Updates Archives

CrowdStrike Causes Unprecedented Global IT Outage

Cloud Storage, CrowdStrike, cybersecurity, Ophtek, Updates, vulnerability, Windows updatecloud storage, CrownStrike, Ophtek, security, updates, vulnerability, Windows updateOphtek, LLC

Jul 2024

One of the world’s biggest ever IT failures has caused chaos for major IT infrastructures all over the world. And it was all thanks to a CrowdStrike update.

The damage was caused by a content update for Windows issued by CrowdStrike, a major player when it comes to cybersecurity firms. However, rather than providing an enhanced experience for Windows users, it resulted in many users finding that their PCs crashed. The ‘blue screen of death’ was a common sighting and numerous applications were rendered unusable. The CrowdStrike glitch wasn’t restricted to a small number of individuals either, it went all away the round and affected major organizations.

Understanding the CrowdStrike Flaw

CrowdStrike has been providing security solutions since 2011, and it now offers a wide range of security services. These are provided through cloud-based platforms and have seen CrowdStrike’s profile rise significantly. However, their recent update for their application Falcon Sensor – which analyzes active processes to identify suspicious activity – is responsible for the worldwide outage of IT systems.

Falcon Sensor runs within Windows and, as such, interacts directly with the Windows operating system. Falcon Sensor’s main objective is to protect IT systems from security attacks and system failures, but their latest update achieved the complete opposite. As a result of faulty code within the update, Falcon Sensor malfunctioned and compromised the systems it had been installed on. This led to IT systems crashing and unable to be rebooted.

CrowdStrike were quick to identify the fault as a result of their update, and reassured the global community this was not a global cyberattack. With the fault identified and isolated, CrowdStrike rapidly developed a fix. But the damage had already been done, and many systems remained offline due to the disruption.

Who Was Affected by the CrowdStrike Glitch?

The impact of the faulty CrowdStrike update was of a magnitude rarely seen in the IT world. With many IT infrastructures relying on Windows, countless systems crashed all over the world. Airport services were badly hit, and lots of airlines had to ground their planes due to IT issues. Banks and credit card providers were also affected, and numerous organizations were unable to take card payments as a result. Healthcare services, too, felt the full impact of the glitch and struggled to book appointments and allocate staff shifts.

The Aftermath of the CrowdStrike Disaster

Disruption to IT systems was still evident days after the CrowdStrike incident, and it’s expected this disruption will continue. Matters weren’t helped by the simultaneous failure of Microsoft Azure, a cloud computing platform, which also created a major outage.

While the outages were caused by a technical glitch, CrowdStrike issued an announcement the day after that cybercriminals may be targeting affected systems. Evidence in Latin America indicated CrowdStrike customers were being targeted by a malicious ZIP archive which contains HijackLoader, a module used to install various strains of malware.

Final Thoughts

Ultimately, this digital catastrophe was caused by a faulty piece of code, and Microsoft currently estimate it affected 8.5 million Windows devices. It could easily happen again and reinforces the need for good backup protocols, such as the 3-2-1 backup method. The CrowdStrike glitch may have been unforeseen, but with the correct preparation, you can minimize the impact of future incidents on your IT systems.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A Remote Access Trojan (RAT) is one of the most common forms of malware you are likely to encounter, and it’s crucial you understand what they are.

It’s important for all organizations to be aware of the danger posed by a RAT in terms of cybersecurity. After all, a RAT could easily take down your entire IT infrastructure or compromise your business data. And all it takes is one mistake for your team to fall victim to a RAT. Due to the severity posed by RATs, we’re going to define what a RAT is, how they work, and the best way to defend and protect against this threat.

The Basics of a RAT

A RAT is a strain of malware which is designed to give threat actors unauthorized access and control over a victim’s PC from a remote location. This is always completed without the victim’s consent, a fact made possible by the stealthy nature of a RAT.

For a RAT to succeed, it first needs to infect the victim’s PC, and this can be achieved in the following ways:

Phishing emails may be used to send malicious attachments which, once opened, activate the RAT and allow it to access the PC it is on.
Malicious downloads may be activated by unsuspecting users who are downloading them from illegal file sharing websites.
If hardware and software is not updated regularly, there is a chance that vulnerabilities may be discovered which a RAT can exploit.

RATs are stealthy types of malware and this cloak of invisibility is put in place by changes that the RAT makes to system settings and registry entries. With this deception in place, a RAT is then able to communicate to a command and control (C&C) server located in a remote location. This C&C server allows the RAT to transmit stolen data and, at the same time, gives the threat actor the opportunity to send commands directly to the RAT.

Some notable examples of RATs are ZuroRat from 2022, NginRAT from 2021 and, more recently, the QwixxRAT attack. All of these examples share one key thing in common: their main objective is to cause digital chaos for all those who fall victim. Accordingly, your organization needs to understand how to defend themselves against these threats.

Detecting and Protecting Against RATs

Protecting your IT infrastructure is far from difficult. In fact, as long as you implement the following measures, it’s relatively easy:

Always update your antivirus and anti-malware software. These security suites have the potential to put a strong barrier in place and detect any incoming malware. However, they also rely on regular updates to keep up to date on the latest threats. Therefore, you need to make sure these are put in place to maximize your defenses.
Make sure that network monitoring solutions are implemented to combat unauthorized network access. This means that your IT team will be able to identify unusual network traffic patterns and take actions to shut this down.

Email and web filtering can seriously reduce your risk of falling victim to a RAT. These excellent pieces of software will analyze and block any malicious attachments before they have a chance to reach your email inbox.

For more ways to secure and optimize your business technology, contact your local IT professionals.

HiatusRAT Malware Returns with a Vengeance

HiatusRAT, malware, network, Ophtek, Security, Updateseducate, HiatusRAT, malware, network, Ophtek, security, updatesOphtek, LLC

Oct 2023

The HiatusRAT malware has re-emerged from its slumber to prove how resilient it is by targeting multiple organizations in Taiwan and the US.

As with most malware which is deemed successful in terms of its longevity, the threat actors launching HiatusRAT have ensured that it’s more powerful than ever. And, to strengthen its attack, they have redesigned it to escape detection. So far, the majority of the organizations targeted by this latest version of HiatusRAT have been based in Taiwan, but at least one US-based military system has also been attacked. And, with HiatusRAT seemingly operating at full throttle, it’s likely to spread even further.

Due to the potential danger contained within HiatusRAT, we’re going to take you through how it operates and how you can protect your organization.

The Lowdown on the Latest HiatusRAT Campaign

HiatusRAT was first detected back in March 2023, when it was discovered infecting the routers of various organizations in Europe and North and South America. This attack involved stealing data by hijacking email channels as well as installing a remote-access Trojan (RAT) on infected routers. It was an attack which led to significant data loss, but the malware’s activity soon dropped off. However, during this downtime, HiatusRAT has been refined and reconfigured.

Again, HiatusRAT appears to be targeting routers and similar networking devices. By redesigning HiatusRAT to target ARM and Intel hardware, the threat actors – who are currently unknown – have managed to enhance the potency of their malware. Operating with two types of servers – Tier 1 and Tier 2 – they have been able to use multiple IP addresses to transmit data to remote sources. As the attack has targeted at least one military system, it’s suspected that there may be a nation-state involved with the attack. However, as of now, security researchers have been unable to pinpoint the true motives outside of data theft.

Protecting Your Organization from HiatusRAT

You may not run an organization in the military industry, but RAT-based malware doesn’t tend to discriminate. Therefore, you need to be on your guard against HiatusRAT and other similar attacks. Remaining vigilant is crucial, and you can strengthen this vigilance by practicing the following:

Always install updates: many malware attacks are the result of an unpatched vulnerability giving threat actors free access to your IT systems. This means that installing updates, for every piece of software and hardware you use, is vital. It may feel like a time-consuming task in the short-term, but ultimately it could save your organization from data breaches and significant disruption.

Monitor network activity: HiatusRAT was observed to be transmitting data to a remote server for around two hours, and this is why monitoring network activity is so important. Occasionally, there can be a surge in network activity, but this is most often related to identifiable reasons and directed towards known destinations. However, anything out of the ordinary – such as unusual destinations and IP addresses – should immediately be investigated.
Educate your employees: one of the surest ways for malware to breach your IT infrastructure is through your employees. This means that strong IT induction programs need to be implemented and regular refresher courses conducted to solidify this knowledge.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Every business wants their IT infrastructure to be secure, so it’s crucial that you understand all your options. And two of the best are an SOC and an NOC.

A Security Operations Center (SOC) and a Network Operations Center (NOC) are exciting options for your defenses, but not everyone knows what they are. The good news is that both of these options, which can be based in-house or outsourced to external contractors, are here to protect your IT operations. And they both do this with a high level of sophistication, which ensures that cybersecurity threats are quickly identified and nullified.

How Does an SOC Protect Your IT Infrastructure?

Integrating an SOC into your cybersecurity strategies is one of the quickest ways to enhance your defenses. In short, an SOC is a dedicated team of professionals who can provide 24/7 monitoring of your IT systems. Their main duties include:

Maintenance: one of the surest ways to keep any system operating effectively is through routine and preventative maintenance. And this is a duty which an SOC will take in its stride. From initiating and installing updates through to updating firewalls and managing backup protocols, a dedicated SOC will ensure that none of these vital tasks are missed.
Creating response plans: in the case of a security incident, your organization needs to have a solid response plan ready to go. This could involve restoring data from backups, partitioning your networks, or even shutting your entire IT infrastructure down. Regardless of the strategy, you need to make sure that the perfect response plan has been formulated. And, thanks to the experience of those employed in an SOC, you can rest assured that your response minimizes disruption.
Monitoring: security incidents can strike your organization at any time of day, so it’s important that you have round-the-clock monitoring to flag up any attacks. An SOC can take care of this by not only monitoring network activity, but also analyzing it to provide a strong determination as to the threat level posed. This allows the SOC team to quickly identify potential threats and react accordingly.

Why Does Your Organization Need an NOC?

IT networks are complex, highly complex. This means that monitoring them effectively is difficult, but crucial when it comes to securing them. It’s difficult for your standard IT team to dedicate themselves to this task, so this is why the emergence of NOCs is so exciting for organizations. With an NOC supporting your IT infrastructure, you can expect 24/7 coverage in the following areas:

Network monitoring: an NOC can provide your organization with constant network monitoring and surveillance. This monitoring will cover all of the most common elements found in a network such as servers, routers, and switches. It’s an approach which is not only comprehensive, but also allows the NOC team to minimize any disruptions to your network.
Enhanced security: the main aim of a threat actor is to bypass the security of your network, and it’s very easy for them to sneak in when a vulnerability is in place. However, the presence of an NOC team means that not only will updates and patches be installed quickly, but their constant monitoring of your network will allow them to identify any unauthorized access.
Performance monitoring: given the level of competition within business in the 21^st century, your organization’s network needs to perform at a high level. Monitoring the complexities of an IT network, though, is a tough ask. But the experience of an NOC team means they can easily analyze your network performance, and then suggest plans for improving and maximizing its output.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Windows WordPad Flaw Exploited to Infect PCs

cybersecurity, DLL_hijacking, email_links, email_sender, Ophtek, Phishing, Updates, WordPadCybersecurity, DLL_hijacking, email_links, email_sender, Ophtek, phishing, updates, WordPadOphtek, LLC

Jul 2023

WordPad, a basic yet popular word processor, is the latest Windows app to fall victim to a vulnerability exploited by threat actors.

Bundled free with almost every version of Windows since Windows 95, WordPad has remained popular thanks to its simplicity. Less complex than Microsoft Word and more advanced than the basic Notepad app, WordPad gives users an effective word processing tool. However, it’s now an app which carries a real threat to your IT security. Due to a flaw in WordPad’s design, threat actors have started to abuse this vulnerability by launching a DLL hijacking attack.

Everything You Need to Know about the WordPad Hack

You may not be familiar with DLL hijacking, so we’ll start by looking at this form of attack. DLL files are library files which can be used by multiple programs all at the same time. This makes it a highly flexible and efficient file, one which can reduce disk space and maximize memory usage. When Windows launches an app, it searches through default folders for DLLs and, if they are required, automatically loads them. What’s important to note, however, is that Windows will always give priority to loading DLLs located in the same folder as the app being launched.

DLL hijacking abuses this process by inserting malicious DLLs in the app’s parent folder. Therefore, Windows will automatically load this malicious file instead of the genuine one. This allows threat actors to guarantee their malware can be launched long after they have left the system. And this is exactly what has happened with WordPad. The hackers begin their attack by using a phishing email to trick users into downloading a file, one which contains the WordPad executable and a malicious DLL with the name of edputil.dll. Launching the WordPad file will automatically trigger the loading of the malicious DLL file.

This infected version of edputil.dll runs in the background and uses QBot, a notorious piece of malware, to not only steal data, but also download further malware. The infected PC is then used to spread the attack throughout its entire network.

Writing QBot into History

While this form of attack is far from new, it has proved successful. Accordingly, it’s important that we hammer home the basics of good cybersecurity, with a particular emphasis on phishing attacks:

Be careful of email links and attachments: Phishing emails often contain harmful links or attachments. Be careful when clicking on links or downloading attachments, especially if they seem suspicious. Hover over the link to check the URL before clicking and only download attachments from trusted sources. If you’re unsure, always verify the email with an IT professional before clicking anything.
Verify the email sender: phishing emails often impersonate genuine organizations or individuals. Therefore, make sure you check the sender’s email address for any inconsistencies or spelling mistakes. And, if you’re still in doubt, contact the sender by phone or in person to confirm they have sent the email.
Always update: software manufacturers routinely issue updates to patch security vulnerabilities and improve performance. It’s crucial that these updates are installed as soon as possible to avoid threat actors exploiting these flaws. The simplest way to do this is by authorizing automatic updates.

For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 3 … 7 Next »

What is a Remote Access Trojan?

HiatusRAT Malware Returns with a Vengeance

The Importance of an SOC and NOC in Business IT

Windows WordPad Flaw Exploited to Infect PCs

Category Archives: Updates