updates Archives

One of the recent developments in hacking has been the Bring Your Own Vulnerable Driver (BYOVD) attack, but what is it and how do you defend against one?

By now, the Ophtek blog should have informed you about ransomware, trojans, and cryptojacking, but we’ve rarely mentioned the dangers of a BYOVD attack. In the past, BYOVD attacks were mostly carried out by only the most sophisticated threat actors, but they’re now becoming increasingly popular with even basic bedroom hackers. Therefore, today is the day we remedy this and provide you with a fully comprehensive look at BYOVD attacks and how you can stay safe.

The Role of Drivers within Your PC

Before we dig deep down into the mechanics of a BYOVD attack, it’s important that you understand what’s at the heart of their malicious activities: drivers. You’ve no doubt heard of drivers in passing, but it’s only the most die-hard PC user who would fully understand what they do. Their main role is as a file used to support software applications. They work by acting as a bridge between an operating system and a device e.g. between Windows and a graphics card.

Without drivers, your PC simply wouldn’t work. From your display through to your speakers and printer, there would be no way for your operating system to communicate with these devices. This makes drivers a crucial part of any PC, but it also means they’re ripe for cyberattacks.

Breaking Down a BYOVD Attack

We’re all aware of software vulnerabilities, and a BYOVD is a unique take on this method of hacking. In a BYOVD attack, threat actors will trick their victims into downloading outdated, vulnerable drivers onto their PC. This could be through phishing emails or pop-up adverts, with the main objective of getting these unsafe drivers downloaded onto a PC along with a nasty dose of malware. With these vulnerable drivers in place, threat actors can take control of the infected PC.

BYOVD attacks are dangerous for the following reasons:

Data Theft: With BYOVD attacks capable of bypassing your security software, they not only have easy access to all your data but can effortlessly transmit it to remote servers.
Install Further Malware: IT systems with vulnerabilities exploited are at risk of having further malware installed on them. So, for example, a threat actor could first gain access to your system before downloading further malware to facilitate DDoS attacks or support cryptojacking.
Damage Your Productivity: A BYOVD attack can quickly render your IT systems unusable due to the capabilities of drivers. By exploiting the deep access and reach drivers have, threat actors have the opportunity to disable network components, corrupt system files, and damage hardware.

You can find out more specifics of the impact of a BYOVD attack by checking out our article on the EDRKillShifter malware.

Protecting Your IT Systems from BYOVD Attacks

You may have been unfamiliar with BYOVD attacks, but you should now have a basic understanding of how they operate. The next step is to protect yourself by implementing these security practices:

Driver Whitelisting: this is a method whereby only authorized system users have the privileges to install drivers on your IT infrastructure. Even then, the use of Windows Defender Application Control should also be utilized to ensure that only pre-approved, digitally signed drivers can be installed.
Regular Updates: one of the simplest ways to protect against BYOVD attacks is by installing all updates and patches as soon as possible. Automating these updates allows you to guarantee that you have the freshest, most secure drivers on your system at all times.
Employee Education: BYOVD attacks are often distributed by phishing attacks, so it’s useful to educate, and regularly refresh, your employees on the telltale signs of a phishing attack. This could prove invaluable as your employees are your most important defense against cyberattacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Infostealer malware is frequently referenced as the go-to weapon for threat actors, but what is it? And how do you protect your IT systems from it?

You only have to take a quick look over the Ophtek blog to understand the popularity of infostealers in modern hacking. From fake Zoom sites through to SnipBot and SambaSpy, threat actors are determined to get their hands on your sensitive data. Infostealers, therefore, present an everyday threat to PC users and it’s crucial you understand their methods and impact.

Luckily, Ophtek has your back, and we’re going to take a deep dive into infostealers to equip you with the knowledge you need to stay safe.

What is an Infostealer?

The main objective of all infostealer malware is to harvest confidential data from a compromised system. With this stolen data, threat actors have the opportunity to conduct numerous crimes such as identity theft or financial damage. This makes infostealer malware such a serious threat, especially in the age of big data, where organizations hold huge amounts of data on their IT systems. As with most modern malware, infostealer has strong stealth capabilities, allowing it to operate in the background without being detected and strengthening its impact.

The Danger Behind Infostealers

Infostealers can be individual malware threats or part of a more extensive suite of malware applications. Whatever their method, infostealers tend to focus on stealing the following data:

System login credentials
Social media and email passwords
Bank details
Personal details

All of these data categories have the potential for serious damage e.g. hacking someone’s personal emails and reading confidential information or clearing someone’s bank account out. From a business perspective, infostealers also have the potential to gain access to secure areas of your IT infrastructure and compromise the operations of your business. All of this data is taken directly from your servers and then discreetly transmitted to a remote server set up by the threat actors.

How Do Infostealers Strike?

Threat actors have developed numerous strategies to launch successful infostealer attacks with the two most common methods being:

Phishing Emails: 3.4 billion phishing emails are sent every day, so it’s fair to say they’re an incredibly popular route for malware. These highly deceptive emails will contain either malicious links or attachments which, when activated, expose the recipient to malware downloads.
Malicious Sites: As seen in our article on fake Zoom sites, threat actors regularly set up malicious websites in order to lure visitors into downloading either fake updates or complete applications. However, these downloads are never genuine and only contain malware such as infostealers.

Protecting Your Systems Against Infostealers

Despite the threat of infostealers, it’s relatively easy to stay safe and protect your systems from them. All you need to do is follow these best practices:

Be Wary of Suspicious Emails: Any emails which ring even the slightest alarm bell should be closely scrutinized. If something about the wording doesn’t sound quite right, or there’s a sense of urgency to commit to an action, the chances are that this could be a phishing email. In these instances, don’t click anything and, instead, contact an IT professional to review the content.
Always Update Your Software: One of the easiest ways for threat actors to deploy infostealers on your system is through software vulnerabilities. No piece of software is perfect, and they often contain weak spots which can be exploited. However, as these vulnerabilities are picked up by the developers, security patches are issued to remedy these weak spots. Accordingly, installing these updates should be a major priority.
Install Security Software: There are numerous security packages available such as AVG and Kaspersky which monitor your systems in real time and can block malware threats instantly. This automatic defense enables you to stay safe from infostealers and keeps your networks healthy and productive.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Threat actors are determined to harvest as much sensitive data as possible, and the Housing Authority of the City of Los Angeles (HACLA) know all about this.

It’s been revealed that HACLA has recently been attacked by the Cactus ransomware gang. First emerging in early 2023, the Cactus group has gained a reputation for stealing confidential data. Around 260 organizations have been affected by Cactus’ activities in the last year and a half, with no sign of them slowing up. HACLA, unfortunately, has previous form for data breaches, with the LockBit ransomware group gaining access to their IT systems for nearly a full year in 2022.

To help you bolster your organization’s defenses, we’re going to explore the Cactus attack in closer detail.

Cactus Get Prickly with HACLA

With 32,000 public housing units falling under its administration, HACLA is a prime target for any threat actors hungry for personal data. Accordingly, Cactus have struck at the heart of HACLA to harvest significant amounts of data.

Understandably, in order to protect their defenses, HACLA have revealed very little about the attack. They acknowledge that, after becoming aware of suspicious activity, IT professionals were contacted to investigate a possible cyberattack. HACLA’s systems remain operational as of this writing, but they haven’t confirmed exactly what happened or whether any data was stolen.

Cactus, on the other hand, has been more forthcoming with details. Announcing that they’ve managed to steal 891 GB of files from HACLA’s network, Cactus has clearly carried out an audacious attack. The data stolen, as Cactus claims, is highly sensitive and includes personal client details, financial documents, database backups, and correspondence. To demonstrate that they’re not just showboating, Cactus has published screenshots of some of this stolen data. Alongside this, Cactus has also followed up their claims by uploading an archive containing some of the stolen data.

Shielding Your Business from Breach Risks

While it’s currently unclear whether HACLA’s systems or data has been encrypted by ransomware, it’s a very real possibility. Regardless of whether encryption has taken place, the 891 GB of stolen data is a seriously worrying amount of personal data to leak. Therefore, you need to be on your guard against such attacks by practicing the following:

Data Backup Strategy: To minimize the impact of ransomware, it’s always a good idea to carry out regular, automated backups of your data. As well as keeping these backups close to hand on site, it’s crucial that you also keep copies stored on secure, off-site locations such as in the cloud. The 3-2-1 backup method is an excellent strategy to employ in order to keep your data secure and retrievable.
Regular Software Updates: Many data breaches are the result of vulnerabilities being exploited within software. These vulnerabilities allow threat actors to gain a foothold with IT infrastructures and start implementing malware infections or stealing data. Consequently, to plug all of these security holes, you should automate all software updates to optimize the strength of your defenses.
Employee Training: Regular training of your employees, both at the induction stage and through refresher courses, provides your organization with its strongest form of defense. It just takes one wrong click by an employee to expose your entire network, so it’s vital that you can sharpen their cybersecurity skills to secure your IT infrastructure.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Macros make our lives easier when it comes to repetitive tasks on PCs, but they’re also a potential route for malware to take advantage of.

The most up to date version of MS Office prevents macros from running automatically, and this is because macros have long been identified as a major malware risk. However, older versions of MS Office still run macros automatically, and this puts the PC running it at risk of being compromised. Legacy software, such as outdated versions of MS Office, comes with a number of risks and drawbacks, but budgetary constraints mean many businesses are unable to update.

Malicious MS Office Macro Clusters

A macro is a mini program which is designed to be executed within a Microsoft application and complete a routine task. So, for example, rather than taking 17 clicks through the Microsoft Word menu to execute a mail merge, you can use a single click of a macro to automate this process. Problems arise, however, when a macro is used to complete a damaging process, such as downloading or executing malware. And this is exactly what Cisco Talos has found within a cluster of malicious macros.

Several documents have been discovered which contain malware-infected macros, and they all have the potential to download malware such as PhantomCore, Havoc and Brute Ratel. Of note is that all of the macros detected so far appear to have been designed with the MacroPack framework, typically used for creating ‘red team exercises’ to simulate cybersecurity threats. Cisco Talos also discovered that the macros contained several lines of harmless code, this was most likely to lull users into a false sense of security.

Cisco Talos has been unable to point the finger of blame at any specific threat actor. It’s also possible that these macros were originally designed as a part of a legitimate cybersecurity exercise. Regardless of the origins of these macros, the fact remains that they have the potential to expose older versions of MS office to dangerous strains of malware.

Protect Your Systems from Malicious Macros

The dangers of malicious macros require you to remain vigilant about their threat. Clearly, with this specific threat, the simplest way to protect your IT systems is to upgrade to the latest version of MS Office. This will enable you to block the automatic running of macros and buy you some thinking time when you encounter a potentially malicious macro. As well as this measure, you should also ensure you’re following these best practices:

Always Verify Email Attachments: a common delivery method for malicious macros is through attachments included with phishing emails. This is why it’s crucial that you avoid opening macros in documents which have been received from unknown sources. As with all emails, it’s paramount that you verify the sender before interacting with any attachments.
Install All Security Updates: almost all software is regularly updated with security patches to prevent newly discovered vulnerabilities from being exploited. Macros are often used to facilitate the exploitation of software vulnerabilities, so it pays to be conscientious and install any security updates as soon as they’re available.
Use Anti-Malware Software: security suites, such as AVG, perform regular, automated scans of your PCs to identify any potential malware infections. In particular, many of these security suites target malicious macros, so they make a useful addition to your arsenal when targeting the threat of macros.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

New Malware Used to Target Security Software

BYOVD, DSE, EDRKillShifter, install updates, malware, Ophtek, Russian Hackers, SophosBYOVD, DSE, EDRKillShifter, malware, Ophtek, Russia, Sophos, updatesOphtek, LLC

Sep 2024

The hacking collective RansomHub has unveiled a new strain of malware, one which is used to disable security software and leave PCs open to attack.

Discovered by security firm Sophos, RansomHub’s new malware has been dubbed EDRKillShifter. First detected during May 2024, EDRKillShifter carries out a Bring Your Own Vulnerable Driver (BYOVD) attack. The main objective of a BYOVD attack is to install a vulnerable driver on a target PC. With this driver in place, threat actors can remotely gain unauthorized access and get a foothold within the system.

The Story Behind EDRKillShifter’s Attack

EDRKillShifter typically targets Endpoint Detection and Response (EDR) security software, leaving PCs at risk of multiple malware attacks. Classed as a ‘loader’ malware, EDRKillShifter delivers a legitimate, yet vulnerable driver onto the target PC. In many cases, it’s been identified that multiple drivers, which are all vulnerable, have been introduced to PCs.

Once the vulnerable drivers have been deployed within the PC, EDRKillShifter executes a further payload within the device’s memory. This payload allows the threat actors to exploit the vulnerable drivers and, as a result, gain access to elevated privileges. This change in privileges gives the attackers the ability to disable EDR software on the machine. And the name of this software is hardcoded into EDRKillShifter’s processes, to prevent it from being restarted.

Attempts to run ransomware on compromised machines has been noted by Sophos and, digging deeper into the EDRKillShifter code, there are strong indicators that the malware originates from Russia. As regards the vulnerable drivers, these are freely available on the Github repository and have been known about for some time.

Preventing the Spread of EDRKillShifter

The mechanics of EDRKillShifter are effective and dangerous but are nothing new. Similar attacks, such as AuKill, have been carried out in the last year, and the technique currently appears popular with threat actors.

Luckily, your organization doesn’t have to fall victim to malware such as EDRKillShifter and its variants. Instead, you can maintain the security of your IT infrastructure by following these best practices:

Enable Tamper Protection: It’s important that you limit user privileges for installing drivers. For the average PC user, there’s no reason why they should be installing drivers. Therefore, you can protect your security defenses by limiting driver privileges to restricted admin accounts. This ensures that unauthorized users are unable to disable your EDR software.

Always Install Updates: Vulnerable drivers, such as those exploited by EDRKillShifter, are often updated once vulnerabilities have been detected. This is why it’s paramount that your organization always installs updates as quickly as possible. By eliminating compromised files from your PCs, you’re instantly strengthening the safety of your machines.

Use Driver Signature Enforcement: Windows has a tool called Driver Signature Enforcement (DSE), which can help protect your PC from BYOVD malware. DSE ensures that only drivers signed by Microsoft can be installed on your devices. By enlisting the help of DSE, you’re adding another layer of protection to your defenses.

For more ways to secure and optimize your business technology, contact your local IT professionals .

1 2 3 … 11 Next »

What is a BYOVD Attack and How Can You Stay Safe?

Infostealers: What They Are and How to Stay Protected

Los Angeles Housing Authority Rocked by Ransomware Group

Malicious Macros Target Old Versions of MS Office

New Malware Used to Target Security Software

Tag Archives: updates