Endpoint Security Risk Study Shows Major Rise in Fileless Malware Attacks

The Ponemon Institute has published the findings of a new report on endpoint security risk, which shows that ransomware attacks have occurred at most companies, the risk of fileless malware attacks has increased significantly, and successful cyberattacks are resulting in average losses of more than $5 million.

For the Barkly-sponsored endpoint security risk study, the Ponemon Institute surveyed 665 IT security professionals that were responsible for the management of their organization’s security risk.

7 out of ten respondents claimed endpoint security risk was significantly higher this year than in 2016, and one of the biggest threats was now fileless malware. Companies are still using traditional anti-virus and anti-malware solutions, although they are not effective at preventing fileless malware attacks.

Fileless malware is not detected by most anti-virus solutions since no files are written to the hard drive. Instead, fileless malware remains in the memory, oftentimes leveraging legitimate system tools to gain persistence and spread to other devices on the network.

These fileless malware attacks are occurring far more frequently, with respondents estimating a 20% rise in attacks in 2017. 29% of all cyberattacks in 2017 involved fileless malware, and the threat is expected to continue to increase, and will account for more than a third of all attacks in 2018.

The switch from file-based malware to fileless malware is understandable. The attacks are often successful. 54% of companies surveyed said they had experienced at least one cyberattack that resulted in data being compromised, and 77% of those attacks involved exploits or fileless malware. 42% of respondents said they had experienced a fileless malware attack that resulted in systems or data being compromised in 2017.

Fileless malware attacks are increasing, but so are ransomware attacks. Over half of companies that took part in the endpoint security risk study said they had experienced at least one ransomware attack in 2017, while four out of ten firms experienced multiple ransomware attacks. Even though most companies backup their files, 65% of respondents said they had paid a ransom to recover their data, with the average amount being $3,675. The primary method of ransomware delivery is email.

While the ransom payments may be relatively low, that represents only a small proportion of the costs of such attacks. For the endpoint security risk study, firms were asked to estimate the total cost of cyberattacks – On average, each successful attack on endpoints cost an average of $5,010,600 to resolve – $301 per employee.

Protect Against Malware Attacks by Blocking the Primary Delivery Vector

Email is the primary method for distributing malware. Implementing a spam filtering solution, preferably a gateway solution, can keep an organization protected from malicious emails and will prevent malicious messages from being delivered to end users, and is important for helping organizations manage endpoint security risk.

Many companies opt for an email gateway filtering appliance – an appliance located between the firewall and email server. These solutions are powerful, but they come at a cost since the appliance must be purchased. These appliance-based solutions also lack scalability.

If you want the power of an appliance, but want to keep costs to a minimum, consider a solution such as SpamTitan. SpamTitan offers the same power as a dedicated appliance, without the need to purchase any additional hardware. SpamTitan can be deployed as a virtual appliance on existing hardware, offering the same level of protection as an email gateway filtering appliance at a fraction of the cost.

Don’t Forget to Train Your Employees to be More Security Conscious

A recent InfoBlox survey on healthcare organizations in the United States and United Kingdom revealed that companies in this sector are realizing the benefits of training employees to be more security aware, although only 35% of firms currently provide training to employees.

No matter what email filtering solution you use, there will be times when spammers succeed, and messages are delivered. It is therefore important that staff are trained how to identify and respond to suspicious emails. If end users are not aware of the threats, and do not know how to recognize potential phishing emails, there is a higher chance of them engaging in risky behavior and compromising their device and the network.

Microsoft Patches 17-Year Old MS Office Remote Code Execution Vulnerability

A serious MS Office remote code execution vulnerability has been patched by Microsoft – One that would allow malware to be installed remotely with no user interaction required. The flaw has been present in MS Office for the past 17 years.

The flaw, which was discovered by researchers at Embedi, is being tracked as CVE-2017-11882. The vulnerability is in the Microsoft Equation Editor, a part of MS Office that is used for inserting and editing equations – OLE objects – in documents: Specifically, the vulnerability is in the executable file EQNEDT32.exe.

The memory corruption vulnerability allows remote code execution on a targeted computer, and would allow an attacker to take full control of the system, if used with Windows Kernel privilege exploits. The flaw can be exploited on all Windows operating systems, including unpatched systems with the Windows 10 Creators Update.

Microsoft addressed the vulnerability in its November round of security updates. Any unpatched system is vulnerable to attack, so it is strongly advisable to apply the patch promptly. While the vulnerability could potentially have been exploited at any point in the past 17 years, attacks exploiting this MS Office remote code execution vulnerability are much more likely now that a patch has been released.

The flaw does not require the use of macros, only for the victim to open a specially crafted malicious Office document. Malicious documents designed to exploit the vulnerability would likely arrive via spam email, highlighting the importance of implementing a spam filtering solution such as SpamTitan to block the threat.

End users who are fooled into opening a malicious document can prevent infection by closing the document without enabling macros. In this case, malware would be installed simply by opening the document.

Microsoft has rated the vulnerability as important, rather than critical, although researchers at Embedi say this flaw is “extremely dangerous.” Embedi has developed a proof of concept attack that allowed them to successfully exploit the vulnerability. The researchers said, “By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it),”

EQNEDT32.exe is run outside of the Microsoft Office environment, so it is therefore not subject to Office and many Windows 10 protections. In addition to applying the patch, security researchers at Embedi recommend disabling EQNEDT32.EXE in the registry, as even with the patch applied, the executable still has a number of other vulnerabilities. Disabling the executable will not impact users since this is a feature of Office that is never needed by most users.

Ordinypt Malware: A New Wiper Disguised as Ransomware

Ordinypt malware is currently being used in targeted attacks on companies in Germany. While Ordinypt malware appears to victims to be ransomware, the malware is actually a wiper.

Infection sees files made inaccessible, and as with ransomware, a ransom demand is issued. The attackers ask for 0.12 Bitcoin – around $836 – to restore files.

Ordinypt malware does not encrypt files – it simply deletes the original file name and replaces it with a random string of letters and numbers. The contents of files are also replaced with random letters and numbers.

Even if the ransom demand is paid, the attackers do not have a mechanism to allow victims to recover their original files. The only sure-fire way to recover files is to restore them from a backup. In contrast to many ransomware variants that make it difficult to recover files by deleting Windows Shadow Volume copies, those are left intact, so it may be possible for users to recover some of their files.

Ordinypt malware – or HSDFSDCrypt as it was originally known – was discovered by Michael Gillespie. A sample of the malware was obtained and analyzed by German security researcher Karsten Hahn from G Data Security. G Data Security renamed the malware Ordinypt.

Hahn notes that Ordinypt malware is poorly written with a bad coding style, indicating this is not the work of a skilled hacker. Hahn said, this is “A stupid malware that destroy information of enterprises and innocent people and try steal money.”

The attackers are using a common technique to maximize the number of infections. The malware is disguised as PDF files which are distributed via spam email. The messages claim to be applications in reply to job adverts. Two files are included in a zip file attachment, which appear to be a resume and a CV.

While the files appear to be PDFs, and are displayed as such, they actually have a double extension. If the user’s computer has file extensions hidden, all that will be displayed is filename.pdf, when in actual fact the file is filename.pdf.exe. Clicking on either of the files will run the executable and launch Ordinypt malware.

In recent months there have been several wiper malware variants detected that pretend to be ransomware. The attackers are taking advantage of the publicity surrounding ransomware attacks, and are fooling end users into paying a ransom, when there is no way of recovering files. It is not clear whether the reason for the attacks is to make money. It is possible that these attacks are simply intended to cause disruption to businesses, as was the case with the NotPetya wiper attacks.

Regardless of how poorly written this malware is, it is still effective and can cause significant disruption to businesses. Protecting against this, and other email-based malware threats, requires a combination of end user training and technology.

End users should be informed of the risks of opening attachments from unknown senders and should assume that all such emails could be malicious. In this case, the malware is poorly written but the emails are not. They use perfect German and are highly believable. HR employees could be easily fooled by a ruse such as this.

The best protection against threats such as these is an advanced spam filter such as SpamTitan. Preventing these emails from reaching inboxes is the best defense.

By configuring the spam filter to block executable files, the messages will be rerouted to a quarantine folder rather than being delivered, mitigating the threat.

For further information on how a spam filter can help to block email-based threats and to register for a free trial of SpamTitan for your business, contact the TitanHQ team today.

Ursnif Banking Trojan Uses New Tactic to Spread More Rapidly

A new variant of the Ursnif banking Trojan has been detected and the actors behind the latest campaign have adopted a new tactic to spread the malware more rapidly.  

Ransomware attacks may make the headlines, but banking Trojans can cause considerably more damage. The $60 million heist from a Taiwanese bank last month shows just how serious infection with banking Trojans can be. The Dridex Trojan raked in more than $40 million in 2015.

The Ursnif banking Trojan is one of the most commonly used Trojans. As with other banking Trojans, the purpose of the Ursnif Trojan is to steal credentials such as logins to banking websites, corporate bank details, and credit card numbers. The stolen credentials are then used for financial transactions. It is not uncommon for accounts to be emptied before the transactions are discovered, by which time the funds have cleared, have been withdrawn, and the criminal’s account has been closed. Recovering the stolen funds can be impossible.

Infection will see the malware record a wide range of sensitive data, capturing credentials as they are entered through the browser. The Ursnif banking Trojan also takes screenshots of the infected device and logs keystrokes. All of that information is silently transmitted to the attacker’s C2 server.

Banking Trojans can be installed in a number of ways. They are often loaded onto websites where they are downloaded in drive-by attacks. Traffic is generated to the malicious websites via malvertising campaigns or spam emails contacting hyperlinks. Legitimate websites are compromised using brute force tactics, and kits loaded to the sites that prey on individuals who have failed to keep their software up to date. Oftentimes, downloads are sent via spam email, hidden in attachments.

Spam email has previously been used to spread the Ursnif banking Trojan, and the latest campaign is no different in that respect. However, the latest campaign uses a new tactic to maximize the chance of infection and spread infections more rapidly and widely. Financial institutions have been the primary target of this banking Trojan, but with this latest attack method they are far more widespread.

Infection will see the user’s contact list abused and spear phishing emails sent to each of the user’s contacts. Since the spear phishing emails arrive from a trusted email account, the likelihood of the emails being opened is significantly increased. Simply opening the email will not result in infection. For that to occur, the recipient must open the email attachment. Again, since it has come from a trusted sender, that is more likely.

The actors behind this latest Ursnif banking Trojan campaign have another trick to increase trust and ensure their payload is delivered. The spear phishing emails contain message threads from past conversations. The email appears to be a response to a previous email, and include details of past conversations.

A short line of text is included as a prompt to get the recipient to open the email attachment – A Word document containing a malicious macro. That macro needs to be authorized to run – if macros have not been set to run automatically, but it will not until the Word document is closed. When the macro runs, it launches PowerShell commands that download the Ursnif Trojan, which then starts logging activity on the infected device and sends further spear phishing emails to the new victim’s contact list.

This is not a brand-new tactic, but it is new to Ursnif – and it is likely to see infections spread much more quickly. Further, the malware incorporates a number of additional tactics to hamper detection, allowing information to be stolen and bank accounts emptied before infection is detected – the Trojan even deletes itself once it has run.

Malware is constantly evolving, and new tactics are constantly developed to increase the likelihood of infection. The latest campaign shows just how important it is to block email threats before they reach end users’ inboxes.

With an advanced spam filter such as SpamTitan in place, malicious emails can be blocked to stop them from reaching end user’s inboxes, greatly reducing the risk of malware infections.

Silence Trojan Used in New Wave of Cyberattacks on Financial Institutions

A new wave of cyberattacks on financial institutions using malware called the Silence Trojan has been detected. In contrast to many attacks on banks that target the bank customers, this attack targets the bank itself. The attack method bears a number of similarities to the attacks conducted by the Eastern European hacking group, Carbanak.

The Silence Trojan is being used to target banks and other financial institutions in several countries, although so far, the majority of victims are in Russia. The similarity of the Silence Trojan attacks to Carbanak suggests these attacks could be conducted by Carbanak, or a spinoff of that group, although that has yet to be established.

The attacks start with the malicious actors behind the campaign gaining access to banks’ networks using spear phishing campaigns. Spear phishing emails are sent to bank employees requesting they open an account. The emails are well written, and the premise is believable, especially since in many cases the emails are sent from within using email addresses that have previously been compromised in other attacks. When emails are sent from within, the requests seem perfectly credible.

Some of these emails were intercepted by Kaspersky Lab. Researchers report that the emails contain a Microsoft Compiled HTML Help file with the extension .chm.

These files contain JavaScript, which is run when the attachments are opened, triggering the download of a malicious payload from a hardcoded URL. That initial payload is a VBS script, which in turn downloads the dropper – a Win32 executable binary, which enables contact to be established between the infected machine and the attacker’s C2 server. Further malicious files, including the Silence Trojan, are then downloaded.

The attackers gain persistent access to an infected computer and spend a considerable amount of time gathering data. Screen activity is recorded and transmitted to the C2, with the bitmaps combined to form a stream of activity from the infected device, allowing the attackers to monitor day to day activities on the bank network.

This is not a quick smash and grab raid, but one that takes place over an extended period. The aim of the attack is to gather as much information as possible to maximize the opportunity to steal money from the bank.

Since the attackers are using legitimate administration tools to gather intelligence, detecting the attacks in progress is complicated. Implementing solutions to detect and block phishing attacks can help to keep banks protected.

Since security vulnerabilities are often exploited, organizations should ensure that all vulnerabilities are identified and corrected.  Kaspersky Lab recommends conducting penetration tests to identify vulnerabilities before they are exploited by hackers.

Kaspersky Lab notes that when an organization has already been compromised, the use of .chm attachments in combination with spear phishing emails from within the organization has proved to be a highly effective attack method for conducting cyberattacks on financial institutions.

Malicious Spam Email Volume Jumps 85%: Malicious URLs Favored Over Attachments

2017 has seen a major rise in malicious spam email volume. As the year has progressed, the volume of malicious messages sent each month has grown. A new report from Proofpoint shows malicious spam email volume rose by 85% in Q3, 2017.

A deeper dive into the content of those messages shows cybercriminals’ tactics have changed. In 2017, there has been a notable rise in the use of malicious URLs sent via email compared to malicious attachments containing malware. URL links to sites hosting malware have jumped by an astonishing 600% in Q3, which represents a 2,200% increase since this time last year. This level of malicious URLs has not been seen since 2014.

The links direct users to malicious websites that have been registered by cybercriminals, and legitimate sites that have been hijacked and loaded hacking toolkits. In many cases, simply clicking on the links is all that is required to infect the user’s computer with malware.

While there is a myriad of malware types now in use, the biggest threat category in Q3 was ransomware, which accounted for 64% of all email-based malware attacks. There are many ransomware variants in use, but the undisputed king in Q3 was Locky, accounting for 55% of total message volume and 86% of all ransomware attacks. There was also a rising trend in destructive ransomware – ransomware that encrypts files but does not include the option of letting victims’ recover their files.

The second biggest malware threat category was banking Trojans, which accounted for 24% of malicious spam email volume. Dridex has long been a major threat, although in Q3 it was a Trojan called The Trick that become the top banking Trojan threat. The Trick Trojan was used in 70% of all banking Trojan attacks.

Unsurprisingly, with such as substantial rise in malicious spam email volume, email fraud has also risen, up 12% quarter over quarter and up 32% from this time last year.

Cybercriminals are constantly changing tactics and frequently switch malware variants and attack methods, but for the time being at least, exploit kits are still not favored. Exploit kit attacks are at just 10% of the level of last year’s high, with spam email now the main method of malware delivery.

With malicious spam email volume having increased once again, and a plethora of new threats and highly damaging malware attacks posing a very real risk, it is essential that businesses double down on their defenses. The best way to defend against email threats is to improve spam defenses. An advanced spam filtering solution is essential for blocking email threats. The more malicious emails that are captured and prevented from being delivered, the lower the chance of end users clicking on malicious links and downloading malware.

SpamTitan blocks more than 99.9% of spam emails, helping to keep inboxes free from malware threats. No single solution can block all email threats, so a spam filtering solution should be accompanied with endpoint security solutions, web filters to block malicious links from being visited, antimalware and antivirus solutions, and email authentication technology.

While it is easy to concentrate on technology to protect against email threats, it is important not to forget to train employees to be more security aware. Regular training sessions, cybersecurity newsletters and bulletins about the latest threats, and phishing simulation exercises can help employees improve their threat detection skills and raise cybersecurity awareness.

Global Data Breach Study Shows 1.9 Billion Records Were Exposed in the First Half of 1017

A global data breach study by Gemalto provides valuable insights into data breaches reported over the first six months of 2017, showing there has been a significant increase in data breaches and the number of records exposed.

Barely a day has gone by without a report of a data breach in the media, so it will probably not come as a surprise to hear that data breaches have risen again in 2017. What is surprising is the scale of the increase. Compared to the first six months of 2016 – which saw huge numbers of data breaches reported – 2017 saw a 13% increase in incidents. However, it is the scale of those breaches that is shocking. 2017 saw 164% more records exposed than in 2016.

During the first six months of 2017, a staggering 918 data breaches were confirmed, resulting in 1.9 billion records and email credentials being exposed or stolen. Further, that figure is a conservative. According to Gemalto’s global data breach study, it is unknown how many records were compromised in 59.3% of data breaches between January and June 2017.

What is clear is the data breaches are increasing in size. Between January and the end of June, there were 22 breaches reported that each impacted more than 1 million individuals.

To put the global data breach study figures into perspective, more than 10.5 million records were exposed each day in the first half of 2017 – or 122 records per second.

What is the Biggest Cause of Data Breaches in the First Half of 2017?

While malicious insiders pose a significant threat, and caused 8% of breaches, accidental loss of devices or records accounted for 18% of incidents. But the biggest cause of data breaches was malicious outsiders, who caused 74% of all tracked data breaches.

However, in terms of the severity of breaches, it is accidental loss that tops the list. There many have only been 166/918 breaches due to accidental loss according to the global data breach study, but those incidents accounted for 86% of all records – That’s 1.6 billion.

Malicious outsiders may have caused the most breaches – 679/918 – but those breaches involved just 13% of the total number of records – 254 million. In the first half of 2016, malicious outsiders were the leading breach cause and data breaches and accounted for 76% of breached records.

It is worth noting that while malicious insiders were responsible for just 8% of incidents, those incidents saw 20 million records exposed. Compared to 2016, that’s a 4114% increase.

Which Regions Had the Most Data Breaches in the First Half of 2017?

While North America was the hardest hit, accounting for 88% of all reported breaches, that does not necessarily mean that most breaches are occurring in the United States. In the U.S. there are far stricter reporting requirements, and companies are forced to disclose data breaches.

In Europe, many companies choose not to announce data breaches. It will therefore be interesting to see how the figures change next year. From May 2018, there will be far stricter reporting requirements due to the introduction of the General Data Protection Regulation (GDPR). For this report, there were 49 reported breaches in Europe – 5% of the total. 40% of those breaches were in the United Kingdom. There were 47 breaches in the Asia Pacific region – 5% of the total – with 15 in India and the same percentage in Australia.

Which Industries Suffer the Most Data Breaches?

The worst affected industry was healthcare, accounting for 25% of all breaches. However, bear in mind that HIPAA requires healthcare organizations to report all breaches in the United States. The financial services industry was in second place with 14% of the total, followed by education with 13% of breaches. The retail industry recorded 12% of breaches, followed by the government on 10% and technology on 7%.

In terms of the number of records breached, it is ‘other industries’ that were the worst hit. Even though that group accounted for just 6% of breaches they resulted in the exposure of 71% of records. Government breaches accounted for 21% of the total, followed by technology (3%), education (2%), healthcare (2%) and social media firms (1%).

How Can These Breaches be Stopped?

In the most part, these data breaches occurred due to poor cybersecurity protections, basic security failures, poor internal security practices, and the failure to use data encryption. Previous research by PhishMe has shown that 91% of data breaches start with a phishing email. Anti-spam defenses are therefore critical in preventing data breaches. If phishing emails are prevented from being delivered, a large percentage of external attacks can be stopped.

Organizations that have yet to use two factor authentication should ensure that this basic security control is employed. Employees should receive cybersecurity awareness training, and training programs should be ongoing. In particular, employees should be trained how to identify phishing emails and the actions they should take when a suspicious email is encountered.

Accidental loss of data from lost and stolen devices can be prevented with the use of encryption, although most accidental losses were due to poorly configured databases. Organizations should pay particular attention to their databases and cloud instances, to make sure they are appropriately secured and cannot be accessed by unauthorized individuals.

Bad Rabbit Ransomware Hits Russia, Ukraine and Europe

Bad Rabbit ransomware attacks have been reported throughout Russia, Ukraine, and Eastern Europe. While new ransomware variants are constantly being developed, Bad Rabbit ransomware stands out due to the speed at which attacks are occurring, the ransomware’s ability to spread within a network, and its similarity to the NotPetya attacks in June 2017.

Bad Rabbit Ransomware Spreads via Fake Flash Player Updates

While Bad Rabbit ransomware has been likened to NotPetya, the method of attack differs. Rather than exploit the Windows Server Message Block vulnerability, the latest attacks involve drive-by downloads that are triggered when users respond to a warning about an urgent Flash Player update. The Flash Player update warnings have been displayed on prominent news and media websites.

The malicious payload packed in an executable file called install_flash_player.exe. That executable drops and executes the file C:\Windows\infpub.dat, which starts the encryption process. The ransomware uses the open source encryption software DiskCryptor to encrypt files with AES, with the keys then encrypted with a RSA-2048 public key. There is no change to the file extension of encrypted files, but every encrypted file has the .encrypted extension tacked on.

Once installed, it spreads laterally via SMB. Researchers at ESET do not believe bad rabbit is using the ETERNALBLUE exploit that was incorporated into WannaCry and NotPetya. Instead, the ransomware uses a hardcoded list of commonly used login credentials for network shares, in addition to extracting credentials from a compromised device using the Mimikatz tool.

Similar to NotPetya, Bad Rabbit replaces the Master Boot Record (MBR). Once the MBR has been replaced, a reboot is triggered, and the ransom note is then displayed.

Victims are asked to pay a ransom payment of 0.5 Bitcoin ($280) via the TOR network. The failure to pay the ransom demand within 40 hours of infection will see the ransom payment increase. It is currently unclear whether payment of the ransom will result in a valid key being provided.

So far confirmed victims include the Russian news agencies Interfax and Fontanka, the Ministry of Infrastructure of Ukraine, the Odessa International Airport, and the Kiev Metro. In total there are believed to have been more than 200 attacks so far in Russia, Ukraine, Turkey, Bulgaria, Japan, and Germany.

How to Block Bad Rabbit Ransomware

To prevent infection, Kaspersky Lab has advised companies to restrict the execution of files with the paths C:\windows\infpub.dat and C:\Windows\cscc.dat.

Alternatively, those files can be created with read, write, and execute permissions removed for all users.

US-CERT Warns of Phishing Attacks on Energy Companies

On Friday, the U.S. Department of Homeland Security’s (DHS) computer emergency readiness team (US-CERT) issued a new warning about phishing attacks on energy companies and other critical infrastructure sectors.

Advanced persistent threat (APT) actors are conducting widespread attacks on organizations in the energy, aviation, nuclear, water, and critical manufacturing sectors. Those attacks, some of which have been successful, have been occurring with increasing frequency since at least May 2017. The group behind the attack has been called Dragonfly by AV firm Symantec, which reported on the attacks in September.

DHS believes the Dragonfly group is a nation-state sponsored hacking group whose intentions are espionage, open source reconnaissance and cyberattacks designed to disrupt energy systems.

These cyberattacks are not opportunistic like most phishing campaigns. They are targeted attacks on specific firms within the critical infrastructure sectors. While some firms have been attacked directly, in many cases the attacks occur through a ‘staging’ company that has previously been compromised. These staging companies are trusted vendors of the targeted organization. By conducting attacks through those companies, the probability of an attack on the target firm succeeding is increased.

DHS warns that the attackers are using several methods to install malware and obtain login credentials. The phishing attacks on energy companies have included spear phishing emails designed to get end users to reveal their login credentials and malicious attachments that install malware.

In the case of the former, emails direct users to malicious websites where they are required to enter in their credentials to confirm their identity and view content. While some websites have been created by the attackers, watering hole attacks are also occurring on legitimate websites that have been compromised with malicious code. DHS warns that approximately half of the attacks have occurred through sites used by trade publications and informational websites “related to process control, ICS, or critical infrastructure.”

Phishing emails containing malicious attachments are used to directly install malware or the files contain hyperlinks that direct the user to websites where a drive-by malware download occurs. The links are often shortened URLS creating using the bit.ly and tinyurl URL shortening services. The attackers are also using email attachments to leverage Windows functions such as Server Message Block (SMB) protocol to retrieve malicious files. A similar SMB technique is also used to harvest login credentials.

The malicious attachments are often PDF files which claim to be policy documents, invitations, or resumés. Some of the phishing attacks on energy companies have used a PDF file attachment with the name “AGREEMENT & Confidential.” In this case, the PDF file does not include any malicious code, only a hyperlink to a website where the user is prompted to download the malicious payload.

US-CERT has advised companies in the targeted sectors that the attacks are ongoing, and action should be taken to minimize risk. Those actions include implementing standard defenses to prevent web and email-based phishing attacks such as spam filtering solutions and web filters.

Since it is possible that systems may have already been breached, firms should be regularly checking for signs of an intrusion, such as event and application logs, file deletions, file changes, and the creation of new user accounts.

Average Enterprise Data Breach Cost Now $1.3 Million

The average enterprise data breach cost has risen to $1.3 million, according to a new report from antivirus firm Kaspersky Lab – An increase of $100,000 year over year. Small to medium size businesses are also having to dig deeper to remediate data breaches. The average data breach cost for SMBs is now $117,000.

For the cost of a data breach study, Kaspersky Lab surveyed more than 5,000 businesses, asking questions about how much firms are spending on data breach resolution and how those costs are split between various aspects of the breach response. Businesses were also asked about future spending and how much their IT security budgets are increasing year over year.

The survey reveals that in North America, the percentage of the budget being spent on IT security is increasing. However, overall budgets are reducing, so the net spend on IT security has decreased year over year. Last year, businesses were allocating 16% of their budgets to IT security, which has risen to 18% this year. However, average enterprise IT security budgets have dropped from $25.5 million last year to just $13.7 million this year.

Breaking Down the Enterprise Data Breach Cost

So how is the enterprise data breach cost broken down? What is the biggest cost of resolving a data breach? The biggest single data breach resolution cost is additional staff wages, which costs an average of $207,000 per breach.

Other major costs were infrastructure improvements and software upgrades ($172,000), hiring external computer forensics experts and cybersecurity firms ($154,000), additional staff training ($153,000), lost business ($148,000), and compensation payments ($147,000).

The average SMB data breach resolution cost was $117,000. The biggest costs were contracting external cybersecurity firms to conduct forensic investigations and the loss of business as a direct result of a breach, both cost an average of $21,000 each. Additional staff wages cost $16,000, increases in insurance premiums and credit rating damage cost an average of $11,000, new security software and infrastructure costs were $11,000, and new staff and brand damage repair cost $10,000 each. Further staff training and compensation payouts cost $9,000 and $8,000 respectively.

The high cost of data breach mitigation shows just how important it is for enterprises and SMBs to invest in data breach prevention and detection technologies. Blocking cyberattacks is essential, but so too is detecting breaches when they do occur. As the IBM/Ponemon Institute 2017 Cost of a Data Breach Study showed, the faster a breach is detected, the lower the enterprise data breach cost will be.

The Importance of an Effective Spam Filter

There are many potential vulnerabilities that can be exploited by hackers, so it is important for businesses of all sizes to conduct regular risk assessments to find holes in their defenses before cybercriminals do. A risk management plan should be devised to address any vulnerabilities uncovered during the risk assessment. Priority should be given to the most serious risks and those that would have the greatest impact if exploited.

While there is no single cybersecurity solution that can be adopted to prevent data breaches, one aspect of data breach prevention that should be given priority is a software solution that can block email threats. Spam email represents the biggest threat to organizations. Research conducted by PhishMe suggests 91% of all data breaches start with a phishing email. Blocking those malicious emails is therefore essential.

TitanHQ has developed a highly effective spam filtering solution for enterprises – and SMBs – that blocks more than 99.9% of spam email, preventing phishing emails, malware, and ransomware from reaching employees’ inboxes.

To find out how SpamTitan can protect your business from email threats, for a product demonstration and to register for a free trial of SpamTitan, contact the TitanHQ team today.

Email Authentication Technology Now Mandatory for All U.S. Federal Agencies

The U.S. Department of Homeland Security (DHS) has made the use of email authentication technology mandatory for all federal agencies.

There have been numerous email security incidents affecting government agencies in recent years. Federal agencies are a major target for spammers, scammers, and phishers and the email security defenses of federal agencies are constantly tested.

One of the latest incidents involved the spoofing of an email account used by Jared Kushner, causing considerable embarrassment for White House officials. Homeland Security Adviser Tom Bosser was one of the individuals who was fooled into believing the emails were genuine. In his case, the emails were not part of a phishing campaign but were just ‘a bit of fun’ by a UK prankster. However, there are plenty of individuals and groups that have much more sinister motives.

When those cybercriminals succeed, not only is it a major embarrassment for government agencies, it can pose a major threat to national security. When national security is at stake, it pays to have excellent email defenses. However, in the United States (and elsewhere) they are often found to be lacking.

Action clearly needs to be taken to prevent phishing attacks, reduce the potential for government domains to be spoofed, and to make it much harder for phishing emails to be delivered to federal employees’ inboxes. Agari has reported that 90% of 400 government agencies’ protected domains have been targeted with deceptive emails and 25% of all federal agency emails are fraudulent. Even so, email authentication technology is often not used. That is, until now.

DHS Makes DMARC Mandatory for Federal Agencies

Now the DHS has taken action and has made it mandatory for all federal agencies to adopt DMARC. While some federal agencies have already implemented DMARC – the Social Security Administration and the Federal Trade Commission for example – they number in the few. Only 9% of domains have implemented DMARC and use it to block unauthenticated emails, while 82% of federal domains do not use the DMARC email authentication standard at all. Now all federal agencies have been given just 30 days to submit a plan of action and 90 days to implement DMARC. DHS has also made it mandatory for all federal websites to be switched to a secure connection (HTTPS) and for STARTTLS to be implemented for email.

DMARC is an email authentication technology that can be adopted to help authenticate emails, block spam, and reduce the volume of phishing emails that are delivered to inboxes. DMARC is not infallible, but it does offer an additional layer of protection for email, reducing the volume of email threats by around 77%. DMARC also restricts use of domains to legitimate senders. By adopting DMARC, when consumers receive an email from a federal agency such as the IRS, FEMA, or DHHS, they should be able to trust that email, at least once DMARC is implemented.

Many Businesses Struggle with DMARC

While some large enterprises have already adopted DMARC, two thirds of Fortune 500 companies do not use DMARC at all. Implementing the email authentication control is not without its problems. For small to medium sized businesses, implementing DMARC can be problematic. Part of the problem is many businesses need to secure their own internal email systems, but also cloud-based email, and third-party mailing services such as MailChimp or Salesforce. The task of implementing DMARC is often seen as too complex, and even when DMARC is used, it often fails and rarely are the full benefits gained. Consider that even when DMARC is adopted, 23% of phishing emails still make it past defenses, and it is easy to see why it is often not implemented. That said, email authentication technology is required to keep businesses protected from phishing threats.

SpamTitan Protects Businesses from Email Threats

Office 365 uses DMARC to help filter out phishing emails, but on its own it is not sufficient to block all threats. Businesses that use Office 365 can greatly improve their defenses against malicious emails by also adopting a third-party spam filtering solution such as SpamTitan.

SpamTitan incorporates many of the control mechanisms used by Microsoft, but also adds greylisting to greatly improve spam detection rates. Greylisting involves rejecting all emails and requesting they are resent. Since genuine emails are resent quickly, and spam emails are typically not resent as spam servers are busy conducting huge spamming campaigns, this additional control helps to identify far more malicious and unwanted emails. This additional control, along with the hundreds of checks performed by SpamTitan helps to keep spam detection rates well above 99.9%.

If you want to secure your email and block more phishing threats, contact the TitanHQ team today for more information on how SpamTitan can help to keep your inboxes spam free and your networks protected from malware and ransomware.

DoubleLocker Ransomware: An Innovative New Android Threat

DoubleLocker ransomware is a new Android threat, which as the name suggests, uses two methods to lock the device and prevent victims from accessing their files and using their device.

As with Windows ransomware variants, DoubleLocker encrypts files on the device to prevent them from being accessed. DoubleLocker ransomware uses a powerful AES encryption algorithm to encrypt stored data, changing files extensions to .cryeye

While new ransomware variants sometimes have a poorly developed encryption process with flaws that allow decryptors to be developed, with DoubleLocker ransomware victims are out of luck.

While it is possible for victims to recover their files from backups, first they must contend with the second lock on the device. Rather than combine the encryption with a screen locker, DoubleLocker ransomware changes the PIN on the device. Without the PIN, the device cannot be unlocked.

Researchers at ESET who first detected this new ransomware variant report that the new PIN is a randomly generated number, which is not stored on the device and neither is it transmitted to the attacker’s C&C. The developers allegedly have the ability to remotely delete the PIN lock and supply a valid key to decrypt data.

The ransom demand is much lower than is typical for Windows ransomware variants, which reflects the smaller quantity of data users store on their smartphones. The ransom demand is set at 0.0130 Bitcoin – around $54. The payment must be made within 24 hours of infection, otherwise the attackers claim the device will be permanently locked. The malware is set as the default home app on the infected device, which displays the ransom note. The device will be permanently locked, so the attackers claim, if any attempts are made to block or remove DoubleLocker.

Researchers at ESET have analyzed DoubleLocker ransomware and report that it is based on an existing Android banking Trojan called Android.BankBot.211.origin, although the ransomware variant does not have the functionality to steal banking credentials from the user’s device.

While many Android ransomware variants are installed via bogus or compromised applications, especially those available through unofficial app stores, DoubleLocker is spread via fake Flash updates on compromised websites.

Even though this ransomware variant is particularly advanced, it is possible to recover files if they have been backed up prior to infection. The device can also be recovered by performing a factory reset. If no backup exists, and the ransom is not paid, files will be lost unless the device has been rooted and debugging mode has been switched on prior to infection.

This new threat shows just how important it is to backup files stored on mobile devices, just as it is with those on your PC or Mac and to think before downloading any web content or software update.

Email Security and HIPAA Compliance

Healthcare organizations are being targeted by hackers and scammers and email is the No1 attack vector. 91% of all cyberattacks start with a phishing email and figures from the Anti-Phishing Working Group indicate end users open 30% of phishing emails that are delivered to their inboxes. Stopping emails from reaching inboxes is therefore essential, as is training healthcare employees to be more security aware.

Since so many healthcare data breaches occur as a result of phishing emails, healthcare organizations must implement robust defenses to prevent attacks. Further, email security is also an important element of HIPAA compliance. Fail to follow HIPAA Rules on email security and a financial penalty could follow a data breach.

Email Security is an Important Element of HIPAA Compliance

HIPAA Rules require healthcare organizations to implement safeguards to secure electronic protected health information to ensure the confidentiality, integrity, and availability of health data.

Email security is an important element of HIPAA compliance. With so many attacks on networks starting with phishing emails, it is essential for healthcare organizations to implement anti-phishing defenses to keep their networks secure.

The Department of Health and Human Services’ Office for Civil Rights has already issued fines to healthcare organizations that have experienced data breaches as a result of employees falling for phishing emails. UW medicine paid OCR $750,000 following a malware-related breach caused when an employee responded to a phishing email. Metro Community Provider Network settled a phishing-related case for $400,000.

One aspect of HIPAA compliance related to email is the risk assessment. The risk assessment should cover all systems, including email. Risk must be assessed and then managed and reduced to an appropriate and acceptable level.

Managing the risk of phishing involves the use of technology and training. All email should be routed through a secure email gateway, and it is essential for employees to receive training to raise awareness of the risk of phishing and the actions to take if a suspicious email is received.

How to Secure Email, Prevent and Identify Phishing Attacks

Email phishing scams today are sophisticated, well written, and highly convincing. It is often hard to differentiate a phishing email from a legitimate communication. However, there are some simple steps that all healthcare organizations can take to improve email security. Simply adopting the measures below can greatly reduce phishing risk and the likelihood of experiencing an email-related breach.

While uninstalling all email services is the only surefire way to prevent email phishing attacks, that is far from a practical solution. Email is essential for communicating with staff members, stakeholders, business associates, and even patients.

Since email is required, two steps that covered entities should take to improve email security are detailed below:

Implement a Third-Party AntiSpam Solution Into Your Email Infrastructure

Securing your email gateway is the single most important step to take to prevent phishing attacks on your organization. Many healthcare organizations will already have added an antispam solution to block spam emails from being delivered to end users’ inboxes, but what about cloud-based email services? Have you secured your Office 365 email gateway with a third-party solution?

You will already be protected by Microsoft’s spam filter, but when all it takes is for one malicious email to reach an inbox, you really need more robust defenses.  SpamTitan integrates perfectly with Office 365, offering an extra layer of security that blocks known malware and more than 99.9% of spam email.

Continuously Train Employees and they Will Become Security Assets

End users – the cause of countless data breaches and a constant thorn in the side of IT security staff. They are a weak link and can easily undo the best security defenses, but they can be turned into security assets and an impressive last line of defense. That is unlikely to happen with a single training session, or even a training session given once a year.

End user training is an important element of HIPAA compliance. While HIPAA Rules do not specify how often training should be provide, given the fact that phishing is the number one security threat, training should be a continuous process.

The Department of Health and Human Services’ Office for Civil Rights recently highlighted some email security training best practices in its July cybersecurity newsletter, suggesting “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”

The frequency of training should be dictated by the level of risk faced by an organization. Many covered entities have opted for bi-annual training sessions for the workforce, with monthly newsletters and security updates provided via email, including information on the latest threats such as new phishing scams and social engineering techniques.

OCR also reminded HIPAA covered entities that not all employees respond to the same training methods. It is best to mix it up and use a variety of training tools, such as CBT training, classroom sessions, newsletters, posters, email alerts, team discussions, and phishing email simulation exercises.

Simple Steps to Verify Emails and Identify Phishing Scams

Healthcare employees can greatly reduce the risk of falling of a phishing scam by performing these checks. With practice, these become second nature.

  • Hovering the mouse over an email hyperlink to check the true domain. Any anchor text –hyperlinked text other than the actual URL – should be treated as suspicious until the true domain is identified. Also check that the destination URL starts with HTTPS.
  • Never reply directly to an email – Always click forward. It’s a little slower, but you will get to see the full email address of the person who sent the message. You can then check that domain name against the one used by the company.
  • Pay close attention to the email signature – Any legitimate email should contain contact information. This can be faked, or real contact information may be used in a spam email, but phishers often make mistakes in signatures that are easy to identify.
  • Never open an email attachment from an unknown sender – If you need to open the attachment, never click on any links in the document, or on any embedded objects, or click to enable content or run macros. Forward the email to your IT department if you are unsure and ask for verification.
  • Never make any bank transfers requested by email without verifying the legitimacy of the request.
  • Legitimate organizations will not ask for login credentials by email
  • If you are asked to take urgent action to secure your account, do not use any links contained in the email. Visit the official website by typing the URL directly into your browser. If you are not 100% of the URL, check on Google.

Microsoft Office Attacks Without Macros and New Locky Ransomware Variants Discovered

Microsoft Office documents containing malicious macros are commonly used to spread malware and ransomware. However, security researchers have now identified Microsoft Office attacks without macros, and the technique is harder to block.

Microsoft Office Attacks Without Macros

While it is possible to disable macros so they do not run automatically, and even disable macros entirely, that will not protect you from this new attack method, which leverages a feature of MS Office called Dynamic Data Exchange or DDE, according to researchers at SensePost. This in-built feature of Windows allows two applications to share the same data, for example MS Word and MS Excel. DDE allows a one- time exchange of data between two applications or continuous sharing of data.

Cybercriminals can use this feature of MS Office to get a document to execute an application without the use of macros as part of a multi-stage attack on the victim. In contrast to macros which flash a security warning before being allowed to run, this attack method does not present the user with a security warning as such.

Opening the MS Office file will present the user with a message saying “This document contains links that may refer to other files. Do you want to open this document with the data from the linked files?” Users who regularly use files that use the DDE protocol may automatically click on yes.

A second dialog box is then displayed asking the user to confirm that they wish to execute the file specified in the command, but the researchers explain that it is possible to suppress that warning.

This technique has already been used by at least one group of hackers in spear phishing campaigns, with the emails and documents appearing to have been sent from the Securities and Exchange Commission (SEC). In this case, the hackers were using the technique to infect users with DNSMessenger fileless malware.

Unlike macros, disabling DDE is problematic. While it is possible to monitor for these types of attacks, the best defense is blocking the emails that deliver these malicious messages using a spam filter, and to train staff to be more security aware and to verify the source of the email before opening any attachments.

Locky Ransomware Updated Again (..and again)

If you have rules set to detect ransomware attacks by scanning for specific file extensions, you will need to update your rules with two new extensions to detect two new Locky ransomware variants. The authors of Locky ransomware have updated their code again, marking four new changes now in a little over a month.

In August and September, Locky was using the .lukitus and .diablo extensions. Then the authors switched to the .ykcol extension. In the past week, a further campaign has been detected using the .asasin extension.

The good news regarding the latter file extension, is it is being distributed in a spam email campaign that will not result in infection. An error was made adding the attachment. However, that is likely to be corrected soon.

The ykcol variant is being spread via spam email and uses fake invoices as the lure to get users to open the attachments. The documents contain a macro that launches a JavaScript or PowerShell downloader than installs and runs the Locky binary. The .asasin variant is being spread via emails that spoof RightSignature, and appear to have been sent from the documents[@]rightsignature.com email address. The emails claim the attached file has been completed and contains a digital signature.

The authors of Locky are constantly changing tactics. They use highly varied spam campaigns, a variety of social engineering techniques, and various attachments and malicious URLs to deliver their malicious payload.

For this reason, it is essential to implement a spam filtering solution to prevent these emails from being delivered to end users’ inboxes. You should also ensure you have multiple copies of backups stored in different locations, and be sure to test those backups to make sure file recovery is possible.

To find out more about how you can protect your networks from malicious email messages – those containing macros as well as non-macro attacks – contact the TitanHQ team today.

Ransomware Growth in 2017 Has Increased by 2,502%

Ransomware growth in 2017 has increased by 2,502% according to a new report released this week by Carbon Black. The firm has been monitoring sales of ransomware on the darknet, covering more than 6,300 known websites where malware and ransomware is sold, or hired as ransomware-as-a-service. More than 45,000 products have been tracked by the firm.

The file encrypting code has been embraced by the criminal fraternity as a quick and easy method of extorting money from companies. Ransomware growth in 2017 was fueled by the availability of kits that allow campaigns to be easily conducted.

Ransomware-as-a-service now includes the malicious code, admin consoles that allow the code to be tweaked to suit individual preferences, and instructions and guidelines for conducting campaigns. Now, no coding experience is necessary to conduct ransomware campaigns. It is therefore no surprise to see major ransomware growth in 2017, but the extent of that growth is jaw-dropping.

Ransomware sales now generate $6.2 million a year, having increased from $249,287 in 2016. The speed at which ransomware sales have grown has even surprised security experts. According to the report, the developers of a ransomware variant can make as much as $163,000 a year. Compare that to the amount they would make working for a company and it is not hard to see the attraction. That figure is more than double the average earnings for a legitimate software developer.

Ransomware can now be obtained via these darknet marketplaces for pocket change. The report indicates ransomware kits can be purchased for as little as 50 cents to $1 for screen lockers. Some custom ransomware variants, where the source code is supplied, sell for between $1,000 and $3,000, although the median amount for standard ransomware is $10.50. The developers of the code know full well that they can make a fortune on the back end by taking a cut of the ransomware profits generated by their affiliates.

Ransomware attacks are profitable, so there is no shortage of affiliates willing to conduct attacks. Carbon Black suggests 52% of firms are willing to pay to recover encrypted files. Many businesses would pay up to $50,000 to regain access to their files according to the report. A previous study conducted by IBM in 2016 showed that 70% of businesses attacked with ransomware have paid the ransom to recover their files, half of businesses paid more than $10,000 and 20% paid over $40,000.

Figures released by the FBI suggest ransomware revenues were in excess of $1 billion last year, up from $24 million in 2015. However, since many companies keep infections and details of ransomware payments quiet, it is probable that the losses are far higher.

Since the ransomware problem is unlikely to go away, what businesses must do is to improve their defenses against attacks – That means implementing technology and educating the workforce to prevent attacks, deploy software solutions to detect attacks promptly when they occur to limit the damage caused, and make sure that in the event of an attack, data can be recovered.

Since the primary attack vector for ransomware is email, companies should ensure they use an advanced spam filtering solution to prevent the malicious emails from being delivered to end users. SpamTitan block more than 99.9% of spam email, keeping inboxes ransomware free.

Employee education is critical to prevent risky behavior and ensure employees recognize and report potentially malicious emails. To ensure recovery is possible without paying the ransom, firms should ensure multiple backups are made. Those backups should be tested to make sure data can be recovered. Best practices for backing up data are to ensure three copies exist, stored on at least two different media, with one copy stored off site.

Major Rise in Cyberattacks on Websites Reported

Email may be the primary vector used to conduct cyberattacks on businesses, but there has been a massive rise in cyberattacks on websites in recent months. The second quarter of 2017 saw a 186% increase in cyberattacks on websites, rising from an average of 22 attacks per day in Q1 to 63 attacks per day in Q2, according to a recent report from SiteLock. These sites were typically run by small to mid-sized companies.

WordPress websites were the most commonly attacked – The average number of attacks per day was twice as high for WordPress sites as other content management platforms. That said, security on WordPress sites is typically better than other content management platforms.

Joomla websites were found to contain twice the number of vulnerabilities as WordPress sites, on average. Many users of Joomla were discovered to be running versions of the CMS that are no longer supported. One in five Joomla sites had a CMS that had not been updated in the past 5 years. Typically, users of Joomla do not sign up for automatic updates.

WordPress sites are updated more frequently, either manually or automatically, although that is not the case for plugins used on those sites. While the CMS may be updated to address vulnerabilities, the updates will not prevent attacks that leverage vulnerabilities in third party plugins.

The study revealed 44% of 6 million websites assessed for the study had plugins that were out of date by a year or more. Even when websites were running the latest version of the CMS, they are still being compromised by cybercriminals who exploited out of date plugins. Seven out of 10 compromised WordPress sites were running the latest version of the WordPress.

There is a common misconception than website security is the responsibility of the hosting provider, when that is not the case. 40% of the 20,000 website owners who were surveyed believed it was their hosting company that was responsible for securing their websites.

Most cyberattacks on websites are automated. Bots are used to conduct 85% of cyberattacks on websites. The types of attacks were highly varied, including SQL injection, cross-site scripting attacks, local and remote file inclusion, and cross-site request forgery.

SiteLock noted that in 77% of cases where sites had been compromised with malware, this was not picked up by the search engines and warnings were not being displayed by browsers. Only 23% of sites that were compromised with malware triggered a browser warning or were marked as potentially malicious websites by search engines.

Due to major increase in attacks, it is strongly recommended that SMBs conduct regular scans of their sites for malware, ensure their CMS is updated automatically, and updates are performed on all plugins on the site.  Taking proactive steps to secure websites will help SMBs prevent website-related breaches and stop their sites being used to spread malware or be used for phishing.

FormBook Malware Used in Targeted Attacks on Manufacturing and Aerospace Sectors

FormBook malware is being used in targeted attacks on the manufacturing and aerospace sectors according to researchers at FireEye, although attacks are not confined to these industries.

So far, the attacks appear to have been concentrated on organizations in the United States and South Korea, although it is highly likely that attacks will spread to other areas due to the low cost of this malware-as-a-service, the ease of using the malware, and its extensive functionality.

FormBook malware is being sold on underground forms and can be rented cheaply for as little as $29 a month. Executables can be generated using an online control panel, a process that requires next to no skill. This malware-as-a-service is therefore likely to be used by many cybercriminals.

FormBook malware is an information stealer that can log keystrokes, extract data from HTTP sessions and steal clipboard content. Via the connection to its C2 server, the malware can receive and run commands and can download files, including other malware variants. Malware variants discovered to have already been downloaded by FormBook include the NanoCore RAT.

FireEye researchers also point out that the malware can steal passwords and cookies, start and stop Windows processes, and force a reboot of an infected device.

FormBook malware is being spread via spam email campaigns using compressed file attachments (.zip, .rar), .iso and .ace files in South Korea, while the attacks in the United States have mostly involved .doc, .xls and .pdf files. Large scale spam campaigns have been conducted to spread the malware in both countries.

The U.S campaigns detected by FireEye used spam emails related to shipments sent via DHL and FedEx – a common choice for cybercriminals. The shipment labels, which the emails say must be printed in order to collect the packages, are in PDF form. Hidden in the document is a tny.im URL that directs victims to a staging server that downloads the malware. The campaigns using Office documents deliver the malware via malicious macros. The campaigns conducted in South Korea typically include the executables in the attachments.

While the manufacturing industry and aerospace/defense contractors are being targeted, attacks have been conducted on a wide range of industries, including education, services/consulting, energy and utility companies, and the financial services. All organizations, regardless of their sector, should be alert to this threat.

Organizations can protect against this new threat by adopting good cybersecurity best practices such as implementing a spam filtering solution to block malicious messages and stop files such as ISOs and ACE files from being delivered to end users. Organizations should also alert their employees to the threat of attack and provide training to help employees recognize this spam email campaign. Macros should also be disabled on all devices if they are not necessary for general work duties, and at the very least, should be set to be run manually.

2013 Yahoo Data Breach Involved 3 Billion Email Accounts

The 2013 Yahoo data breach was already the largest data breach in U.S. history, now it has been confirmed that it was even larger than first thought.

Verizon has now confirmed that rather than the breach impacting approximately 1 billion email accounts, the 2013 Yahoo data breach involved all of the company’s 3 billion email accounts.

Prior to the disclosure of the 2013 Yahoo data breach, a deal had been agreed with Yahoo to Verizon. The disclosure of a 1-billion record data breach and a previous breach impacting 500 accounts during the final stages of negotiations saw the sale price cut to $4.48 billion – A reduction of around $350 million or 7% of the sale price. It is unclear whether this discovery will prompt Verizon to seek a refund of some of that money.

Verizon reports that while Yahoo’s email business was being integrated into its new Oath service, new intelligence was obtained to suggest all of Yahoo’s 3 billion accounts had been compromised. Third party forensic experts made the discovery. That makes it the largest data breach ever reported by a considerable distance, eclipsing the 360 million record breach at MySpace discovered in 2016 and the 145 million record breach at E-Bay in 2015.

The data breach involved the theft of email addresses and user ID’s along with hashed passwords. No stored clear-text passwords are understood to have been obtained, and neither any financial information. However, since the method used to encrypt the data was outdated, and could potentially be cracked, it is possible that access to the email accounts was gained. Security questions and backup email addresses were also reportedly obtained by the attackers.

The scale of the cyberattack is astonishing, and so is the potential fallout. Already there have been more than 40 class action lawsuits filed by consumers, with the number certain to grow considerably since the announcement that the scale of the breach has tripled.

Verizon has said all of the additional breach victims have been notified by email, but that many of the additional accounts were opened and never used, or had only been used briefly. Even so, this is still the largest data breach ever reported.

The 2013 Yahoo data breach was investigated and has been linked to state-sponsored hackers, four of whom have been charged with the hack and data theft, including two former Russian intelligence officers.One of those individuals is now in custody in the Untied States.

It’s National Cyber Security Month: Time to Start Developing a Security Culture

Today is the start of the 14th National Cyber Security Month – A time when U.S. citizens are reminded of the importance of practicing good cyber hygiene, and awareness is raised about the threat from malware, phishing, and social engineering attacks.

The cybersecurity initiative was launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) with the aim of creating resources for all Americans to help them stay safe online.

While protecting consumers has been the main focus of National Cyber Security Month since its creation, during the past 14 years the initiative has been expanded considerably. Now small and medium-sized businesses, corporations, and healthcare and educational institutions are assisted over the 31 days of October, with advice given to help develop policies, procedures, and implement technology to keep networks and data secure.

National Cyber Security Month Themes

2017 National Cyber Security Month focuses on a new theme each week, with resources provided to improve understanding of the main cybersecurity threats and explain the actions that can be taken to mitigate risk.

Week 1: Oct 2-6 – Simple Steps to Online Safety

It’s been 7 years since the STOP. THINK. CONNECT campaign was launched by the NCSA and the Anti-Phishing Workshop. As the name suggests, the campaign encourages users learn good cybersecurity habits – To assume that every email and website may be a scam, and to be cautions online and when opening emails. Week one will see more resources provided to help consumers learn cybersecurity best practices.

Week 2: Oct 9-13 – Cybersecurity in the Workplace

With awareness of cyber threats raised with consumers, the DHS and NCSA turn their attention to businesses. Employees may be the weakest link in the security chain, but that need not be the case. Education programs can be highly effective at improving resilience to cyberattacks. Week 2 will see businesses given help with their cyber education programs to develop a cybersecurity culture and address vulnerabilities. DHS/NCSA will also be promoting the NIST Cybersecurity Framework and explaining how its adoption can greatly improve organizations’ security posture.

Week 3: Oct 16-20 –Predictions for Tomorrow’s Internet

The proliferation of IoT devices has introduced many new risks. The aim of week three is to raise awareness of those risks – both for consumers and businesses – and to provide practical advice on taking advantage of the benefits of smart devices, while ensuring they are deployed in a secure and safe way.

Week 4: Oct 23-27 –Careers in Cybersecurity

There is a crisis looming – A severe lack of cybersecurity professionals and not enough students taking up cybersecurity as a profession. The aim of week 4 is to encourage students to consider taking up cybersecurity as a career, by providing resources for students and guidance for key influencers to help engage the younger generation and encourage them to pursue a career in cybersecurity.

Week 5: Oct 30-31 – Protecting Critical Infrastructure

As we have seen already this year, nation-state sponsored groups have been sabotaging critical infrastructure and cybercriminals have been targeting critical infrastructure to extort money. The last two days of October will see awareness raised of the need for cybersecurity to protect critical infrastructure, which will serve as an introduction to Critical Infrastructure Security and Resilience Month in November.

European Cyber Security Month

While National Cyber Security Month takes place in the United States, across the Atlantic, European Cyber Security Month is running in tandem. In Europe, similar themes will be covered with the aim of raising awareness of cyber threats and explaining the actions EU citizens and businesses can take to stay secure.

This year is the 5th anniversary of European Cyber Security Month – a collaboration between The European Union Agency for Network and Information Security (ENISA), the European Commission DG CONNECT and public and private sector partners.

As in the United States, each week of October has a different theme with new resources and reports released, and events and activities being conducted to educate the public and businesses on cybersecurity.

European Cyber Security Month Themes

This year, the program for European Cyber Security Month is as follows:

Week 1: Oct 2-6 – Cybersecurity in the Workplace

A week dedicated to helping businesses train their employees to be security assets and raise awareness of the risks from phishing, ransomware, and malware. Resources will be provided to help businesses teach their employees about good cyber hygiene.

Week 2: Oct 9-13 – Governance, Privacy & Data Protection

With the GDPR compliance date just around the corner, businesses will receive guidance on compliance with GDPR and the NIS Directive to help businesses get ready for May 2018.

Week 3: Oct 16-20 – Cybersecurity in the Home

As more IoT devices are being used in the home, the risk of cyberattacks has grown. The aim of week 3 is to raise awareness of the threats from IoT devices and to explain how to keep home networks secure. Awareness will also be raised about online fraud and scams targeting consumers.

Week 4: Oct 23-27 – Skills in Cyber Security

The aim in week 4 is to encourage the younger generation to gain the cyber skills they will need to embark upon a career in cybersecurity. Educational resources will be made available to help train the next generation of cybersecurity professionals.

Use October to Improve Your Cybersecurity Defenses and Train Your Workforce to Be Security Titans

This Cyber Security Month, why not take advantage of the additional resources available and use October to improve your cybersecurity awareness and train your employees to be more security conscious.

When the month is over, don’t shelve cybersecurity for another 12 months. The key to remaining secure and creating a security culture in the workplace is to continue training, assessments, and phishing tests throughout the year. October should be taken as a month to develop and implement training programs and to work toward creating a secure work environment and build a cybersecurity culture in your place of work.

Phishing Warning Issued to Digital Civil Liberties Activists

A warning has been issued to digital civil liberties activists by the Electronic Frontier Foundation about the risk of targeted spear phishing attacks. The phishing warning comes after spate of phishing attacks on digital civil liberties groups over the summer, at least one of which resulted in the disclosure of login credentials.

The attacks were directed at two NGOs – Free Press and Fight for Future – both of which are advocates of net neutrality. The campaign appears to have been conducted by the same individual and included at least 70 phishing attempts between July and August. The attacks started on July 12, which is Save Net Neutrality Day of Action – a day of protest against the FCC’s proposed rollback of net neutrality protections.

While phishing emails are often sent with the purpose of installing malware, in this case the aim was to obtain login credentials to LinkedIn, Google, and Dropbox accounts.

Spear phishing emails were sent using a variety of themes from standard phishing emails to sophisticated and highly creative scams. While most of the attempts failed, the scammer was able to obtain the credentials of at least one account. The compromised Google account was used to send further spear phishing emails to other individuals in the organization. It is unclear what other goals the attacker had, and what the purpose of gaining access to the accounts was.

The phishing campaign was analysed by Eva Galperin and Cooper Quintin at the Electronic Frontier Foundation. They said some of the phishing emails were simple phishing attempts, where the attacker attempted to direct end users to a fake Google document. Clicking the link would direct the user to a site where they were required to enter their Google account details to view the document. Similar phishing emails were sent in an attempt to obtain LinkedIn credentials, using fake LinkedIn notifications. Others contained links to news stories that appeared to have been shared by contacts.

As the campaign progressed, the attacker got more inventive and the attacker started researching the targets and using personal information in the emails. One email was sent in which the scammer pretended to be the target’s husband, signing the email with his name.  Another email was sent masquerading as a hateful comment on a video the target had uploaded to YouTube.

A pornography-related phishing scam was one of the most inventive attempts to gain access to login credentials. Emails were sent to targets masquerading as confirmations from well-known pornographic websites such as Pornhub and RedTube. The emails claimed the recipient had subscribed to the portals.

The initial email was then followed up with a further email containing a sexually explicit subject line. The sender name was spoofed to make it appear that the email was sent from Pornhub. The unsubscribe link on the email directed the user to a Google login page where they were asked for their credentials.

It is not clear whether the two NGOs were the only organizations targeted. Since these attacks may be part of a wider campaign, EFF is alerting all digital civil liberties activists to be aware of the threat. Indicators of compromise have been made available here.

Redboot Malware Encrypts Files and Replaces MFT

A new malware threat named RedBoot has been discovered that bears some similarities to NotPetya. Like NotPetya, RedBoot malware appears to be a form of ransomware, when in actual fact it is a wiper at least in its current form.

RedBoot malware is capable of encrypting files, rendering them inaccessible. Encrypted and given the .locked extension. Once the encryption process is completed, a ‘ransom’ note is shown to the user, providing an email address to use to find out how to unlock the encrypted files. Like NotPetya, RedBoot malware also makes changes to the master boot record.

RedBoot includes a module that overwrites the current master boot record and it also appears that changes are made to the partition table, but there is currently no mechanism for restoring those changes. There is also no command and control server and even though an email address is provided, no ransom demand appears to be issued. RedBoot is therefore a wiper, not ransomware.

According to Lawrence Abrams at BeepingComputer who has obtained a sample of the malware and performed an analysis, RedBoot is most likely a poorly designed ransomware variant in the early stages of development. Abrams said he has been contacted by the developer of the malware who claimed the version that was studied is a development version of the malware. He was told an updated version will be released in October. How that new version will be spread is unknown at this stage.

Even if it is the intention of the developer to use this malware to extort money from victims, at present the malware causes permanent damage. That may change, although this malware variant may remain a wiper and be used simply to sabotage computers.

It is peculiar that an incomplete version of the malware has been released and advance notice has been issued about a new version that is about to be released, but it does give businesses time to prepare.

The attack vector is not yet known, so it is not possible to give specific instructions on how to prevent RedBoot malware attacks. The protections that should be put in place are therefore the same as for blocking any malware variant.

A spam filtering solution should be implemented to block malicious emails, users should be alerted to the threat of phishing emails and should be training how to identify malicious emails and told never to open attachments or click on hyperlinks sent from unknown individuals.

IT teams should ensure all computers and servers are fully patched and that SMBv1 has been disabled or SMBv1 vulnerabilities have been addressed and antivirus software should be installed on all computers.

It is also essential to back up all systems to ensure that in the event of an attack, systems can be restored and data recovered.

Retefe Banking Trojan Upgraded with SMB Exploit

Ransomware developers have leveraged the EternalBlue exploit, now the criminals behind the Retefe banking Trojan have added the NSA exploit to their arsenal.

The EternalBlue exploit was released in April by the hacking group Shadow Brokers and was used in the global WannaCry ransomware attacks. The exploit was also used, along with other attack vectors, to deliver the NotPetya wiper and more recently, has been incorporated into the TrickBot banking Trojan.

The Retefe banking Trojan is distributed via malicious Microsoft Office documents sent via spam email. In order for the Trojan to be installed, the emails and the attachments must be opened and code must be run. The attackers typically use Office documents with embedded objects which run malicious PowerShell code if clicked. Macros have also been used in some campaigns to deliver the malicious payload.

Researchers at Proofpoint have now obtained a sample of the Retefe banking Trojan that includes the EternalBlue SMBv1 exploit. The EternalBlue module downloads a PowerShell script and an executable. The script runs the executable, which installs the Trojan.

The researchers noted the module used in the WannaCry attacks that allowed rapid propagation within networks – Pseb – was lacking in Retefe, although that may be added at a later date. It would appear that the criminals behind the campaign are just starting to experiment with EternalBlue.

Other banking Trojans such as Zeus have been used in widespread attacks, although so far attacks using the Retefe banking Trojan have largely been confined to a limited number of countries – Austria, Sweden, Switzerland, Japan, and the United Kingdom.

Businesses in these countries will be vulnerable to Retefe, although due to the number of malware variants that are now using EternalBlue, all businesses should ensure they mitigate the threat. Other malware variants will almost certainly be upgraded to include EternalBlue.

Mitigating the threat from EternalBlue (CVE-2017-0144) includes applying the MS17-010 patch and also blocking traffic associated with the threat through your IDS system and firewall. Even if systems have been patched, a scan for vulnerable systems should still be conducted to ensure no devices have been missed.

Since the Retefe Trojan is primarily being spread via spam email, a spam filter should be implemented to prevent malicious messages from reaching end users. By implementing SpamTitan, businesses can protect their networks against this and other malware threats delivered via spam email.

How to Stop SMBv1 Ransomware Attacks

While most ransomware attacks occur via phishing emails or exploit kits and require some user interaction, SMBv1 ransomware attacks occur remotely with no user interaction required.

These attacks exploit a vulnerability in Windows Server Message Block protocol (SMB), a communication protocol typically used for sharing printers and other network resources. SMB operates in the application layer and is typically used over TCP/IP Port 445 and 139.

A critical flaw in SMBv1 was identified and addressed by Microsoft in a March 14, 2017 security update – MS17-010. At the time, Microsoft warned that exploitation of the flaw could allow remote code execution on a vulnerable system.

An exploit for the flaw, termed EternalBlue, was reportedly used by the U.S. National Security Agency’s Equation Group for four years prior to the vulnerability being plugged. That exploit, along with several others, was obtained by a hacking group called Shadow Brokers. The EternalBlue exploit was disclosed publicly in April, after attempts to sell the exploit failed. Following its release, it was not long before malware developers incorporated the exploit and used it to remotely attack vulnerable systems.

The exploit was primarily used to attack older operating systems such as Windows 7 and Windows Server 2012, although other systems are also vulnerable, including Windows Server 2016. The security update addresses the flaw in all vulnerable systems. Microsoft also released a patch for the long-retired Windows XP.

The most widely reported SMBv1 ransomware attacks occurred in May and involved WannaCry ransomware. WannaCry exploited the SMBv1 vulnerability and used TCP Port 445 to propagate. These SMBv1 ransomware attacks were conducted around the globe, although fortunately a kill switch was found which was used to disable the ransomware and prevent file encryption.

While that spelled the end of WannaCry, the SMBv1 attacks continued. NotPetya – not a ransomware variant but a wiper – also used the EternalBlue exploit to attack systems, and with the code still publicly available, other malware developers have incorporated the exploit into their arsenal. Any business that has not yet applied the MS17-010 patch will still be vulnerable to SMBv1 ransomware attacks. Other malware developers are now using the exploit to deliver banking Trojans.

While most businesses have now applied the patch, there are some that are still running vulnerable operating systems. There is also a risk that even when patches have been applied, devices may have been missed.

All businesses should therefore make sure their systems have been patched, but should also perform a scan to ensure no devices have slipped through the net and remain vulnerable. All it takes is for one unpatched device to exist on a network for ransomware or malware to be installed.

There are several commercially available tools that can be used to scan for unpatched devices, including this free tool from ESET. It is also recommended to block traffic associated with EternalBlue through your IDS system or firewall.

If you still insist on using Windows XP, you can at least stop the SMB flaw from being exploited with this patch, although an upgrade to a supported OS is long overdue. The MS17-010 patch for all other systems can be found on this link.

CCleaner Hack Worse Than Previously Thought: Tech Firms Targeted

The CCleaner hack that saw a backdoor inserted into the CCleaner binary and distributed to at least 2.27 million users was far from the work of a rogue employee. The attack was much more sophisticated and bears the hallmarks of a nation state actor. The number of users infected with the first stage malware may have been be high, but they were not being targeted. The real targets were technology firms and the goal was industrial espionage.

Avast, which acquired Piriform – the developer of Cleaner – in the summer, announced earlier this month that the CCleaner v5.33.6162 build released on August 15 was used as a distribution vehicle for a backdoor. Avast’s analysis suggested this was a multi-stage malware, capable of installing a second-stage payload; however, Avast did not believe the second-stage payload ever executed.

Swift action was taken following the discovery of the CCleaner hack to take down the attacker’s server and a new malware-free version of CCleaner was released. Avast said in a blog post that simply updating to the new version of CCleaner – v5.35 – would be sufficient to remove the backdoor, and that while this appeared to be a multi-stage malware

Further analysis of the CCleaner hack has revealed that was not the case, at least for some users of CCleaner. The second stage malware did execute in some cases.

The second payload differed depending on the operating system of the compromised system. Avast said, “On Windows 7+, the binary is dumped to a file called “C:\Windows\system32\lTSMSISrv.dll” and automatic loading of the library is ensured by autorunning the NT service “SessionEnv” (the RDP service). On XP, the binary is saved as “C:\Windows\system32\spool\prtprocs\w32x86\localspl.dll” and the code uses the “Spooler” service to load.”

Avast determined the malware was an Advanced Persistent Threat that would only deliver the second-stage payload to specific users. Avast was able to determine that 20 machines spread across 8 organizations had the second stage malware delivered, although since logs were only collected for a little over 3 days, the actual total infected with the second stage was undoubtedly higher. Avast estimates the number of devices infected was likely “in the hundreds”.

Avast has since issued an update saying, “At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany.”

The majority of devices infected with the first backdoor were consumers, since CCleaner is a consumer-oriented product; however, consumers are believed to be of no interest to the attackers and that the CCleaner hack was a watering hole attack. The aim was to gain access to computers used by employees of tech firms. Some of the firms targeted in this CCleaner hack include Google, Microsoft, Samsung, Sony, Intel, HTC, Linksys, D-Link, and Cisco.

The second stage of the attack delivered keylogging and data collection malware. Kaspersky and FireEye researchers have connected the attack to the hacking group APT 17, noting similarities in the infrastructure with the nation state actor. It was APT 17 that was behind the Operation Aurora attack which similarly targeted tech companies in 2009. Cisco Talos researchers noted that one of the configuration files was set to a Chinese time zone, further suggesting this was the work of a nation-state hacking group based in China.

While Avast previously said upgrading to the latest version would be sufficient to remove the backdoor, it would not remove the second-stage malware. Data could still be exfiltrated to the attackers C2 server, which was still active. Avast is currently working with the targeted companies and is providing assistance.

Cisco Talos criticized Avast’s stance on the attack, explaining in a recent blog post, “it’s imperative to take these attacks seriously and not to downplay their severity,” also suggesting users should “restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”

Locky and FakeGlobe Ransomware Used in Double Ransomware Campaign

A new spam email ransomware campaign has been launched that has potential to infect users twice, with both Locky and FakeGlobe ransomware.

The campaign, which was launched earlier this month, sees the attackers alternate the payload between Locky and FakeGlobe ransomware. The researchers that discovered the campaign suggest the payload alternates each hour.

This method of distribution cpould result in victims being infected twice, first having their files encrypted by Locky ransomware, and then re-encrypted by FakeGlobe ransomware or vice versa. In such cases, two ransom payments would have to be paid if files could not be recovered from backups.

While the use of two malware variants for spam email campaigns is not new, it is much more typical for different forms of malware to be used, such as pairing a keylogger with ransomware. In such cases, if the ransom is paid to unlock data, the keylogger would likely remain and allow data to be stolen for use in further attacks.

As with previous attacks involving Locky, this double ransomware campaign involves fake invoices – one of the most effective ways of getting business users to open infected email attachments. In this campaign, the attachment claims to be the latest invoice which takes the form of a zip file. Opening that zip file and clicking to open the extracted file launches a script that downloads the malicious payload.

The emails also contain a hyperlink with the text “View Your Bill Online,” which will download a PDF file containing the same script as the attachment, although it connects to different URLs.

This campaign is widespread, being distributed in more than 70 countries with the large-scale spam campaign involving hundreds of thousands of messages.

Infections with Locky and FakeGlobe ransomware see a wide range of file types encrypted and there is no free decryptor to unlock the infections. Victims must either restore their files from backups or pay the ransom to recover their data.

If businesses are targeted, they can easily see multiple users fall for the campaigns, requiring multiple computers to be decrypted. However, since ransomware can spread across networks, all it takes is for one user to be fooled into downloading the ransomware for entire systems to be taken out of action. If data cannot be recovered from backups, multiple ransom payments will need to be made.

Good backup policies will help protect businesses against file loss and prevent them from having to pay ransoms; although, even if backups exist, organizations can experience considerable downtime while the malware is removed, files are restored, and networks are analyzed for other malware infections and backdoors.

Spam email remains the vector of choice for distributing ransomware. Organizations can reduce the risk of ransomware attacks by implementing an advanced spam filter such as SpamTitan. SpamTitan blocks more than 99.9% of spam emails, preventing malicious emails from reaching end users’ inboxes.

While most organizations are now using spam filtering software to prevent attacks, a recent study conducted by PhishMe suggests 15% of businesses are still not using email gateway filtering, leaving them at a high risk of ransomware attacks. Given the volume of phishing and ransomware emails now being sent, email filtering solutions are a necessity.

CCleaner Malware Inclusion Potentially Impacts More Than 2 Million Users

CCleaner malware infections continued for a month before the compromised binary was detected and the backdoor was removed.

Avast, which acquired Piriform over the summer, announced that between August 15 and September 15, a rogue version of the application was available on its server and was being downloaded by users. During that time, around 3% of users of the PC cleaning application had been infected according to Piriform.

Cisco Talos, which independently discovered the build of CCleaner had malware included, reported around 5 million users download the program each week, potentially meaning up to 20 million users may have been affected. However, Piriform suggests around 2.27 users had downloaded and installed the backdoor along with the legitimate application. On Monday this week, around 730,000 users had not yet updated to the latest, clean version of the program.

Any individual that downloaded the application on a 32-bit system between August 15 and September 15 was infected with the CCleaner malware, which was capable of gathering information about the users’ system. The malware in question was the Floxif Trojan, which had been incorporated into the build before Avast acquired Piriform.

The CCleaner malware collected details of users’ IP addresses, computer names, details of software installed on their systems and the MAC addresses of network adaptors, which were exfiltrated to the attackers C2 server. The CCleaner malware laced application was only part of the story. Avast says the attack involved a second stage payload, although it would appear the additional malware never executed.

The versions of the software affected were v5.33.6162 and CCleaner Cloud v1.07.3191. The malware reportedly did not execute on 64-bit systems and the Android app was unaffected. The malware was detected on September 13, 2017, although an announcement was not initially made as Avast and Piriform were working with law enforcement and did not want to alert the attackers that the malware had been detected.

The individuals behind the attack used a valid digital signature that was issued to Piriform by Symantec along with a Domain Generation Algorithm to ensure that new domains could be generated to receive exfiltrated data from compromised systems in the event that the main domain was taken down.

Now that the malware has been removed, users can simply download version 5.34 of the application which will remove the backdoor. Users of the Cloud version need do nothing, as the application has been updated to a clean version automatically. While simply updating the software should resolve all issues, users are advised to perform a full virus scan to make sure no additional malware has been introduced onto their system.

At present, it is unclear who was responsible for this supply chain attack or how the Floxif Trojan was introduced. It is possible that external hackers gained access to the development or build environment or that the Trojan was introduced from within.

Attacks such as this have potential to infect many millions of users since downloads from the developers of an application are trusted. In this case, the malware was included in the binary which was hosted on Piriform’s server – not on a third-party site.

A similar supply chain attack saw a software update for the Ukrainian accounting application MeDoc compromised. That attack resulted in the download of the NotPetya wiper, which caused billions of dollars of losses for companies.

Beware of Equifax Phishing Scams – Cybercriminals Are Typosquatting to Catch the Unwary

Consumers should be wary of Equifax phishing scams in the wake of the massive data breach announced earlier this month. The 143 million records potentially stolen in the breach will be monetized, which means many will likely be sold to scammers.

Trend Micro has suggested a batch of data of this scale could easily be sold for $27 million on underground marketplaces and there would be no shortage of individuals happy to pay for the data. The records include the exact types of information that is sought by identity thieves, phishers, and scammers.

However, it is not necessary to have access to the stolen records to pull of scams. Many opportunistic cybercriminals are taking advantage of consumer interest in the breach and are preparing phishing websites to fool the unwary into revealing their sensitive information. Equifax’s response to the breach has also made it easier for phishers to ply their trade.

Equifax has taken the decision not to inform all breach victims by mail. Only the 209,000 individuals whose credit card numbers were exposed will be receiving a breach notification letter in the mail. All the remaining breach victims will have to check the Equifax website to find out if their information was compromised in the breach. With almost half the population affected, and next to no one being directly informed, virtually the entire population of the United States will need to head online to find out if they have been affected by the breach.

Equifax has set up a new domain where information is provided to consumers on the steps they can take to secure their accounts and minimize the risk of financial harm. The official website is equifaxsecurity2017.com. Via this website, U.S consumers can get regular updates and enroll in the free credit monitoring services being offered.

To obtain the free credit monitoring services, consumers will be routed to a website with the domain trustedidpremier.com and will need to enter their name and the last six digits of their social security number to start the process. Cybercriminals have been quick to take advantage and have registered swathes of websites and are using them to phish for sensitive information.

Consumers Should Be Wary of Equifax Phishing Scams

USA Today reports that 194 domains closely resembling the site used by Equifax have already been registered in the past few days. Those domains closely mimic the site used by Equifax, with transposed letters and common typos likely to be made by careless typists. Many of the sites have already been shut down, but more are likely to be registered.

The purpose of these sites is simple. To obtain sensitive information such as names, addresses, Social Security numbers and dates of birth.

The technique is called typosquatting. It is extremely common and very effective. The websites use the same logos and layouts as the genuine sites and they fool many visitors into revealing their sensitive information. Links to the websites are sneaked into malicious adverts displayed via third-party ad networks and are emailed out in large scale phishing campaigns. Consumers should therefore exercise extreme caution and be alert to Equifax phishing scams sent via email and text message.

Consumers should also be careful about revealing sensitive information online and should treat all email attachments and emailed hyperlinks as potentially malicious. Consumers should look for the warning signs of phishing attacks in any email received, especially if it appears to have been sent from Equifax or another credit monitoring bureau, a credit card company, bank or credit union. Email, text messages and telephone scams are likely to be rife following an attack on this scale.

Additionally, all U.S. citizens should closely monitor their credit and bank accounts, Explanation of Benefits Statements, and check their credit reports carefully. Criminals already have access to a large amount of data and will be using that information for identity theft and fraud over the coming days, weeks, months and years.

Poor Patch Management Policies to Blame for Equifax Data Breach

It has been confirmed that poor patch management policies opened the door for hackers and allowed them to gain access to the consumer data stored by the credit monitoring bureau Equifax.  The massive Equifax data breach announced earlier this month saw the personal information – including Social Security numbers – of almost half the population of the United States exposed/stolen by hackers.

Poor Patch Management Policies to Blame for Yet Another Major Cyberattack

The vulnerability may have been different to that exploited in the WannaCry ransomware attacks in May, but it was a similar scenario. In the case of WannaCry, a Microsoft Server Message Block vulnerability was exploited, allowing hackers to install WannaCry ransomware.

The vulnerability, tracked as CVE-2017-010, was corrected in March 2017 and a patch was issued to prevent the flaw from being exploited. Two months later, the WannaCry ransomware attacks affected organizations around the world that had not yet applied the patch.

Few details about the Equifax data breach were initially released, with the firm only announcing that access to consumer data was gained via a website application vulnerability. Equifax has now confirmed that access to data was gained by exploiting a vulnerability in Apache Struts, specifically, the Apache Struts vulnerability tracked as CVE-2017-5638.

As with WannaCry, a patch had been released two months before the attack took place. Hackers took advantage of poor patch management policies and exploited the vulnerability to gain access to consumer information.

The Exploited Apache Struts Vulnerability

Apache Struts is used by many Fortune 100 firms and is popular with banks, airlines, governments, and e-commerce stores. Apache Struts is an open-source, MVC framework that allows organizations to create front and back-end Java web applications, such as applications on the public website of Equifax.

The CVE-2017-5638 Apache Struts vulnerability is well known. Details of the vulnerability were published in March 2017 and a patch was issued to correct the flaw. The flaw is relatively easy to exploit, and within three days of the patch being issued, hackers started to exploit the vulnerability and attack web applications that had not been patched.

The remote code execution vulnerability allows an attacker to execute arbitrary code in the context of the affected application. While many organizations acted quickly, for some, applying the patch was not straightforward. The process of upgrading and fixing the flaw can be a difficult and labor-intensive task. Some websites have hundreds of apps that all need to be updated and tested. While it is currently unclear if Equifax was in the process of upgrading the software, two months after the patch had been released, Equifax had still not updated its software. In mid-May, the flaw was exploited by hackers and access was gained to consumer data.

Poor Patch Management Policies Will Lead to Data Breaches

All software contains vulnerabilities that can be exploited. It is just a case of those vulnerabilities being found. Already this year, there have been several vulnerabilities discovered in Apache Struts of varying severity. As soon as new vulnerabilities are discovered, patches are developed to correct the flaws. It is up to organizations to ensure patches are applied promptly to keep their systems and data secure. Had the patch been applied promptly, the breach could have been prevented.

Even though a widely exploited vulnerability was known to exist, Equifax was not only slow to correct the flaw but also failed to detect that a breach had occurred for several weeks. In this case, it would appear that the attackers were throttling down on data exfiltration to avoid detection, although questions will certainly be asked about why it took so long for the Equifax cyberattack to be discovered.

Since zero-day vulnerabilities are often exploited before software developers become aware of flaws and develop patches, organizations – especially those of the size of Equifax – should be using intrusion detection solutions to monitor for abnormal application activity. This will help to ensure any zero-day exploits are rapidly identified and action is taken to limit the severity of any breach.

What Will the Cost of the Equifax Data Breach Be?

The cost of the Equifax data breach will be considerable. State attorneys general are lining up to take action against the credit monitoring bureau for failing prevent the breach. 40 attorneys general have already launched and Massachusetts attorney general Maura Healey has announced the state will be suing Equifax for breaching state laws.

Healey said, the Equifax data breach was “the most egregious data breach we have ever seen. It is as bad as it gets.” New York Attorney General Eric Schneiderman has also spoken out about the breach promising an in-depth investigation to determine whether state laws have been violated. If they have, action will certainly be taken.

U.S. consumers are also extremely angry that their highly sensitive information has been breached, especially since they did not provide their data to Equifax directly. Class-action lawsuits are certain to be launched to recover damages.

As if the breach itself is not bad enough, questions have been raised about the possibility of insider trading. Three Equifax executives allegedly sold $2 million in stock just days after the breach was discovered and before it had been made public.

The final cost of the Equifax data breach will not be known for years to come, although already the firm has lost 35% of its stock value – wiping out around $6 billion. Multiple lawsuits will be filed, there are likely to be heavy fines. The cost of the Equifax breach is therefore certain to be of the order of hundreds of millions. Some experts have suggested a figure of at least 300 million is likely, and possibly considerably more.

Its Time to Increase Office 365 Email Security and Improve Resilience Against Cyberattacks

Cyberattacks on Office 365 users are increasing and Office 365 email security controls are not preventing account compromises at many businesses. If you want to block phishing and malware attacks and prevent costly data breaches, there is no better time than the present to improve Office 365 email security.

Microsoft Office 365 – An Attractive Target for Cybercriminals

Microsoft’s figures suggest there are now more than 70 million active users of Office 365 making it the most widely adopted enterprise cloud service by some distance. 78% of IT decision makers say they have already signed up to Office 365 or plan to do so in 2017 and Microsoft says it is now signing up a further 50,000 small businesses to Office 365 every month. 70% of Fortune 500 companies are already using Office 365 and the number of enterprises transitioning to Office 365 is likely to significantly increase.

Office 365 offers many advantages for businesses but as the number of users grows, the platform becomes and even bigger target for hackers. Hackers are actively seeking flaws in Office 365 and users of the service are increasingly coming under attack. The more users an operating system or service has, the more likely hackers are to concentrate their resources on developing new methods to attack that system.

Cyberattacks on Office 365 are Soaring

Microsoft is well aware of the problem. Its figures show that malware attacks on Office 365 users increased by a staggering 600% last year and a recent survey conducted by Skyhigh Networks showed 71.4% of Office 365 business users have to deal with at least one compromised email account every month. Surveys often overestimate security problems due to having a limited sample size. That is unlikely to be the case here. The survey was conducted on 27 million users of Office 365 and 600 enterprises.

The majority of new malware targets Windows systems simply because there are substantially more users of Windows than Macs. As Apple increases its market share, it becomes more profitable to develop malware to attack MacOS. Consequently, MacOS malware is becoming more common. The same is true for Office 365. More users means successful attacks are much more profitable. If a flaw is found and a new attack method developed, it can be used on millions of users, making searching for flaws and developing exploits well worth the time and effort.

Phishers and hackers are also studying how the security functions of O365 work and are searching for flaws and developing exploits to take advantage. For a few dollars a month, hackers can sign up for accounts to study Office 365. Hackers are also taking advantage of poor password choices to gain access to other users’ accounts to trial their phishing campaigns to ensure they bypass Office 365 email security controls.

Office 365 Email Security Controls are Often Lacking

Given the resources available to Microsoft and its frequent updates you would expect the Office 355 email security to be pretty good. While Office 365 email security is not terrible, for standard users it is not great. Standard subscriptions include scant security features. To get enhanced security, the enterprise subscription must be purchased or extra email security add-ons must be purchased separately at a not insignificant cost.

Pay for the enterprise subscription and you will get a host of extra security features provided through the Advanced Threat Protection (ATP) security package. This includes message sandboxing, phishing protection, URL tracking and reporting, and link reputation checking. Even when Advanced Threat Protection is used, getting the settings right to maximize protection is not always straightforward.

APT will certainly improve email security, but it is worth bearing in mind that hackers can also sign up for those features and have access to the sandbox. That makes it easier for them to develop campaigns that bypass Office 365 security protections.

The Cost of Mitigating an Cybersecurity Incident is Considerable

The cost of mitigating a cyberattack can be considerable, and certainly substantially more than the cost of prevention. The Ponemon Institute/IBM Security 2017 Cost of a Data Breach study shows the average cost of mitigating a cyberattack is $3.62 million.

The recent NotPetya and WannaCry attacks also highlighted the high cost of breach mitigation. The NotPetya attack on Maersk, for example, has been estimated to cost the company up to $300 million, the vast majority of which could have been saved if the patches released by Microsoft in March had been applied promptly.

These large companies can absorb the cost of mitigating cyberattacks to a certain extent, although smaller businesses simply do not have the funds. It is no therefore no surprise that 60% of SMBs end up permanently closing their doors within 6 months of experiencing a cyberattack. Even cash-strapped businesses should be able to afford to improve security to prevent email-based attacks – The most common vector used by cybercriminals to gain access to systems and data.

Increase Office Email 365 Security with a Specialist Email Security Solution

No system can be made totally impervious to hackers and remain usable, but it is possible to improve Office 365 email security and reduce the potential for attacks to an minimal level. To do that, many enterprises are turning to third-party solution providers – specialists in email security – to increase Office 365 email security instead of paying extra for the protection offered by APT.

According to figures from Gartner, an estimated 40% of Microsoft Office 365 deployments will incorporate third-party tools by the end of 2018 with the figure predicted to rise to half of all deployments by 2020.

One of the best ways of improving Office 365 email security is to use an advanced, comprehensive email spam filtering solution developed by a specialist in email security, TitanHQ.

TitanHQ’s SpamTitan offers excellent protection against email-based attacks. The solution has also been developed to perfectly compliment Office 365 to block more attacks and keep inboxes spam and malware free. SpamTitan filters out more than 99.9% of spam and malicious emails giving businesses the extra level of protection they need. Furthermore, it is also one of the most cost-effective enterprise email security solutions for Office 365 on the market.

To find out more about SpamTitan and how it can improve Microsoft Office 365 email security at your business, contact TitanHQ today.

MSPs Can Profit from Providing Additional Office 365 Email Security

The days when MSPs could offer email box services to clients and make big bucks are sadly gone. MSPs can sell Office 365 subscriptions to their clients, but the margins are small and there is little money to be made. However, there are good opportunities for selling support services for MS products and also for providing enhanced email security for Office 365 users.

SpamTitan can be sold as an add-on service to enhance security for clients subscribing to Office 365, and since the solution is easy to implement and has a very low management overhead, it allows MSPs to easily boost monthly revenues.

SpamTitan can also be provided in white label form; ready to accept MSPs branding and the solution can even be hosted within an MSPs infrastructure. On top of that, there are generous margins for MSPs.

With SpamTitan it is easy for MSPs to provide valued added service, enhance Office 365 email services, and improve Microsoft Office 365 email security for all customers.

To find out more about how you can partner with SpamTitan and improve Office 365 email security for your customers, contact the MSP Sales team at TitanHQ today.

Bashware Allows Malware to be Run on Windows 10 Undetected

A new attack method – termed Bashware – could allow attackers to install malware on Windows 10 computers without being detected by security software, according to research conducted by Check Point.

The Windows Subsystem for Linux (WSL) was introduced to make it easier for developers to run Linux tools on Windows without having to resort to virtualization; however, the decision to add this feature could open the door to cybercriminals and allow them to install and run malware undetected.

Checkpoint researchers have conducted tests on Bashware attacks against leading antivirus and antimalware security solutions and in all cases, the attacks went undetected. Check Point says no current antivirus or security solutions are capable of detecting Bashware attacks as they have not been configured to search for these threats. Unless cybersecurity solutions are updated to search for the processes of Linux executables on Windows systems, attacks will not be detected.

Microsoft says the Bashware technique has been reviewed and has been determined to be of low risk, since WSL is not turned on by default and several steps would need to be taken before the attack is possible.

For an attack to take place, administrator privileges would need to be gained. As has been demonstrated on numerous occasions, those credentials could easily be gained by conducting phishing or social engineering attacks.

The computer must also have WSL turned on. By default, WSL is turned off, so the attacks would either be limited to computers with WSL turned on or users would have to turn on WSL manually, switching to development mode and rebooting their device. The potential for Bashware attacks to succeed is therefore somewhat limited.

That said, Check Point researchers explained that WSL mode can be switched on by changing a few registry keys. The Bashware attack method automates this process and will install all the necessary components, turn on WSL mode and could even be used to download and extract the Linux file system from Microsoft.

It is also not necessary for Linux malware to be written for use in these attacks. The Bashware technique installs a program called Wine that allows Windows malware to be launched and run undetected.

WSL is now a fully supported feature of Windows. Check Point says around 400 million computers are running Windows 10 are currently exposed to Bashware attacks.

Researchers Gal Elbaz and Dvir Atias at Check Point said in a recent blog post, “Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products.”

Check Point has already updated its solutions to detect these types of attacks, and Kaspersky Lab is making changes to its solutions to prevent these types of attacks. Symantec said its solutions already check for malware created using WSL.

Patch Released to Fix Actively Exploited Microsoft .Net Framework Flaw

Microsoft has corrected 27 critical vulnerabilities this Patch Tuesday, including a Microsoft .Net Framework flaw that is being actively exploited to install Finspy surveillance software on devices running Windows 10.

Microsoft .Net Framework Flaw Exploited by ‘Multiple’ Actors

Finspy is legitimate software developed by the UK-based Gamma Group, which is used by governments around the world for cyber-surveillance. The software has been installed in at least two attacks in the past few months according to FireEye researchers, the latest attack leveraged the Microsoft .Net Framework flaw.

The attack starts with a spam email containing a malicious RTF document. The document uses the CVE-2017-8759 vulnerability to inject arbitrary code, which downloads and executes a VB script containing PowerShell commands, which in turn downloads the malicious payload, which includes Finspy.

FireEye suggests at least one attack was conducted by a nation-state against a Russian target; however, FireEye researchers also believe other actors may also be leveraging the vulnerability to conduct attacks.

According to a blog post on Tuesday, the Microsoft .Net Framework flaw has been detected and neutralized. Microsoft strongly recommends installing the latest update promptly to reduce exposure. Microsoft says the flaw could allow a malicious actor to take full control of an affected system.

BlueBorne Bluetooth Bug Fixed

Several Bluetooth vulnerabilities were discovered and disclosed on Tuesday by security firm Aramis. The vulnerabilities affect billions of Bluetooth-enabled devices around the world. The eight vulnerabilities, termed BlueBorne, could be used to perform man-in-the-middle attacks on devices via Bluetooth, rerouting traffic to the attacker’s computer. The bugs exist in Windows, iOS, Android and Linux.

In order to exploit the vulnerabilities, Bluetooth would need to be enabled on the targeted device, although it would not be necessary for the device to be in discoverable mode. An attacker could use the vulnerabilities to connect to a device – a TV or speaker for example – and initiate a connection to a computer without the user’s knowledge. In order to pull off the attack, it would be necessary to be in relatively close proximity to the targeted device.

In addition to intercepting communications, an attacker could also take full control of a device and steal data, download ransomware or malware, or perform other malicious activities such as adding the device to a botnet. Microsoft corrected one of the Bluetooth driver spoofing bugs – CVE-2017-8628 – in the latest round of updates.

Critical NetBIOS Remote Code Execution Vulnerability Patched

One of the most pressing updates is for a remote code execution vulnerability in NetBIOS (CVE-2017-0161). The vulnerability affects both servers and workstations. While the vulnerability is not believed to be currently exploited in the wild, it is of note as it can be exploited simply by sending specially crafted NetBT Session Service packets.

The Zero Day Initiative (ZDI) said the flaw “is practically wormable within a LAN. This could also impact multiple virtual clients if the guest OSes all connect to the same (virtual) LAN.”

In total, 81 updates have been released by Microsoft this Patch Tuesday. Adobe has corrected eight flaws, including two critical memory corruption bugs (CVE-2017-11281, CVE-2017-11282) in Flash Player, a critical XML parsing vulnerability in ColdFusion (CVE-2017-11286) and two ColdFusion remote code execution vulnerabilities (CVE-2017-11283, CVE-2017-11284) concerning deserialization of untrusted data.

Xafecopy Malware Silently Steals Money from Victims’ Mobile Accounts

Xafecopy malware is a new Trojan that is being used to steal money from victims via their smartphones. The malware masquerades as useful apps that function exactly as expected, although in addition to the useful functions, the apps have a malicious purpose.

Installing the apps activates Xafecopy malware, which silently subscribes the infected smartphone to a number of online services via websites that use the WAP billing payment method. Rather than require a credit card for purchases, this payment method adds the cost of the service to the user’s mobile phone bill. Consequently, it can take up to a month before the victim realizes they have been defrauded.

Several apps are used to deliver the malware, including BatteryMaster – An app that can kill processes on a smartphone to save battery life. Once installed, Xafecopy malware searches for websites that have the WAP billing feature and subscribes to the services. These websites often use the captcha system to verify that the user is human, although the malware uses JavaScript to bypass this control.

Additional features of Xafecopy malware include the ability to send text messages from the user’s device to premium rate phone numbers. The malware can also delete incoming text messages, such as text messages notifying users about services they have subscribed to and warnings from network operators about potential fraud.

To date, there are more than 4,800 victims spread across 47 countries around the world, although most of the WAP billing attacks have been seen in India, Mexico, Turkey and Russia, with India accounting for 37.5% of the WAP billing attacks. WAP billing attacks are concentrated in countries where WAP billing is most popular.

Kaspersky Lab senior malware analyst Roman Unucheck said, “WAP billing can be particularly vulnerable to so-called ‘clickjacking’ as it has a one-click feature that requires no user authorization. Our research suggests WAP billing attacks are on the rise.”

While most PC users have antivirus software installed, the same is not true for users of Android devices. Many users still do not use a security suite on their mobile devices to protect them from malware, even though they often use their smartphones to sign up and pay for online services or access their bank accounts.

Installing antivirus software can help to prevent Xafecopy malware infections. It is also important not to download apps from unofficial stores and to scan all apps with the Verify Apps utility.

UNITEDRAKE Malware Released by Shadow Brokers

Shadow Brokers are offering a new National Security Agency (NSA) hacking tool – UNITEDRAKE malware – making good on their promise to issue monthly releases of NSA exploits. The latest malware variant is one of several that were allegedly stolen from the NSA last year.

Shadow Brokers previously released the ETERNALBLUE exploit which was used in the WannaCry ransomware attacks in May that affected thousands of businesses around the world. There is no reason to suggest that this new hacking tool is not exactly what they claim.

UNITEDRAKE malware is a modular remote access and control tool that can capture microphone and webcam output, log keystrokes, and gain access to external drives. Shadow Brokers claim UNITEDRAKE malware is a ‘fully extensive remote collection system’ that includes a variety of plugins offering a range of functions that allow malicious actors to perform surveillance and gather information for use in further cyberattacks. UNITEDRAKE malware gives attackers the ability to take full control of an infected device.

Plugins include CAPTIVATEDAUDIENCE, which records conversations via an infected computer’s microphone, GUMFISH gives the attackers control of the webcam and allows them to record video and take images. FOGGYBOTTOM steals data such as login credentials, browsing histories and passwords, SALVAGERABBIT can access data on external drives such as flash drives and portable hard drives when they are connected, and GROK is a keylogger plugin. The malware is also able to self-destruct when its tasks have been performed.

The malware works on older Windows versions including Windows XP, Vista, Windows 7 and 8 and Windows Server 2012.

According to documents released by Edward Snowden in 2014, the malware has been used by the NSA to infect millions of computers around the world. The malware will soon be in the hands of any cybercriminal willing to pay the asking price of 500 Zcash – around $124,000. Shadow Brokers have released a manual for the malware explaining how it works and its various functions.

TrendMicro said in a recent blog post there is currently no way of blocking or stopping the malware. When attacks occur, they will be analyzed by security researchers looking for clues as to how the malware works. That should ultimately lead to the development of tools to block attacks.

In the meantime, organizations need to improve their security posture by ensuring all systems are patched and operating systems are upgraded to the latest versions. An incident response plan should also be developed to ensure it can be implemented promptly in the event of an attack.

A further NSA exploit is expected to be released later this month, with the monthly dumps scheduled for at least the next two months.

Dropbox Phishing Attacks Used to Download Locky Ransomware

Dropbox phishing attacks are relatively common and frequently fool employees into revealing their sensitive information or downloading malware.

Dropbox is a popular platform for sharing files and employees are used to receiving links advising them that files have been shared with them by their colleagues and contacts and phishers are taking advantage of familiarity with the platform.

There are two main types of Dropbox phishing attacks. One involves sending a link that asks users to verify their email address. Clicking the link directs them to a spoofed Dropbox website that closely resembles the official website. They are then asked to enter in their login credentials as part of the confirmation process.

Dropbox phishing attacks are also used to deliver malware such as banking Trojans and ransomware. A link is sent to users relating to a shared file. Instead of accessing a document, clicking the link will result in malware being downloaded.

Over the past few days, there has been a massive campaign using both of these attack methods involving millions of spam email messages. Last week, more than 23 million messages were sent in a single day.

Most of the emails were distributing Locky ransomware, with a smaller percentage used to spread Shade ransomware. There is no free decryptor available to unlock files encrypted by Locky and Shade ransomware. If files cannot be recovered from backups, victioms will have to dig deep.

Due to the rise in value of Bitcoin of late the cost of recovery is considerable. The malicious actors behind these attacks are demanding 0.5 Bitcoin per infected device – Around $2,400. For a business with multiple devices infected, recovery will cost tens if not hundreds of thousands of dollars.

According to F-Secure, the majority of malware-related spam messages detected recently – 90% – are being used to distribute Locky. Other security researchers have issued similar reports of a surge in Locky infections and spam email campaigns.

To prevent Locky ransomware attacks, businesses should install an advanced spam filtering solution to prevent malicious emails from being delivered to end users’ inboxes. Occasional emails are likely to make it past spam filtering defenses so it is important that all users receive security awareness training to help them identify malicious emails.

A web filter can be highly effective at blocking attempts to visit malicious websites where malware is downloaded, while up to date antivirus and anti-malware solutions can detect and quarantine malicious files before they are opened.

Backups should also be made of all data and systems and those backups should be stored on an air-gapped device. Ransomware variants such as Locky can delete Windows Shadow Volume Copies and if a backup device remains connected, it is probable that backup files will also be encrypted.

Best practices for backing up data involve three backup files being created, on two different media, with one copy stored offsite and offline. Backups should also be tested to make sure files can be recovered in the event of disaster.

The increase in ransomware attacks has prompted the National Institute of Standards and Technology (NIST) to develop new guidance (NIST SPECIAL PUBLICATION 1800-11on recovering from ransomware attacks and other disasters. The draft guidance can be downloaded on this link.

Recently Discovered Spambot Contains 711-Million Email Addresses

A Netherlands-based spambot has recently been discovered that is being used to send massive volumes of spam email containing ransomware and malware. What sets this spambot aside from the many others in use is the scale of the spamming operations. Paris-based cybersecurity firm Benkow says the spambot contains an astonishing 711,000,000 email addresses.

To put that absurdly high figure into perspective, it corresponds to the entire population of Europe or two email addresses for every resident in the United States and Canada.

The spambot – called Onliner – is being used as part of a massive malware distribution network that has been distributing Ursnif banking malware. Not only are these email addresses being used for spamming and malware distribution, the passwords associated with many of those accounts are also publicly available on the same server. Malicious actors could access the data and use the information to gain access to the compromised accounts to search for sensitive information.

All of the email addresses in the list have now been uploaded to HaveIBeenPwned. Troy Hunt of HaveIBeenPwned recently explained in a blog post that this is the single largest set of email addresses that has ever been uploaded to the database. Hunt said it took 110 separate data breaches and more than two and a half years for the site to amass a database of that size.

Hunt explained that an analysis of some of the email addresses in one of the text files were all present in the data from the LinkedIn breach, another set related to the Badoo breach and another batch were all in the exploit.in list, suggesting this massive collection of email addresses has been amalgamated from past data breaches. That shows data is being extensively bought and sold on forums and darknet marketplaces. However, not all of the email addresses were already in the database, suggesting they came either from previously undisclosed breaches and scrapes of Internet sites.

Some of the lists obtained contained email addresses, corresponding passwords, SMTP servers and ports, which allow spammers to abuse those accounts and servers in their spamming campaigns. Hunt says the list includes approximately 80 million email servers that are being used in spamming campaigns.

The problem is these are legitimate accounts and servers, which the spammers can abuse to send massive amounts of spam and even defeat some spam filters, ensuring malicious messages get delivered. Hunt says authorities in the Netherlands are currently attempting to shut down Onliner.

As a precaution, everyone is recommended to visit HaveIBeenPwned to check if their email addresses/passwords have been added to the database. If they are present, it is important to update the passwords for those email accounts and never to use those passwords again.

Defray Ransomware Used in Targeted Attacks on Healthcare and Education Sectors

Defray ransomware is being used in targeted attacks on organizations in the healthcare and education sectors. The new ransomware variant is being distributed via email; however, in contrast to many ransomware campaigns, the emails are not being sent out in the millions. Rather than use the spray and pay method of distribution, small campaigns are being conducted consisting of just a few emails.

To increase the likelihood of infection, the criminals behind Defray ransomware are carefully crafting messages to appeal to specific victims in an organization. Researchers at Proofpoint have captured emails from two small campaigns, one of which incorporates hospital logos in the emails and claims to have been sent by the Director of Information Management & Technology at the targeted hospital.

The emails contain an Microsoft Word attachment that appears to be a report for patients, relatives and carers. The patient report includes an embedded OLE packager shell object. If clicked, this executable downloads and installs Defray ransomware, naming it after a legitimate Windows file.

The ransom demand is considerable. Victims are asked to pay $5,000 per infected machine for the keys to unlock the encryption, although the ransom note does suggest the attackers are prepared to negotiate on price. The attackers suggest victims should backup their files to avoid having to pay ransoms in the future.

There is no known decryptor for defray ransomware. Files are encrypted using AES-256 with RAS-2048 used to encrypt the AES-256 encrypted password while SHA-2 is used to maintain file integrity. In addition to encrypting files, the ransomware variant can cause other disruption and will delete volume shadow copies to prevent the restoration of files without paying the ransom.

The developers of the ransomware have not given their malicious code a name and in contrast to most ransomware variants, the extensions of encrypted files are not changed. Proofpoint named the variant Defray ransomware from the C2 server used by the attackers.

A second campaign has been identified targeting the manufacturing and technology sector. In this case, the email appears to have been sent by a UK aquarium (Sea Life) with facilities around the world. The emails and attachments differ, although the same OLE packager shell object is used to infect end users.

The attackers have been sending these malicious emails to individuals, user groups and distribution lists. Attacks have occurred in both the United States and United Kingdom and are likely to continue.

Protecting against these targeted attacks requires a combination of spam filtering technology and end user training. Organizations in the healthcare, education, technology and manufacturing sectors should consider sending an email alert to end users warning of the risk of ransomware attacks, instructing end users to exercise caution and not to open email attachments from unknown senders and never to click to enable content on email attachments.

Beware of Hurricane Harvey Phishing Scams

Scenes of the devastation caused by Hurricane Harvey are all over the newsstands and Internet. Videos of the devastation are being broadcast around the globe. The hurricane hit the Texas coast two days ago, forcing tens of thousands of Texas residents to flee their homes. While the hurricane has now been downgraded to a tropical storm, meteorologists are predicting the heavy rainfall will continue at lease for a couple more days and flood waters are continuing to rise.

Following any natural disaster, email scams are rife and extra care must be taken. Hurricane Harvey is no exception. While homeowners were preparing for the worst, cybercriminals were developing Hurricane Harvey phishing scams to fool the unwary into revealing their sensitive information or downloading malware.

Just as looters take advantage of abandoned homes, scammers take advantage of interest in the disaster and send malicious emails that direct users to phishing websites and exploit kits that silently download malware. Scammers capitalize on interest in disasters to conduct malicious activities.

The expected deluge of malicious emails has prompted US-CERT to issue a warning about Hurricane Harvey phishing scams, urging Americans to be extra vigilant. Similar warnings have also been issued by the Better Business Bureau and Federal Trade Commission (FTC).

Hurricane Harvey phishing scams are likely to have eye-catching subject lines offering updates on Hurricane Harvey and stories relating to the disaster or relief efforts. The scam emails contain malicious hyperlinks that will direct users to phishing websites and sites where malware is downloaded. Malicious email attachments are also used to install malware and ransomware.

Users should be extremely wary about opening any emails relating to Hurricane Harvey, especially emails sent from unknown senders. The best advice is not to click on any hyperlink in an email relating to Hurricane Harvey and not to open email attachments sent in those messages.

While email is favored by many scammers, Hurricane Harvey phishing scams can be found on social media sites. Facebook posts and tweets may direct users to phishing websites where credit card details can be obtained or to fake charity websites where donations can be made.

How to Give to Charity to Support the Victims and Avoid Being Scammed

A natural disaster such as this causes devastation for tens of thousands of families. Homes and businesses are lost and families are forced to take refuge in shelters. Displaced families need support and many charities are accepting donations to help the victims.

However, all may not be as it seems. Scammers spoof legitimate charities and set up bogus websites where donations can be made. Oftentimes, legitimate charities are spoofed and donations never make it to the victims.

The advice offered by the Federal Trade Commission is to be wary of any request for donations to support the victims of Hurricane Harvey. Rather than respond directly to email and social media requests for donations, visit the charity webpage directly and independently verify the charity is legitimate.

The Better Business Bureau is maintaining a list of BBB-accredited charities that are accepting donations to support the victims of Hurricane Harvey, as is Guidestar. By checking the legitimacy of the charity, users can make sure their donations reach the victims of the hurricane and do not end up lining criminals’ pockets.

If you are considering donating to a charity that is not on either list, before making a donation, check that the charity is registered by contacting the National Association of State Charity Officials.

Biggest Cybersecurity Threat? Employees, Say 100% of Survey Respondents!

What is biggest cybersecurity threat currently faced by organizations? According to a recent survey of government IT professionals, the biggest cybersecurity threat is employees. 100% of respondents to the survey said employees were the biggest cybersecurity threat faced by their organziation.

The survey, conducted by Netwrix, explored IT security and compliance risks at a wide range of organizations around the globe, including government agencies.

Government agencies are an attractive target for cybercriminals. They store vast quantities of sensitive data on consumers and cybersecurity protections are often inferior to private sector organizations. Consequently, cyberattacks are easier to pull off. In addition to a treasure trove of consumer data, government agencies hold highly sensitive information critical to national security. With access to that information, hackers can take out critical infrastructure.

There are plenty of hackers attempting to gain access to government networks and oftentimes attacks are successful. The Office of Personnel Management breach in 2015 resulted in the Social Security numbers of 21.5 million individuals being compromised. In 2015, there was also a 6.2 million record breach at the Georgia Secretary of State Office and 191 million individuals were affected by a hack of the U.S. voter database.

The survey revealed 72% of government entities around the world had experienced at least one data breach in 2016 and only 14% of respondents felt their department was well protected against cyberattacks.

Employees Are the Biggest Cybersecurity Threat

Last year, 57% of data breaches at government entities were caused by insider error, while 43% of respondents from government agencies said they had investigated instances of insider misuse. Given the high percentage of security incidents caused by insiders – deliberate and accidental – it is no surprise that insiders are perceived to be the biggest cybersecurity threat.

How Can Employees be Turned from Liabilities into Security Titans?

Employees may be widely regarded as liabilities when it comes to information security, but that need not be the case. With training, employees can be turned into security titans. For that to happen, a onetime security awareness training program is not going to cut it. Creating a security culture requires considerable effort, resources and investment.

Security awareness training needs to be a continuous process with training sessions for employees scheduled at least twice a year, with monthly updates and weekly security bulletins distributed to highlight the latest threats. Training must also be backed up with testing – both to determine how effective training has been and to provide employees with the opportunity to test their skills. Phishing simulations are highly effective in this regard. If an employee fails a simulation it can be turned into a training opportunity. Studies by security training companies have shown susceptibility to phishing attacks can be reduced by more than 90% with effective training and phishing simulation exercises.

However, fail to invest in an effective security awareness program and employees will remain the biggest cybersecurity threat and will continue to cause costly data breaches.

How to Reduce Exposure to Phishing and Malware Threats

With the workforce trained to respond correctly to phishing emails, employees can be turned into a formidable last line of defense. The defensive line should be tested with simulated phishing emails, but technological solutions should be introduced to prevent real phishing emails from being delivered to end users’ inboxes.

The majority of malware and ransomware attacks start with a phishing email, so it is essential that these malicious messages are filtered out. An advanced spam filtering solution should therefore be at the heart of an organization’s email defenses.

SpamTitan is a highly effective enterprise-class spam filtering solution that blocks malicious messages and more than 99.9% of spam email, helping organizations to mount an impressive defense against email-based attacks. Dual anti-virus engines are used to identity and block malware and ransomware, with each email subjected to deep analysis using Sender Policy Framework (SPF), SURBL’s, RBL’s and Bayesian analysis to block threats.

If you want to improve your defenses against phishing and email-based malware attacks, SpamTitan should be at the heart of your email defenses. To find out more about SpamTitan and how it can prevent your employees having their phishing email identification skills frequently put to the test, contact the TitanHQ team today.

2017 Spam Study Reveals Majority of Malicious Messages Sent During Office Hours

The busiest day of the week for email spam is Tuesday and spammers concentrate on sending messages during working hours, Monday to Friday, according to a 2017 spam study conducted by IBM X-Force.

The study was conducted over a 6-month period from December 2016 to June 2017. The study analyzed more than 20 million spam messages and 27 billion webpages and images a day. The researchers also incorporated data provided by several anti-spam organizations, making the 2017 spam study one of the largest ever conducted.

The 2017 spam study showed the majority of spam emails – 83% – were sent to arrive in inboxes during office hours with Tuesday, Wednesday, and Thursday the spammiest days. Spam volume was much lower on Mondays and Fridays.

While spam is sent 24/7, the busiest times are between 1am and 4pm ET. If an email arrives at an inbox when a worker is at his/her desk, it is more likely to be opened. Spammers therefore concentrate their messages during office hours.

Malicious spam messages increase around the holidays and during tax season when email scams are rife. The increase in numbers of individuals heading online to shop for goods means rich pickings for spammers. Spam volume also increases during sporting events such as the Olympics, the Super Bowl and the Football World Cup, with sports-themed spam messages capitalizing on interest in the events.

Malicious messages aim to get email recipients to reveal their banking credentials, logins and passwords and install malware. The researchers found 44% of spam emails contained malicious code, and out of those emails, 85% were used to spread ransomware.

While the majority of spam messages are automated, the IBM researchers point out that spammers work at their campaigns. There is also considerable manual work required to control botnets and spam mailers. The process is not entirely automated. Considerable work is put into malicious messages that spread ransomware and malware, with these campaigns requiring the highest level of manual control. These campaigns also involve extensive planning to maximize the number of victims.

Spam is sent from countries all around the world, although the biggest percentage hails from India, which sends 30% of all spam emails. South America and China also send a high percentage of global spam. Only 7% of spam emails are sent from the United States and Canada.

Companies are getting better at filtering out spam emails and preventing the messages from reaching inboxes. Spam filtering technology has improved enormously in recent years, meaning fewer messages are being delivered; however, spam is still the main method of distributing malware and phishing scams are rife. Spammers are also getting much better at masking their malicious messages and they frequently change delivery vehicles develop new methods of hiding malicious code to avoid detection.

The researchers say spam email volume has increased fourfold over the past 12 months and malicious messages are now being increasingly targeted at organizations and individuals, rather than being sent randomly in huge spamming campaigns. Targeting allows the attackers to send carefully crafted campaigns which are more likely to result in the recipients taking the desired action.

Locky Ransomware Spam Campaigns Detected Spreading Two New Variants

Two new Locky ransomware spam campaigns have been detected this month, each being used to spread a new variant of the cryptoransomware. The campaigns have been launched after a relatively quiet period for ransomware attacks, although the latest campaigns show that the threat of ransomware attacks in never far away.

Previously, Locky ransomware spam campaigns have been conducted using the Necurs botnet – one of the largest botnets currently in use. One of the campaigns, spreading the Locky variant Lukitus is being conducted via Necurs. The other campaign, which is spreading the Diablo Locky variant, is being sent via a new botnet consisting of more than 11,000 infected devices. Those devices are located in 133 countries according to Comodo Threat Research Labs. The botnet appears to have been built quickly and is understood to be growing, with most infected devices in Vietnam, India, Mexico, Turkey and Indonesia.

The failure to backup files is likely to prove costly. The ransom demand issued by the attackers ranges between 0.5 and 1 Bitcoin per infected device – approximately $2,150 to $4,300 per machine. There is still no decryptor for Locky ransomware. Victims face file loss if they do not have a viable backup to restore files. Locky ransomware variants remove Shadow Volume Copies to hamper recovery without paying the ransom.

The Diablo Locky variant renames encrypted files with a unique 16-character file name and adds the diablo6 extension, while the Lukitus variant adds the .lukitus extension.

The two new Locky ransomware spam campaigns differ in their method of delivery of the ransomware, although both involve spam email. The Diablo campaign, which started on August 9, uses various attachments including pdf, doc, and docx files, although infection occurs via malicious macros.

Opening the infected documents will present the user with indecipherable data and a prompt to enable macros to view the content of the document. Enabling macro saves a binary to the device, runs it, and downloads the Locky payload.

The email subjects in this campaign are varied, although in many of the emails the attackers claim the attachment is a missed invoice or purchase order.

The Lukitus campaign was first detected on August 16 and has been mostly used in attacks in the United States, UK, and Austria, although there have also been successful attacks in Italy, Sweden, China, Russia, Botswana, Netherlands and Latvia.

This campaign uses zipped (zip and rar) attachments. The zip files contain JavaScript files, which if run, will download the Lukitus Locky variant.

As with all ransomware attacks via spam email, the best defense is an advanced spam filter to block the emails and prevent them from being delivered to end users. Employees should already have been trained on the threat from ransomware. Now would be a good time to issue a reminder via email to all employees of the current threat.

Recovery without paying the ransom depends on viable backup copies existing. Since Locky can encrypt backup files, backup devices should be disconnected after a backup has been made. Organizations should also ensure three copies of backups exist, on two different media, with one copy stored off site – the 3-2-1 approach to backing up.

Retail Industry Data Breaches Double in a Year

The retail industry is under attack with cybercriminals increasing their efforts to gain access to PoS systems. Retail industry data breaches are now being reported twice as frequently as last year, according to a recent report from UK law firm RPC.

Retailers are an attractive target. They process many thousands of credit card transactions each week and store huge volumes of personal information of consumers. If cybercriminals can gain access to Point of Sale systems, they can siphon off credit and debit card information and stolen consumer data can be used for a multitude of nefarious purposes.

Many retailers lack robust cybersecurity defenses and run complex systems on aging platforms, making attacks relatively easy.

While cyberattacks are common, the increase in data breaches does not necessarily mean hacks are on the rise. RPC points out that there are many possible causes of data breaches, including theft of data by insiders. Retailers need to improve they defenses against attacks by third parties, although it is important not to forget that systems need to be protected from internal threats.

Preventing retail industry data breaches requires a range of cybersecurity protections, but technology isn’t always the answer. Errors made by staff can easily result in cybercriminals gaining easy access to systems, such as when employees respond to phishing emails.

Employees are the last line of defense and that defensive line is frequently tested. It is therefore essential to improve security awareness. Security awareness training should be provided to all employees to raise awareness of the threat from phishing, malware and web-based attacks.

Phishing emails are the primary method of spreading malware and ransomware. Training staff how to identify phishing emails – and take the correct actions when email-based threats are received – will go a long way toward preventing retail industry data breaches. Employees should be taught the security basics such as never opening email attachments or clicking hyperlinks in emails from unknown individuals and never divulging login credentials online in response to email requests.

Employees can be trained to recognize email-based threats, although it is important to take steps to prevent threats from reaching inboxes. An advanced spam filtering solution is therefore a good investment. Spam filters can block the vast majority of spam and malicious emails, ensuring employees security awareness is not frequently put to the test. SpamTitan blocks more than 99.9% of spam and malicious emails, ensuring threats never reach inboxes.

Web-based attacks can be blocked with a web filtering solution. By carefully controlling the types of websites employees can access, retailers can greatly reduce the risk of malware downloads.

As the recent WannaCry and NotPetya malware attacks have shown, user interaction is not always required to install malware. Both of those global attacks were conducted remotely without any input from employees. Vulnerabilities in operating systems were exploited to download malware.

In both cases, patches had been released prior to the attacks that would have protected organizations from the threat. Keeping software up to date is therefore essential. Patches must be applied promptly and regular checks conducted to ensure all software is kept 100% up to date.

This is not only important for preventing retail industry data breaches. Next year, the General Data Protection Regulation (GDPR) comes into force and heavy fines await retailers that fail to do enough to improve data security. Ahead of the May 25, 2018 deadline for compliance, retailers need to improve security to prevent breaches and ensure systems are in place to detect breaches rapidly when they do occur.

Domain Spoofing Spam Campaigns Targeting Customers of Popular UK Banks

Several domain spoofing spam campaigns have been detected that are targeting customers of popular UK banks. The spam email campaigns include credible messages and realistic spoofed domains and pose a threat to consumers and businesses alike.  The domain spoofing email campaigns are targeting customers of HSBC, Lloyds Bank, Nationwide, NatWest and Santander.

Domain spoofing is the use of a domain similar to that used by a legitimate entity with the aim of fooling email recipients into believing the email and domain is genuine. Domain spoofing is commonly used in phishing attacks, with email recipients fooled into divulging their login credentials or downloading malware. In addition to a similarly named domain, the malicious websites often include the targeted brand’s logos, layouts and color schemes.

According to a warning issued by the SANS Institute’s Internet Storm Center, the latest domain spoofing spam campaigns involve the name of the bank and one of the following additional words: docs; documents; secure; communication; securemessage.

Customers of a targeted back who receive an email and a link from the domain ‘securenatwest.co.uk’ or ‘santandersecuremessage.com’ could easily be fooled into thinking the email is genuine. Other domains being used are hsbcdocs.co.uk, hmrccommunication.co.uk, lloydsbacs.co.uk, nationwidesecure.co.uk, natwestdocuments6.ml, and santanderdocs.co.uk. Further, many consumers still believe a website starting with HTTPS is secure. Yet all of these spoofed domains are all encrypted and have SSL certificates.

The domain spoofing spam campaigns involve messages claiming there is a new secure message from the bank along with an attached HTML file. That file downloads a malicious MS Office document containing macros. If those macros are enabled, the malicious payload is delivered. These campaigns are being used to distribute Trickbot malware – a banking Trojan used for man-in-the-middle attacks to steal banking credentials.

HTML documents are used as they download malicious MS documents via an HTTPS connection to reduce the risk of the documents being detected by antivirus software. SANS Institute researcher Brad Duncan pointed out that this method, while not new, can be effective. He also explained that “poorly managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.”

The domain spoofing spam campaigns were detected by My Online Security, which notes that “A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.”

Businesses can reduce risk by employing a spam filtering solution to prevent the malicious messages from being delivered to end users, ensuring Windows hosts are correctly configured, and ensuring employees are alert to the threat. Macros should be disabled on all devices and employees instructed never to enable macros or enable content on emailed documents.

NSA Exploit Used in Cyberattacks on Hotel WiFi Networks

Security researchers have discovered a wave of cyberattacks on hotel WiFi networks that leverage an NSA exploit – EternalBlue – for a vulnerability that was fixed by Microsoft in March.

The same exploit was used in the WannaCry ransomware attacks in May and the NotPetya wiper attacks in June. Even though the malware campaigns affected hundreds of companies and caused millions (if not billions) of dollars of losses, there are still companies that have yet to apply the update.

The recent cyberattacks on hotel WiFi networks have affected establishments in the Middle East and Europe. Once access is gained to hotel networks, the attackers spy on guests via hotel WiFi networks and steal their login credentials.

Researchers at FireEye discovered the new campaign, which they have attributed to the Russian hacking group APT28, also known as Fancy Bear. Fancy Bear is believed to receive backing from the Russian government and has performed many high profile cyberattacks in recent years, including the cyberattack on the World Anti-Doping agency (WADA). Following that attack, Fancy Bear published athletes’ therapeutic use exemption (TUE) data.

In contrast to the WannaCry and NotPetya attacks that were conducted remotely without any user involvement, the latest campaign is being conducted via a spear phishing campaign. The hacking group sends malicious emails to hotel employees and uses email attachments to download their backdoor – Gamefish. In this case, the attachment appears to be a reservation form for a hotel booking. Gamefish is installed if hotel employees run the macros in the document.

Once the backdoor is installed, the hackers search for internal and guest WiFi networks using EternalBlue and spread to other devices. Once embedded in computers that control the WiFi networks, the attackers can launch attacks on devices that attempt to connect to the hotel WiFi network.

The hackers use the open-source Responder tool to listen for MBT-NS (UDP/137) broadcasts from devices that are attempting to connect to WiFi network resources. Instead of connecting, they connect to Responder which obtains usernames and hashed passwords. That information is transferred to a computer controlled by the attackers. Once the hashed passwords have been cracked they can be used to attack hotel guests.

The names of the affected hotels have not been disclosed, although FireEye has confirmed that at least one Middle Eastern hotel and seven in Europe have been attacked. The hotels were well respected establishments likely to be frequented by high-net worth guests and business travellers.

The advice for travellers is to exercise caution when connecting to hotel WiFi networks, such as avoiding accessing online bank accounts or better still, avoiding connecting to hotel WiFi networks altogether. While the use of a VPN when connecting to hotel WiFi networks is a good idea, in this case the attack can occur before a secure VPN connection is made.

FireEye reports that this type of attack is difficult to detect and block. The attackers passively collect data and leave virtually no traces. Once login credentials have been obtained, guests are vulnerable and not just while they are at the hotel. FireEye believes the credentials are then used to attack individuals when they return home and connect to their home networks.

The best way for hotels to prevent cyberattacks on hotel WiFi networks such as this is by blocking the phishing and spear phishing attacks that lead to installation of the malware. Hotels should ensure all employees are provided with security awareness training and a spam filtering solution such as SpamTitan is deployed to stop malicious emails from being delivered to employees’ inboxes.

Cyberattacks in Q2 2017 Jumped by Almost a Quarter

Cyberattacks are continuing to rise, according to the latest threat report from NTT Security. Cyberattacks in Q2 2017 jumped considerably, while phishing emails are now being extensively used to spread malware. The majority of cyberattacks in Q2 2017 affected the manufacturing, finance and healthcare industries, which accounted for 72% of all detected attacks.

Cyberattacks in Q2 2017 Increased by Almost a Quarter

Cyberattacks in Q2 2017 were 24% higher than the previous quarter and the manufacturing industry is in hackers’ crosshairs. Manufacturing accounted for 34% of all malicious attacks last quarter, followed by finance with 25% of attacks and healthcare on 13%.

Cyberattacks on manufacturing firms are not limited geographically. Manufacturing was the most attacked industry in five out of the six geographical regions tracked by NTT Security. The attacks have involved ransomware, industrial espionage, sabotage and data theft. Even though cyberattacks on manufacturing firms have increased sharply, 37% of firms in the sector have yet to develop an incident response plan.

Flash Continues to Cause Security Headaches for Businesses

Unpatched vulnerabilities continue to cause headaches for businesses, with Adobe Flash the main culprit. Adobe will finally retire Flash in 2020, but until then, it remains something of a liability. 98% of vulnerabilities corrected by Adobe were in Flash, and in Q2, an Adobe Flash vulnerability was the most commonly exploited. The Adobe Flash remote code execution vulnerability CVE-2016-4116 was exploited in 57% of vulnerability exploitation attacks.

The message to businesses is clear. If Adobe Flash is not essential it should be disabled or uninstalled. If it is necessary, it is essential that patches are applied as soon as humanly possible. NTT Security notes that attacks increase exponentially once proof-of-concept code is published.

Increase in Use of Phishing Emails for Malware Delivery

The NTT Security report shows 67% of malware attacks on organizations were the result of phishing emails. The NTT Security report ties in with the findings of a recent threat report issued by Symantec, which showed that malware emails were at now at the highest levels seen this year.

The use of phishing emails to deliver malware is understandable. The emails target employees – a weak link in most organizations’ defenses. Phishing emails take just a few minutes to craft and can be sent in large volumes quickly and easily. The phishing scams are also highly effective, taking advantages of flaws in human nature.

Many organizations are still only providing annual security awareness training, rather than regular refresher training sessions, ongoing CBT courses and monthly bulletins detailing the new threats. Ineffective spam filtering also results in more messages reaching end users’ inboxes, increasing the chance of one of those emails being opened and malware being downloaded.

Improving defenses against phishing is now critical, yet many organizations are failing to appreciate how serious the threat from phishing really is. The volume of malware infections now occurring via phishing emails should be a wakeup call for organizations.

Technical solutions such as advanced spam filters, link blocking technology such as web filters and employee security awareness training should all now feature in organizations’ cybersecurity defenses.

Global Spam Email Levels at 2-Year High

Global spam email levels have been rising, with spam volume in July soaring to levels not seen since March 2015.

The figures come from the Symantec monthly threat report, which uses data from the Global Intelligence Network (GIN). Last month, global spam email levels increased by 0.6 percentage points to 54.9% of total email volume. The industry that received the most spam emails was the mining sector, with 59.1% of emails categorized as spam.

Spam emails include unsolicited marketing emails, offers of cut price medications and notices about women who have been trawling the internet for a man like you. While many of these emails are simply junk, the volume of malicious messages has been rising. In particular, spam messages containing malware.

Symantec reports that email malware has increased to levels not seen since December 2016. Last month, one in every 359 spam emails was used to deliver malware. The previous month, one in every 451 emails contained malware. The industry that received the most email malware levels was the agriculture, forestry and fishing sector, with one in every 152 emails containing malware.

Malware and Phishing Emails at The Highest Level Seen This Year

Malicious emails are being sent in campaigns targeting medium sized businesses, which registered the highest percentage of malware emails. Businesses with between 251 and 500 employees had the highest volume of malware in their inboxes, according to Symantec’s analysis. Large businesses – organizations with between 1,001 and 1,500 employees – had the highest rate of spam delivery as a whole.

While malware emails increased, the number of malware variants used in those emails dropped to 58.7 million variants from 66.3 million the previous month. Symantec notes that several malware families have now started being spread via email, which has contributed to the malware email volume.

In the past month, malware variants have been detected that are capable of generating their own spam emails from the infected device and sending malware copies to the victims’ entire address books. The Emotet banking Trojan now has this functionality and Reyptson malware also, with the latter sending itself to Thunderbird contacts.

This month, Microsoft has discovered a new tech support scam that is being distributed via spam email. Spam emails spoofing brands are being sent in large campaigns with links to websites that generate popups warning of suspicious activity and malware infections.

Symantec notes the volume of phishing emails has also increased with levels now at a 12-month high. One in 1,968 emails are used for phishing. Phishing attacks on the mining industry sector were the most common with one in 1,263 emails used for phishing, indicating targeted attacks are occurring.

Increase in Global Spam Email Levels Highlights Need for Effective Spam Filtering

The rise in global spam email levels highlights the need for an advanced email spam filter. Spam is a major drain on productivity and malware and phishing attacks are costly to mitigate. Employee security awareness programs are effective at preventing employees from falling for phishing scams, although a technological solution should be implemented to prevent spam emails from reaching inboxes. SpamTitan blocks more than 99.9% of spam and dual antivirus engines prevent the delivery of known malware.

If you want to protect your business, boost productivity and improve your malware defenses, contact the TitanHQ team today.

Trickbot Malware Now Includes Self-Replicating Worm Module

Trickbot malware is a banking Trojan that has been around for a few years now, although its authors have recently developed a WannaCry ransomware-style worm module that allows it to spread much more rapidly.

The recent NotPetya attacks also included a similar module enabling the malware to be used in devastating attacks that wiped out entire systems.

This new method of speeding up the spread of malware takes advantage of a vulnerability in Windows Server Message Block, which is used to identify all vulnerable computers on a network that connect via the Lightweight Directory Access Protocol (LDAP).

Since the exploit is readily available, cybercriminals can use it in conjunction with malware to spread infections more effectively and quickly. Worms were once popular, although their use has died out. The use of worm-like elements with the WannaCry and NotPetya attacks has shown just how effective they can be, and also served as a reminder of why they were popular in the first place.

Far from isolated malware variants, we could be about to see a rise in the use of worm-like modules. Fortunately, for the time being at least, the worm module in Trickbot malware does not appear to be fully operational. That said, the malware is constantly being redeveloped so it is probable the flaws will be fixed soon.

The malware can gain access to online banking accounts enabling the attackers to empty bank accounts.  It is fast becoming one of the most prevalent banking Trojans, according to IBM X-Force. It is currently being used in targeted attacks on organizations in the financial sector around the world, with recent campaigns targeting banks in the UK and United States. The ability to spread throughout a network rapidly will make it much more dangerous.

Aside from the new worm-like module another change has been detected. PhishMe reports that it has identified a change to how the Trojan is distributed. Attacks have occurred via malvertising campaigns this year that redirect web users to sites hosting the Rig exploit kit, although Trickbot is primarily distributed via spam email sent via the Necurs botnet.

The latest change to the Trickbot malware campaign is helping the threat actors to evade anti-virus solutions. Previously, the Trojan has been installed via macro scripts in specially crafted office documents. The latest campaign update sees the attackers use a Windows Script Component (WSC) containing XML-format scripts. The same delivery mechanism has also been used to deliver GlobeImposter ransomware.

Ransomware Attacks on Small Businesses Cause Devastating Losses

Ransomware attacks on small businesses can be devastating. Many small businesses have little spare capital and certainly not enough to be handing out cash to cybercriminals, let alone enough to cover the cost of loss of business while systems are taken out of action. Many small businesses are one ransomware attack away from total disaster. One attack and they may have to permanently shut their doors.

A recent research study commissioned by Malwarebytes – conducted by Osterman Research – has highlighted the devastating effect of ransomware attacks on small businesses.

1,054 businesses with fewer than 1,000 employees were surveyed and asked about the number of ransomware attacks they had experienced, the cost of mitigating those attacks and the impact of the ransomware attacks on their business.

Anyone following the news should be aware of the increase in ransomware attacks. Barely a week goes by without a major attack being announced. The latest study has confirmed the frequency of attacks has increased. More than one third of companies that took part in the survey revealed they had experienced at least one ransomware attack in the past 12 months.

22% of Small Businesses Shut Down Operations Immediately Following a Ransomware Attack

The survey also showed the devastating impact of ransomware attacks on small businesses. More than one fifth of small businesses were forced to cease operations immediately after an attack. 22% of businesses were forced to close their businesses.

Those companies able to weather the storm incurred significant costs. 15% of companies lost revenue as a result of having their systems and data locked by ransomware and one in six companies experienced downtime in excess of 25 hours. Some businesses said their systems were taken out of action for more than 100 hours.

Paying a ransom is no guarantee that systems can be brought back online quickly. Each computer affected requires its own security key. Those keys must be used carefully. A mistake could see data locked forever. A ransomware attack involving multiple devices could take several days to resolve. Forensic investigations must also be conducted to ensure all traces of the ransomware have been removed and no backdoors have been installed. That can be a long-winded, painstaking process.

Multiple-device attacks are becoming more common. WannaCry-style ransomware attacks that incorporate a worm component see infections spread rapidly across a network. However, many ransomware variants can scan neworks and self-replicate. One third of companies that experienced attack, said it spread to other devices and 2% said all devices had been encrypted.

Can Ransomware Attacks on Small Businesses be Prevented?

Can ransomware attacks on small businesses be prevented? Confidence appears to be low. Almost half of respondents were only moderately confident they could prevent a ransomware attack on their business. Even though a third of businesses had ‘anti-ransomware’ defenses in place, one third still experienced attacks.

Unfortunately, there is no single solution that can prevent ransomware attacks on small businesses. What organizations must do is employ multi-layered defenses, although that can be a major challenge, especially with limited resources.

A risk assessment is a good place to start. Organizations need to look at their defenses critically and assess their infrastructure for potential vulnerabilities that could be exploited.

Improving Defenses Against Ransomware

Ransomware attacks on small businesses usually occur via email with employees targeted using phishing emails. Organizations should consider implementing a spam filtering solution to reduce the number of malicious emails that reach inboxes.

Some emails will inevitably slip past these defenses, so it is important for staff to be security aware. Security awareness training should be ongoing and should involve phishing simulations to find out how effective training has been and to single out employees that need further training.

While ransomware can arrive as an attachment, it is usually downloaded via scripts of when users visit malicious websites. By blocking links and preventing end users from visiting malicious sites, ransomware downloads can be blocked. A web filtering solution can be used to block malicious links and sites.

Anti-virus solutions should be kept up to date, although traditional signature-based detection technology is not as effective as it once was. Alone, anti-virus software will not offer sufficient levels of protection.

As was clearly shown by the WannaCry and NotPetya attacks, malware can be installed without any user interaction if systems are not configured correctly and patches and software updates are not applied promptly. Sign up to alerts and regularly check for updated software and don’t delay patching computers.

A ransomware attack need not be devastating. If organizations back up their data to the cloud, on a portable (unplugged) local storage device and have a copy of data off site, in the event of an attack, data will not be lost.

Phishing by SMS: Smishing Attacks on The Rise

Smishing attacks are on the rise. Cybercriminals have been turning to the Short Message Service – SMS – to conduct phishing campaigns to gather personal information for identity theft and fraud. Smishing is also used to fool mobile device users into installing malware.

Like phishing emails, smishing attacks use social engineering techniques to get users to complete a specific action, often to click on a link that will direct them to a webpage where they are asked to provide sensitive information or to download a file to their device. Most commonly, the aim of smishing is to obtain personal information such as usernames and passwords to online bank accounts.

Many organizations have implemented spam filtering solutions that capture phishing emails and prevent them from being delivered to end users’ inboxes. Security awareness training is also provided, with the threat of phishing explained to employees.  However, the best practices that are taught are not always applied to SMS messages and spam controls do not block SMS messages.

In contrast to emails, which are often ignored, people also tend to access their SMS messages much more rapidly than emails. Text messages are typically opened within seconds, or minutes, of them being received. Cybercriminals are well aware that their malicious MS messages will be opened and read.

Cybercriminals use the same techniques for smishing attacks that are used on email phishing scams. The messages inject a sense of urgency, requiring an action to be taken quickly. The messages are designed to grab attention, with security threats one of the most common themes. The attackers typically impersonate banks, credit card companies, email providers, social media networks or online retailers and warn of security issues such as potential fraudulent activity, imminent charges that will be applied or they threaten account closure.

Messages may even appear to have been sent by a contact, either using a stolen mobile or by spoofing someone who is known and trusted. Messages may include a link to an interesting article, a photograph or a social media post for example.

Smishing attacks started with SMS messages, although similar scams are now being conducted on other messaging platforms such as WhatsApp, Skype and Facebook Messenger.

Blocking smishing attacks is difficult. The key to avoiding becoming a victim is awareness of the threat and adopting the same security best practices that can protect end users on email.

  • As with email, when receiving an odd message, stop and think about the request. Could it be a scam?
  • Even if the message suggests urgent action is required, take time to consider what is being asked. Smishing attacks work because people respond without thinking.
  • It is important not to respond to a SMS message that has been sent from an unknown sender. If you respond, the person who sent the message will be aware that messages are being received.
  • If a message containing a hyperlink is received, do not click on the link. Delete the message.
  • Never send any sensitive information via text message. Legitimate companies will not ask you to send sensitive information by text message.
  • If you are concerned about the contents of a text message, check with the institution concerned, but do not use links or telephone numbers sent in the message. Independently verify the phone number and call or find the correct website via the search engines.
  • If you are a business that provides employees with access to a WiFi network, it is possible to prevent employees from visiting malicious websites linked in smishing campaigns. WebTitan Cloud for WiFi is a web filter for WiFi networks that prevents users from visiting malicious websites, such as those used in smishing attacks.

Ransomware and Phishing Attacks in 2017 Have Soared

A new survey from CSO shows ransomware and phishing attacks in 2017 have increased, although companies have reported a decline in the number of cyber incidents experienced over the past year. While it is certainly good news that organizations are experiencing fewer cyberattacks, the report suggests that the severity of the attacks has increased and more organizations have reported suffering losses as a result of security incidents.

CSO conducted the annual U.S State of Cybercrime survey on 510 respondents, 70% of whom were at the vice president level or higher. Companies had an average IT security budget of $11 million.

This year’s report suggests organizations are struggling to keep up with the number of patches and software upgrades now being issued, although the consequences of the delays have been clearly shown this year with the NotPetya and WannaCry attacks. The failure to patch promptly has seen many organizations attacked, with some companies still struggling to recover. Nuance Communications was badly affected by NotPetya, and a month after the attacks, only 75% of its customers have regained access to its services. TNT also suffered extensive disruption to services in the weeks following the attacks, although these are just two companies out of many to experience extended disruption.

IT security budgets have increased by an average of 7.5% year over year with 10% of companies saying they have increased IT security spending by 20% or more in the past 12 months. While new technologies are taking up the bulk of the new budgets, organizations are also investing in audits and knowledge assessments, information sharing, redeveloping their cybersecurity strategy, policies and processes and are adding new skills. 67% of respondents said they have now expanded their security capabilities in include mobile devices, the cloud and IoT.

Even though the threat of attack is severe, many companies still believe a cyber response plan should not be part of their cybersecurity strategy, although acceptance that cyberattacks will occur has seen 19% of respondents plan to implement a response strategy in the next 12 months.

Even though there was a fall in the number of security incidents, losses experienced as a result of those attacks have remained constant or have increased over the past 12 months for 68% of respondents. Only 30% of companies said they had experienced no losses as a result of security incidents, down 6 percentage points from last year.

More CSOs and CISOs are now reporting directly to the board on a monthly basis, up 17% since last year. However, as was also confirmed by a recent survey conducted by KPMG, many boards still view cybersecurity as an IT issue – The CSO survey suggests 61% of boards believe cybersecurity is a concern of the IT department not a matter for the board, a drop of just two percentage points since last year.

Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.

The increase in ransomware and phishing attacks in 2017 highlights the need for security awareness training for employees and an improvement to spam filtering controls. Organizations need to ensure they have sufficient staffing levels to ensure patches are applied promptly, while investment in people must improve to ensure they have the skills, resources and training to respond to the latest threats.  Boards must also appreciate that cybersecurity is not just a matter for IT departments, and the CSO survey shows that too much faith is being placed in cybersecurity protections. Currently only 53% of companies are testing the effectiveness of their security programs.

Reyptson Ransomware Spreads Itself by Emailing Itself to Contacts

Reyptson ransomware is a new threat that has been discovered in the past few days. The new ransomware variant is currently being used in attacks in Spain, with detected activity rising considerably in the days since its discovery.

There is no free decryptor for Reyptson ransomware at this stage. The ransomware variant encrypts a wide range of file types, including MS Office files and images using AES-128 encryption. Encrypted files will have the file extension .Reyptson appended to the file.

Infection will require files to be recovered from backups or the ransom demand must be paid if no backup exists and victims do not want permanent file loss. Users are told they must pay a ransom of €200 to unlock the encryption, although the payment will increase to €500 after 72 hours.

New cryptoransomware variants are being released on an almost daily basis with the majority spread via spam email. What makes this variant unique is its ability to spread itself following infection. Reyptson is capable of conducting its own email campaigns and spreading itself to a victim’s contacts.

The spam email campaigns are conducted via the Thunderbird email client. Reyptson ransomware searches for contacts and creates new spam email messages and sends them to all contacts using the victim’s credentials.

The emails claim to be invoices and include a link for the recipient to download the invoice. Clicking the link will download a compressed .rar file which contains an executable file that appears to be a PDF file. If that executable file is opened; the user will be infected with the ransomware and the process will repeat. According to an analysis by MalwareHunterTeam, the emails have the subject line Folcan S.L. Facturación.

Recently, global ransomware campaigns have been conducted using exploits stolen from the NSA. Those exploits take advantage of vulnerabilities in software that have not been addressed. Even though patches have been released to correct those vulnerabilities, many companies have yet to update their operating systems. A free scanner called Eternal Blues has been developed that has revealed more than 50,000 computers around the world are still vulnerable and have not been patched.

Patching promptly has always been important, but now even more so. Delaying the updating of software can see organizations infected and the damage can be considerable. In the case of NotPetya, computers are rendered useless and even payment of a ransom cannot undo the damage.

However, spam email remains the most common vector for spreading ransomware. Preventing Reyptson ransomware attacks and other cryptoransomware variants requires an advanced spam filter. A spam filter such as SpamTitan can block these messages and prevent them from being delivered to end users. If the spam emails are not delivered, they cannot be opened by end users.

Prompt patching, user awareness training, spam and web filtering can help organizations reduce the risk of attack. However, it is also essential to ensure multiple backups of data are made to ensure recovery in case of infection. Organizations should adopt the 3-2-1 approach to backups. Ensure there are three copies of data, on 2 different media with one copy stored off site.

One backup copy can be stored locally – on a removable device that is unplugged when backups are completed or are not being used. One copy should be stored in the cloud and one on a backup drive/tape that is stored in a secure location off site that can be used in the event of a disaster.

Supreme Court Phishing Scam Targets Law Firms in Ireland

Law firms in Eire and Northern Ireland are being targeted with a new Supreme Court phishing campaign that is being used to fool recipients into visiting a malicious website.

The email appears to have been sent from the Supreme Court and refers to a new/updated Statutory Instrument. The emails that have been detected so far include a PDF file containing further details, although the attachment will divert the recipient to a malicious domain.

The Supreme Court phishing emails add a sense of urgency, as is common in phishing campaigns, telling the recipient to read the information in the attached document by this Friday.

The emails that have been reported have the subject line – Supreme Court (S.I. No691/2017) – although it is possible there are other variations along the same theme.  The Courts Service has confirmed that the emails are not genuine and should be deleted without being opened. The phishing scam has been reported to the Gardaí and the Courts Service IT team is also investigating and a warning has been issued.

Supreme Court phishing scams are common. In February this year, the UK Supreme Court also issued a warning after numerous emails were received claiming to be subpoenas for court appearances in relation to a crime that the recipient had committed. In that case, a link was included to provide the court with all of the necessary information about the case. Receipents of the email were told to submit the information within 12 days or the case would proceed in their absence.

As the UK Supreme Court pointed out, it does not issue subpoenas to appear in court for criminal cases, although many law-abiding citizens would be aware of typical procedures associated with criminal cases. The fear generated by a potential court appearance for an unknown crime would likely see many email recipients open the message, click on the link and reveal their personal information.

The purpose of Supreme Court phishing emails is usually to obtain sensitive information under the guise of confirming the recipient’s identity. The information gathered by the phishing emails can be used for identity theft or other forms of fraud. Emails such as this are also used to spread malware or ransomware.

The emails are designed to scare people into responding and they can be highly effective. However, there are usually a variety of telltale signs that the email is not genuine. Before clicking or taking any requested action, it is important to stop, think and not to panic. Check the email for misspellings, grammatical errors and anything out of the ordinary.

If a link is included in the email, hover the mouse arrow over it to find out the true URL to see if it will direct you to a genuine domain. If the email contains an attachment, do not open it. If you are worried about the email, contact the organization that claims to have sent the message by obtaining the correct contact details from the Internet and verify the authenticity of the request.

In the most part, any serious matter such as a subpoena or important change to legislation would be unlikely to be communicated via email, and certainly not in an email attachment or via a link to a domain.

Federal Agencies Urged to Use DMARC to Prevent Impersonation Attacks

A U.S senator is urging the Department of Homeland Security and other federal agencies to adopt DMARC to prevent impersonation attacks via email. Over the past few months, several government agencies have been targeted by phishers who have used government domains to send huge numbers of spam emails.

The emails appear legitimate as they have been sent from government-owned domains, and while the text in the emails often contains clues to suggest the emails are not genuine, the official domain adds sufficient authenticity to see many email recipients fooled.

The use of official domains by phishers is nothing new of course, but government-owned domains should be protected to prevent them being used in phishing campaigns. The problem is that in the vast majority of cases, insufficient controls have been implemented to prevent impersonation attacks.

Sen. Ron Wyden (D-Oregon) wrote to the Department of Homeland Security voicing his concerns about the problem, and specifically, the failure of federal agencies – including DHS – to use the Domain-based Message Authentication Reporting and Conformance (DMARC) standard.

DMARC is a proven tool that can help to prevent impersonation attacks via email by allowing email recipients to verify the sender of an email. If DMARC is used, it is possible to determine whether the emails have genuinely been sent from federal agencies or if they have been sent by a third party unauthorized to use the domain. In short, it will prevent impersonation attacks and protect consumers. If DMARC was used, it would make it much harder for government agencies to be impersonated.

The standard is recommended by the National Institute of Standards & Technology (NIST) as well as the Federal Trade Commission (FTC). DMARC has also recently been adopted in the UK by the British government with hugely positive results. Since DMARC has been implemented, the UK Tax agency alone has reduced impersonation attacks to the tune of 300 million messages in a single year.

The UK’s National Cyber Security Center (NCSC) has also created a central system where it processes all of the DMARC reports from all government agencies to monitor impersonation attacks across all government departments

Currently the Department of Homeland Security does not use DMARC and it is not used on the majority of government owned domains. The U.S. government owns approximately 1,300 domains, yet DMARC is only used on an estimated 2% of those domains.

Impersonation attacks are on the rise and numerous government agencies have been impersonated in recent months including the Department of Health and Human Services, the IRS and even the Defense Security Service – part of the U.S. Department of Defense.

Sen. Wyden suggests the Department of Homeland Security should immediately adopt DMARC and mandate its use across all federal agencies.  DHS already scans other federal agencies for vulnerabilities under the Cyber Hygiene program. Sen. Wyden says DMARC scanning should be incorporated into that program. As in the UK, Sen. Wyden suggests a central repository should be created for all DMARC reports by the General Services Administration (GSA) to give DHA visibility into impersonation attacks across all federal agencies.

Ovidiy Stealer: A New Password Stealing Malware Priced to Maximize Sales

The Ovidiy Stealer is a password stealing malware that will record login credentials and transmit the information to the attacker’s C2 server. As with many other password stealers, information is recorded as it is entered into websites such as banking sites, web-based email accounts, social media accounts and other online accounts.

The good news is that even if infected, the Ovidiy Stealer will not record information entered via Internet Explorer or Safari. The malware is also not persistent. If the computer is rebooted, the malware will stop running.

The bad news is, if you use Chrome or Opera, your confidential information is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, since the malware is being constantly updated it is likely other browsers will be supported soon.

Ovidiy Stealer is a new malware, first detected only a month ago. It is primarily being used in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will spread to other regions.

Researchers at Proofpoint – who first detected the password stealing malware – believe email is the primary attack vector, with the malware packaged in an executable file sent as an attachment. Proofpoint also suggests that rather than email attachments, links to download pages are also being used. Samples have been detected bundled with LiteBitcoin installers and the malware is also being distributed through file-sharing websites, in particular via Keygen software cracking programs.

New password stealers are constantly being released, but what sets the Ovidiy Stealer aside and makes it particularly dangerous is it is being sold online at a particularly low price. Just $13 (450-750 Rubles) will get one build bundled into an executable ready for delivery via a spam email campaign. Due to the low price there are likely to be many malicious actors conducting campaigns to spread the malware, hence the variety of attack vectors.

Would be attackers willing to part with $13 are able to view the number of infections via a web control panel complete with login. Via the control panel they can manage their account, see the number of infections, build more stubs and view the logs generated by the malware.

Protecting against malware such as Ovidiy Stealer requires caution as it takes time before new malware are detected by AV solutions. Some AV solutions are already detecting the malware, but not all. As always, when receiving an email from an unknown sender, do not open attachments or click on hyperlinks.

Organizations can greatly reduce risk from this password-stealer and other malware spread via spam email by implementing an advanced spam filtering solution such as SpamTitan to prevent malicious emails from reaching end users’ inboxes. SpamTitan uses dual AV engines to maximize detections and blocks over 99.9% of spam email.

58% of Companies Not Deprovisioning Former Employees Promptly

You’ve secured the network perimeter, installed a spam filter, trained your employees to recognize phishing emails and have an intrusion detection system in place, but are you deprovisioning former employees to prevent data theft? According to a new report from OneLogin, 58% of companies are lax when it comes to blocking network access when employees leave the company.

For the study, 600 IT professionals with responsibility or partial responsibility for security decisions about hardware, software or cloud services were interviewed. When asked about the time delay between employees leaving the company and their accounts being deactivated, 58% said that it takes more than a day for that to happen and a quarter said it takes more than a week. 28% of respondents said deprovisioning former employees takes a month or longer.

48% of respondents said they were aware that former employees still had access to applications after they had left the company and 44% said they were not confident that deprovisioning former employees had actually occurred.

Even though there is a significant time delay involved in blocking access for former employees, only four out of ten organizations are using a security information and event management solution (SIEM). A SIEM would allow them to monitor app usage by former employees and would alert them if systems were still being accessed, yet only 45% of respondents said they used such a solution.

Organizations are taking a big risk by not ensuring accounts are deactivated before employees walk through the door for the final time. The study revealed that the risk is considerable. When asked if they had suffered data breaches due to former employees, 24% said they had.

Deprovisioning employees is time consuming, especially when they have been employed for a long time and have access to many business applications and networks. 92% of respondents said it takes up to an hour to deprovision employees and many must complete the process manually. Time may be pressed, but failing to block access promptly is a data breach waiting to happen.

IRS Launches Campaign to Raise Awareness of Phishing Attacks on Tax Professionals

Phishing attacks on tax professionals are soaring. Tax professionals across the United States have been extensively targeted by cybercriminals this tax season who fool them into disclosing sensitive information such as login credentials and tax information.

The IRS has received 177 reports from tax professionals that have fallen for the scams this year and have disclosed sensitive information, although the victim count is likely to be much higher since not all phishing attacks are reported. Currently, the IRS is receiving between three and five new reports of successful phishing scams each week.

Many of the victims have reported large data losses as a result of the phishing scams. Tax information is used by cybercriminals to file fraudulent tax returns in the victims’ names. The data can also be used for identity theft.

The IRS says tax professionals are being extensively targeted by highly organized criminal gangs in the United States, as well as international crime rings.  The IRS points out that the criminals conducting phishing attacks on tax professionals “are well funded, knowledgeable and creative.”

Targets are researched and information is often included in the emails that is relevant to the recipient. The name and address of the target are often used in the emails and the requests are highly credible. Emails may request data or provide a hyperlink for the recipient to click. Clicking the link results in malware being downloaded that gives the attacker access to the computer. Keyloggers are often downloaded that record and transmit passwords.

The Anti Phishing Working Group tracked 1.2 million unique phishing attacks last year, representing a 65% rise from 2015. Those scams often involve millions of emails. Currently, APWG is tracking an average of 92,564 unique phishing attacks each month.

Phishing attacks on tax professionals can be highly sophisticated, but in the majority of cases it is possible to block attacks by employing basic security measures. Unfortunately, many organizations overlook these steps.

The IRS is working closely with the tax industry and state tax agencies as the ‘Security Summit’. The Security Summit has recently launched a new campaign to help tackle the problem of phishing by raising awareness of the threat via a new “Don’t Take the Bait” campaign.

Over the next 10 weeks, the Security Summit will send weekly emails to raise awareness of the different types of phishing scams and other threats. The Security Summit has kicked off the campaign with spear phishing, which will be followed by education efforts to raise awareness of CEO fraud/BEC scams, ransomware attacks, remote account takeovers, EFIN thefts and business identity theft.

Blocking phishing attacks on tax professionals requires layered defenses, one of the most important being the use of software solutions to prevent phishing emails from being delivered to end users’ inboxes. SpamTitan blocks more than 99.9% of email spam and keeps inboxes free from malicious messages. If emails are not delivered, employees will not be tested.

Even with software solutions in place it is important for all employees to be aware of the threat from phishing. Security training should be provided to teach employees how to recognize the tell-tale signs of phishing emails and organizations should try to develop a culture of security awareness.

IRS Commissioner John Koskinen said “Doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”

The IRS recommends several measures to reduce risk:

  • Educate all employees on the risk from spear phishing and phishing in general
  • Ensure strong passwords are used
  • Always question emails – Never take them at face value
  • Never click a link without first checking the destination URL – Hover the mouse arrow over a masked link to find the true URL
  • Use two-factor authentication for all email requests to send sensitive data – Confirm with the sender via the telephone
  • Use security software to block phishing emails and malware and ensure the software is updated automatically
  • Use the security settings in tax preparation software
  • Report suspicious emails to the IRS

Trump Hotels Confirms 14 Locations Affected by Sabre Hospitality Solutions Data Breach

Trump Hotels has announced that guests at some of its hotels have been impacted by the Sabre Hospitality Solutions data breach and have had their credit/debit card details stolen. Sabre Hospitality Solutions provides the hotel reservation system used at certain Trump Hotels, and it was this system that was compromised not the systems used at Trump Hotels. Sabre’s system is used by more than 32,000 hotels and lodging establishments around the world.

Attackers gained access to the Sabre SynXis Central Reservations system (CRS) which is used by hotels and travel agencies to make hotel bookings. Sabre discovered the breach on June 5, 2017, with the attacker understood to have obtained account credentials that enabled access to the CRS and the payment card data processed through the system.

The data breach affected 13 Trump Hotels (Central Park, Chicago, Doonbeg, Doral, Las Vegas, Panama, Soho, Toronto, Turnberry, Vancouver, Waikiki, DC, Rio de Janeiro) and the Albemarle Estate. Each hotel was affected at a different time and for a different duration, with the first instance occurring on August 10, 2016. The last data access was on March 9, 2017. The hotel reservation system was compromised at most of the affected hotels for a few days up to three weeks in November 2016, with the exception of Trump Las Vegas, Trump Panama, and Trump DC, which saw systems compromised for around four months.

When the Sabre Hospitality Solutions data breach was detected, the company contracted cybersecurity firm Mandiant to conduct a forensic analysis to determine how the breach occurred, which hotels were affected and to ensure that access to its systems was blocked. Sabre reports that after March 9, 2017, no further unauthorized access to its system has occurred.

During the time that access to data was possible, the attackers were able to obtain the names of card holders, card numbers, expiration dates and in some cases, CVV codes. Other information potentially accessed includes guests’ names, addresses, phone numbers and potentially other information, although not Social Security numbers or driver’s licenses.

The Sabre Hospitality Solutions data breach affected many organizations, with Google recently announcing that some of its employees have had information exposed. In the case of Google, it was a travel agency – Carlson Wagonlit Travel (CWT) – that was affected. CWT was one of the companies used by Google to book hotels for its staff.

The hospitality industry has been hit with numerous POS system breaches over the past few years. The industry is an attractive target for cybercriminals. Most hotel bookings are made with credit and debit cards, cybersecurity protections are often poor and once access is gained to the systems it can be months before a data breach is detected.

A variety of attack vectors are used, although login credentials are commonly stolen in phishing attacks. Phishing emails are sent to company employees and social engineering tricks are used to convince those employees to disclose their login credentials or open malicious email attachments that install malware.

Email security solutions that prevent spam emails from being delivered to end users’ inboxes offer protection against phishing attacks. As an additional precaution, security awareness training should be provided to all hotel employees who have access to corporate email accounts.

With SpamTitan installed, hotel chains are well protected from phishing attacks. SpamTitan blocks more than 99.9% of spam emails, adding an important layer of protection for hotels to prevent data breaches.

57% Cyber Incidents Caused by Phishing and Social Engineering

Phishing and social engineering attacks are the biggest cyber risks faced by organizations. Not only are attacks on the rise, they are becoming more sophisticated. The increase in attacks and cost of mitigating cyber incidents is having a major negative impact on businesses.

Organizations can tackle the problem of phishing and social engineering by implementing technologies that preventing phishing emails from reaching end users’ inboxes and ensuring employees know how to identify threats and response when a malicious email arrives in their inbox.

One of the most effective ways of blocking these phishing and social engineering attacks is implementing an advanced spam filtering solution. SpamTitan blocks more than 99.9% of email spam and uses two antivirus engines to identify and block emails with malicious attachments.

Many organizations provide security training to their employees and teach them to be more security aware, although a new report from the Business Continuity Institute calls for businesses to do more in this regard. In order to tackle phishing and improve resilience to attacks BCI says user education needs to improve.

A one-off training program as part of an employee’s induction is no longer sufficient. Training should be an ongoing process with regular refresher training sessions provided throughout the year. Phishing simulation exercises are also highly beneficial for reinforcing training and gauging how effective training has been.

However, the study suggests only 52% of companies conduct awareness-raising seminars and just 55% conduct regular exercises on likely cybersecurity scenarios. Only 46% run desktop exercises such as attack simulations.

The BCI study confirmed just how often phishing and social engineering attacks result in cyber incidents. The report shows that 57% of cyber incidents involve phishing or social engineering emails. Malware is responsible for 41% of cyber disruptions, with spear phishing emails accounting for 30% of attacks. Ransomware has grown into a major issue in recent months and is behind 19% of cyber disruptions.

The survey was conducted on 734 individuals from 69 countries. Two thirds of respondents had experienced a cybersecurity incident in the past 12 months with 15% saying they had experienced 10 or more disruptions in the past year. 5% said they experienced between 11 and 20 incidents in the past 12 months, a further 5% experienced between 21 and 50 incidents and 5% said they experienced 51 or more incidents. Responding to these incidents takes up valuable time. 67% of attacks take more than an hour to resolve with 16% taking more than four hours.

These incidents are costing businesses dearly. 33% of organizations said the cost of those attacks exceeded €50,000, while 13% of respondents said they had spent over €250,000 remediating attacks. It should be noted that 40% of respondents that took part in the survey were from SMEs with an annual turnover of less than €1 million.

Cybercriminals are only likely to increase their efforts and conduct more phishing and social engineering attacks. It is therefore essential for businesses to have a high commitment to cyber resilience and to do more to improve cybersecurity defenses. The survey suggests only 60% of senior management are committed to improving their defenses, so there is still plenty of room for improvement.

NotPetya Ransomware Attacks Spread to 65 Countries

NotPetya ransomware attacks have spread globally, with the latest figures from Microsoft suggesting there are now more than 12,500 reported victims spread across 65 countries. The attacks first started to be reported on Tuesday morning with companies in the Ukraine hit particularly hard.

At first it appeared that the attacks involved Petya ransomware, although it has since been confirmed that this is a new ransomware variant. The ransomware has already attracted a variety of names such as GoldenEye, SortaPetya, ExPetr, and NotPetya. We shall use the latter.

Security researchers believe the NotPetya ransomware attacks started in Ukraine. The first attacks occurred the day before a national holiday – a common time to launch an attack. IT staff were unlikely to be working, so the probability of the attacks being halted before the ransomware was allowed to run would be increased.

The NotPetya ransomware attacks have been discovered to have occurred via a variety of vectors. Ukraine was hit particularly hard, which suggested a country-specific attack vector. Some security researchers have suggested the first attacks occurred via a Ukrainian accounting package called M.E. Doc, with the attackers managing to compromise a software update. M.E.Doc hinted that this may be the case initially, but later denied they were the cause of the attack. If it is true that a software update was involved, it would not be the first time M.E.Doc was attacked. A similar ransomware attack occurred via M.E.Doc software updates in May.

However, that is only one potential attack vector used in the NotPetya ransomware attacks. It has been confirmed that the attackers are also using two NSA exploits that were released by Shadow Brokers in April. As was the case with the WannaCry ransomware attacks, the EternalBlue exploit is being used. The latest attacks are also using another exploit released at the same time called EternalRomance.

In contrast to the WannaCry ransomware attacks last month, the exploits used in the NotPetya ransomware attacks only scan for vulnerable devices on local networks, not via the Internet.

Both exploits will not work if computers have already been patched with MS17-010 released by Microsoft in March. Following the WannaCry attacks, Microsoft also issued a patch for older, unsupported Windows versions to prevent further ransomware attacks.

However, patching would not necessarily have prevented infection. In contrast to WannaCry, NotPetya ransomware attacks have been reported by companies that have patched their computers. Security researchers have confirmed that all it takes for infection to occur is for one computer to have been missed when applying the patches. That allows the attackers to attack that machine, and also any other machines connected to the local network, even if the patch has been applied.

The attacks also appear to be occurring via phishing emails containing malicious Microsoft Office documents.  As has been the case with many other ransomware attacks, the failure to implement spam defenses can result in infection. The use of an advanced spam filter such as SpamTitan offers excellent protection against email-based ransomware attacks, preventing those emails from reaching end users’ inboxes.

Upon infection, the ransomware waits one hour before executing and forcing a reboot. When the computer restarts, the ransom note appears. The ransom demand is for $300 per infected machine. In contrast to the majority of ransomware variants, NotPetya does not encrypt files. Instead it replaces the Master File Table (MFT). Since the MFT shows the computer where files are located on the hard drive, without it files cannot be found. Files are not encrypted, but they still cannot be accessed.

Preventing ransomware attacks such as this requires regular patching to address vulnerabilities and anti-spam solutions to prevent malicious emails from being delivered.

Fortunately, NotPetya ransomware attacks can be blocked. Cybereason security researcher Amit Serber has found a way to vaccinate computers against this specific ransomware variant. He suggests IT teams “Create a file called perfc in the C:\Windows folder and make it read only.” This method has been confirmed as effective by other security researchers, although it will not work if infection has already occurred.

Unfortunately, recovery following an attack may not be possible if infected computers cannot be restored from backups. Kaspersky Lab reports there is a flaw in the ransomware saying, “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.” Further, the email account used by the attacker to verify ransom payments has been shut down by a German email provider.

Fake Invoices Used in New Locky Ransomware Campaign

The WannaCry ransomware attacks may have attracted a lot of press, but Locky ransomware poses a bigger threat to organizations with a new Locky ransomware campaign now a regular event. The ransomware was first seen in February last year and rapidly became the biggest ransomware threat. In recent months, Cerber has been extensively distributed, but Locky is still being used in widespread attacks on organizations.

The actors behind Locky ransomware are constantly changing tactics to fool end users into downloading the malware and encrypting their files.

The Necurs botnet has recently been used to distribute Jaff ransomware, although now that a decryptor has been developed for that ransomware variant, the actors behind Necurs have switched back to Locky. The new Locky ransomware campaign involves millions of spam messages sent via the Necurs botnet, with some reports suggesting approximately 7% of global email volume at the start of the campaign came from the Necurs botnet and was spreading Locky.

The new Locky ransomware campaign uses a new variant of the ransomware which does not encrypt files on Windows operating systems later than XP. This appears to be an error, with new, updated version of the ransomware is expected to be launched soon. As with past campaigns, the latest batch of emails uses fake invoices to fool end users into installing the ransomware.

Fake invoices are commonly used to spread ransomware because they are highly effective. Even though these campaigns often include scant information in the email body, many end users open the attachments and enable macros. Doing so results in Locky being downloaded. There is still no free decryptor available to unlock Locky-encrypted files. Infections can only be resolved by paying a sizeable ransom payment or restoring files from backups.

Training end users to be more security aware will help organizations to reduce susceptibility to ransomware attacks, although the best defense against email-based ransomware attacks is to use an advanced spam filtering solution to prevent the messages from reaching end users’ inboxes. If emails are blocked, there is no chance of end users opening malicious attachments and installing the ransomware.

SpamTitan is an email security solution that can block these ransomware emails. SpamTitan blocks more than 99.9% of spam messages and dual anti-virus engines ensure malicious emails do not reach inboxes. While some anti-spam solutions have a high false positive rate and block genuine emails, SpamTitan’s false positive rate is extremely low at just 0.003%.

SpamTitan requires no additional hardware purchases, no staff training and the solution can be installed in a matter of minutes.

If you are unhappy with your current anti-spam solution or have yet to start protecting your inboxes from malicious messages, contact the TitanHQ team today for further information on how SpamTitan can benefit your business. TitanHQ also offers SpamTitan on a 30-day no-obligation free trial to allow you to see the benefits of the solution for yourself before committing to a purchase.

URL Padding Used in Latest Facebook Phishing Scam

A new Facebook phishing scam has been detected that attempts to fools end users into believing they are on the genuine Facebook site using a technique called URL padding. The attack method is being used in targeted attacks on users of the mobile Facebook website.

As with other Facebook phishing scams, the aim of the attackers is to get end users to reveal their Facebook login credentials. The scam takes advantage of poor security awareness and a lack of attentiveness.

URL padding – as the name suggests – involves padding the URL with hyphens to mask the real website that is being visited. The URLs being used by the attackers start with m.facebook.com, which is the correct domain for the genuine Facebook website. In a small URL bar on mobile phones, this part of the URL will be clearly visible.

What follows that apparent domain is a series of hyphens: m.facebook.com————-. That takes the latter part of the domain outside the viewable area of the address bar. End users may therefore be fooled into thinking they are on the genuine website as they will not see the last part of the URL. If they were to check, they would see that m.facebook.com————- is actually a subdomain of the site they are visiting.

The hyphens would be a giveaway that the site is not genuine, but the attackers add in an additional word into the URL such as ‘validate’ or ‘secure’ or ‘login’ to add authenticity.

The attackers have lifted the login box and branding from Facebook, so the login page that is presented appears to be the same as is used on the genuine site.

One telltale sign that all is not as it appears is the use of hxxp:// instead of https:// at the start of the URL, a sure sign that the site is not genuine. Even so, many Facebook users would be fooled by such a scam. URL padding is also being used to target users of other online services such as Apple iCloud and Comcast.

Facebook accounts contain a wealth of information that can be used in future spear phishing campaigns or attacks on the victims’ contacts.  PhishLabs, which discovered the new scam, says the attackers are currently using this phishing scam for the latter and are using the account access to spam end users’ contacts and conduct further phishing campaigns.

While the scam has been detected, it is currently unclear how links to the phishing website are being distributed. While it is possible that they are arriving via spam email, Phishlabs suggests SMS messages or messenger services are being used.

Erebus Ransomware Attack Results in $1 Million Ransom Payment

A $1 million ransom payment has been made to cybercriminals who used Erebus ransomware to attack the South Korean web hosting firm Nayana.

Erebus ransomware was first detected in September last year and was downloaded via websites hosting the Rig exploit kit. Traffic was directed to the malicious website hosting the Rig EK via malvertising campaigns. Vulnerable computers then had Erebus ransomware downloaded. This Erebus ransomware attack is unlikely to have occurred the same way. Trend Micro suggests the attackers leveraged vulnerabilities on the comapny’s Linux servers, used a local exploit or both.

The infection spread to all 153 Linux servers used by Nayana. Those servers hosted the websites of 3,400 businesses. All of the firm’s customers appear to have been affected, with website files and databases encrypted.

Nayana was attacked on June 10, 2017 in the early hours. The hosting company responded rapidly. Law enforcement was contacted and it was initially hoped that it would be possible to crack the ransomware and decrypt files without paying the ransom. It soon became clear that was not an option.

Companies can avoid paying ransom payments following ransomware attacks by ensuring backups are made of all data. Having multiple backups increases the likelihood of files being recoverable. In this case, Nayana had an internal and external backup; however, both of those backups were also encrypted in the attack. Nayana therefore had no alternative but to negotiate with the attackers.

While ransom payments for businesses are often in the $10,000 to $25,000 price bracket, the gang behind this attack demanded an astonishing 550 Bitcoin for the keys to unlock the encryption – Approximately $1.62 million. On June 14, Nayana reported that it had negotiated a ransom payment of 397.6 Bitcoin – Approximately $1.01 million, making this the largest ransomware ransom payment reported to date.

That payment is being made in three instalments, with keys supplied to restore files on the servers in batches. When one batch of servers was successfully recovered, the second ransom payment was made. Nayana said that the recovery process would take approximately 2 weeks for each of the three batches of servers, resulting in considerable downtime for the company’s business customers. Nayana experienced some problems restoring databases but says it is now paying the final payment.

This incident shows how costly ransomware resolution can be and highlights how important it is to ensure that operating systems and software are updated regularly. Patches should be applied promptly to address vulnerabilities before they can be exploited by cybercriminals.

Simply having a backup is no guarantee that files can be recovered. If the backup device is connected to a networked machine when a ransomware attack occurs, backup files can also be encrypted. This is why it is essential for organizations to ensure one backup is always offline. It is also wise to segment networks to limit the damage caused by a ransomware attack. If ransomware is installed, only part of the network will be affected.

Southern Oregon University Phishing Attack Nets Criminals $1.9 Million

A recent Southern Oregon University phishing attack has clearly demonstrated why so many cybercriminals have chosen phishing as their main source of income.

Hacking an organization takes considerable planning and effort, typically requiring many hours of hard work and a considerable amount of skill. Phishing on the other hand is easy by comparison, requiring little work. Furthermore, the potential profits from phishing can be considerable.

The Southern Oregon University Phishing Attack Required a Single Email

The Southern Oregon University phishing attack involved a single phishing email. The attackers impersonated a construction company – Andersen Construction – that was building a pavilion and student recreation center at the University.

The attackers spoofed the email address of the construction firm and requested all future payments be directed to a different bank account. The university then wired the next payment to the new account in April. The payment was for $1.9 million.

The university discovered the construction firm had not received the funds three days later. The FBI was contacted as soon as the fraud was discovered and efforts are continuing to recover the funds. The university reports that the attackers have not withdrawn all of the funds from their account, although a sizeable chunk is missing. Joe Mosley, a spokesperson for SOU said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”

In order to pull off a scam such as this, the attackers would need to know that the construction project was taking place and the name of the firm. Such information is not hard to find and universities often have construction projects taking place.

These attacks are known as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email to a vendor. It is not clear whether the vendors email account had been hacked, but that step may not be required to pull off a phishing attack such as this.

Rise in BEC Attacks Prompts FBI Warning to Universities

In this case, the payment was substantial but it is far from an isolated incident. Last month, the FBI released a public service announcement warning universities of attacks such as this.

The FBI warned that access to a construction firm’s email account is not necessary. All that is required is for the scammer to purchase a similar domain to the one used by the firm. Accounts department employees may check the email address and not notice that there is a letter different.

By the time the university discovered a payment has not been received, the funds have already been cleared from the scammer’s account and cannot be recovered. Payments are commonly of the order of several hundred thousand dollars.

The FBI informed SOU that there have been 78 such attacks in the past year, some of which have been conducted on universities. However, all organizations are at risk from these BEC scams.

The Southern Oregon University phishing attack shows just how easy it can be for scammers to pull off a BEC attack. Protecting against this time of scam requires employees to be vigilant and to exercise extreme caution when requests are made to change bank accounts. Such a request should always be verified by a means other than email. A telephone call to the construction firm could easily have stopped this scam before any transfer was made.

Restaurants Facing Barrage of Fileless Malware Phishing Attacks

Cybercriminals have been conducting fileless malware phishing attacks and restaurants are in the firing line. Restaurants are being singled out as they tend to have relatively poor cybersecurity defenses and criminals can easily gain access to the credit card details of thousands of customers.

The phishing attacks are used to install fileless malware – malware that remains in the memory and does not involve any files being written to the hard drive. Consequently, fileless malware is particularly difficult to detect. By switching to fileless malware, which most static antivirus solutions do not detect, the criminals can operate undetected.

While fileless malware can be short-lived, only existing in the memory until the computer is rebooted, the latest variants are also persistent. The purpose of the malware is to allow the attackers to install a backdoor that provides access to restaurants’ computer systems. They can then steal the financial information of customers undetected.

The latest fileless malware phishing attacks involve RTF files. Researchers at Morphisec detected the campaign, which has been attributed to the hacking group FIN7; a group that has close associations with the Carbanak group.

The attacks start with a well-crafted phishing email, with social engineering methods used to encourage end users to open the attached RTF file. RTF files have been discovered that are restaurant themed, named menu.rtf and relating to orders. Some emails appear to have been written to target specific restaurant chains.

One intercepted phishing email claimed to be a catering order, with the attachment containing a list of the items required. In the email, brief instructions explaining when the order is needed and how to view the list of ordered items. The email was brief, but it was particularly convincing. Many restaurants are likely to be fooled by these fileless malware phishing attacks, with access to systems granted for long periods before detection.

As with other phishing campaigns, the user is prompted to enable the content in the attached file. Opening the RTF file presents the user with a large image that they must click in order to view the contents of the document. The document is expertly crafted, appears professional and suggests the contents of the document are protected. Double clicking on the image and confirming with a click on OK will launch the infection process, running JavaScript code.

FIN7 has recently been conducting attacks on financial institutions, but Morphisec reports that the methodology has changed for the malware attacks on restaurants. DNS queries are used to deliver the shellcode stage of infection, but in contrast to past attacks, the DNS queries are launched from the memory, rather than using PowerShell commands. Since the attack does not involve files being written to the hard drive, it is difficult to detect.

Further, the researchers checked the RTF file against VirusTotal and discovered none of the 56 AV vendors are currently detecting the file as malicious.

Corporate Phishing Emails Increased by 400% in Q2, 2017

Corporate phishing emails are one of the biggest cybersecurity risks faced by organizations. Cybercriminals are well aware that even companies with robust cybersecurity defenses are vulnerable to phishing attacks.

Phishing email volume is higher than at any other time in history. Employees are being targeted with threat actors now using sophisticated social engineering techniques to maximize the probability of employees clicking on links, opening infected email attachments or disclosing their login credentials. If corporate phishing emails are delivered to end users’ inboxes, there is a high chance that at least one employee will be fooled. All it takes is for one employee to click on a malicious link or open an infected attachment for malware to be installed or access to sensitive data be provided.

The threat from phishing attacks has been steadily increasing in recent years, although this year has seen phishing attacks soar. A recent study conducted by Mimecast has shown that cybercriminals have been stepping up their efforts in recent months. Last quarter, there was a 400% increase in corporate phishing emails according to the study.

A phishing trends & intelligence report for Q1, 2017 from the security awareness training firm PhishLabs showed that in the first quarter of 2017, overall phishing email volume increased by 20% compared to the previous quarter. 88% of phishing attacks were concentrated on five industries: payment services, financial institutions, cloud storage/file hosting firms, webmail/online services and e-commerce companies.

The anti-phishing training and phishing simulation platform provider PhishMe also noted a major increase in phishing emails in Q1, 2017. The firm’s Q1, 2017 malware review also showed there had been a 69.2% increase in botnet malware usage in the first quarter of this year.

Business email compromise attacks are also on the rise. Proofpoint’s annual Human Factor report showed BEC email attacks rose from 1% of message volume to 42% of message volume relative to emails bearing Trojans. Those attacks have cost businesses $5 billion worldwide.

These studies clearly show that corporate phishing emails are on the rise, highlighting the need for organizations to improve their defenses. The best defense against phishing emails and ransomware attacks is to ensure messages are intercepted and blocked. It is therefore essential for organizations to implement a robust spam filtering solution to prevent malicious messages from reaching end users’ inboxes.

SpamTitan conducts more than 100 checks of incoming emails, ensuring more than 99.98% of spam and malicious emails are blocked. Dual anti-virus engines are used to ensure 100% of known malware and ransomware is intercepted and prevented from being delivered to end users’ inboxes.

If you have yet to implement an advanced spam filtering solution or you are unhappy with your current provider, contact TitanHQ today to find out more about SpamTitan and how it can be used to protect your business from email attacks. SpamTitan is also available on a no obligation, 30-day free trial, allowing you to try the solution for yourself before committing to a purchase.

New Microsoft Windows XP Updates Released in Wake of WannaCry Attacks

Microsoft took the decision to issue emergency Windows XP updates to prevent exploitation of the Windows Server Message Block (SMB) vulnerability used to infect worldwide computers with ransomware on May 12, 2017.

The move came as a surprise since the operating system is no longer supported. Extended support came to an end on April 8, 2014. Yesterday, saw further Microsoft Windows XP updates released. The patches prevent further flaws in the operating system from being exploited by cybercriminals in WannaCry ransomware-style attacks.

Microsoft’s Cyber Defense Operations Center head, Adrienne Hall, said “Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”

In total, nearly 100 vulnerabilities were patched this Patch Tuesday, including 18 critical flaws that can be remotely exploited by cybercriminals to take full control of vulnerable systems. In some cases, as was the case with the WannaCry ransomware attacks, no user interaction is required for the flaws to be exploited.

One of the flaws – tracked as CVE-2017-8543 – similarly affects the Windows Server Message Block service. Microsoft says CVE-2017-8543 is being actively exploited in the wild, with Windows Server 2008, 2012, and 2016 all affected as well as more recent versions of Windows – v7, 8.1 and Windows 10. It is this flaw that has been patched for Windows Server 2003 and Windows XP. As was the case on May 12, once the attackers infect one device, they can search for other vulnerable devices. Infection can spread incredibly quickly to many other networked devices.

Some security experts have criticized Microsoft for issuing yet more Windows XP updates, arguing that this sends a message to users of outdated operating systems that it is OK not to upgrade the OS. Windows XP has many unpatched flaws, but the recent Windows XP updates suggest that if a particularly serious vulnerability is discovered that is being actively exploited, patches will be issued.

While Microsoft Windows XP updates have been released, this should not be taken as signaling a change in Microsoft’s standard servicing policies. Further patches may not be released for unsupported Windows versions, so organizations should not delay upgrading their OS. Microsoft’s general manager of its Security Response Center, Eric Doerr, said “The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”

In total, there were 95 updates issued this patch Tuesday. Like CVE-2017-8543, a LNK remote code execution vulnerability (CVE-2017-8464) is also being exploited in the wild.

The latest round of updates also includes a patch for a serious flaw in Microsoft Outlook (CVE-2017-8507). Typically, in order to exploit vulnerabilities an end user would be required to open a specially crafted email attachment. However, if an attacker were to send a specially crafted message to an Outlook user, simply viewing the message would allow the attacker to take full control of the machine.

Adobe has also issued a slew of updates to address 21 vulnerabilities spread across four products (Flash, Shockwave Player, Captivate and Adobe Digital editions). 15 of those vulnerabilities have been marked as critical and would allow remote code execution.

As the WannaCry ransomware attacks clearly showed, the failure to apply patches promptly leaves the door wide open to cybercriminals. These updates should therefore not be delayed, especially since two of the flaws are being actively exploited.

MacRansom: A New, Free Ransomware-as-a-Service that Targets Mac Users

Mac users are better protected from ransomware than Windows users, although they now face a new threat: MacRansom. The new ransomware variant may not be particularly advanced, although it is capable of encrypting files.

MacRansom is being offered under a ransomware-as-a-service (RaaS) model with the RaaS advertised to cybercriminals on a Tor network portal. In contrast to many RaaS offerings that require payment to be made before the RaaS can be used, the threat actors behind MacRansom are offering the RaaS free of charge.

Any would-be cybercriminal looking to conduct ransomware attacks can email the creators of the ransomware via a secure Protonmail email address and a version of MacRansom will be created according to the user’s specifications.

The authors of MacRansom claim they are professional engineers and security researchers with extensive experience in software development and a thorough understanding of the MacOS. They claim they have previously worked at Yahoo and Facebook.

The authors claim that MacRansom can be installed and will remain invisible to the victim until the scheduled execution time, when it will complete its encryption routine in under a minute. The ransomware variant uses a 128-bit industrial standard encryption algorithm that cannot be beaten unless the ransom is paid. The authors claim the ransomware leaves no digital traces and that it can be scheduled to run at a specific time set by the user. It can even be triggered when an individual plugs in an external drive into an infected machine to maximize the number of files that are encrypted. However, the ransomware is only capable of encrypting a maximum of 128 files.

The Ransomware is capable of checking if it is in a virtual environment, whether it is being debugged or if it has been installed in a non-Mac environment, in which case it will exit.

Security researchers at Fortinet – Rommel Joven and Wayne Chin Low – signed up for the RaaS and obtained a sample, but noted that under some circumstances it may not be possible to decrypt encrypted files even if the ransom is paid. They said, “A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number.  In other words, the encrypted files can no longer be decrypted once the malware has terminated.” However, to find out, victims will be required to pay a ransom payment of 0.25 Bitcoin – around $700.

Fortunately, infection requires the victim to run a file with an unidentified developer. They will therefore need to confirm they wish to do that before the file is run. This warning should be sufficient to prevent many end users from proceeding.

University of Alaska Phishing Attack Results in Exposure of 25,000 Individuals’ Data

A University of Alaska phishing attack has potentially resulted in attackers gaining access to the sensitive information of 25,000 staff, students and faculty staff.

The University of Alaska phishing attack occurred in December last year, although affected individuals have only just been notified. The phishing emails were sent to university employees. One or more individuals responded and were fooled into following the threat actors’ instructions.

Details of the exact nature of the phishing emails were not disclosed; however, as with other phishing scams, the emails appeared genuine and looked professional. By responding to the emails, the employees accidentally disclosed their usernames and passwords to the attackers. The attack resulted in ‘several’ email accounts being compromised.

The emails in the compromised accounts contained a range of sensitive information including names and Social Security numbers. In total, around 25,000 staff, students and faculty members had their information exposed.

The investigation into the University of Alaska phishing attack could not confirm whether any of the emails in the accounts were accessed or if information was copied by the attackers, although it remains a distinct possibility.

Due to the sensitive nature of data in the accounts, the University of Alaska had to inform all affected individuals by mail and offer credit monitoring and identity theft protection services. Victims will also be protected by a $1 million identity theft insurance policy.

A forensic analysis had to be conducted to determine the exact nature of the attack and which individuals had been affected – A process that took around 5 months. Staff had to be provided with additional training to improve awareness of credential phishing scams and were retrained correct handling of sensitive information. The notifications and mitigations came at a considerable cost.

The University of Alaska phishing attack was just one of many phishing attacks that have taken place in the United States over the past few months. The phishing attacks all have a common denominator. Employees were targeted, phishing emails reached inboxes, and end users followed the instructions in the emails.

Training staff to be aware of the threat of phishing can reduce susceptibility, although training did not prevent the University of Alaska phishing attack.

Even after receiving security awareness training, employees can make mistakes. A technology solution should therefore be implemented to stop phishing emails from being delivered to end users’ inboxes.

SpamTitan from TitanHQ offers excellent protection against phishing attacks, blocking more than 99.9% of spam, phishing emails and other malicious messages. SpamTitan is quick and easy to install, cost effective to implement and easy to maintain.

With SpamTitan installed, organizations can protect themselves against phishing attacks and avoid the considerable cost of data breaches.

For more information on SpamTitan and other TitanHQ security products, contact the sales team today and take the first step toward improving your defences against phishing attacks.

Phishing Attacks Likely to Follow Hotels.com Breach

The Texas-based online hotel booking website Hotels.com is notifying customers that some of their sensitive information has been exposed. The Hotels.com breach potentially involved usernames and passwords, email addresses, and the last four digits of site users’ credit card numbers.

Users’ accounts were hacked between May 22 and May 29, although at this stage it is unclear exactly how many individuals have been affected. While full credit card numbers were not obtained, the Hotels.com breach will see users face an elevated risk of phishing attacks.

Phishing emails come in many guises, although it is common for users of a site that has experienced a data breach or security incident to receive warning emails about the attack. The emails rightly claim that a user’s sensitive information has been compromised; however, the emails do not come from the company that experienced the breach. Instead, it is the cybercriminals who conducted the attack, or individuals who have bought stolen data from the attackers, that send the emails.

A typical phishing scenario sees individuals informed that their usernames and passwords have been compromised. A link is included in the emails to allow the user to reset their password or activate additional security controls on their account.

That link will direct the user to a phishing website where further information is obtained – the missing digits from their credit card number for example – or other personal information. Alternatively, the link could direct the user to a malicious website containing an exploit kit that downloads malware onto their computer.

Hotels.com customers were targeted in a 2015 phishing campaign which resulted in many site users divulging information such as names, phone numbers, email addresses and travel details. That information could be used in further scams or even for robberies when victims are known to be on vacation.

The Hotels.com breach is the latest in a number of attacks on online companies. While it is currently unclear how access to customers’ accounts was gained, a letter emailed to affected users suggests the attacks could be linked to breaches at other websites. The letter suggests access to online accounts could have resulted from password reuse.

Reusing passwords on multiple online platforms is a bad idea. While it is easier to remember one password, a breach at any online website means the attackers will be able to access accounts on multiple sites.

To prevent this, strong, unique passwords should be used for each online account. While these can be difficult to remember, a password manager can be used to store those passwords. Many password managers also help users generate strong, unique passwords. Users should also take advantage of two-factor authentication controls on sites whenever possible to improve security.

Since many businesses use hotel booking websites such as Hotels.com, they should be particularly vigilant for phishing emails over the coming weeks, especially any related to hotels.com. To protect against phishing attacks, we recommend using SpamTitan. SpamTitan blocks more than 99.9% of phishing and other spam emails, reducing the risk of those messages being delivered to end users. Along with security awareness training and phishing simulation exercises, businesses can successfully defend against phishing attacks.

Samba Flaw Could Be Exploited and Used in Network Worm Attacks

A critical Samba flaw has been discovered that has potential to be exploited and used for network worm attacks similar to those that resulted in more than 300,000 global WannaCry ransomware infections.

Samba is used to provide Windows-like file and print services on Unix and Linux servers and is based on the Windows Server Message Block (SMB) protocol that was exploited in the recent WannaCry ransomware attacks. The wormable remote code execution vulnerability has been identified in versions 3.5.0 an above.

The Samba flaw – tracked as CVE-2017-7494 – has existed for around 7 years, although no known attacks are understood to have occurred. That may not remain the case for long.

Samba is commonly installed on enterprise Linux servers, with around 104,000 machines believed to be vulnerable, per a recent search conducted by Rapid7 researchers. The Samba flaw can be exploited easily, requiring just a single line of code.

The Samba vulnerability has been rated as critical, although the good news is Samba has already issued an update that addresses the vulnerability. The patch can be applied to versions 4.4 and above. Any organization that is using an unsupported version of Samba, or is unable to apply the patch, can use a workaround to address the Samba vulnerability and secure their Linux and Unix servers.

The workaround is straightforward, requiring the addition of the following parameter to the [global] section of your smb.conf

nt pipe support = no

After the parameter has been added, the smbd daemon must be restarted. This will prevent clients from accessing any named pipe endpoints.

US-CERT has advised all organizations to apply the patch or use the workaround as soon as possible to prevent the vulnerability from being exploited.

If a threat actor were to exploit the Samba flaw, it would allow them to “upload a shared library to a writable share, and then cause the server to load and execute it.” A malicious file could be remotely uploaded on any vulnerable device. That could be ransomware, a network worm, or any other malicious file. That file could then be executed with root access privileges.

NAS devices also use Samba and may also be vulnerable to attack. Malicious actors could target NAS devices and access or encrypt stored data. Many organizations use NAS devices to store backups. An attack on those devices, using ransomware for instance, could be devastating. Bob Rudis, chief data scientist at Rapid7, said “A direct attack or worm would render those backups almost useless. Organizations would have little choice but to pay the ransom demand.

A proof-of-concept exploit for the Samba vulnerability is available to the public. It is therefore only a matter of time before the vulnerability is exploited. The patch or workaround should therefore be applied ASAP to mitigate risk.

TitanHQ Partners with Purple to Provide Secure Content Filtering for WiFi Networks

TitanHQ announced a new partnership with Purple, the intelligent spaces company, which is now using the WebTitan WiFi filtering solution to control the content that can be accessed through its WiFi networks.

Businesses are now realizing they can attract more customers by providing free WiFi access, with Purple allowing businesses to get something back from providing free WiFi access to customers.

Purple provides WiFi analytics and marketing solutions allowing businesses to get more out of their WiFi networks. Those services have proven incredibly popular, with Purple rapidly expanding its business to serve clients in more than 70 countries.

Businesses are facing increasing pressure not only to provide Internet access to customers, but also to ensure that the Internet can be accessed safely and securely. The recent WannaCry ransomware attacks have highlighted just how important Internet security has now become. An Internet content filtering solution is therefore necessary to ensure inappropriate website content can be filtered out and malicious websites are blocked.

TitanHQ’s website content filtering solution – WebTitan – is the global leading content filtering solution for WiFi networks. Each day, WebTitan detects and blocks more than 60,000 different types of malware and ransomware, preventing users from infecting their devices. The solution is managed from a web-based control panel and can instantly be applied to any number of global WiFi access points.

The solution can be easily configured, has no latency, and allows precise control over the types of content that can be accessed through WiFi networks.

Following the rollout of WebTitan, which took just a few days, Purple customers have started benefitting from the industry-leading WiFi filtering solution.

James Wood, Head of Integration at Purple, communicated Purple’s unique requirements to TitanHQ which was able to provide a solution that exactly matched the company’s needs. Wood said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”

The solution was ideal for Purple. Woods explained that “Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”

More and more companies are realizing that it is no longer sufficient to just offer free WiFi access to customers. Customers now want to be reassured that they can access the Internet securely. TitanHQ CEO Ronan Kavanagh said “Content filtering for Wi-Fi will be a given in service terms over the next few years. Purple again is leading the way with their focus on this area.”

Phishing Attacks on Healthcare Organizations Can Result in HIPAA Fines

In the United States, the healthcare industry is being targeted by cybercriminals, with phishing attacks on healthcare organizations one of the easiest and most common methods of gaining access to email accounts and protected health information.

A phishing email is sent to a healthcare employee along with a seemingly legitimate reason for revealing their login credentials. Doing so will give the attackers access to an email account and the protected health information of patients in those emails.

Emails accounts contain a wealth of information that can be used for further attacks. A compromised email account can be used to send further phishing emails within a company. One response to a phishing email can see many email accounts compromised. A single phishing email can result in a major security incident and costly data breach.

There have been many phishing attacks on healthcare organizations this year and the past 12 months has seen numerous phishing-related data breaches added to the Department of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal.

Any breach of protected health information that results in more than 500 records being exposed is investigated by OCR. During investigations of phishing attacks on healthcare organizations, OCR often finds that Health Insurance Portability and Accountability Act Rules have been violated. Healthcare organizations are discovered not to have performed risk assessments – as is required by the HIPAA Security Rule – and have failed to identify the risk of phishing and take appropriate steps to reduce risk to an acceptable level.

When organizations are found to have violated HIPAA Rules, heavy fines may follow. Recently, OCR has investigated several healthcare phishing attacks and has taken some cases forward to settlement. The HIPAA fines can be considerable.

In 2015, OCR announced its first HIPAA settlement for a phishing attack. University of Washington Medicine was fined $750,000 as a result of a malware installation that occurred when an employee responded to a phishing email. In that case, 90,000 patients had their information revealed to the attackers.

A HIPAA penalty for a phishing attack was also announced last month, with the Colorado based Metro Community Provider Network (MCPN) having to pay OCR $400,000 to resolve HIPAA violations discovered during the investigation of the phishing attack. The phishing attack resulted in an email account being compromised, and along with it, the protected health information of 3,200 patients.

The employee did not reveal their email credentials in that case, at least not directly. Instead, the response to the email resulted in a malware installation that gave the attacker access to the email account.

Phishing attacks on healthcare organizations are to be expected. OCR is aware that it may not be possible to prevent 100% of phishing attacks, 100% of the time. Not all phishing attacks on healthcare organizations will therefore result in a HIPAA fine. However, failing to reduce risk to an acceptable level is another matter. If healthcare organizations do not do enough to prevent phishing attacks, fines are likely to result.

So, how can phishing attacks on healthcare organizations be prevented and what can healthcare organizations do to reduce risk to a level that will be deemed acceptable by OCR?

The HIPAA Security Rule requires protections to be put in place to safeguard the confidentiality, integrity, and availability of PHI. While the Security Rule does not specify exactly which security solutions should be used, there are two essential anti-phishing controls that should be employed.

A spam filtering solution should be used to prevent phishing and other malicious emails from being delivered to end users’ inboxes. It would be hard to argue that the threat from phishing has been reduced to an acceptable level if no controls are in place to block phishing emails from being delivered.

Healthcare employees must also receive security awareness training. All employees should be informed of the risk of phishing and the methods used by cybercriminals to gain access to computers and data. They should be taught best practices and shown how to identify phishing emails and other malicious email threats. By blocking phishing emails and training end users, the risk from phishing can be significantly reduced.

Beware of WannaCry Phishing Emails

Cybercriminals have started sending WannaCry phishing emails, taking advantage of the fear surrounding the global network worm attacks.

An email campaign has been identified in the United Kingdom, with BT customers being targeted. The attackers have spoofed BT domains and made their WannaCry phishing emails look extremely realistic. BT branding is used, the emails are well written and they claim to have been sent from Libby Barr, Managing Director, Customer Care at BT. A quick check of her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are convincing, cleverly put together, and are likely to fool many customers.

The emails claim that BT is working on improving its security in the wake of the massive ransomware campaign that affected more than 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were affected by the incident and had data encrypted and services majorly disrupted by the ransomware attacks. It would be extremely hard if you live in the UK to have avoided the news of the attacks and the extent of the damage they have caused.

The WannaCry phishing emails provide a very good reason for taking prompt action. BT is offering a security upgrade to prevent its customers from being affected by the attacks. The emails claim that in order to keep customers’ sensitive information secure, access to certain features have been disabled on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by clicking on the upgrade box contained in the email.

Of course, clicking on the link will not result in a security upgrade being applied. Customers are required to disclose their login credentials to the attackers.

Other WannaCry phishing emails are likely to be sent claiming to be from other broadband service providers. Similar campaigns could be used to silently download malware or ransomware.

Cybercriminals often take advantage of global news events that are attracting a lot of media interest. During the Olympics there were many Olympic themed spam emails. Phishing emails were also rife during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news event.

The golden rule is never to click on links sent in email from individuals you do not know, be extremely careful about clicking links from people you do know, and assume that any email you receive could be a phishing email or other malicious message.

A single phishing email sent to an employee can result in a data breach, email or network compromise. It is therefore important for employers to take precautions. Employees should be provided with phishing awareness training and taught the tell-tale signs that emails are not genuine.  It is also essential that an advanced spam filtering solution is employed to prevent the vast majority of phishing emails from reaching end users inboxes.

On that front, TitanHQ is here to help. Contact the team today to find out how SpamTitan can protect your business from phishing, malware and ransomware attacks.

The Cost of Ransomware Attacks Estimated to Reach $5 Billion in 2017

The cost of ransomware attacks cannot be totaled by the amounts illegally earned by cybercriminals through ransom payments. In fact, the ransom payments are just a tiny fraction of the costs experienced by businesses that have been attacked with ransomware.

Take the recent WannaCry ransomware attacks as an example. The individuals behind that campaign were charging $300 per infected device to supply the keys to decrypt data. The amount gathered by those individuals was a little over $100,000 on Monday this week, even though the attacks involved data being encrypted on approximately 300,000 devices.

However, the cost of ransomware attacks is far higher. The biggest cost of ransomware attacks for most businesses is downtime while the infection is dealt with. Even if the ransom is paid, businesses often lose a week or more while the infection is removed and systems are brought back online. One Providence law firm suffered 3 months of downtime while systems remained locked!

Then there is the continued disruption while businesses catch up from the loss of productivity in the aftermath following the attack. The NHS was still experiencing disruption more than a week after the attacks on Friday 12, May.

Ransomware attacks can also involve loss of data and damage a company’s reputation. Typically, following a ransomware attack, a forensic analysis of IT systems must be conducted to ensure all traces of malware have been removed. Checks also must be performed to look for backdoors that may have been installed. Many businesses do not have the staff to perform those tasks. Cybersecurity experts must therefore be brought in. Additional cybersecurity solutions must also be purchased to ensure further attacks are prevented. The cost of ransomware attacks is therefore considerable.

The WannaCry ransomware attacks have been estimated to have cost businesses more than $1 billion. KnowB4 CEO Stu Sjouwerman said “The estimated damage caused by WannaCry in just the initial 4 days would exceed a billion dollars, looking at the massive downtime caused for large organizations worldwide.”

The cost of ransomware attacks in 2015 was an estimated $325 million, although figures from the FBI suggest that total was reached in the first quarter of the year. The final cost of ransomware attacks in the year was estimated to have reached $1 billion. Recently, Cybersecurity Ventures predicted the cost of ransomware attacks in 2017 will reach an incredible $5 billion. Given the expected costs of the recent WannaCry ransomware attacks, that could turn out to be an incredibly conservative estimate.

Cybercriminals are not concerned about the damage caused by the attacks, only the amount they can extort from businesses. The returns may be relatively low, but they are sufficiently high to make the attacks profitable. More and more individuals are also getting in on the act by using ransomware-as-a-service. Not only are ransomware attacks likely to continue, major cybercriminal gangs are likely to increase the scale of the attacks.

Businesses should be aware of the huge cost of ransomware attacks and take appropriate action to prevent those attacks from occurring. Having a backup of data may ensure that a ransom payment does not need to be made, but it will do little to prevent huge losses from being suffered if ransomware is installed.

Preventing ransomware attacks requires security awareness training for employees, advanced spam filters to stop ransomware from being delivered to end users’ inboxes, web filters to block individuals from accessing malicious URLs, endpoint protection systems to detect and block ransomware downloads, advanced firewalls and antivirus and antimalware solutions.

Fortunately, with appropriate defenses in place, it is possible to block ransomware attacks. Those solutions do come at a cost, but considering the losses from a successful ransomware attack, they are a small price to pay.

DocuSign Phishing Emails Sent to Account Holders Following Data Breach

A recent wave of DocuSign phishing emails has been linked to a data breach at the digital signature technology provider. A hacker gained access to a ‘non-core’ system that was used to send communications to users via email and stole users’ email addresses.

DocuSign reports that the peripheral system was compromised and only email addresses were accessed and stolen. No other data has been compromised as a result of the cyberattack. The data breach only affected DocuSign account holders, not registered users of eSignature.

It is currently unclear exactly how many email addresses were stolen, although the DocuSign website indicates the firm has more than 200 million users.

The attacker used customers’ email addresses to send specially crafted DocuSign phishing emails. The emails containing links to documents requiring a signature. The purpose of the emails was to fool recipients into downloading a document containing a malicious macro designed to infect computers with malware.

As is typical in phishing attacks, the DocuSign phishing emails appeared official with official branding in the headers and email body. The subject lines of the email were also typical of recent phishing campaigns, referring to invoices and wire transfer instructions.

The san Francisco based firm has been tracking the phishing emails and reports there are two main variations with the subject lines: “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature,” or “Completed *company name* – Accounting Invoice *number* Document Ready for Signature.”

The emails have been sent from a domain not linked to DocuSign – a sign that the emails are not genuine. However, due to the realism of the emails, many end users may end up clicking the link, downloading the document and infecting their computers.

Recipients are more likely to click on links and open infected email attachments if they relate to a service that the recipient uses. Since DocuSign is used by many business users, there is a significant threat of a network compromise if end users open the emails and follow the instructions provided by the threat actors.

Businesses can reduce the risk of malicious emails reaching end users inboxes by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam emails and 100% of known malware using dual antivirus engines for maximum protection.

To find out more about SpamTitan and other antimalware controls to protect your business, contact the TitanHQ team today.

Jaff Ransomware: A New Variant from the Distributors of Locky

A new encryptor – Jaff ransomware – could be heading your way via email. Jaff ransomware is being distributed by the individuals responsible for distributing the Dridex banking Trojan and Locky ransomware. The gang has also previously used Bart ransomware to encrypt files in an attempt to extort money from businesses.

In contrast to Locky and many other ransomware variants, the individuals behind Jaff ransomware are seeking a huge ransom payment to unlock files, suggesting the new variant will be used to target businesses rather than individuals. The ransom demand per infected machine is 1.79 Bitcoin – around $3,300. The WannaCry ransomware variant only required a payment of $300 per infected machine.

The distributors have used exploit kits in the past to spread infections, although spam email is used for the latest campaign. Whether that will remain the only distribution mechanism remains to be seen. Millions of spam email messages have already sent via the Necurs botnet, according to Proofpoint researchers who identified the new encryptor.

The emails have a PDF file attachment rather than a Word document. Those PDF files contain embedded Word documents with macros that will download the malicious payload. This method of distribution has been seen with Locky ransomware in recent weeks.

The change in file attachment is believed to be an attempt to get users to open the attachments. There has been a lot of publicity about malicious Word documents attached to emails from unknown senders. The change could see more end users open the attachments and infect their devices.

Opening the PDF file will present the user with a screen advising them that the contents of the document are protected. They are prompted to ‘enable editing’ by ignoring the security warning and enabling macros. Enabling macros will result in infection. Jaff ransomware will then search for and encrypt a wide range of file types including images and multimedia files, databases, office documents and backups.

There is no known decryptor for Jaff ransomware. Recovery will depend on a viable backup existing that has not been encrypted by the ransomware. The alternatives are to pay the sizable ransom payment or permanently lose files.

To protect against the threat, an advanced spam filtering solution should be implemented to prevent the emails from reaching end users’ inboxes. As a failsafe, employees should be warned about the threat of ransomware and instructed not to open any file attachments from unknown senders. They should also be alerted to the threat from PDF files containing embedded word documents.

Who Conducted the WannaCry Ransomware Attacks? Link Found to North Korea

Who Conducted the WannaCry Ransomware Attacks?

The WannaCry ransomware attacks that started on Friday May 12 rapidly spread to more than 150 countries. While the attacks have been halted, IT security professionals are still scrambling to secure their systems and the search is now on for the perpetrators.

Malware researchers are analyzing the ransomware code and attack method to try to find clues that will reveal who conducted the WannaCry ransomware attacks.

At this stage in the investigation, no concrete evidence has been uncovered that links the attacks to any individual or hacking group, although a Google security researcher, Neel Mehta, has found a possible link to the Lazarus Group; a hacking organization believed to be based in China with links to North Korea.

The Lazarus Group is thought to be behind the attack on Sony Pictures in 2014 and the major heist on the Bangladesh central bank in February this year. While the link between the Lazarus Group and North Korea has not been comprehensively proven, the U.S. government is sure the group has been backed by North Korea in the past.

WannaCry Ransomware Code has been Reused

Mehta discovered parts of the ransomware code from the latest attacks were the same as code in a 2015 backdoor used by the Lazarus Group, suggesting the WannaCry ransomware attacks were conducted either by the Lazarus Group or by someone who has access to the same code.

Mehta also compared the code from the latest WannaCry ransomware variant and the backdoor to an earlier version of WannaCry ransomware from February and found code had been shared between all three. Symantec’s researchers have confirmed the code similarities.

Whether the Lazarus Group conducted the attacks is far from proven, and there is no evidence to suggest that were that to be the case, that the group had any backing from North Korea. The group could have been acting independently.

While some have called this link ‘strong evidence’, it should be explained that comparing code between malware samples does not confirm origin. Code is often reused and it is possible that the actors behind this campaign may have put in a false flag to divert attention from themselves onto the Lazarus Group and North Korea.

While the false flag idea is possible and plausible, Kaspersky Lab believes it is improbable and that the similarities in the source code point the finger of blame at the Lazarus Group.

Many Questions Remain Unanswered

The link with the Lazarus Group/North Korea is now being investigated further, but there are currently many questions unanswered.

The ransomware included a self-replicating function making it act like a worm, allowing it to rapidly spread to all vulnerable computers on a network. The sophistication of the attack suggests it was the work of a highly capable organization rather than an individual. However, the kill switch in the ransomware that was discovered by UK researcher ‘Malware Tech,’ allowed the infections to be halted. Such an ‘easily found’ kill switch would be atypical of such a sophisticated hacking group.

Previous attacks linked with the Lazarus Group have also been highly targeted. The WannaCry ransomware attacks over the weekend were purposely conducted in multiple countries, including China and Russia. The widespread nature of the attacks would be a departure from the typical attack methods used by Lazarus.

There are doubts as to whether North Korea would back an attack on its neighbours and allies, and while financially motivated attacks cannot be ruled out, past state-sponsored attacks have had a political purpose.

At this stage, it is not possible to tell who conducted the WannaCry ransomware attacks, but the latest discovery is an important clue as to who may be responsible.

WannaCry Ransomware Campaign Claims Victims in 150 Countries

On Friday May 12, a massive WannaCry ransomware campaign was launched, with the UK’s National Health Service (NHS) one of the early victims. The ransomware attack resulted in scores of NHS Trusts having data encrypted, with the infection rapidly spreading to networked devices. Those attacks continued, with 61 NHS Trusts now known to have been affected. Operations were cancelled and doctors were forced to resort to pen and paper while IT teams worked around the clock to bring their systems back online.

Just a few hours after the first reports of the WannaCry ransomware attacks emerged, the scale of the problem became apparent. The WannaCry ransomware campaign was claiming tens of thousands of victims around the world. By Saturday morning, Avast issued a statement confirming there had been more than 57,000 attacks reported in 100 countries. Now the total has increased to more than 200,000 attacks in 150 countries. While the attacks appear to now be slowing, security experts are concerned that further attacks will take place this week.

So far, in addition to the NHS, victims include the Spanish Telecoms operator Telefonica, Germany’s rail network Deutsche Bahn, the Russian Interior ministry, Renault in France, U.S. logistics firm FedEx, Nissan and Hitachi in Japan and multiple universities in China.

The WannaCry ransomware campaign is the largest ever ransomware attack conducted, although it does not appear that many ransoms have been paid yet. The BBC reports that the WannaCry ransomware campaign has already resulted in $38,000 in ransom payments being generated. That total is certain to rise over the next few days. WannaCry ransomware decryption costs $300 per infected device with no free decryptor available. The ransom amount is set to double in 3 days if payment is not made. The attackers threaten to delete the decryption keys if payment is not made within 7 days of infection.

Ransomware attacks usually involve malware downloaders sent via spam email. If emails make it past anti-spam solutions and are opened by end users, the ransomware is downloaded and starts encrypting files. WannaCry ransomware has been spread in this fashion, with emails containing links to malicious Dropbox URLs. However, the latest WannaCry ransomware campaign leverages a vulnerability in Server Message Block 1.0 (SMBv1). The exploit for the vulnerability – known as ETERNALBLUE – has been packaged with a self-replicating payload which can spread rapidly to all networked devices. The vulnerability is not a new zero day however. In fact, Microsoft patched the vulnerability in its MS17-010 security bulletin almost two months ago. The problem is many organizations have not installed the update and are vulnerable to attack.

The ETERNALBLUE exploit was reportedly stolen from the National Security Agency by Shadow Brokers, a cybercriminal gang with links to Russia. ETERNALBLUE was allegedly developed as a hacking weapon to gain access to Windows computers used by enemy states and terrorists. Shadow Brokers managed to steal the tool and published the exploit online in mid-April. While it is not known whether Shadows Brokers is behind the attack, the publication of the exploit allowed the attacks to take place.

The exploit allows the attackers to drop files on a vulnerable system, with that file then executed as a service. The dropped file then downloads WannaCry ransomware, which searches for other available networked devices. The infection spreads before files are encrypted. Any unpatched device with port 445 open is vulnerable.

The WannaCry ransomware campaign would have resulted in far more infections had it not been for the actions of a security researcher in the UK. The researcher –@MalwareTechBlog – found a kill switch to prevent encryption. The ransomware attempts to communicate with a specific domain. If communication is possible, the ransomware does not proceed with encryption. If the domain cannot be contacted, files are encrypted.

@MalwareTechBlog discovered the reference to the nonsense domain, saw that it was unregistered and bought it. By doing so, the ransomware attack was thwarted. The domain checking mechanism was presumably added to prevent the ransomware from running in a sandbox environment.

However, a new version of the ransomware without the kill switch has reportedly already been released, which could see the victim count increase substantially over the next few days. Organizations that have not applied Microsoft’s patch are advised to do so as a priority to block the attack.

The massive ransomware attack should serve as reminder to all organizations of the importance of applying patches promptly. That will be a particularly painful reminder for many organizations that fell victim to this preventable ransomware attack.

Fatboy Ransomware – A New RaaS That Sets Ransoms by Location

A new email-borne threat has recently been discovered. Fatboy ransomware is a new ransomware-as-a-service (RaaS) being offered on darknet forums in Russia. The RaaS offers would-be cybercriminals the opportunity to conduct ransomware campaigns without having to develop their own malicious code.

RaaS has proven incredibly popular. By offering RaaS, malicious code authors can infect more end users by increasing the number of individuals distributing the ransomware.  In the case of Fatboy ransomware, the code author is offering limited partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.

Fatboy ransomware encrypts files using AES-256, generating an individual key for the files and then encrypting those keys using RSA-2048. A separate bitcoin wallet is used for each client and a promise is made to transfer funds to the affiliates as soon as the money is paid. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, it is thought that the code author is trying to earn trust and maximize the appeal of the service.

Further, the ransomware interface has been translated into 12 languages, allowing campaigns to be conducted in many countries around the world. Many RaaS offerings are limited geographically by language.

Fatboy ransomware also has an interesting new feature that is intended to maximize the chance of the victim paying the ransom demand. This RaaS allows attackers to set the ransom payment automatically based on the victim’s location. In locations with a high standard of living, the ransom payment will be higher and vice versa.

To determine the cost of living, Fatboy ransomware uses the Big Mac Index. The Big Mac Index was developed by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the cost of a product in each country should be the same. The product chosen was a Big Mac. In short, the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand will be.

So far, Recorded Future – the firm that discovered the ransomware variant – says the code author has generated around $5,000 in ransom payments since February. That total is likely to rise considerably as more affiliates come on board and more end users are infected. There is no known decryptor for Fatboy ransomware at this time.

New ransomware variants are constantly being developed and RaaS allows many more individuals to conduct ransomware campaigns. Unsurprisingly, the number of ransomware attacks has grown.

The cost of resolving a ransomware infection can be considerable. Businesses therefore need to ensure they have defenses in place to block attacks and ensure they can recover fast.

Backups need to be made regularly to ensure files can be easily recovered. Staff need to be trained on security best practices to prevent them inadvertently installing ransomware. Antispam solutions should also be implemented to prevent malicious emails from reaching end users’ inboxes. Fortunately, even with a predicted increase in ransomware attacks, businesses can effectively mitigate risk if appropriate defenses are implemented.

For advice on security solutions that can block ransomware attacks, contact the TitanHQ team today.

Sabre Corporation Data Breach: PII and Payment Card Data Potentially Exposed

A Sabre Corporation data breach has potentially resulted in the theft of credit card details and PII from the SynXis Hospitality Solutions reservation system. The Sabre Corporation data breach was acknowledged in Sabre Corp’s Q2 10-Q filing with the Securities and Exchange Commission. Few details about the security incident have been released as the incident is currently under investigation.

What is known is the incident affects SynXis, a cloud-based SaaS used by more than 36,000 independent hotels and global hotel chains. The system allows employees to check room availability, pricing and process bookings.

Sabre Corporation recently discovered an unauthorized third party gained access to the system and potentially viewed the data of a subset of Sabre Corp’s hotel clients. Information potentially compromised as a result of the Sabre Corporation data breach includes the personally identifiable information and payment card information of hotel guests.

At this stage, Sabre Corporation is still investigating the breach and has not disclosed how the individual gained access to the payment system or when access was first gained. Sabre Corp is currently trying to determine exactly how many individuals have been affected, although affected companies have now been notified of the incident.

Sabre Corp has confirmed that the security breach only affected its SynXis Central Reservations system and unauthorized access has now been blocked. Law enforcement has been alerted to the incident and cybersecurity firm Mandiant contracted to conduct a full forensic investigation of its systems.

The Sabre Corporation data breach is the latest in a string of cyberattacks on hotel chains. Hyatt Hotels Corp, Kimpton Hotels and Restaurants, Omni Hotels & Resorts, Trump Hotels, Starwood Hotels & Resorts, Hilton Hotels, HEI Hotels & Resorts and InterContinental Hotels Group have all experienced data breaches in recent months that have resulted in the attackers gaining access to their card payment systems.

While the method used to gain access to Sabre’s system is not yet known, similar cyberattacks on hotel reservation and payment systems have involved malware and compromised login credentials.

If malware is installed on systems it can be used to monitor keystrokes and record login credentials. The sharing of login credentials and poor choices of passwords can also allow attackers to gain access to login credentials.

To protect against cyberattacks, hotels and their contracted SaaS providers should use layered defences including multiple systems to prevent the downloading of malware and multi-factor authentication to reduce the risk from compromised login credentials being used to gain access to POS systems.

Web filters should be used to control employees’ Internet access and downloads, an antispam solution used to prevent malicious emails from reaching end users’ inboxes and anti-virus and anti-malware solutions should be kept up to date and set to scan networks regularly.

Organizations in the hospitality sector must also ensure they have the basics correct, such as changing default passwords, using strong passwords and employing good patch management policies.

IC3 Issues Warning About Business Email Compromise Scams

The Internet Crime Complaint Center (IC3) has issued a new alert to businesses warning of the risk of business email compromise scams.

The businesses most at risk are those that deal with international suppliers as well as those that frequently perform wire transfers. However, businesses that only issue checks instead of sending wire transfers are also at risk of this type of cyberattack.

In contrast to phishing scams where the attacker makes emails appear as if they have come from within the company by spoofing an email address, business email compromise scams require a corporate email account to be accessed by the attackers.

Once access to an email account is gained, the attacker crafts an email and sends it to an individual responsible for making wire transfers, issuing other payments, or an individual that has access to employees PII/W-2 forms and requests a bank transfer or sensitive data.

The attackers often copy the format of emails previously sent to the billing/accounts department. This information can easily be gained from the compromised email account. They are also able to easily identify the person within the company who should be sent the request.

Not all business email compromise scams are concerned with fraudulent bank transfers. IC3 warns that the same scam is also used to obtain the W-2 tax statements of employees, as has been seen on numerous occasions during this year’s tax season.

Phishing scams are often sent out randomly in the hope that some individuals click on malicious links or open infected email attachments. However, business email compromise scams involve considerable research on the company to select victims and to identify appropriate protocols used by the company to make transfer requests.

Business email compromise scams often start with phishing emails. Phishing is used to get end users to reveal their login credentials or other sensitive information that can be used to gain access to business networks and perform the scam. Malware can also be used for this purpose. Emails are sent with links to malicious websites or with infected email attachments. Opening the attachments or clicking on the links downloads malware capable of logging keystrokes or provides the attackers with a foothold in the network.

IC3 warns that business email compromise scams are a major threat for all businesses, regardless of their size. Just because your business is small, it doesn’t mean that you face a low risk of attack.

Between January 2015 and December 2016, IC3 notes there was a 2,370% increase in BEC scams. While funds are most commonly sent to bank accounts in China and Hong Kong, IC3 says transfers have been made to 103 countries in the past two years.

The losses reported by businesses are staggering. Between October 2013 and December 2016, more than $5 billion has been obtained by cybercriminals. United States businesses have lost $1,594,503,669 in more than 22,000 successful scams. The average loss is $71,528.

IC3 lists the five most common types of business email compromise scams as:

  1. Businesses receiving requests from frequently used suppliers requesting transfers be made to a new bank account.This is also known as a bogus invoice scam.
  2. An executive within the company (CFO or CTO for example) requests a transfer be made by a second employee in the company. This is also known as a business executive scam.
  3. A compromised email account is used to send a payment request/invoice to a vendor in the employees contact list.
  4. The attackers impersonate an attorney used by the firm and request the transfer of funds. These scams are common at the end of the week or end of the business day. They are also known as Friday afternoon scams.
  5. A request is sent from a compromised email account to a member of the HR department requesting information on employees such as W-2 Forms or PII. These scams are most common during tax season.

There are a number of strategies that can be adopted to prevent business email compromise attacks from being successful.

IC3 recommends:

  • Using a domain-based email account rather than a web-based account for business email accounts
  • Exercising caution about the information posted to social media accounts. This is where the attackers do much of their research
  • Implement a two-step verification process to validate all transfer requests
  • Use two-factor authentication for corporate email accounts
  • Never respond to an email using the reply option. Always use forward and type in the address manually
  • Register all domains that are similar to the main domain used by the company
  • Use intrusion detection systems and spam filters that quarantine or flag emails that have been sent with extensions similar to those used by the company – Blocking emails sent from xxx_company.com if the company uses xxx-company.com for example
  • Be wary of any request that seems out of the ordinary or requires a change to the bank account usually used for transfers

Millions Affected by Google Phishing Scam

A Google phishing scam has been spreading like wildfire over the past couple of days. Emails have been sent in the millions inviting people to edit Google Docs files. The emails appear to have been sent by known individuals, increasing the likelihood of the messages being opened and the links being clicked.

In contrast to many email scams that include a link to a spoofed website, this scam directs the recipient to Google Docs. When the user arrives at the site they will be presented with a legitimate Google sign-in screen.

The Google phishing scam works within the Google platform, taking advantage of the fact that individuals can create a third-party app and give it a misleading name. In this case, the app has been named ‘Google Docs.’

This makes it appear that Google Docs is asking for permission to read, send, delete, and manage emails and access the user’s contacts. However, it is the creator of the app that is asking to be granted those permissions. If users check the developer name, they will see that all is not as it seems. Many individuals will not check, since the permission screen also includes Google logos.

Signing in will give the attacker access to the user’s Google account, including their emails, Google Docs files, and contact list. Further, signing in on the website will also result in the victim’s contact list being sent similar invitations. Unsurprisingly, many have fallen for the Google phishing scam and countless emails are still circulating.

The scam appears to have started at some point on Wednesday. Google has now issued an official statement saying it is taking action to protect users and has disabled the accounts that are being used to conduct the scam.

Google confirmed the actions it has taken in response to the phishing scam, saying “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

Anyone who receives a request to edit a Google Doc should treat the request with suspicion, even if it has been sent from someone known to the recipient.

If you think you may have fallen for this phishing scam it is likely that emails will already have been generated and sent to your contacts. However, you can take action to block the threat by revoking the access rights you have given to the app through the Connected Apps and Sites page.

The Google phishing scam is highly convincing and clearly shows how sophisticated cybercriminals are getting in their attempts to gain access to sensitive information and why it is imperative that email users be permanently on their guard.

58% of UK Office Workers Open Email Attachments from Unknown Senders

Training employees on basic cybersecurity is essential. Conventional cybersecurity solutions such as antivirus software are no longer as effective at blocking threats as they once were and employees are targeted by cybercriminals.

Cybercriminals are well aware that employees are easy to fool. Social engineering techniques are used to create highly convincing phishing scams. Those emails contain images of well-known brands and text that would not look out of place in an official communication. Believable reasons are given for the need to disclose login credentials, click on hyperlinks or open email attachments. The emails are effective.

Email is now the number one attack vector for cybercriminals and the biggest cybersecurity threat for businesses.

Employees Still Lack Security Awareness

Even though the threat from phishing has been widely reported in the media, many employees still take major security risks at work.

A recent survey conducted by Glassdoor on UK office workers highlights how serious the risk of email cyberattacks is. 1,000 office workers from mid to large-sized businesses in the UK were asked questions about cybersecurity. 58% of respondents said they usually opened email attachments sent from unknown individuals.

Cybercriminals often mask email addresses to make the emails appear as if they have been sent from someone in the recipient’s contact list. Those tactics are even more effective at getting an end user to take the desired action – clicking on a hyperlink or opening an email attachment. The former directs the end user to a malicious website where malware is silently downloaded. Opening the email attachment results in code being run that downloads a malicious payload.

When asked how often email attachments from known senders were opened, 83% of respondents said they always or usually opened email attachments. Office workers were also asked whether their organization had experienced a cyberattack. 34% of respondents said it had.

How often are malicious emails getting past organizations security defenses? 76% of respondents said suspicious emails had been sent to their work email inboxes.

The survey suggests cybersecurity training is either not being conducted or that it is in effective and email security solutions are not in place or have not been configured correctly.

20% of respondents said their organization had no policy on email attachments, or if it did, it had not been communicated to them. 58% said they would feel much safer if their organization had the appropriate technology in place to protect them from email attacks.

How to Improve Defenses Against Email Attacks

Organizations must ensure appropriate technology is in place to block malicious emails and that employee cybersecurity training programs are developed to raise awareness of the risks of cyberattacks via email.

Policies should be developed – and communicated to staff – covering email attachments and hyperlinks. If staff are unaware of the risks, they cannot be expected to be able to identify an email as suspicious and take the appropriate action. It must also be made clear to employees what actions should be taken if suspicious emails are received.

Cybersecurity training programs should also be evaluated. If those programs are not tested, employers will not know how effective their training is. Sending dummy phishing emails is a good way to determine whether training programs are effective.

A powerful spam filtering and anti-phishing solution should also be employed to prevent malicious emails from reaching end users’ inboxes. SpamTitan, for instance, is an advanced antispam solution for SMEs that blocks over 99.7% of spam emails and 100% of known malware. By preventing malicious emails from reaching end users’ inboxes, employee cybersecurity training will not be put to the test.

Does GDPR Apply to American Companies?

The General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe that comes into force next year, but does GDPR apply to American companies? As many U.S. companies have recently discovered, not only does GDPR apply to American companies, doing business within the EU is likely to be extremely costly for companies that do not comply with GDPR.

Any organization or individual that does business within any of the 28 EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Romania, Slovakia, Spain, Sweden and the United Kingdom) must comply with GDPR or face heavy penalties.

The penalty for non-compliance with GDPR for enterprises is up to 20,000,000 Euros ($23,138,200) or 4% of the annual global turnover of the company for the previous fiscal year, whichever is the greatest. An enterprise found not to have complied with GDPR will also be subjected to regular, periodic data protection audits to ensure its policies and procedures are updated and the firm continues to comply with GDPR.

So, what is the regulation and how does GDPR apply to American companies? What do U.S firms need to do to comply with GDPR?

How Does GDPR Apply to American Companies?

The main purpose of GDPR is to give EU citizens greater control over how their personal data is collected, protected and used. While the legislation applies to EU companies, it also applies to any company that chooses to do business in the EU. That includes any online business that owns a website that is accessible by EU citizens if that website collects user data.

Since the definition of personal information includes online identifiers such as cookies, GDPR has implications for huge numbers of U.S businesses. GDPR applies to all companies that do business with persons based in EU member states, with the exception of law enforcement agencies or when data are collected for national security activities.

To continue to do business in the EU, most companies will have to implement additional privacy protections and adopt end-to-end data protection strategies.

The EU classes personal data as “Any information relating to an identified or identifiable natural person,” which includes a wide range of information from names, addresses, telephone numbers and email addresses to bank information and credit card details, photos, posts on social media websites, medical information, and even an individuals IP address.

Even when controls have been implemented to keep data secure, it may still be necessary to overhaul systems to ensure sufficient protections are in place. Companies must be aware where data are stored and employees must be trained to ensure they are aware of their responsibilities with regards to the use of data.

Organizations will need to provide customers – and website visitors – with detailed information on data that are collected and how data will be used. Consent must be obtained before any data are collected and consent must be obtained from a parent or custodian of a minor.

There must be a legitimate and lawful reason for collecting data and limited to the minimum necessary information for the purpose for which data are collected. Data must be deleted when that purpose has been achieved.

Organizations must appoint a Data Protection Officer who is knowledgeable about GDPR and will oversee compliance if their core activities are data collection, storage or data processing. That individual must also have a thorough understanding of the company’s organizational and technical infrastructure.

Organizations also need to implement appropriate policies, procedures and technologies to ensure that the data of EU citizens can be permanently erased. GDPR includes the right to be forgotten – termed ‘Right to Erasure’.

The legislation that GDPR replaces only required data to be deleted when it caused substantial damage or distress. However, from next year, an EU citizen can request that all data collected on them be permanently deleted if the information is no longer needed for the purpose that it was originally collected. Data must also be deleted if consent to use the data is withdrawn or if the processing of data is unlawful and breaches GDPR.

Many U.S. companies already have technologies in place that will comply with the data protection requirements of GDPR, but the right to erasure requirement could pose problems.

Symantec recently conducted a survey that revealed 9 out of 10 businesses were concerned that they would not be able to comply with the right to erasure requirement of GDPR, with only 4 out of 10 businesses already having a system in place that could potentially allow all data to be deleted.

Compliance with GDPR in the United States

A recent survey conducted by PricewaterhouseCoopers on large multinational companies in the United States shows efforts are already underway to ensure compliance with the EU regulation. More than half of surveyed firms said GDPR is now their main data protection priority, with 92% saying compliance with GDPR is a top priority this year.  The cost of compliance is considerable. 77% of surveyed firms said they are planning to spend more than $1 million on GDPR compliance, with one of the main spending priorities being improving their information security defenses.

Many companies are starting to ask how how does GDPR apply to American companies, but a study conducted by NTT Security suggests that three quarters of U.S. businesses are ignoring GDPR because they do not believe the regulation applies to them. Ignorance could prove very costly indeed. Further, time is running out. For many companies, compliance with GDPR will not be a quick process and the deadline is fast approaching. GDPR comes into effect on May 25, 2018. Miss the deadline and fines await.

Further Reading:  Read a more detailed explanation of the GDPR regulations for US companies here.

Law Firm Ransomware Attack Locks Data for Three Months

A law firm ransomware attack has resulted in business files being left encrypted and inaccessible for three months, causing considerable billing losses for the firm.

Why did the law firm not simply pay the ransom demand to regain access to their files? Well, they did. Unfortunately, the attackers took the money and did not supply viable keys to unlock the encrypted files. Instead, they had a much better idea. To issue another ransom demand to try to extort even more money from the law firm.

The law firm, Providence, RI- based Moses Afonso Ryan Ltd, was forced to negotiate with the attackers to gain access to its data. It took more than three months and ransomware payments of $25,000 to finally regain access to its files. However, the ransomware payment represented only a tiny proportion of the cost of the attack. During the three months that data were locked, the firm’s lawyers struggled to work.

Moses Afonso Ryan made a claim against its insurance policy for lost billings as a result of the attack; however, the insurer, Sentinel Insurance Co., has refused to pay the bill. The law firm claims to have lost $700,000 as a result of the attack in lost billings alone. The firm has recently filed a U.S. District Court lawsuit against its insurer claiming breach of contract and bad faith for denying the claim.

The law firm ransomware attack involved a single phishing email being opened by one of the firms’ lawyers. That email has so far cost the firm more than $725,000 and the losses will continue to rise.

Important lessons can be learned from this law firm ransomware attack. First, the importance of training all staff members on the risk of ransomware attacks and teaching security best practices to reduce the risk of attacks being successful.

Since phishing emails are now highly sophisticated and difficult to identify, technical solutions should be implemented to prevent emails from reaching employees’ inboxes. Endpoint protection systems can reduce the risk of ransomware being installed and can detect infections rapidly, limiting the damage caused.

All businesses should take care to segment their networks to ensure that a ransomware infection on a single computer does not result in an entire network being impacted.

It is also essential for backups to be performed regularly and for those backups to be tested to ensure data can be recovered. This law firm cyberattack clearly demonstrated that organizations cannot rely on attackers making good on their promise to unlock data if the ransom is paid.

There have been cases where the attackers have not been able to supply a functional key to unlock data, and numerous examples of attackers issuing further ransom demands in an attempt to extort even more money out of companies.

Healthcare Ransomware Attacks Accounted for 50% of All Security Incidents

Hackers are continuing to attack healthcare organizations, but healthcare ransomware attacks are the biggest cause of security incidents, according to the NTT Security 2017 Global Threat Intelligence Report.

Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.

However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector have also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by the government (19%), healthcare (15%) and retail (15%).

NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.

Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen but they still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity has fallen throughout the year as cybercriminals have turned to phishing emails to spread malware and ransomware. There was a steady decline in exploit kit attacks throughout the year.

With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.

The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.

Cyberattacks on Educational Institutions Increase Sharply

Cyberattacks on educational institutions are occurring at an alarming rate. While the education sector has not been as heavily targeted as the financial services and healthcare in recent years, that is no longer the case. Cybercriminals and state-actors now have the education sector in their crosshairs.

Cybercriminals have realized that cyberattacks on educational institutions can be highly profitable, with this year seeing a sharp rise in attacks.

Schools, colleges and higher education institutions hold vast quantities of data that can be used for fraud and identity theft. As we have already seen this year, cyberattacks on educational institutions are now much more common. The first quarter of the year saw a rise in W-2 phishing attacks, with criminals managing to obtain the tax information of many thousands of staff members. Those data were used to file fraudulent tax returns. Student records can be used for identity theft and can be sold for big bucks on darknet marketplaces. Attacks aimed at obtaining the personal data of students have similarly increased.

Educational institutions also conduct extensive research. The past year has seen a sharp rise in espionage related cyberattacks on educational institutions. Criminals are also conducting attacks to gain access to bank accounts. This year, two major cyberattacks on educational organizations have resulted in bank transfers being made to criminals’ accounts. At the start of the year, a phishing attack on the Cleveland Metropolitan School District resulted in more than $100,000 being obtained by the attackers. Denver Public Schools was also attacked, with the attackers redirecting $40,000 in payroll funds to their own accounts.

The recently published Data Breach Investigation Report from Verizon clearly shows the new attack trend. Over the past year, there have been 455 incidents reported by educational institutions, 73 of which have resulted in the theft of data.

While many industries see cyberattacks conducted for financial reasons, in education, financial gain was only the motive behind 45% of cyberattacks. 43% of attacks involved espionage and 9% of attacks were conducted for fun. Out of all reported data breaches, 26% involved espionage. Last year the percentage was just 5%.

Attacks are coming from all angles – Internal attacks by students; attacks by cybercriminals looking to steal data, and state-sponsored actors looking to steal research. The latter accounted for more than half of data breaches in the past year.

The Verizon report indicates hacking is the biggest threat. 43% of breaches were due to hacks, although social attacks and malware were also common. Verizon reports that almost 44% of breaches involved social and around a third involved malware. Social attacks and malware have increased considerably over the course of the past year. The most common social attack was phishing via email.

As long cyberattacks on educational institutions remain beneficial or profitable, cyberattacks will continue.  Educational institutions therefore need to take steps to improve their security posture. Since social attacks such as phishing are commonplace, and malware infections commonly occur via email, educational institutions need review their email defenses.

Password policies should be introduced to ensure strong passwords are set on email accounts and policies introduced to ensure passwords are regularly changed. Spam filtering solutions should be implemented and all staff and students should receive training on security awareness. Verizon suggests staff and students should be encouraged or rewarded for reporting phishing and pretexting attacks.

Web-Based Attacks Fall: Ransomware Attacks on Businesses Soar

There was some good news in the latest installment of the Symantec Internet Security Threat Report. Web-based attacks have fallen year on year, but ransomware attacks on businesses have sky rocketed. Sabotage and subversion attacks have also risen sharply in the past 12 months.

The Internet Security Threat Report shows that exploit kit and other web-based attacks fell by 30% in 2016, but over the same period, ransomware attacks on businesses increased by 36%.

Ransomware has proved popular with cybercriminals as attacks are easy to perform and money can be made quickly. If an attacker succeeds in encrypting business data, a ransom must be paid within a few days. In the United States, where the majority of ransomware attacks occur, 64% of businesses pay the ransom.

Web-based attacks on the other hand typically take longer and require considerably more technical skill. Cybercriminals must create and host a malicious site and direct end users to the site. Once malware has been downloaded, the attackers must move laterally within the network and find and exfiltrate sensitive data. The data must then be sold.

Ransomware attacks on businesses are far easier to conduct, especially using ransomware-as-a-service. All that is required is for criminals to pay to rent the ransomware, set their own terms, and distribute the malware via spam email. Many ransomware authors even provide kits with instructions on how to customize the ransomware and conduct campaigns. The appeal of ransomware is clear. It is quick, easy and profitable to conduct attacks.

The Symantec Internet Security Threat Report charts the rise in popularity of ransomware. Symantec detected 101 separate ransomware families in 2016. In 2014 and 2015 the count was just 30. Symantec’s ransomware detections increased from 340,665 in 2015 to 463,841 in 2016. Ransomware as a service has played a major role in the increase in attacks.

Ransom demands have also increased in the past year. In 2015, the average ransom demand was $294 per infected device. In 2016, the average ransomware demand had increased to $1,077.

Fortunately, good data backup policies will ensure businesses do not have to pay to unlock their data. Unfortunately, even if data can be recovered from backups, ransomware attacks on businesses are costly to resolve. Cybersecurity firms need to be hired to conduct analyses of networks to ensure all traces of ransomware (and other malware) have been removed. Those firms must also check to make sure no backdoors have been installed.

Ransomware attacks on businesses typically see computers locked for several days, causing considerable loss of revenue for companies. Customer breach notifications may also need to be issued. Ransomware attacks can cost tens or hundreds of thousands of dollars to resolve, even if no ransom is paid.

Since ransomware is primarily distributed via spam email, businesses need to ensure they have appropriate email defenses in place. An advanced spam filter with an anti-phishing component is essential, along with other endpoint protection systems.

Symantec’s figures show that spam email volume has remained constant year on year, with spam accounting for 53% of email volume in 2016.

In 2016, one in 2,596 emails involved a phishing component, down from one in 965 in 2014. Phishing attacks may be down, but malware attacks increased over the same period.

Malware-infected email attachments and malicious links to malware-infected websites accounted for one in every 131 emails in 2016, up from 1 in 220 in 2015 and 1 in 244 in 2014. In 2016, 357 million new malware variants were detected, up from 275 million in 2014.

The decline in web-based attacks is certainly good news, but it doesn’t mean the threat can be ignored. Last year there were 229,000 web-based attacks tracked by Symantec. While that is a considerable decrease from the previous year, web-based attacks still pose a significant threat to businesses.

Web-based attacks could also increase this year. The Symantec Internet Security Threat Report indicates 9% of websites have critical bugs that could be easily exploited by cybercriminals allowing them to hijack the websites. Worryingly, Symantec reports that 76% of websites contain bugs that could potentially be exploited.

The Symantec Internet Security Threat Report shows data breaches have remained fairly constant over the past two years. In 2014, widely reported to be ‘the year of the data breach’, Symantec recorded 1,523 data breaches. The following year that fell to 1,211 breaches. Last year, there was little change, with 1,209 breaches reported.

The halt in the rise in data breaches suggests organizations are getting better at protecting their networks and data. However, large data breaches are increasing. Last year there were 15 data breaches that involved the theft of more than 10 million records, up from 11 in 2014.

Protecting against data breaches and cyberattacks requires comprehensive, multi-layered security defenses. TitanHQ offers a range of cybersecurity solutions for SMEs to help them improve their security posture and protect against web-based and email-based security threats.

For more information on how you can improve your security posture, contact the TitanHQ team today.

Shoney’s Restaurants Malware Incident Affects 37 Restaurants

A Shoney’s Restaurants malware infection has resulted in the theft of customers’ payment card details. Hackers managed to install malware on the POS system used by dozens of Shoney’s restaurants

Shoney’s is a 70-year-old Nashville, Tennessee-based restaurant chain that operates approximately 150 restaurants across the Southern United States, Midwest and lower Atlantic region. The chain serves customers in 17 states, although only selected restaurants in Alabama, Arkansas, Georgia, Florida, Louisiana, Mississippi, Missouri, South Carolina, Tennessee and Virginia were affected. At least 37 restaurants were affected.

Financial institutions identified a trend in credit card fraud and were able to determine that all of the affected cardholders had visited a Shoney’s Restaurant. Best American Hospitality Corp., which manages and operates a number of Shoney’s establishments, was notified of a potential cyberattack and started an investigation. Kroll Cyber Security LLC was hired to conduct an investigation into the attack.

Kroll’s investigation revealed the malware enabled the attackers to steal cardholder names, credit card numbers, CVV codes, and expiry dates, although in some cases, cardholder names were not obtained. It is unclear how many individuals have been impacted, although any individual who visited one of the affected restaurants and paid by credit card has potentially had their information stolen. The malware was capable of reading data from the magnetic strips of payment cards as the information was routed through its computer system.

Access to the POS system is understood to have first been gained on December 27, 2016, although some restaurants were not infected until January 11. The Shoney’s Restaurants malware infection was contained on March 6, 2017, according to a press release issued by Best American Hospitality Corp.

The Shoney’s Restaurants malware attack is the latest is a slew of POS system breaches that have hit the hospitality sector hard. Earlier this year, the Arby’s restaurant chain was attacked and had credit card data stolen, while Wendy’s suffered a major credit card breach last year. Hotels have also been attacked, with more than 1,100 Intercontinental Hotel Group hotels discovered to have had malware installed that accessed its POS system.

Cyberattacks on the hospitality sector are to be expected. Hotels and restaurants are visited by tens of thousands of customers, and payment by credit card is common. Card details can be stolen and encoded onto magnetic strips on blank cards and used for fraudulent purchases. Each card number can allow criminals to steal hundreds, if not thousands of dollars.

All too often, data breaches occur due to poor security practices such as the failure to use strong passwords or failing to change default passwords. Other basic security failures that can open the door to attackers include failing to use web and email security products, not using two-factor authentication and not implementing security patches promptly.  Businesses should also conduct regular vulnerability scans and penetration tests to ensure all of their systems are secure.

If you would like advice on web and email security protections that can prevent hackers from gaining access to your POS system and installing malware, contact the TitanHQ team today and find out how you can improve your resilience against malware and cyberattacks.

Cerber Becomes the Biggest Ransomware Threat

2017 was the year when Locky Ransomware first arrived on the scene, with the ransomware variant fast becoming the biggest ransomware threat. Locky infections rose rapidly following its release in February and continued to rise in the first half of the year. The ransomware variant was initially installed via exploit kits, although as exploit kit activity fell, the developers switched to spam email as the primary attack vector.

As 2016 progressed, Locky activity declined. While Locky infections continue, it is no longer the biggest ransomware threat. Locky now accounts for just 2% of infections. A new report from Malwarebytes has revealed that the biggest ransomware threat – by some distance – is Cerber ransomware.

Cerber ransomware is now behind 90% of all global ransomware infections, with those attacks performed using many different variants of the ransomware. Cerber has even surpassed TeslaCrypt; a previously highly prevalent ransomware variant that dominated attacks in 2015 and early 2016. At the start of 2017, Cerber’s ‘market share’ stood at 70%, although that increased to 90% by the end of Q3.

The secret of the success of Cerber lies not only in the sophistication of the ransomware, but how it is being used and distributed. Cerber ransomware has become the biggest ransomware threat because it is not only the authors that are using it to attack organizations. There is now an army of affiliates using the ransomware. Those affiliates do not need programming experience and neither much in the way of technical skill. Their role is simple. They are simply distributors who get a cut of the profits for any ransoms they manage to generate.

Ransom payments are likely with Cerber infections. There is no decryptor for the ransomware as no flaws have been discovered. Files locked by Cerber cannot be unlocked without the decryption keys, and only the attackers have access to those. The encryption used is of military-grade, says Malwarebytes. Further, a computer does not even need to be connected to the Internet in order for files to be encrypted. The latest variants also include a host of new defenses to prevent detection and analysis.

The primary attack vector used is email. Cerber is distributed in spam email, with infection occurring when a user opens an infected email attachment. That triggers the downloading of Cerber from the attacker’s Dropbox account.

With the new defenses put in place by its authors and no shortage of affiliates signing up to use the ransomware-as-a-service, Cerber looks set to remain the main ransomware threat throughout Q2. Attacks will continue and likely increase, and new variants will almost certainly be released.

All organizations can do is to improve their defenses against attack. Cybersecurity solutions should be employed to prevent spam emails from being delivered to end users. Staff should be trained how to identify malicious emails and not to open email attachments sent from unknown senders. Organizations should also use security tools to detect endpoint infections.

Since even with advanced security defenses infections are still possible, it is essential that all data are backed up and those backups tested to ensure they will allow encrypted data to be recovered.

Phishing Attacks on Schools Spike – Is Your School Doing Enough to Prevent Attacks?

In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.

Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems.  Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.

Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.

No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.

Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.

Recent Phishing Attacks on Schools, Colleges, and Universities

Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.

Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.

This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.

Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.

Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.

How to Improve Defenses Against Phishing Attacks

Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.

An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.

It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters can be configured to block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.

Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.

IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.

Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.

If you would like further information on the range of cybersecurity protections that can be put in place to prevent phishing attacks on schools and other educational institutions, call TitanHQ today for an informal chat.

HIPAA Compliance and Phishing: Email Attacks Can Result in HIPAA Penalties

A phishing attack on a HIPAA-covered entity has resulted in a $400,000 penalty for non-compliance with HIPAA Rules. This is not the first time a phishing attack has attracted a penalty from OCR for non-compliance.

The failure to prevent phishing attacks does not necessarily warrant a HIPAA penalty, but failing to implement sufficient protections to prevent attacks could land HIPAA-covered entities in hot water.

HIPAA Compliance and Phishing

The U.S. Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing Health Insurance Portability and Accountability Act Rules. While OCR conducts audits of covered entities to identify aspects of HIPAA Rules that are proving problematic for covered entities, to date, no financial penalties have been issued as a result of HIPAA violations discovered during compliance audits. The same is certainly not the case when it comes to investigations of data breaches.

OCR investigates each and every data breach that impacts more than 500 individuals. Those investigations often result in the discovery of violations of HIPAA Rules.  Any HIPAA-covered entity that experiences a phishing attack that results in the exposure of patients’ or health plan members’ protected health information could have historic HIPAA violations uncovered. A single phishing attack that is not thwarted could therefore end up in a considerable fine for non-compliance.

What HIPAA Rules cover phishing? While there is no specific mention of phishing in HIPAA, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative requirements of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate training to staff members. §164.308.(a).(5).(i) requires security awareness training to be provided, and while these are addressable requirements, they cannot be ignored.

These administrative requirements include the issuing of security reminders, protection from malicious software, password management and login monitoring. Employees should also be taught how to identify potential phishing emails and told about the correct response when such an email is received.

The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures, such as encryption, should be employed to protect ePHI. Since ePHI is often available through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.

Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cytberattacks – PhishMe reports 91% of cyberattacks start with a phishing email –  a spam filtering solution can be classed as an essential security control.

The risk from phishing should be highlighted during a risk analysis: A required element of the HIPAA Security Rule. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be addressed as part of a covered entity’s security management process.

HIPAA Penalties for Phishing Attacks

OCR has recently agreed to a settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) based in Denver, Colorado following a phishing attack that occurred in December 2011. The attack allowed the attacker to gain access to the organization’s email accounts after employees responded by providing their credentials. The ePHI of 3,200 individuals was contained in those email accounts.

The fine was not exactly for failing to prevent the attack, but for not doing enough to manage security risks. MCPN had failed to conduct a risk analysis prior to the attack taking place and had not implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR settled with MCPN for $400,000.

In 2015, another covered entity ended up settling with OCR to resolve violations of HIPAA Rules following a phishing attack. University of Washington Medicine paid OCR $750,000 following the exposure of 90,000 individual’s ePHI. In that case, the phishing attack allowed attackers to install malware.  OCR Director at the time, Jocelyn Samuels, pointed out “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” She also said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”

Covered entities are not expected to prevent all phishing attacks, but they must ensure the risk of phishing has been identified and measures put in place to prevent phishing attacks from resulting in the exposure of theft of ePHI. If not, a HIPAA fine may be issued.

Microsoft Patches Actively Exploited Zero-Day Vulnerability in Microsoft Word

Microsoft has finally patched a zero-day vulnerability in Microsoft Word that has been exploited by cybercriminals for months. Recently, the vulnerability has been exploited by the gang behind the Dridex banking Trojan.

The remote code execution vulnerability (CVE-2017-0199) affects the Windows Object Linking and Embedding (OLE) application programming interface. The vulnerability is a logic flaw rather than a programming error, which makes defending against attacks difficult.

The bug affects RTF files. The spam email campaigns use RTF files containing an embedded OLE2Link object, which downloads an HTA (HTML Application) file containing malicious code when the document is opened. No user interaction other than opening the file is required to infect the end user’s device.

There is some debate as to how long the vulnerability has been actively exploited in the wild. Attacks may have been occurring as early as November 2016 according to SophosLabs, although certainly since the start of 2017. Over the past two months, the vulnerability has been extensively exploited to deliver the Dridex banking Trojan.

The zero-day vulnerability in Microsoft Word has been exploited for espionage purposes in Russian speaking countries, while FireEye observed the exploit being used to distribute Latentbot malware. Latentbot is an information stealer with the ability to corrupt hard drives.

Many security companies have been tracking the vulnerability, although it was McAfee that announced the existence of the actively exploited flaw on Friday last week. The flaw exists in virtually all Microsoft Word versions and does not require macros to be enabled in order for malicious code to run.

Employees are advised never to enable macros on documents unless they are 100% certain that a document is legitimate; however, this zero-day exploit does not rely on macros. Simply opening the Word document on an unpatched Office installation is likely to result in infection.

This makes the vulnerability particularly dangerous. Any end user that opens a specially crafted Word document would automatically run the code which would see the Dridex Trojan (or another malware) downloaded. One protection that can prevent the malicious code from running is to enable Protected View mode. However, the code will run when Protected View is turned off.

The malicious emails sent out in at least one campaign have the subject line “scanned data” with the RFT file attachments containing the word ‘scan’ followed by a random string of numbers, according to Proofpoint.

To protect against this exploit, the patches for both Office and Windows that were released by Microsoft on Tuesday April 11, 2017 should be applied. However, in order to apply the security update, Service Pack 2 for Office 2010 must be installed.

If it is not possible to apply the Microsoft updates immediately, you can configure your spam filter to block RTF files or add RTF files to the list of documents to block in the Microsoft Office Trust Center.

Kelihos Botnet Takedown: Spam King Arrested

Yesterday, the U.S. Department of Justice announced that one of the leading email spammers has been arrested as part of an operation to disrupt and dismantle the infamous Kelihos botnet.

The Kelihos botnet is a network of tens of thousands of computers that are used to launch massive spamming campaigns comprising millions of emails. Those spam emails are used for a variety of nefarious purposes including the distribution of ransomware and malware. The botnet has been extensively used to spread fake antivirus software and spread credential-stealing malware.

Computers are added to the Kelihos botnet using malware. Once installed, Kelihos malware runs silently and users are unaware that their computers have been hijacked. The Kelihos botnet can be quickly weaponized and used for a variety of malicious purposes. The botnet has previously been used for spamming campaigns that artificially inflate stock prices, promote counterfeit drugs and recruit people to fraudulent work-at-home schemes.

Pyotr Levashov is believed to operate the botnet in addition to conducting a wide range of cybercriminal activities out of Russia. In what turned out to be an unwise move, Levashov left the relative safety of his home country and travelled to Barcelona, Spain on holiday. Levashov was arrested on Sunday, April 9 by Spanish authorities acting on a U.S. issued international arrest warrant.

Levashov is suspected of playing a role in the alleged Russian interference in the U.S. presidential election in 2016, although Levashov is best known for his spamming activities, click fraud and DDoS attacks.

Levashov, or Peter Severa as he is otherwise known, is heavily involved in distributing virus spamming software and is believed to have written numerous viruses and Trojans. Spamhaus lists Levashov in seventh place on the list of the 10 worst spammers.

Levashov is believed to have run multiple operations that connected virus developers with spamming networks, and is suspected of running the Kelihos botnet, the Waledac botnet – which was taken down in 2010 – and the Storm botnet.  Levashov was indicted for his role in the latter in 2009, although he managed to avoid extradition to the United States. At the time, Storm was the biggest spamming botnet in operation and was used to send millions of emails every day. Levashov also moderates many spamming forums and is well known in underground circles. Levashov is believed to have been extensively involved in spamming and other cybercriminal activities for the past 20 years; although to date he has avoided prosecution.

A statement released by the U.S. Department of Justice reads, “The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks.”

The DOJ operation also involved the takedown of domains associated with the Kelihos botnet starting on April 8, 2017. The DOJ says shutting down those domains was “an extraordinary task.”

While it is certainly good news that such a high profile and prolific spammer has been arrested and the Kelihos botnet has been severely disrupted, other spammers are likely to soon take Levashov’s place. Vitali Kremez, director of research at Flashpoint said his firm had seen chatter on underground forums indicating other major spammers are responding to the news of the arrest by taking acting to secure their own operations. There may be a blip in email spam volume, but that blip is only likely to be temporary.

Denver Public Schools Phishing Scam Sees Employees Wages Stolen

The importance of anti-phishing training for staff members has been highlighted this week following a major incident in Denver. A targeted Denver Public Schools phishing scam saw at least 30 members of staff divulge their usernames and passwords to scammers.

The Denver Public Schools phishing scam enabled attackers to gain access to accounts, which allowed information to be gained to access to the school district’s payroll system. The attackers changed the routing numbers for payments to employees and directed the payments to their own accounts. More than $40,000 that had been set aside to pay staff wages was stolen.

Staff members have now been paid and efforts are continuing to recover the stolen funds. At least 14 direct deposits were made and have not been recovered. The school district is hoping that the payments will be covered by an insurance policy. The incident has been reported to the Colorado Bureau of Investigation and the incident is being investigated to try to identify the individuals behind the scam.

The Denver Public Schools phishing scam was highly convincing; however, questions will be asked about how so many employees fell for the scam and disclosed their login credentials. The school district has confirmed that efforts were made to educate its employees on the risk of phishing prior to the attack taking place.

Denver Public Schools employs 13,991 members of staff. The response percentage was therefore very low, but it can only take one individual to respond to such a scam for serious financial harm to be caused.

A Bad Year for Phishing Attacks on Schools

Phishing attacks on schools are commonplace, but this year has seen attacks soar. For instance, in 2017, there have been 141 reported W-2 phishing scams, 33 of which affected schools, colleges and universities.

While phishing scams used to be fairly easy to detect, now they are becoming much more sophisticated. It is now not easy to tell a phishing email from a real email request. The attackers use spoofing techniques to make the emails appear as if they have been sent from within the organization. Genuine email accounts may even be compromised and used for phishing attacks. Last month, the Digital Citizens Alliance reported finding millions of .edu email addresses listed for sale on the dark web. Those email addresses are often used for phishing scams as they are trusted.

Phishing emails are often free from the spelling and grammatical errors that were commonly seen in spam emails in years gone by. The emails often contain lifted branding, images and formatting, which makes them highly convincing. The requests for information may also seem reasonable.

How to Prevent Phishing Attacks

Providing anti-phishing training for staff is now an essential cybersecurity defense; however, it is also important to ensure that training has had the desired effect and has been taken onboard. Schools should therefore conduct dummy phishing exercises to identify the effectiveness of their training programs. Research has shown that with practice, employees get much better at identifying phishing scams.

Technological solutions should also be implemented to prevent spam emails from reaching end users’ inboxes. Advanced anti-spam solutions such as SpamTitan do not rely on blacklists to identify emails as spam. Blacklists are used along with a host of front end controls and emails are subjected to Bayesian analyses to identify common spam signatures. Rules can be set to reduce the risk of email spoofing.

If you are interested in finding out more about the range of technological solutions that can be employed to reduce the risk of phishing attacks, contact the TitanHQ team today.

IBM Reports 6,000% Increase in Tax-Related Email Spam This Tax Season

A recent report from IBM X-Force has highlighted the massive growth in tax-related email spam this year. Between December 2016 and February 2017, tax-related email spam increased by an incredible 6,000%.

A rise in tax-related email spam is to be expected during tax season. It is the time of year when tax returns are submitted and criminals can make substantial profits. If tax information is stolen and a fraudulent tax return is submitted prior to the individual submitting their own return, thousands of dollars in refunds can be obtained. With such high returns from each set of tax information, it is no surprise that tax-related scams are so prevalent.

This year, has seen many different scams detected, although one of the most successful is the W-2 phishing scam. The scam involves a tax fraudster impersonating the CEO, CFO or another executive, and emailing a request for W-2 Forms to members of the payroll department.

As we have seen on numerous occasions this year, the emailed lists can contain thousands of employees’ sensitive information. Usually, every employee that has taxable earnings for the previous fiscal year. To date, there have been 141 reports of successful scams. The largest breach was reported by American Senior Communities. The tax information of more than 17,000 members of staff were emailed to scammers.

The IRS said it was one of the most dangerous email phishing scams seen in recent years. It’s too early to tell how much in fraudulent refunds have been paid out by the IRS, although last year the total was around $5.8 billion. This year that total is expected to rise.

W-2 form phishing scams may be the most common type of tax-related email scams seen this year, but there are many. Most are delivered by email, although website phishing attacks have also been highly prevalent.

Cybercriminals have been impersonating tax software companies and have been sending out fake marketing emails encouraging consumers to visit spoofed websites. They are then relieved of their personal information. Information gathered via the online forms enable fraudsters to steal identities and file fraudulent tax returns in the victims’ names.

Tax season is also a time when malware infections spike. Tax-related email spam is sent with malicious email attachments. Opening those attachments results in malware or ransomware being downloaded to the victims’ computers.

Cybercriminals use a wide variety of techniques to steal credentials. Social engineering techniques are used to fool email recipients into believing requests for information are genuine. Attackers use typosquating and URL hijacking to make their malicious websites appear legitimate. The phishing templates used by some cybercriminals are so convincing it is almost impossible to distinguish them from genuine emails. The correct branding is used, links are masked, and support is even offered for uploading tax-related documentation. In many cases, the emails contain the IRS logo and victims are fooled into supplying their credentials. The scams are often successful, even though the IRS does not initiate contact with taxpayers via email.

To protect against attacks and fraud, consumers can set an IRS IP PIN on their accounts. That pin number must be used to file a tax return. Provided the PIN is not disclosed, individuals will be protected from fraudulent tax filings.

Many Americans leave filing their tax returns to the last minute; however, this year the scammers started sending tax-related email spam early. The late filing of tax returns gives cybercriminals plenty of time to submit fake returns. Tax returns should be filed as soon as a W-2 Form is received to reduce the risk of becoming a victim of fraud.

Businesses can protect themselves against W-2 phishing scams by implementing an advanced spam filtering solution to block spam emails. However, staff should also receive anti-phishing training and policies should be implemented that require any request for W-2 Forms to be verified with the sender of the email by telephone.

Businesses are still being targeted by scammers so they should be on their guard. They should also ensure that they are prepared well in advance for the tsunami of tax-related email spam that will start to arrive from December 2017.

Warning for Tax Professionals About New IRS e-Services Phishing Scam

The Inland Revenue Service has issued a new warning to tax professionals about a new IRS e-Services phishing scam.

With the tax return deadline fast approaching it is the last chance for the fraudsters to steal identities and file fraudulent tax returns. The past few days has seen a surge in phishing attacks on tax professionals.

The purpose of the IRS e-Services phishing scam is to obtain tax professionals’ e-Services usernames and passwords. The emails use a variety of subject lines that have been crafted to attract attention and ensure the emails are opened.

The emails claim to have been sent by the IRS about issues with the user’s e-Services account. The emails warn that the user’s e-Services account has been closed, suspended or blocked. In order to reactivate the account or prevent its closure, the email recipient is required to login to their account.

A link is supplied in the email that enables the recipient to take the required action. Clicking on the link will direct the user to a login page that closely resembles the IRS e-Services portal. Entering in a username and password into the login page will see the details captured by the attackers.

In response to the high volume of phishing attacks on tax professionals, the IRS has been improving account security in recent weeks. The IRS has been asking tax professionals to revalidate their accounts to prevent delays when accessing their e-Services accounts. The attackers appear to be taking advantage and piggybacking on those recent communications.

The IRS warns all tax professionals that if for any reason their e-Services account has been closed, they should contact the e-Services Help Desk to reactivate their account, but never to click on any links contained in emails. While links to malicious websites are used for this scam, users should also be wary about any attachments sent in e-Services emails.

This tax season has seen a major increase in tax-related email scams, most notably a massive rise in W-2 Form phishing scams. At least 140 successful W-2 Form phishing attacks have already been announced, although with two weeks left of tax season that figure is certain to rise. K12 schools, colleges and other higher education institutions have been extensively targeted this year, as has the healthcare industry. Some of the phishing scams have resulted in thousands of employees’ tax details being obtained by fraudsters.

The last few days before the April 18 deadline for submitting tax returns is likely to see many more phishing attacks performed. All businesses should therefore be on their guard and should exercise extreme caution.

It’s World Backup Day – A Time to Review Your Backup Strategies

Today is World Backup Day: An annual event that started in 2010 to raise awareness of the importance of backing up data.

Backups are used to recover data in the event of disaster; however, having a backup of data does not necessarily mean data can be recovered. Restoring files from backups is not always effective. Backups can be corrupted and the restoration of files can fail.

While World Backup Day raises awareness of the importance of backing up data, we would like to emphasize the importance of testing backups and reviewing backup strategies to ensure they are effective. Don’t wait until disaster strikes to ensure your strategies are effective and files can be recovered. By then it will be too late.

How Common is Data Loss?

Recent research conducted by Kroll OnTrack has revealed an alarming number of companies have experienced data loss, even when backups of data were performed. Kroll polled 1,000 companies in the United States, Europe, and Australia and discovered that a third of companies had experienced a data loss incident.

Out of those companies, 35% did not have a current backup and experienced data loss as a direct result. Two thirds (67%) of organizations were able to recover the majority of their data from backup files, while 13% said they could recover up to three quarters of their data. Corrupted backup files were cited as the reason for data loss by 12% of companies, but a quarter of companies that lost data said their backup system did not work as it should.

A quarter of companies that backed up their data said they did not test those backups to make sure files could be recovered. A quarter said they tested backups once a week to ensure data were recoverable, and 30% tested their backups on a monthly basis.

Backups are an organization’s insurance against data loss. Just as an insurance policy should not be taken out until the fine print has been read, backups should not be trusted until they have been tested.

The World Backup Day pledge is “I solemnly swear to backup my important documents and precious memories on March 31st.” However, to that we add, “I also swear to test my backups to make sure my important documents can be recovered.”

Ransomware – A Major Data Loss Risk for All Businesses

The past 12 months have clearly highlighted the importance of backing up data. Ransomware attacks soared in 2016. Ransomware is a form of malware that locks files with powerful encryption. A ransom demand is then issued to supply the key to unlock the data. Without access to that key, data will remain locked forever if a backup of data does not exisit.

The only way to unlock files is to pay a sizable ransom payment. That payment could be tens of thousands of dollars. In February, last year, Hollywood Presbyterian Medical Center was forced to pay a ransom of $17,000 to obtain the key to unlock ransomware-encrypted data after it was discovered files could not be recovered from backups.

Ransomware has fast become one of the biggest cybersecurity threats. Research conducted by Kaspersky Lab revealed the number of ransomware variants increased 11-fold between Q1 and Q3, 2016, by which time 32,091 different ransomware variants had been detected. By Q3 2016, a business was being attacked with ransomware every 40 seconds and 42% of small to medium sized businesses had been attacked with ransomware. 32% of businesses were forced to pay the ransom in order to recover their data.

While ransomware attacks have soared, the malicious software is only the third main cause of data loss. Hardware failure poses the biggest risk followed by the loss or theft of devices. Software errors and data loss due to system upgrades round off the top five list.

A Good Data Backup Strategy

Backup systems can be used to continuously backup data, but at the very least a daily backup should be made. Those backups should be tested at least once a week to ensure data can be successfully recovered.

To prevent data loss and maximize the probability of data recovery, organizations should use the 3-2-1 approach. Each organization should ensure they have three copies of data. The original and two backups. Those backups should be stored on two different media and one of those copies should be stored off site. The easiest option to satisfy those requirements is to have a physical copy on a storage device and a backup in the cloud. Since ransomware can encrypt data on network drives and connected storage devices, a local drive should be disconnected after the backup has been made.

Take out some time this World Backup Day to test your backups and review your backup strategies and ensure that you will be able to recover your data if disaster strikes.

2017 IBM X-Force Threat Intelligence Index Provides Insight into Cyberattack Trends

The 2017 IBM X-Force Threat Intelligence Index has been released this week. The report provides an insight into the main cybersecurity threats faced by all industries and major cyberattack trends, data breaches and security incidents experienced by U.S. organizations in 2016.

Last year’s IBM X-Force Threat Intelligence Index showed healthcare was the industry most heavily targeted by cybercriminals. However, the 2017 IBM X-Force Threat Intelligence Index shows cybercriminals changed their focus in 2016. Last year, the financial services was hit the hardest. The healthcare dropped down to fifth place.

The healthcare industry did not suffer mega data breaches of the same scale as 2015 – which saw a 78.8 million-record cyberattack on Anthem Inc., and 10 million record+ data breaches at Premera Blue Cross and Excellus BlueCross BlueShield. However, there were security breaches aplenty. 2016 was the worst ever year for healthcare industry breaches, with more incidents reported than any other year in history.

Those breaches resulted in far fewer records being exposed or stolen. The 2017 IBM X-Force Threat Intelligence Index indicates there was an 88% drop in exposed or stolen healthcare records in 2016 compared to the previous year. Around 12 million healthcare records were exposed or stolen in 2016.

The 2017 IBM X-Force Threat Intelligence Index also shows that there was a shift in the nature of attacks, with cybercriminals targeting unstructured data rather than structured data. Data breaches involving email archives, intellectual property, and business documents all rose in 2016.

The healthcare industry may not have seen so many records exposed, but that was certainly not the case across all industry sectors. 2016 was a very bad year for cyberattacks. In 2015, around 600 million records were exposed or stolen. In 2016 the total jumped to an incredible 4 million records, helped in no small part by the 1.5 billion record breach at Yahoo and the discovery of massive data breaches at LinkedIn, MySpace, and Dropbox. It is therefore no surprise that IBM called 2016 The Year of the Mega Data Breach.

Top of the list of attacked industries in 2016 was financial services. Both the financial services and healthcare sectors saw a fall in attacks by outsiders, but attacks by malicious insiders and inadvertent actors increased in both industry sectors.

In the financial services, 5% of attacks involved malicious insiders and 53% involved inadvertent actors. In healthcare, 25% of attacks involved malicious insiders and 46% involved inadvertent actors. The financial services saw 42% of attacks conducted by outsiders. Healthcare cyberattacks by outsiders accounted for 29% of the annual total.

According to the 2017 IBM X-Force Threat Intelligence Index, the second most targeted industry was information and communications, followed by manufacturing and retail. All three industries saw increases in attacks by outsiders, which accounted for the vast majority of attacks. 96% of attacks on information and communications were by outsiders, with 91% apiece for manufacturing and retail.

The financial services sector saw a substantial rise in SQLi and OS CMDi attacks in 2016 – The most common attack method for the industry. The main attack method on the information and communications sector involved exploitation of vulnerabilities allowing attackers to trigger buffer overflow conditions. The main attack method on the manufacturing, retail and healthcare industries was also SQLi and OS CMDi attacks, which accounted for 71% of manufacturing industry cyberattacks, 50% of retail cyberattacks, and 48% of healthcare cyberattacks.

The 2017 IBM X-Force Threat Intelligence Index indicates cybercriminals favored older attack methods in 2016 such as ransomware, malware toolkits, and command injection to gain access to valuable data and resources.

Ransomware was big news in 2016. Many cybercriminals turned to ransomware as a quick and easy source of income. Figures from the FBI indicate $209 million in ransom payments were made in the first three months of 2016 alone.

Malware was also extensively used in attacks, with Android malware and banking Trojans big in 2016. Not all attacks targeted organizations for their data. DDoS attacks increased, both in frequency and severity. While attacks of 300+ Mbps were unusual in 2015, they became the norm in 2016. One attack in excess of 1 Tbps was reported.

While 2015 saw exploit kits extensively used to infect endpoints with malware, in 2016 spam email was favored. Spam was a primary attack tool of cybercriminals, especially in the second half of the year. While the first half of the year saw spam email volume remain steady, the 2017 IBM X-Force Threat Intelligence Index indicates there was a significant increase in spam volume in the second half of the year and a massive rise in the number of malicious email attachments.

The 2017 IBM X-Force Threat Intelligence Index shows the vast majority of malicious attachments were ransomware or ransomware downloaders, which accounted for 85% of malicious email attachments.

The increase in the use of spam email as an attack vector shows how important it is for organizations to improve their defenses against email attacks. An advanced spam filter is essential as is training of employees on security best practices and phishing attack prevention.

Rise in Theft of University Email Credentials Explored in New Report

The Digital Citizens Alliance (DCA) has published new research showing there has been a massive rise in the theft of university email credentials and a massive rise in the sale of email credentials on darknet marketplaces.

This year’s study revealed the theft of university email credentials has grown significantly in the past 12 months. The report shows 13,930,176 stolen email credentials have been discovered to have been listed for sale. This time last year when the darknet was last scraped for stolen credentials there were around 2.8 million stolen credentials listed for sale. The year before that the figure stood at 2.2 million.

While the 13.9 million figure includes email credentials that were stolen over the past 8 years, 76% of those stolen credentials were discovered in the past 12 months.

When the researchers combined all types of credentials from multiple sectors they discovered there had been a 547% increase in credentials finding their way onto darknet marketplaces over the past three years.

The fivefold increase in the theft of university email credentials in a single year is a massive spike, which has been attributed to major data breaches at third party websites rather than cyberattacks on universities. The researchers say the massive 1-billion record data breach at Yahoo, the huge breach at LinkedIn and other large-scale cyberattacks on Dropbox, Weebly, MySpace and others are to blame.

The email credentials of university staff and students are being sold on underground marketplaces for between $3.50 to $10 each. While many actors had listed the email credentials for sale, some individuals were trading credentials and others were offering the stolen credentials for free.

The study only looked at theft of university email credentials at the top 300 higher education institutions. Smaller universities were excluded from the study. The stolen credentials were sorted into different higher education institutions to determine which were the worst affected. The universities with the highest numbers of stolen credentials were found to be:

  • University of Michigan – 122,556
  • Pennsylvania State University – 119,350
  • University of Minnesota – 117,604
  • Michigan State – 115,973
  • Ohio State – 114,032
  • University of Illinois (Urbana-Champaign) – 99,375
  • New York University – 91,372
  • University of Florida – 87,310
  • Virginia Polytechnic Institute and State University – 82,359
  • Harvard University – 80,100

The researchers were unable to determine why mid-west universities were the worst affected, although they hypothesized that it may be simply due to the size of the universities and the number of students, staff members, and alumni for those universities.

The researchers also looked at the size of the university and compared this to the number of stolen email credentials to gain a better understanding of demand for email addresses from specific universities and to ‘level the playing field’. Some universities appeared in the top ten of both lists, while smaller but more prestigious universities shot up the rankings. When ordered by the ratio of stolen email accounts to the total number of enrolled students and staff the top ten list changed to:

  • Massachusetts Institute of Technology
  • Carnegie-Mellon University
  • Cornell University
  • Baylor University
  • Virginia Polytechnic Institute and State University
  • Pennsylvania State University
  • University of Michigan
  • Kent State University
  • Bowling Green State University

It is easy to see why the theft of university email credentials is such a problem. Edu email addresses are valuable to cybercriminals. They can be used in spear phishing and phishing campaigns but they also allow the users to obtain student discounts with retailers or when purchasing items such as software. Microsoft for instance offers a discount for students purchasing its Office products. The discounts can be considerable.

University email addresses are also highly valuable due to the data contained in those accounts. Information in the accounts can be mined and a huge amount of information can be gathered, from medical records to ID numbers and passwords to the weekends when students are likely to be away.

While email addresses and passwords were discovered, the researchers were unable to tell if the passwords were real and current and could be used to gain access to the accounts. The researchers also found that some of the email addresses appeared to have been spoofed or were incorrect accounts. While these posed less of a threat, the credentials were still of value to cybercriminals.

Phishing attacks do not need correct email addresses to be successfully used. Providing the correct format for emails is used, the email addresses can add credibility to phishing campaigns.

Adam Benson, Executive Director of the DCA said “Higher Education Institutions have deployed resources and talent to make university communities safer, but highly-skilled and opportunistic cyber criminals make it a challenge to protect large groups of highly-desirable digital targets.”

“We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with an .edu account.” Said Benton.

While large scale third party data breaches were partly to blame, cyberattacks on universities still occur. To prevent theft of university email credentials the researchers suggest cybersecurity programs need to be conducted and awareness needs to be raised on the importance of using strong passwords.

Training should be provided to make sure staff and students are aware of the techniques used by criminals such as phishing. They should also be warned of the risk of clicking on links sent in emails. The researchers suggest tests should be conducted to see who clicks on malicious links. Conducting those tests is not a witch hunt, rather, it can give universities a better idea about how easy staff and students are being duped. Universities should also consider the use of multi-factor authentication to make accounts more secure.

Exploit Kit Activity has Declined, but Spamming Activity Has Increased

Figures from Trustwave show there has been a steady decline in exploit kit activity over the past year. Exploit kits were once one of the biggest cybersecurity threats. In late 2015 and early 2016 exploit kits were being extensively used to spread ransomware and malware. Now exploit kit activity has virtually dropped to nothing.

Exploit kits are toolkits that are loaded onto malicious or hijacked websites that probe for vulnerabilities in browsers and plugins such as Adobe Flash Player and Java. When a new zero-day vulnerability was discovered, it would rapidly be added to exploit kits and used to silently download ransomware and malware onto web visitors’ computers. Any individuals that had failed to keep their browsers and plugins up to date would be at risk of being infected. All that would be required was make them – or fool them- into visiting a malicious website.

Links were sent via spam email, malvertising was used to redirect web visitors and websites were hacked and hijacked.  However, the effort required to develop exploits for vulnerabilities and host exploit kits was considerable. The potential rewards made the effort more than worthwhile.

Exploit kits such as Angler, Magnitude and Neutrino no longer pose such a big threat. The actors behind the Angler exploit kit, which was used to spread Locky ransomware in early 2016, were arrested. Law enforcement agencies across the world have also targeted gangs running these exploit kits. Today, exploit kit activity has not stopped entirely, but it is nowhere near the level seen in the first half of 2016.

While this is certainly good news, it does not mean that the threat level has reduced. Ransomware and malware are still major threats, all that has happened is cybercriminals have changed tactics for distributing the malicious programs. Exploit kits are not dead and buried. There has just been a lull in activity. New exploit kits are undoubtedly being developed. For the time being, exploit kit activity remains at a low level.

Now, the biggest threat comes from malicious spam email messages. Locky and other ransomware variants are now almost exclusively spread via spam email messages. Cybercriminals are also developing more sophisticated methods to bypass security controls, trick end users into opening infected email attachments, and improve infection rates.

Much greater effort is now being put into developing convincing phishing and spear phishing emails, while spam emails are combined with a wide range of social engineering tricks to get end users to open infected email attachments. End users are more knowledgeable and know not to click on suspicious email attachments such as executable files; however, malicious Word documents are another matter. Office documents are now extensively used to fool end users into installing malware.

With cybercriminals now favoring spam and phishing emails to spread malware and ransomware, businesses need to ensure their spam defenses are up to scratch. Employees should continue to be trained on cybersecurity, the latest email threats should be communicated to staff and advanced spam filters should be deployed to prevent messages from being delivered to end users.