malware Archives - Page 13 of 31

SessionManager Malware Targets Microsoft Exchange Servers

IIS, malware, Ophtek, security, SessionManager, Windows vulnerabilityIIS, malware, Ophtek, security, SessionManager, WindowsOphtek, LLC

Jul 2022

A new piece of malware has been found to be targeting Microsoft Exchange servers operated by both military and government organizations all over the world.

Discovered by security giants Kaspersky, who also gave the malware its name, SessionManager appears to have been at large since March 2021, but its existence has only just been confirmed. It’s believed that SessionManager was created by Gelsemium, a relatively new hacking group who have already conducted a number of serious cyber-attacks.

Naturally, you would expect military and government organizations to have some of the strongest cybersecurity measures in place. And they do. However, there’s not a single IT infrastructure which can be described as 100% secure. And, as SessionManager has proved, where there are vulnerabilities, there’s a way in.

How Does SessionManager Operate?

At the start of 2021, Kaspersky revealed details of ProxyLogon, a series of vulnerabilities discovered in Microsoft Exchange. As a result of these vulnerabilities, threat actors were presented with an opportunity to install malicious modules into web server software for Microsoft’s Internet Information Services (IIS). And this is exactly how the SessionManager module came to be embedded within numerous organization’s servers.

Once installed, the threat actors were able to use SessionManager to carry out the following tasks:

Carry out remote command execution on affected devices
Gain quick and easy access to email accounts within the organization
Install further malware to maximize the way in which servers were compromised
Using infected servers to manipulate traffic moving across the network

As SessionManager has managed to operate without detection for over a year, it has been able to harvest signification amounts of sensitive data and take control of high-level networks. Even after SessionManager’s discovery, security experts have been slow to move, with Kaspersky commenting that a popular file scanning service was still failing to detect SessionManager. Accordingly, SessionManager remains active in the digital wild and maintains its threat.

What If You’re Infected with SessionManager?

Even if you do discover that your network has been infected by the SessionManager module, deleting it is not enough to fully rid yourself of it. Instead, you will need to go through the following:

The most important step to take first is to disable your IIS environment
Use the IIS manager to identify all references to the SessionManager module and ensure that these are fully removed
Update your IIS server to eliminate any known vulnerabilities and leave it fully patched
Restart your IIS environment and run a final check for any traces of SessionManager

If, of course, you want to prevent vulnerability threats such as SessionManager being enabled in the first place, then you need a conscientious approach to updates. The sooner you can install a firmware upgrade or a security patch, the sooner you can plug security holes in your IT infrastructure.

Sure, we live in a fast-paced world and it’s easy to forget minor tasks such as installing upgrades, but with automate installs a viable option, there’s not really an excuse. Therefore, keep your organization’s network safe by automating updates and enjoying the peace of mind this brings.

For more ways to secure and optimize your business technology, contact your local IT professionals.

ZuoRAT Malware: A New Threat to Routers

malware, Ophtek, router, security, Trojans, Updates, ZuoRAT Malwaremalware, network, Ophtek, router, security, Trojans, updates, ZuoRATOphtek, LLC

Jul 2022

Small businesses rely on routers to keep themselves and their customers connected. But this relationship could now be at risk due to the ZuoRAT malware.

For online communication to work, data needs to move from one computer network to another. And this is exactly what a router does. By directing traffic across the internet, a router can be used to deliver emails, transfer files and stream videos between PCs. Without a router, you simply won’t be able to send or receive data. So, as you can see, they’re an essential part of any small organization’s IT network. Unfortunately, this is the type of IT necessity which hackers love to interfere with. And the ZuoRAT malware does this with a disturbingly sophisticated ease.

The Lowdown on ZuoRAT

ZuoRAT is a strain of malware which takes advantage of vulnerabilities in routers produced by the popular manufacturers Cisco, Netgear, DrayTek and Asus. By exploiting these vulnerabilities, ZuoRAT can access local area networks (LAN) and harvest network traffic from the infected devices. This information is then transmitted to a remote ‘command and control’ server, so, for example, any login credentials which pass through your router will be transmitted to the hacker’s server.

However, ZuoRAT doesn’t stop at hijacking LAN traffic; it downloads additional malware in the form of two further remote access trojans (RAT). These RATs are used to infect devices connected to the network and facilitate the spread of the infection even further. This could, in theory, lead to the infected network being converted into a botnet or, worse still, allow the spread of ransomware across the network.

Although ZuoRAT is relatively new, it has been active in the digital wild since April 2020, and this has given it plenty of time to exploit a wide range of routers. It’s also important to point out that ZuoRAT made its debut at the start of the Covid-19 pandemic. Given that it targets SOHO (small office/home office) routers, ZuoRAT was perfectly placed to attack employees who were working at home with limited IT support. As a result, it has been presented with an opportunity to steal sensitive data with relative ease.

Protecting Your Network from ZuoRAT

Due to the way in which it was designed – a custom build through the complex MIPS architecture – ZuoRAT is not detected by conventional anti-malware software. Therefore, if you own a router made by the affected manufacturers, it’s crucial that you make sure the associated software is up-to-date and fully patched. As ever, monitoring network traffic is a smart move as this will allow you to flag up any suspicious activity.

Final Thoughts

Threats such as ZuoRAT present numerous problems to organizations, most notably due to their multi-pronged attack strategy and stealthy nature. However, it also demonstrates a perfect example of why you need to manage updates relating to your IT equipment. Implementing an upgrade strategy which takes advantage of automated processes has never been more important.

For more ways to secure and optimize your business technology, contact your local IT professionals.

5 Forms of Hacking Which You May Not Be Familiar With

Free WiFi, Hacking, malicious code, malicious extensions, malicious links, malicious websites, Ophtekmalware, Ophtek, phishing, public wifi, ransomware, security, vulnerabilityOphtek, LLC

Jun 2022

All organizations are at risk of being hacked, and that’s why we’re familiar with the most common forms of hacking. But what about the lesser-known hacks?

With 300,000 new strains of malware being created every day, it comes as no surprise to discover that some of these are less familiar than others to PC users. And it’s this lack of familiarity which makes them so dangerous. Not only is it harder to be on your guard against them, but there’s also the small problem of not knowing how to remove them from an infected system. However, a little bit of education goes a long way. And that’s why we’re going to give you the lowdown on 5 forms of hacking which you may not be familiar with.

The Hacks You Need to Know About

Attack strategies such as phishing and ransomware are well known, so it’s time to learn about the lesser known cyberattacks you need to be prepared for:

SQL Injection Attacks: SQL is a common coding language used to design and manage databases, many of which are connected to a public facing website. Typically, these databases will hold significant amounts of secure data e.g. personal details and financial information. As a result, these are highly attractive targets for hackers. Attacks are made on these databases by injecting malicious SQL code and manipulating the server’s responses in numerous ways. This strategy allows hackers to gain access to unauthorized information and steal it.

Man in the Middle Attacks: using compromised IoT devices, or simply taking advantage of poorly secured public Wi-Fi, a Man in the Middle Attack allows threat actors to access your network connections. It’s a scenario which grants hackers the opportunity to monitor your communications and data transfers in real time. Therefore, confidential data can be stolen and traffic redirected with ease.

Brute Force Attacks: this is one of the oldest hacking strategies devised by hackers, but it doesn’t grab the headlines in the same way modern threats such as ransomware do. However, it remains an effective strategy, and one which is only getting more sophisticated. As the name suggests, brute force attacks launch a relentless campaign whereby a bot will try numerous login credential combinations until it finds the correct one to breach your security.

DNS Cache Poisoning: a DNS server takes domain names, such as ophtek.com, and translates them into an IP address which can be used to deliver data between two points. However, if a threat actor identifies a vulnerability in a DNS server, they can inject false data into its cache. This ‘poisoning’ of the DNS cache means that internet traffic will be directed away from its intended location, and this will most commonly be re-routed to a malicious website.

Fake Public Wi-Fi: hackers will go as far as setting up a fake public Wi-Fi which uses your company’s name or one that sounds similar. For example, a visitor to a Starbucks café, may detect a wireless network with a name such as “St@rbucks Free Wi-Fi” and assume it’s genuine. However, connecting to a public connection such as this opens a whole world of potential trouble. And, don’t forget, your own employees are also at risk of connecting their work devices to a fake Wi-Fi network, the result of which will expose your genuine network.

As with the most common forms of hacking, understanding the basics of good IT security is the most effective way to minimize the chances of these rarer attacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Social Engineering Used to Hack into Camera Firm

Cyber Security, Employee Training, malware, Ophtek, Password Security, social engineeringmalware, Ophtek, passwords, security, social engineering, TrainingOphtek, LLC

Mar 2022

Social engineering is one of the modern menaces of online life, and this has been demonstrated by a recent malware attack on a Swedish camera firm.

Axis Communications, who manufacture network and security cameras, are the company at the centre of this recent attack. The organization announced that they had been the victims of what they described as an “IT-related intrusion” and advised that, as a result, they had temporarily closed their public-facing services online. Naturally, the attack caused great disruption to Axis; it also brought to light a number of shortfalls in cyber-security, namely the impact of social engineering.

What is Social Engineering?

Social engineering is a form of hacking which involves using various methods of deception to glean information from the victims. So, for example, an employee who receives an email, from what appears to the organization’s IT department but is from a fake email address, asking for confirmation of their login credentials is a form of social engineering. And these incidents of social engineering don’t have to take place online, simply telling someone your mother’s maiden name – a popular choice for password recovery questions – is another example.

This image has an empty alt attribute; its file name is bus-cyber-attack2-lrg-960x480.jpg

How The Axis Attack Happened

The exact details of the Axis attack are yet to be released as the company are conducting a forensic investigation intoexactly what happened. Nonetheless, they have revealed the following details:

Several methods of social engineering were used in order to gain access to the Axis network, these were successful despite the presence of security procedures such as multi-factor authentication.
Advanced hacking techniques were used by the hackers – once they had breached the network – to enhance their credentials and gain high-level access to restricted areas.
Internal directory services were compromised by this unauthorized access.
While no ransomware was detected, there was evidence that malware had been downloaded to the Axis network.

Following concerns of suspicious network activity, and the employment of IT security experts, all external connectivity to the Axis network was closed down.

How to Protect Yourself from Social Engineering

It can be difficult to tackle the highly polished social engineering methods employed by hackers, but following the practices below can make a real difference:

Always Think: slowing down and assessing the situation is crucial when it comes to social engineering. If someone has asked you for sensitive information, such as password details, ask yourself why the need this and what could they do with it? Internal sources – such as managers and IT departments – will never ask for this, so guard your password carefully and, to clarify the situation, speak face-to face with the person who has apparently asked for it.

Regular Staff Training: it’s important that your staff understand the tell-tale signs of social engineering, so make sure that you arrange regular training/refresher courses to keep their knowledge up to date. After all, social engineering is all about the deception, and identifying this can be difficult. But, with the correct knowledge, your staff should be able to protect themselves and your organization.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Malware Found in Illegal Downloads of Spider-Man Film

cryptojacking, firewall, malware, mining malware, moreno, Ophtek, torrentscryptojacking, firewall, malware, mining malware, moreno, Ophtek, torrentsOphtek, LLC

Jan 2022

Hackers have decided to cash in on the popularity of Spider-Man by infecting copies of his latest movie with cryptocurrency mining malware.

Going to the movies is an expensive activity these days and, as a result, many people are turning to illegal torrents. These torrents are shared by hundreds of different people, each sharing the entire film as a file, with downloaders able to download parts of the file from these multiple sources. It may sound like the perfect answer to paying and queuing at the movies, but it’s an act which infringes copyright and is 100% illegal. And, of course, there’s the little matter of malware being bundled into these torrents. Nonetheless, it’s estimated that around 28 million users download and share illegal files every day.

Illegal downloads are here to stay, so it’s important that you understand the dangers they carry in terms of cybersecurity. And the Spider-Man example is the perfect place to start.

Using Spider-Man to Spread Malware

The latest Spider-Man movie is ‘Spider-Man: No Way Home’ and it was released to theatres in December 2021. Within days of the movie’s premiere, poor quality copies – often filmed from within a theatre – started appearing on torrent sites such as The Pirate Bay. However, there were also torrents available which contained a nasty surprise. Several torrents which claimed to be of No Way Home contained a file with the name of ‘spiderman_net_putidmoi.torrent.exe’ – ‘net_putidmoi’ being Russian for No Way Home.

But far from presenting you with a copy of the new Spider-Man movie, activating this file would launch cryptocurrency mining malware. The malware automatically added exceptions to Windows Defender in order to avoid detection on the infected system. With this concealment in place, the malware could then harvest the PCs processing power to mine a cryptocurrency known as Monero. While mining cryptocurrency is legal, the hijacking of PCs to power this process is highly illegal and dangerous.

How Do You Avoid These Types of Infection?

The malware involved in the Spider-Man hack has not been shown to compromise any personal information. But it will slow your PC down. And a more dangerous piece of malware could easily start compromising your data. Therefore, it’s essential that you avoid falling victim to malware hidden in torrents. The best way to stay safe is:

Don’t Download Torrents: the simplest way to avoid malware within illegal torrents is to avoid downloading them. It’s much safer for your PC (and your criminal record) to visit official sources and pay the required amount for songs, software and movies.

Always Use a Firewall: Although the Spider-Man malware is clever enough to write exceptions into Windows Defender, many similar strains of malware are not as clever. And that’s why it’s crucial that you always run a firewall, these can instantly stop malware operating on your PC.

Investigate Sluggish PC Activity: if your PC is regularly grinding to a halt and struggling to complete simple processes, there’s a good chance it’s been hijacked. Restarting your PC in Safe Mode and running anti-malware software is the best way to start ruling out an infection.

For more ways to secure and optimize your business technology, contact your local IT professionals.

« Previous 1 … 11 12 13 14 15 … 31 Next »

Tag Archives: malware