Is Your Compromised Router Working for Hackers?

5Socks, Hackers, Online Proxy, Ophtek, Routers, The Moon, , , , ,
03
Jun 2025

The FBI has warned that outdated routers are being hijacked by cybercriminals to hide illegal activity and build massive, untraceable proxy networks.

The FBI has recently issued a security alert which is of interest to anyone who logs onto the internet on a daily basis. The alert centers upon outdated internet routers which are being targeted by cybercriminals. The routers at the heart of this attack all have one thing in common: they’re no longer supported by their manufacturers. These vulnerable devices, therefore, are perfect for the attackers to exploit and turn them into tools for cybercrime. As the threat actors are combining these compromised routers into huge proxy networks, identifying the perpetrators behind the attack is fiendishly difficult.

How Have the Routers Become Compromised?

The attack relies on a strain of malware called “TheMoon,” which is used to infect end-of-life (EoL) routers. An EoL device is one which no longer receives any firmware or security updates from its developer, typically as the device is of a certain age and has been superseded by more modern devices. This EoL status makes these devices a major security risk as there’s no protection against newly discovered vulnerabilities. Once compromised, these routers become part of a network of proxies used by the attackers to shield their identities when committing crimes online.

Routers at risk of this attack include EoL routers from popular brands such as Linksys, Cisco, and Cradlepoint. Once the attacker gains access to the router, they have all the time in the world to install the malware, which connects the router to a command-and-control server. The router can then be used to recruit other compromised devices and re-route malicious internet traffic. In particular, these proxies have been observed to be involved in cryptocurrency theft, Malware-as-a-Service activities and general data theft. And, due to the stealthy nature of the attack, the victim will have no idea what’s taking place.

The infected routers are also being sold as part of proxy-for-hire services like 5Socks and Online Proxy. These are underground networks where hackers can purchase access to compromised routers, allowing other them to disguise their malicious tracks by appearing to connect from genuine and trusted IP addresses. This innovative approach helps protects the trackers true destination from any law enforcement investigations and, instead, appears to incriminate innocent homes and businesses.

The FBI has also revealed that some of the compromised routers appear to have been used by Chinese-sponsored hackers to attack major US infrastructures, indicating a professional operation designed to create maximum damage.

How Do You Keep Your Router Safe?

This latest attack may be stealthy, but there are often telltale signs that your router has been compromised. Slower internet speeds, for example, are a common side-effect caused by the lack of resources available for genuine tasks. The increased activity can also lead to overheating alongside the appearance of new administrator accounts, and unusual internet traffic patterns.

In order to maintain the security of your router, make sure you follow these steps:

  1. Upgrade Your Hardware: If your router is no longer supported by the manufacturer with security updates, you have no alternative but to replace it. This is the single most effective way to block attacks of this nature and failing to do so will instantly increase the chances of your defenses being breached.
  2. Change Default Passwords: Routers are well known for being shipped with default passwords, which represents a major security risk. Accordingly, it’s vital that you always change default usernames and passwords before any routers are made active on your network.
  3. Monitor Your Network: Install firewalls, intrusion detection systems, and network monitoring tools to record and identify any abnormal traffic patterns or device behavior. The earlier these are the detected, the quicker you can limit the impact of the breach.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Hackers Unmasked: Who Are They and What Motivates Them?

Black Hat, Hackers, Hacktivists, malware, Ophtek, Phishing, security, White Hat, , , , , , , ,
19
Nov 2024

The headlines generated by cybersecurity attacks always focus on the damage caused by hackers, but who exactly are the hackers and why do they hack?

Financial losses associated with cybercrime hit a mighty $12.5 billion in 2023, so it’s clear to see that hackers have a major impact on society. And yet we know so little about them. Characterized as shady, hidden figures, hackers rely on this mysterious air to create panic and fear when they strike. Technically savvy, they pose a major threat to computer systems all over the world, and they often get away with it through a mixture of ingenuity and bravado.

To help you understand their motives better, we’re going to pull back the digital curtain and show you who these hackers are and what drives them to attack IT infrastructures.

The Main Types of Hackers

There are many different types of hackers, with different methods of operation and varying skillsets. The main variants you’re likely to encounter are:

  • Black Hat Hackers: Perhaps the most infamous type of hacker, black hat hackers are regularly discussed on the Ophtek blog due to their love of breaking into IT systems. Their main activities involve launching malware, compromising software vulnerabilities, and setting up phishing campaigns.
  • White Hat Hackers: In contrast to their black hat counterparts, white hat hackers are a force for good. Typically, they work in conjunction with organizations to identify weak spots in their IT security e.g. demonstrating where software vulnerabilities are present or highlighting the use of default passwords on routers.
  • Hacktivists: These hackers aren’t out to commit cybercrime in the same way as a black hat hacker, but hacktivists operate on the wrong side of the law in order to bring about social or political change. A good example of this can be found in the 2022 attacks launched against Russian websites by the hacking group Anonymous, an attack designed in response to the Russian war on Ukraine.

What are the Motivations Behind Hacking?

Every hack will have a motive behind it and it’s important to understand these motives in order to better protect our computer systems. The main driving forces behind cyberattacks include:

  • Financial Gain: As with all crime, money acts as a significant motivating factor. Stolen credentials, for example, can be sold on the dark web for large amounts of cash. Likewise, the rise of Malware-as-a-Service has proved highly lucrative for hackers and been responsible for some devastating attacks.
  • Challenging Themselves: Hackers love the prestige of a successful hack, and this hit of dopamine is enough to encourage them to set about launching increasingly audacious attacks. This not only challenges them and provides a firm motivation, but it also encourages them to hone their skills and make their attacks harder to defend against.
  • Personal Grievances: Often, the main motivation behind a hack is simply a slice of old-fashioned revenge. An ex-employee, perhaps terminated unfairly in their eyes, may seek revenge by exploiting their knowledge of an organization’s IT system. This insider knowledge may offer them the opportunity to strike back and hurt the organization.

Final Thoughts

Hackers, with their varying objectives and motivations, are a complex set of individuals and groups. While some may be a force for good, just as many have taken up their craft to inflict damage and benefit financially from their digital chaos. Whatever their circumstances, one thing remains clear: it’s crucial to strengthen your IT systems against all threats all the time.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

PKfail Flaw Exposes Secure Boot to Unauthorized Access

Acer, DDoS attacks, Dell, firmware vulnerability, Hackers, Lenovo, Ophtek, PK Fail, secure boot, unauthorized access, , , , , , , , ,
20
Aug 2024

Hundreds of devices from vendors such as Acer, Dell, and Lenovo have been found to be left wide open to threat actors due to untrusted test keys.

These devices have been left compromised due to PKfail, a firmware supply chain vulnerability. On devices where PKfail (short for Platform Key fail) is present, threat actors can install malware with ease. This is because the presence of PKfail means hackers can bypass the Secure Boot process and gain access to the device. Naturally, unauthorized access puts a device at risk of not only being infected with malware, but also suffering data breaches and being hijacked for DDoS attacks.

As the threat of PKfail has affected some of the major PC manufacturers, it’s important we investigate this a little closer.

The Failure of PKfail

Secure Boot is an integral part of any modern PC, ensuring a device’s firmware and operating system is correctly authenticated against a secure key on the machine. The devices at the center of this security failure have, within their system, a test Secure Boot key. This is named “DO NOT TRUST” and is created by American Megatrends International (AMI), a widespread BIOS system used to start up a computer after being powered on.

The intention of the test key was simply that, a test. Vendors using AMI on their systems, for example Lenovo PCs, should have removed this test key before generating a unique Platform Key. This would then protect the BIOS system, prevent Secure Boot from being compromised, and eliminate the threat of unauthorized access via this route. However, this task was missed by numerous vendors, leaving their devices unprotected.

Threat actors, aware of this flaw, could then exploit this workaround for Secure Boot and access the compromised devices without breaking a sweat. By taking control of the machines, the attackers were able to start downloading malware such as CosmicStrand and BlackLotus to the devices. This firmware vulnerability, linked to a June 2024 release as per supply chain security firm Binarly, has affected close to 900 devices, with those affected listed here.

Staying Safe from PKfail

Vendors who have failed to the replace the test key from AMI are being encouraged to immediately rectify this on any systems waiting to be issued. End users of the affected devices should also keep an eye on firmware updates issued by the vendors, prioritizing any which mention the PKfail flaw. Binarly has also given end users a helping hand by creating the pk.fail website, where those at risk can scan firmware binaries to identify any PKfail-vulnerable devices.

PC users, therefore, should be aware of the risk that even newly shipped products, with the latest firmware and patches in place, can be compromised straight out of the box. Forgetting the debacle of the Crowdstrike update debacle, promptly installing updates is one of the best ways to maintain your PC’s security.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Healthcare Industry Rocked by Major Hack

ALPHV, auto updates, Backup Strategies, BlackCat, Hackers, identify phishing, Ophtek, Ransomware, , , , , , ,
23
Apr 2024

Healthcare data is some of the most sensitive data in existence, but a major hack has just affected up to 15 billion records.

Change Healthcare, who provide revenue and payment services for healthcare providers and patients, has announced that its systems have been compromised by threat actors. With Change Healthcare processing around 15 billion transactions a year, this represents a major attack. And the impact has already been felt. Healthcare providers have been struggling to charge for their services, while patients have been struggling to get their prescriptions issued. It’s a nightmare scenario for all involved and underlines the effect malware can have.

How Did Change Healthcare Get Hacked?

The precise details of how Change Healthcare was hacked has not, as yet, been revealed. However, we do know it was carried out by a ransomware group which goes by the names of ALPHV or BlackCat. Naturally, their trademark attack style involves ransomware, and it’s most likely that this was utilized in the Change Healthcare attack. With ransomware typically encrypting data, this is highly damaging for any service handling healthcare data. By encrypting patient records, the hackers would be severing a crucial flow of information.

The attack came on the 21st February 2024, and Change Healthcare took down their systems on the same day. A week later, BlackCat announced they had been behind the attack. Details of a $22 million payment to the ransomware groups have also been revealed, although Change Healthcare are yet to confirm this was made by themselves. Prescription claim submissions and payment systems have recently been reinstated by Change Healthcare, but full access to their systems is unlikely to be restored until mid-March.

Who is BlackCat?

BlackCat has been active online since 2021 and, since then, has launched a series of audacious attacks. The group was linked to the Colonial Pipeline ransomware attack in 2021, and it also took responsibility for the MGM Casino attack in 2023. Headlines such as these didn’t go unnoticed, and in December 2023, the US Department of Justice set about disrupting BlackCat’s activities. Clearly, though, the resulting Change Healthcare attack has demonstrated how BlackCat was unharmed by this resistance.

Staying Safe from Ransomware

The threat of ransomware is well known, but the Change Healthcare attack is a big deal and acts as an important reminder to stay vigilant. With this in mind, we’re going to show you the best ways to stay safe from ransomware:

  • Regular software updates: ransomware often takes control of IT infrastructures due to software vulnerabilities. Accordingly, you need to make sure automatic updates are activated on your operating system. This ensures your software is updated as soon as an update is available, preventing you from running a network with open doors for threat actors.
  • Employee training: your employees are one of your most powerful forms of defense against ransomware threats. Therefore, regular training on cybersecurity threats such as identifying phishing emails, malicious websites, and understanding how to report cybersecurity incidents is vital. With this in place, you can rest assured your network is as secure as possible.
  • Regular, isolated backups: you need to regularly back up critical data and ensure that backups are stored in a secure, isolated location. Automated backup solutions can help ensure consistency and reliability in the event of your data being encrypted by ransomware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

HeadCrab Attacks Servers with Advanced Malware

authentication, Hackers, HeadCrab, malware, Ophtek, Redis Servers, runtime monitoring, security scans, , , , , , ,
19
Mar 2024

A new strain of malware, which contains several different attack methods and is considered a severe threat, has been discovered and named HeadCrab.

The attack focuses its efforts on Redis servers, an open source, in-memory data structure store. In simpler terms, Redis acts as a database, cache, and message broker application which can store data, cookies, and authentication tokens. This means it contains confidential and personal data, which is a currency valued highly by threat actors. Redis is incredibly popular and used by many high-level clients, some of whom include Amazon, Adobe, OpenAI, and Airbnb. Therefore, it’s likely you and your team will visit websites using Redis servers, and you need to stay safe.

Unpacking the HeadCrab Attack

Redis servers appear to have been targeted by HeadCrab due to the fact they’re often exposed to the internet, without any solid authentication in place to protect them. This makes them highly vulnerable and puts any data stored on them at high risk. Using advanced coding techniques, the threat actor starts by taking control of a Redis server. This allows them to then download HeadCrab onto the infected server. This, as the command logs reveal, is a complex process, and one which leaves no stone unturned, highlighting the advanced skills of the threat actor.

With HeadCrab now active on the Redis server, it can get to work. Security researchers, who have reverse engineered HeadCrab, have discovered eight custom commands contained within its module. These allow HeadCrab to set up encrypted communication channels, reconfigure Redis servers, run exclusively in memory to avoid detection, and even run its own blog detailing its current activities and news.

Staying Safe from HeadCrab

Currently, HeadCrab has been detected in over 1200 servers and represents a serious threat. It doesn’t launch its attack using files, instead relying on advanced hacking techniques, so it’s a difficult threat to combat. However, by staying vigilant, your organization can stay safe against the threat of HeadCrab and similar attacks. The best ways to achieve this are:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 6