Lazarus Exploits Open-Source Software and Infects it

cyberattack, data-stealing malware, Lazarus, North Korea, Ophtek, SecurityScorecard, , , , , ,
25
Feb 2025

North Korean hackers from the Lazarus Group have launched a major cyberattack by cloning open-source software and infecting it with malware.

A recent cyberattack has found the North Korean hacking group Lazarus targeting software developers by modifying open-source tools to include malware. Open-source software, freely available for anyone to use or modify, has become a crucial part of software development. However, Lazarus exploited this understanding by injecting malicious code into genuine software. This led to numerous systems becoming compromised, particularly those used by developers in the Web3 and cryptocurrency industries.

Lazarus Attacks Open-Source Software

SecurityScorecard, a cybersecurity organization, discovered that Lazarus had carried out a supply-chain attack known as “Phantom Circuit.” Lazarus selected popular open-source projects to target and embedded malicious code into them. These compromised tools were then uploaded to code-sharing platforms such as GitLab, where developers soon downloaded and started using them.

Once executed, the compromised software set about installing data-stealing malware on the victims’ PCs. The malware’s main objective was harvesting sensitive data such as login credentials, authentication tokens, and other security information. This gave the threat actors full and unauthorized access to their targets’ accounts, allowing them to modify and steal digital assets.

Over 1,500 victims were affected, with the majority being located in Europe, India and Brazil. SecurityScorecard were keen to point out that many of the victims were software engineers, mostly working in cryptocurrency and blockchain technology. In particular, Lazarus targeted modified repositories which hosted Web3 development tools, authentication systems, and cryptocurrency software. These are all attractive targets for threat actors who are looking to make a quick buck through nefarious means and cause digital chaos to IT infrastructures.

How to Protect Yourself

Lazarus has committed numerous cyberattacks in the recent past, with Ophtek previously reporting on their attack on healthcare organizations in 2023. A powerful hacking group, Lazarus has the potential to create powerful and devastating malware. Accordingly, you need to make sure your IT defenses are secure against them and similar hacking groups.

Cybersecurity awareness, as ever, is key to protecting your digital assets, so make sure you follow these best security practices:

  • Verify Your Software Sources: always double-check where your software is coming from before you hit that download button. Stick to official developer websites and trusted repositories e.g. regularly updated GitHub projects. If a new tool appears out of nowhere or is uploaded by an unknown user, think twice before installing it. If in doubt, remember the golden advice: double check it with an IT professional.
  • Keep Your Security Software Updated: first of all, make sure you have antivirus and anti-malware software protecting your systems – these can be downloaded from companies such as AVG and Kaspersky. Secondly, as new cyber threats emerge every day, you need to keep your security software up to date to protect you from new malware. Regular updates will ensure you stay one step ahead of the threat actors.
  • Train Your Employees: Well-trained employees are your first line of defense against cyber threats. Regular cybersecurity training can help your staff recognize phishing attempts, avoid suspicious links, and practice safe browsing and downloading habits. By keeping your team trained and up to date, you can ensure employees stay aware of evolving threats, reducing the risk of security breaches.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Threat Actors Start Hiding Malware within Website Images

archive.org, generative AI, malicious code, Obj3tivityStealer, Ophtek, Phishing, VIP Keylogger, website images, , , , , , ,
11
Feb 2025

Cybercriminals are increasingly embedding malware within website images to evade detection and compromise IT systems.

Recent investigations have revealed a growing trend among threat actors: hiding malicious code within image files hosted on trusted websites. This approach allows the attackers to bypass traditional security measures, which tend to trust well-known and widely used websites. As ever, the attack begins with a phishing email designed to trick the victim into unleashing the malware. The phishing email in question has taken numerous forms such as invoices or purchase orders. Once opened, the file exploits a Microsoft Office vulnerability.

Emails are an essential part of business, so it’s crucial that you understand how this attack works to keep your IT infrastructure safe.

Unpacking the Image Attack

The vulnerability at the heart of the attack can be found in Microsoft Office’s Equation Editor (CVE-2017-11882). This vulnerability enables a malicious script to run, downloading an image file from a trusted website (such as archive.org). The image may, to the average PC user, look harmless, but hidden within its metadata is a malicious code. This is used to automatically install spyware and keyloggers such as VIP Keylogger and Obj3tivityStealer. These slices of malware allow the threat actors to monitor your systems, harvest sensitive data, and gain access to financial information.

What’s interesting – or disturbing, depending on your perspective – about the attack is that it appears to harness the power of AI. Cybercriminals are increasingly turning to generative AI to create convincing phishing emails, malicious scripts, and even HTML web pages which can host malicious payloads. This is making attacks much easier to launch while also lowering the barriers to entry around your IT networks.

Keeping Your IT Systems Secure

No business wants keyloggers and spyware downloaded onto their IT infrastructure, so it’s vital that you keep it secure and protected. It’s impossible to keep it 100% safe, but you can optimize its strength by following these three tips:

  1. Regularly Update Your Software: make sure all your software, especially Microsoft Office applications, is up to date. Software developers release regular updates to patch vulnerabilities – like CVE-2017-11882 – which attackers seek to exploit. As well as enabling automatic updates, schedule regular checks for patches to ensure that critical updates are not missed. And remember, this applies to all software on your networks.
  2. Use Advanced Email Security: always utilize email filtering tools to automatically block phishing emails before they reach your staff. These highly effective solutions can scan all incoming messages for suspicious links, attachments, or blacklisted senders to prevent them from reaching your employee inboxes. Also, make sure your team are educated on the danger signs of a phishing email. Regular training and refresher sessions can help maximize the security of your first-line defenses.
  3. Monitor Network Activity: Use network monitoring tools to detect unusual activities, such as unexpected downloads or unauthorized connections. These tools can indicate potential threats early, allowing you to respond quickly before threat actors secure a foothold within your systems. Make sure that you establish a program of regular reviews for your activity logs, this approach will enable you to spot anomalies and take action.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malicious Chrome Extensions Threaten Millions

Bard AI Chat, ChatGPT, Cyber Attack, Facebook Ads, Google Chrome, Google Meet, malware, Ophtek, Phishing, , , , , , ,
04
Feb 2025

A recent cyberattack has compromised several popular Google Chrome extensions, infecting millions of users with data-stealing malware.

In early January 2025, cybersecurity researchers at Extension Total discovered a malicious campaign targeting Chrome extensions which offer AI services. The threat actors hijacked at least 36 extensions – including Bard AI Chat, ChatGPT for Google Meet, and ChatGPT App – with approximately 2.6 million users affected. This widespread attack has raised the alarm among users and software developers as, previously, these extensions were highly trusted.

With 3.45 billion people using Chrome as their browser, it’s no surprise that threat actors would target it. This attack is especially ingenious, so we’re going to take a deep dive into it.

How Were the Chrome Extensions Compromised?

The affected extensions may be named after popular AI tools like Bard and ChatGPT, but they are third-party applications with no development from Google or OpenAI. Third-party extensions can, of course, be legitimate, but these compromised extensions were far from helpful. Instead, they were used to deliver fake updates containing malware.

The malware was designed to steal sensitive user information, specifically targeting data related to Facebook Ads accounts. Therefore, this posed a significant threat to businesses which rely on Facebook for marketing and sales. With this stolen data, the threat actors could use it for unauthorized access, financial and identity theft, or to fuel phishing attacks.

In response to the attack, many of the affected extensions have been removed from the Chrome Store to limit further infections. However, others remain available, exposing users to the malware. Chrome, as we’ve already mentioned, is hugely popular with around 130,000 extensions are available to install. The risk of a security incident, as you would imagine, is high; this recent attack underscores the importance of practicing vigilance when installing extensions.

Staying Safe from Rogue Chrome Extensions

Browser extensions are designed to help users by enhancing functionality and making everyday browsing easier. However, this recent attack has also demonstrated that they’re a security risk. Ophtek wants to keep you safe from similar attacks, so we’ve put together our top tips for protecting your PC from rogue extensions:

  • Install Extensions from Trusted Sources: you should only ever download extensions from reputable developers and official web stores. Before hitting that install button, always carry out some research on the developer, read user reviews, and check ratings to assess how legitimate it is.
  • Limit Extension Permissions: extensions often require permissions to function correctly on your PC but be very careful of any extension which requests a long list of permissions e.g. access to browsing data, microphone control, and cookies. You should only ever grant permissions to what is necessary for the extension to operate. If in doubt of a permission request, seek help from an IT professional.
  • Update Extensions: always ensure your extensions are kept up to date, as developers often release patches to fix security vulnerabilities. Regularly check for updates and keep an eye out for any unusual browser behavior such as strange pop-ups, redirects to other sites, or performance issues. Additionally, if you have extensions you no longer use, remove these to reduce your exposure to risk

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Fake Job Scam Used to Serve Up Malware

fake recruiters, Linkedin, malicious websites, Ophtek, phishing_email, update security software, verify identities, webcams, , , , ,
28
Jan 2025

Threat actors are highly innovative – one recent attack tricked victims into addressing fake webcam and microphone issues to gain system access.

We’re constantly advised to be aware of phishing emails, infected documents, and malicious websites, but what happens when threat actors take a different approach? Well, they increase their chances of breaching your defenses. This is why it’s crucial to keep up to date with developments in the world of cybersecurity. This latest attack targeted professionals on LinkedIn, but it could easily be used in other environments.

Ophtek wants to keep you secure from these types of threats, so we’re going to summarize this attack and show you how to stay safe.

The Interview from Hell

Job interviews are always stressful affairs, but at least they don’t hit you financially. However, there is an exception – the LinkedIn attack. With 1 billion members, LinkedIn is hugely popular and this makes it the perfect target for a threat actor.

Victims are approached on LinkedIn by fake recruiters who claim to be working for crypto firms such as Kraken and Gemini. On offer is the opportunity of a number of high-ranking roles at these firms, and the victims has been specially chosen to apply. Victims who take the bait and then posed a series of long-form questions relating to the crypto industry e.g. which crypto trends will have the most impact in the next 12 months.

It may, at first, seem like any other job interview, but the final question posed requires an answer filmed on video. This is where the breach begins. The threat actor will issue an error message stating that there’s an access issue for the victim’s camera and microphone. The problem is apparently caused by a cache issue but, luckily, the ‘interviewer’ has a set of instructions to fix the error. Unfortunately, following these instructions simply hands the threat actor access to the victim’s PC, where their crypto wallet is likely to be targeted.

How to Stay Safe on LinkedIn

You may have a LinkedIn account, and even if you don’t, it’s important that you know how to defend against a similar attack. The three main ways you can protect your PC are:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Infostealers: What They Are and How to Stay Protected

Infostealers, malicious sites, malware, Ophtek, Phishing Email, SambaSpy, security software, SnipBot, software updates, , , , , , , ,
03
Dec 2024

Infostealer malware is frequently referenced as the go-to weapon for threat actors, but what is it? And how do you protect your IT systems from it?

You only have to take a quick look over the Ophtek blog to understand the popularity of infostealers in modern hacking. From fake Zoom sites through to SnipBot and SambaSpy, threat actors are determined to get their hands on your sensitive data. Infostealers, therefore, present an everyday threat to PC users and it’s crucial you understand their methods and impact.

Luckily, Ophtek has your back, and we’re going to take a deep dive into infostealers to equip you with the knowledge you need to stay safe.

What is an Infostealer?

The main objective of all infostealer malware is to harvest confidential data from a compromised system. With this stolen data, threat actors have the opportunity to conduct numerous crimes such as identity theft or financial damage. This makes infostealer malware such a serious threat, especially in the age of big data, where organizations hold huge amounts of data on their IT systems. As with most modern malware, infostealer has strong stealth capabilities, allowing it to operate in the background without being detected and strengthening its impact.

The Danger Behind Infostealers

Infostealers can be individual malware threats or part of a more extensive suite of malware applications. Whatever their method, infostealers tend to focus on stealing the following data:

  • System login credentials
  • Social media and email passwords
  • Bank details
  • Personal details

All of these data categories have the potential for serious damage e.g. hacking someone’s personal emails and reading confidential information or clearing someone’s bank account out. From a business perspective, infostealers also have the potential to gain access to secure areas of your IT infrastructure and compromise the operations of your business. All of this data is taken directly from your servers and then discreetly transmitted to a remote server set up by the threat actors.

How Do Infostealers Strike?

Threat actors have developed numerous strategies to launch successful infostealer attacks with the two most common methods being:

Protecting Your Systems Against Infostealers

Despite the threat of infostealers, it’s relatively easy to stay safe and protect your systems from them. All you need to do is follow these best practices:

  • Be Wary of Suspicious Emails: Any emails which ring even the slightest alarm bell should be closely scrutinized. If something about the wording doesn’t sound quite right, or there’s a sense of urgency to commit to an action, the chances are that this could be a phishing email. In these instances, don’t click anything and, instead, contact an IT professional to review the content.
  • Always Update Your Software: One of the easiest ways for threat actors to deploy infostealers on your system is through software vulnerabilities. No piece of software is perfect, and they often contain weak spots which can be exploited. However, as these vulnerabilities are picked up by the developers, security patches are issued to remedy these weak spots. Accordingly, installing these updates should be a major priority.
  • Install Security Software: There are numerous security packages available such as AVG and Kaspersky which monitor your systems in real time and can block malware threats instantly. This automatic defense enables you to stay safe from infostealers and keeps your networks healthy and productive.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 14