Snowflake, a cloud data platform, has found itself at the center of a credential-theft campaign driven by info-stealing malware, with the result that its customers’ Snowflake passwords have been leaked online.

A leading cloud data platform, Snowflake was founded in 2012 and has risen rapidly in the industry, with its current revenue estimated at $2.8 billion. This success has been built on innovative data analytics products and a roster of major clients such as Santander, Dropbox, and Comcast. For threat actors, Snowflake represents a tempting target, both for the sheer amount of data held on the platform and for the financial value of that data. And this is clearly why Snowflake’s customers have been attacked.

With threat actors claiming to have stolen hundreds of millions of customer records from Snowflake environments, the attack is clearly a significant one. Perhaps the most interesting aspect is that it appears to stem from a lack of multi-factor authentication on the affected accounts.

Cracking the Snowflake Infrastructure

Live Nation, a popular ticket sales company, was the first to confirm that its stolen data had been hosted on the Snowflake platform. Other Snowflake customers have come forward to acknowledge a breach but have yet to name Snowflake as the host of that data. The attack appears to have been fueled by info-stealing malware running on PCs that had access to their organization’s Snowflake accounts; the malware harvested the saved Snowflake credentials from those machines.

How the campaign began remains unclear, but Snowflake has revealed that a demo account, protected with nothing more than a username/password combination, was recently compromised. Whether this gave the threat actors direct access to Snowflake customer accounts is unknown, although it does point towards the threat actors establishing an early foothold. Snowflake has also pointed out that each customer is responsible for their own account security, and multi-factor authentication isn’t enabled automatically. This, Snowflake states, is how the threat actors got into the compromised accounts: a username and password harvested from an infected PC was all that was needed to log in.

Snowflake has advised all of its customers to switch on multi-factor authentication, but it appears to be too late for many. Whole lists of Snowflake customer credentials can be found on criminal marketplaces, including email addresses alongside username/password combinations. Ticketmaster, Live Nation’s ticket sales platform, is reported to have had close to 560 million customer records compromised. This is a huge data breach, and one which has deservedly earned headlines.
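The campaign described above comes down to successful password-only logins from unfamiliar addresses, which is something a Snowflake administrator can look for. The Python below is an added example, not code from the article or from Snowflake: it runs that check over a handful of constructed rows shaped like Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY and USERS views. The column names mirror those views; the row values, the corporate IP range and the user names are invented for the example.

```python
# Added example (not from the article or from Snowflake): triage login records
# shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view for the pattern
# behind this campaign: successful logins that used only a password (no second
# factor) from an address outside the organization's known ranges, and a
# single unfamiliar address touching several accounts.
import ipaddress
from collections import defaultdict

# Assumed: the organization's egress ranges. Replace with your own.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed rows. In a real account they come from:
#   SELECT event_timestamp, user_name, client_ip, reported_client_type,
#          first_authentication_factor, second_authentication_factor, is_success
#   FROM snowflake.account_usage.login_history;
LOGIN_HISTORY = [
    {"event_timestamp": "2024-05-20T08:01:00", "user_name": "ANALYST1",
     "client_ip": "203.0.113.10", "reported_client_type": "SNOWFLAKE_UI",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "OTP", "is_success": "YES"},
    {"event_timestamp": "2024-05-21T02:14:00", "user_name": "ANALYST1",
     "client_ip": "198.51.100.77", "reported_client_type": "OTHER",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-05-21T02:15:00", "user_name": "SVC_ETL",
     "client_ip": "203.0.113.44", "reported_client_type": "JDBC_DRIVER",
     "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-05-21T03:40:00", "user_name": "ANALYST2",
     "client_ip": "198.51.100.77", "reported_client_type": "OTHER",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
]

# Constructed rows shaped like snowflake.account_usage.users.
USERS = [
    {"name": "ANALYST1", "has_password": True, "ext_authn_duo": False, "disabled": False},
    {"name": "ANALYST2", "has_password": True, "ext_authn_duo": True, "disabled": False},
    {"name": "SVC_ETL", "has_password": False, "ext_authn_duo": False, "disabled": False},
]


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def password_only_logins(rows):
    """Successful logins authenticated with a password and no second factor,
    from an address outside the corporate ranges. Key-pair logins are not
    password logins and are left alone."""
    hits = []
    for r in rows:
        if r["is_success"] != "YES":
            continue
        if r["first_authentication_factor"] != "PASSWORD":
            continue
        if r["second_authentication_factor"]:
            continue
        if is_corporate(r["client_ip"]):
            continue
        hits.append(r)
    return hits


def users_by_ip(rows):
    """Map each source IP to the set of accounts it tried (success or not);
    one IP hitting several accounts is the hallmark of a credential-stuffing run."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["client_ip"]].add(r["user_name"])
    return seen


def users_without_mfa(users):
    """Enabled, password-capable users with no MFA enrolled: the accounts a
    stolen password alone can open."""
    return [u["name"] for u in users
            if u["has_password"] and not u["ext_authn_duo"] and not u["disabled"]]


if __name__ == "__main__":
    for r in password_only_logins(LOGIN_HISTORY):
        print("password-only login:", r["user_name"], r["client_ip"], r["event_timestamp"])
    print("users without MFA:", users_without_mfa(USERS))
```

Treat every hit from `password_only_logins` as a credential-reset candidate, and every name from `users_without_mfa` as an enforcement gap to close before the next leaked list appears.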

The Importance of Multi-Factor Authentication

For Snowflake to have made multi-factor authentication an optional feature rather than a default security measure is, in our view, negligent. Regardless of that, it’s also the responsibility of the account owners to check the security measures available to them. Therefore, to stay safe in the future, always carry out the following when working with external hosting providers for your data:

For more ways to secure and optimize your business technology, contact your local IT professionals.



A North Korean hacking group has targeted two South Korean cryptocurrency companies with a new strain of malware dubbed Durian.

The relationship between North and South Korea has always been troubled, and this latest cyber-attack will do little to ease these tensions. The attack itself uses a previously unseen malware variant known as Durian, written in Go (Golang). Both attacks occurred in the second half of 2023, with Kaspersky recently announcing them in its Q1 APT trends report.

While you may not run a cryptocurrency firm, or be a target of North Korea, it’s important to understand contemporary threats, so we’re going to look at Durian.

How Does Durian Work?

The exact delivery method Durian uses is currently unknown, but it appears to target software used exclusively in South Korea. It’s likely, therefore, that a vulnerability in that software is being exploited, although no specific vulnerability has been identified yet. Regardless of the entry method, what is known is that Durian provides backdoor functionality: it allows the threat actor to download further files, exfiltrate data and files to external servers, and execute commands on the compromised hosts.

Once Durian has a foothold within a target’s system, it downloads further malware such as AppleSeed and LazyLoad, alongside legitimate software such as Chrome Remote Desktop. Abusing a legitimate remote-access tool, whose traffic looks like ordinary administration, makes Durian a particularly persistent threat and a difficult piece of malware to combat.

It’s believed that the threat actor behind Durian is Kimsuky, a North Korean group which has been active since 2012. Kimsuky has been busy in recent times and appears focused on stealing data on behalf of North Korea. Notably, the use of LazyLoad suggests that Kimsuky may also be cooperating with another North Korean group known as Lazarus: LazyLoad has previously been deployed by Andariel, a sub-group with connections to the Lazarus Group.

Staying One Step Ahead of Durian

A specific fix against Durian hasn’t been announced, but this doesn’t mean your defenses are powerless against it. By following the basic principles of cybersecurity, you can sharply reduce your exposure:

  • Always Install Updates: it’s suspected Durian targets specific software to establish itself on victim systems, which indicates that a vulnerability in that software is being exploited. This is a timely reminder of the importance of installing updates promptly: a patch closes the hole the malware relies on for its initial access.
  • Be Aware of Spear-Phishing: Kimsuky is known for employing spear-phishing, so it’s vital your employees are educated on this threat. Spear-phishing targets specific individuals within a company and attempts to deceive them into handing over confidential information or giving direct access to internal systems.
  • Use Multi-Factor Authentication: if you want to add extra locks to your IT systems, multi-factor authentication is the way forward. Password breaches are common, but multi-factor authentication minimizes the risk they pose. After entering a password, the user must supply a one-time code, either sent by SMS or generated locally by an authenticator app from a secret that only that device holds. Without this code, a threat actor with your password gets no further. SMS codes can be intercepted or phished, so an authenticator app, or better still a hardware security key, is the stronger choice.



The impact of Covid-19 can still be felt, with high numbers of employees continuing to work remotely. But how does this affect your cybersecurity?

The shift towards remote work was essential at the start of the pandemic, and it has now become a permanent aspect of many employees’ lives. However, while it represents a flexible approach to work, which helps achieve a healthy work/life balance, it also comes with challenges in terms of cybersecurity. With employees working from different locations and connecting to your IT infrastructure from different networks, it’s a complex scenario to manage.

Staying Secure in the Remote Work Era

It’s important your organization takes the necessary steps to strengthen its defenses around remote working practices. Many of these steps are simple and can be implemented easily. Therefore, make sure you follow these best practices:

  • Avoid Public Wi-Fi: remote working allows your employees to work from anywhere, but this can expose them and your servers to significant risk. In particular, the risk of public Wi-Fi networks – such as those found in coffee shops and public places – should never be underestimated. With little protection in place, these networks can be compromised or impersonated, putting your organization’s data at risk of being harvested. Remote employees should be discouraged from using them and should work from a trusted home network; where public Wi-Fi is unavoidable, a company VPN keeps their traffic encrypted end to end.
  • Use Multi-Factor Authentication: for remote workers, extra layers of security are everything when it comes to protecting your networks, and this is why multi-factor authentication can be a real game-changer for your security. Furthermore, biometric authentication such as Windows Hello lets your business tie sign-in to the device and the person using it, preventing unauthorized access even when a password has leaked.
  • Use Secure Collaboration Tools: you have to think a little differently when working with remote employees, especially when it comes to collaborating. It’s not as simple as having your entire team in the same room, so collaboration software is crucial. However, this needs to be secure. Use established collaboration tools such as Microsoft Teams, Slack, and Basecamp, which encrypt communications in transit, and make sure their sharing and access settings are managed by your organization rather than by individual users.
  • Monitor Remote Devices: with your remote employees’ devices out of sight, they need to be monitored closely. Endpoint monitoring software allows you to track devices in real time and identify any unusual behavior. Automatic alerts and notifications can be put in place so that you’re aware of any breach immediately and can act to neutralize the threat.
  • Employee Training: as ever, the most important aspect of cybersecurity for businesses involves employee training. Accordingly, your remote employees need specific training to make sure they understand the risks of remote work. Strong and unique passwords, for example, have never been more important, and being able to identify phishing attempts is equally crucial when an employee is unable to call on the immediate support of their colleagues.



A recently discovered technique appears to allow threat actors to retain access to your Google account, even after you change your password.

Given that there are 1.8 billion people actively using Gmail, it should come as no surprise that Google accounts represent a mouthwatering target for hackers. Google claims that its users are protected by world-class security and, on the whole, it is a secure system. No infrastructure, however, is 100% safe. Threat actors are industrious individuals and won’t rest until they’ve tried every avenue to compromise a system. Unfortunately, for Google and its users, this is exactly what’s happened.

Losing Control of Google 

Google accounts are highly valuable to their owners. Packed with apps such as Gmail and Google Drive, they hold a great deal of personal data. A new vulnerability, attributed to a flaw in how Google session cookies are regenerated, hands access to these accounts over to threat actors. Worst of all, this can be achieved time after time. You can try changing your password, but they will still be able to unlock your account.

The attack starts when a user unwittingly allows malware to be installed on their PC. This malware then searches for Google login tokens, which are typically stored in the browser’s local database. These stolen tokens are then presented to a Google API to mint fresh session cookies.

One of the main duties of this Google API is to keep the various Google services signed in across one account. So, for example, if you were logged into Google Drive, you wouldn’t have to log into Gmail as well. The threat actors exploit a flaw in this cookie handling to create new, valid cookies which grant unauthorized access to the compromised account, and this trick can be repeated multiple times. Changing your password would naturally seem the simple fix here, but even doing so still grants the hacker one more chance to regenerate a cookie and get back into your account. The reason is that the stolen token, not the password, is what the attacker is presenting, and the token is not automatically invalidated by a password change.

The vulnerability is currently being sold by threat actors online, with at least six hacking groups advertising it. These threat actors also claim that the exploit has been reworked to defeat the measures Google has taken to shut it down.

Keep Your Google Account Safe 

No one wants to lose their Google account: aside from the loss of personal data, there’s the sheer inconvenience of creating a new account and updating every service associated with the original one. Accordingly, make sure you play safe by following these best practices:

  • Use multi-factor authentication: at present, Google hasn’t revealed whether multi-factor authentication will prevent this vulnerability from seizing control of your account. However, if you don’t have it activated, make this a priority, as it’s one of the simplest ways to add extra security to your account. Because this attack reuses stolen session tokens rather than your password, also sign out of all devices from your Google account’s security page after any suspected compromise; revoking the active sessions is what actually invalidates the stolen tokens, whereas a password change alone does not.
  • Do not download suspicious software: the first stepping stone for the threat actors to compromise your Google account is installing malware on your PC, which gives them a foothold to steal your Google login tokens. Therefore, you need to remain vigilant about the software you download. The most obvious question to ask is whether the download comes from an official source.

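The mechanism above, tokens that keep working after a password change, is a design issue any service with long-lived sessions can have. The Python below is an added illustration, not Google’s code and not from the article: a toy account whose session tokens are bound to a per-account generation counter, so revoking sessions invalidates every outstanding token, while a bare password change does not. The signing key, user names and token format are assumptions made for the example.

```python
# Added example (not from the article, not Google's implementation): a minimal
# session-token model showing why a password change alone does not lock out
# someone holding a stolen token, and the fix: bind every token to a
# per-account "session generation" and bump it whenever sessions are revoked.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed server-side signing key


class Account:
    def __init__(self, user_id: str, password: str):
        self.user_id = user_id
        self.password = password           # stored in clear only for the toy
        self.session_generation = 0

    def issue_token(self) -> str:
        """Token = user:generation:HMAC. A production system would store a
        random session id server-side; the HMAC keeps this self-contained."""
        payload = f"{self.user_id}:{self.session_generation}"
        tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{tag}"

    def token_is_valid(self, token: str) -> bool:
        try:
            user_id, gen, tag = token.split(":")
        except ValueError:
            return False
        payload = f"{user_id}:{gen}"
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):   # forged or tampered
            return False
        # A genuine token is only good for the generation it was issued under.
        return user_id == self.user_id and int(gen) == self.session_generation

    def change_password_weak(self, new_password: str) -> None:
        """The behaviour the article describes: tokens outlive the password."""
        self.password = new_password

    def revoke_all_sessions(self) -> None:
        """'Sign out of all devices': every previously issued token stops validating."""
        self.session_generation += 1

    def change_password_hardened(self, new_password: str) -> None:
        """Password change that also revokes outstanding sessions."""
        self.password = new_password
        self.revoke_all_sessions()


def demo() -> dict:
    acct = Account("alice", "hunter2")
    stolen = acct.issue_token()                  # exfiltrated by the infostealer
    acct.change_password_weak("new-pass")
    still_valid = acct.token_is_valid(stolen)    # True: password change did nothing
    acct.change_password_hardened("newer-pass")
    after_revoke = acct.token_is_valid(stolen)   # False: generation bumped
    return {"after_password_change": still_valid, "after_revocation": after_revoke}


if __name__ == "__main__":
    print(demo())
```

The same generation counter is what a "sign out everywhere" button should increment; a password-change handler that does not touch it leaves every stolen token live.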


One of the biggest threats to your organization’s IT comes in the form of social engineering attacks. Therefore, you need to keep your business protected.

In the digital age, there are many threats to your IT infrastructure, including ransomware, software vulnerabilities and malware. However, perhaps the most dangerous, and easiest to launch, attack is social engineering. This attack relies on exploiting human psychology to gain a foothold within a targeted network. In many ways, it’s an age-old deception strategy from the physical world, simply transferred to the digital one. This article looks into the world of social engineering and should give you a better understanding of how to safeguard your business.

What is Social Engineering? 

The main objective of social engineering, for a threat actor, is to convince individuals that divulging sensitive information or performing some action on the network is the right thing to do. Often, this relies on phishing emails: messages sent to targets which claim to come from someone they know, e.g. a work colleague or a supplier. What the threat actor is really trying to do is either extract confidential information, such as login credentials, or encourage the target to click a malicious link.

Get Your Team to Recognize Social Engineering 

Social engineering attacks will always be aimed at your employees, so you need to invest in educating them. While an IT induction is a good opportunity to warn them of the telltale signs of social engineering, the sheer range of social engineering strategies requires something more intensive. Accordingly, regular training courses followed up with refresher courses are highly recommended. Even better, sending randomized ‘spoof’ phishing emails internally can show which employees require tailored training.

Strengthen Your Authentication Processes 

If you want to add an extra layer of defense to your IT infrastructure, strengthening your authentication processes is an excellent way of achieving this. Not only will this blunt social engineering campaigns that harvest credentials, but it also protects you against many other credential-based threats. Therefore, make sure you focus on the following:

  • Integrate password rules which require your employees to create strong passwords. Length matters more than composition: current NIST guidance (SP 800-63B) favors long passphrases screened against lists of breached passwords over mandatory mixes of case types, numbers and symbols.
  • Bring in multi-factor authentication to help protect your employees’ existing login credentials and place a further obstacle in the way of unauthorized access.
  • Require a password to be changed whenever there is evidence it has been compromised. Forcing a change on a fixed schedule, e.g. every two months, is no longer recommended by NIST, because it pushes users toward predictable variations of the same password.
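As an added example that goes beyond the three points above (not code from the article), the Python below screens a candidate password by length and against a breached-password corpus, the approach NIST SP 800-63B recommends in place of composition rules and scheduled rotation. It uses the k-anonymity range scheme of the Have I Been Pwned “Pwned Passwords” API, where only the first five hex characters of the SHA-1 leave your network. The range responses embedded here are constructed so the example runs offline; the breach count is invented, though the hash suffix for "password" is genuine.

```python
# Added example (not from the article): password screening by length and by
# breached-password lookup, using the k-anonymity range protocol of the
# Pwned Passwords API. Only the first 5 hex chars of the SHA-1 are sent; the
# service answers with every suffix in that range and its count.
import hashlib

# Constructed range responses keyed by 5-char prefix, one "SUFFIX:COUNT" per
# line. The suffix below is the real SHA-1 tail of the string "password"; the
# count is invented for the example.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
             "00000000000000000000000000000000000:0\n",
}


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>;
    returns the constructed response text for the prefix."""
    return FAKE_RANGES.get(prefix, "")


def breach_count(password: str, range_lookup=offline_range_lookup) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        cand, count = line.split(":", 1)
        if cand == suffix:
            return int(count)
    return 0


def check_password(password: str, min_length: int = 12,
                   range_lookup=offline_range_lookup):
    """Return (accepted, reason). Length and breach status decide; composition
    rules and forced rotation are deliberately absent."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password, range_lookup)
    if n:
        return False, f"appears {n} times in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), check_password(pw))
```

To use this for real, replace `offline_range_lookup` with a function that performs the HTTPS request and returns the response body; the rest of the logic is unchanged.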

Secure Your Communication Channels 

Applications such as Microsoft Outlook and Teams have revolutionized the way businesses communicate, but they also represent a rich source of data. With this in mind, you need to secure these communication channels against the threat of social engineering. Encrypting the data flowing in and out of these applications is paramount to protect the kind of data social engineering is hungry for. So, use VPNs where possible and make sure your employees avoid using their devices on public Wi-Fi without one.
