Ophtek Archives - Page 26 of 60

SessionManager Malware Targets Microsoft Exchange Servers

IIS, malware, Ophtek, security, SessionManager, Windows vulnerabilityIIS, malware, Ophtek, security, SessionManager, WindowsOphtek, LLC

Jul 2022

A new piece of malware has been found to be targeting Microsoft Exchange servers operated by both military and government organizations all over the world.

Discovered by security giants Kaspersky, who also gave the malware its name, SessionManager appears to have been at large since March 2021, but its existence has only just been confirmed. It’s believed that SessionManager was created by Gelsemium, a relatively new hacking group who have already conducted a number of serious cyber-attacks.

Naturally, you would expect military and government organizations to have some of the strongest cybersecurity measures in place. And they do. However, there’s not a single IT infrastructure which can be described as 100% secure. And, as SessionManager has proved, where there are vulnerabilities, there’s a way in.

How Does SessionManager Operate?

At the start of 2021, Kaspersky revealed details of ProxyLogon, a series of vulnerabilities discovered in Microsoft Exchange. As a result of these vulnerabilities, threat actors were presented with an opportunity to install malicious modules into web server software for Microsoft’s Internet Information Services (IIS). And this is exactly how the SessionManager module came to be embedded within numerous organization’s servers.

Once installed, the threat actors were able to use SessionManager to carry out the following tasks:

Carry out remote command execution on affected devices
Gain quick and easy access to email accounts within the organization
Install further malware to maximize the way in which servers were compromised
Using infected servers to manipulate traffic moving across the network

As SessionManager has managed to operate without detection for over a year, it has been able to harvest signification amounts of sensitive data and take control of high-level networks. Even after SessionManager’s discovery, security experts have been slow to move, with Kaspersky commenting that a popular file scanning service was still failing to detect SessionManager. Accordingly, SessionManager remains active in the digital wild and maintains its threat.

What If You’re Infected with SessionManager?

Even if you do discover that your network has been infected by the SessionManager module, deleting it is not enough to fully rid yourself of it. Instead, you will need to go through the following:

The most important step to take first is to disable your IIS environment
Use the IIS manager to identify all references to the SessionManager module and ensure that these are fully removed
Update your IIS server to eliminate any known vulnerabilities and leave it fully patched
Restart your IIS environment and run a final check for any traces of SessionManager

If, of course, you want to prevent vulnerability threats such as SessionManager being enabled in the first place, then you need a conscientious approach to updates. The sooner you can install a firmware upgrade or a security patch, the sooner you can plug security holes in your IT infrastructure.

Sure, we live in a fast-paced world and it’s easy to forget minor tasks such as installing upgrades, but with automate installs a viable option, there’s not really an excuse. Therefore, keep your organization’s network safe by automating updates and enjoying the peace of mind this brings.

For more ways to secure and optimize your business technology, contact your local IT professionals.

ZuoRAT Malware: A New Threat to Routers

malware, Ophtek, router, security, Trojans, Updates, ZuoRAT Malwaremalware, network, Ophtek, router, security, Trojans, updates, ZuoRATOphtek, LLC

Jul 2022

Small businesses rely on routers to keep themselves and their customers connected. But this relationship could now be at risk due to the ZuoRAT malware.

For online communication to work, data needs to move from one computer network to another. And this is exactly what a router does. By directing traffic across the internet, a router can be used to deliver emails, transfer files and stream videos between PCs. Without a router, you simply won’t be able to send or receive data. So, as you can see, they’re an essential part of any small organization’s IT network. Unfortunately, this is the type of IT necessity which hackers love to interfere with. And the ZuoRAT malware does this with a disturbingly sophisticated ease.

The Lowdown on ZuoRAT

ZuoRAT is a strain of malware which takes advantage of vulnerabilities in routers produced by the popular manufacturers Cisco, Netgear, DrayTek and Asus. By exploiting these vulnerabilities, ZuoRAT can access local area networks (LAN) and harvest network traffic from the infected devices. This information is then transmitted to a remote ‘command and control’ server, so, for example, any login credentials which pass through your router will be transmitted to the hacker’s server.

However, ZuoRAT doesn’t stop at hijacking LAN traffic; it downloads additional malware in the form of two further remote access trojans (RAT). These RATs are used to infect devices connected to the network and facilitate the spread of the infection even further. This could, in theory, lead to the infected network being converted into a botnet or, worse still, allow the spread of ransomware across the network.

Although ZuoRAT is relatively new, it has been active in the digital wild since April 2020, and this has given it plenty of time to exploit a wide range of routers. It’s also important to point out that ZuoRAT made its debut at the start of the Covid-19 pandemic. Given that it targets SOHO (small office/home office) routers, ZuoRAT was perfectly placed to attack employees who were working at home with limited IT support. As a result, it has been presented with an opportunity to steal sensitive data with relative ease.

Protecting Your Network from ZuoRAT

Due to the way in which it was designed – a custom build through the complex MIPS architecture – ZuoRAT is not detected by conventional anti-malware software. Therefore, if you own a router made by the affected manufacturers, it’s crucial that you make sure the associated software is up-to-date and fully patched. As ever, monitoring network traffic is a smart move as this will allow you to flag up any suspicious activity.

Final Thoughts

Threats such as ZuoRAT present numerous problems to organizations, most notably due to their multi-pronged attack strategy and stealthy nature. However, it also demonstrates a perfect example of why you need to manage updates relating to your IT equipment. Implementing an upgrade strategy which takes advantage of automated processes has never been more important.

For more ways to secure and optimize your business technology, contact your local IT professionals.

The Importance of Admin Accounts in IT

Admin Accounts, Data Security, Domain Admin Account, Domain Service Account, IT, OphtekAdmin Accounts, Data Security, Domain Admin Accounts, Domain Service Account, it, OphtekOphtek, LLC

Jun 2022

Visibility is vital when it comes to dealing with your IT network. Without it, anything could happen on your network. And that’s why we have admin accounts.

The amount of data processed on any business network will be substantial and, accordingly, it needs to be both secured and made accessible correctly. Your HR department, for example, will need to be able to access employee data whereas your sales team would, instead, more likely need customer data. Additionally, the security of your IT network needs considering. You wouldn’t, for example, want every employee to be able to download applications, an action which should only be reserved for IT professionals.

For all these factors to be regulated and correctly adhered to, you need to have an admin account overseeing everything.

What is an Admin Account?

The account you use to log on to Windows in the morning will, in general, be a standard user account. These will allow you to access the applications you need and store data which is relevant to your job. However, an admin account is significantly different. These grant the user much more power across the network. The most common and effective forms of admin accounts are:

Domain administrator accounts: this is the most powerful form of admin account, and allows those with the login credentials to carry out administrative tasks when required e.g. installing software and setting up new user accounts.

Doman service accounts: these admin accounts are used to complete automated tasks such as checking for software updates and completing backups. It’s important to separate these privileges from domain administrator accounts to maximize security.

What Do Admin Accounts Do?

Admin accounts are highly important when it comes to running an IT network, and their core focus includes:

User authentication: multi-factor authentication is one of the strongest forms of network security and its one which should be managed by admin accounts. This allows those with the correct privileges to put multi-factor authentication tools in place e.g. automated software to generate unique text message codes. Admin accounts can also be used to monitor and manage the way in which login credentials are entered e.g. raising an alert when multiple failed logins are attempted.

Analyze Data: one of the biggest breakthroughs in modern business has been the push to analyze data, and admin accounts are perfect for taking this on. Thanks to the visibility they have of your network, admin accounts are well placed to identify patterns such as the most popular files, website activity and where the most interaction takes place. This data can then be used to optimize your business performance.

Group configuration: admin accounts don’t need to operate purely on individuals’ accounts, instead they can configure entire groups. Therefore, if you need all of your customer service team to have the same privileges and access, admin accounts can configure bespoke solutions for entire teams. This not only puts team members on a level playing field, but it also reduces the time taken to configure user accounts for new employees – they are simply assigned the group privileges.

Final Thoughts

Admin accounts are an essential part of a functioning business IT network. Not only can they protect your employees and customers, but they allow you to optimize your performance in both IT and business productivity. Assigning admin account access, however, shouldn’t be taken lightly and it’s important that, when granted, this need is regularly reviewed to increase compliance and security.

For more ways to secure and optimize your business technology, contact your local IT professionals.

5 Forms of Hacking Which You May Not Be Familiar With

Free WiFi, Hacking, malicious code, malicious extensions, malicious links, malicious websites, Ophtekmalware, Ophtek, phishing, public wifi, ransomware, security, vulnerabilityOphtek, LLC

Jun 2022

All organizations are at risk of being hacked, and that’s why we’re familiar with the most common forms of hacking. But what about the lesser-known hacks?

With 300,000 new strains of malware being created every day, it comes as no surprise to discover that some of these are less familiar than others to PC users. And it’s this lack of familiarity which makes them so dangerous. Not only is it harder to be on your guard against them, but there’s also the small problem of not knowing how to remove them from an infected system. However, a little bit of education goes a long way. And that’s why we’re going to give you the lowdown on 5 forms of hacking which you may not be familiar with.

The Hacks You Need to Know About

Attack strategies such as phishing and ransomware are well known, so it’s time to learn about the lesser known cyberattacks you need to be prepared for:

SQL Injection Attacks: SQL is a common coding language used to design and manage databases, many of which are connected to a public facing website. Typically, these databases will hold significant amounts of secure data e.g. personal details and financial information. As a result, these are highly attractive targets for hackers. Attacks are made on these databases by injecting malicious SQL code and manipulating the server’s responses in numerous ways. This strategy allows hackers to gain access to unauthorized information and steal it.

Man in the Middle Attacks: using compromised IoT devices, or simply taking advantage of poorly secured public Wi-Fi, a Man in the Middle Attack allows threat actors to access your network connections. It’s a scenario which grants hackers the opportunity to monitor your communications and data transfers in real time. Therefore, confidential data can be stolen and traffic redirected with ease.

Brute Force Attacks: this is one of the oldest hacking strategies devised by hackers, but it doesn’t grab the headlines in the same way modern threats such as ransomware do. However, it remains an effective strategy, and one which is only getting more sophisticated. As the name suggests, brute force attacks launch a relentless campaign whereby a bot will try numerous login credential combinations until it finds the correct one to breach your security.

DNS Cache Poisoning: a DNS server takes domain names, such as ophtek.com, and translates them into an IP address which can be used to deliver data between two points. However, if a threat actor identifies a vulnerability in a DNS server, they can inject false data into its cache. This ‘poisoning’ of the DNS cache means that internet traffic will be directed away from its intended location, and this will most commonly be re-routed to a malicious website.

Fake Public Wi-Fi: hackers will go as far as setting up a fake public Wi-Fi which uses your company’s name or one that sounds similar. For example, a visitor to a Starbucks café, may detect a wireless network with a name such as “St@rbucks Free Wi-Fi” and assume it’s genuine. However, connecting to a public connection such as this opens a whole world of potential trouble. And, don’t forget, your own employees are also at risk of connecting their work devices to a fake Wi-Fi network, the result of which will expose your genuine network.

As with the most common forms of hacking, understanding the basics of good IT security is the most effective way to minimize the chances of these rarer attacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Hello XD Ransomware is no Laughing Matter

Data Backup, Hello XD, Ophtek, Phishing, Ransomware, Russian Hackerbackup data, Hello XD, Ophtek, phishing, ransomware, Russian HackerOphtek, LLC

Jun 2022

The Hello XD ransomware was first spotted in the digital wild back in November 2021, but recent research indicates that it’s becoming more virulent.

There’s no such as ‘good’ ransomware, but it’s not unreasonable to describe Hello XD as ‘disastrous’ due to its enhanced capabilities. Whereas, previously, Hello XD focused its efforts on the standard ransomware practice of encrypting files, its evolved form now includes a backdoor feature. This enhanced functionality allows the transfer of data from infected PCs to external sources. Combined with its ransomware feature, this new form of Hello XD represents a huge security risk.

Ransomware is a highly problematic attack, and it’s one which your organization needs to avoid at all costs. Hello XD is the latest in a long line of ransomware attacks and, as ever, it could save you a fortune by understanding how it operates.

Hello XD Steps Up Its Game

Spread through various phishing techniques, Hello XD operates in the following manner once it arrives on a PC:

Hello XD’s first step is to disable shadow copy capabilities, this means that system snapshots cannot be saved or accessed. System recovery, therefore, can’t be used to counter the impact of Hello XD.

The infected system’s hard drive is then encrypted by Hello XD, all files are encrypted with a .hello extension and rendered inaccessible.

A ransom note is issued to the victim through a text file which instructs them to communicate with the threat actors through the TOX chat system. Featuring strong end-to-end encryption, TOX provides a cloak of secrecy for the hackers while they communicate with their victims.

Hello XD’s final move is to use its backdoor functionality – a program named Microbackdor – to steal files, wipe any evidence of the PC being compromised and execute remote commands.

Clearly, Hello XD packs a powerful punch and has the capability to bring your organizations IT operations to a halt. It is believed that Hello XD has been designed by X4K, a Russian-speaking hacker who has been advertising his wares on various hacking forums. It’s also likely that X4K will enhance Hello XD’s capabilities even further for future attacks, so it’s crucial you remain alert.

How Do You Say Goodbye to Hello XD?

The best way to avoid falling victim to Hello XD is by practicing the following:

Understand phishing techniques: Hello XD, and many other forms of ransomware, use phishing strategies such as mass emails to snare their victims. Emails, for example, which instill a sense of urgency over financial matters can be used to encourage users to open malicious attachments. However, if your employees understand the tell-tale signs of social engineering, they will be better placed to avoid falling victim to phishing attacks.

Keep backups offline: it’s essential that you keep backups of your data and system snapshots offline to retain control over your data. While this will not stop a ransomware attack, it does provide your organization with a solution if they are attacked. A threat actor will be unable to encrypt offline files, and this ensures that you can restore your data without paying a ransom.

For more ways to secure and optimize your business technology, contact your local IT professionals.

« Previous 1 … 24 25 26 27 28 … 60 Next »

Category Archives: Ophtek