A recently discovered vulnerability appears to allow threat actors to hack into your Google account, even if you change your password. 

Given that there are 1.8 billion people actively using Gmail, it should come as no surprise that Google accounts represent a mouthwatering target for hackers. Google claims that their users are protected by world-class security and, on the whole, it is a secure system. No infrastructure, however, is 100% safe. Threat actors are industrious individuals and won’t rest until they’ve tried every avenue to compromise a system. Unfortunately, for Google and its users, this is exactly what’s happened. 

Losing Control of Google 

Google accounts are highly valuable to their owners. Packed full of apps such as Gmail and Google Drive, there’s a lot of personal data involved. A new vulnerability, attributed to a flaw in Google cookies, gives access to these accounts over to threat actors. Worst of all, this can be achieved time after time. Sure, you can try changing your password, but they will still be able to unlock your account. 

The attack starts when a user unwittingly allows malware to be installed on their PC. This malware then gets to work by searching for and identifying any Google login tokens, which are typically stored in the application’s local database. These stolen tokens can then be used to trick Google’s API interface. 

One of the main duties of a Google API is to help sync the various Google services across one account. So, for example, if you were logged into Google Drive, you wouldn’t have to log into Gmail as well. The threat actors exploit a vulnerability with Google cookies to create new cookies which can be used to gain unauthorized access to the compromised account. And this trick can be completed multiple times. Changing your password, naturally, would be the simple choice here. But even doing this still grants the hacker one more chance to access your account. 

The vulnerability in question is currently being sold by threat actors online, with at least six hacking groups advertising it. These threat actors also claim that that this vulnerability has been redesigned to tackle the efforts Google has taken to shut this exploit down. 

Keep Your Google Account Safe 

No one wants to lose their Google account, aside from the loss of personal data, there’s also the sheer inconvenience of having to create a new account and updating any services associated with your original account. Accordingly, make sure you play safe by following these best practices: 

  • Use multi-factor authentication: at present, Google hasn’t revealed whether multi-factor authentication will prevent this vulnerability from seizing control of your account. However, if you don’t have it activated, you need to make this a priority as it’s one of the simplest ways to add extra security to your account. 
  • Do not download suspicious software: the first stepping stone for the threat actors to compromise your Google account involves installing malware on your PC. This gives them a foothold to begin stealing your Google login tokens. Therefore, you need to remain vigilant as to the software you’re downloading. The most obvious question to ask here is whether the download comes from an official source. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further. 

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems. 

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them. 

BattleRoyal’s Malware Campaign 

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users. 

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal were able to work around this by using a special URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence. 

How to Stay Safe from BattleRoyal 

Microsoft has since launched a security patch to combat the CVE-2023-36025 vulnerability, and installing this remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to practice these best security tips to prevent any infections: 

  • Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails
     
  • Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before the availability of a patch, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, activating automatic updates is the best way to guarantee that your defenses are fully up-to-date. 
     
  • Use security software: reputable security software is one of the simplest, yet most effective ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


Based upon the Mirai botnet, a new botnet has emerged onto the digital landscape in the form of InfectedSlurs, and it’s helping to fuel DDoS attacks.  

Once again, the cause of infection behind InfectedSlurs attack are a number of zero-day vulnerabilities. These vulnerabilities – now identified as CVE-2023-49897 and CVE-2023-47565 – allowed InfectedSlurs to compromise both a series of WiFi routers and a QNAP network video recorder. The potential for data loss here is huge, but InfectedSlurs also makes sure that it hijacks infected devices and integrates them into a huge DDoS swarm. 

The InfectedSlurs Attack 

It’s believed that the attack by InfectedSlurs involved vulnerabilities which should have been addressed by firmware updates released several years ago. However, many organizations appear to still be using legacy versions of the QNAP software. And this is what’s allowed them to be compromised. It’s also been revealed that InfectedSlurs has been running in the digital wild since late 2022, so it’s had close to a year to take advantage of legacy versions. 

A security patch was launched at the start of December 2023, to provide the strongest possible protection, and users were told to perform a factory reset alongside a password change. Users have also been advised to initiate a firmware update, found within the network video recorder settings, to ensure they have the latest and most secure version in place. Again, it’s been recommended that all passwords and access privileges are verified. 

However, for the older, legacy devices which are in their end-of-life phase, there will be no further firmware updates released. In these instances, users have no alternative but to replace their devices with the latest models, which will be fully patched against all known threats. 

How Can You Prevent These Attacks? 

There are two big takeaways from the InfectedSlurs attack: 

  1. Always install software updates as soon as possible 
  1. Replace legacy devices when they have reached their end-of-life phase 

Both these points are easy to implement, but the evidence of the InfectedSlurs attack proves this is not always undertaken by organizations. However, to protect the security of your IT infrastructure, it’s crucial that this is given priority. 

InfectedSlurs was also able to execute its attack for close to a year without being detected, so what else should you be looking out for? Well, the following signs may indicate that you have fallen victim to an attack: 

  • Slow performance: one of the telltale signs of being involved in a DDoS attack is a drop in performance from the infected PC. This is because all the processing power is diverted away from the PC’s day-to-day operations and dedicated to supporting the DDoS attack. Therefore, if your PCs are running slow, and you can’t pinpoint the cause to hardware issues, there’s a chance they may have become involved in a DDoS attack. 
     
  • Unusual server patterns: if your PCs have been integrated into a DDoS swarm, it’s likely this will result in abnormal spikes in traffic related to your server. This is because DDoS attacks usually involve high volumes of traffic from multiple sources at once. So, if your server logs indicate behavior such as this, it’s important you investigate immediately to identify if the cause is known. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


Healthcare data is some of the most sensitive and confidential data to exist in IT systems, so the ransomware attack at Norton Healthcare is a big deal. 

Based in Kentucky, Norton Healthcare is a provider who delivers health services to adults and children in over 40 clinics. Their objective, as with all healthcare providers, is to improve the lives of their patients. However, a recent data breach has done little to inspire a sense of wellness in their patients. The breach, which occurred in May this year but is only just being reported, was part of a ransomware attack. Norton Healthcare’s network was breached for two days, but there appeared to be no evidence that their medical record system had been accessed. 

Nonetheless, healthcare data should always be secure, and breaches in local networks represent a major cause for concern. 

The Norton Healthcare Attack 

The exact nature of the attack has, at present, not been released. But we do know what the impact of the breach was. After discovering that an attack was taking place, Norton was forced into turning its network off, the last thing a healthcare provider wants to do. As the attack was unfolding, Norton received, in a novel twist, a faxed ransom note featuring threats and demands. Later that month, a ransomware group known as ALPHV claimed responsibility for the attack. 

ALPHV released a statement to the dark web which claimed that they had managed to compromise 4.7TB worth of data from Norton Healthcare’s servers. As proof, ALPHV uploaded numerous files – containing patients’ bank statements and Social Security numbers – to backup their claims. Norton’s official line is that only some network storage devices were breached, and these only contained identifying information rather than any medical data. 

How Can Healthcare Providers Protect Themselves?

With more and more healthcare providers coming under attack from threat actors, it’s important that they understand how to minimize their risk. In fact, these lessons are valuable for any business running an IT network, so it’s time to find out how. So, to stay safe from ransomware attacks, make sure you follow this best guidance: 

  • Regular backups: it’s vital that you perform regular backups of your data to ensure, if it becomes encrypted by ransomware, you still have access to it. Ideally, these backups should be completed daily at the very least, and they should always be saved to secure locations. It’s important to keep copies of your backups offline as well, this will allow you to access your data even if you need to take your network down. 
     
  • Partition your hard drives: to minimize the impact of a breach, it’s a good idea to partition you hard drives and data storage. By separating these from your main network, and from each other, you’re limiting the files and data that malware can access. This minimizes the risk of data loss and allows you to keep important systems online. 
     
  • Employee training: educating your staff about the dangers of social engineering and phishing emails is one of the most important steps you can take. Ransomware, such as the strain encountered by Norton Healthcare, is often spread through emails and your employees need to be able to identify these threats before clicking on them. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


A new strain of malware called Agent Raccoon has been discovered, and it appears to have been launched by nation-state threat actors.

A wide range of different organizations – based in sectors such as education, government, non-profit, and telecommunications – have fallen victim to Agent Raccoon. And these organizations aren’t based purely in the US, with attacks also discovered in African and the Middle East. Clearly, Agent Raccoon is an ambitious piece of malware and, given the nation-state approach of the attack, it’s one to be on your guard against.

How Does Agent Raccoon Work?

Although the exact identity of the threat actors behind Agent Raccoon remains unknown, security researchers have been able to detail how the malware works. Disguised as either a Microsoft OneDrive Update or Google Update, Agent Raccoon tricks unwitting victims into downloading an executing it. Once initiated, Agent Raccoon launches its backdoor attack. Using Domain Name Service protocols, Agent Raccoon can communicate directly with the command-and-control server set up by its creators.

Primarily, Agent Raccoon focuses its malicious attention on three main areas:

  • Opening up remote access to the infected PC
  • Incoming and outgoing file transfers
  • Remote command execution

However, Agent Raccoon’s activities do not appear to be set in stone. Researchers have discovered numerous variants of Agent Raccoon, suggesting that the threat actors are regularly updating it.

Can Agent Raccoon Be Stopped?

Agent Raccoon isn’t the most persistent piece of malware to have been developed, but it remains a major problem for those that it infects. As ever, maintaining strict security practices is vital for protecting your IT infrastructure. Accordingly, you need to make sure that all members of your organization are fully versed in the following:

  • Question all emails and links: even if an email appears to have been sent by a trusted source, this can easily be faked. Therefore, all incoming emails should be scrutinized closely. This means hovering your mouse cursor over any links to reveal their true destination, double checking email addresses to confirm they are correct and not a close variation, and contacting the sender of emails to double check they are genuine.
  • Only accept updates from genuine sources: software updates are an important aspect of PC security but should only even be downloaded directly from the developer. Online adverts and emails suggesting that you download these from alternative sources should never be trusted. Often, the files at the heart of these downloads are nothing but malware. So, stick to legitimate downloads and rest assured that they will be safe.
  • Monitor network traffic: Agent Raccoon communicates with a remote server and also transmits significant amounts of data. This means that you should be monitoring your network activity for any unusual traffic. If, for example, an unknown destination regularly starts connecting with your network, it could be a sign that your network has been compromised. In these situations, connections to this destination should be terminated and fully investigated.

For more ways to secure and optimize your business technology, contact your local IT professionals

Read More