on behalf on North Korea. Notably, the usage of LazyLoad indicates that Kimsuky may also be partnering with another North Korean group known as Lazarus. LazyLoad has previously been deployed by Andariel, a splinter group with connections to the Lazarus Group.

Staying One Step Ahead of Durian

A specific fix against Durian hasn’t been announced, but this doesn’t mean your defenses are under immediate threat. Instead, by following the basic principles of cybersecurity, you can keep your IT infrastructure safe:

  • Always Install Updates: it’s suspected Durian is targeting specific software to establish itself on targeted systems, and this indicates that a vulnerability is being exploited with this software. Therefore, this acts as a worthy reminder on the importance of installing updates promptly. These updates can instantly plug security holes and keep your IT systems secure.
  • Be Aware of Spear-Phishing: Kimsuky is known for employing spear-phishing techniques so it’s vital your employees are educated on this threat. Typically, spear-phishing targets specific individuals within a company and attempts to deceive them into providing confidential information or direct access to internal systems.
  • Use Multi-Factor Authentication: if you want to add extra locks to your IT systems, then multi-factor authentication is the way forwards. Password breaches are common, but the use of multi-factor authentication minimizes the risk this poses. After entering a password, a unique code will be sent via SMS or through an authentication app which only the end user will have access to. Without this code, a threat actor will be unable to get any further with your password.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Cuttlefish Malware is Putting Your Routers at Risk

bash script, brute force hacking, Cuttlefish, Data Breach, HiatusRAT, malware, Ophtek, router firmware update, zero-day vulnerabilities, , , , , , , ,
11
Jun 2024

A new strain of malware, dubbed Cuttlefish, which attempts to hijack your router has been discovered, and it poses a major threat to your data.

The experts at Black Lotus Labs recently discovered a number of routers had been compromised by a previously unseen malware. The security researchers named the malware Cuttlefish, and found it had compromised numerous enterprise-level and small office/home routers. The threat actors are not currently known, but the main impact of Cuttlefish is that it stealthily steals data once it has a foothold. Data breaches, of course, represent a major incident for businesses, so it’s crucial you keep your routers safe.

Decoding the Danger Behind Cuttlefish

The exact attack method behind Cuttlefish is unknown, but it’s been revealed there are similarities between its source code and that of the HiatusRAT malware. Black Lotus Labs believe Cuttlefish may launch its attack either through a zero-day vulnerability or by using good old fashioned brute force hacking methods.

Whatever the nature of its attack, which was first executed in July 2023, Cuttlefish hands control of the compromised router over to a set of threat actors. This is achieved by instructing an infected router to execute a Bash script – a text file containing a set of commands – which sends data to a remote Command & Control (C2) server. The first action taken by the C2 server is to send back the Cuttlefish malware, this is then installed on the compromised router.

From here, Cuttlefish can monitor all traffic passing through the router and any devices connected to it. Cleverly, Cuttlefish is designed to establish a VPN tunnel, which is then used to extract sensitive data, such as login credentials, from the router’s traffic. These attack methods mark Cuttlefish out as a highly stealthy and dangerous strain of malware, one with the ability to expose and misuse confidential data.

Fighting Back Against the Threat of Cuttlefish

As very little of the mechanics behind Cuttlefish are known, it’s difficult to pinpoint a single solution. For now, all the attacks have been focused on routers based in Turkey. But this can quickly change if threat actors behind Cuttlefish decide to start targeting global victims.

While there isn’t, for example, a simple security patch to install, you can still protect your organization’s routers by following these best security practices:

  • Always Install Updates: routers, like all hardware, rely on firmware updated and patches to maintain their security and maximize performance. But not everyone prioritizes installing these updates. And this approach can put your router at risk of being exploited by a vulnerability. Therefore, where possible, automate updates for your routers (and all devices) or manually install updates as soon as possible.
  • Regularly Change Your Router Credentials: it’s vital you regularly change the password associated with your router. Otherwise, you run the risk of allowing external threats to essentially live on your router. And as well as regularly changing your password, it’s important that you generate strong and unique passwords every time.
  • Monitor Network Traffic: unusual activity on your network, such as high-volume traffic to unknown destinations should always be scrutinized. Accordingly, you need to implement specialized software and hardware tools to analyze your network traffic and raise alerts when abnormal traffic patters are detected. This will maintain both the integrity and security of your network.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

MadMXShell Delivers Malware via Google Ads

adblocker, google ads, MadMXShell, malware, Ophtek, typosquatting, verify sources, windows backdoor, , , , , , ,
28
May 2024

Thanks to the presence of a previously unknown Windows backdoor, the MadMXShell malware has created digital chaos through the use of Google Ads

Google Ads are a common sight for anyone stepping foot online, and they’re a sure-fire way to guarantee clicks for those behind the advertising campaigns. Naturally, this makes of great interest to threat actors, as not only is malvertising a useful tool for hacking, but it’s also an easy way to lead people to malicious websites. MadMXShell appears to be a complex piece of malware, comprising several attack methods and tools, so it’s crucial that your organization is on guard against it.

How MadMXShell Serves Up its Malware

The threat actor responsible for MadMXShell is yet to be identified, but the effort invested in the attack demonstrates they’re highly skilled. Having created several domains in the IP scanner niche – with similar sounding names to official sites (a technique known as typosquatting) – the threat actor took advantage of the Google Ads algorithm to push them to the top of the search engine results. This was achieved by targeting keywords – words/phrases entered into search engines by those searching for specific content – and ensuring that their click rate was maximized.

Once lured to these malicious websites, it appears that visitors are encouraged to download IP scanner software. But, as you’ve already worked out, there is no IP scanner software to download. Instead, MadMXShell is downloaded and executed. With its strategy made up of a multi-targeted attack, MadMXShell sets to work harvesting data from infected systems. It does this by communicating with command-and-control servers and evades detection by injecting altered code into seemingly legitimate processes.

Curiously, as the entire campaign centers around IP scanning software, it would appear the main target of MadMxShell are IT professionals. Despite being a tough crowd to deceive, MadMXShell has already managed to gain plenty of victims, and underlines the ease with which even professionals can be taken in by malware.

Keeping the Threat of MadMxShell at Bay

It may sound as though MadMxShell is impossible to protect yourself against, especially if IT experts are struggling to defend against its threat. However, by taking the time to consider the validity of content you see online, you can significantly reduce the risk of falling victim to MadMxShell or similar attacks. The most important factors to consider are:

  • Always Verify Sources: before clicking on an online advert, always verify its source. If you’re unfamiliar with a website name then try performing a Google search against it, as this may flag it up as a malicious website. Remember, many attacks will use typosquatting, so it’s important that URLs are double checked e.g. usa.visa.com is official, but usa.v1sa.com is an attempt to fake the official website.
  • If It’s Too Good to Be True: online adverts which are offering unlikely and unrealistic rewards should always be scrutinized closely. While they may not necessarily link you to malicious websites, it’s more than likely that some form of scam/deception is the most likely end point.
  • Use an Adblocker: pop-up adverts are both annoying and a potential security risk, so why not minimize these risks by installing an adblocker into your browser? Easy to operate, and available for free, these browser add-ons allow you to prevent pop-up adverts from being displayed on your screen. Popular adblockers include Adblock Plus, Privacy Badger, and Ghostery.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 4 5 6 21