updates Archives - Page 2 of 10

Software updates should always enhance your PC’s efficiency, but the recent breach of an ISP has demonstrated quite the opposite.

This recent compromise appears to have been exploited by StormBamboo, a collection of Chinese threat actors who have been causing digital chaos since 2012. The attack was made possible after StormBamboo breached the defenses of an undisclosed ISP. This allowed StormBamboo to take control of the ISP’s traffic and redirect it for their own malicious gains.

If you’re accessing the internet, even if it’s only for basic email and browsing usage, your business is going to be partnered with an ISP. And this attack by StormBamboo tells a cautionary tale of how you always need to be on your guard.

StormBamboo’s Innovative Attack

Having gained unauthorized access to the ISPs servers, StormBamboo was able to intercept and compromise DNS requests from users of that ISP. A DNS request is a query to provide an IP address for a host name – e.g. en.wikipedia.org. An ISP will provide this IP address and allow the user to visit the required webpage.

However, StormBamboo was able to manipulate these DNS requests and, instead of the legitimate IP address, provide a malicious alternative. No action was required from the end user, and they would be transferred to a malicious domain automatically. In particular, StormBamboo focused on poisoning DNS requests for software updates. These updates were insecure as they were found to not validate digital signatures for security purposes.

As a result of these compromises, StormBamboo was able to deceive victims into downloading malware such as Macma (for MacOS machines) and Pocostick (for Windows devices). For example, users of 5KPlayer, a media player, were redirected to a malicious IP address rather than fetching a specific YouTube dependency. This led to a backdoor malware being installed on affected systems. StormBamboo was then observed to install ReloadText, a malicious Chrome extension used to steal mail data and browser cookies.

Staying Safe from StormBamboo

The attacks carried out by StormBamboo appear to have been active during 2023 and were identified by Volexity, a reputable cybersecurity organization. Volexity’s first step was to get in touch with the ISP and identify the traffic-routing devices which were being compromised. This allowed the ISP to reboot its servers and instantly stop the ISP poisoning. Users of the ISP, therefore, were no longer at risk of being exposed to malware. Further advice on eliminating this specific threat can be found on Volexity’s blog.

Nonetheless, businesses are reminded to remain mindful about malicious activity on their networks. Implementing robust security measures, conducting regular vulnerability assessments, and monitoring network traffic for unusual patterns are all crucial. Additionally, employing advanced threat detection tools and training employees on cybersecurity best practices will further strengthen your defenses. Finally, never forget the importance of keeping software and systems updated with official patches, firmware, and updates.

For more ways to secure and optimize your business technology, contact your local IT professionals.

CrowdStrike Causes Unprecedented Global IT Outage

Cloud Storage, CrowdStrike, cybersecurity, Ophtek, Updates, vulnerability, Windows updatecloud storage, CrownStrike, Ophtek, security, updates, vulnerability, Windows updateOphtek, LLC

Jul 2024

One of the world’s biggest ever IT failures has caused chaos for major IT infrastructures all over the world. And it was all thanks to a CrowdStrike update.

The damage was caused by a content update for Windows issued by CrowdStrike, a major player when it comes to cybersecurity firms. However, rather than providing an enhanced experience for Windows users, it resulted in many users finding that their PCs crashed. The ‘blue screen of death’ was a common sighting and numerous applications were rendered unusable. The CrowdStrike glitch wasn’t restricted to a small number of individuals either, it went all away the round and affected major organizations.

Understanding the CrowdStrike Flaw

CrowdStrike has been providing security solutions since 2011, and it now offers a wide range of security services. These are provided through cloud-based platforms and have seen CrowdStrike’s profile rise significantly. However, their recent update for their application Falcon Sensor – which analyzes active processes to identify suspicious activity – is responsible for the worldwide outage of IT systems.

Falcon Sensor runs within Windows and, as such, interacts directly with the Windows operating system. Falcon Sensor’s main objective is to protect IT systems from security attacks and system failures, but their latest update achieved the complete opposite. As a result of faulty code within the update, Falcon Sensor malfunctioned and compromised the systems it had been installed on. This led to IT systems crashing and unable to be rebooted.

CrowdStrike were quick to identify the fault as a result of their update, and reassured the global community this was not a global cyberattack. With the fault identified and isolated, CrowdStrike rapidly developed a fix. But the damage had already been done, and many systems remained offline due to the disruption.

Who Was Affected by the CrowdStrike Glitch?

The impact of the faulty CrowdStrike update was of a magnitude rarely seen in the IT world. With many IT infrastructures relying on Windows, countless systems crashed all over the world. Airport services were badly hit, and lots of airlines had to ground their planes due to IT issues. Banks and credit card providers were also affected, and numerous organizations were unable to take card payments as a result. Healthcare services, too, felt the full impact of the glitch and struggled to book appointments and allocate staff shifts.

The Aftermath of the CrowdStrike Disaster

Disruption to IT systems was still evident days after the CrowdStrike incident, and it’s expected this disruption will continue. Matters weren’t helped by the simultaneous failure of Microsoft Azure, a cloud computing platform, which also created a major outage.

While the outages were caused by a technical glitch, CrowdStrike issued an announcement the day after that cybercriminals may be targeting affected systems. Evidence in Latin America indicated CrowdStrike customers were being targeted by a malicious ZIP archive which contains HijackLoader, a module used to install various strains of malware.

Final Thoughts

Ultimately, this digital catastrophe was caused by a faulty piece of code, and Microsoft currently estimate it affected 8.5 million Windows devices. It could easily happen again and reinforces the need for good backup protocols, such as the 3-2-1 backup method. The CrowdStrike glitch may have been unforeseen, but with the correct preparation, you can minimize the impact of future incidents on your IT systems.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Snowflake Passwords Leaked Online Due to Malware

default settings, info-stealing malware, malware, multi factor authentication, offline backups, Ophtek, security audits, Snowflakebackup, malware, Ophtek, security, Snowflake, updatesOphtek, LLC

Jul 2024

Snowflake, a cloud data analysis company, has found itself under attack from malware, with the result that its customers passwords have been leaked online.

A leading cloud data platform, Snowflake was founded in 2012 and has experienced a rapid rise in the industry, with its current revenue estimated at $2.8 billion. This success has been founded upon innovative data analytics solutions and a number of leading clients such as Santander, Dropbox, and Comcast. For threat actors, Snowflake represents a tempting target, both in terms of the sheer amount of data they hold and financial value. And this is clearly why Snowflake has been attacked.

With threat actors claiming to have stolen hundreds of millions of customer records from Snowflake environments, the attack is clearly a significant one. Perhaps the most interesting aspect of the attack is that it appears to result from a lack of multi-factor authentication.

Cracking the Snowflake Infrastructure

Live Nation, a popular ticket sales service, was the first company to announce that their stolen data had been hosted on the Snowflake platform. Other Snowflake customers have come forwards to acknowledge a breach but are yet to name Snowflake as the hosts for this data. The attack appears to have been fueled by info-stealing malware, with the attack targeting PCs which had access to their organization’s Snowflake network.

How the initial attack was instigated remains unclear, but Snowflake has revealed that a demo account, protected with nothing more than a username/password combination, had been recently compromised. Whether this gave the threat actors direct access to Snowflake customer accounts is unknown, although it does point towards the threat actors establishing an early foothold. Snowflake has also disclosed that each customer is put in charge of their own security, and multi-factor authentication isn’t automatically enabled. This, Snowflake states, is how threat actors succeeded in hacking the compromised accounts.

Snowflake has advised all of its customers to switch on multi-factor authentication, but it appears to be too late for many. Whole lists of Snowflake customer credentials can be found available on illegal websites, with this data including email addresses alongside username/password combinations. Ticketmaster, another ticket sales platform, has been reported of having close to 560 million customer records compromised. This is a huge data breach, and one which has deservedly earned headlines.

The Importance of Multi-Factor Authentication

For Snowflake to have selected multi-factor authentication as an optional function, rather than a default security measure, is negligent. Regardless of this negligence, it’s also the responsibility of the compromised accounts to double check the available security measures. Therefore, to stay safe in the future, always carry out the following when working with external hosting providers for your data:

Always Check Default Settings: you can’t assume your default security settings are suitable for your organization, so always double check them before going live. For Snowflake customers, understanding multi-factor authentication wasn’t in place as default, could have avoided these data breaches.
Regular Security Audits: check with your hosts that regular security audits and penetration testing forms part of your agreement. These tests can help identify vulnerabilities and allow you to implement security measures, protecting the security of your network and data.
Schedule Offline Backups: while cloud computing offers fantastic benefits for backups, you should never rely solely on cloud networks. Instead, utilize offline backups as part of your backup strategy. These can be kept on site and, in the case of a network breach, will remain off-limits to external threat actors and ensure your data is preserved.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Healthcare Industry Rocked by Major Hack

ALPHV, auto updates, Backup Strategies, BlackCat, Hackers, identify phishing, Ophtek, RansomwareALPHV, backup data, BlackCat, hackers, Ophtek, phishing, ransomware, updatesOphtek, LLC

Apr 2024

Healthcare data is some of the most sensitive data in existence, but a major hack has just affected up to 15 billion records.

Change Healthcare, who provide revenue and payment services for healthcare providers and patients, has announced that its systems have been compromised by threat actors. With Change Healthcare processing around 15 billion transactions a year, this represents a major attack. And the impact has already been felt. Healthcare providers have been struggling to charge for their services, while patients have been struggling to get their prescriptions issued. It’s a nightmare scenario for all involved and underlines the effect malware can have.

How Did Change Healthcare Get Hacked?

The precise details of how Change Healthcare was hacked has not, as yet, been revealed. However, we do know it was carried out by a ransomware group which goes by the names of ALPHV or BlackCat. Naturally, their trademark attack style involves ransomware, and it’s most likely that this was utilized in the Change Healthcare attack. With ransomware typically encrypting data, this is highly damaging for any service handling healthcare data. By encrypting patient records, the hackers would be severing a crucial flow of information.

The attack came on the 21^st February 2024, and Change Healthcare took down their systems on the same day. A week later, BlackCat announced they had been behind the attack. Details of a $22 million payment to the ransomware groups have also been revealed, although Change Healthcare are yet to confirm this was made by themselves. Prescription claim submissions and payment systems have recently been reinstated by Change Healthcare, but full access to their systems is unlikely to be restored until mid-March.

Who is BlackCat?

BlackCat has been active online since 2021 and, since then, has launched a series of audacious attacks. The group was linked to the Colonial Pipeline ransomware attack in 2021, and it also took responsibility for the MGM Casino attack in 2023. Headlines such as these didn’t go unnoticed, and in December 2023, the US Department of Justice set about disrupting BlackCat’s activities. Clearly, though, the resulting Change Healthcare attack has demonstrated how BlackCat was unharmed by this resistance.

Staying Safe from Ransomware

The threat of ransomware is well known, but the Change Healthcare attack is a big deal and acts as an important reminder to stay vigilant. With this in mind, we’re going to show you the best ways to stay safe from ransomware:

Regular software updates: ransomware often takes control of IT infrastructures due to software vulnerabilities. Accordingly, you need to make sure automatic updates are activated on your operating system. This ensures your software is updated as soon as an update is available, preventing you from running a network with open doors for threat actors.
Employee training: your employees are one of your most powerful forms of defense against ransomware threats. Therefore, regular training on cybersecurity threats such as identifying phishing emails, malicious websites, and understanding how to report cybersecurity incidents is vital. With this in place, you can rest assured your network is as secure as possible.
Regular, isolated backups: you need to regularly back up critical data and ensure that backups are stored in a secure, isolated location. Automated backup solutions can help ensure consistency and reliability in the event of your data being encrypted by ransomware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Striped Fly Malware Infected 1 Million Hosts in 5 Years

install updates, malware, network security, Ophtek, screen attachments, secure firewall, Striped Flymalware, Ophtek, phishing, security, Striped Fly, updatesOphtek, LLC

Dec 2023

Malware and flies share one thing in common: they’re pesky. However, while flies help the ecosystem, the Striped Fly malware is nothing but trouble.

Striped Fly has recently hit the headlines, but Kaspersky has revealed they’ve found evidence of its malicious activity dating back to 2017. Unfortunately, no one had been aware of its true identity until now. This means Striped Fly has enjoyed a five-year campaign where not even a single security researcher knew of its existence. And Kaspersky estimate that this invisibility has allowed it to infect over one million Windows and Linux hosts.

In 2017, Striped Fly was mistakenly labelled as a cryptocurrency miner, falling under the Monero trojan family. Subsequent findings, however, have revealed that Striped Fly is much more sophisticated.

What is Striped Fly?

Striped Fly’s exact mechanism is not fully understood at present, but researchers believe they know how it operates. It’s suspected that the threat actors exploited an EternalBlue SMBv1 exploit to gain a foothold in internet facing PCs. After discovering evidence of Striped Fly within the WININIT.exe application – used to help load subsystems within Windows – Kaspersky determined that it then downloads further files.

These files typically come from online software depositories such as GitHub and BitBucket. These are used to build the final Striped Fly payload. Cleverly, Striped Fly comes with Tor network capabilities to encrypt its communications. Tor, of course, is an internet router service used to encrypt data transferred over its network. And this is part of the reason why Striped Fly remained hidden for so long.

The main talking point about Striped Fly is its sophistication and wide range of functions. Striped Fly is capable of harvesting login credentials, taking unauthorized screenshots of infected devices, stealing Wi-Fi network configuration details, transferring files to remote sources, and recording microphone output. Clearly, it poses a significant threat to all PC users.

Swatting Striped Fly Away

Striped Fly’s half-decade long campaign has proved to be highly successful. Accordingly, your organization needs to be on its guard against Striped Fly and any similar threats. Kaspersky hasn’t revealed a specific fix for Striped Fly but, as ever, vigilance and good security practices are key. So, make sure the following is part of your established cybersecurity strategy:

Install all updates: Kaspersky believe that Striped Fly was able to launch its initial attack thanks to a vulnerability it exploited. Therefore, installing all updates needs to be a priority for your organization. If there’s a hole in your defenses, you need to plug it. And a vulnerability represents a huge hole.
Screen all attachments: all email attachments should be screened as part of a vital defense process in protecting businesses against malware. Attachments can often contain a malicious payload such as phishing scams, cryptocurrency or trojans. Accordingly, employees should always know what to question before clicking an email attachment.
Use network security tools: installing firewalls and ensuring that your Wi-Fi networks are secured is a sure-fire way to protect yourself against the threat of malware. Striped Fly, after all, sought out Wi-Fi details and transmitted stolen files across compromised networks. With a secure firewall in place, this will reduce the likelihood of malware being able to operate effectively.

For more ways to secure and optimize your business technology, contact your local IT professionals.

« Previous 1 2 3 4 … 10 Next »

Tag Archives: updates