Ukraine’s Military Hacked by Russian Backed USB Malware 

malware, Ophtek, Phishing, Pteredo, Russian Hackers, Shuckworm, Ukraine, USB_malware, , , , , , ,
22
Aug 2023

The news footage may focus on military strikes, but, behind the war in Ukraine, cyberattacks are being utilised as a major weapon by Russia. 

Government-backed cyberattacks are nothing new, and they will continue to be utilized as part of global espionage campaigns for the foreseeable future. However, while these attacks are unlikely to be aimed at small businesses, the methods and techniques employed are likely to trickle down into the arsenal of smaller hackers. Therefore, in the near future, these powerful attacks could regularly be launched against your business. 

At Ophtek, we pride ourselves on keeping our clients up to date on contemporary threats. But we also strive to keep you one step ahead of the hackers. And that’s why we’re going to take you through this latest attack. 

Understanding the Mechanics of this Military Hack  

Warfare has always relied on much more than just weapons, intelligence has always been equally important. And, with the rise of technology in the digital age, compromising IT equipment has proven to be highly rewarding in the pursuit of sensitive information. This latest attack, which has links with Russia’s FSB security service, has been launched by Shuckworm, a Russian threat actor with a long history of attacks. 

February 2023 saw Shuckworm intensifying their attacks against Ukraine, a campaign which has been running for several years. Most notably, Shuckworm have been developing new malware in conjunction with command-and-control servers. Central to these attacks has been a strain of malware called Pterodo. Developed by Shuckworm, Pterodo is a backdoor attack which is executed when malicious USB drives are installed onto PCs. The first step that Pterodo takes is to install shortcut links on the infected PC, with these links given names such as evidence.rtf.lnk in order to tempt users into clicking them. 

Clicking these links will install Pterodo on the user’s PC and allow Pterodo to spread through any connected drives and download further malware. To cover its tracks, Pterodo uses a number of innovative approaches. Numerous variants of Pterodo have been developed to bypass identification tools and, in order to conceal their identity, the related command-and-control servers regularly rotate their IP addresses. While the USB route for launching this attack appears to be Shuckworm’s preferred method, there is also evidence that it’s being spread through phishing emails. 

How Do You Beat Military Backed Hackers? 

Threat actors which receive government support are very powerful, but it doesn’t mean they are unbeatable. In fact, this latest attack by Shuckworm can easily be deflected by practicing the following: 

  • Be wary of USB drives: USB drive attacks have been commonplace for many years, so it’s important that you don’t let your guard down. Mysterious USB drives which arrive in the mail or are found out in the parking lot should be fully scrutinized and never plugged into your PCs. As well as compromising data security, malicious USB drives also have the potential to destroy your PC

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More

Where is Cybersecurity Heading in 2023?

Artificial Intelligence, cryptojacking, cybersecurity, malware, Ophtek, Phishing, Ransomware, remote workers, , , , , , ,
08
Aug 2023

We’re already halfway through 2023 and threat actors are showing no signs of slowing up, but just where is cybersecurity heading?

It may feel as though you’re waging a never-ending battle against hackers and, well, that’s exactly what you’re doing. However, the strategies and techniques of threat actors has changed significantly in the last two decades. Back in 2003, for example, ransomware was less prevalent, but now it’s a major player in terms of cyber-attacks. Therefore, it’s always good to keep one step ahead of the hackers and understand where they are likely to go next.

What Will Future Cyber Attacks Look Like?

The future of cybersecurity will be concerned with maintaining defenses against existing threats and tackling new, innovative strategies launched by threat actors. These attacks are expected to be based in the following categories:

Artificial Intelligence: the impact of artificial intelligence (AI) has been huge in the last couple of years, just look at the interest generated by ChatGPT in 2023. However, the power to cause damage with AI is causing just as many headlines. You can, for example, ask AI systems to help generate code to build computer programs. The exact same code which is used to build malware. This means that designing and executing malware could be easier than ever before, and lead to a surge in new attacks.

Remote working: since the pandemic, more and more employees have been working remotely. While this is convenient, and has been shown to enhance productivity, it also increases the risk of falling victim to malware. Although many remote workers connect to their employers through a VPN, they are often accessing this through devices which aren’t secure. Also, as they will not have colleagues directly around them to offer advice, employees will be more vulnerable to, for example, clicking a malicious link.

Phishing: threat actors have been launching phishing attacks for nearly 20 years, and this means that many PC users can easily spot a phishing email. But this doesn’t mean we’re safe. Instead, it’s likely that future attacks will be more sophisticated to be successful. Taking advantage of AI and machine learning, threat actors will be able to craft phishing emails which are both engaging and convincing. This will allow their attacks to be more successful and harvest more stolen data.

Cryptojacking: despite several significant attacks, cryptojacking is yet to hit the mainstream PC user in the same way that ransomware has. Nonetheless, cryptojacking attacks are on the rise. Accordingly, PC users are likely to become more familiar with them in the next few years. Cryptojacking, as the name suggests, involves hijacking a PC and using its computing resources to mine cryptocurrencies. Due to the huge amount of processing power required to mine cryptocurrency, these attacks target entire networks and can grind them to a halt.

Final Thoughts

These four attack strategies may not be troubling you every day, but they could soon become regular headaches. That’s why you need to adopt a proactive approach to cybersecurity. Make sure that you

keep updated on the latest threats, regularly review your security measures, and ensure that your staff are fully trained in cybersecurity best practices.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Vidar Malware Attacks Online Sellers 

malware, Ophtek, Phishing, social engineering, Vidar Malware, Viruses, , , , ,
01
Aug 2023

E-commerce means big business in the 21st century and it proves a highly attractive target to threat actors, as online sellers are now finding out. 

Such is the size of the e-commerce industry – estimated to hit $4.11 trillion in 2023 – threat actors have many reasons for attacking online merchants. Taking control of a seller’s account will instantly provide hackers with a treasure chest of personal information about their customers e.g. payment methods, personal identifiers, and email addresses. It’s also common for threat actors to lace these compromised inventories and shops with malicious JavaScript code, this can then record credit card details during the checkout process. 

Therefore, this latest attack, which uses the Vidar malware to advance its payload, is one that you need to be aware of. 

How is Vidar Causing Havoc in the Digital Aisles? 

The attack launched against online sellers uses a combination of social engineering and phishing emails to deceive its targets. Threat actors are posing as disgruntled customers who claim to have had large amounts of money deducted from their bank without an order being processed. Using a bit.ly URL – which is typically used to shorten long URLs, but also hides the true destination of the link – the sender of the email advises the merchant to investigate a screenshot of their bank account. This, they claim, will show proof that funds have been taken. 
 
Clicking this link will take the victim to a malicious website designed to look like a genuine Google Drive account. Here, the victim is encouraged to download a .PDF of the bank statement which the sender claims will demonstrate that an illegal transaction has taken place. However, rather than downloading a .PDF, the victim will instead download a file called bank_statement.scr. And this file contains the Vidar malware. 

Vidar was first discovered in 2018 and its method of attack is well known. A classic data miner, Vidar will steal information such as passwords, browser cookies, text files, and also take screenshots of the infected PC. After uploading this data to a remote location, the threat actors can easily download this information and use it to exploit the victim further e.g. sell login credentials on the dark web or access other user accounts using the same information. 

Taking Vidar Back to the Store 

If you believe that your PC has been breached by Vidar, the good news is that most anti-virus tools will pick it up and eradicate it from your system. Nonetheless, it’s always better to not get infected in the first place. Therefore, make sure you follow these best practices to avoid falling victim to Vidar: 

Pick up on suspicious language: phishing emails are full of telltale signs, but you need to know what you’re looking for. Firstly, look out for urgency, fear, and excitement-inducing words. Secondly, watch for requests to disclose personal information or click on suspicious links. And, finally, pay attention to poor grammar or spelling errors. 

Only download from trusted sources: it’s advisable to only download files from sources you can verify are genuine. Downloading files from customers, even if they are genuine, should be avoided wherever possible. These files could, as the Vidar attack has shown, contain anything. In a scenario where you need verification, always turn to an IT professional. 

Use anti-phishing tools: installing anti-phishing software is a good way to enhance your protection against phishing attacks. These tools can be implemented as either browser extensions or part of a security suite. Once they detect an attempt at phishing, they will block the content and present you with a warning in its place. 

For more ways to secure and optimize your business technology, contact your local IT professionals

Read More

Windows WordPad Flaw Exploited to Infect PCs 

cybersecurity, DLL_hijacking, email_links, email_sender, Ophtek, Phishing, Updates, WordPad, , , , , , ,
25
Jul 2023

WordPad, a basic yet popular word processor, is the latest Windows app to fall victim to a vulnerability exploited by threat actors. 
 
Bundled free with almost every version of Windows since Windows 95, WordPad has remained popular thanks to its simplicity. Less complex than Microsoft Word and more advanced than the basic Notepad app, WordPad gives users an effective word processing tool. However, it’s now an app which carries a real threat to your IT security. Due to a flaw in WordPad’s design, threat actors have started to abuse this vulnerability by launching a DLL hijacking attack. 

Everything You Need to Know about the WordPad Hack 

You may not be familiar with DLL hijacking, so we’ll start by looking at this form of attack. DLL files are library files which can be used by multiple programs all at the same time. This makes it a highly flexible and efficient file, one which can reduce disk space and maximize memory usage. When Windows launches an app, it searches through default folders for DLLs and, if they are required, automatically loads them. What’s important to note, however, is that Windows will always give priority to loading DLLs located in the same folder as the app being launched. 

DLL hijacking abuses this process by inserting malicious DLLs in the app’s parent folder. Therefore, Windows will automatically load this malicious file instead of the genuine one. This allows threat actors to guarantee their malware can be launched long after they have left the system. And this is exactly what has happened with WordPad. The hackers begin their attack by using a phishing email to trick users into downloading a file, one which contains the WordPad executable and a malicious DLL with the name of edputil.dll. Launching the WordPad file will automatically trigger the loading of the malicious DLL file. 

This infected version of edputil.dll runs in the background and uses QBot, a notorious piece of malware, to not only steal data, but also download further malware. The infected PC is then used to spread the attack throughout its entire network.  

Writing QBot into History  

While this form of attack is far from new, it has proved successful. Accordingly, it’s important that we hammer home the basics of good cybersecurity, with a particular emphasis on phishing attacks: 

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Interest in ChatGPT Related to New Malware Attacks 

ChatGPT, cyber attacks, malware, Ophtek, Phishing, two-factor authentication, , , , ,
04
Jul 2023

The launch of ChatGPT and its accompanying headlines have been heard around the world. And threat actors are leveraging this interest to launch new attacks. 

You don’t have to look hard to find a headline relating to ChatGPT, the latest and most intriguing AI service to be released to the public. Everyone has been talking about it and, of course, this also includes hackers. After all, anything which proves popular – such as social media and cryptocurrency – quickly becomes an attractive method of delivering malware. Now, while you and your business may not use ChatGPT daily, this latest campaign utilizes a few attack strategies you need to be aware of. 

How Has ChatGPT Got Caught Up in Malware? 

The massive interest generated by ChatGPT means that AI related apps are at the forefront of most internet users’ thoughts. As a result, threat actors have decided to turn this interest to their benefit with their most favored technique: deception. The attacks, which were discovered by Meta, the owners of Facebook, have involved 10 different malware families and, on Meta’s platforms alone, 1,000 malicious links relating to ChatGPT. 
 
Two of the most notable strains detected, which appear to have originated from Vietnam hacking groups, are NodeStealer and DuckTail. NodeStealer is a JavaScript-based piece of malware which is used to steal cookies and login credentials. DuckTail, meanwhile, not only steals cookies, but also focuses on hijacking Facebook business accounts to access lucrative ad accounts. Both of these malware strains are typically spread and activated via infected files or links to malicious websites. 

How Do You Stay Ahead of AI Malware? 

The official and genuine ChatGPT site has already been used by threat actors to develop new malware, so there is already concern about how it can be compromised. And this latest attack, while not directly involving the app, certainly adds fuel to the fire. Deception, of course, is nothing new in the world of hacking. But the number of people who fall for the duplicitous schemes of hackers is astronomical. Therefore, you need to remain on your guard by following these best practices: 

  • Use two-factor authentication: many of the malware strains identified in the latest round of ChatGPT-related attacks involve stealing credentials. Therefore, there’s never been a better time to implement a further layer of security in the form of two-factor authentication. While it won’t necessarily protect against session hijacks, two-factor authentication will significantly reduce the risk of unauthorized access to your accounts. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More
1 2 3 4 5 6 11