A Disguised Windows License Activator May Actually Be Malware

People who are in the habit of pirating movies and software have something new to worry about.  It seems hackers have begun targeting at least some of them with a ubiquitous form of malware.

On the Dark Web, anyone who is willing to shell out twenty bucks or so can get their hands on a copy of BitRAT, which is a surprisingly capable bit of malicious code for the price.

Recently, an individual or a group of hackers got their hands on BitRAT and devised a new way to spread it around the internet.

They disguised their malicious payload as a Windows 10 Pro License Activator. So a pirate downloads what he or she believes to be a “crack” for Windows 10 Pro, installs it, and not only fails to get the free copy of Windows 10 Pro they were expecting but also winds up with an infected system. Ouch.

You may shrug your shoulders at this and conclude that the pirates got what they deserved. Looking at it from an ethical/moral perspective, there’s an argument to be found there.

On the other hand, the person with the hacked PC may wind up interacting with and sharing files with you or someone at your company, which could allow the hacker who infected the initial machine to get his hooks into your network. Ultimately, that’s why this deserves your attention.

Software pirates are not only bad because of what they do, they’re bad business in general. If you associate with anyone who pirates wares (knowingly or not), you may be setting yourself up for trouble down the road.

This is hardly a new phenomenon. Pirates are frequently seen as good targets for malware campaigns, and this is but the latest in a long line of campaigns that specifically set their sights on that group. At the end of the day it’s a numbers game: the more often you rely on pirated wares, the greater your risk of infection. It’s probably not worth it.

Google Play Store Is Seeing More Trojan Style Malware

A security researcher who goes by the name “Dr. Web” has been tracking a suspicious increase in Trojan infiltration emanating from the Google Play Store.

It is not currently known whether a single organized and determined group of hackers is responsible for the surge or if several groups just happen to be focused on the Play Store at around the same time.

Although a variety of malware strains have been spotted embedded in poisoned versions of apps on the Play Store, the focus has been on highly popular apps with 500,000 installs or more. In addition to that, there’s a new Android Trojan disguised as a WhatsApp mod.

Other than ‘apps with lots of installs,’ there doesn’t seem to be a clear pattern.  Several poisoned apps were cryptocurrency management tools, Gasprom investment clones, photo editors, and the like.

Broadly speaking, at least where investment-oriented apps are concerned, the gimmick was to get an unsuspecting user to create a new account and then deposit money into it, which would be siphoned off later. With other types of apps, there was invariably a request to sign up for expensive subscription services.

The good news is that, at the time this piece was written, most of the poisoned apps had been removed from the Play Store. Unfortunately, there are still a few holdouts. For example, the app called “Top Navigation” is known to be poisoned but at the time of this writing is still available on the Play Store. Even worse, it boasts more than half a million installations.

Since Google has been busily chasing down and removing the poisoned apps, the group behind this latest campaign has been setting their sights a bit lower. They now seem to be poisoning apps like Advice Photo Power with around 100,000 installations.

The bottom line is that while the Play Store is still mostly safe, it is not a guaranteed source of malware-free apps, so stay on your guard.

Automotive Part Maker Denso Is Latest To Have Data Breached

The automotive parts giant DENSO is the latest corporation to fall victim to a hacking attack. The company has offices all over the world and supplies parts to brands including General Motors, Fiat, Volvo, Toyota, and others.

Collectively, the company and its subsidiaries employ more than 160,000 people and boast revenues of more than $44 billion USD (in 2021).

The company had this to say about the incident:

“DENSO has confirmed that the network of its group company in Germany was illegally accessed by a third party on March 10, 2022.

After detecting the unauthorized access, DENSO promptly cut off the network connection of devices that received unauthorized access and confirmed that there is no impact on other DENSO facilities.”

Given DENSO’s size, it is fortunate that the attack didn’t shut down any of the company’s production facilities. We’re only just getting the supply chain issues caused by the pandemic sorted out, and this could have thrown much of the automotive industry into a tailspin.

The Pandora ransomware gang is new, and the operation apparently launched in March 2022. Their stated goal is to target large corporate networks and steal data before encrypting it, so that they can profit in two ways.

Although the gang itself is new, some security researchers believe that the malware itself is not new but simply rebranded, as it bears striking similarities to another ransomware strain called Rook.

Rebranding is not at all uncommon in the hacking world. Many groups periodically do that in a bid to continue to evade law enforcement. At this point, the jury is still out. We don’t have definitive proof either way as to whether Pandora is a new gang or a rebranded older one.

Whatever the case, they’ve seen fantastic initial success, having apparently made off with more than 1.4 TB of data. That data includes purchase orders, technical schematics, NDAs, and the like. It is just a matter of time before the group strikes again.

Social media at work…what could go wrong?

As a business, there is no doubt today that you need to make your presence felt on major social media platforms such as Facebook, Twitter, Instagram and LinkedIn. But social media also exposes you to cybercriminals. In this post we talk about the steps you can take to ensure your social media account doesn’t become a gateway for cybercriminals to access your data.

Make someone accountable
The first step to a successful and safe social media experience as a company is to make someone in your organization accountable for it. Designate a social media manager who is responsible for maintaining your company’s social media accounts. This person should oversee everything–from the posts and pictures in your company account to approving/disapproving ‘Friend’/’Follow’ requests.

Train your employees
Of course you should train the employees who handle your official social media accounts about the security threats and how to steer clear of them, but you also need to train the employees who are not on your social media team, as they could be the weak link a cybercriminal exploits to reach your business. Seems far-fetched? Not really. A lot of people trust their ‘friends’ on social media and unwittingly share a lot of information, which can be used to hack their personal accounts and devices, which in turn may act as a gateway to your business. Teach your employees general social media security best practices, and educate them about the privacy settings they can use to ensure their data is shared with trusted individuals only.

Take the necessary security measures
Make sure the devices you use to access your social media accounts are protected with firewalls and anti-malware tools and all security updates and patches are up-to-date.

Password hygiene
Practice good password hygiene and encourage your teams to do the same. That means no password sharing, no sequential letters/numerals, no obvious words or numbers as your social media account password.

Frame a social media policy
You should also frame a social media policy that spells out the dos and don’ts of social media that everyone in your organization should follow. This is important from various perspectives, as employees’ statements on social media may be perceived as a reflection of your business’s values, whether you like it or not. This can make your business a target of cybercriminals and lawsuits.

Putting your business out there on the social networking sites gives your brand a lot of exposure, presents paid advertising opportunities and even helps you build and manage customer relationships, but as discussed, it can be tricky to navigate in terms of security. Businesses that find it overwhelming to manage their social media security strategy all by themselves can reach out to a managed services provider. An MSP with experience in social media security can be a valuable asset in helping you build a strong social media security strategy.

Secure Your SQL Server To Avoid This Malware Infection

Do you rely on Microsoft SQL and MySQL databases?  If so, be advised that the cybersecurity firm AhnLab recently published a report about a newly emerging threat.

It seems that hackers are now targeting poorly secured Microsoft SQL and MySQL databases with a malware strain known as GhostCringe.

If you’re not familiar with it, GhostCringe is also known as CirenegRAT. It is a variant of the GhostRAT malware, which was made famous by the Chinese government in a series of attacks in 2020 but dates back to 2018.

Interestingly, the threat actors behind the GhostCringe attack aren’t alone. A forensic analysis of compromised servers found several other malware strains present, which suggests that rival gangs of hackers were all trying to break into the same databases as part of their own campaigns.

As malware strains go, GhostCringe isn’t the worst or most destructive we’ve seen, but it does make rather aggressive use of its keylogging function. Once any passwords you enter on the system have been captured, they are fed directly to the hackers who control the code, and that could expose you to a whole world of pain.

This is a genuine threat that should be taken seriously. The first step is to make sure your server software is up to date with the latest security patches applied. In addition to that, please do not make the mistake of either not setting an administrator password or setting one that is weak and easily guessed.

Those are rookie mistakes that are easy to avoid, and you don’t want to be the business owner who lost tens of thousands of dollars to a mistake like that.

Finally, be relentless in terms of monitoring all activity on your server including suspicious “reconnaissance” activity which could be a harbinger of things to come.
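The monitoring step above is the one that is easiest to postpone. The script below is an added example, not code from the original post or from AhnLab, showing what a minimal failed-login monitor for the two database products named in this piece can look like: it parses the failed-login lines that MySQL's error log and SQL Server's ERRORLOG write, counts them per source address inside a sliding one-minute window, and reports any source that crosses a threshold, which is the kind of password-guessing reconnaissance the text warns about. The log lines are constructed for this example (two formats are mixed into one sample only to exercise both parsers; the IP addresses are documentation ranges, not real hosts), and the threshold and window size are assumptions you would tune to your own environment.

```python
"""
Flag password-guessing against MySQL and Microsoft SQL Server by counting
failed logins per source address in a sliding time window.

Everything in SAMPLE_LOG is constructed for this example; the timestamps,
user names and addresses do not come from any real incident.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# MySQL error log (log_error_verbosity=3) style line, for example:
# 2022-03-15T10:00:01.000000Z 7 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s.*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']+)'"
)
# SQL Server ERRORLOG style line, for example:
# 2022-03-15 10:01:03.12 Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 198.51.100.7]
MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s.*Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<src>[^\]\s]+)"
)


def parse_failed_login(line):
    """Return (timestamp, source_address, user) for a failed-login line, else None."""
    for rx in (MYSQL_RE, MSSQL_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m.group("ts").replace("T", " "), "%Y-%m-%d %H:%M:%S")
            return ts, m.group("src"), m.group("user")
    return None


def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """
    Return {source: (peak_failures_in_window, sorted user names tried)} for
    every source that produced at least `threshold` failed logins inside any
    interval of length `window`. Lines are assumed to be in chronological
    order, as they are in a log file read from top to bottom.
    """
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    users = defaultdict(set)     # source -> every user name it tried
    peaks = {}                   # source -> highest in-window count seen
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # not a failed login; ignore other log noise
        ts, src, user = parsed
        users[src].add(user)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return {src: (count, sorted(users[src])) for src, count in peaks.items()}


def scan_log_text(text, **kwargs):
    """Convenience wrapper: run the detector over a whole log file's text."""
    return find_bruteforce_sources(text.splitlines(), **kwargs)


# Constructed sample: one source sprays several MySQL accounts in seconds, one
# hammers the SQL Server 'sa' login, and one legitimate host fails twice, far apart.
SAMPLE_LOG = """\
2022-03-15T10:00:01.000000Z 7 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2022-03-15T10:00:02.000000Z 8 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2022-03-15T10:00:03.000000Z 9 [Note] Access denied for user 'sa'@'203.0.113.5' (using password: YES)
2022-03-15T10:00:04.000000Z 10 [Note] Access denied for user 'root'@'203.0.113.5' (using password: NO)
2022-03-15T10:00:05.000000Z 11 [Note] Access denied for user 'test'@'203.0.113.5' (using password: YES)
2022-03-15T10:00:06.000000Z 12 [Note] Access denied for user 'app'@'192.0.2.10' (using password: YES)
2022-03-15 10:01:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-03-15 10:01:04.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-03-15 10:01:05.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-03-15 10:01:06.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-03-15 10:01:07.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-03-15 10:09:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
"""

if __name__ == "__main__":
    for src, (count, tried) in scan_log_text(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins in one minute, users tried: {', '.join(tried)}")
```

The two legitimate-looking failures from 192.0.2.10 are nine minutes apart, so they never accumulate inside the window and produce no alert; the two spraying sources do. In production you would feed this the live error log (or a SIEM export) rather than the embedded sample, and treat an alert that lists many distinct user names from one address as reconnaissance worth blocking at the firewall, not just a noisy user.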