Our young people are always learning. It’s a great time to expand their cyber education to help keep them safe in the classroom.
The school bell rings, kids of all ages take their seats, and there’s an atmosphere of anticipation. Students open their textbooks and laptops, ready to explore language, history, science, and math, and further expand their horizons. Yet, unbeknownst to many, there are people lurking behind the screens in the academic world, actors whose intentions are not at all noble.
Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.
Generally, Agent Tesla uses deceptive emails to infect victims, disguising as business inquiries or shipment updates. Opening attachments triggers malware installation, concealed through obfuscation. The malware then communicates with a command server to extract compromised data.
The following heat map shows the current prevalence of Agent Tesla on field:
Figure 1: Agent Tesla heat map
McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.
Technical Analysis
The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe as shown in Figure 2. Regasm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.
Figure 2: Infection Chain
VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.
Figure 3: Process Tree
First PowerShell command
The first PowerShell command is encoded as illustrated here:
Figure 4: Encoded First PowerShell
Obfuscating PowerShell commands serves as a defense mechanism employed by malware authors to make their malicious intentions harder to detect. This technique involves intentionally obfuscating the code by using various tricks, such as encoding, replacing characters, or using convoluted syntax. This runtime decoding is done to hide the true nature of the command from static analysis tools that examine the code without execution. Upon decoding, achieved by substituting occurrences of ‘#@$#’ with ‘A’ and subsequently applying base64-decoding, we successfully retrieved the decrypted PowerShell content as follows:
Figure 5: Decoded content
Second PowerShell Command
The deciphered content serves as the parameter passed to the second instance of PowerShell..
Figure 6: Second PowerShell command
Deconstructing this command line for clearer comprehension:
Figure 7: Disassembled command
Steganography
As observed, the PowerShell command instructs the download of an image, from the URL that is strore in variable “imageURL.” The downloaded image is 3.50 MB in size and is displayed below:
Figure 8: Downloaded image
This image serves as the canvas for steganography, where attackers have concealed their data. This hidden data is extracted and utilized as the PowerShell commands are executed sequentially. The commands explicitly indicate the presence of two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data is stored in variable ‘base64Length’. The data enclosed between these markers is stored in ‘base64Command’. The subsequent images illustrate these markers and the content encapsulated between them.
Figure 9: Steganography
After obtaining this data, the malware proceeds with decoding procedures. Upon examination, it becomes apparent that the decrypted data is a .NET DLL file. In the subsequent step, a command is executed to load this DLL file into an assembly.
Figure 10: DLL obtained from steganography
Process Injection into RegAsm.exe
This DLL serves two purposes:
Downloading and decoding the final payload
Injecting it into RegAsm.exe
Figure 11: DLL loaded
In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:
The instruction mandates reversing the content of this parameter and subsequently storing the outcome in the variable named ‘address.’ Upon reversing the argument, it transforms into:
http://195.178.120.24 /castrnewbaze64.txt
Figure 12: Request for payload
Therefore, it is evident that this DLL is designed to fetch the mentioned text file from the C2 server via the provided URL and save its contents within the variable named “text.” This file is 316 Kb in size. The data within the file remains in an unreadable or unintelligible format.
Figure 13: Downloaded text file
In Figure 11, at marker 2, the contents of the “text” variable are reversed and overwritten in the same variable. Subsequently, at marker 3, the data stored in the “text” variable is subjected to base64 decoding. Following this, we determined that the file is a .NET compiled executable.
Figure 14: Final payload
In Figure 11, another activity is evident at marker 3, where the process path for the upcoming process injection is specified. The designated process path for the process injection is :
Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.
Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:
Figure 15: Process Injection
By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function ‘hU0H4qUiSpCA13feW0’ is used for replacing content. For example,
“kern!”.Replace(“!”, “el32”) à kernel32
Class1.hU0H4qUiSpCA13feW0(“qllocEx”, “q”, “VirtualA”) à VirtualAllocEx
As a result, these functions translate into the subsequent API calls:
CreateProcessA : This API call is typically employed to initiate the creation of a new process, rather than for process injection. In the context of process injection, the focus is generally on targeting an existing process and injecting code into it.
VirtualAllocEx: This is often used in process injection to allocate memory within the target process to host the injected code.
ReadProcessMemory: This is used to read the memory of a target process. It is typically used in reflective DLL injection to read the contents of a DLL from the injector’s memory and write it into the target process.
GetThreadContext: This API is used to retrieve the context (registers, flags, etc.) of a thread within a target process. It’s useful for modifying thread execution flow during injection.
Wow64GetThreadContext: This is like GetThreadContext, but it’s used when dealing with 32-bit processes on a 64-bit system.
SetThreadContext: This API is used to set the context of a thread within a target process. This can be useful for modifying the execution flow.
Wow64SetThreadContext: Like SetThreadContext, but for 32-bit processes on a 64-bit system.
ZwUnmapViewOfSection: This is used to unmap a section of a process’s virtual address space, which could potentially be used to remove a DLL loaded into a target process during injection.
WriteProcessMemory: This is used to write data into the memory of a target process. It’s commonly used for injecting code or data into a remote process.
ResumeThread: This is used to resume the execution of a suspended thread, often after modifying its context or injecting code.
Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.
The ultimate executable is heavily obfuscated. It employs an extensive array of switch cases and superfluous code, strategically intended to mislead researchers and complicate analysis. Many of the functions utilize either switch cases or their equivalent constructs, to defend detection. Following snippet of code depicts the same.
Figure 16: Obfuscation
Collection of data:
Fingerprinting:
Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:
Computer Name
IP information
Win32_baseboard
Serial number
win32_processor
processorID
Win32_NetworkAdapterConfiguration
MacAddress
Web Browsers:
Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.
Figure 17: Opera browser
Figure 18: Yandex browser
Figure 19: Iridium browser
Figure 20: Chromium browser
Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:
Figure 21: User data retrieval from all browsers -1
Figure 22: User data retrieval from all browsers – 2
Mail Clients:
Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:
Figure 23: Mail clients
Exfiltration:
Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.
The observed sample utilizes SMTP as its chosen method of exfiltration. This protocol is frequently favored due to its minimal overhead demands on the attacker. SMTP reduces overhead for attackers because it is efficient, widely allowed in networks, uses existing infrastructure, causes minimal anomalies, leverages compromised accounts, and appears less suspicious compared to other protocols. A single compromised email account can be used for exfiltration, streamlining the process, and minimizing the need for complex setups. They can achieve their malicious goals with just a single email account, simplifying their operations.
Figure 24: Function calls made for exfiltration.
This is the procedure by which functions are invoked to facilitate data extraction via SMTP:
A specific value is provided as a parameter, and this value is processed within the functions. As a result, it ultimately determines the port number to be utilized for SMTP communication. In this case, port number 587 is used for communication.
Figure 25: Port number
Next, the malware retrieves the hostname of the email address it intends to utilize i.e., corpsa.net.
Figure 26: Domain retrieval
Subsequently, the email address through which communication is intended to occur is revealed.
Figure 27: Email address used
Lastly, the password for that email address is provided, so that attacker can log in and can start sending out the data.
Figure 28: Password
The SMTP process as outlined involves a series of systematic steps. It begins with the processing of a specific parameter value, which subsequently determines the port number for SMTP communication. Following this, the malware retrieves the associated domain of the intended email address, revealing the address itself and ultimately providing the corresponding password. This orchestrated sequence highlights how the malware establishes a connection through SMTP, facilitating its intended operations.
Following these steps, the malware efficiently establishes a login using acquired credentials. Once authenticated, it commences the process of transmitting the harvested data to a designated email address associated with the malware itself.
Summary:
The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP communication, providing stealth and leveraging email account. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.
On 23 August 2023, NIST disclosed a critical RCE vulnerability CVE-2023-38831. It is related to an RCE vulnerability in WinRAR before version 6.23. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the harmless file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.
Our intelligence shows that this vulnerability is being exploited as early as April 2023. Let’s look at a sample exploiting this vulnerability (Hash: bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa)
The image below shows that the archive is named trading_system, which hints that it is used to target traders
We can also see that the threat actor can craft the archive so that folder and file names are the same.
This is interesting as Windows doesn’t allow files and folders to have the same name in the same path.
This shows that it was weaponized after creating a regular zip by changing the bytes to make the file and folder name the same.
Also, note there is a trailing space at the end of the file and folder name (in yellow).
When we look inside the folder, we see many files, but the most important file is highlighted, which is a bat file containing a malicious script.
The bat file also has the same name as the benign file outside the folder.
When we check the script, we see it launches cmd in the minimized state, then goes to the temp folder where WinRAR will extract the files, then tries to find the weakicons.com file, which is present inside the folder and executes it using wmic and then exits.
Checking weakicons.com we find that it is a CAB SFX file.
We extract it to check what is inside.
We found a PE file, some ActiveX control objects, and two text files.
AMD.exe is a visual basic compiled file whose main job is to extract the dll hidden in a blob of data inside pc.txt and execute the ActiveX controls.
Inside add.txt, we find the registry keys it will try to manipulate
The first control is responsible for registering a COM object in Windows. During registration, registry keys are imported from the “add.txt” file. As a result, a specific COM object with a unique CLSID is registered in the infected system. The default value of the InprocServer32 key is populated with the path to a malicious DLL named “Core.ocx”.
Wmic process executes weakicons.com
AMD.exe extracts the encrypted dll file inside pc.txt and writes it in the romaing\nvidia folder.
Here, we observe AMD.exe calls reg.exe on registry keys inside add.txt
Timeout is also called to slow down the activities of the infection chain.
AMD.exe Calls rundll32 on the clsid that is registered in the registry
We can see successful tcp connection to threat actors C2.( ip 37[.]120[.]158[.]229)
Global Heatmap where this vulnerability is being seen in the wild(based on McAfee telemetry data)
Infection chain
How does the vulnerability work?
Here, we will analyze the issue causing WinRAR to execute the script instead of opening the image.
We will compare how WinRAR behaves when we execute an image file from a weaponized zip vs. a normal zip. So we fire up ProcMon First.
Normal.zip
Weaponized.zip
The above image shows that the first logical bug is how WinRAR is extracting files in the temp folder before executing them. In the case of a regular zip, only the clean image file is extracted to the temp folder, whereas in the case of a weaponized zip, even the files present inside the folder are extracted to the temp folder along with the clean image file. This is due to the same file names we have given, which makes WinRAR extract those in temp.
Verifying the same in the temp folder
Normal Zip
Weaponized Zip
In Logs, when we dig deep, we can see Winrar searches for our filename with an *, which causes it to iterate over our bat file as it has the same name, which in turn gets executed.
To see what’s happening under the hood, we hook a debugger and launch WinRAR by manipulating the “image file Execution options” registry key.
When we execute the rar file, we see the debugger getting attached to the winrar process so that we can do just-in-time debugging.
We put a breakpoint on the ShellExecuteExW function to see what parameters are passed to it just after clicking the jpeg file.
When we double-click on the image file, we can see the debugger is opened, and after a few clicks, we hit our breakpoint.
Normal zip
In this case, the correct parameter is passed to the ShellExecuteExW function as the file exists at this exact path.
Weaponized zip
In this case, an incorrect parameter is passed to the ShellExecuteExW function as the parameter contains a trailing space, and such a file does not exist on the disk.
When we dig deep, we find that later, it calls PathUnquoteSpacesA API call, as per MSDN. It “Removes quotes from the beginning and end of a path.”
As quotes are removed from the end of the path, ShellExecuteExW executes “simple_image.jpg .cmd” instead of “simple_image.jpg.”
Every now and then, Windows 10 users and administrators wonder why the time on their systems suddenly jumps by several weeks, months or even years (either forward or backward).
What could be the cause of those jumps? Ars Technica journalists did a little research, and found that it might be linked to the Secure Time Seeding feature. In this post I explain how this feature seems to work, and what can be done to prevent such unexpected jumps.
What is Secure Time Seeding?
Secure Time Seeding (STS)
was added to Windows 10 in 2015. The feature is intended to correct discrepancies between the time set in the system and the actual time – primarily when a computer’s battery feeding the internal real-time clock dies and the time settings have nothing in common with reality. Most importantly, STS is able to correct the system time without accessing the current-time servers.
But why is such a correction of time discrepancies even needed? Oddly enough, for security. Typically, client-server data exchange (including system connection to the internet time servers) is protected with SSL/TLS encryption protocols. To establish such a connection with the server, the client first needs to verify its digital certificate, and these certificates have a certain validity period. Therefore, if the time in the system is set with a significant error, the certificate may be considered expired, and a secure connection won’t be established.
So a vicious circle appears: in order to find out the current time, the computer needs to know the current time. It doesn’t have to be perfectly accurate; the approximate time can work too. But the greater the difference between the system time and the actual time, the greater the chance the certificate will get flagged as expired.
STS introduces (at least in its developers’ minds) a way for the system to automatically identify and correct major discrepancies, even when a secure connection cannot be established with any server. This is achieved by using current timestamps and digital-certificate expiry dates contained in the data sent by the servers to the client during the initial establishment of a secure connection (the SSL and TLS handshakes).
The exact algorithm of STS is unknown. But the general idea is that Windows pulls data from the SSL handshake and uses it to compute a reliable range for the current time and assign it a probability. As new data becomes available, the range is updated, and the probability can gradually increase. When it reaches a certain threshold, STS decides to change the system time to the median time from the range it deems reliable. In theory, such precision should suffice to establish a secure connection, connect to a current time server, and get the precise time.
Why you should disable Secure Time Seeding
The main problem is that the feature is enabled in Windows 10 by default and operates regardless of whether the computer’s built-in clock has ever been out of sync. As a result, STS can reset the time at any moment when Microsoft’s secret algorithm decides that there are enough signs that the clock is telling the wrong time and needs fixing.
The reason for such malfunctions in Secure Time Seeding isn’t fully understood. One suggested cause is the significant rise in popularity of SSL/TLS implementations that send an incorrect timestamp during the handshake. The chief suspect here is the frequently used OpenSSL library (which, instead of the current server time, puts random values in the timestamp).
Moreover, this bug can also occur in server versions of the operating system: Windows Server 2016, Windows Server 2019, and Windows Server 2022. And while for regular computer users the issue is little more than a nuisance, for servers it can be catastrophic, since their correct operation often relies on the time being accurate.
There’s an unofficial piece of advice on this from a senior Microsoft technical support official for Active Directory Domain Controller Administrators:
“Hey people, if you manage Active Directory domain controllers, I want to give you some UNOFFICIAL advice that is solely my personal opinion: Disable Secure Time Seeding for w32time on your DCs.”
Unofficial advice from a Senior Windows Escalation Engineer: disable Secure Time Seeding
Disabling Secure Time Seeding in Windows
To disable STS, locate the following key in the Windows registry:
After changing the value, you need to reboot the system. If this is difficult or impossible, you can force the update with this command:
W32tm.exe /config /update
That done, the STS feature will stop bugging you. Now all that remains is to ensure that the system clock always stays accurate. On this point, the Ars Technica article gives a couple of helpful tips for server administrators.
The once cozy world of social media has been getting feverish in recent years. In the battle for audience attention, fly-by-night social networks come and go (Clubhouse, anyone?), users run back and forth, and governments, as ever, ponder the introduction of regulations. Who’d have thought, for example, that TikTok would be able to displace such monsters as Facebook and Instagram, and also to be banned fully or partially in a host of countries?
The public skirmishes between, and overall pantomime of the owners of the world’s largest social networks — Mark Zuckerberg (Facebook, Instagram, Threads) and Elon Musk (X, formerly Twitter) — similarly add nothing in terms of stability. And while Threads, despite analysts’ predictions, didn’t bury Twitter, Musk himself is doing a good job of digging the latter’s grave: with every new innovation he comes up with, users jump ship in their droves. Catching up, slowly but surely, is YouTube, which has long since morphed from a mere video hosting service into a social media powerhouse boasting 2.5 billion users a month and used by 95% of teenagers; while taking a breather on the sidelines is LinkedIn, having carved out a business niche all for itself.
Against this backdrop of upheavals, there’s a relatively new… elephant in the room, which more than fills an X-shaped hole. And that is Mastodon (a mastodon, in case you don’t know, was a furry elephant — long extinct). But it turns out Mastodon is no newcomer; it’s still a game-changer…
How Mastodon works
Created in 2016, Mastodon is a microblogging social network similar to X (ex-Twitter), but based on the principles of decentralization. Unlike X, Mastodon consists of multiple independent servers (called “instances”) brought together into a single network and interacting with each other, which offers far greater customization and control. Users can select instances according to their preferences and settings, yet still communicate with members from other instances.
What are Mastodon instances?
Instances are independent servers, each with their own address in the Mastodon network, its own administrator, and its own rules of use. They can be general-purpose, or highly specialized with a unique theme dedicated to specific interests, languages, regions or communities. Users can select the servers they want to register on, while being able to follow accounts registered on other servers and view posts from any account on any server in their timeline.
Mastodon is a decentralized social network where each server has its own rules, values and guidelines.
The first server to run Mastodon was mastodon.social. The instance was created and is maintained by its founder, Eugen “Gargron” Rochko, and is very popular.
Picking a Mastodon server is like choosing a place to live.
How to pick a Mastodon server
There are several criteria when it comes to choosing an instance in Mastodon:
Community size. Look at the number of registered users on the server. Larger instances are more buzzing with content, but the load on them is higher, and they may run slower.
Sign-up process. This option is worth considering if you need to get registered quickly. Some instances offer instant registration; others require confirmation from an administrator.
Server location. Instances may be hosted in different countries and regions. If accessibility and connection speed are important, choose a server closer to where you are.
Rules and moderation. Each Mastodon instance has its own policies. Before registering on a server, read its rules and make sure they align with your values and expectations. As each server moderates its own content, some may, for example, allow pornography, and even viewing such content can have legal consequences in a number of countries or jurisdictions. Besides local rules, Mastodon has general ones that describe what can and can’t be done on the platform. Violation of these common rules can result in the server being blocked and shut down.
Example of local rules for the mastodon.social server. Given that this is the server of Mastodon’s creator, they can in part be considered as general policies.
A privacy policy is published for each instance. On the whole, they all contain basic clauses about data collection, usage, storage and security, and about sharing information with third parties. On the odd occasion you might come across a particularly law-abiding server that mentions users’ rights to delete, amend, or do other things with collected personal data — usually these are EU servers that are subject to the GDPR.
Topics and interests. If you like a particular topic, or want to join a community of interest, search for relevant thematic servers.
Administration and support. Check whether the server has active administrators and community support. This may come in handy if you have any problems or questions.
Server reputation. Find out about an instance’s reputation by reading reviews or asking other Mastodon users.
Already registered? Let’s set up privacy!
Right after registration, head straight to the settings. First of all, turn on two-factor authentication and set the posting privacy level. You can choose one of three options for your account:
Public — everyone can see your posts.
Unlisted — everyone can see your posts, but they’re not listed on public timelines.
Followers-only — only followers can see your posts.
In addition, you can set the privacy level for each individual post:
Public
Followers-only
Direct (visible only to users mentioned in the post)
Privacy settings for accounts in general and for individual posts.
Additional privacy settings allow you to show or hide your followers and follows in your profile, as well as show what app you use for posting. We recommend unchecking the latter — your readers really don’t need to know what app or device you use.
Additional privacy settings in Mastodon.
On top of that, there are settings for choosing who can find and follow you, and how. For example, you can: enable your public posts to appear in Mastodon search results; make your profile findable in search engines; allow your posts and profile to show up in promos inside Mastodon; and even automatically accept follow requests.
How to become a star (or not): customizing how Mastodon tells others about you.
Finally, there are options to configure rules (and exceptions to them) for auto-deleting posts after a set period (from one week to two years) — and for archivists to export and download a complete archive of all their data.
You can configure auto-deletion of posts, or download all your data.
A few final tips
Mastodon is a far less regulated social network than the notoriously censor-heavy monsters, but it too has its rules and regulations. That said, these are mostly determined by the server administrator, and you get to choose which server you want out of many. But there are platform-wide policies as well, so when publishing posts you need to take into account the rules of both the specific instance you’re registered on and Mastodon in general. Furthermore, the privacy policy directly states: “We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety.” So the golden rule — Think Before You Post — applies equally to this social network.
Don’t forget about security either. Although Mastodon may feel like a hobby club, there might be bad actors amid the like-minders. So, as with other social networks, it pays to protect your privacy and guard against phishing and leaks of personal data on all your devices with the help of Kaspersky Premium.
The creators of any website bear the moral and legal responsibility for it during its entire existence. Moreover, few people know that if a corporate web server gets hacked, it’s not only the company and its customers that may suffer; often, a hacked site becomes a platform for launching new cyberattacks, with its owners not even being aware of it.
Why websites get hacked
A website hack can be part of a larger cyberattack, or a standalone operation. By “hack”, we mean making changes to the target site — not to be confused with a DDoS attack. If your company finds itself in the crosshairs of hackers, their goals are usually to:
Exert pressure on the victim organization as part of a ransomware attack, including by making the hack known to customers and partners;
Download valuable information from the site, for example, customer contact details stored in a database;
Distract IT and InfoSec teams from a more serious data theft or sabotage attack occurring at the same time;
Cause reputational damage.
That said, very often hackers don’t need your site in particular. They’ll happily make do with any reputable site they can sneak malicious content onto. Once that’s achieved, they can populate the site with phishing pages, links to spam resources, and pop-up ads. Basically, it turns into a cybercriminal tool. At the same time, the main sections of the site may be unaffected. Customers and employees visiting the home page won’t notice anything different. The malicious content is tucked away in new subfolders to which victims get lured through direct links.
How websites get hacked
Website hacks are normally carried out through vulnerabilities in server applications: web servers, databases, or content management systems and their add-ons. Around 43% of all websites on the internet run on WordPress, so it’s no surprise that hackers pay special attention to this content management system. Vulnerabilities are discovered in WordPress and thousands of add-ons for it regularly, and not all authors get around to fixing their plug-ins. And besides, not all users promptly install updates for their sites.
Attackers can exploit a vulnerability to upload to the web server a so-called web shell; that is, additional files and scripts allowing them to manage site content while bypassing standard administration tools. Next, they place malicious content on the site in subfolders, taking pains not to affect the main pages of the legitimate site.
Another common hacking scenario is to guess the administrator password. This is possible if the administrator uses weak passwords, or the same password on different web resources. In this way, cybercriminals can place malicious content by means of standard administration tools, creating new users on the site, as well as additional subsections or pages. However, this increases the likelihood of detection, so even in this case, attackers prefer to install their own backdoor in the shape of a web shell.
Damage from website hacking
In case of a large case targeted attack, the given company immediately suffers financial and reputational damage. As for opportunistic attacks, the harm is indirect. Website maintenance costs can increase due to spam content and its views. At the same time, the site’s SEO reputation drops, so it gets fewer visitors from search engines. The site may even be flagged as malicious, in which case its traffic drops catastrophically. In practice, however, hackers may go for abandoned sites, so issues with traffic are of no relevance.
How websites get abandoned
The internet has long turned into a website graveyard. According to statistics, there are more than 1.1 billion websites in total, but 82% of them are not updated or maintained. In the case of corporate websites, a number of scenarios can be the cause:
A company ceases to operate, but its website is published on free hosting and keeps running;
The only employee who had access to the site leaves the given small business. Unless the owners take action, the site will remain frozen for months or even years;
A company rebrands or merges, but keeps the old website “temporarily” for customers. The revamped entity then gets a brand-new site, and the “temporary” old one is gradually forgotten;
A dedicated site is launched for a marketing campaign, product line, blog, or side project. When the project is over, the site is no longer updated, but it’s not shut down either.
Signs of website hacking
Since the main pages are often left untouched by hackers, it can be difficult to tell if your site has been compromised. But there are some pointers: the site is running slower than usual; traffic has sharply increased or decreased for no apparent reason; new links or banners have appeared out of nowhere; problems with control panel access; new folders, files, or users can be seen in the control panel. Still, the most obvious sign is if others start bombarding you with complaints about malicious content on your site. To properly diagnose the situation, you need to study the web server logs, but this task is better entrusted to experts. Like pest control, it takes experience to get rid of an infestation — which here means removing the web shell and other backdoors from the site.
How to guard against website hacking
Even small companies without a large cybersecurity budget can implement simple measures that greatly reduce the chances of getting hacked:
Set long, strong passwords for the administration section of your site, and enable two-factor authentication. Each administrator must have their own password;
Never allow just one person to have access to the site (unless the company has just one employee, naturally). Remember to revoke access when employees leave;
Make sure to keep updated all software components of the site, including the operating system, web server, databases, content management system, and add-ons. Install updates as soon as they are released. If your company lacks the time or expertise, better to use professional website hosting where security is in the hands of a dedicated team. For example, for WordPress there are specialized secure hosting platforms, such as WP Engine;
Maintain a registry of all company websites. It should list every site created, even temporary ones set up, say, for a one-month ad campaign;
Each site in the registry should have its software components updated regularly, even if there’s no business need to update the content;
If the site is no longer needed, and the resources are lacking to update it, better to close it down in a tidy manner. Save the data to an archive, then terminate your hosting account. If necessary, you can also cancel the domain delegation. Another way to shut down a subsite is to remove all content from it, disable any software add-ons like WordPress, and set up redirection to the company’s main site.
The humble USB drive—the workhorse of students, professionals, and everyday computer users. No wonder hackers put USB drives in their crosshairs.
Why such a target? All the things that make USB drives attractive to us make them attractive to hackers. They’re inexpensive, portable, and often swap between users. Taken together, that creates the perfect medium for hosting and distributing malware.
Likewise, USB drives can get lost or stolen quite easily. An absentminded or careless moment could put sensitive information at risk.
However, that’s not to say you should avoid using USB drives. Not at all. In fact, you can use them securely by taking a few straightforward steps.
How to protect your USB drive from malware and loss
Encrypt your USB drive.
Encryption gives you huge peace of mind in the event you lose your USB drive. It prevents others from accessing the data and files on it by scrambling them. Only a person with the password can access them. Windows users can check out this “how to” article on encryption—Apple users can learn about encryption on their support site as well.
Purchase a USB drive with encryption built in.
If you’d rather skip those steps, you can purchase a USB drive that uses hardware-based encryption built in. These drives cost a little more, yet they more than make up for that in the protection that they offer.
Keep your USB drive on you.
Physical security is important too. You can prevent loss and theft by toting around your drive in your pocket, bag, or purse. Locking it away in a secure location while you’re not using it stands as a solid option as well.
Mind your sharing.
You never know what malware might be lurking on someone else’s device. Sharing a USB drive with someone else can help malware make the jump from their device to yours. Think twice before sharing.
Watch out for USB devices in the wild.
Don’t put it past hackers to load a USB drive with malware in the hopes that someone will pick it up. In fact, several large malware campaigns got their start by mailing “free” USB drives to thousands and thousands of households, businesses, and government agencies.
Disable AutoPlay.
On Windows computers, you can prevent USB drives from automatically running any files. Some malware will run when the drive gets inserted into the device. Head to Settings > Devices > AutoPlay to disable that feature.
Deleting isn’t enough—shred your old files.
Deleting a file doesn’t erase data from a drive. It makes space available on a drive, so that old data might still be there—and recoverable. Comprehensive online protection like ours includes a file shredder that will completely erase old data and files.
Use online protection software.
Malware can easily make its way onto a USB drive. Comprehensive online protection can spot, block, and remove malware before it can do any harm.
Introducing McAfee+
Identity theft protection and privacy for your digital life
One of the many dangerous tools in cybercriminals’ arsenals is OSINT. In this post, we explain what it is, the danger it poses, and how to guard your company against OSINT.
What is OSINT?
OSINT stands for open-source intelligence. That is, the collection and analysis of data obtained from publicly accessible information channels. Such sources can basically be anything: newspapers and magazines, television and radio, data published by official organizations, scientific research, conference reports, etc.
Nowadays, of course, such intelligence is primarily based on information scraped from the internet. Over the past 10–15 years, online public communication platforms have become especially valuable as OSINT-gathering tools: chats, forums, social networks, and messengers.
The range of people using OSINT is quite diverse: journalists, scientists, civil activists, government and business analysts, as well as intelligence officers themselves. In a nutshell, OSINT is an important and effective tool for collecting data. But perhaps the more significant question is how such information gets put to use.
OSINT and information security
OSINT can be used in planning a targeted attack on your company. After all, for a successful operation, cybercriminals need a huge amount of information about the victim organization.
This is especially true in the case of attackers who rely less on hi-tech tools (costly zero-day exploits, sophisticated malware, etc.) and more on social engineering tricks. For this type of threat actor, OSINT is often the number-one tool.
The most valuable source of open data in preparing an attack on an organization is employees’ activity on social networks. First and foremost, this means LinkedIn. There, it’s usually possible to find the full organizational structure of the company, with all names, positions, work histories, social connections, and lots of other extremely useful information about employees.
You don’t have to look far for examples of just how effective OSINT can be. Remember the infamous Twitter (now X) hack a couple of years back that targeted a whole bunch of people and companies, from Musk, Gates, and Apple to Obama and Biden)? It began with the hackers finding Twitter employees on LinkedIn who had access to Twitter’s internal account management system, and making contact with them. Then it was a simple matter of applying social engineering and good old phishing to dupe them into revealing the credentials needed to hijack the high-profile accounts.
How to protect your company from OSINT
Open-source intelligence is a predominantly passive method of information gathering, so there’s no simple and universal way to counter it. Fortunately there are measures you can take on several fronts.
Employee training and awareness
As mentioned above, modern-day OSINT is largely based on social networks, and information gathered through OSINT is most effective for social-engineering attacks. Thus, the human factor comes to the fore here.
Therefore, to counteract OSINT and the potential consequences of it, you need to work closely with your employees. Training is key here to increase awareness of potential threats and ways to protect against them.
The focus should be on two aspects: first, on the dangers of posting sensitive information about your company on social networks. Second, employees should learn to be more wary of calls, emails, and text messages that prod them to take some potentially risky action (and to be able to define “potentially risky action”). It must be clear that even if an email uses real company details, that doesn’t necessarily mean that the sender is a real colleague. The information could have been collected from open sources.
As a rough guide, if a caller, introducing himself as, say, John Smith, tells you that he works in such-and-such a position and asks for a username and password, this is wholly insufficient authentication – even if a John Smith does indeed hold this position in the company.
To raise awareness, you can develop and conduct your own in-house training program, or hire expert consultants. Another option is to use an interactive educational platform. For example, the Kaspersky Automated Security Awareness Platform.
It would also be useful to establish an internal cybersecurity communication channel with employees to convey information about live threats effectively.
Open-source counterintelligence
Over the past decade, the world of cybercrime has become highly compartmentalized. Some actors create malware, others collect data – all of which gets bought on the dark web and used for specific attacks by others.
The fact that information has been collected about your company is a surefire indicator of an impending attack. As such, monitoring activity of this kind will give you advance warning of the threat. For example, if someone puts data about your company up for sale, it’s very likely it’ll be used later to carry out an attack. So, by doing your own counterintelligence, you can take preemptive action: warn employees about what data the attackers have; put security analysts on high alert; and so on.
But such monitoring doesn’t necessarily have to be done in-house: there are ready-made services that you can subscribe to, such as Kaspersky Digital Footprint Intelligence. Note that our service offers far more than just the monitoring of mentions of your company on the dark web. It also tracks attacks on your suppliers and customers and, keeps tabs on APT campaigns that may affect your company or industry, provides vulnerability analysis, and much more.
Segmentation, rights management and Zero Trust
The third front is to mitigate the potential damage from attacks that deploy OSINT and social engineering. The primary goal here should be to limit spreading over the corporate network in the event of endpoint compromise.
The first requirement here is proper network segmentation: dividing company resources into separate subnets; defining security policies and settings for each of them; and restricting data transfer among them.
Also, pay attention to user access management. In particular, implement the principle of least privilege; that is, define and grant users only those accesses they need to perform their tasks. And review these rights regularly to reflect changes in their roles and responsibilities.
The ideal option would be to adopt the Zero Trust concept, which assumes there’s no secure perimeter, and so, by definition, no device or user is trusted, both inside and outside the corporate network.
Wrap-up
Open-source intelligence can be a powerful tool in criminals’ arsenals. Therefore, you need to be aware of the dangers and take steps to mitigate potential damage. Here’s a summary of my thoughts on how to protect your company from OSINT:
Be sure to train employees in the basics of information security. To do this, you can use our interactive Kaspersky Automated Security Awareness Platform.
Establish an internal communications channel to inform employees about information security.
Try to monitor the collection and sale of your company’s data on the dark web. Our Kaspersky Digital Footprint Intelligence can help with that.
Take measures in advance to minimize potential damage: manage user rights with maximum possible granularity; use network segmentation. And, ideally, embrace Zero Trust.
Beware: hundreds of thousands of websites are fakes. They’re made to look like the sites of popular online stores, banks, and delivery services, but with just one purpose: to steal your passwords and financial data. Victims are lured to such sites by phishing emails, messenger chats, and even paid ads. But don’t despair: even if you click on a bogus link, it might still be possible to escape the scammers’ clutches without loss. As long as you spot the fake in time…
Where do phishing sites get hosted?
Sometimes scammers create a special new website and register a name for it that resembles the original (for example, netflik.com instead of netflix.com). Our separate post on fake names is worth checking out. But such sites are expensive to make and easy to block, so many cybercriminals take a different route. They hack legitimate sites of any kind, then create their own subsections where they publish phishing pages. It’s very often SMBs that fall victim to such hacks because they lack the resources to constantly update and monitor their websites. Sometimes a site hack can go unnoticed for years, which is a godsend for cybercriminals.
One of the most popular web content management systems is WordPress, and the number of hacked sites on the platform runs into the tens of thousands. However, once you know what to look for, it’s not hard to detect such sites yourself.
First sign of fakery: mismatch between site name and address
When following a link in an email, a social media post, or an ad, it pays to take a look at the URL of the site you land on. If it’s a hacked site, the discrepancy will be staring you in the face. The name of the service the fake site pretends to be might crop up somewhere in the directory path, but the domain name will be completely different; for example: www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php. You know perfectly well that Netflix lives at netflix.com, so what’s it doing on medical-helpers24?
It looks like Netflix, but the URL screams phishing
Checking the URL requires a little more effort on mobile devices because many apps open links in such a way that the site address isn’t visible or is only partially visible. In this case, click on the address bar in your browser to see the site’s full address.
Second sign of fakery: directory path elements
When looking at the full address of a web page, pay attention to the tail of the URL after the domain name. It might be rather long, but just focus on the first parts. Hacked subsections of a site are usually hidden deep within WordPress service directories, so the address will most likely contain elements like /wp-content/, /wp-admin/ or /wp-includes/.
In our example, www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php, one such element comes right after the domain name, confirming our suspicions that the site has been compromised.
Chances are that the URL will end in .php. Pages with the .php extension are quite common, and this in itself is not a sign of hacking. But in combination with this directory path, the .php extension is compelling evidence of guilt.
Third sign of fakery: the site has a different subject
If the site name seems unfamiliar or suspicious, you can perform an additional check by going to the home page. To do that, delete the URL tail, leaving only the domain name. And this may open the page of the real owner of the site, which will be totally unlike the phishing page both in subject and design. It might even be in a different language, as in the example below:
French phishing on a Chinese site
Your personal data on a fake website
It might happen that some information fields (such as your email address or bank card number) are correctly pre-filled even on a phishing site. This means that the attackers have somehow gotten hold of a database of stolen personal data and are seeking to enrich it with additional information, such as passwords and CVV numbers. To this end, they post a table with known data on the victims, and this can often be freely downloaded from the site. So, if you see your real card number on a fake site, have the card reissued straight away, then think about additional security measures for other personal data. For example, if your email has been leaked, protect your email login with a stronger password and be sure to enable two-factor authentication.
How to guard against phishing
Be vigilant. For the above tips to work, remember to check every link you click on.
Check links before you click on them — some attacks don’t require the victim to do anything but land on an infected site. On your computer, you can hover over a link to show the URL it will take you to. On your phone, tap and hold the link with your finger to see the URL in the pop-up menu.
Important addresses (your bank, email server, etc.) are best accessed through bookmarks or typing them manually, not through links in emails.
Install security solutions on all computers, tablets, and phones. Phishing can get you on any device, so use Kaspersky Premium to keep all your digital companions secure.
People who use devices like smart cameras and Wi-Fi-enabled baby monitors should strongly consider taking the following steps to protect their devices:
1. Update your devices. Manufacturers often advise consumers to update their software to the latest version and enable further security features. Updating your devices regularly increases the chances that you’ll receive security improvements soon after they become available.
2. Do not connect to your smart cameras, baby monitors, and other devices through public Wi-Fi. Accessing these devices via a smartphone app from an unprotected network can compromise the security of your devices. Use a VPN or a secure cellular data connection instead.
3. Use strong, unique passwords. Every device of yours should have one, along with a unique username to go along with it. In some cases, connected devices ship with default usernames and passwords, making them that much easier to hack.
Further protect your connected cameras, baby monitors, and other devices
With those immediate steps in place, this security advisory offers you a chance to take a fresh look at your network and device security overall. With these straightforward steps in place, you’ll be more protected against such events in the future—not to mention more secure in general.
1. Use two-factor authentication
Our banks, many of the online shopping sites we use, and numerous other accounts use two-factor authentication to help validate that we’re who we say we are when logging in. In short, a username and password combo is an example of one-factor authentication. The second factor in the mix is something you, and only you, own or control, like your mobile phone. Thus, when you log in and get a prompt to enter a security code that’s sent to your mobile phone, you’re taking advantage of two-factor authentication. If your IoT device supports two-factor authentication as part of the login procedure, put it to use and get that extra layer of security.
2. Secure your internet router
Your router acts as the internet’s gateway into your home. From there, it works as a hub that connects all your devices—computers, tablets, and phones, along with your IoT devices as well. That means it’s vital to keep your router secure. A quick word about routers: you typically access them via a browser window and a specific address that’s usually printed somewhere on your router. Whether you’re renting your router through your internet provider or have purchased one, the internet provider’s “how to” guide or router documentation can step you through this process.
The first thing to do is change the default password of your router if you haven’t done so already. Again, use a strong method of password creation. Also, change the name of your router. When you choose a new one, go with name that doesn’t give away your address or identity. Something unique and even fun like “Pizza Lovers” or “The Internet Warehouse” are options that mask your identity and are memorable for you too. While you’re making that change, you can also check that your router is using an encryption method, like WPA2, which helps secure communications to and from your router. If you’re unsure what to do, reach out to your internet provider or router manufacturer.
3. Set up a guest network specifically for your IoT devices
Just as you can offer your human guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices, like computers and smartphones, along with the data and info that you have stored on them. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
4. Update!
We mentioned this above, yet it’s so important that it calls for a second mention: make sure you have the latest software updates for your IoT devices. That will make sure you’re getting the latest functionality from your device, and updates often contain security upgrades. If there’s a setting that lets you receive automatic updates, enable it so that you always have the latest.
5. Protect your phone
You’ve probably seen that you can control a lot of your connected things with your smartphone. We’re using them to set the temperature, turn our lights on and off, and even see who’s at the front door. With that, it seems like we can add the label “universal remote control” to our smartphones—so protecting our phones has become yet more important. Whether you’re an Android or iOS device user, get security software installed on your phone so you can protect all the things it accesses and controls—in addition to you and the phone as well.
And protect your other things too
Using a strong suite of security software likeMcAfee+ Advanced, can help defend your entire family from the latest threats and malware, make it safer to browse, and look out for your privacy too.
Introducing McAfee+
Identity theft protection and privacy for your digital life
