The Importance of Data Backups in Ransomware Protection

Ransomware attacks have become increasingly sophisticated, targeting not only primary data but also backup systems. Regular data backups are essential for reducing the impact of these attacks and ensuring business continuity. By maintaining current copies of critical data, companies can avoid the difficult decision of whether to pay a ransom and can resume operations more quickly after an attack.

Immutable Backups: A Powerful Defense

Immutable backups have emerged as a superior solution for ransomware protection. These backups are designed to be unchangeable, providing an extra layer of security against various threats, including ransomware attacks, accidental deletions, and insider threats.

Key benefits of immutable backups include:

1. Enhanced protection against ransomware
2. Data integrity and security
3. Compliance with data regulations (e.g., GDPR)
4. Reliable disaster recovery
5. Faster Recovery Time Objectives (RTOs)
6. Higher Recovery Point Objectives (RPOs)

Recovering from a Ransomware Attack: With Immutable Backups

When a business with immutable backups faces a ransomware attack, the recovery process is significantly more straightforward and less costly. Here’s what the ransomware recovery typically looks like:

1. Incident Detection and Containment: The organization identifies the ransomware attack and isolates affected systems to prevent further spread.
2. Damage Assessment: An IT team such as ATYXIT evaluate the extent of the attack and identify which systems and data have been compromised.
3. Backup Verification: The immutable backups are verified to ensure they haven’t been tampered with or encrypted by the ransomware.
4. System Restoration: Using the clean, immutable backups, the organization can quickly restore its systems and data without paying any ransom.
5. Business Continuity: With data and systems restored from immutable backups, the company can resume normal operations with minimal downtime and data loss.
6. Post-Incident Analysis: The organization conducts a thorough investigation to understand how the attack occurred and implements additional security measures to prevent future incidents.

Example: Gladstone Institutes, a research organization, implemented immutable backups using cloud storage solutions. When faced with a ransomware attack, they were able to quickly restore their critical research data from these backups, avoiding significant delays in their scientific work and potential loss of valuable research findings.

Recovering from a Ransomware Attack: Without Backups

For businesses without proper backup systems in place, recovering from a ransomware attack can be a nightmare scenario. Here’s what the ransomware recovery process often looks like for these businesses:

1. Panic and Assessment: Upon discovering the attack, the organization frantically tries to determine the extent of the damage and which systems are affected.
2. Limited Options: Without backups, the company faces two unappealing choices: pay the ransom or lose the data permanently.
3. Ransom Negotiation: If the organization decides to pay, they must negotiate with cybercriminals, often through cryptocurrency transactions, with no actual guarantee of data recovery.
4. Lengthy Decryption Process: Even if the ransom is paid and decryption keys are provided, the process of decrypting and restoring data can take days or weeks, resulting in extended downtime and loss of revenue.
5. Data Loss and Integrity Issues: There’s a high risk of permanent data loss, as not all files may be recoverable even after paying the ransom. Additionally, there’s no way to verify the integrity of the recovered data.
6. Financial and Reputational Damage: The organization suffers significant financial losses due to extended downtime, potential ransom payments, and damage to its reputation.
7. Rebuilding from Scratch: In worst-case scenarios, the company may need to rebuild its entire IT infrastructure and recreate lost data, a process that can take months and incur substantial costs.

Example: A small manufacturing company without proper backups fell victim to a ransomware attack. Unable to access their production schedules, customer orders, and financial records, they were forced to halt operations for weeks. The company ultimately paid the ransom but still lost several days of recent data and spent months rebuilding customer trust and catching up on delayed orders.

Best Practices for Ransomware-Resilient Backups

To ensure effective protection against ransomware, businesses should implement the following backup strategies:

1. Implement the 3-2-1 Backup Rule: Maintain at least three copies of data on two different media types, with one copy stored offsite. This is the bare minimum backup rule that ATYXIT offers as part of its Data Backup and Disaster Recovery services.
2. Use Immutable Storage: Leverage immutable storage solutions to prevent unauthorized modifications to backup data.
3. Regular Testing: Frequently test backup and recovery processes to ensure they work as expected.
4. Offline Backups: Keep at least one backup copy offline or air-gapped to prevent ransomware from accessing it.
5. Encryption: Use strong encryption for both data in transit and at rest to protect against unauthorized access.
6. Versioning: Maintain multiple versions of backups to increase the chances of having a clean, pre-attack copy.
7. Employee Training: Educate staff about ransomware threats and proper data handling procedures to reduce the risk of successful attacks or enroll staff into cyber security training like the one ATYXIT offers as part of its Managed IT Services.

In conclusion, data backups, especially immutable backups, play a crucial role in protecting businesses from the devastating effects of ransomware attacks. Organizations that implement robust backup strategies can recover quickly and efficiently, minimizing downtime and financial losses. In contrast, those without proper backups face a much more challenging and costly recovery process. By following best practices and investing in modern backup solutions, businesses can significantly enhance their resilience against ransomware and other cyber threats and make ransomware recovery the easiest it can be.

ATYXIT is a security-first Business IT Solutions Provider and Chicago Cloud Provider. We excel in supporting and evolving company networks. Our technical support, technology consulting, project management, cyber security and IT strategy services make us the ideal IT resource for small and medium sized businesses looking to leverage enterprise-grade technology solutions.

Reach out today if you need any assistance with your business technology!

The post Ransomware Recovery Guide appeared first on ATYXIT - Illinois IT Services and IT Support.

The FortiManager Vulnerability Explained

Fortinet’s FortiManager is a network management solution widely used by businesses to manage their Fortinet security infrastructure. On October 23, 2024, a zero-day vulnerability was disclosed in FortiManager, which has been actively exploited in the wild. This vulnerability stems from a missing authentication mechanism in the fgfmd daemon, allowing remote attackers to execute arbitrary code or commands without needing authentication (see: Google explanation). The vulnerability carries a CVSS v3 score of 9.8, indicating its critical severity. Exploitation of this flaw can lead to unauthorized access and control over FortiManager devices, potentially allowing attackers to exfiltrate sensitive data such as IP addresses, credentials, and configurations of managed devices. This can have severe consequences, including data breaches and further attacks on connected systems.

Implications for Small to Medium-Sized Businesses

For SMBs, the implications of such vulnerabilities are profound. Unlike larger enterprises, SMBs often lack the robust cybersecurity infrastructure and dedicated IT teams needed to defend against sophisticated cyber threats. This makes them attractive targets for cybercriminals who exploit vulnerabilities like CVE-2024-47575. A successful cyberattack can result in significant financial losses, reputational damage, and even business closure.

According to recent data, small businesses are increasingly targeted by cyberattacks due to their perceived vulnerabilities. Therefore, addressing cybersecurity proactively is not just a defensive measure but a strategic necessity for business continuity and growth.

The Importance of Trustworthy IT Partners

Given the complexity and ever-evolving nature of cybersecurity threats, it is crucial for SMBs to partner with reliable IT service providers who specialize in cybersecurity. Companies like ATYXIT offer tailored solutions that can help businesses navigate challenges such as this Fortigate vulnerability effectively.

Why Choose ATYXIT?

• Expertise in Cybersecurity: ATYXIT specializes in providing enterprise-level technology solutions at affordable prices for SMBs. Their expertise includes implementing robust cybersecurity measures that protect against threats like the FortiManager vulnerability.
• Local Presence: Being a local provider means we can offer personalized service and rapid response times. This is critical when dealing with urgent security threats that require immediate attention.
• Comprehensive IT Solutions: Beyond cybersecurity, ATYXIT provides a range of IT services including data backups, cloud services, patch management and much more. This holistic approach ensures that all aspects of your business technology are secure and optimized.

Staying Ahead of Cyber Threats

To effectively combat cyber threats like the FortiManager vulnerability, SMBs should adopt a proactive approach to cybersecurity:

• Regular Updates and Patching: Ensure that all software and systems are regularly updated to mitigate known vulnerabilities. For FortiManager users affected by CVE-2024-47575, updating to the latest patched version is critical or disabling port 541 from accepting public connections.
• Employee Training: Educate employees on cybersecurity best practices to prevent common attack vectors such as phishing and social engineering.
• Robust Security Policies: Implement strong security policies that include multi-factor authentication, data encryption, and regular security audits.
• Incident Response Planning: Develop an incident response plan that outlines steps to take in the event of a security breach. This should include communication strategies and recovery procedures.

Conclusion

The recent Fortigate vulnerability serves as a stark reminder of the cybersecurity challenges facing SMBs today. By understanding these risks and taking proactive measures, businesses can protect themselves from potentially devastating cyberattacks.

Partnering with a trusted IT provider like ATYXIT can provide the expertise and support needed to navigate this complex landscape effectively. Investing in cybersecurity is not just about protecting your business; it’s about ensuring its long-term success and sustainability in an increasingly digital world.

As threats continue to evolve, staying informed and prepared is your best defense against malicious actors seeking to exploit vulnerabilities like those found in FortiManager.

ATYXIT is a security-first Business IT Solutions Provider and Chicago Cloud Provider. We excel in supporting and evolving company networks. Our technical support, technology consulting, project management, cyber security and IT strategy services make us the ideal IT resource for local small and medium sized businesses.

Reach out today if you need any assistance with your business technology!

The post Understanding the Fortigate Vulnerability appeared first on ATYXIT - Illinois IT Services and IT Support.

Understanding BGP: The Internet’s Hidden Highway

Before we delve into the White House’s initiatives, it’s crucial to understand what BGP is and why it’s so important. Think of BGP as the traffic cop of the internet. It’s responsible for directing data packets across the vast network of networks that make up the global internet. When you send an email, stream a video, or browse a website, BGP is working behind the scenes to ensure your data reaches its destination efficiently. However, BGP was designed in a time when trust was assumed, and security was an afterthought. This has left it vulnerable to various attacks, including route hijacking, where malicious actors can redirect traffic, potentially leading to data theft or network outages. The consequences of BGP security can be far-reaching, affecting everything from personal communications to critical infrastructure.

The White House’s Multi-Pronged Approach

Recognizing the urgent need to address these vulnerabilities, the Biden administration has unveiled a comprehensive strategy to enhance BGP security.

Here’s a breakdown of the key components:

1. Mandating Federal Agency Compliance

The White House is taking a lead-by-example approach by requiring all federal agencies to implement BGP security best practices. This mandate includes:

• Implementing Resource Public Key Infrastructure (RPKI) to validate route origins
• Deploying route filtering mechanisms to prevent the propagation of illegitimate routes
• Regular audits and updates to ensure ongoing compliance

By setting a high standard for federal networks, the administration aims to create a model for the private sector to follow.

2. Incentivizing Private Sector Adoption

Recognizing that government action alone is not enough, the White House is also introducing incentives for internet service providers (ISPs) and other private sector entities to adopt similar security measures. These incentives may include:

• Tax breaks for companies that invest in BGP security upgrades
• Preferential treatment in government contracts for compliant organizations
• Public recognition and certification programs for companies that meet high security standards

The goal is to create a market-driven push towards better BGP security practices across the entire internet ecosystem.

3. Investing in Research and Development

To stay ahead of evolving threats, the administration is allocating increased funding for research and development of new BGP security technologies and protocols. This investment aims to:

• Foster innovation in routing security
• Develop more robust authentication mechanisms for BGP
• Create tools for real-time detection and mitigation of BGP-related attacks

By supporting cutting-edge research, the White House hopes to ensure that the U.S. remains at the forefront of internet security technology.

4. International Collaboration

Recognizing that the internet is a global resource, the Biden administration is also reaching out to international partners to promote BGP security on a global scale. This includes:

• Engaging in diplomatic efforts to establish international norms for secure routing practices
• Sharing best practices and technologies with allied nations
• Collaborating on joint research initiatives to address common challenges

By fostering international cooperation, the U.S. aims to create a more secure global internet infrastructure.

Challenges and Opportunities

While the White House’s initiatives are a significant step forward, implementing these changes across the vast and complex landscape of internet routing will not be without challenges. Some of the key hurdles include:

• Legacy Systems: Many organizations still rely on older networking equipment that may not support the latest security features.
• Cost Concerns: Upgrading to more secure BGP practices can be expensive, particularly for smaller ISPs and organizations.
• Technical Complexity: Implementing BGP security measures requires specialized knowledge and skills that may be in short supply.

However, these challenges also present opportunities for innovation and growth in the cybersecurity sector. We may see:

• A surge in demand for networking professionals with BGP security expertise
• The emergence of new tools and services to simplify BGP security implementation
• Increased collaboration between public and private sectors to address common challenges

What This Means for Internet Users

While much of the discussion around BGP security may seem technical, the implications for everyday internet users are significant. A more secure BGP infrastructure means:

• Reduced risk of service outages due to routing attacks
• Greater protection against certain types of phishing and man-in-the-middle attacks
• Increased confidence in the integrity of online transactions and communications

In essence, these initiatives aim to make the internet a safer and more reliable place for everyone.

Looking Ahead: The Future of Internet Security

The White House’s focus on BGP security is part of a broader trend towards treating cybersecurity as a critical national security issue. As we move forward, we can expect to see:

• Continued emphasis on securing fundamental internet protocols and infrastructure
• Greater integration of security considerations into the design of new technologies
• Increased public awareness of cybersecurity issues and best practices

The initiatives around BGP security serve as a reminder that the internet, despite its ubiquity, is a complex and evolving system that requires ongoing attention and investment to remain secure and reliable.

Conclusion: A Step Towards a More Secure Digital Future

The White House’s BGP security initiatives represent a significant milestone in the ongoing effort to secure the internet’s core infrastructure. By addressing vulnerabilities in how data is routed across the global network, these measures aim to create a more resilient and trustworthy internet for all users. While challenges remain, the comprehensive approach taken by the Biden administration—combining regulatory mandates, private sector incentives, research investment, and international collaboration—provides a strong foundation for progress. As these initiatives unfold, we can look forward to a future where the internet’s hidden highways are not just efficient, but also secure and reliable. In an interconnected world where digital security is more critical than ever, these steps towards securing BGP are not just technical upgrades—they’re investments in the future of our digital society.

ATYXIT is a security-first Business IT Solutions Provider and Chicago Cloud Provider. We excel in supporting and evolving company networks. Our technical support, technology consulting, project management, cyber security and IT strategy services make us the ideal IT resource for local small and medium sized businesses.

Reach out today if you need any assistance with your business technology!

The post The White House on BGP Security appeared first on ATYXIT - Illinois IT Services and IT Support.

What are YubiKeys?

YubiKeys are small USB devices that provide an extra layer of security when logging into accounts. They’re widely used by companies and individuals to protect sensitive information.

The YubiKey Vulnerability:
The researchers found a way to potentially clone these keys by exploiting a weakness in how the devices process information. This weakness is called a “side-channel vulnerability.”

How the Attack Works:

1. An attacker would need physical access to the YubiKey in question.
2. They would use special equipment to measure tiny changes in the device’s power consumption.
3. By analyzing these changes, they could potentially figure out the secret key stored in the YubiKey.
4. With this information, they could create a clone of the original key.

Important Points:

• This attack is complex and requires specialized knowledge and equipment.
• It’s not something that can be done remotely or easily.
• The researchers notified Yubico (the company that makes YubiKeys) about this issue.

Yubico’s Response:

• Yubico acknowledged the research but stated that the risk to users is low.
• They emphasized that an attacker would need prolonged physical access to the key to carry out this attack.
• Yubico is working on updates to address this vulnerability in future products.

What Users Should Do:

• Continue using your YubiKeys as they still provide strong security.
• Be cautious about who has physical access to your YubiKey.
• Consider using the YubiKey’s touch-required feature for added security.

The Bigger Picture:

This research highlights that even highly secure devices can have vulnerabilities. It’s a reminder of the ongoing challenge in cybersecurity to stay ahead of potential threats. In conclusion, while this vulnerability is concerning, YubiKeys remain a strong security tool when used properly. Users should stay informed but don’t need to panic about this specific discovery.

ATYXIT is a security-first Business IT Solutions Provider and Chicago Cloud Provider. We excel in supporting and evolving company networks. Our technical support, technology consulting, project management, cyber security and IT strategy services make us the ideal IT resource for local small and medium sized businesses.

Reach out today if you need any assistance with your business technology!

The post YubiKey Vulnerability Discovered appeared first on ATYXIT - Illinois IT Services and IT Support.

The Anatomy of Fake Email Order Scams

The modus operandi of these scammers is alarmingly simple yet effective. Individuals or businesses receive an email that appears to be a confirmation of an order they never placed. These fake email orders are meticulously crafted to mimic the correspondence from reputable companies, with GeekSquad being one of the most commonly impersonated brands. The goal? To sow enough confusion and concern that the recipient feels compelled to act.

Embedded within these emails is the bait: a customer support number that the recipient is urged to call if they have any questions or wish to cancel the purported order. However, this number doesn’t connect to the legitimate customer service of the impersonated company but rather to the scammers themselves. Once on the phone, the scammers deploy a variety of tactics to extract personal information, financial details, or direct payment to “cancel” the non-existent order.

Recognizing and Reacting to Fake Email Orders

The key to not falling victim to these scams lies in vigilance and a critical eye. Here are some red flags to watch for:

• Unexpected Order Confirmations: If you receive an order confirmation for a purchase you didn’t make, it’s a significant warning sign.
• Generic Greetings: Scammers often use generic greetings like “Dear Customer” instead of your name.
• Inconsistencies and Errors: Look out for typos, grammatical errors, and inconsistencies in the email address or domain.
• Unsolicited Contact Numbers: Legitimate companies will not pressure you to call an unsolicited number for order disputes.

Upon spotting a suspicious email, the best course of action is to directly contact the company allegedly sending the email through their official website or customer service number. Do not use any contact information provided in the suspicious email.

The Crucial Role of Anti-Spam Solutions

In the fight against fake email order scams, anti-spam solutions are your first line of defense. These tools are designed to filter out potential scam emails before they even reach your inbox, using sophisticated algorithms to detect the hallmarks of spam and phishing attempts. By utilizing a robust mail anti-spam solution, you significantly reduce the risk of these scams reaching you or your employees, protecting both personal and business assets.

The Importance of Local IT Support

While individual vigilance and anti-spam solutions play a critical role in safeguarding against fake email orders, the value of professional IT support cannot be overstated. A local IT provider, such as ATYXIT, brings a wealth of knowledge and experience in dealing with these scams. They can offer customized solutions tailored to your specific needs and vulnerabilities, ensuring an added layer of protection. We stay abreast of the latest scam trends and tactics, enabling us to implement proactive measures to prevent these scams from impacting your operations.

Choosing a local IT partner like ATYXIT means having a dedicated team that understands the unique threats faced by businesses and individuals in your area. They can offer immediate, on-the-ground support and advice, helping to mitigate any potential damage from fake email orders and other cyber threats via our cyber security solutions.

Conclusion

The trend of fake email orders is a stark reminder of the ingenuity and persistence of online scammers. These scams represent a significant threat, exploiting the trust individuals and businesses place in digital communication. However, by staying informed, exercising caution, and leveraging the right tools and support, it’s possible to navigate these hazardous waters safely. Remember, in the digital age, knowledge and preparedness are your best allies against the cunning of cybercriminals.

The post Fake Email Orders and How to Stop Them appeared first on ATYXIT - Illinois IT Services and IT Support.

What is CEO Fraud?

CEO fraud involves cybercriminals impersonating senior executives, often the CEO, to deceive employees, customers, or vendors into transferring money or sensitive information to fraudulent accounts. These scammers employ sophisticated social engineering tactics, combined with detailed research on their targets, to create emails that appear legitimate, making the scam difficult to detect.

The Mechanics of an Attack

The process begins with the attacker gaining access to a senior executive’s email account through phishing or other means. They may also create a lookalike domain that closely resembles the target company’s, using it to send deceptive emails. For example, if your business domain is wayneaccounting.tld, a scammer will purchase wayneaccounling.tld or wayneaccountling.tld and use the new domain to send out emails. The fraudster, posing as the CEO or another top executive, then instructs an employee to perform an urgent transfer of funds or to send confidential information, often with the pretext of closing a confidential deal or resolving a purported emergency.

The Financial Toll

The financial impact of CEO fraud is staggering. According to the Federal Bureau of Investigation (FBI), businesses worldwide have lost billions of dollars to BEC scams over the past few years. In just one year, reported losses exceeded $1.8 billion, a testament to the effectiveness of these scams and the importance of vigilance.

Protecting Your Business

Third-Party Mail Filtering Tools

One of the first lines of defense against CEO fraud is implementing third-party mail filtering tools. These tools scrutinize incoming emails for signs of phishing, such as suspicious attachments or links, and inconsistencies in email addresses that could indicate a spoofed domain. By filtering out potentially harmful emails, these tools significantly reduce the risk of an employee accidentally engaging with a fraudulent request.

Employee Training

Equally important is the ongoing education and training of employees. They should be made aware of the tactics used by fraudsters and taught to recognize the signs of a phishing email. Regular training sessions can help instill a culture of security awareness, ensuring employees think twice before responding to email requests for fund transfers or sensitive information, especially when such requests deviate from standard procedures.

Collaborating with a Local IT Provider

Partnering with a local IT provider like ATYXIT can offer personalized support and training tailored to your business’s specific needs is invaluable. As part of our cyber-security services we conduct regular security assessments, implement effective cybersecurity measures, and provide cyber security training to your employees. This hands-on approach ensures that your team is not only aware of the risks but also equipped with the knowledge to combat threats effectively.

Key Takeaways for Business Leaders

• Be Proactive, Not Reactive: Implementing preventative measures before an attack occurs is crucial. This means investing in the right technology and training to protect your business.
• Foster a Culture of Security: Encourage employees to question unusual requests, even if they appear to come from senior executives. A healthy level of skepticism can prevent fraud.
• Regularly Update Security Measures: Cyber threats evolve rapidly, and so should your defense strategies. Regular updates and training sessions are essential.
• Collaborate with Experts: A security conscious provider like ATYXIT can offer invaluable insights and support tailored to your business’s unique vulnerabilities and needs.

Conclusion

CEO fraud represents a significant threat to businesses worldwide, but with the right strategies in place, it’s a threat that can be effectively mitigated. By understanding the mechanics of these scams, implementing advanced mail filtering solutions, providing comprehensive employee training, and partnering with a local IT provider, businesses can protect themselves against the financial and reputational damage caused by CEO fraud. In the digital age, where cyber threats are constantly evolving, staying informed, vigilant, and proactive is the key to safeguarding your business’s future.

ATYXIT is a security-focused Business IT Solutions Provider based out of Streamwood, Illinois. We excel in supporting and evolving company networks. Our technical support, technology consulting, project management, cyber security and IT strategy services make us the ideal IT resource for local small and medium sized businesses.

Reach out today if you need any assistance with your business technology.

The post The Rising Threat of CEO Fraud appeared first on ATYXIT - Illinois IT Services and IT Support.

What is Ransomware?

Ransomware is a type of malicious software designed to deny access to a computer system or data until a ransom is paid. Typically, cyber-criminals infiltrate a network through phishing emails, compromised websites, or exploiting vulnerabilities in software. Once inside, ransomware encrypts files, rendering them inaccessible to the rightful owners. The attackers then demand payment, often in cryptocurrency, in exchange for decryption keys.

Impact on Businesses

The impact of ransomware on businesses cannot be overstated. According to recent studies, the number of businesses impacted by ransomware surged dramatically in 2022 and 2023. Reports indicated that tens of thousands of businesses fell victim to ransomware attacks during these years, causing significant financial losses, operational disruptions, and reputational damage.

Financial Costs

The financial costs associated with ransomware attacks are staggering. Not only are businesses forced to pay hefty ransom demands to regain access to their data, but they also incur additional expenses related to downtime, recovery efforts, legal fees, and damage to their brand reputation. On average, the cost of recovering from a ransomware attack can run into hundreds of thousands or even millions of dollars, depending on the scale and severity of the incident.

Moreover, the average ransom payment demanded by cyber-criminals has also been on the rise. In 2022 and 2023, ransomware gangs demanded increasingly exorbitant sums, further exacerbating the financial burden on affected businesses.

Why Paying Ransom is Not the Solution

While it may be tempting for businesses to consider paying the ransom to quickly regain access to their data, doing so only perpetuates the cycle of cyber crime. There is no guarantee that paying the ransom will actually result in the full restoration of data, and it emboldens attackers to target more organizations in the future. Additionally, complying with ransom demands may violate legal and regulatory requirements, further complicating the situation for businesses.

The Importance of Preparation and Prevention

Instead of succumbing to ransom demands, businesses should focus on preparing themselves to mitigate the impact of ransomware attacks. This entails implementing robust cybersecurity measures, including regular data backups, network segmentation, employee training on cybersecurity best practices, and deploying advanced threat detection and prevention solutions.

Partnering with a knowledgeable IT partner such as ATYXIT that specializes in cybersecurity and ransomware recovery is crucial for businesses looking to fortify their defenses against cyber threats. A reputable IT partner can assess the organization’s vulnerabilities, develop a comprehensive cybersecurity strategy, and deploy backup solutions that are immune to ransomware attacks.

Conclusion

Ransomware poses a significant threat to businesses of all sizes, with the potential to cause irreparable harm to operations and finances. However, by understanding the nature of ransomware, its impact on businesses, and the importance of proactive measures for recovery and prevention, organizations can better safeguard themselves against this insidious threat. By investing in robust cybersecurity measures and partnering with experienced IT professionals, businesses can bolster their defenses and minimize the risk of falling victim to ransomware attacks.

ATYXIT consists of a group of specialists specializing in supporting and evolving company networks in industries such as Legal, Construction, Logistics, Medical, and more. From technical support to high level consulting services, project management, cyber security, and IT strategy, we’re no match for any other IT providers.

While the majority of our services are provided to small and medium sized businesses in Illinois, we can assist anyone in the United States thanks to the very same technology we provide to our clients. See just some of the Areas We Service.

Reach out today to secure your business with no commitment required.

The post Ransomware Recovery: Safeguarding Your Business appeared first on ATYXIT - Illinois IT Services and IT Support.

Security Reports

Mandiant, a leading cybersecurity company, has released a report outlining two prominent USB drive malware campaigns observed this year. The first campaign, named ‘Sogu,’ has been attributed to a Chinese espionage threat group called ‘TEMP.HEX.’ Sogu is currently the most aggressive USB-assisted cyber-espionage campaign, targeting industries worldwide with the primary objective of stealing valuable data. The victims of Sogu malware are located in a wide range of countries, including the United States, France, the UK, Italy, Poland, Austria, Australia, Switzerland, China, Japan, Ukraine, Singapore, Indonesia, and the Philippines. The sectors affected vary from pharmaceuticals and IT to energy, communications, health, and logistics.

Sogu malware achieves persistence through various means, including the creation of a registry Run key and the utilization of Windows Task Scheduler to ensure regular execution. It employs a payload called ‘Korplug,’ which loads C shellcode into memory via DLL order hijacking, necessitating the victim’s execution of a legitimate file. Once established, Sogu conducts system reconnaissance by dropping a batch file onto ‘RECYCLE.BIN,’ scanning for valuable data contained in MS Office documents, PDFs, and other text files. The discovered files are encrypted using base64 and copied to both the host’s C:\ drive and the working directory on the flash drive. The exfiltration of these document files to the command-and-control (C2) server occurs over TCP or UDP using HTTP or HTTPS requests.

Sogu’s capabilities extend beyond data theft, with support for command execution, file execution, remote desktop access, screenshot capturing, establishing reverse shells, and keylogging. Notably, any connected drives automatically receive a copy of Sogu’s initial compromise file to facilitate lateral movement within the network through USB drive malware.

Snowydrive

Another campaign highlighted by Mandiant is ‘Snowydrive,’ attributed to UNC4698, which specifically targets oil and gas firms in Asia. Snowydrive infects computers through a backdoor mechanism that enables attackers to execute arbitrary payloads, modify the registry, and perform file and directory actions. Similar to Sogu, Snowydrive relies on deceiving victims into launching what appears to be a legitimate executable on a USB drive. This action triggers the extraction and execution of the malware components stored within a folder named ‘Kaspersky.’ The backdoor, which is based on shellcode, loads into the process of a legitimate archive unzip software called ‘CUZ.exe.’

Snowydrive’s backdoor offers various commands for file operations, data exfiltration, reverse shell setup, command execution, and reconnaissance. To evade detection, the malware utilizes a malicious DLL side-loaded by a legitimate Notepad++ updater named ‘GUP.exe.’ This technique allows Snowydrive to conceal file extensions and protect specific files labeled as “system” or “hidden.”

USB Drive Malware Traction

These USB-based attacks continue to gain traction in 2023 due to their ability to bypass security mechanisms, remain stealthy, gain initial access to corporate networks, and even infect air-gapped systems that are isolated from unsecured networks for enhanced security. Mandiant’s investigation reveals that print shops and hotels often serve as infection hotspots for USB malware. It is essential to recognize that given the random and opportunistic nature of these backdoors, any system equipped with a USB port becomes a potential target.

Moreover, it is worth noting that in November 2022, Mandiant had already highlighted a USB-based campaign originating from China, which utilized USB devices to infect entities in the Philippines with four distinct malware families. Additionally, in January 2023, the Unit 42 team from Palo Alto Networks uncovered a variant of PlugX malware capable of hiding within USB drives and infecting connected Windows hosts. These reports further emphasize the growing threat posed by USB-delivered malware and the need for robust cybersecurity measures to mitigate these risks.

ATYXIT provides every one of our partners with a Cyber Security stack that outperforms all these viruses and malicious attacks functions and helps ensure the technology in your business continues to function, just like your business.

Contact us to improve the way your business does technology.

We Make IT Easy. See the areas we service.

The post Rise in USB drive malware attacks appeared first on ATYXIT - Illinois IT Services and IT Support.

The majority of malicious e-mail campaigns use Word documents to hide and spread malware, however, a recently discovered campaign uses a malicious PDF file in combination with a 22-year-old Office bug to spread the Snake Keylogger malware. A trusted IT partner should utilize and provide your company with a next-generation anti-virus to thwart such common attack methods.

The campaign—discovered by researchers at HP Wolf Security—aims to trick victims with via a PDF file purporting to have information about a remittance payment. Instead, it deploys info-stealing malware via an embedded Word document file.

“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.”

Most attackers to date have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats.

“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.

The new campaign does use PDF in the file lure, however, it later employs Microsoft Word to deliver the ultimate payload—the Snake Keylogger, researchers found. Snake Keylogger is a malware developed using .NET that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including stored credentials, computer keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.

‘Unusual’ Campaign

The HPW Wolf Security team noted that the new PDF-based threat campaign involved not just a PDF but also “several tricks to evade detection, such as embedded malicious files, loaded remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.

Attackers attempt to target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf” as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file.

“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt.”

The .docx file is stored as an EmbeddedFile object within the PDF, which opens the file in Microsoft Word if clicked on. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.

Researchers unzipped the contents of the .rtf—which is an Office Open XML file—finding a URL hidden in the “document.xml.rels” file that is not a legitimate domain found in Office documents.

17-Year-Old Bug Exploited

The aforementioned URL leads to a redirect and then downloads an RTF document called “f_document_shp.doc. This document contained two “not well-formed” OLE objects that revealed shellcode exploiting  CVE-2017-11882, which researchers said is an “over four-years-old” remote code execution vulnerability (RCE).

The bug that attackers leverage in the campaign is actually one that Microsoft patched more than four years ago–in 2017, to be exact—but actually had existed some 17 years before that, making it 22 years old now.

As the final act of the attack, researchers found shellcode stored in the “OLENativeStream” structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed to lead to an executable called fresh.exe that loads the Snake Keylogger.

Cyber-attacks are on the rise, and we’re happy to help you attain the protection your business needs against attacks. Please contact us if you require IT assistance!

The post Snake Keylogger Spreading through PDFs appeared first on ATYXIT - Illinois IT Services and IT Support.

This issue was originally brought to light after several Windows administrators started sharing reports on Reddit of some policies failing after installing this month’s security updates.

Microsoft explained that “After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).”

The OOB Windows Updates released today (05/19/2022) are available only via the Microsoft Update Catalog and will not be offered or installed through Windows Update. In the event you are experiencing any issues after the May 2022 Patch Tuesday, it is important that you install the emergency update for Windows AD Authentication issues.

The following cumulative updates have been released for installation on Domain Controllers:

• Windows Server 2022: KB5015013 
• Windows Server, version 20H2: KB5015020 
• Windows Server 2019: KB5015018 
• Windows Server 2016: KB5015019 

Microsoft also released standalone updates: 

• Windows Server 2012 R2: KB5014986 
• Windows Server 2012: KB5014991 
• Windows Server 2008 R2 SP1: KB5014987 
• Windows Server 2008 SP2: KB5014990 

These updates can be manually imported into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.

If you require assistance with preventing the installation of problematic updates, please don’t hesitate to reach out to us and we’ll be happy to help you. As part of our Managed IT Services, we manage and review all updates and patches before they are installed on your devices.

The post Microsoft issues emergency update for Windows AD Authentication Issues appeared first on ATYXIT - Illinois IT Services and IT Support.