News

Technical Advisory

Critical vulnerability in Apple iPhone detected – Apple issues forced global update


Attention iPhone users! Overnight on the 26th August 2016, Apple released a critical patch for its iPhone and iPad software that addresses three previously unknown vulnerabilities, which together could give a malicious user complete access to and control over an iPhone.

Codenamed “Pegasus”, the malware gives attackers full control of the iOS device, and unfortunately for iOS users, becoming infected could be as simple as clicking a link on a website.

From the news.com.au article on the attack:

“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls,” he said.

“It also basically backdoors every communications mechanism you have on the phone,”

“It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram — you name it.”

Apple recommends updating your iPhone immediately via Settings > General > Software Update.

We recommend that you back up your iPhone first, so that you don’t lose any photos or data. iPhones are notorious for botched updates that require a factory reset, so play it safe and back up your phone before you run the upgrade. If you need a hand, just let us know!


Update: TeamViewer accounts breached – serious security threat to systems


Serious security threat to systems, risk reduced by swift, proactive action

Teamviewer Hacked
Important note and update: regarding this breach, it is important that our clients understand that activIT systems does not use TeamViewer for remote connections to client systems, so the majority of our clients’ computers are unaffected by this TeamViewer security issue.

However, a number of our clients are engaged with third party vendors, and TeamViewer is commonly used by those vendors to remotely support line of business applications. Many of these third party vendors access our clients’ systems while those systems are unattended, and many of those systems are server environments. In addition, many people use TeamViewer for casual access to remote computers that they own. It is highly feasible that, should one of those systems be breached, our clients would not know about it until it is far too late.

As security is our responsibility, we have taken a proactive approach and implemented a short term security measure to mitigate the risk to our clients: disabling TeamViewer on our clients’ systems, where we have those systems under our management.

We encourage all clients to liaise with your third party software vendors in order to ensure that they have changed the passwords associated with their TeamViewer accounts; for our clients on our activCare service plan, we will be doing this for you this week.

Original notice issued this morning by activIT systems
It has recently been reported that there have been a large number of TeamViewer users having their computers accessed by unauthorised third parties. It appears that this situation has occurred due to TeamViewer’s systems being breached, with account credentials stolen, thus allowing access to the PCs within the associated account. There have been reports of PCs being accessed and online banking, PayPal and other financial related services having money stolen from within.

To protect our clients from having this happen, we have disabled the TeamViewer remote access software on all PCs we have under management, to prevent any unauthorised parties from gaining control of them. If you require the use of this software, please contact us to discuss the options available and to allow us to determine whether it is safe for you to use TeamViewer.

More information on TeamViewer accounts is available from here: https://www.teamviewer.com/en/help/410-what-is-a-teamviewer-account-and-how-do-i-sign-up-for-one

News reports from affected users are available here: http://arstechnica.com/security/2016/06/teamviewer-users-are-being-hacked-in-bulk-and-we-still-dont-know-how/

A response from TeamViewer regarding the situation is available here: http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/

If you have any queries please contact us or phone us on 1300 228 480.


eDellRoot certificate security issue – our clients are now safe


activIT systems has issued a security fix that will automatically apply to all Dell PCs under our care – regardless of whether you’re on a contract with us or not – to address a potential security issue identified a few days ago by security researchers that affects certain Dell systems. The vulnerability could allow malicious or fraudulent websites to present themselves as legitimate.

This fix has been applied automatically and “silently” to affected systems from 5pm Thursday 26th November. If you would like to test for yourself whether your system is vulnerable, you can click the link below to check your system. The test website is only compatible with Google Chrome or Internet Explorer, and will not work on Firefox.

Click Here to test if your system is vulnerable to the eDellRoot certificate issue

If the site loads and displays an image, your PC is vulnerable to this security flaw. If your browser warns you of a security error when you attempt to view it, your PC is not vulnerable to the issue. If the test indicates your PC is at risk, please inform us so we can take action to fix the problem.

If you’d like to manually run the fix or inform your colleagues that are using IT providers other than us, it can be downloaded from Dell’s website.

Unfortunately, security threats like this are becoming increasingly common online, and it’s important to take steps to protect yourself. Our computerCare protection solution ensures that you have an effective and current antivirus, keeps your software and operating system updated with the latest security fixes, and constantly monitors your PC for potential threats.


Beware of unexpected “Scanned Documents” arriving in your Inbox .. they’re laden with viruses


It seems the scammers are getting craftier by the minute, now sending you fake emails with attachments, using your own domain name, and purporting to be from your own scanner or photocopier!

In the example below, it looks like a legitimate scan-to-email you’d expect from a multifunction centre or photocopier, however there are a few giveaways that indicate that the message is suspicious:

  1. Unexpected file format: The scanned document is not a PDF or a JPG file, but rather a Microsoft Word .DOC file. Only a minority of scanners – typically high-end units configured for Optical Character Recognition – can send you a .DOC file directly from the scanner itself
  2. Unexpected scanner model: The scanner model, in this case a Fuji Xerox DocuCentre, doesn’t actually exist in our company!
  3. Unexpected sender email address: None of the scan-to-emails that our photocopier sends come from reception@activitsystems.com.au ..
  4. Unexpected email! In this case, I wasn’t expecting any scan-to-email messages. Alarm bells are ringing!!

[Screenshot: the fake “Scan Data from FX-D6DBE1” message as received on 23 October 2015]
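As an added illustration (not code from the original post), the three machine-checkable giveaways above can be turned into a small triage check using Python’s standard email library. The known scanner id, the legitimate sender address and the sample message below are constructed values, not real ones; the fourth giveaway, “I wasn’t expecting a scan”, is left to the human reading the mail.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Site-specific expectations: constructed, assumed values for illustration.
EXPECTED_ATTACHMENT_TYPES = {".pdf", ".jpg", ".jpeg", ".tif", ".tiff"}
KNOWN_SCANNER_IDS = {"FX-A1B2C3"}                      # constructed device id
EXPECTED_SCANNER_SENDERS = {"scanner@example.com.au"}  # assumed legitimate sender
SCANNER_ID_RE = re.compile(r"scan data from ([a-z0-9-]+)", re.IGNORECASE)


def scan_to_email_indicators(raw: bytes) -> list[str]:
    """Return the giveaways found in one raw RFC 822 message; empty means none found.

    Covers the three machine-checkable signs from the post (attachment format,
    scanner id in the subject, sender address). "I wasn't expecting a scan" is
    a human judgement and is left to the reader.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. A scanner emails PDFs or images; a Word .DOC "from a scanner" is odd.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in EXPECTED_ATTACHMENT_TYPES:
            findings.append(f"unexpected attachment type: {name or '(unnamed)'}")

    # 2. The device id in the subject should belong to a scanner you actually own.
    match = SCANNER_ID_RE.search(str(msg.get("Subject", "")))
    if match and match.group(1).upper() not in KNOWN_SCANNER_IDS:
        findings.append(f"unknown scanner id in subject: {match.group(1)}")

    # 3. Your own domain in the From address is not enough; it must be the
    #    mailbox the scanner is actually configured to send from.
    hdr = msg.get("From")
    sender = hdr.addresses[0].addr_spec.lower() if hdr and hdr.addresses else ""
    if sender not in EXPECTED_SCANNER_SENDERS:
        findings.append(f"unexpected sender address: {sender or '(missing)'}")
    return findings


def build_sample_message(sender="reception@example.com.au",
                         subject="Scan Data from FX-D6DBE1",
                         filename="Scan_001.doc") -> bytes:
    """Constructed lookalike of the fake scan-to-email described in the post."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.com.au"
    msg["Subject"] = subject
    msg.set_content("Please see the attached scanned document.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 placeholder bytes, not a real document",
                       maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_to_email_indicators(build_sample_message()):
        print("SUSPICIOUS:", finding)
```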

Importantly, it seems that the virus-laden email is evading detection by many spam filters and antivirus applications. Talk amongst our industry peers is rife with reports of the email successfully bypassing many different spam filters and antivirus applications.

If you spot an unusual and unexpected email like the above, DO NOT OPEN THE ATTACHMENT! If in doubt, please check with us – contact us on 1300 228 480, or forward the suspect email to support@aitsys.com.au

Thanks, and keep your Inbox safe!


Critical Flaws in Adobe Flash, Reader, Shockwave and Java


Critical security patches have been released for the popular Adobe Flash, Reader and Oracle Java software, which most people have installed on their PCs. We urge everyone to install the latest versions of these products. If you use Internet Explorer on Windows, please also install the latest Windows updates, which include the latest version of Flash Player for Internet Explorer. Google Chrome users will be updated automatically via the Chrome auto-update function.

All of the applications listed above are updated automatically for our clients on our computerCare and activCare services, which check for updates to these applications and many more twice daily.

See this article for further information about the exploits: http://krebsonsecurity.com/2015/07/adobe-ms-oracle-push-critical-security-fixes/

Please don’t hesitate to contact us should you have any concerns about the security and safety of your computer systems, by phone on 1300 228 480 or online at www.aitsys.com.au/support


Los Pollos Hermanos – more ransomware doing the rounds, disguised as chicken


Aaaaand the Crypto viruses keep coming… This time, using the popular TV show Breaking Bad’s fictional food outlet as a gimmick.

In what appears to be a salute to the TV show, the Breaking Bad ransomware appears on your system showing the Los Pollos Hermanos chicken chain from the show.

Behind this notice the virus is similar to previous crypto viruses. If infected, your computer’s files become encrypted, and in order to get your files back the virus directs you to a website where you can pay a ransom using untraceable Bitcoins. The ransom appears to vary between $450 and $1000.

[Screenshot of the virus on the screen, demanding ransom from you. Doesn’t even ask if you’d like fries with that!]

The infection does appear to require user intervention to set it off and bypass virus scanners – note that virus scanners will protect you from viruses but only up to the point where you “open the door” and let them in.

The virus appears to arrive via email in the form of a courier email with a PDF document attached. Upon opening this document, which appears to look quite legitimate, the virus is unleashed and begins to wreak havoc on your system.

So please, be sceptical of unknown senders in your email, and check them thoroughly before opening. If an email looks suspicious, chances are it probably is and should be deleted immediately.


Australian Federal Police phishing scam – they’re at it again!


Doing the rounds at the moment is an email purporting to be from the AFP, telling you that you’ve got a traffic infringement and you need to click on the button to download the notice.

This email reeks of being suspicious – and it is. It’s a fairly convincing phishing email, until you look at it with a skeptical eye.

[Screenshot: the AFP traffic infringement notice 2015 phishing email]

How to quickly spot this is a scam

  1. We are fairly certain the AFP does not issue traffic infringements – that is best left to the state police. The AFP have far better things to do than chase up negligent drivers.
  2. Why would the AFP send you an email rather than a letter in the mail, and how would they even know your email address?
  3. It’s anonymous – it doesn’t have YOUR name on it.
  4. The date of issue and due date are both four years in the past, making this infringement well overdue. More likely the AFP are after you for missing your court date, after you didn’t pay your fine in 2011.
  5. The email gives you an option to unsubscribe, which is very odd. What would be the purpose of unsubscribing from a notification like this .. so you don’t get any more fines in the future? Sweet!

The link to ‘see your traffic infringement’, actually takes you to a Russian website, selling such random items as 44 gallon drums, rechargeable batteries, and apparently Samsung Galaxy tablets. There doesn’t appear to be any malicious payload either, however we really recommend not to click on the ‘see your traffic infringement’ button anyway.

[Screenshot: the dodgy Russian website the link leads to]


Thunderbolts and lightning, very very frightening … if you’re a modem


The home of one of our business clients was struck by lightning back in January, causing most of the electrical devices in the house to stop working. They’ve been hanging on to a “mystery bag” for us since then. We picked it up from them late last week, only to find burnt out wires, blown up plastic, scorch marks, and exploded circuit boards and electrical components. It’s their Netgear modem!!

With lightning striking a tall gum tree about 40 metres from the house, the electrical current tore through the house and literally blew the modem to smithereens. The AC power pack was blown out of the power board and its two prongs were bent by the force of the current; capacitors and other circuitry within the modem exploded, and the modem itself was smashed to pieces.

You can imagine what kind of damage this would cause to a PC or server, and why top quality power protection for IT equipment is so essential in any business. Thankfully our client’s laptop was not attached to the power grid at the time!


Moral of the story: If you rely on your IT equipment, don’t skimp on power protection. If you do want to skimp on power protection, then don’t skimp on your backup strategy!


New dangerous file locker and ransomware encountered – Win32/VirLock.J


Uh oh! Win32/VirLock.J
We were unlucky enough to encounter the really nasty Win32/VirLock.J virus at a client we just started working with yesterday, on a system that was not protected by any antivirus. The really nasty virus packs three punches:

  1. It locks you out of your system, asking you to pay a ransom in Bitcoin – recovery from this is possible but not straight forward
  2. It encrypts your files and embeds the virus itself in those files – but the virus changes slightly, morphing and making it harder to detect
  3. When you try to view one of the encrypted files, the virus decrypts the file and then installs itself on your system – this means if you try to open the file on another computer, you’ll infect that computer as well.

This particular issue has clocked up around 7 hours of work to clean it up thus far .. and what makes it worse, the client does not yet have adequate backup in place on this system, which performs critical tasks at their retail store.

We don’t yet know how this virus made its way onto the system, but the suspects at the moment are USB key sharing and running unpatched Java and Adobe Flash plugins in a web browser (this is so easy to prevent it’s not funny – we do it with computerCare automatically for you each day).

Please please please – if you have important data on your laptop or desktop, ensure you run top quality antivirus, regularly patch your applications and web browsers, and have an automated data backup system in place for the important data.

Additional information is available here: http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter

A file infected with VirLock will be embedded into a Win32 PE file and the .exe extension appended to its name, unless it was already an executable file. When it is executed, it decrypts the original file from within its body, drops it to the current directory and opens it. The decryption methods are described later in the article. This behavior clearly sets it apart from typical filecoders.

VirLock then installs itself by dropping two randomly named instances of itself (not copies – the virus is polymorphic, so every instance is unique) into the %userprofile% and %allusersprofile% directories and adds entries in the Run registry keys under HKCU and HKLM so that they are launched when Windows boots up. These instances, which only contain the virus body without a host file to decrypt, are then launched. More recent variants of VirLock also drop a third instance that is registered as a service. This approach serves as a simple self-defense mechanism for the malware – processes and files get restored when they’re terminated or deleted.
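As an added example, not code from the original post or from the welivesecurity article, the persistence behaviour described in the excerpt can be turned into a quick defender’s check: flag Run-key entries under HKCU and HKLM that launch a program sitting directly in a profile root such as %userprofile% or %allusersprofile%, and recognise files whose name has .exe appended to a document extension. The registry reading is Windows-only and uses the standard winreg module; the sample entries, names and paths are constructed, not real malware indicators.

```python
import os
from pathlib import PureWindowsPath

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under both HKCU and HKLM


def executable_from_command(command: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def in_profile_root(exe_path: str, profile_roots) -> bool:
    """True when the program sits directly in a root like %userprofile% or %allusersprofile%."""
    parent = str(PureWindowsPath(exe_path).parent).lower()
    return any(parent == str(PureWindowsPath(r)).lower() for r in profile_roots if r)


def suspicious_run_entries(entries, profile_roots):
    """entries: iterable of (hive, value_name, command); returns flagged (hive, name, exe)."""
    hits = [(hive, name, executable_from_command(cmd)) for hive, name, cmd in entries]
    return [h for h in hits if in_profile_root(h[2], profile_roots)]


def looks_like_virlock_host(filename: str) -> bool:
    """'Invoice.docx.exe': a document name with .exe appended, as the excerpt describes."""
    stem, ext = os.path.splitext(filename.lower())
    return ext == ".exe" and os.path.splitext(stem)[1] not in ("", ".exe")


def read_run_entries():
    """Windows only: read both Run keys with the stdlib winreg module; [] elsewhere."""
    if os.name != "nt":
        return []
    import winreg
    entries = []
    for hive, root in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(root, RUN_SUBKEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((hive, name, str(value)))
        except OSError:  # hive or key not readable from this account
            pass
    return entries


# Constructed sample data (not real malware names or paths) so the checks run offline.
SAMPLE_ROOTS = [r"C:\Users\jane", r"C:\ProgramData"]
SAMPLE_ENTRIES = [
    ("HKCU", "OneDrive", r'"C:\Users\jane\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "XyQrTz", r"C:\Users\jane\XyQrTz.exe"),
    ("HKLM", "kLpWmN", r'"C:\ProgramData\kLpWmN.exe"'),
]

if __name__ == "__main__":
    live = read_run_entries()
    roots = [os.environ.get("USERPROFILE"), os.environ.get("ALLUSERSPROFILE")] if live else SAMPLE_ROOTS
    for hit in suspicious_run_entries(live or SAMPLE_ENTRIES, roots):
        print("Run entry launching from a profile root:", hit)
```

A legitimate program occasionally lives in a profile root too, so treat a hit as a lead to inspect, not proof of infection.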


FessLeak – new drive-by malware that encrypts your data without you even doing anything


[Image: FessLeak – MapQuest example of a drive-by infection attempt]

PC users beware – we’ve received reports of a new type of malware that can encrypt your data against your will, in the same vein as the CryptoWall family of viruses. This time the malware gets onto your system when you visit any ordinary web page that displays an advertisement: if the advertisement is compromised, your computer can download and install the malware without you even knowing.

Here’s a snippet from Invincea.com:

Ransomware malvertising can strike at any time, and it typically is dropped from clickbait articles on popular websites or simply by visiting popular sites like DailyMotion.com. You can be checking out someone’s “Granny opening a new iPhone video” when you are suddenly confronted with a full screen announcing all your files and photos have been one-way encrypted and to get them back you have to pay a bitcoin ransom to a criminal organization. There may be no worse feeling in the digital age than having all your personal files, family albums, and work encrypted and held for a ransom.

Although ransomware has been in the news since CryptoLocker (CriLock) made its debut, we continue to see new innovations in ransomware. More advanced versions now use file-less infections and communicate via the Tor network. They can also check to ensure the host is not running on a virtual machine to frustrate security researchers and analysis.

More information available on www.invincea.com

Our recommendations to protect yourself online

  1. Ensure your antivirus software is up to date with the latest definitions
  2. Ensure your web browsers such as Internet Explorer, Firefox, and Chrome, are up to date with the latest versions
  3. Ensure plugins such as Adobe Flash and Java are up to date, as many exploits are delivered via these plugins
  4. Ensure your important data is regularly backed up, because if you don’t want to pay the ransom to the hackers, restoring from backup is the only way to get your data back
  5. Remain vigilant and inform your IT support team if you suspect anything is occurring on your computer system that is out of the ordinary

The top three items in the list above are taken care of automatically by our computerCare service, which installs patches for these items for you within 24 hours of a patch being released by the software vendor.

If you have any queries please don’t hesitate to contact us.
