A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further. 

The name of this new threat actor is BattleRoyal, and between September and November 2023 it launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate carries out multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, giving threat actors unauthorized access to IT systems. 

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them. 

BattleRoyal’s Malware Campaign 

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign used email to deliver the DarkGate malware to unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users. 

DarkGate is also notable for taking advantage of a vulnerability in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal was able to work around this by using a specially crafted URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website without the usual warning. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence. 

How to Stay Safe from BattleRoyal 

Microsoft has since released a security patch for the CVE-2023-36025 vulnerability, and installing it remains the surest way to combat this DarkGate activity. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to follow these security best practices to prevent any infections: 

  • Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails.

  • Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before a patch was available, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, and activating automatic updates is the best way to guarantee that your defenses are fully up to date. 

  • Use security software: reputable security software is one of the simplest, yet most effective, ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools that warn against malicious websites and emails. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

The importance of installing updates has been highlighted by VMware users who have failed to update and found themselves at the mercy of malware attacks.

VMware is a tech company which specializes in providing both cloud computing services and virtualization technology (such as remote desktop software). Founded nearly 25 years ago, VMware has proved to be highly popular with businesses of all sizes. However, this experience doesn’t mean their software is perfect. In fact, no tech company – not even the biggest ones – can claim to create products which are 100% resistant to threat actors.

And that’s why VMware’s Workspace ONE Access service, an application which allows digital apps in an organization to be accessed on any device, has been compromised. The attack has been declared a significant one, so we’re going to take you through it.

Workspace ONE Compromised

The attack, which was discovered by security experts at Fortiguard Labs, centers around a vulnerability patched by VMware back in April 2022. However, attackers are still exploiting this vulnerability, an indicator that uptake of VMware’s patch has been poor. As a result, the CVE-2022-22954 vulnerability has the potential to open your PC up to all manner of malware.

If the vulnerability is still present, threat actors have the opportunity to launch remote code execution attacks against the vulnerable PC. With the help of this foothold, the hackers have been able to download a wide range of malware to PCs and their associated networks. Examples involved in this attack have included:

  • Cryptoware
  • Ransomware
  • Software which removes other cryptomining apps
  • Malware used to spread the attack even further
  • Botnets

All of these campaigns are installed and operated separately, indicating that this is a well-organized attack by the unknown threat actors. Activity for the overall campaign peaked in August 2022, but it remains active as it seeks further users of Workspace ONE who have failed to patch their software.

Protecting Yourself Against Software Exploits

The impact of falling victim to the Workspace ONE vulnerability is huge, as it attacks its victims on numerous fronts. Not only is there the financial risk of ransomware, but the activity of cryptoware and ransomware is going to seriously eat into the resources of your IT infrastructure. Therefore, you need to make sure you carry out the following:

  • Install all updates: if you are a Workspace ONE user, then you need to ensure it’s fully patched and up to date. And, once this is complete, it’s crucial that you make sure all your other software is patched too.

For more ways to secure and optimize your business technology, contact your local IT professionals.