Qbot is Back and Causing Digital Chaos Once Again 

malware, Ophtek, Qbot, Ransomware, spear phishing, , , ,
06
Jun 2023

It appears that you can’t keep a good piece of malware down as Qbot, first seen over 15 years ago, has reared its ugly head once again. 

Qbot was discovered in the late 2000s and, since then, has gone through numerous developments to keep pace with modern IT systems. Also known as Qakbot, this malware has strong capabilities to cause damage, a scenario which can be attributed to its longevity as a threat vector. Qbot has a habit of suddenly emerging after a period of inactivity and its most recent spike in activity was seen at the end of 2022. With a long history of stealing data and being used to deliver further malware, Qbot is a threat which could easily target your IT infrastructure. 

What Does Qbot Consist Of? 

Historically, and still to this day, Qbot has been used to steal login credentials by logging keystrokes and giving remote access to threat actors. Alongside this, it has also been used to download additional malware – such as ransomware – and hijacking email threads. Now, you may not be familiar with email hijacking, but it’s important you’re aware of what this is. 

Qbot is a sneaky piece of malware, and this is most readily demonstrated by its ability to hijack email threads. This is basically when it jumps into your email threads and messes with the messages. It does this to try and trick you into thinking you’re having a genuine conversation. This technique makes you more likely to click on a malicious link. It’s most effective in a work environment where people are used to communicating frequently via email. Qbot has been deploying this attach method regularly since 2020 and has been highly successful. 

How Much of a Threat is Qbot? 

Given its longevity, it should come as no surprise that Qbot is successful. However, Qbot is, in fact, the most prevalent malware currently active in the digital landscape. Therefore, you’re more likely to be infected by Qbot than any other piece of malware. It’s a serious feather in the cap for the developers behind Qbot’s latest incarnation, but it spells trouble for most PC users. This means it’s crucial that you know how to defend your IT systems. 

Staying Safe From Qbot 

The threat from Qbot is very real, but you can strengthen your IT defenses by employing the following best practices: 

  • Always install updates: make sure you install all updates as soon as they become available. Qbot thrives upon vulnerabilities in software, such as the Follina exploit, so keeping everything updated is an easy way to secure your network. It may feel time consuming for what is a small step, but allowing automatic updates ensures it makes a big difference in the long run.
  • Beware of phishing emails: email hijacking is very similar to spear phishing in that it attempts to trick your employees into clicking malicious links. Accordingly, you should you encourage your team to take their time and double-check emails for things like strange links and unusual writing styles. Even a quick 10-second check of an email will reduce your risk of being compromised. 
  • Backup: Qbot is often used to distribute ransomware and, as we know, ransomware can often rob you of your data. Often, it won’t even return your data if you pay the ransom fee. Therefore, protecting your data with regular and multiple backups is essential. With backups readily available, you will be able to navigate away from the threat actors and simply restore your data. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More

What is Ransomware as a Service?

Ophtek, Phishing, Ransomware, Security, Suspicious links, Updates, , , , ,
28
Feb 2023

There’s a lot of money to be made in hacking and threat actors are now turning it into a business with Ransomware as a Service (RaaS).

Ransomware, of course, is well known to anyone who steps online in the digital age. With the ability to encrypt your data and demand a ransom fee, it has not only generated headlines, but also caused significant headaches for business owners. And, with ransomware attacks increasing by 41% in 2022, it’s a strategy which is showing no signs of slowing up. Therefore, not only do you need to be aware of ransomware, but you also need to keep up with associated developments such as RaaS.

As RaaS has the potential to create attacks which are both wider ranging and easier than before, it’s crucial you understand how it operates

The Basics of Ransomware as a Service

We’re all aware of what ransomware is, but what is RaaS? After all, surely ransomware is the opposite of a service? Unfortunately, for PC owners, ransomware software and attacks are now available for hire in the form of RaaS. Similar to Software as a Service (Saas) – examples of which include Gmail and Netflix – RaaS allows threat actors to harness the power of hacking tools without having to design them. If, for example, a threat actor doesn’t have the time (or skills) to build a ransomware tool, what do they do? They purchase one.

Typically, RaaS kits are found on the dark web, so don’t expect to find them taking up space on Amazon. Depending on the sophistication of the RaaS, the cost of purchasing them can range between $30 – $5,000. Threat actors looking to purchase RaaS are also presented with several different purchasing options such as one-time fees, subscription tiers or even affiliate models. It’s estimated that over $10 billion exchanges hands each year – mostly in cryptocurrency – for RaaS kits.

Examples of RaaS include Black Basta, LockBit and DarkSide, with more available for those looking to unleash ransomware easily and quickly. These RaaS kits are also much more than just hacking software, they also offer user forums and dedicated support teams to help customers get the most out of their ransomware. Again, this is very similar to the way in which successful SaaS developers provide extra value for their product. However, whereas SaaS is provided by legitimate developers, RaaS tends to be created by criminal gangs with the sole intent of generating illegal funds.

Staying Safe from Ransomware as a Service

The end result of an RaaS attack is the same as a standard ransomware attack, so there’s nothing specific you need to do if an attack comes through RaaS. Instead, you just need to stick to good old fashioned ransomware security practices:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

5 Cybersecurity Threats to Look Out For in 2023

Artificial Intelligence, Cyber Security, IOT, Ophtek, Ransomware, social engineering, , , , ,
03
Jan 2023

With the end of 2022 fast approaching, it’s time to start looking ahead to the potential security threats that hackers are planning for 2023. 2022 has been another year packed full of ransomware, deceptive malware and unbelievable software vulnerabilities, so it should come as no surprise that more of the same lies ahead. However, threat actors are constantly evolving their techniques and strategies to stay one step ahead of your defenses. Accordingly, you need to make sure you’re keeping pace with their advances and, where possible, putting solutions in place ahead of any attacks being launched.

Preparing for cybersecurity threats in 2023 is vital if you want to keep your IT infrastructure safe for the next 12 months, so let’s look at what we’re likely to be fighting against.

What’s in Store for 2023?

There will be many threats during 2023 to look out for, but the 5 biggest cybersecurity threats you need to be aware of are:

Ransomware will push onwards and upwards: one of the biggest threats to cybersecurity over the last 10 years has been ransomware, and it’s a trend which will continue in 2023. In particular, it’s believed ransomware will move its focus towards cloud providers rather than single organizations, a move which will allow threat actors to target multiple organizations based within one platform. Additionally, due to the speed with which it can be completed, it’s likely ransomware will concentrate on file corruption as opposed to full encryption.

Artificial intelligence will become more important: whilst the potential for AI to help organizations is immense, it also has the capability to fuel cyberattacks. Polymorphic code, for example, uses AI to rapidly change its code, a skill which makes it perfect for malware to avoid being detected. AI learning is also likely to be used to help threat actors to sniff out software vulnerabilities, an opportunity which will allow hackers to focus their real-time activities elsewhere.

Internet of Things attacks to increase: the Internet of Things (IoT) is only going to get bigger during 2023 and, given the historical security issues with IoT devices, this is going to create a small-scale nightmare for your network. As a result, more emphasis is going to be needed when working with IoT devices due to the increased surface area for hackers to target e.g. regular updates and inventory checks. Supply chains to be targeted more and more: supply chain attacks are very dangerous, and 2023 is likely to see a further increase in the number of attacks launched. Much like IoT attacks, supply chain attacks open a large surface area to threat actors, a point underlined by the SolarWinds attack which exposed hundreds of organizations to a single attack. Therefore, it will be crucial that software and hardware being released is thoroughly checked by its manufacturers to avoid any security disasters.

Social engineering to start working with deepfakes: the danger of deepfakes has been well documented in the last five years, but it’s possible these are now going to be integrated into social engineering scams. Deepfakes are all about deception and, at their best, they are highly convincing. Consequently, they are perfect for adding legitimacy to emails and videos which, for example, may be pushing for you to take a call-to-action which is a smokescreen for downloading malware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

US Companies Targeted by Black Basta Ransomware

Black Basta, Cyber Security, Ophtek, RaaS, Ransomware, , , ,
27
Dec 2022

Companies in the US have recently found themselves under attack by the Qakbot malware, a campaign leading to numerous infections by Black Basta ransomware.

Black Basta is a ransomware group which first entered the digital waters in April 2022. Positioned as a Ransomware-as-a-Service (RaaS) group, Black Basta have been very busy in the months following their initial detection. Their attack strategy tends to focus on specific targets rather than hitting thousands of targets and hoping that some fall victim. Primarily, Black Basta have been observed to be using malware such as Qakbot and exploits including PrintNightmare to gain an initial point of entry to PC networks. From here, they ratchet up the chaos by installing ransomware.

Due to the financial risk associated with ransomware, it’s crucial your IT infrastructure is on high alert when it comes to the Black Basta attacks.

The Lowdown on Black Basta’s Campaign

At least 10 US-based companies have been attacked by Black Basta’s campaign in the last two weeks, and at the heart of its attack is a double-extortion method. Essentially, this strategy involves taking a standard ransomware attack (encrypting files and demanding a ransom) and adding further weight by threatening to publish the encrypted data on the dark web. Naturally, this is considered a very serious and aggressive threat, but exactly how does Black Basta take control of these networks in the first place? By launching a spear phishing attack, Black Basta is able to deliver a malicious disk image to unsuspecting victims which, if opened, activates Qakbot. This malware is then used to connect to a remote server and distribute Cobalt Strike, a legitimate piece of software which threat actors can use to set up numerous ‘beacons’ on a network. Once these beacons are established, Black Basta begins to steal credentials and launch ransomware attacks on the compromised network. A number of instances have also arisen where users are completely locked out of their network.

How to Protect Against Black Basta

This is far from the first ransomware attack to be launched, but it is considered a significant threat to PC users and the finances of organizations. Therefore, protecting your IT infrastructure against the Black Basta threat actors must be a major priority. As with most ransomware attacks you should be carrying out the following:

  • Be aware of social engineering: spear phishing attacks, such as those deployed by Black Basta, are incredibly deceptive and have the potential to hoodwink even the most vigilant employee. However, if your employees are encouraged to always take time to double check emails – e.g. links, uncharacteristic writing styles and unusual requests – then you will reduce your risk of falling victim to spear phishing.
  • Make multiple backups of your data: many organizations are forced into paying ransomware demands as it’s the only way to retrieve their valuable data. Backing up your data to multiple sources, however, ensures you have a copy of this data preserved. As a result, you can ignore the hackers’ demands and keep your finances looking healthier.
  • Install all updates: attacks similar to Black Basta’s recent campaign are often attributed to software vulnerabilities – such as the PrintNightmare exploit – so it makes sense to make sure all updates are installed as soon as they are available. It may feel like a small step to take, but it provides your IT network with a serious security boost.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

BlackByte Ransomware Targets Windows Driver Vulnerability

BlackByte, MSI Afterburner utility, Ophtek, Ransomware, RTCore64.sys, update drivers, , , , ,
25
Oct 2022

A vulnerable Windows driver has been revealed to be the ‘hole in the fence’ that the BlackByte ransomware needs to breach your IT infrastructure.

The attack is interesting in that it uses a relatively new attack strategy known as Bring Your Own Vulnerable Driver (BYOVD). It’s an attack method which targets vulnerabilities in drivers to take control of the victim’s PC. And, to maximize the impact of the breach, the ransomware goes on to disable more than 1,000 drivers associated with security software.

The ransomware involved in this recent attack is believed to have been brewed by the BlackByte threat actors, a hacking group whose origins can be traced to the infamous Conti hacking team. Clearly, the BlackByte team know what they are doing and it’s vital that you are aware of their strategies.

What is BlackByte?

The vulnerable driver in the sights of BlackByte’s target is RTCore64.sys, a driver associated with the MSI Afterburner utility found in countless graphics cards. To be specific, RTCore64.sys is a kernel driver, and this means that it’s involved in the transfer of data between a piece of hardware and a PC’s operating system. The problem with RTCore64.sys is that it’s associated with the CVE-2019-16098 vulnerability.

Once BlackByte has exploited the CVE-2019-16098 vulnerability, the threat actors can access the arbitrary memory of that PC. Access to this area gives BlackByte the opportunity to assume administration privileges, execute commands and transmit data. The ransomware also prides itself on its ‘anti-analysis’ strength, a fact most evidenced by its ability to disable numerous security products and remain undetected.

The Importance of Updating Drivers

The vulnerability at the heart of BlackByte’s attack, CVE-2019-16098, is far from new and, therefore, is a very different attack to that of a zero-day vulnerability. In fact, the CVE-2019-16098 vulnerability has been known of since 2019. This underlines the fact that hackers will focus on known vulnerabilities – after all, it’s much easier to attack an existing vulnerability than to spend time trying to find new ones. As a result, it’s crucial that you update any drivers when prompted to or, more simply, you activate automatic updates.

Not all driver vulnerabilities, however, have updates available due to a variety of reasons such as support being discontinued for a product. Thankfully, it’s still possible to minimize the risk of these vulnerable drivers. As long as your organization keeps a log of all the authorized drivers used within your IT infrastructure, you can regularly check the security status of these drivers. If one is found to be vulnerable with no patch available, you can simply apply block rules to these drivers.

Final Thoughts

The threat presented by BlackByte’s ransomware has the potential to create chaos across your IT network and needs to be taken seriously. And it’s not the only risk which utilizes these methods as, for example, the Avos Locker ransomware uses similar strategies. Accordingly, the importance of applying updates and monitoring vulnerable drivers has never been stronger.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 4 7