Hello XD Ransomware is no Laughing Matter

Data Backup, Hello XD, Ophtek, Phishing, Ransomware, Russian Hacker, , , , ,
14
Jun 2022

The Hello XD ransomware was first spotted in the digital wild back in November 2021, but recent research indicates that it’s becoming more virulent.

There’s no such as ‘good’ ransomware, but it’s not unreasonable to describe Hello XD as ‘disastrous’ due to its enhanced capabilities. Whereas, previously, Hello XD focused its efforts on the standard ransomware practice of encrypting files, its evolved form now includes a backdoor feature. This enhanced functionality allows the transfer of data from infected PCs to external sources. Combined with its ransomware feature, this new form of Hello XD represents a huge security risk.

Ransomware is a highly problematic attack, and it’s one which your organization needs to avoid at all costs. Hello XD is the latest in a long line of ransomware attacks and, as ever, it could save you a fortune by understanding how it operates.

Hello XD Steps Up Its Game

Spread through various phishing techniques, Hello XD operates in the following manner once it arrives on a PC:

  • Hello XD’s first step is to disable shadow copy capabilities, this means that system snapshots cannot be saved or accessed. System recovery, therefore, can’t be used to counter the impact of Hello XD.
  • The infected system’s hard drive is then encrypted by Hello XD, all files are encrypted with a .hello extension and rendered inaccessible.

Clearly, Hello XD packs a powerful punch and has the capability to bring your organizations IT operations to a halt. It is believed that Hello XD has been designed by X4K, a Russian-speaking hacker who has been advertising his wares on various hacking forums. It’s also likely that X4K will enhance Hello XD’s capabilities even further for future attacks, so it’s crucial you remain alert.

How Do You Say Goodbye to Hello XD?

The best way to avoid falling victim to Hello XD is by practicing the following:

  • Understand phishing techniques: Hello XD, and many other forms of ransomware, use phishing strategies such as mass emails to snare their victims. Emails, for example, which instill a sense of urgency over financial matters can be used to encourage users to open malicious attachments. However, if your employees understand the tell-tale signs of social engineering, they will be better placed to avoid falling victim to phishing attacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Follina Exploit: A New Microsoft Office Vulnerability

Follina Exploit, Microsoft Word, Ophtek, Suspicious Documents, Zero Click Attack, , , ,
07
Jun 2022

The latest Microsoft vulnerability has been discovered, and this one allows infected Word documents to execute malicious code.

This vulnerability, dubbed Follina by security researchers, is of the zero-day variety and has the potential to hand control of your PC over to threat actors. Word documents, of course, are some of the most regularly used files in business, and it’s likely your organization uses these throughout the day. This allows Follina to adopt a stealthy approach, one where your employees are unlikely to question what appears to be a harmless Word document.

What is Follina?

At the heart of the Follina exploit is an infected Word document, one which is packed with code designed to download a HTML file from a remote location. This file, which is brought into your internal network, uses the Microsoft troubleshooting app MSDT to load further code and execute Powershell – a Microsoft app used to automate management of tasks.

Typically, infected Word documents require the recipient to enable macros before any payload can be released. However, the Word document associated with Follina can bypass disabled macros. In fact, the recipient doesn’t even need to fully open the document, its malicious contents can even be activated when the Word document is in preview mode. For this reason, Follina has been categorized as a zero-click attack.

Follina is likely to be employed in phishing attacks, either through email attachments or by sending a malicious link to victims. As such, Follina can spread quickly and in large numbers. It can be considered a major threat and one which can give full control of an infected PC to the threat actors behind it.

How to Protect Against Follina

As of this time of writing, Microsoft has failed to issue a security patch against the Follina exploit. However, this doesn’t mean that your organization has to fall victim to Follina. Microsoft has provided some guidance, a set of instructions which advise users how to disable MSDT’s URL protocol. PC users have also been informed that disabling ‘Troubleshooting wizards’ entries in their system’s registry will help protect them.

While these recommendations should only be implemented by an IT professional, there is one simple piece of advice which all employees need to be aware of:

Final Thoughts

Vulnerabilities are never going to go away, the sheer complexity behind PC hardware and software means that there will always be room for exploits to be discovered. And this is where the vigilance of your employees needs to be at its strongest. Although Follina, for example, is classed a zero-click attack, it still requires the input of an employee to activate it. Therefore, ensure that regular cybersecurity training is given to limit the risk of falling victim to these attacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malicious Extension Found Being Injected into Chrome

ChromeLoader, extensions, Google Chrome, malicious extensions, Ophtek, , , ,
31
May 2022

Chrome is the world’s most popular browser and, as such, is a major target for hackers, a fact highlighted by the emergence of a malicious Chrome extension.

If you’re a Chrome user, then you will be well aware of the wide range of benefits that Chrome extensions deliver. They not only making browsing easier, but their main objective is to make you more productive e.g. automating tasks such as blocking pop-up adverts. While Chrome extensions allow you to personalize your browsing experience, they are not without risk. Privacy concerns have surrounded browser extensions for as long as they have been available, and malicious extensions have been equally concerning.

It’s more than likely that your organization uses the Chrome browser in some capacity, so let’s look at the dangers of this most recent malicious extension.

The Lowdown on ChromeLoader

With a name that does exactly what it says on the tin, the ChromeLoader extension loads itself into Chrome. It begins its journey towards Chrome in the form of an ISO file – an image copy of the contents of an optical disc – which is currently being spread through social media sites and pay-per-install sites. Within this ISO is an executable file which, when activated, installs the ChromeLoader extension into Chrome and uses Windows’ Task Scheduler application to load the extension.

At present, the malicious activity of ChromeLoader has been recorded as relatively low. Rather than stealing data or encrypting files, ChromeLoader appears more concerned with redirecting victims towards spam sites. It’s a threat level which may not appear significant but, as with all malware, there’s a potential for ChromeLoader to evolve into something more powerful. It could, for example, be used to load ransomware into a compromised PC, and that’s when your productivity really will come under attack. And, even it remains only a minor nuisance with its spam redirection, it’s still a problem your organization could do without.

How to Tackle ChromeLoader

ChromeLoader is delivered via an ISO file, and the chances of your employees needing to handle ISO files at work are slim. Therefore, it makes sense to add ISO files to your list of prohibited files that can be downloaded. If an employee does need an ISO file downloading from the internet, then they should contact your IT team to arrange this securely. Banning torrent sites, such as PirateBay, will also limit the chances an employee has to access infected ISO files, so build this into your web filters as well.

Ultimately, extensions such as ChromeLoader prey upon the naivety of the common internet user. For the average person, a Chrome extension is a useful ally, not something to be feared. However, threat actors are always keen to deliver their malicious payloads as stealthily as possible. And that’s why they try to take advantage of routes, such as Chrome extensions, which are commonly trusted by PC users. As a result, educating your staff on the potential dangers of downloading files from the internet, such as ISO files or browser add-ons, should be a priority.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

5 Sure-fire Ways to Know You’ve Been Hacked

Cyber Security, Encryption, Hackers, Hacking, Network, Ophtek, pop ups, , , , , ,
24
May 2022

The aim of most hackers is to be discreet, but there’s almost always a tell-tale sign they’re at work. You just have to know what you’re looking for.

Damage limitation is an essential part of cyber-security and, accordingly, the sooner you realize you’ve been hacked, the sooner you can get to work on rectifying the issue. Establishing that you’ve been hacked, however, isn’t always straightforward. Hackers are well known for their stealthy attack strategies, and, in many cases, you’re unlikely to realize that you’ve been hacked. You may, instead, simply think that your network is experiencing technical problems, and that’s why you can’t access your files, or why your PCs performance has ground to a halt. But you also need to consider that you may have been hacked.

How Do You Know You’ve Been Hacked?

There are several clear giveaways that your organization’s digital defenses have been breached, and here are five of the most sure-fire ways to know you’ve been hacked:

  1. Your Files are Encrypted: your day-to-day IT activity will likely center around the regular usage of files e.g. Word documents and Excel spreadsheets. But what happens when you can’t access these? Firstly, your organization’s productivity will plummet and, secondly, it could indicate that you’ve been the victim of ransomware. If your files are encrypted and a message is received demanding a ransom fee to decrypt them, then you’ve been hacked.
  2. Unusual Network Activity: regular traffic patterns should be easily identifiable on your network logs, but anything unusual should be closely scrutinized. Modern hacking methods often find malware communicating with remote locations to transmit information or download further malware. Therefore, any unknown locations that are delivering or receiving data from your organization need to be investigated.
  3. Persistent Pop-Ups: there’s nothing more irritating than a pop-up window when you’re trying to work on something. But when these are regularly popping up, when they shouldn’t be, there’s a good chance you’ve been hacked. Often, these pop-ups will try to convince you to perform an action, such as downloading an anti-malware app due to an infection on your PC. These, of course, are fake and are simply a devious strategy to get you to download further malware on to your PC.
  4. People Ask You If You’ve Been Hacked: one of the most obvious signs that you’ve been hacked is when people start asking you if you’ve been hacked. And this is because malware often hijacks email accounts to help spread spam. As a result, people you know – who are listed in your email address book – will be receiving spam messages direct from your email account. Naturally, these unusual messages will ring alarm bells with the recipients, and they are likely to check in with you to confirm if your email account has been hacked.
  5. Your Credentials are Available Online: hackers like to make money by harvesting valuable login credentials, these can then be sold to other hackers who want to breach security measures and gain quick, unauthorized access to private networks. Thankfully, applications such as Google’s Password Manager can warn you when these credentials turn up in password dumps, this is a good sign to immediately change all your passwords.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Raspberry Robin: A New USB-based Malware

Ophtek, Rasberry Robin, USB Drives, USB Flash Drives, USB Malware, , ,
17
May 2022

USB drives are vital parts of any IT system, providing external storage and simple file transfers. But they also run the risk of introducing malware to PCs.

We’ve talked in the past about USB drives which can completely destroy a PC, but this new threat is a little different. Believed to have been active in the digital wild since September 2021, Raspberry Robin (as it has been named by researchers) is a strain of malware loaded with a series of dangerous commands. Although it was first discovered in September 2021, researchers noted a sharp uptick in its activity during January 2022. Accordingly, like most malware, it’s likely that its activity will accelerate again in the future, so it’s crucial you know what to look for.

What is Raspberry Robin?

Despite sounding like a charming brand of candy, Raspberry Robin is far from sweet. Instead, it’s a form of malware which is delivered to its victims through an infected USB drive. Quite how Raspberry Robin makes its way onto these USB drives is a question which has security researchers scratching their heads. Regardless of this mystery, however, the fact remains that Raspberry Robin is there and it’s capable of causing digital chaos.

Once the infected USB drive is connected to an active PC, it uses this as a prompt to activate a shortcut link housed on the USB drive. This opens explorer.exe and, most importantly, MsiExec.exe which is used to install new programs in Windows. MsiExec.exe is then used to launch a communication channel to an external domain, from which it will receive malicious commands. Raspberry Robin also harnesses MsiExec.exe to install a malicious .DLL file, although it is yet to be established what the objective of this file is.

Another feature of Raspberry Robin’s attack strategy is to execute the Windows tool fodhelper.exe – this is used to manage features in Windows settings – and instruct rundll32.exe to, in turn, launch further malicious actions. These processes are executed with elevated admin privileges, yet do not require authorization from a User Account Control prompt. While this allows Raspberry Robin unauthorized privileges, it also highlights unusual behavior on a PC and can be used to identify the malware’s presence.

How Can You Avoid Raspberry Robin?

One of the simplest ways to minimize your risk against Raspberry Robin is to never plug unknown USB drives into a PC. Without scanning the drive thoroughly and securely, there is no way of knowing exactly what’s on there. And this can put your PC and indeed your entire IT network at risk.

Likewise, any new USB drives purchased by your organization should be tested by an IT professional on an offline network. This approach will prevent malware such as Raspberry Robin spreading throughout your IT network.

It’s also important that you practice good network monitoring. As Raspberry Robin communicates with external domains, significant traffic will be visible between your network and new, unknown locations. Identifying unusual traffic patterns such as this will allow you to investigate and take care of any concerns.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 22 23 24 25 26 57