Has Your Bandwidth Slowed Down? It Could Be Proxyware

There’s a lot of money to be made by selling things that don’t belong to you. That’s a lesson hackers around the world have learned very well. Their latest venture is selling other people’s internet bandwidth.

You may not have heard the term Proxyware before just now. If not, it’s a new way hackers and cybercriminals have devised to make money. The idea, discovered by researchers from Cisco Talos, is simplicity itself.

Hackers penetrate a target system and install something called Proxyware, which is a catch-all phrase for any number of internet-sharing applications. A great many proxyware applications are perfectly legitimate and used by millions every day.

Hackers are perverting this by creating an internet hotspot on the victim’s machine. The machine is used as a host, and the proxyware portions out its available bandwidth to those who pay for access to it. The end result is that the hackers make money and your internet connection slows to an annoying crawl.

It’s devious, but this is by no means the first time that hackers have figured out how to abuse perfectly legitimate software. After all, many people install and run cryptocurrency miners in hopes of making a bit of extra money. Naturally hackers have co-opted this too and have created a wide range of cryptojacking software. It functions just like “regular” cryptomining software except that it’s designed to give any payouts to the hackers and not the person who actually owns the machine.

Right now proxyware is in its infancy. There aren’t many active campaigns, and none of them are widespread or have a global reach. You can expect that to change, however, as hackers find their footing in this new market and maximize its moneymaking potential.

As Cisco Talos puts it:

“This is a recent trend, but the potential to grow is enormous. We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These platforms also pose new challenges for researchers, since there is no way to identify a connection through these kinds of networks — the origin IP becomes even less meaningful in an investigation.”

Ready or not, large-scale proxyware attacks are coming.

Exchange Servers Are The Target Of This New Ransomware

A new ransomware gang known as “LockFile” has recently burst onto the scene. They specifically target Microsoft Exchange servers to gain access, then proceed to encrypt everything they can find.

LockFile employs a trio of vulnerabilities that are collectively known as ProxyShell to gain access to a targeted Exchange server.

ProxyShell was given its name by Orange Tsai. Tsai is the Devcore Principal Security Researcher who initially chained them together to create the attack. All three issues had been known previously, but it was Tsai who first thought to daisy-chain them to create a new attack vector.

The issues are being tracked separately as follows:

  • CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
  • CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
  • CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

All of these issues have already been patched, per the notes above, but of course there is no guarantee that they’re patched on your network. Your IT staff may or may not have gotten around to applying the patches referenced above. If not, then your network is at risk.

It should also be noted that hackers are actively scanning for Exchange servers vulnerable to ProxyShell attacks. So if your network is at risk, it’s just a matter of time until LockFile finds you.

Bookmark this article to serve as a reference and have your IT staff double check to be sure that the patches referenced above have indeed been applied on your network. If they haven’t then make sure they are as soon as possible in order to minimize your risk.
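One way for IT staff to do that double check, as an added example that is not part of the article or of any Microsoft tooling: a PowerShell script that looks for the two security updates named above (KB5001779 and KB5003435) on an Exchange server. It assumes it is run in an elevated PowerShell session on the server itself; the registry paths and the `-match` check on update display names are assumptions of this example.

```powershell
# Added example (not from the article): check an Exchange server for the two
# security updates the article names, KB5001779 (April 2021) and KB5003435 (May 2021).
# Assumes an elevated PowerShell session on the Exchange server itself.
$RequiredKBs = @('KB5001779', 'KB5003435')

# Exchange Security Updates register as installed updates under the Uninstall
# registry keys (native and 32-bit views), so query those rather than relying only
# on Get-HotFix, which lists Windows (QFE) updates.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installed = @(
    Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName
)

# Also include QFE entries in case the update arrived through Windows Update.
$Installed += @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)

foreach ($kb in $RequiredKBs) {
    $found = $Installed | Where-Object { $_ -match $kb }
    if ($found) {
        Write-Host "[OK]      $kb present: $($found | Select-Object -First 1)"
    } else {
        Write-Host "[MISSING] $kb not found - verify this server's Exchange build before assuming it is patched"
    }
}
```

A server that has since been moved to a later Cumulative Update will not list these specific KB numbers even though the fixes are included, so treat a MISSING result as a prompt to confirm the installed Exchange build, not as proof of exposure.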

Very little is known about the LockFile gang and their motivations. It should be known that their ransomware is incredibly dangerous. Lack of action to protect vulnerable systems could have tragic consequences.

WhatsApp Mods On Android Devices May Contain Malware

Are you a WhatsApp user? If you are, you may have heard of the FMWhatsApp mod.

It promises to improve the WhatsApp user experience by improving user privacy, giving access to custom chat themes, emoji packs from other social networking sites, app locking via a customizable PIN, and more.

Hackers have hijacked this legitimate and helpful mod. It’s somewhat hard to detect because the poisoned mod does what it promises. In addition to providing the promised features, it also installs the Triada trojan.

The Triada trojan isn’t harmful in and of itself, but the hackers have seen fit to bundle the XHelper trojan with it. Triada plants seeds in any Android device it infects that allow the hackers to install other malware as well.

The poisoned version of FMWhatsApp was found by researchers at Kaspersky. They discovered that FMWhatsApp 16.80.0 will install the following additional malware, as listed in a recent Kaspersky post on the topic:

  • Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.
  • Trojan-Downloader.AndroidOS.Gapac.e, which installs other malicious modules and displays full-screen ads.
  • Trojan-Downloader.AndroidOS.Helper.a installs the xHelper Trojan installer module and runs invisible ads in the background.
  • Trojan.AndroidOS.MobOk.i signs the Android device owner up for paid subscriptions.
  • Trojan.AndroidOS.Subscriber.l also signs victims up for premium subscriptions.
  • And Trojan.AndroidOS.Whatreg.b harvests the info and requests the verification code to sign into the victims’ WhatsApp accounts.

The best way to avoid the poisoned version of the app is to be sure you’re getting it from the Google Play Store. So far it has not made it past Google’s stringent checks, but the Kaspersky researchers did discover it on a number of popular WhatsApp mod distribution sites.

The FMWhatsApp mod is excellent. Just be sure you’re getting the non-poisoned version of it.

Even Computer Hardware Manufacturers Can Get Hit By Ransomware

Retailers, hospitals and financial institutions tend to be the targets of choice for the hackers of the world. Of course they’re not the only targets. The simple truth is that any company can find itself in the crosshairs of a hacker.

The most recent victim is Taiwanese motherboard manufacturer Gigabyte. In addition to shutting down manufacturing operations in Taiwan, the attack also took down a number of the company’s web-based systems. They include its online support and the Taiwanese website itself.

The investigation into the matter is ongoing. The early indications are that the company fell victim to the RansomEXX strain of ransomware. In addition to locking files on a number of Gigabyte’s network devices, the hackers made off with some 112 GB of data. The hackers have published portions of this data on their own website on the Dark Web as proof that they were indeed behind the attack.

The RansomEXX strain has an interesting history. It began life in 2018 as a strain called Defray. For the first couple of years of its life it gained little traction among the hackers of the world. It wasn’t used in many high-profile attacks.

It seemed to go dormant and re-emerged in 2020 as RansomEXX with a raft of new capabilities. It is not clear whether it was abandoned and picked up by a new hacker group or whether the original Defray authors used their initial experiments to refine the code. In its current form RansomEXX is a dangerous threat indeed and is capable of infecting both Windows- and Linux-based systems.

The group controlling the malware has used it to attack a number of high-profile targets in recent weeks, including:

  • The Texas state Department of Transportation
  • The Brazilian Government
  • IPG Photonics
  • And more.

Be on your guard against this one. You definitely don’t want to be the hackers’ next victim.

Older Industrial Technology May Have Security Risks

The vulnerability of Industrial Control Systems has been getting a lot of press in recent months. That’s a good thing, because most people don’t spend much time thinking or worrying about such systems. Unfortunately they are among the most vulnerable systems of all.

Industrial Control Systems haven’t really changed all that much in the past decade or two. The protocols they use are fairly rudimentary by today’s standards. It’s no surprise that they are a fair bit more vulnerable than more modern and robust systems.

Researchers at Forescout Labs and JFrog Security recently underscored this fact by highlighting fourteen different security flaws found in the protocols commonly used by Industrial Control Systems.

They’ve dubbed the set of flaws “Infra:Halt”. As that name suggests, these exploits can bring broad swaths of the nation’s infrastructure to a screeching halt. That is, if hackers make use of the exploits, which most security experts agree is just a matter of time.

Forescout wrote extensively about each of the fourteen exploits in a recent blog post.

Daniel dos Santos (research manager at Forescout) had this to say about the risks:

“When you’re dealing with operational technology, crashing devices and crashing systems is something that can have various serious consequences. There are also remote code execution possibilities in these vulnerabilities, which would allow the attacker to take control of a device, and not just crash it but make it behave in a way that it’s not intended to or use it to pivot within the network.”

This is a serious threat indeed. Fortunately, patches that address many of the vulnerabilities are currently available.

If your business is in any way connected to the sale or maintenance of Industrial Control Systems, the researchers urge immediate upgrades. Upgrades will patch the currently known vulnerabilities and minimize risk.