new-hempacks-logo

We like to think that once a cyber-attack takes place that a solution will be found. However, malware is evolving and becoming harder and harder to stop.

In Q1 2016, Kaspersky prevented just over 228 million malware attacks and this is a   figure which has been increasingly rapidly for the last few years. In fact, several years ago, it would have been unlikely to see pushed 228 million malware attacks in an entire year.

Malware, therefore, remains big business for hackers so, naturally, they’re constantly looking to upgrade their weaponry to beat the firewalls and antivirus software we rely on. And it’s a digital arms race which the cyber security experts are struggling to keep up with.

Let’s take a look at why malware is getting harder to stop.

Ransomware Arrives

499979-ransomware-feature

One of the most reported evolutions in the malware landscape has been the rise in ransomware attacks such as Locky.

Ransomware is a form of malware which encrypts users’ files and then demands a ransom to decrypt them. Being a relatively new form of malware, knowledge regarding their build and execution capabilities is somewhat limited, so this is making them particularly difficult to combat.

What’s also crucial to the success of ransomware is that the majority of attacks are routed through anonymous Tor servers which mask the attacker’s true IP address. This means that identifying the hackers becomes very difficult and they’re able to continue operating impeded and improve their malware. And this evolution of existing ransomware is best demonstrated by the Locky Trojan which began as a .DOC file, but is now being identified as a .ZIP archive in order to evade detection.

Targeted Attacks

Malware has, traditionally, followed the same execution regardless of which network it has been deployed upon. However, hacking groups such as Poseidon are now ensuring that their attacks are, after the standard breach, able to customize the attack depending upon the network.

Poseidon maps their victims’ networks and harvests all the available credentials to ensure they can gain the maximum privileges on the network. And the reason for this customized attack is because Poseidon is actively hunting the computer which operates as the local Windows domain controller. If the hackers are able to take control of this computer then they will have free rein over the entire network.

It’s this type of attack which is a cyber-security firm’s worst nightmare as it involves extensive research into the intricacies of individual networks. This is very time consuming and underlines how hackers are actively looking to make themselves more powerful.

Long Term Evolution

adwind-rat-console

One of the biggest problems with Malware is that certain strains are constantly evolving into new strains. The best example of this is the Adwind RAT (remote access tool) which first appeared in 2012 as a tool for online spying.

Originally debuting under the name Frutas, it evolved into Adwind, Unrecom, AlienSpy and JSocket over the next three years. Starting off as a Spanish language piece of software, it soon received an English language interface which allowed it to spread worldwide.

All these changes have allowed the Adwind RAT to enjoy a long career and cause so many cyber-attacks. By actively changing its exterior appearance and name, it has fooled firewalls and antivirus software to leave security experts scratching their heads.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


hackershackhacked

Anyone who sets foot online these days is at risk of falling victim to hackers, so it’s a good idea to know when you’ve been hacked.

After all, the sooner you realize you’ve been hacked, the sooner you can start working to remove the infection from your PC and make your data secure again. However, hackers are stealthy individuals and you may have to look a little closer than usual to catch them in the act.

And, to give you a helping hand, here are 7 tell-tale signs that you’ve been hacked.

1. Slow Internet Connection

If you internet connection has ground to a halt then this could indicate that you’ve been hacked. Due to an increase in network activity – caused by hackers using your bandwidth to commit malicious activity – this can render your normal internet access next to useless.

2. Unusual Access Times

It’s always a good idea to keep an eye on the times at which your network is accessed by new connections. In general, access during your normal working hours is to be expected, but new connections outside these times should be treated as suspicious. Hackers, you see, are likely to use automated software that is active throughout the entire day rather than between 9-5.

3. Disabled Antivirus

There are very few occasions that you would deliberately disable your antivirus, so if you notice that your antivirus software has been disabled this should start ringing alarm bells. And, for a hacker, if they’re able to disable your antivirus software, this allows them free rein to download all sorts of malware to your PC.

4. Unable to Log on?

One of the first things a hacker will try to alter on your system is your login credentials as this restricts your access and gives them more time to cause trouble. Therefore, if you’re absolutely sure that you’re entering the correct username/password combination, you need to consider that you may have been hacked.

5. Strange Cursor Movements

Due to hardware and software issues, your mouse may occasionally move without any user interaction. However, these are usually haphazard movements and certainly don’t double click on programs to open them. If you ever see your mouse ‘come to life’ on its own then it’s time to shut your PC down and call in the experts!

6. Fake Antivirus Messages

fake-antivirus-pro-security

You should always make sure that your network users are aware of the antivirus software that you’re running; this is because one way that hackers can target your PCs is through fake antivirus messages. These will usually advise users that a virus scan has been run and viruses detected that only this piece of software can remove. And this will involve being redirected to a website to download the “antivirus software”, but in reality you’ll be downloading nothing but malware.

7. Internet Searches Redirected

Hackers are keen to disrupt your activity for their own benefits and one way to do this is to redirect your internet searches to alternate websites. So, if you find your internet searches suddenly start taking you to dubious websites then there’s a good chance you’ve been hacked.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


serveimage Malware is often forwarded by swarms of infected PCs known as botnets; just recently the Necurs botnet has really ramped up its activity to cause havoc.

The Necurs botnet, which has been active for several months, suddenly went quiet for three weeks, but, on June 22, it was responsible for sending 160 million malicious emails. This is a huge amount of traffic and particularly troubling for businesses.

It’s important that you understand what the Necurs botnet is capable of and how to avoid being swallowed up in its activities, so I’m going to run through how it works.

Understanding a Botnet

First off, we need to understand what a botnet is, so let’s take a look at that.

Although it sounds like a futuristic android, it’s much more contemporary than that. Also known as zombie computers, a botnet is a collection of PCs which have become infected and allowed external users to access them.

In these cases the hackers are looking to exploit these PCs and their bandwidth to carry out all manner of dubious actions. These can range from crippling websites with huge amounts of traffic they can’t cope with (a Distributed Denial of Service Attack) or mass email campaigns containing malicious software.

The botnet ‘army’ is created by exploiting open ports on PCs which allow Trojan viruses to gain access and deliver their payload. The botnet controller then has remote access to many thousands of PC to carry out bigger attacks very quickly.

What Does Necurs Contain?

serveimage

Necurs main operation, at the moment, is to deliver two particularly nasty packages in the form of Locky and Dridex.

Locky is part of an increasingly popular attack known as ransomware. This malicious software is most often sent as an Office document which requests that you enable macros to translate some nonsensical text. Once this request is approved then Locky gets to work by encrypting your personal files and demanding payment to decrypt them.

Dridex is a piece of malware, also activated by Office documents, which looks to cause financial chaos by stealing banking information such as login credentials. It carries this out by monitoring network activity and taking screenshots of user activity.

Protect Yourself From Necurs

serveimage (1)Becoming part of a botnet not only threatens your own security, but also risks the security of millions of other users all over the world. That’s why you need to make sure you’re fully aware of how your PC can become enslaved, so it’s crucial you take the following steps:

  • Ensure you have a firewall which is turned on at all times. This provides a first line of defense which can monitor any unusual network activity on your PCs.

Even if you’re not part of a botnet you still need to remain vigilant due to the emails being sent by infected computers. Both Locky and Dridex can create a lot of trouble for businesses, so it’s vital that you don’t fall foul to their deceptive attachments.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


skype-lockAside from when video connections drop out, is a useful piece of software for businesses. However, the T9000 trojan is compromising Skype’s security.

Skype is an amazingly innovative app which has helped make the world that little bit smaller and cost effective. The days of having to pay extortionate rates to call people on the other side of the globe are over. And you can even throw in video conferencing as an added bonus!

Unfortunately, hackers are also innovative and if they discover there’s even a minuscule opportunity to breach a piece of software they’ll pounce upon it. Researchers at Palo Alto Networks have discovered that this is exactly what is happening with Skype and the T9000 trojan.

As Skype is an essential business tool, it was crucial to look through what the T9000 is capable of and how to protect yourself.

The Hard Facts about the T9000

Virus Detected

The T9000 trojan is actually an upgrade of the T5000 trojan which was first spotted in 2013/14. The delivery route of the T9000 trojan appears to be through spear phishing emails in the form of infected Rich Text Format (RTF) files which contain exploits for Microsoft Office controls.

Once the malware contained within these RTF files is activated, the following processes take place:

  • The first step the malware takes is to check for the presence of the 24 most common security products e.g. Kaspersky, AVG and McAfee
  • The malware is then installed onto the system’s hard drive and performs a number of checks which allow the T9000 trojan to relay information about the user’s system to the control and command centre supporting the attack
  • Three plugins (tyeu.dat, vnkd.dat and qhnj.dat) are then decompressed and executed on the infected system
  • The tyeu.dat plugin is the one which will hijack Skype through a user prompt next time Skype is started

If this user prompt is authorized then the T9000 can begin spying on the user’s Skype sessions.  This allows the T9000 the perfect opportunity to steal screenshots, audio and video data from the infected system.

The vnkd.dat plugin also works away in the background with its main intent being to steal files from the hard drive or any removable devices. Finally, the qhnj.dat plugin gives the control and command center the opportunity to send commands to the infected computers and spy on any user activity.

Protecting yourself from the T9000

virus_protection

The T9000 trojan is a very sophisticated piece of malware which threatens the security of your system on a number of different levels. The key to avoiding infection, as ever, is to practice good security methods.

Training staff on the dangers of unknown and unusual attachments is paramount, but your staff are only human and mistakes will no doubt be made. The T9000, however, is not infallible, so if your business has professional network security in place the threat will be limited or stopped in its tracks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


email-threatsMalware causes many security concerns, but, just recently, hackers have been targeting the Ukraine’s electric distributors to bring havoc to power supplies.

Instead of merely targeting secure data such as financial and classified information, the authors behind the malware – known as Black Energy – are infiltrating the systems at leading energy suppliers to cause widespread disruption.

To better understand the serious risk that this can bring to a business, we decided to investigate exactly how the hackers are executing this attack.

What’s a Spear Phishing Email?

The malware attacks in the Ukraine have been carried out with the help of a spear phishing email, but what exactly is this?

Well, it’s pretty similar to your standard phishing email, but a little more sophisticated.

A spear phishing email attempts to deceive you by demonstrating a level of familiarity. For example, instead of starting with Dear Sir/Madam, it’s likely to use your actual name e.g. Dear Ben. And it’s also likely to make a reference, in some way, to an event in your life e.g. marriage, online purchase etc.

And where do they pull this information from? It’s pretty simple, social media sites and pretty much anywhere online where you may upload personal information.

By demonstrating some familiarity with yourself, the hacker is able to lower your defenses and increase their chances of extracting information and potential access to your system.

How Did Black Energy Gain Access?

Powerlines_2

The Black Energy malware attack involves a spear phishing email which contains a seemingly innocent Excel document. Once this document is opened, the recipient is advised to enable macros, but this is a big mistake!

Once the macros are enabled, the Trojan downloader loads up malware which is capable of executing files, keylogging secure data and taking screenshots. This backdoor into the infected system is operated through a Gmail account and contributes to the difficulty in tracing the hackers.

 

The Effect on Power Companies

Ukrainian power companies such as Prykarpattyaoblenergo and Kyivoblenergo have been attacked by Black Energy and suffered widespread disruption to their operations. The biggest impact of this has been the resulting outages in power for local regions.

Although it’s not been confirmed or denied, it’s unlikely that the Black Energy creators were actively involved in flicking the power switch off. It’s more likely that infected systems struggled to operate and are unable to boot correctly or freeze.

The cumulative effect of these symptoms is that the energy companies are unable to run their system as intended and things start to go wrong. In several cases, this has resulted in the reported power outages.

Obviously, energy is essential everyone in the surrounding community, so this threat is being taken very seriously.

Combating Spear Phishing Emails

fake-email

Spear phishing emails appear very genuine, but their deceptive power should not be underestimated as the Ukraine has learned. Business staff need to remain vigilant of all emails coming into their business in order to maintain security.

The authors behind Black Energy are yet to be identified, so the threat of them (and others like them) striking again remains a very real risk.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More