cyberattack Archives

TP-Link Routers Exploited with Ease by Vulnerability

cyberattack, default passwords, Ophtek, remote management, router firmware update, security patches, security_updates, TP-Link Archer AX-21cyberattack, default passwords, firmware updates, Ophtek, remote management, security patches, TP-Link Archer AX-21, updatesOphtek, LLC

Apr 2025

A recent cyberattack has compromised thousands of TP-Link routers, turning them into a botnet which spreads malware and launches cyberattacks worldwide.

Cybersecurity researchers have discovered a widespread attack where threat actors exploited a vulnerability (CVE-2023-1389) in TP-Link Archer AX-21 routers. This security flaw allows attackers to take control of unpatched routers remotely, recruiting them – alongside thousands of others – into part of a botnet. What’s a botnet? Well, luckily Ophtek is here to explain: a botnet is a network of infected devices used for malicious activities on a huge scale.

At least 6,000 routers have been affected, with compromised devices being found all across the world in Brazil, Poland, the UK, Bulgaria, and Turkey. Once one of the TP-Link routers are infected, they can spread malware to other devices on the same network or be used as part of a coordinated botnet attack.

How Were the TP-Link Routers Exploited?

The threat-actors behind the attack started by simply scanning the internet for any vulnerable TP-Link routers that had not been updated with the latest security patches. Each time a router was found with the vulnerability in place, the attackers were able to exploit a remote code execution flaw – which allowed the hackers to install malware on the router.

Once infected, these routers became part of the Ballista botnet, which the threat actors were able to control remotely. As more and more routers, and devices connected to them, were recruited, Ballista became even more powerful. This enabled it to spread malware to further PCs and devices, launch DDoS attacks to flood websites and disrupt online services, and steal sensitive data passing through the router.

Why Should PC Users be Concerned?

All modern PCs rely on routers to connect to the internet and internal IT infrastructures, but many people take them for granted and don’t consider them a security risk. Accordingly, many PC users have been caught out by not updating their router’s firmware or keeping their device’s default password, both of which make them easy targets for hackers. As TP-Link router users have discovered, an infected router can quickly become a major security risk, sending data to hackers without the user being aware.

Keeping Your Router Safe from Vulnerabilities

It’s highly likely that you own a router or regularly use a computer connected to one. Regardless of the make and model, all routers have the potential to be compromised by threat actors. Here’s how you can stay safe:

Update Your Firmware Regularly: Router manufacturers regularly release security updates to fix vulnerabilities in their products, so it’s crucial that you install these as soon as possible. The best way to ensure you’re running the most up to date firmware is to log into your router settings and check for any available updates once a month.
Change Default Credentials: Many routers come straight out of the box with default usernames and passwords – hackers can easily guess these as huge lists of default credentials are readily available online. This is why you need to change your router’s admin login details to a strong, unique password.
Disable Remote Management: If your router has the option of allowing remote access over the internet, you should disable this feature unless there’s a real need for you to access it from a remote location – this type of access should only be reserved for your IT team.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Lazarus Exploits Open-Source Software and Infects it

cyberattack, data-stealing malware, Lazarus, North Korea, Ophtek, SecurityScorecardcyberattack, Lazarus, malware, North Korea, Ophtek, phishing, SecurityScorecardOphtek, LLC

Feb 2025

North Korean hackers from the Lazarus Group have launched a major cyberattack by cloning open-source software and infecting it with malware.

A recent cyberattack has found the North Korean hacking group Lazarus targeting software developers by modifying open-source tools to include malware. Open-source software, freely available for anyone to use or modify, has become a crucial part of software development. However, Lazarus exploited this understanding by injecting malicious code into genuine software. This led to numerous systems becoming compromised, particularly those used by developers in the Web3 and cryptocurrency industries.

Lazarus Attacks Open-Source Software

SecurityScorecard, a cybersecurity organization, discovered that Lazarus had carried out a supply-chain attack known as “Phantom Circuit.” Lazarus selected popular open-source projects to target and embedded malicious code into them. These compromised tools were then uploaded to code-sharing platforms such as GitLab, where developers soon downloaded and started using them.

Once executed, the compromised software set about installing data-stealing malware on the victims’ PCs. The malware’s main objective was harvesting sensitive data such as login credentials, authentication tokens, and other security information. This gave the threat actors full and unauthorized access to their targets’ accounts, allowing them to modify and steal digital assets.

Over 1,500 victims were affected, with the majority being located in Europe, India and Brazil. SecurityScorecard were keen to point out that many of the victims were software engineers, mostly working in cryptocurrency and blockchain technology. In particular, Lazarus targeted modified repositories which hosted Web3 development tools, authentication systems, and cryptocurrency software. These are all attractive targets for threat actors who are looking to make a quick buck through nefarious means and cause digital chaos to IT infrastructures.

How to Protect Yourself

Lazarus has committed numerous cyberattacks in the recent past, with Ophtek previously reporting on their attack on healthcare organizations in 2023. A powerful hacking group, Lazarus has the potential to create powerful and devastating malware. Accordingly, you need to make sure your IT defenses are secure against them and similar hacking groups.

Cybersecurity awareness, as ever, is key to protecting your digital assets, so make sure you follow these best security practices:

Verify Your Software Sources: always double-check where your software is coming from before you hit that download button. Stick to official developer websites and trusted repositories e.g. regularly updated GitHub projects. If a new tool appears out of nowhere or is uploaded by an unknown user, think twice before installing it. If in doubt, remember the golden advice: double check it with an IT professional.
Keep Your Security Software Updated: first of all, make sure you have antivirus and anti-malware software protecting your systems – these can be downloaded from companies such as AVG and Kaspersky. Secondly, as new cyber threats emerge every day, you need to keep your security software up to date to protect you from new malware. Regular updates will ensure you stay one step ahead of the threat actors.
Train Your Employees: Well-trained employees are your first line of defense against cyber threats. Regular cybersecurity training can help your staff recognize phishing attempts, avoid suspicious links, and practice safe browsing and downloading habits. By keeping your team trained and up to date, you can ensure employees stay aware of evolving threats, reducing the risk of security breaches.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Threat actors are determined to harvest as much sensitive data as possible, and the Housing Authority of the City of Los Angeles (HACLA) know all about this.

It’s been revealed that HACLA has recently been attacked by the Cactus ransomware gang. First emerging in early 2023, the Cactus group has gained a reputation for stealing confidential data. Around 260 organizations have been affected by Cactus’ activities in the last year and a half, with no sign of them slowing up. HACLA, unfortunately, has previous form for data breaches, with the LockBit ransomware group gaining access to their IT systems for nearly a full year in 2022.

To help you bolster your organization’s defenses, we’re going to explore the Cactus attack in closer detail.

Cactus Get Prickly with HACLA

With 32,000 public housing units falling under its administration, HACLA is a prime target for any threat actors hungry for personal data. Accordingly, Cactus have struck at the heart of HACLA to harvest significant amounts of data.

Understandably, in order to protect their defenses, HACLA have revealed very little about the attack. They acknowledge that, after becoming aware of suspicious activity, IT professionals were contacted to investigate a possible cyberattack. HACLA’s systems remain operational as of this writing, but they haven’t confirmed exactly what happened or whether any data was stolen.

Cactus, on the other hand, has been more forthcoming with details. Announcing that they’ve managed to steal 891 GB of files from HACLA’s network, Cactus has clearly carried out an audacious attack. The data stolen, as Cactus claims, is highly sensitive and includes personal client details, financial documents, database backups, and correspondence. To demonstrate that they’re not just showboating, Cactus has published screenshots of some of this stolen data. Alongside this, Cactus has also followed up their claims by uploading an archive containing some of the stolen data.

Shielding Your Business from Breach Risks

While it’s currently unclear whether HACLA’s systems or data has been encrypted by ransomware, it’s a very real possibility. Regardless of whether encryption has taken place, the 891 GB of stolen data is a seriously worrying amount of personal data to leak. Therefore, you need to be on your guard against such attacks by practicing the following:

Data Backup Strategy: To minimize the impact of ransomware, it’s always a good idea to carry out regular, automated backups of your data. As well as keeping these backups close to hand on site, it’s crucial that you also keep copies stored on secure, off-site locations such as in the cloud. The 3-2-1 backup method is an excellent strategy to employ in order to keep your data secure and retrievable.
Regular Software Updates: Many data breaches are the result of vulnerabilities being exploited within software. These vulnerabilities allow threat actors to gain a foothold with IT infrastructures and start implementing malware infections or stealing data. Consequently, to plug all of these security holes, you should automate all software updates to optimize the strength of your defenses.
Employee Training: Regular training of your employees, both at the induction stage and through refresher courses, provides your organization with its strongest form of defense. It just takes one wrong click by an employee to expose your entire network, so it’s vital that you can sharpen their cybersecurity skills to secure your IT infrastructure.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Tag Archives: cyberattack