Security Archives

HiatusRAT Malware Returns with a Vengeance

HiatusRAT, malware, network, Ophtek, Security, Updateseducate, HiatusRAT, malware, network, Ophtek, security, updatesOphtek, LLC

Oct 2023

The HiatusRAT malware has re-emerged from its slumber to prove how resilient it is by targeting multiple organizations in Taiwan and the US.

As with most malware which is deemed successful in terms of its longevity, the threat actors launching HiatusRAT have ensured that it’s more powerful than ever. And, to strengthen its attack, they have redesigned it to escape detection. So far, the majority of the organizations targeted by this latest version of HiatusRAT have been based in Taiwan, but at least one US-based military system has also been attacked. And, with HiatusRAT seemingly operating at full throttle, it’s likely to spread even further.

Due to the potential danger contained within HiatusRAT, we’re going to take you through how it operates and how you can protect your organization.

The Lowdown on the Latest HiatusRAT Campaign

HiatusRAT was first detected back in March 2023, when it was discovered infecting the routers of various organizations in Europe and North and South America. This attack involved stealing data by hijacking email channels as well as installing a remote-access Trojan (RAT) on infected routers. It was an attack which led to significant data loss, but the malware’s activity soon dropped off. However, during this downtime, HiatusRAT has been refined and reconfigured.

Again, HiatusRAT appears to be targeting routers and similar networking devices. By redesigning HiatusRAT to target ARM and Intel hardware, the threat actors – who are currently unknown – have managed to enhance the potency of their malware. Operating with two types of servers – Tier 1 and Tier 2 – they have been able to use multiple IP addresses to transmit data to remote sources. As the attack has targeted at least one military system, it’s suspected that there may be a nation-state involved with the attack. However, as of now, security researchers have been unable to pinpoint the true motives outside of data theft.

Protecting Your Organization from HiatusRAT

You may not run an organization in the military industry, but RAT-based malware doesn’t tend to discriminate. Therefore, you need to be on your guard against HiatusRAT and other similar attacks. Remaining vigilant is crucial, and you can strengthen this vigilance by practicing the following:

Always install updates: many malware attacks are the result of an unpatched vulnerability giving threat actors free access to your IT systems. This means that installing updates, for every piece of software and hardware you use, is vital. It may feel like a time-consuming task in the short-term, but ultimately it could save your organization from data breaches and significant disruption.

Monitor network activity: HiatusRAT was observed to be transmitting data to a remote server for around two hours, and this is why monitoring network activity is so important. Occasionally, there can be a surge in network activity, but this is most often related to identifiable reasons and directed towards known destinations. However, anything out of the ordinary – such as unusual destinations and IP addresses – should immediately be investigated.
Educate your employees: one of the surest ways for malware to breach your IT infrastructure is through your employees. This means that strong IT induction programs need to be implemented and regular refresher courses conducted to solidify this knowledge.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Netgear RAX30 Routers Rocked by 5 Security Flaws

login credentials, Netgear RAX30, Ophtek, router, router firmware update, Security, WPA2 encryptionFirmware update, Login credentials, Netgear RAX30, Ophtek, router, security, vulnerability, WPA2 encryptionOphtek, LLC

Jul 2023

Routers are an essential part of any modern business which uses IT systems. But what happens when you’re working with a compromised router?

Routers are devices which help to connect different networks together. They receive data packets from one network, analyze the destination address, and then forward the data to the relevant destination network. Essentially, a router is used to facilitate communication between different devices and networks. The internet, of course, is crucial to directing this data and this makes routers highly attractive targets for threat actors.

Therefore, the discovery of a vulnerability within a router presents a significant threat to your cybersecurity. But, when there are five vulnerabilities within the same router, you have a disaster on your hands.

A Quick Guide to the 5 Vulnerabilities

Netgear has had to concede that their Netgear RAX30 routers have been exposed as lacking that seal of quality when it comes to security. A router, after all, is your gateway to the internet, the place where all your communication begins. If this is compromised, then a whole world of trouble is just waiting to take advantage. The five vulnerabilities picked up for the Netgear RAX30 routers are:

CVE-2023-27357: this security flaw allows external attackers to identify and record sensitive information passing through Netgear RAX30 routers.
CVE-2023-27368: an attacker can use this vulnerability to execute malicious code on the compromised routers. And, as user data is not being correctly validated by the Netgear RAX30 router, threat actors are able to avoid having to authenticate their access.
CVE-2023-27369: much like the previous vulnerability, this specific flaw allows attackers to run malicious code, or indeed any code they like, on affected systems.
CVE-2023-27370: unfortunately, for users of the Netgear RAX30 router, sensitive configuration data is stored in plaintext on the router. This allows attackers, who can easily bypass the authentication mechanisms, to steal system credentials with ease.
CVE-2023-27367: the final vulnerability known to be affecting the Netgear RAX30 router is, again, one which allows attackers to exploit it and run malicious code through it.

With all five vulnerabilities scoring highly on the Common Vulnerability Scoring System (CVSS) – with three of them gaining a CVSS of 8 or above – Netgear has a big problem on their hands.

How Do You Safely Secure Your Router?

Netgear has been quick to address the five vulnerabilities, with an updated firmware version released on April 7, 2023. However, it’s important that you always make sure your router is as secure as possible. And you can do that by putting the following into action:

Always change default login credentials: some routers are shipped with default login credentials, but this makes them incredibly easy to guess. In fact, many lists of default credentials can quickly be found online. Accordingly, make sure you always change your router’s login credentials before going online with it.
Enable WPA2 encryption: Another way to protect your router is to enable WPA2 encryption. This will secure the wireless network and prevent unauthorized access. Make sure to use a strong encryption key and avoid using common words or phrases that can be easily guessed.

Always update your router: regular firmware updates and patches ensure that your router remains as safe as possible. However, it’s crucial that you install these as soon as possible. Sometimes it can be time consuming to go through the update process, but it can save you major headaches further down the line.

For more ways to secure and optimize your business technology, contact your local IT professionals.

RapperBot Malware Develops New Distribution Tricks

IoT Attacks, malware, Ophtek, RapperBot, Security, strong passwords, UpdatesIoT Attacks, malware, Ophtek, RapperBot, security, strong passwords, updatesOphtek, LLC

Jun 2023

Malware constantly evolves, and that’s why it’s a constant thorn in the side of PC users. The ever-changing RapperBot malware is a perfect example of this.

If malware was boring and lacked innovation, it wouldn’t last very long or infect many computers. It would make our lives a lot easier, but it would defeat the main objective of malware. And that is to cause chaos. Repeatedly. Therefore, malware developers are keen to extend the lifespan of their creations. This is why malware is regularly developed, to keep one step ahead. It’s the digital example of a game of cat and mouse. But the good news is that you don’t have to be the mouse.

The Lowdown on RapperBot and Its Evolution

First discovered in 2022, RapperBot started its malware career in the Internet of Things (IoT) niche. Most notably, RapperBot was observed to be using parts of the Mirai botnet code. However, RapperBot was much more than just another take on Mirai. It was much more sophisticated. Not only had its remote access capabilities been upgraded, but it could now also brute force SSH servers – these allow two PCs to communicate with each other.

This evolution has continued at pace, with security experts Fortinet and Kaspersky detecting the following changes:

After infection, further code was added into RapperBot by the developers to avoid detection. A situation which persisted even after rebooting. A remote binary downloader was later added to allow self-propagation of the malware.

The self-propagation capabilities of RapperBot were later changed to allow the malware to gain constant remote access to SSH servers which had been brute forced.

Finally, RapperBot moved its aim away from SSH servers and targeted telnet servers. Cleverly, RapperBot sidestepped the traditional technique of using huge data lists and, instead, monitored telnet prompts to determine the target device. This allowed the threat actors to identify IoT devices and quickly try their default credentials.

The Best Tips for Tackling RapperBot

IoT devices are plentiful in the modern age, and we certainly couldn’t be without them. Accordingly, we need to protect them from threats such as RapperBot and BotenaGo. You can do this by following these best tips:

Keep devices up to date: it’s crucial that you regularly update the firmware and software which supports your IoT devices. Few, if any, pieces of hardware reach consumers without some form of security flaw present. Once these flaws are detected, the manufacturer will usually release a patch or update to remove this vulnerability. Therefore, you need to install these as soon as possible, a strategy which is made easy by allowing automatic updates.

Change default passwords: Many IoT devices come with default usernames and passwords, these are often the same across every single version of that device. As such, they represent an incredible risk. This means you need to change these default credentials to strong, unique usernames and passwords before they are connected to your IT infrastructure. Additionally, enable two-factor authentication, wherever possible, to add an extra layer of security.

Network segmentation: ideally, separate networks should be created to house your IoT devices and isolate them from your core network. As IoT devices carry a certain amount of risk, it makes sense to keep them away from the majority of your IT infrastructure. This ensures that, if an IoT device does become infected, the malware can only spread so far.

For more ways to secure and optimize your business technology, contact your local IT professionals.

What is Ransomware as a Service?

Ophtek, Phishing, Ransomware, Security, Suspicious links, UpdatesOphtek, phishing, ransomware, security, suspicious links, updatesOphtek, LLC

Feb 2023

There’s a lot of money to be made in hacking and threat actors are now turning it into a business with Ransomware as a Service (RaaS).

Ransomware, of course, is well known to anyone who steps online in the digital age. With the ability to encrypt your data and demand a ransom fee, it has not only generated headlines, but also caused significant headaches for business owners. And, with ransomware attacks increasing by 41% in 2022, it’s a strategy which is showing no signs of slowing up. Therefore, not only do you need to be aware of ransomware, but you also need to keep up with associated developments such as RaaS.

As RaaS has the potential to create attacks which are both wider ranging and easier than before, it’s crucial you understand how it operates

The Basics of Ransomware as a Service

We’re all aware of what ransomware is, but what is RaaS? After all, surely ransomware is the opposite of a service? Unfortunately, for PC owners, ransomware software and attacks are now available for hire in the form of RaaS. Similar to Software as a Service (Saas) – examples of which include Gmail and Netflix – RaaS allows threat actors to harness the power of hacking tools without having to design them. If, for example, a threat actor doesn’t have the time (or skills) to build a ransomware tool, what do they do? They purchase one.

Typically, RaaS kits are found on the dark web, so don’t expect to find them taking up space on Amazon. Depending on the sophistication of the RaaS, the cost of purchasing them can range between $30 – $5,000. Threat actors looking to purchase RaaS are also presented with several different purchasing options such as one-time fees, subscription tiers or even affiliate models. It’s estimated that over $10 billion exchanges hands each year – mostly in cryptocurrency – for RaaS kits.

Examples of RaaS include Black Basta, LockBit and DarkSide, with more available for those looking to unleash ransomware easily and quickly. These RaaS kits are also much more than just hacking software, they also offer user forums and dedicated support teams to help customers get the most out of their ransomware. Again, this is very similar to the way in which successful SaaS developers provide extra value for their product. However, whereas SaaS is provided by legitimate developers, RaaS tends to be created by criminal gangs with the sole intent of generating illegal funds.

Staying Safe from Ransomware as a Service

The end result of an RaaS attack is the same as a standard ransomware attack, so there’s nothing specific you need to do if an attack comes through RaaS. Instead, you just need to stick to good old fashioned ransomware security practices:

Update your software: if a vulnerability is present within your software, then there’s a risk this could be exploited, and ransomware given full access to your data. To counter this, make sure that you have automatic updates approved on your PC to keep it as secure as possible.
Don’t click suspicious links: you should only ever click a link if you know exactly what you are clicking on and where it will take you. Always hover your mouse cursor over a link to reveal its true destination. All it takes is for one malicious click to be activated to launch a ransomware attack.
Always back up your data: falling victim to a ransomware attack only means your data is lost if you haven’t backed it up. Therefore, save yourself a financial headache by making sure multiple backups are in place to minimize any data loss.

For more ways to secure and optimize your business technology, contact your local IT professionals.

LastPass Hit by Security Incident

Hackers, LastPass, Ophtek, password manager, Password Security, Security, strong passwordshackers, LastPass, Ophtek, password manager, security, vulnerabilityOphtek, LLC

Feb 2023

What exactly happened when LastPass, a password manager service, found itself at the center of a data breach? And what does this mean for your passwords?

Password managers provide a convenient service , one where complex passwords can be generated instantly and then, going forward, auto-fills when requested. LastPass is a successful example of what a password manager can do, but it’s a role which comes with great responsibility. Login credentials, after all, are often the difference between gaining access and being denied access to a user account. Therefore, password managers need to be sure the credentials they hold are highly secure.

However, as LastPass users are now finding out, password managers are highly tempting to threat actors, and far from 100% secure.

How LastPass was Hacked

Used by millions of users all over the world, LastPass has established itself as one of the leading password managers. Unfortunately, this credibility has been rocked by revelations that the service’s encrypted password vaults have been stolen by hackers. The attack – which took place in August 2022 – was ambitious, and its success even more so.

LastPass’ backup copies of their users’ password vaults were stored, apparently securely, on a third-party cloud storage platform. This, in itself, is nothing unusual; storing backup copies of secure data in remote locations is good practice. Nonetheless, once third parties become involved in storing your data, you relinquish control of this data’s security. And this is exactly where LastPass has fallen victim to threat actors.

While the mechanics of the breach remain under wraps, LastPass has had to admit that personal identifiers – including addresses, phone numbers, credit card details and IP addresses – are among the stolen data. The password vaults – which are encrypted – have also been stolen, so this means the threat actors are closer to knowing your password. And, given they now have access to your personal identifiers, it makes brute force attacks easier.

What to Do if You’re a LastPass User

LastPass has been keen to stress that, although stolen, the password vaults are secure due to the encryption protecting them. However, these encrypted passwords are now in the hands of an unauthorized party and means they are seriously compromised. Therefore, it’s crucial all LastPass users take the following decisive actions:

Change your LastPass password: your master password will be the password used to access the LastPass service, and this needs to be changed immediately. Any data breach means access has been compromised, so changing your master password is the first step to take. With your master password changed, you will instantly be reducing the risk of your passwords falling into the wrong hands.

Change all your stored passwords: the passwords stolen from LastPass are encrypted, but it makes bad sense to rely on this. Accordingly, we would recommend going through all your passwords on LastPass and changing them to new ones. With this completed, the details within the stolen password vaults will become redundant.

Make sure your LastPass password is not recycled: following a data breach, it’s always good practice to make sure your master password isn’t used on other platforms. For example, a threat actor may take your login details for LastPass and use a bot to automatically try them in thousands of different other platforms. As such, if you recycle your login credentials across platforms, you run the risk of these being compromised too.

For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 3 … 46 Next »

Category Archives: Security