A new Adidas phishing scam has been detected that offers free shoes and money. The messages claim that Adidas is celebrating its 69th anniversary and is giving 2,500 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription.
The scam is targeting users on mobile devices in specific locations. If the user clicks the link in the message and is determined not to be using a mobile device, they will be directed to a webpage that displays a 404 error. The scam will also only run if the user is in the United States, Pakistan, India, Norway, Sweden, Nigeria, Kenya, Macau, Belgium or the Netherlands.
Provided the user is on a mobile device and located in one of the targeted countries, a series of four questions will be asked. The responses to the questions are irrelevant as all users will be offered a “free” pair of sneakers after answering the four questions.
In order to be able to claim the prize, users must share the offer with their contacts on WhatsApp. Regardless of whether the user does this, they will be directed to another webpage where they are asked further questions and are finally offered a “free” pair of sneakers worth $199.
There is another catch. In order to claim their free sneakers, the user must pay $1. The user is advised that they will also be charged $49.99 a month for the subscription at the end of the month if they do not cancel. The user is told they can cancel at any point.
On the payment screen the user is told that the payment will be processed by organizejobs.net. Proceeding with the payment will see the user charged $1, followed by the subscription cost of $49.99 in 7 days.
The campaign is being run on WhatsApp, although similar scams have been conducted via email and SMS messages. Several variations along the same theme have also been identified using different shoe manufacturers.
The link supplied in the WhatsApp message appears to be genuine, using the official domain for the country in which the user is located. While the domain looks correct, this is an example of a homoglyph attack. Instead of the domain adidas.de, the i is replaced with a vertical line – a homoglyph attack.
These types of scams are commonplace. Homoglyph scams take advantage of the ability to use non-ASCII characters in domain names. Similar scams use a technique called typosquatting – where domains closely matching real brand names are registered: Incorrect spellings for instance, such as “Addidas” instead of Adidas, or with an i replaced with a 1 or an L.
In this case, the attackers appear to be earning a commission for getting users to sign up, although disclosing debit and credit card details could easily see the information used to run up huge bills or drain bank accounts.
There are various warning signs indicating this is an Adidas phishing scam. Close scrutiny of the domain will reveal it is incorrect. The need to share the message to contacts is atypical, being notified of a charge after being told the shoes are free, the failure to ask the user to choose a pair of shoes or even select their size, and an odd domain name is used to process payment. However, even with these tell-tale signs that the offer is not genuine, this adidas phishing scam is likely to fool many people.
Be warned. If you receive any unsolicited WhatsApp message offering you free goods, assume it is a scam.
A new type of ransomware attack could be on the horizon. The attack method, termed ransomcloud, was developed by a white hat hacker to demonstrate just how easy it is to launch an attack that results in cloud-based emails being encrypted.
A successful attack will see the attacker gain full control of a cloud-based email account, allowing them to deploy a ransomware payload that encrypts all emails in the account. This method could also be used to gain full control of the account to use for spamming and other malicious purposes.
The attack works on all cloud-based email accounts that allow third party applications account access via OAuth, which includes Gmail and Office 365 accounts.
The ransomcloud attack starts with a phishing email. In this example, the message appears to have been sent by Microsoft offering the user the opportunity to sign up and use a new email spam filtering service called AntiSpamPro. The email includes the Microsoft logo and appears to be a new Microsoft service that provides the user with better spam protection.
In order to take advantage of this service, the user is required to click a hyperlink in the email to give authorization for the new service to be installed. Clicking the link will result in a popup window appearing that requires the user to authorize the app to access their email account.
Such a request is perfectly reasonable, as an app that offers protection against spam would naturally require access to the email account. Emails would need to be read in order for the app to determine whether the messages are genuine or spam. Clicking on ‘accept’ would give the attacker full control of the email account via an OAuth token. If access is granted, the user loses control of their email account.
In this example, ransomware is installed which encrypts the body text of all emails in the account. An email then appears in the inbox containing the ransom note. The user is required to pay a ransom to regain access to their emails.
Additionally, the attacker could claim the email account as their own and lock the user out, send phishing emails to all the user’s contacts, access sensitive information in emails, use email information to learn about the individual to use in future attacks such as spear phishing campaigns to gain access to their computer.
The ransomcloud attack method is astonishingly simple to pull off and could be adopted by cybercriminals as a new way of extorting money and gaining access to sensitive information.
TitanHQ, the award-winning provider of email and web security solutions to SMBs, has partnered with the networking giant Datto. The partnership has seen TitanHQ integrate its cutting-edge cloud-based web filtering solutions – WebTitan Cloud and WebTitan Cloud for Wi-Fi – into the Datto networking range.
Datto was formed in 2007 and fast became the leading provider of MSP-delivered IT solutions to SMBs. The company selects the best products and tools for its MSP partners to allow them to meet the needs of their clients and improve their bottom lines.
The company’s solutions include data backup and disaster recovery solutions, cloud-to-cloud data protection services, managed networking services, professional services automation, remote monitoring and management tools, and a wide range of security solutions.
Now that TitanHQ’s DNS-based web filtering solutions have been included, MSPs can offer their clients even greater protection from malware and phishing threats.
WebTitan Cloud and WebTitan Cloud for WiFi use a combination of AI-based services and human-supervised machine learning to block Internet-based threats. The solutions provide real-time protection against malicious URLs and phishing sites by preventing end users from visiting malicious webpages. The solutions also allow companies to carefully control the Internet content that can be accessed through their wired and wireless networks.
The MSP-friendly solutions can be rapidly deployed by MSPs, without the need for site visits, software installations or additional hardware purchases. The multi-tenant solutions allow all client deployments to be managed through a single, intuitive administration console and can be configured in minutes.
MSPs are also offered multiple hosting solutions, including hosting WebTitan in their own environment, and the solutions can be provided in full white-label format.
“We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers,” said TitanHQ CEO, Ronan Kavanagh.
“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”
TitanHQ is a sponsor of the upcoming DattoCon 2018 conference – The largest MSP event in the United States. The full TitanHQ team will be in attendance and Datto’s MSP partners can come and meet the team and see WebTitan in action.
In addition to showcasing WebTitan Cloud, MSPs will also be able to find out more about SpamTitan – TitanHQ’s 100% cloud-based spam filtering solution, and ArcTitan – Its MSP-friendly email archiving solution.
DattoCon 2018 runs from June 18-20 in Austin, Texas at the Fairmont Austin Hotel. The TitanHQ team will be at booth #66 in the exhibition hall for all three days of the conference.
A recent study of commonly used passwords by Dashlane/Virginia Tech has revealed some of the worst passwords of 2018.
For the study, Virginia Tech researchers provided Dashlane with an anonymized copy of 61.5 million passwords. The password list was created from 107 individual lists of passwords available on forums and in data archives, many of which have come from past data breaches.
The analysis of the list revealed many common themes. These include the names of favorite sports teams: In the UK, common password choices were liverpool, chelsea and arsenal – the leading soccer teams in the premier league.
Popular brand names were also chosen, such as cocacola, snickers, mercedes, skittles, mustang, and playboy. MySpace and LinkedIn were also common choices, alarmingly, to secure accounts on those sites.
Bands and movie references were often used, with Spiderman, superman, starwars, and pokemon all common choices as were expressions of frustration – a**hole, bull****, and f***you were often chosen.
The Dashlane report shows that despite warnings about the risk of using easy-to-remember passwords, end users are still choosing weak passwords. One particularly worrying trend is the use of seemingly secure passwords, which are anything but secure.
1q2w3e4r5t6y and 1qaz2wsx3edc may appear to be relatively secure passwords; however, how they are created makes them easy to guess. They are certainly better than “password” or letmein” but not by much.
The passwords are created by a process that Dashlane calls password walking – the use of letters, numbers, and symbols next to each other on a keyboard. Simpler variations on this theme are qwerty and asdfghjk. To get around password rules, the same technique is used with the incorporation of capital letters and symbols.
The study shows that even though many companies require end users to set strong passwords, employees ignore password advice or choose passwords that pass security checks but are really not that secure.
What Makes a Good Password?
A good password will not be in the dictionary, will not use sequential numbers or be created by walking fingers along a keyboard. Brand names and locations should also be avoided. Passwords should be a minimum of 8 characters and should be unique – never used before by the user, and never reused on a different platform.
Passwords should include at least one capital letter, lowercase letter, symbol and number. If all lowercase letters are used, each letter in the password could be one of 26 letters. Add in capitals and the possible options double to 52. There are 10 digits, increasing the options to 62, and let’s say 32 special characters, bringing the total up to 94 options. With so many options and possible combinations, randomly generated passwords are particularly difficult to guess. However, randomly generated passwords are also particularly difficult to remember.
Recently, that problem has been recognized by the National Institute of Standards and Technology (NIST), which has revised its advice on passwords (See special publication 800-63B).
While the use of random strings of characters and symbols makes passwords particularly difficult to guess and more resilient to hackers’ brute force password guessing tactics, end users have trouble remembering their passwords and that leads to particularly risky behaviors such as writing the password down or storing it in a browser.
NIST now suggests the use of longer passphrases rather than passwords – Iboughtacarwithmyfirstpaypacket or ifihadahorseIwouldcallitDave– for example. Passphrases are more user-friendly and easier to remember, but are still secure – provided a sufficient number of characters are used.
The minimum number of characters can be set by each organization, but rather than restricting the characters at 16, companies should consider expanding this to at least 64. They should also accept all printable ASCII characters, including spaces, and UNICODE characters.
Since some end users will attempt to set weak passwords, it is important to incorporate controls that prevent commonly used passwords from being chosen. Each password choice should be checked against a blacklist before it can be set.
A new spam campaign has been identified that uses Excel Web Query files to deliver malware. In this case, the .iqy files are used to launch PowerShell scripts that give the attackers root access to a device. .iqy files are not usually blocked by spam filters, making the technique effective at silently delivering malware.
The spam emails are being delivered via the Necurs botnet. Three spam campaigns have been detected by Barkly that use these attachments, although further campaigns are almost certain to be launched.
Excel Web Query files obtain data from an external source and load it to Excel. In this case, the external data is a formula which is executed in Excel. The formula is used to run PowerShell scripts which, in at least one campaign, downloads a Remote Access Trojan (RAT) called FlawedAmmyy Admin – a tweaked legitimate remote administration tool that gives the attacker full control of a computer, allowing any number of malicious programs to be installed.
The emails masquerade as purchase orders, unpaid invoices, and scanned documents – Common themes used in spam emails to deliver malware. These spam email campaigns often use Word documents with malicious macros. Macros are usually disabled by default. Through security awareness training, end users have been conditioned not to enable macros on documents from unknown senders, thus preventing malware downloads.
Since most end users will not be used to receiving .iqy files, these attachments should arouse suspicion. Microsoft has also built in warnings to prevent these files from being run by end users. If an end user attempts to open one of these files it will trigger a warning alerting the user that the file may not be safe as it enables an external connection. The end user would be required to click enable before the connection is made and data is pulled into Excel. A second warning would then be displayed, again requiring authorization. Only if both warnings are ignored will the script be allowed to run that downloads the malicious payload.
There are two steps you can take to protect your endpoints and networks from these types of attacks. The first is to configure your email spam filter to quarantine any emails containing .iqy attachments. SpamTitan allows certain attachment types to be blocked such as executable files and iqy files. You can set the policy to quarantine, reject, or delete the emails. Since these types of files are not usually sent via email, rejecting the messages or deleting them is the safest option.
You should also cover the use of these files in your security awareness training sessions and should consider sending an email alert to end users warning them about the threat.
Further information on steps you can take to prevent malware infections spread via email can be found in our anti-spam tips page. You can find out more about the capabilities of SpamTitan by calling the sales team:
- USA: +1 5859735070
- UK/EU: +44 (0)2476993640
- Ireland: +353 91 545555
- Mid East: +971 4 3886998
World Cup 2018 phishing scams can be expected over the coming weeks. There has already been a spike in World Cup related phishing emails and many malicious World Cup-themed domains have been registered.
World Cup 2018 Phishing Scams Detected!
The World Cup may be two weeks away, but interest in the soccer extravaganza is already reaching fever pitch. The World Cup is watched by billions of people around the world, and there are expected to be around 5 million soccer fans expected to travel to Russia to see the matches live between June 14 to July 15. With such interest in the sporting event it should be no surprise that cybercriminals are poised to take advantage.
Kaspersky Lab has already detected several World Cup 2018 phishing scams, with many of the early scams using emails to direct soccer fans to malicious websites offering the opportunity to buy tickets for the games.
Fake Tickets and Fake Touts
With tickets for the big matches scarce and demand outstripping supply, many fans are turning to touts to secure tickets to the big matches. Steps have been taken by FIFA to make it harder for ticket touts to operate, such as only allowing one ticket for a game to be purchased by any football fan. That individual is also named on the ticket. However, it is still possible for individuals to purchase tickets for guests and touts are taking advantage. The price for guest tickets is extortionate – up to ten times face value – and that price will likely rise as the event draws closer.
Such high prices mean the opportunity of snapping up a cheaper ticket may seem too good to miss. However, there are plenty of scammers who have registered websites and are posing as touts and third parties that have spare tickets.
Purchasing a ticket through any site other than the official FIFA is a tremendous risk. The only guarantee is that the price paid will be substantially higher, but there are no guarantees that a ticket will be sent after payment is made. Even if a ticket is purchased from an unofficial seller, it may turn out to be a fake. Worse, paying with a credit or debit card could see bank accounts emptied.
Kaspersky Lab detected large numbers of malicious domains set up and loaded with phishing pages to take advantage of the rush to buy tickets ahead of the tournament. The websites are often clones of the official site.To add credibility, domains have been purchased that include the words worldcup2018 and variations along that theme. Cheap SSL certifications have also been purchased, so the fact that a website starts with HTTPS is no guarantee that a site is legitimate. Tickets should only be purchased through the official FIFA website.
Why pay a high price for a ticket when there is a chance of obtaining one for free? Many competition-themed World Cup 2018 phishing emails have been detected. These emails are sent out in the millions offering soccer fans the change to win a free ticket to a match. To be in with a chance, the email recipient is required to register their contact details. Those details are subsequently used for further phishing and spamming campaigns. Stage two of the scam, where the ‘lucky’ registrant is told they have one tickets, involves opening an email attachment, which installs malware.
Notifications from FIFA and Prizes from FIFA World Cup 2018 Partners
Be wary of any communications from FIFA or any company claiming to be an official World Cup Partner. Kaspersky Lab has detected several emails that appear, at face value, to have been sent by FIFA or its World Cup 2018 partners. These emails usually request the recipient to update their account for security reasons.
Visa is one brand in particular that is being spoofed in World Cup 2018 phishing emails for obvious reasons. Fake security alerts from Visa require credit card credentials to be entered on spoofed websites. If any security alert is received, visit the official website by typing in the official domain into the browser. Do not click the links contained in the emails.
Cheap Travel Accommodation Scams
Airline tickets to cities staging World Cup matches may be difficult to find, and with more than 5 million fans expected in Russia for the World Cup, accommodation will be scarce. Scammers take advantage of the scarcity of flights and accommodation and the high prices being charged and offer cheap deals, usually via spam email. A host of malicious websites have been set up mimicking official travel companies and accommodation providers to fool the unwary into disclosing their credit card details. Retail brands are also being spoofed, with offers sent via email for cut price replica shirts and various other World Cup apparel.
These World Cup 2018 phishing scams can usually be identified from the domain name, which needs to be checked carefully. These websites are often clones and are otherwise indistinguishable from the official websites.
Team and Match News and World Cup Gossip
As the World Cup gets underway, there are likely to be waves of spam emails sent with news about matches, team information, betting odds, and juicy gossip about teams and players. Every major sporting event sees a variety of lures sent via spam email to get users to click links and visit malicious websites. Hyperlinks often direct users to webpages containing fake login pages – Facebook and Google etc. – where credentials need to be entered before content is displayed.
How to Avoid Becoming a Victim of a World Cup 2018 Phishing Scam
These are just a few of the World Cup 2018 phishing scams that have been detected so far and a great deal more can be expected by the time the World Cup winner lifts the trophy on July 15.
Standard security best practices will help soccer fans avoid World Cup 2018 phishing scams. Make sure you:
- Only buy tickets from the official FIFA website
- Only book travel and accommodation from trusted vendors and review the vendors online before making a purchase
- Never buy products or services advertised in spam email
- Never opening attachments in World Cup-themed emails from unknown senders
- Do not click hyperlinks in emails from unknown senders
- Never click a hyperlink until you have checked the true domain and avoid clicking on shortened URLs
- Ensure all software, including browsers and plugins, is patched and kept fully up to date
- Ensure anti-virus software is installed and is kept up to date
- Consider implementing a third-party spam filtering solution to prevent spam and malicious messages from being delivered – Something especially important for businesses to stop employees from being duped into installing malware on work computers.
- Stay alert – If an offer seems to good to be true, it most likely is
The UK Government’s Department for Digital, Culture, Media, & Sport has published its Cybersecurity Breaches Survey for 2018. The survey, conducted by Ipsos MORI, was a quantitative and qualitative survey conducted in the winter of 2017 on 1,519 UK businesses and 569 UK registered charities.
The purpose of the cybersecurity breaches survey was to identify the nature and significance of cyberthreats, determine how prevalent cyberattacks are, and what is being done to prevent such attacks.
The cybersecurity breaches survey revealed UK businesses and charities are being targeted by cybercriminals intent on gaining access to sensitive information, email accounts, corporate networks, and bank accounts and attacks are on the rise.
43% of businesses and 19% of charities experienced a cybersecurity breach or cyberattack in the past 12 months with large businesses and charities more likely to be attacked. 72% of large businesses – those with more than 250 employees – and 73% of large charities – with incomes over £5 million – experienced a cyberattack in the past year.
While not all security breaches result in material losses such as theft of data or personal information, when there is a material outcome the costs can be significant. The average costs of breaches with a material outcome is £3,100 for businesses and £1,030 for charities, although the larger the business, the greater the cost. Medium sized businesses have average costs of £16,100 and large businesses have an average breach cost of £22,300.
The high probability of a breach occurring and the high cost of remediating breaches has seen cybersecurity become a priority for senior managers. The percentage of businesses (74%) and charities (53%) that say cybersecurity is a high priority has risen year on year and the percentage of businesses (30%) and charities (24%) that say cybersecurity is a low priority has fallen once again. Cybersecurity is also now a high priority for many small businesses (42%) having risen from 33% last year when the survey was conducted. Cybersecurity may be a high priority, but just 3 out of 10 businesses and under a quarter of charities have board members with a responsibility for cybersecurity.
The most common type of breaches and cyberattacks involve fraudulent emails directing employees to malicious websites. 75% of UK businesses and 74% of UK charities that experienced a breach in the past year experienced these types of attacks. Email impersonation attacks were the second most common breach type with 28% of UK businesses and 27% of UK charities saying they had experienced these types of incidents in the past 12 months.
Not only are these types of attacks common, they also cause the most disruption. 48% of UK businesses and charities said fraudulent emails and being directed to malicious websites caused the most disruption out of all cybersecurity breaches experienced, well ahead of malware infections which were rated as the most disruptive cyberattacks by 13% of UK businesses and 12% of UK charities.
The cybersecurity breaches survey clearly highlights the importance of implementing robust defenses to prevent malicious emails from being delivered to employees’ inboxes and to ensure staff are well trained and taught how to identify malicious emails.
TitanHQ offers two cybersecurity solutions that can help UK businesses block the most common and most disruptive types of cyberattack. SpamTitan is a powerful spam filtering solution that blocks more than 99.97% of spam emails and 100% of known malware from being delivered to end users’ inboxes.
WebTitan is a cloud-based web filtering solution that prevents employees from visiting malicious websites, such as those used in phishing emails to steal credentials and spread malware. Implementing these solutions is far cheaper than having to cover the cost of remediating cyberattacks.
There is also clearly a problem with training in the UK. Only 20% of UK businesses and 15% of UK charities have had staff attend internal or external cybersecurity training in the past year, even though security awareness training has clearly been shown to be effective at reducing susceptibility to email-based attacks.
According to data from the UK’s fraud tracking team, Action Fraud, there has been a massive rise in TSB phishing scams in the past few weeks. Customers of TSB have been duped into handing over their online banking credentials to scammers. Action Fraud is now receiving around 10 complaints a day from TSB customers who have fallen for phishing scams.
A Nightmare Scenario for TSB Customers
The problem that made the scams possible was the separation of the TSB banking system from Lloyds Bank, of which TSB was part until 2015. TSB moved over to a new core banking system provided by Banco Sabadell, the Spanish bank which took over TSB. That transition happened in April. Unfortunately for TSB and its customers, it did not go smoothly.
While migrating customer information to the new core banking system, many customers were locked out of their accounts and were unable to access their money. Some customers were presented with other customers’ bank accounts when they logged in online, and there have been cases of customers having money taken from their accounts without authorization, and transfers have been made to the wrong bank accounts. It is almost June, and the problems have still not been completely resolved.
Customers starting to experience problems over the weekend of 21/22 April and the problems were understandably covered extensively by the media with many customers taking to Social Media sites to vent their spleens over the chaos. For scammers, this was too good an opportunity to miss.
Action Fraud had received more than 320 reports of TSB phishing scams in the first three weeks in May. There were only 30 reports of such scams in the entire month of April. That’s an increase of 969%.
TSB Phishing Scams Soar
The situation was ideal for scammers. Many TSB customers could not access their accounts, so there was little chance of customers realizing they had been defrauded until it was too late.
TSB staff were overworked dealing with the IT problems and its helplines were overwhelmed with calls from customers unable to access their money. When customers realized they had been scammed they were unable to contact the bank quickly. There have been reports of customers seeing money taken from their accounts while they were logged in, yet they could not get through to customer support to stop transfers being made.
The TSB phishing scams used a combination of SMS messages, emails, and telephone calls to obtain customers banking credentials. As is typical in these types of scams, customers were sent links and were asked to use them to login to their accounts. The websites the bank’s customers visited looked exactly how they should. The only sign that the website was not genuine was the URL, otherwise the website was a carbon copy of the genuine TSB website.
Many victims of the scam had received an email or text messages, which was followed up with a voice call to obtain the 2-factor authentication code that would allow the scammers to gain access to the victim’s account. While the requests from the scammers may have seemed unusual or suspicious, this was an unusual situation for TSB customers.After that information was obtained, the scammers went to work and emptied bank accounts.
According to data from cybersecurity firm Wandera, TSB has now jumped to second spot in the list of the financial brands most commonly used in impersonation attacks. Prior to the IT problems, TSB wasn’t even in the top five.
With the bank’s IT issues ongoing, the TSB phishing scams are likely to continue at high levels for some time to come. The advice to TSB customers is to be extremely wary of any email, text message or call received from TSB bank. Scammers can spoof email addresses and phone numbers and can make text messages appear as if they have been sent by someone else.
Data breach costs have risen considerably in the past year, according to a recent study of corporate IT security risks by Kaspersky Lab. Compared to 2016, the cost of a data breach for enterprises increased by 24% in 2017, and by even more for SMBs, who saw data breach costs rise by 36% in 2017.
The average cost of data breach recovery for an average-sized enterprise is now $1.23 million per data breach, while the cost for SMBs is now $120,000 per incident.
For the study, Kaspersky Lab surveyed 6,614 business decision makers. Respondents were asked about the main threats they have to deal with, cybersecurity incidents they have experienced in the past year, how much they spent resolving those incidents, and how that money was spent.
When a data breach is experienced, the costs can quickly mount. Enterprises and SMBs must contain the attack, scan systems for malware and backdoors, and pay for improvements to security and infrastructure to prevent similar attacks from occurring in the future. Staff need to receive additional training, new staff often need to be brought in, and third-parties hired to assist with recovery and security assessments.
Data breach recovery can take time and considerable effort. Additional wages have to be paid to staff assisting in the recovery process, there can be losses due to system downtime, repairing damage to a brand prove costly, credit monitoring and identity theft recovery services may have to be provided to breach victims, insurance premiums rise, credit ratings drop, and there may also be regulatory fines to cover.
The largest component of data breach costs is making emergency improvements to security and infrastructure to prevent further attacks, which is around $193,000 per breach for enterprises, the second biggest cost for enterprises is repairing reputation damage, which causes major increases in insurance costs and can severely damage credit ratings. On average, this costs enterprises $180,000. Providing after-the-event security awareness training to the workforce was the third biggest cost for enterprises at $137,000.
It is a similar story for SMBs who typically pay around $15,000 for each of the above three cost categories. A lack of inhouse expertise means SMBs often have to call in cybersecurity experts to assist with making improvements to security and for forensic analyses to determine how access to data was gained.
Data breaches affecting third-party hosted infrastructure are the costliest for SMBs, followed by attacks on non-computing connected devices, third party cloud services, and targeted attacks. For enterprises, the costliest data breaches are targeted attacks followed by attacks on third-party infrastructure, attacks on non-computing connected devices, third party cloud services, and leaks from internal systems.
The high cost of recovering from a data breach means a successful cyberattack on an SMB could be catastrophic, forcing the company to permanently shut its doors. It is therefore no surprise that businesses are allocating more of their IT budgets to improving their security defenses. Enterprises are now spending an average of $8.9 million on cybersecurity each year, while SMBs spend an average of $246,000. Even though the cost of additional cybersecurity defenses is high, it is still far lower than the cost of recovering from data breaches.
While data breach prevention is a key driver for greater investment in cybersecurity, that is far from the only reason for devoting a higher percentage of IT budgets to security. The main drivers for increasing security spending are the increasing complexity of IT infrastructure (34%), improving the level of security expertise (34%), and management wanting to improve security defenses (29%).
A suspected nation-state sponsored hacking group has succeeded in infecting at least half a million routers with VPNFilter malware.
VPNFilter is a modular malware capable of various functions, including the monitoring of all communications, launching attacks on other devices, theft of credentials and data, and even destroying the router on which the malware has been installed. While most IoT malware infections – including those used to build large botnets for DDoS attacks – are not capable of surviving a reboot, VPNFilter malware can survive such a reset.
The malware can be installed on the type of routers often used by small businesses and consumers such as those manufactured by Netgear, Linksys, TP-Link and MikroTik, as well as network-attached storage (NAS) devices from QNAP, according to security researchers at Cisco Talos who have been monitoring infections over the past few months.
The ultimate aim of the attackers is unknown, although the infected devices could potentially be used for a wide range of malicious activities, including major cyberattacks on critical infrastructure, such as disrupting power grids – as was the case with BlackEnergy malware.
Since it is possible for the malware to disable Internet access, the threat actors behind the campaign could easily prevent large numbers of individuals in a targeted region from going online.
While the malware has been installed on routers around the world – infections have been detected in 54 countries – the majority of infections are in Ukraine. Infections in Ukraine have increased significantly in the past few weeks.
While the investigation into the campaign is ongoing, the decision was taken to go public due to a massive increase in infected devices over the past three weeks, together with the incorporation of advanced capabilities which have made the malware a much more significant threat.
While the researchers have not pointed the finger at Russia, they have identified parts of the code which are identical to that used in BlackEnergy malware, which was used in several attacks in Ukraine. BlackEnergy has been linked to Russia by some security researchers. BlackEnergy malware has been used by other threat actors not believed to be tied to Russia to the presence of the same code in both forms of malware is not concrete proof of any link to Russia.
The FBI has gone a step further by attributing the malware campaign to the hacking group Fancy Bear (APT28/Pawn Storm) which has links to the Russian military intelligence agency GRU. Regardless of any nation-state backing, the sophisticated nature of the malware means it is the work of a particularly advanced hacking group.
Most of the attacked routers are aging devices that have not received firmware updates to correct known flaws and many of the attacked devices have not had default passwords changed, leaving them vulnerable to attack. It is not entirely clear exactly how devices are being infected although the exploitation of known vulnerabilities is most probable, rather than the use of zero-day exploits; however, the latter has not been ruled out.
Some progress has been made disrupting the VPNFilter malware campaign. The FBI has seized and sinkholed a domain used by the malware to communicate with the threat group behind the campaign. Without that domain, the attackers cannot control the infected routers and neither identify new devices that have been infected.
Ensuring a router is updated and has the latest firmware will offer some degree of protection, as will changing default passwords on vulnerable devices. Unfortunately, it is not easy to tell if a vulnerable router has been infected. Performing a factory reset of a vulnerable router is strongly recommended as a precaution.
Rebooting the device will not eradicate the malware, but it will succeed in removing some of the additional code downloaded to the device. However, those additional malware components could be reinstalled once contact is re-established with the device.
Several GDPR phishing scams have been detected in the past few days as scammers capitalize on the last-minute rush by companies to ensure compliance ahead of the May 25, 2018 GDPR deadline. Be wary about any GDPR related email requests – they may be a scam.
GDPR Provides Scammers with a New Opportunity
You will probably already be sick of receiving email requests from companies asking if they can continue sending you emails, but that is one of the requirements of GDPR. GDPR requires consent to be obtained to use – or continue to use – personal information. With previous privacy policies failing to comply with the new EU law, email requests are being sent to all individuals on mailing lists and those who have previously registered on websites to re-obtain consent.
All companies that have dealings with EU residents are required to comply with GDPR, regardless of their location. Emails are therefore being sent from companies far and wide. Consumers are receiving messages from companies that they may have forgotten they had dealings with in the past. If personal data is still on file, email requests are likely to be sent asking for permission to retain that information.
The masses of emails now being sent relating to GDPR has created an opportunity for scammers. GDPR phishing scams have been developed to fool users into revealing sensitive information under the guise of GDPR related requests. There have been many GDPR phishing scams identified in recent weeks. It is ironic that a regulation that aims to improve privacy protections for EU residents is being used to violate privacy.
Apple Spoofed in New Phishing Scam
Phishers often spoof large, familiar brands as there is a greater chance that the recipient of the message will have an account with that company. The most popular global brands – Netflix, PayPal, Apple, and Google are all commonly impersonated.
These impersonation scams can be highly convincing. A request is sent via email that seems perfectly reasonable, the emails appear to have been sent from the company, and the email address of the sender is spoofed to appear genuine. The emails contain branding and images which are familiar, and the messages can be almost indistinguishable from genuine communications.
The aim is to get users to click on an embedded hyperlink and visit the company’s website and login. There is usually an urgent call to action, such as a security alert, threat of account closure, or loss of services.
Apple is one such brand that has recently been impersonated in GDPR phishing scams. The aim of the attackers is to get Apple customers to login to a fake site and disclose their credentials. Once the credentials have been obtained, the scammers have access the user’s account, which includes financial information, credit card details, and other personal information.
Airbnb GDPR Phishing Scams Detected
Redscan has detected Airbnb GDPR phishing scams recently. Users of its home sharing platform are required to update their contact details due to GDPR law in order to continue to use the platform. The request is entirely reasonable given so many companies are sending similar emails.
The emails claim to be from Airbnb customer service, contain the correct images and branding, and direct users to a familiar looking website that differs only in the domain name. Users are asked to re-enter their contact information and payment card details.
Watch Out for GDPR Phishing Scams
These scams are just two of several. More can be expected over the coming days in the run up to the compliance deadline and beyond. To avoid falling for the scams, make sure you treat all GDPR-related requests as potentially suspicious.
The easiest way to avoid the scams is to visit the website of the brand by typing the correct address directly into the browser or using your usual bookmark. It should be clear when you login if you need to update your information because of GDPR.
Ransomware attacks on businesses appear to be declining. In 2017 and 2018 there has been a marked decrease in the number of attacks. While this is certainly good news, it is currently unclear whether the fall in attacks is just a temporary blip or if the trend will continue.
Ransomware attacks may have declined, but there has been a rise in the use of cryptocurrency mining malware, with cybercriminals taking advantage in the high price of cryptocurrencies to hijack computers and turn them into cryptocurrency-mining slaves. These attacks are not as devastating or costly as ransomware attacks, although they can still take their toll, slowing down endpoints which naturally has an impact on productivity.
While ransomware attacks are now occurring at a fraction of the level of 2016 – SonicWall’s figures suggest there were 184 million attacks in 2017 compared to 638 million in 2016 – the risk of an attack is still significant.
Small players are still taking advantage of ransomware-as-a-service – available through darknet forums and marketplaces – to conduct attacks and organized cybercriminal gangs are conducting targeted attacks. In the case of the latter, victims are being selected based on their ability to pay and the likelihood of a payment being made.
These targeted attacks have primarily been conducted on organizations in the healthcare industry, educational institutions, municipalities and the government. Municipalities are targeted because massive disruption can be caused, and attacks are relatively easy to pull off. Municipalities typically do not have the budgets to devote to cybersecurity.
Attacks in healthcare and education industries are made easier by the continued use of legacy software and operating systems and highly complex networks that are difficult to secure. Add to that the reliance on access to data and not only are attacks relatively easy, there is a higher than average chance of a ransom being paid.
In the past, the aim of ransomware gangs was to infect as many users as possible. Now, targeted attacks are conducted with the aim of infecting as many end points as possible within an organization. The more systems and computers that are taken out of action, the greater the disruption and cost of mitigating the attack without paying the ransom.
Most organizations, government agencies, municipalities, have sound backup policies and can recover all data encrypted by ransomware without paying the ransom. However, the time taken to recover files from backups and restore systems – and the cost of doing so – makes payment of the ransom preferable.
The attack on the City of Atlanta shows just how expensive recovery can be. The cost of restoring systems and mitigating the attack was at least $2.6 million – The ransom demand was in the region of $50,000. It is therefore no surprise that so many victims have chosen to pay up.
Even though the ransom payment is relatively low compared to the cost of recovery, it is still far more expensive than the cost of implementing security solutions to prevent attacks.
There is no single solution that can block ransomware and malware attacks. Multi-layered defenses must be installed to protect the entire attack surface. Most organizations have implemented anti-spam solutions to reduce the risk of email-based attacks, and security awareness training is helping to eliminate risky behaviors and teach security best practices, but vulnerabilities still remain with DNS security often lacking.
Vulnerabilities in DNS are being abused to install ransomware and other malware variants and hide communications with command and control servers and call home addresses. Implementing a DNS-based web filtering solution offers protection against phishing, ransomware and malware by preventing users from visiting malicious websites where malware and ransomware is downloaded and blocking C2 server communications. DNS-based web filters also provide protection against the growing threat from cryptocurrency mining malware.
To mount an effective defense against phishing, malware and ransomware attacks, traditional cybersecurity defenses such as ant-virus software, spam filters, and firewalls should be augmented with web filtering to provide security at the DNS layer. To find out more about how DNS layer security can improve your security posture, contact TitanHQ today and ask about WebTitan.
Another school district has fallen victim to a ransomware attack, which has seen files encrypted and systems taken out of action for two weeks. The Leominster school district ransomware attack saw a ransom demand of approximately $10,000 in Bitcoin was issued for the keys to unlock the encrypted files, which includes the school’s entire student database.
School districts attacked with ransomware often face a difficult decision when ransomware is installed. Attempt to restore systems and recover lost data from backups or pay the ransom demand. The first option is time consuming, costly, and can see systems remain out of action for several days. The second option includes no guarantees that the attackers will make good on their promise and will supply valid keys to unlock the encryption. The keys may not be held, it may not be possible to unlock files, or a further ransom demand could be issued. There have been many examples of all three of those scenarios.
The decision not to pay the ransom demand may be the costlier option. The recent ransomware attack on the City of Atlanta saw a ransom demand issued in the region of $50,000. The cost of recovering from the attack was $2.6 million, although that figure does include the cost of improvements to its security systems to prevent further attacks.
School districts are often targeted by cybercriminals and ransomware offers a quick and easy way to make money. The attackers know all too well that data can most likely be recovered from backups and that the ransom does not need to be paid, but the cost of recovery is considerable. Ransom demands are set accordingly – high enough for the attackers to make a worthwhile amount, but low enough to tempt the victims into paying.
In the case of the Leominster ransomware attack, the second option was chosen and the ransom demand of was paid. That decision was taken after carefully weighing up both options. The risk that no keys would be supplied was accepted. In this case, they were supplied, and efforts are well underway to restore files and implement further protections to ensure similar incidents do not occur in the future.
Even though the ransom was paid, the school district was still without access to its database and some of its computer systems two weeks after the attack. Files were encrypted on April 14, but systems were not brought back online until May 1.
Unfortunately for the Leominster School District, ransom payments are not covered by its cyberinsurance policy, so the payment had to come from its general fund.
There is no simple way to defend against ransomware attacks, as no single cybersecurity solution will prove to be 100% effective at blocking the threat. Multiple attack vectors are used, and it is up to school districts to implement defenses to protect the entire attack surface. The solution is to defend in numbers – use multiple security solutions to create layered defenses.
Some of the most important defenses include:
- An advanced firewall to defend the network perimeter
- Antivirus and anti-malware solutions on all endpoints/servers
- Vulnerability scanning and good patch management policies. All software, systems, websites, applications, and operating systems should be kept up to date with patches applied promptly
- An advanced spam filtering solution to prevent malicious emails from being delivered to end users. The solution should block all executable files
- Disable RDP if it is not required
- Provide security awareness training for employees and teach staff and students the skills to enable them to identify malicious emails and stop risky behaviors
- A web filtering solution capable of blocking access to malicious websites
The cost of implementing these solutions is likely to be far lower than the cost of a ransom payment and certainly lower than the cost of mitigating a ransomware attack.
The cost of the Equifax data breach has risen to more than $242 million, and that figure will continue to rise and could even double.
According to the Equifax financial report for the first quarter of 2018, the total spent on mitigation and preventative measures to avoid a further security breach is now $242.7 million.
The breach, which was made public in September 2017, affected 147.9 million customers, making it one of the largest data breaches ever discovered and certainly one of the most serious considering the types of data involved. Yahoo may have experienced much larger breaches, but the data exposed in those incidents was far less sensitive.
Fortunately for Equifax, it holds a sizable insurance policy against cybersecurity incidents. The policy will cover up to $125 million of the cost, minus a $7.5 million deductible. That insurance policy has already paid out $60 million, with $10 million in payments received in the first quarter of 2018.
The breakdown of cost of the Equifax data breach so far for Q1, 2018 is:
- $45.7 million on IT security
- $28.9 million on legal fees and investigation of the breach
- $4.1 million on product liability
- $10 million has been recovered from an insurance payout.
The net expenses from the breach in the first quarter of 2018 was $68.7 million. That is on top of the $114 million spent in the final quarter of 2017, which is broken down as $64.6 million on product costs and customer support, $99.4 million on professional fees, minus $50 million that was paid by its insurance carrier. The net spend so far for Q4, 2017 and Q1, 2018 is $140.5 million, although Equifax reports that the total costs related to the cybersecurity incident and incremental IT and data security costs has been $242.7 million.
Equifax has also reported that throughout 2018 and 2019 the firm will be investing heavily in IT and is committed to building an industry-leading data security system, although the firm has not disclosed how much it is expecting to spend, as the company does not have visibility into costs past 2018.
Equifax has predicted that there will be at least a further $275 million in expenses related to the cyberattack which must still be covered, although a further $57.5 million should be covered by its insurance policy.
While considerable costs have been incurred so far, the firm has done little to repair the reputational damage suffered as a result of the breach and has yet to hire many of the new staff it plans to bring in to help with the breach recovery, including a new CTO. The firm has said that it is taking a very aggressive approach in attracting the top talent in both IT and data security.
The high cost of the Equifax data breach to date, and the ongoing costs, is likely to make this the most expensive data breach of all time.
The Atlanta ransomware attack that took IT systems and computers out of action and brought many municipal operations to a grinding halt has proven particularly costly for the city.
On March 22, 2018, ransomware was deployed on its network forcing a shutdown of PCs and systems used by some 8,000 employees. Those employees were forced to work on pen and paper while attempts were made to recover from the attack. With IT systems offline, many municipal services stopped entirely.
The attackers sent a ransom demand for approximately $50,000. By paying the ransom, the city could potentially have been given the keys to unlock the files encrypted by the SamSam ransomware variant used in the attack. However, there are never any guarantees decryption keys will be supplied. Many victims have received further demands for payment after the initial demand was paid, and there have been many cases where the attackers have not made good on their promise and did not supply any valid keys.
It is unclear whether the ransom payment was made, although that appears unlikely. The payment portal used by the attackers went offline shortly after the attack and the cleanup costs following the Atlanta ransomware attack have been considerable. The high cost suggests the city opted to recover its data and restore systems from backups.
In the immediate aftermath of the Atlanta ransomware attack, the city awarded emergency procurements to eight firms to assist with recovery efforts. The total cost of those services was $2,667,328.
The city spent $60,000 on incident response services, $50,000 on crisis communication services, and $60,000 on support staff augmentation. Secureworks was paid $650,000 for emergency incident response services, Two contracts were awarded to assist with its Microsoft cloud and Windows environments, including migrating certain on-premises systems to the cloud. Those two contracts totaled $1,330,000 and a further $600,000 was paid to Ernst & Young for advisory services for cyber incident response. The $2.6 million cost could rise further still.
Paying the threat actors who conducted the Atlanta ransomware attack could well have seen sizable savings made, although it would certainly not have cost $50,000. Some of the costs associated with recovery from the attack have been spent on improving security to prevent further incidents, and certainly to make recovery less costly. Those costs would still have to be recovered even if the ransom was paid.
What is clear however, is that $2.6 million paid on reactive services following a ransomware attack will not give tremendous value for money. Had that amount been spent on preventative measures prior to the attack, the city would have got substantially more value for every buck spent. Some industry experts have estimated the cost of preventative measures rather than reactive measures would have been just 20% of the price that was paid.
The attack revealed the City of Atlanta was unprepared and had failed to implement appropriate defenses. The city was vulnerable to attack due to the failure to apply security best practices, such as closing open ports on its systems and segmenting its network. The vulnerabilities made an attack far to easy. However, it would be unfair to single out the city as many others are in exactly the same position.
This incident should therefore serve as a stern warning to other cities and organizations that the failure to adequately prepare for an attack, implement appropriate defenses, and apply security best practices will likely lead to an incredibly costly attack.
It may be difficult to find the money to spend on ransomware attack prevention measures, but it will be much harder to find five times the cost to implement defenses and respond after an attack has taken place.
A warning has been issued to the healthcare industry over an extensive campaign of targeted cyberattacks by the Orangeworm threat group. The Orangeworm threat group has been operating since 2015, but activity has been largely under the radar. It is only recently that the group’s activities have been identified and disclosed.
Attacks have been conducted on a range of industries, although the primary targets appear to be large healthcare organizations. 39% of confirmed attacks by the Orangeworm threat group have been on organizations in the healthcare industry, including large healthcare providers and pharmaceutical firms. IT service providers, manufacturers, and logistics firms have also been attacked, many of which have links to the healthcare industry.
Some of the IT service providers discovered to have been attacked have contracts with healthcare organizations, while logistics firms have been attacked that deliver medical equipment, as have manufacturers of medical devices. The aim appears to be to infect and investigate the infrastructure of the entire supply chain.
The Orangeworm threat group is using a custom backdoor, which is deployed once access to a network is gained. First the backdoor is deployed on one device, giving the Orangeworm threat group full control of that device. The backdoor is then aggressively spread laterally within a network via unprotected network shares to infect as many devices as possible with the Kwampirs backdoor. While some steps have been taken by the group to avoid detection, this lateral worm-like movement is noisy and easily detected. The threat group does not seem to be overly concerned about hiding its activity.
This attack method works best on legacy operating systems such as Windows XP. Windows XP is no longer supported, and even though the continued use of the operating system is risky and in breach of industry regulations, many healthcare organizations still have many devices operating on Windows XP, especially machines connected to imaging equipment such as MRI and X-Ray machines. It is these machines that have been discovered to have been infected with the Kwampirs backdoor.
Once access is gained, the group is spending a considerable amount of time exploring networks and collecting information. While the theft of patient health information is possible, this does not appear to be a financially motivated attack and systems are not sabotaged.
Symantec, which identified a signature which has allowed the identification of the backdoor and raised the alert about the Orangeworm threat group, believes this is a large-scale espionage campaign with the aim of learning as much as possible about the targets’ systems. What the ultimate goal of the threat group is, no one knows.
The method of spreading the backdoor does not have the hallmarks of nation-state sponsored attacks, which tend to use quieter methods of spreading malware to avoid detection. However, the attacks are anything but random. The companies that have been attacked appear to have been targeted and well researched before the attacks have taken place.
That suggests the Orangeworm threat group is a cybercriminal gang or small collective of hackers, but the group is clearly organized, committed to its goals, and is capable of developing quite sophisticated malware. However, even though the group is clearly capable, and has operated under the radar for three years, during that time no updates have been made to their backdoor. That suggests the group has been confident that they would not be detected, or that they simply didn’t see the need to make any updates when their campaign was working so well.
While espionage may be the ultimate aim, the Orangeworm threat group could easily turn to more malicious and damaging attacks. Once the backdoor has been installed on multiple devices, they would be under full control of the hackers. The group has the capability to deploy malware such as wipers and ransomware and cause considerable damage or financial harm.
The ease at which networks can be infiltrated and the backdoor spread should be of major concern for the healthcare industry. The attacks show just how vulnerable the industry is and how poorly protected many organizations are.
The continued use of outdated and unsupported operating systems, a lack of network segmentation to prevent lateral movement once access has been gained, the failure to protect network shares, and poor visibility of the entire network make these attacks far too easy. In fact, simply following security best practices will prevent such attacks.
The attacks by the Orangeworm threat group should serve as a wakeup call to the industry. The next wave of attacks could be far, far worse.
Microsoft has released new figures that show there has been a sizeable increase in tech support scams over the past year. The number of victims that have reported these scams to Microsoft increased by 24% in 2017. The true increase could be much higher. Many victims fail to report the incidents.
According to Microsoft, in 2017 there were 153,000 reports submitted from customers in 183 countries who had been fooled by such a scam. While not all of the complainants admitted to losing money as a result, 15% said they paid for technical support. The average cost of support was between $200 and $400, although many individuals were scammed out of much more significant amounts. While victims may not willingly pay much more to fix the fictitious problem on their computers, if bank account details are provided to the scammers, accounts can easily be drained. One victim from the Netherlands claims a scammer emptied a bank account and stole €89,000.
The rise in complaints about tech support scams could, in part, be explained by more scammers pretending to be software engineers from Microsoft, prompting them to report the incidents to Microsoft when they realize they have been scammed.
However, the rise in tech support scams is backed up by figures released by the FBI. Its Internet Crime Complaint Center (IC3) received 86% more complaints in 2017 from victims of tech support scams. Around 11,000 complaints were received by IC3 about tech support scams last year and more than $15 million was lost to the scams.
It is easy to see why these scams are so attractive for would-be cybercriminals. In many cases, little effort is required to pull off the scam. All that is required in many cases is a telephone. Cold calling is still common, although many of the scams are now much more sophisticated and have a much higher success rate.
Email is also used. Some tech support scams involve warnings and use social engineering techniques to convince the recipient to call the helpline. Others involve malware, sent as an attachment or downloaded as a result of visiting a malicious website via a hyperlink supplied in the email.
Once installed, the malware displays fake warning messages that convince the user that they have been infected with malware that requires a call to the technical support department.
The use of popups on websites is common. These popups cannot be closed and remain on screen. Browser lockers are also common which serve the same purpose. To prompt the user to call the support helpline.
While many more experienced users would know how to close the browser – CTRL+ALT+DEL and shut down the browser via Windows Task Manager – less experienced users may panic and call the helpline number, especially when the popup claims to be from a well-known company such as Microsoft or even law enforcement.
The typical process used in these tech support scams is to establish contact by telephone, get the user to download software to remove a fictitious virus or malware that has previously been installed by the attackers. Remote administration tools are used that allows the scammer to access the computer. The user is convinced there is malware installed and told they must pay for support. Payment is made and the fictitious problem is fixed.
These techniques are nothing new, it is just that more cybercriminals have got in on the act and operations have been expanded due to the high success rate. Fortunately, there are simple steps to take that can prevent users from falling for these tech support scams.
To avoid becoming a victim of such a scam:
- Never open any email attachments you receive from unknown senders
- Do not visit hyperlinks in email messages from unknown senders
- If contacted by phone, take a number and say you will call back. Then contact the service provider using verified contact information, not the details supplied over the telephone
- If you are presented with a warning via a popup message or website claiming your device has been infected, stop and think before acting. Genuine warnings do not include telephone numbers and do not have spelling mistakes or questionable grammar
- If you receive a warning about viruses online and want to perform a scan, download free antivirus software from a reputable firm from the official website (Malwarebytes, AVG, Avast for instance)
- Before making any call, verify the phone number. Use a search engine to search for the number and see if it has been associated with scams in the past
- ISPs and service providers rarely make unsolicited telephone calls to customers about viruses and technical issues and offer to fix the device
If you believe you are a victim of a tech support scam, report the incident to the service provider who was spoofed and notify appropriate authorities in your country of residence.
In the USA, that is the Federal Trade Commission or the FBI’s IC3; in the UK it is the National Fraud and Cyber Crime Reporting Center, the European Consumer Center in Ireland, or the equivalent organizations in other countries.
Two new phishing campaigns have been detected in the past few days that have seen phishers sink to new lows. An active shooter phishing campaign has been detected that uses fear and urgency to steal credentials, while a Syrian refugee phishing campaign takes advantage of compassion to increase the probability of victims paying ransom demands.
Active Shooter Phishing Campaign
Mass shootings at U.S schools are on the rise, with the latest incident in Parkland, Florida placing teachers and other staff on high alert to the threat of campus shootings. A rapid response is essential when an active shooter alert is issued. Law enforcement must be notified quickly to apprehend the suspect and children and staff must be protected.
It is therefore no surprise that fake active shooter threats have been used in a phishing campaign. The emails are designed to get email recipients to click without thinking to receive further information on the threat and have been developed to cause fear and panic.
The active shooter phishing campaign was being used in a targeted attack on a Florida school – an area of the country where teachers are hypersensitive to the threat of shootings, given recent events in the state.
Three active shooter phishing email variants were reported to the anti-phishing and security awareness platform provider KnowBe4, all of which were used to direct recipients to a fake Microsoft login page where they were required to enter in their login credentials to view the alert. Doing so would give those credentials to the attacker.
The email subject lines used – although other variants could also be in use – were:
- IT DESK: Security Alert Reported on Campus
- IT DESK: Campus Emergency Scare
- IT DESK: Security Concern on Campus Earlier
It is likely that similar campaigns will be conducted in the future. Regardless of the level of urgency, the same rules apply. Stop and think about any message before taking any action suggested in the email.
Syrian Refugee Phishing Campaign
Phishing campaigns often use crises, major world events, and news of sports tournaments to get users to click links or open email attachments. Any news that is current and attracting a lot of interest is more likely to result in users taking the desired action.
There have been several Syrian refugee phishing campaigns run in recent months that take advantage of compassion to infect users with malware and steal their credentials. Now researchers at MalwareHunterTeam have identified a ransomware campaign that is using the terrible situation in Syria to convince victims to pay the ransom – By indicating the ransom payments will go to a very good cause: Helping refugees.
Infection with what has been called RansSIRIA ransomware will see the victim presented with a ransom note that claims all ransom payments will be directed to the victims of the war in Syria. A link is also provided to a video showing the seriousness of the situation in Syria and links to a WorldVision document explaining the plight of children affected by the war.
While the document and images are genuine, the claim of the attackers is likely not. There is no indication that any of the ransom payments will be directed to the victims of the war. If infected, the advice is not to pay and to try to recover files by other means. If you want to do your bit to help the victims of the war, make a donation to a registered charity that is assisting in the region.
What is the future of the system administrator? What can sysadmins expect over the coming months and years and how are their jobs likely to change? Our predictions on what is likely to happen to the role in the foreseeable future.
What Does the Future of the System Administrator Have in Store?
The system administrator is an important role in any organization. Without sysadmins to deal with the day to day IT problems faced by organizations, the business would grind to a halt. Sysadmins also play an essential role in ensuring the security of the network by taking proactive steps to keep systems secure as well as responding to threats before they result in a data breach. With more cyberattacks occurring, increasingly complex IT systems being installed, and the fast pace of technological development, one thing is for sure: The future of the system administrator is likely to continue to involve long hours and hard work.
It is also easy to predict that the future of the system administrator will involve major changes to job descriptions. That has always been the case and never more so than now. There will be a continued need for on the job training and new systems and processes must continue to be learned. Being a System administrator is therefore unlikely to be boring.
According to data from the US Bureau of Labor Statistics, there is likely to be sustained growth in the profession for the next two years. While the forecast was previously 12% growth, this has now been reduced to 6% – similar to other occupations. The increased automation of many sysadmin tasks is partly responsible for this decline in growth, since businesses are likely to need less staff as manual processes are reduced. That said, the figures indicate demand for IT workers will remain high. Even with newer, faster technology being implemented, staff are still required to keep everything running smoothly.
XaaS, the Cloud, Virtualization, and VoIP Use to Grow
Unfortunately, while automation means greater efficiency, it can entail many hidden costs. For a start, with more automation it can become harder to determine the source of a problem when something goes wrong. Increased automation also means the system administrator must become even more knowledgeable. Automation typically involves scripting in various languages, so while you may have been able to get away with knowing Python or Windows PowerShell, you will probably need to become proficient in both, and maybe more.
If you are considering becoming a system administrator, now is the time to learn your first scripting language, as it will make it easier to learn others on the job if you understand the basics. It will also help you to get the job in the first place. The more you know, the better.
Use of the cloud is increasing, especially for backup and archiving, which in turn has reduced the need for server-centered tasks. While there has been a reduction in labor-intensive routine data operations, there has been a rise in the need to become proficient in the use of Application Programming Interfaces (APIs).
While many functions are now being outsourced through XaaS, it is still important to understand those functions. The future of the system administrator is likely to require XaaS to be screened and assessed to make sure those services match the IT needs of the organization. Sales staff will likely say their XaaS meets all business needs. Having an SA that understands the functions, the technology, and the needs of the business will be invaluable for screening out the services that are unsuitable.
To cut costs, many businesses are turning to VoIP. While this does offer considerable cost savings, businesses cannot tolerate less than the 99.999% of uptime offered by phone companies. The future of the system administrator is therefore likely to involve a thorough understanding of the dynamics of network load.
Virtualization has also increased, with a myriad of virtual networks making the SA’s job more complex. That means knowledge of switching and routing will have to improve.
Communication, Collaboration, and Negotiation Skills Required
The SA’s job no longer just involves studying manuals and learning new systems. SAs are now expected to be able to communicate more effectively, understand the business, and collaborate with others. SAs will need strong communication skills, must become excellent collaborators, and also be skilled at negotiation. Fortunately, there are many courses available that can help SAs improve in these areas.
Providing security awareness training for employees helps to eradicate risky behaviors that could potentially lead to a network compromise. Training programs should cover all the major threats faced by your organization, including web-based attacks, phishing emails, malware, and social engineering scams via the telephone, text message, or social media channels.
All too often, businesses concentrate on securing the network perimeter with firewalls, deploying advanced anti-malware solutions, and implementing other technological controls such as spam filters and endpoint protection systems, yet they fail to provide effective security awareness training for employees. Even when security awareness training programs are developed, they are often once-a-year classroom-based training sessions that are forgotten quickly.
If you view security awareness training for employees as a once-a-year checkbox item that needs to be completed to ensure compliance with industry regulations, chances are your training will not have been effective.
The threat landscape is changing rapidly. Cybercriminals often change their tactics and develop new methods to attack organizations. If your security program does not incorporate these new methods of attack, and you do not provider refresher security awareness training for employees throughout the year, your employees will be more likely to fall for a scam or engage in actions that threaten the security of your data and the integrity of your network.
Many Businesses Fail to Provide Effective Security Awareness Training for Employees
One recent study has highlighted just own ineffective many security awareness training programs are. Positive Technologies ran a phishing and social engineering study on ten organizations to determine how effective their security awareness programs were and how susceptible employees are to some of the most common email-based scams.
These include emails with potentially malicious attachments, emails with hyperlinks to websites where the employee was required to enter their login credentials, and emails with attachments and links to a website. While none of the emails were malicious in nature, they mirrored real-world attack scenarios.
27% of employees responded to the emails with a link that required them to enter their login credentials, 15% responded to emails with links and attachments, and 7% responded to emails with attachments.
Even a business with 100 employees could see multiple email accounts compromised by a single phishing campaign or have to deal with multiple ransomware downloads. The cost of mitigating real world attacks is considerable. Take the recent City of Atlanta ransomware attack as an example. Resolving the attack has cost the city $2.7 million, according to Channel 2 Action News.
The study revealed a lack of security awareness across each organization. While employees were the biggest threat to network security, accounting for 31% of all individuals who responded to the emails, 25% were team supervisors who would have elevated privileges. 19% were accountants, administrative workers, or finance department employees, whose computers and login credentials would be considerably more valuable to attackers. Department managers accounted for 13% of the responders.
Even the IT department was not immune. While there may not have been a lack of security awareness, 9% of responders were in IT and 3% were in information security.
The study highlights just how important it is not only to provide security awareness training for employees, but to test the effectiveness of training and ensure training is continuous, not just a once a year session to ensure compliance.
Tips for Developing Effective Employee Security Awareness Training Programs
Employee security awareness training programs can reduce susceptibility to phishing attacks and other email and web-based threats. If you want to improve your security posture, consider the following when developing security awareness training for employees:
- Create a benchmark against which the effectiveness of your training can be measured. Conduct phishing simulations and determine the overall level of susceptibility and which departments are most at risk
- Offer a classroom-style training session once a year in which the importance of security awareness is explained and the threats that employees should be aware of are covered
- Use computer-based training sessions throughout the year and ensure all employees complete the training session. Everyone with access to email or the network should receive general training, with job and department-specific training sessions provided to tackle specific threats
- Training should be followed by further phishing and social engineering simulations to determine the effectiveness of training. A phishing simulation failure should be turned into a training opportunity. If employees continue to fail, re-evaluate the style of training provided
- Use different training methods to help with knowledge retention
- Keep security fresh in the mind with newsletters, posters, quizzes, and games
- Implement a one-click reporting system that allows employees to report potentially suspicious emails to their security teams, who can quickly take action to remove all instances of the email from company inboxes
The SamSam ransomware attacks are continuing and the threat actors behind the campaign are showing no sign of stopping. So far in 2018 there have been at least 10 attacks in the United States, although many more may have gone unreported. Most of the known attacks have hit government agencies, municipalities, and healthcare organizations – all of whom are required to disclose attacks.
The attacks have caused massive disruption, taking computers, servers, and information systems out of action for several days to several weeks. Faced with the prospect of continued disruption to essential business processes, some organizations have chosen to pay the ransom – a risky strategy since there is no guarantee that the keys to unlock the encryption will work or even be supplied.
Others have refused to be extorted, often at great cost. One U.S. healthcare provider, Erie County Medical Center, took six weeks to fully recover from the attack. Mitigating the attack has cost several million dollars.
Multiple SamSam ransomware attacks are possible as the Colorado Department of Transportation discovered. After recovering from an attack in February, a second attack occurred in March.
It is not only financial harm that is caused by the attacks. Another hospital was attacked, and its outpatient clinic and three physician hospitals were unable to view histories or schedule appointments. The ransomware attack on the electronic medical record provider AllScripts saw its EMR systems taken out of action for several days. During that time, around 1,500 medical centers were unable to access patient health records resulting in many cancellations of non-critical medical appointments.
The March SamSam ransomware attack on the City of Atlanta brought many government services to a grinding halt. The extensive attack forced the shutdown of many systems, many of which remained inaccessible for six days. Bills and parking tickets couldn’t be paid and court proceedings had to be cancelled. The huge backlog of work continued to cause delays when systems were restored.
While the SamSam ransomware attacks have been concentrated on just a few industry sectors, the attacks are not necessarily targeted. What the victims have in common is they have been found to have easily exploitable vulnerabilities on public facing servers. They were attacked because mistakes had been made, vulnerabilities had not been patched promptly, and weak passwords had been set.
The threat actors behind the latest SamSam ransomware attacks have not been confirmed, although researchers at Secureworks believe the attacks are being conducted by the Gold LOWELL threat group. It is not known whether they are a defined group or a network of closely affiliated threat actors. What is known, whether it is GOLD LOWELL or other group, is they are largely staying under the radar.
What is more certain is the SamSam ransomware attacks will continue. In the first four weeks of January, the Bitcoin wallet used by the attackers showed $325,000 of ransom payments had been paid. The total in April is likely to be substantially higher. Hancock Health, one of two Indiana hospitals attacked this year, has confirmed that it paid a ransom demand of approximately $55,000 for the keys to unlock the encryption. As long as the attacks remain profitable and the threat actors can stay under the radar, there is no incentive to stop.
In contrast to many threat actors that use phishing emails and spam messages to deliver ransomware downloaders, this group exploits vulnerabilities on public-facing servers. Access is gained to the network, the attackers spend time navigating the network and moving laterally, before the ransomware payload is finally deployed. Detecting network intrusions quickly may prevent file encryption, or at least limit the damage caused.
The ongoing campaign has now prompted the U.S. Department of Health and Human Services’ Healthcare Cybersecurity Integration and Communications Center (HCCIC) to issue a warning to healthcare organizations about the continued threat of attacks. Healthcare organizations should heed the advice of the HCCIC and not only implement defences to block attacks but also to prepare for the worst. If contingency plans are made and incident response procedures are developed in advance, disruption and cost will be kept to a minimum.
That advice from the HCCIC to prevent SamSam ransomware attacks is:
- Conduct vulnerability scans and risk assessments to identify potential vulnerabilities
- Ensure those vulnerabilities are remediated
- Ensure patches are applied promptly
- Use strong usernames and passwords and two-factor authentication
- Limit the number of users who can login to remote desktop solutions
- Restrict access to RDP behind firewalls and use a VPN or RDP gateway
- Use rate limiting to stop brute force attacks
- Ensure backups are made for all data to allow recovery without paying the ransom and make sure those backups are secured
- Develop a contingency plan to ensure that the business can continue to function while the attack is mitigated
- Develop procedures that can easily be followed in the event of a ransomware attack
- Implement defenses capable of detecting attacks quickly when they occur
- Conduct annual penetration tests to identify vulnerabilities and ensure those vulnerabilities are rapidly addressed
Under Armour has experienced a massive MyFitnessPal data breach that has resulted in the personal information of 150 million users being accessed and stolen by a hacker.
The data relates to users of the mobile MyFitnessPal app and the web version of the fitness and health tracking platform. The types of data stolen in the MyFitnessPal data breach include hashed usernames, passwords and email addresses.
While payment card data is held by Under Armour, the information is processed and stored separately and was unaffected. Other highly sensitive information typically used for identity theft and fraud such as Social Security numbers was not obtained by the attacker.
The MyFitnessPal data breach is notable for the sheer volume of data obtained and is the largest data breach to be detected this year; however, the theft of hashed data would not normally pose an immediate risk to users. That is certainly the case for the passwords, which were hashed using bcrypt – a particularly strong hashing algorithm. However, usernames and passwords were only hashed using the SHA-1 hashing function, which does not offer the same level of protection. It is possible to decode SHA-1 hashed data, which means the information could potentially be accessed by the attacker.
Further, the attacker has had the data for some time. Under Armour became aware of the breach on March 25, 2018, but the attack took place more than a month before it was detected – some six weeks before the announcement about the data breach was made.
Given the method used to protect the usernames and passwords, the data can be considered accessible and it is almost certain the person or persons responsible for the attack will attempt to monetize the data. If the attacker cannot personally decrypt the data, it is certain that the data will be some to someone who can.
While it is possible that the bcrypt-encrypted passwords can be decoded, it is unlikely that decryption will be attempted. To do so would take a considerable amount of time and effort. Further, Under Armour is notifying affected users and is encouraging them to change their passwords as a precaution to ensure accounts cannot be accessed.
While MyFitnessPal accounts may remain secure, that does not mean that users of MyFitnessPal will be unaffected by the breach. The attacker – or current holders of the data – will no doubt use the 150 million email addresses and usernames for phishing campaigns.
Under Armour started notifying affected users four days following the MyFitnessPal data breach. Any user affected should login and change their password as a precaution to prevent their account from being accessed. Users also need to be alert to the risk from phishing.
Phishing campaigns related to the MyFitnessPal data breach can be expected although the attackers will likely develop a variety of phishing emails to target breach victims.
An incident of the scale of the MyFitnessPal data breach also poses a risk to businesses. If an employee was to respond to a phishing campaign, it is possible that they could download malware onto their work device – an action that could result in the business network being compromised.
Attacks on this scale are becoming far more common, and with huge volumes of email addresses now being used for phishing campaigns, advanced spam filtering solutions for businesses are now a necessity.
If you have yet to implement a spam filter, are unhappy with your current provider and the detection/false positive rate, contact TitanHQ to find out about SpamTitan – The leading anti-spam software for enterprises and SMBs.
A recent Lazio phishing scam has potentially resulted in a €2 million loss for the Italian Serie A football team, which made the final installment of a transfer of a football player to the bank account of a scammer.
The Lazio phishing scam involved some insider knowledge as the scammer was aware that part of the transfer fee for a player was outstanding. An email was carefully crafted and sent to the Italian football team that appeared to have come from representatives of the Dutch football club Feyenoord. In the email the outstanding balance for the player Stefan de Vrij was demanded. Stefan de Vrij had joined Lazio from Feyenoord in 2014.
The email looked official and appeared to have been sent from a legitimate source. The accounts department at the Italian club responded and proceeded with the transfer of funds – approximately $2,460,840 – to the bank account as requested. However, the bank account details supplied in the email were not those of Feyenoord.
When Feyenoord was contacted, the club denied all knowledge of any email communication about the player and confirmed that no funds had been received. The money had been paid to a Dutch bank account, but not one held by any staff at the club, nor any representative of the player.
The payment has been tracked and Lazio is attempting to recover the funds. It is not yet known whether the money has been recovered and if that will be possible.
The Lazio phishing scam has certainly made the headlines, but many similar attacks go unreported. Scams such as this are commonplace, and businesses are being fooled into making huge transfers of funds to criminals’ accounts.
While this attack clearly involved some insider knowledge, that information can easily be gained with a simple phishing email. If the CFO of an organization can be fooled into revealing their email login credentials, the account can be accessed and a treasure trove of information can be found. The account can then be used to send an email request to a member of the accounts department or a company that is in the process of making a sizeable purchase.
The attacker can match the writing style of the CTO and copy the usual format of email requests. All too often the recipient is fooled into making the transfer.
This type of scam is called business email compromise – or BEC – and it is costing businesses billions. One recent report estimates the total losses to BEC attacks alone is likely to reach $9 billion in 2018.
These scams are far different to the typical phishing scams of years gone by where huge numbers of emails were sent in the hope of a few individuals responding. These attacks are highly targeted, the recipient is extensively researched, and a great deal of time is spent conducting the attack. As the Lazio phishing scam showed, it is certainly worth the time and effort.
Businesses need to protect themselves against these types of phishing attacks, but there is no silver bullet. Layered defenses are essential. Businesses need to develop an anti-phishing strategy and purchase anti-phishing security solutions. An advanced spam filtering solution is a must, DMARC should be implemented to prevent brand abuse, and security awareness training for staff is essential. Policies should also be developed and implemented that require two-factor verification on any wire transfer over a certain threshold.
Even if an email filter could not block the Lazio phishing email and the email was so believable to fool a security aware employee, a quick telephone call to confirm the request could have highlighted the scam for what it was.
Several new AutoHotKey malware variants have been discovered in recent weeks as threat actors turn to the scripting language to quickly develop new malware variants. The latest discovery – Fauxpersky malware – is very efficient at stealing passwords.
AutoHotKey is a popular open-source scripting language. AutoHotKey make it easy to create scripts to automate and schedule tasks, even inside third-party software. It is possible to use AutoHotKey to interact with the local file system and the syntax is simple, making it straightforward to use, even without much technical knowledge. AutoHotKey allows scripts to be compiled into an executable file that can be easily run on a system.
The usefulness of AutoHotKey has not been lost on malware developers, and AutoHotKey malware is now used for keylogging and to install other malware variants such as cryptocurrency miners, the first of the latter was discovered in February 2018.
Several other AutoHotKey malware variants have since been discovered with the latest known as Fauxpersky, so named because it masquerades as Kaspersky antivirus.
Fauxpersky malware lacks sophistication, but it can be considered a significant threat – One that has potential to cause considerable harm. If undetected, it allows the attackers to steal passwords that can be used for highly damaging attacks and give the attackers a foothold in the network.
Fauxpersky malware was discovered by security researchers Amit Serper and Chris Black. The researchers explained in a recent blog post that the malware may not be particularly advanced and stealthy, but it is a threat and could allow the authors to steal passwords to gain access to data.
Fauxpersky infects USB drives which are used to spread the malware between devices. The malware can also replicate across the system’s listed drives. Communication with the attackers is via a Google Form, that is used to send stolen passwords and keystroke lists to the attackers’ inbox. Since the transmission is encrypted, it doesn’t appear to be data exfiltration by traffic monitoring systems.
Once installed it renames the drive and appends “Protected y Kaspersky Internet Security 2017” to the drive name. The malware records all keystrokes made on a system and also adds context to help the attackers determine what the user is doing. The name of the window where the text is being typed is added to the text file.
Once the list of keystrokes has been sent, it is deleted from the hard drive to prevent detection. The researchers reported the new threat to Google which rapidly took down the malicious form although others may well be created to take its place.
AutoHotKey Malware Likely to become More Sophisticated
AutoHotKey malware is unlikely to replace more powerful scripting languages such as PowerShell, although the rise in use of AHK and the number of new variants detected in recent weeks suggest it will not be dropped any time soon. AHK malware has now been discovered with several obfuscation functions to make it harder to detect, and many AV vendors have yet to implement the capability to detect this type of malware. In the short to medium term, we are likely to see an explosion of AHK malware variants, especially keyloggers designed to steal passwords.
A disaster recovery plan will help to ensure your business continues to function when disaster strikes, and you can recover as quickly as possible. Developing a disaster recovery plan in advance is essential as it will allow you to prevent many lost hours in the early stages of an attack when rapid action is critical.
When Disaster Strikes You Must be Ready for Action
When disaster strikes, you need to act fast to get your systems back online and return to normal business operations. One of the biggest problems for many organizations, is the amount of time that is lost immediately after a cyberattack is discovered. When staff are scrambling around not knowing what to do, precious minutes, hours, and even days can be lost.
The first few hours after a cyberattack can be critical. The time it takes to respond can have a significant impact on the cost of mitigating the attack and the harm caused. In the case of ransomware, that could be movement within your network, with one infected endpoint becoming two, then 4, then 8 and so on until files on your entire network are encrypted. Each lost minute can mean hours of extra work and major productivity losses.
The only way to ensure the fastest possible response is to be prepared for the unexpected. That means you must have a disaster recovery plan formulated that is easily accessible and can be followed by all staff involved in the breach response. Staff not responsible for recovery must be aware how they must operate in the absence of computers and critical systems to ensure the business does not grind to a halt.
Developing a Disaster Recovery Plan
There are many potential disaster scenarios. Natural disasters such as earthquakes, floods, tornados can cause major disruption, as can terrorist attacks and sabotage. The most likely disaster scenario in the current climate is a cyberattack.
All of these disaster scenarios threaten your systems and business data, so your disaster recovery plan must ensure your systems are protected and the confidentiality, integrity, and availability of data is safeguarded while you respond.
While the threat may be similar for all scenarios, priorities will be different for each situation and the order of actions and the actions themselves will be specific to different threats. It is therefore essential to plan for each of the likely disasters and to develop procedures for each. For example, your plan should cover a cyberattack affecting each specific location that you operate, and a separate plan developed for a ransomware attack, malware infection, and system outage.
Assess Business Impact and Set Priorities
A cyberattack could take out multiple systems which will all need to be restored and brought back online. That process could take days or weeks, but some systems must take priority over others. After your disaster recovery policy has been developed, you must set priorities. To effectively prioritize you will need to perform a business impact analysis on all systems. You should conduct a BIA to determine the possible financial, safety, contractual, reputational, and regulatory impact of any disaster and assess the impact on confidentiality, integrity, and availability of data. When the BIA has been completed, it should make it clear what the priorities are for recovery.
Everyone Must Know Their Role
When disaster strikes, everyone in the IT department must be aware of their responsibilities. You must know who will need to be called in when the attack occurs outside office hours, which means you must maintain up to date contact information such as phone numbers, addresses, and email addresses. You will also need to have a list of contractors and cybersecurity firms that can assist. You must know which law enforcement agencies to contact and any regulators or authorities that should be notified. All employees within the organization must be aware how their day-to-day activities will change and the role they will play, and what you will say to your customers, clients, and business associates.
Testing, Testing, Testing
You will naturally have developed a disaster recovery plan and emergency mode operations plan, but those plans rarely need to be put into action. You therefore need to be 100% sure that your disaster recovery plan developed a couple of years previously will work as planned. That is unlikely unless it is thoroughly tested and is regularly updated to take hardware, software, and business changes into account.
Your disaster recovery plan must be tested to make sure that it will work in practice. That means testing individual aspects against specific scenarios and also running through a full test – like a fire drill – to make sure that the whole plan works.
Don’t wait until disaster strikes before developing a disaster recovery plan and don’t wait for a disaster to find out all of your planning has been in vain as system changes have rendered the plan unworkable.
No matter how many cybersecurity solutions you have deployed or the maturity of your cybersecurity program, it is now essential for develop and effective security awareness program and to ensure all employees and board members are trained how to recognize email threats.
Threat actors are now using highly sophisticated tactics to install malware, ransomware, and obtain login credentials and email is the attack method of choice. Businesses are being targeted and it will only be a matter of time before a malicious email is delivered to an employee’s inbox. It is therefore essential that employees are trained how to recognize email threats and told how they should respond when a suspicious email arrives in their inbox.
The failure to provide security awareness training to staff amounts to negligence and will leave a gaping hole in your security defenses. To help get you on the right track, we have listed some key elements of an effective security awareness program.
Important Elements of an Effective Security Awareness Program
Get the C-Suite Involved
One of the most important starting points is to ensure the C-Suite is on board. With board involvement you are likely to be able to obtain larger budgets for your security training program and it should be easier to get your plan rolled out and followed by all departments in your organization.
In practice, getting executives to support a security awareness program can be difficult. One of the best tactics to adopt to maximize the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial benefits that come from having an effective security awareness program. Provide data on the extent that businesses are being attacked, the volume of phishing and malicious emails being sent, and the costs other businesses have had to cover mitigating email-based attacks.
The Ponemon Institute has conducted several major surveys and provides annual reports on the cost of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of stats. Present information clearly and show the benefit of the program and what you require to ensure it is a success.
Get Involvement from Other Departments
The IT department should not be solely responsible for developing an effective security awareness training program. Other departments can provide assistance and may be able to offer additional materials. Try to get the marketing department on board, human resources, the compliance department, privacy officers. Individuals outside of the security team may have some valuable input not only in terms of content but also how to conduct the training to get the best results.
Develop a Continuous Security Awareness Program
A one-time classroom-based training session performed once a year may have once been sufficient, but with the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer enough.
Training should be an ongoing process provided throughout the year, with up to date information included on current and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for everyone. Develop a training program using a variety of training methods including annual classroom-based training sessions, regular computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues fresh in the mind.
Use Incentives and Gamification
Recognize individuals who have completed training, alerted the organization to a new phishing threat, or have scored highly in security awareness training and tests. Try to create competition between departments by publishing details of departments that have performed particularly well and have the highest percentage of employees who have completed training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.
Security awareness training should ideally be enjoyable. If the training is fun, employees are more likely to want to take part and retain knowledge. Use gamification techniques and choose security awareness training providers that offer interesting and engaging content.
Test Employees Knowledge with Phishing Email Simulations
You can provide training, but unless you test your employees’ security awareness you will have no idea how effective your training program has been and if your employees have been paying attention.
Before you commence your training program it is important to have a baseline against which you can measure success. This can be achieved using security questionnaires and conducting phishing simulation exercises.
Conducting phishing simulation exercises using real world examples of phishing emails after training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be turned into a training opportunity.
Comparing the before and after results will show the benefits of your program and could be used to help get more funding.
Train your staff regularly and test their understanding and in a relatively short space of time you can develop a highly effective human firewall that complements your technological cybersecurity defenses. If a malicious email makes it past your spam filter, you can be confident that your employees will have the skills to recognize the threat and alert your security team.
A city of Atlanta ransomware attack has been causing havoc for city officials and Atlanta residents alike. Computer systems have been taken out of action for several days, with city workers forced to work on pen and paper. Many government services have ground to a halt as a result of the attack.
The attack, like many that have been conducted on the healthcare industry, involved a variant of ransomware known as SamSam.
The criminal group behind the attack is well known for conducting attacks on major targets. SamSam ransomware campaigns have been conducted on large healthcare providers, major educational institutions, and government organizations.
Large targets are chosen and targeted as they have deep pockets and it is believed the massive disruption caused by the attacks will see the victims pay the ransom. Those ransom payments are considerable. Demands of $50,000 or more are the norm for this group. The City of Atlanta ransomware attack saw a ransom demand issued for 6 Bitcoin – Approximately $51,000. In exchange for that sum, the gang behind the attack has offered the keys to unlock the encryption.
SamSam ransomware attacks in 2018 include the cyberattack on the electronic health record system provider Allscripts. The Allscripts ransomware attack saw its systems crippled, with many of its online services taken out of action for several days preventing some healthcare organizations from accessing health records. The Colorado Department of Transportation was also attacked with SamSam ransomware.
SamSam ransomware was also used in an attack on Adams Memorial Hospital and Hancock Health Hospital in Indiana, although a different variant of the ransomware was used in those attacks.
A copy of the ransom note from the city of Atlanta ransomware attack was shared with the media which shows the same Bitcoin wallet was used as other major attacks, tying this attack to the same group.
SecureWorks, the cybersecurity firm called in to help the City of Atlanta recover from the attack, has been tracking the SamSam ransomware campaigns over the past few months and attributes the attacks to a cybercriminal group known as GOLD LOWELL, which has been using ransomware in attacks since 2015.
While many ransomware attacks occur via spam email with downloaders sent as attachments, the GOLD LOWELL group is known for leveraging vulnerabilities in software to install ransomware. The gang has exploited vulnerabilities in JBoss in past attacks on healthcare organizations and the education sector. Flaws in VPNs and remote desktop protocol are also exploited.
The ransomware is typically deployed after access to a network has been gained. SecureWorks tracked one campaign in late 2017 and early 2018 that netted the gang $350,000 in ransom payments. The earnings for the group have now been estimated to be in the region of $850,000.
Payment of the ransom is never wise, as this encourages further attacks, although many organizations have no choice. For some, it is not a case of not having backups. Backups of all data are made, but the time taken to restore files across multiple servers and end points is considerable. The disruption caused while that process takes place and the losses suffered as a result are often far higher than any ransom payment. A decision is therefore made to pay the ransom and recover from the attack more quickly. However, the GOLD LOWELL gang has been known to ask for additional payments when the ransom has been paid.
The city of Atlanta ransomware attack commenced on Thursday March 22, and with the gang typically giving victims 7 days to make the payment. The city of Atlanta only has until today to make that decision before the keys to unlock the encryption are permanently deleted.
However, yesterday there were signs that certain systems had been restored and the ransomware had been eradicated. City employees were advised that they could turn their computers back on, although not all systems had been restored and disruptions are expected to continue.
As of today, no statement has been released about whether the ransom was paid or if files were recovered from backups.
How to Defend Against Ransomware Attacks
The city of Atlanta ransomware attack most likely involved the exploitation of a software vulnerability; however, most ransomware attacks occur as a result of employees opening malicious email attachments or visiting hyperlinks sent in spam emails.
Last year, 64% of all malicious emails involved ransomware. An advanced spam filter such as SpamTitan is therefore essential to prevent attacks. End users must also be trained how to recognize malicious emails and instructed never to open email attachments or click on links from unknown senders.
Software must be kept up to date with patches applied promptly. Vulnerability scans should be conducted, and any issues addressed promptly. All unused ports should be closed, RDP and SMBv1 disabled if not required, privileged access management solutions deployed, and sound backup strategies implemented.
2017 ransomware statistics do not make for pleasant reading. Ransomware attacks continued to increase, the cost of mitigating attacks rose, and the number of ransomware variants in use has soared. Further, there are no signs that the attacks will stop and mounting evidence that the ransomware epidemic will get worse in 2018.
Key 2017 Ransomware Statistics
We have compiled some of the important 2017 ransomware statistics from research conducted by a range of firms over the past few months.
Kaspersky Lab’s research suggests ransomware attacks on businesses were happening every 2 minutes in Q1, 2017, but by Q3 attacks were far more frequent, occurring approximately every 40 seconds. Cybersecurity Ventures predicts the frequency of attacks will increase and by 2019 there will be an attack occurring every 14 seconds.
Cybersecurity Ventures also predicts ransomware will continue to be a major problem for businesses throughout 2018 and 2019, with the total cost of ransomware attacks expected to reach $11.5 billion by 2019.
The healthcare industry is likely to be heavily targeted due to the relative ease of conducting attacks and the likelihood of a ransom being paid. Cybersecurity Ventures predicts there will be a fourfold increase in ransomware attacks on healthcare organizations by 2019.
While research from IBM in 2016 suggested 70% of businesses pay ransom demands to recover data, in 2017 the percentage dropped considerably. Far fewer firms are now considering paying ransoms to recover data.
Symantec’s 2017 Internet Security Threat Report indicates ransom demands increased by 266% between 2015 and 2017.
There is considerable variation in published 2017 ransomware statistics. Malwarebytes reports there was a 90% increase in ransomware attacks in 2017. Beazley reports the increase was 18% and the healthcare sector accounted for 45% of those attacks. A recent McAfee Report puts the rise in ransomware attacks at 59% for the year, with a 35% quarter-over-quarter increase in attacks in Q4.
Microsoft’s Security Intelligence Report indicates Asia had the highest number of ransomware attacks in 2017, with Myanmar and Bangladesh the worst hit countries. Mobile devices that were the worst hit, with the most frequently encountered ransomware variant being LockScreen – an Android ransomware variant.
55% of Firms Experienced A Ransomware Attack in 2017
The research and marketing consultancy firm CyberEdge Group conducted a study that showed 55% of surveyed organizations had experienced at least one ransomware attack in 2017. Out of the organizations that had data encrypted by ransomware, 61% did not pay the ransom.
87% of firms that experienced an attack were able to recover the encrypted data from backups. However, 13% of attacked firms lost data due to the inability to recover files from backups.
Organizations that are prepared to pay a ransom are not guaranteed viable keys to recover their encrypted files. The CyberEdge survey revealed approximately half of companies that decided to pay the ransom were unable to recover their data.
FedEx reported in 2017 that the NotPetya attack cost the firm an estimated $300 million, the same figure quoted by shipping firm Maersk and pharma company Merck. Publishing firm WPP said its NotPetya attack cost around $15 million.
Strategies are being developed by businesses to respond to ransomware attacks quickly. Some companies, especially in the UK, have bought Bitcoin to allow fast recovery. However, those that have may find their stash doesn’t go as far as it was first thought thanks to the decline in value of the cryptocurrency. Further, many cybercriminals have switched to other forms of cryptocurrency and are no longer accepting Bitcoin. A third of mid-sized companies in the UK have purchased Bitcoin for ransoms according to Exeltex Consulting Group.
The cybersecurity threat level is at an all time high, according to a recently published threat report from McAfee. The AV solution provider has compiled a report from data collected over the final quarter of 2017 which shows the last three months of 2017 saw record numbers of new malware samples detected – 63.4 million samples. A level never before seen.
The soaring value of Bitcoin and other cryptocurrencies in the final quarter of 2017 fueled a massive rise in cryptocurrency hijacking and the use of cryptocurrency miners over other forms of malware that were favored in previous quarters. With Bitcoin valued at $19,000 in December and cryptocurrency mining hardware costing several thousand dollars, it is no surprise that so many threat actors chose to hijack other computers and steal money from cryptocurrency wallets.
Cryptocurrency miners were being used in spam email campaigns, disguised as mobile apps, and there was a massive rise in the hijacking of websites and loading cryptocurrency mining code.
While mining cryptocurrencies has proven to be highly profitable for cybercriminals, they did not abandon the use of other malware variants. The use of ransomware continues to increase, with spam email the primary method of delivery.
McAfee reports that there was 35% ransomware growth in Q4, and 59% growth in 2017. For the fourth consecutive quarter there has been an increase in new ransomware variants, with much of the increase due to the widespread use of Ransom:Win32/Genasom. There is unlikely to be a fall in use of ransomware any time soon.
The use of spam email to deliver malware and ransomware continues to grow, with two botnets – Necurs and Gamut – responsible for delivering 97% of all spam email in Q4, with the former now the most prevalent spamming botnet.
Botnets are also being developed to exploit IoT devices, which typically lack security and often have poor passwords. Infecting the devices allows massive botnets to be easily assembled for use in DDoS and DoS attacks.
Q4 was the fourth consecutive quarter where new malware samples have continued to increase, with total malware samples now just short of 700,000,000. New Mac malware also increased for the third consecutive quarter and there are now approximately 750,000 Mac malware variants, although there was a fall in new mobile malware samples from the 2-year high in Q3.
There was a rise in new Faceliker and macro malware, although the biggest increase was PowerShell malware. Q4 saw a massive jump in new PowerShell downloaders.
While the cybersecurity threat level continues to increase, and all industries are at risk, healthcare was the most targeted industry in 2017 by some distance. Healthcare may have been the third most targeted industry sector in 2016-2017, but the first three quarters of 2017 saw more than twice as many attacks on healthcare organizations than any other industry sector.
McAfee reports that there has been a 210% increase in cybersecurity incidents reported by healthcare organizations in 2017 compared to 2016, although there was some respite in Q4, which saw a 78% quarter over quarter decline in security incidents.
McAfee suggests it is poor security practices that have contributed to the rise in healthcare data breaches and cyberattacks. Many of the reported incidents could have been prevented if cybersecurity best practices had been followed.
There have been several major cyberattacks on restaurants in recent months. Organized cybercriminals gangs are using specially crafted malware to silently steal credit card data from POS systems. Not only do the initial intrusions go undetected, the presence of the malware is often not detected for several months, during which time tens of thousands of credit card details are stolen.
Last month saw another large restaurant chain suffer a major breach of payment card data. The cyberattack on Applebee’s affects more than 160 of its RMH Franchise Holdings owned and operated restaurants across 15 states.
Customers who visited one of the RMH restaurants in Alabama, Arizona, Texas, Florida, Illinois, Indiana, Kansas, Kentucky, Ohio, Mississippi, Missouri, Nebraska, Oklohoma, Pennsylvania or Wyoming between November 2017 and January 2018 and paid for their meal on a credit or debit card have potentially had their card details stolen. Customers who paid using the self-pay tabletop devices were not affected, and neither were customers who paid online. The data breach was confined to RMH-operated restaurants. Other restaurants in the Applebee’s network were unaffected.
The data theft occurred as a result of malware on its POS system. The malware had been developed to capture data such as card numbers, expiry dates, CVV codes, and cardholder names. After recording the data, the information was exfiltrated to the attacker’s command and control server.
RMH reports that it has security systems in place to prevent cyberattacks and was able to contain the incident prior to discovery of malware on February 13, 2018. One a breach was discovered, RMH conducted a thorough investigation to identify the full extent of the breach and the individuals potentially impacted. A leading computer forensics firm was contracted to assist with the investigation and help mitigate of the attack. RHM has not disclosed how the malware was installed and nether the type of malware used in the attack.
The Applebee’s cyberattack is the latest in a string of cyberattacks on restaurants and retailers. In 2017 there were similar cyberattacks on restaurants throughout the United States. Arby’s fast food restaurants experienced a POS-malware related breach that affected many of its 1,000+ corporate stores. Chipotle Mexican Grill discovered malware had been installed on its POS system, with most of its stored affected over a 1-month period last spring.
Retailers are also major targets. Earlier this year, the retailer Forever21 discovered malware has been installed on its POS system. It took the retailer 7 months to identify the breach, during which time the credit and debit card details of many thousands of its customers were stolen.
Last year, many of the 750 Kmart stores were infected with POS malware – the second major credit card breach experienced by the chain in the past three years. Buckle Inc., was also attacked, with an undisclosed number of its stores affected. The malware infection remained on its system undetected for more than 5 months.
The breaches highlight the importance of implementing layered defenses to protect the entire attack surface, from spam email defenses to web filters, next generation firewalls, and advanced intrusion detection systems. It is also essential for retailers and restaurateurs to conduct regular vulnerability scans of the entire network to identify and address security flaws, with technical solutions implemented to constantly monitor POS systems for signs of compromise.
A massive campaign spreading the Dofoil Trojan has been detected by Microsoft. The campaign has already seen almost half a million PCs infected with the malware in just 12 hours. The Dofoil Trojan is otherwise known as Smoke Loader – a downloader that has been active for several years.
The Dofoil Trojan is a small application which once installed on a PC is capable of downloading other forms of malware. The Dofoil Trojan has been used in various campaigns since at least 2011 to install malware, with the latest campaign used to install cryptocurrency mining malware.
More than 400,000 Dofoil Trojan Infections Detected in Just 12 Hours
The alarm was raised on March 6 when Windows Defender detected around 80,000 instances of the Trojan on PCs with the number rising rapidly to well over 400,000 in the following 12 hours. Several variants of the Dofoil Trojan were being used in the campaign which was mostly targeting devices in Russia, Ukraine, and Turkey.
The cryptocurrency mining malware is being used to mine Electroneum coins on infected devices, although the malware can mine various different cryptocurrencies.
Detecting the malware can be difficult as it uses process hollowing to create a new instance of a legitimate Windows process for malicious purposes. In this case the malware is disguised as a Windows binary file to avoid detection – wuauclt.exe. Explorer.exe is used to create a copy of the malware in the Roaming AppData folder which is renamed ditereah.exe. The Windows registry is also altered to ensure persistence, modifying an existing entry to point to the malware copy. The malware communicates with its C2 server and is also capable of installing further malware variants onto an infected device.
While Microsoft was able to detect infections, what is not known at this stage is how the malware was installed on so many devices in such as short space of time. While the malware could potentially have been distributed by spam email, another means of distribution is suspected. Microsoft notes that in several cases the malware is believed to have been spread via torrent files, which are used in P2P file sharing, often to obtain pirated movies, music, and software.
Microsoft has only reported on the number of infections it has detected via Windows Defender. The company does not have visibility into devices that do not have the anti-malware software installed. The total number of infections is therefore likely to be far greater. The 400,000+ infections are likely to be just the tip of the iceberg.
Microsoft notes that its efforts to disrupt the operation did not just stop devices from mining cryptocurrencies. Infection with the Dofoil Trojan allows the attackers to download any number of additional malicious payloads including more dangerous malware variants and ransomware.
More than 50,000 Websites Discovered to Host Cryptocurrency Mining Malware
These sites do not result in infection with malware. Typically, the only problems experienced by website visitors is a slowing down of their computers. However, in some cases, the malware has been configured to take full advantage of visitors’ computers and some hardware damage has been caused as a result.
Since it is difficult to determine which sites have been infected or are using cryptocurrency miners, the solution for users is to use a browser extension such as minerBlock to prevent the scripts from running. Users of the Opera browser need do nothing as the browser already blocks cryptocurrency mining scripts from running.
Phishing attacks in healthcare are to be expected. Healthcare providers hold vast quantities of data on patients. Hospitals typically employ hundreds or thousands of members of staff, use many third-party vendors, and historically they have had relatively poor cybersecurity defenses compared to other industry sectors. That makes them an attractive target for phishers.
Phishing is a method of gaining access to sensitive information which typically involves a malicious actor sending an email to an employee in which they attempt to get that individual to reveal their login credentials. This is achieved using social engineering techniques to make the email recipient believe the email is a genuine. For instance, a security alert could inform the email recipient that an online account has been compromised and a password change is required. They are directed to a spoofed website where they are asked to login. The site is fake but looks genuine.
Credentials are entered and passed to the attacker who uses them to gain access to that individual’s account. Phishing can also involve malware. Emails attempt to convince the recipient to open a malware-infected attachment or download a malicious file from a compromised website.
Compliance with HIPAA Rules Helps to Prevent Phishing Attacks in Healthcare
HIPAA Rules require healthcare providers to implement administrative, technical, and physical safeguards to reduce the risk of cyberattacks and phishing. HIPAA only demands a minimum standard for data security be reached, although complying with HIPAA Rules can help to prevent phishing attacks in healthcare.
HIPAA is not technologically specific on the defenses that should be used to protect patient data. Healthcare providers can choose appropriate defenses based on the results of a risk analysis.
It is possible for healthcare organizations to be compliant with HIPAA Rules but still be vulnerable to phishing attacks. If healthcare providers are to block the majority of phishing attacks and truly secure patients’ data, they must go above and beyond the requirements of HIPAA.
HHS’ Office for Civil Rights Warns of Phishing Attacks in Healthcare
Recent phishing attacks in healthcare have prompted the HHS’ Office for Civil Rights to issue a warning about the risk from phishing.
Attacks are now highly sophisticated and can be hard to detect. The emails are often free from spelling mistakes, have near perfect grammar, include brand images and logos, and appear to have been sent from genuine domains. The reasons given for taking a specific course of action are perfectly plausible as is the need for urgent action.
OCR also highlights the rise in spear phishing attacks in healthcare. These attacks involve more targeted attempts to gain access to sensitive information and can be conducted on specific individuals or groups of individuals in an organization – The payroll or HR department for instance.
These attacks often see a CEO or superiors impersonated to add legitimacy to the attack. These attacks tend to require the opening of attachments or visiting links to download malware. Spear phishing emails are also used to request bank transfers or for sensitive information to be sent via email – W2-Forms of employees for instance. Many healthcare employees have been fooled by these scams.
Recent Phishing Attacks in Healthcare
Listed below are some of the recent examples of phishing attacks in healthcare. This is just a small selection of incidents that have resulted in healthcare records being exposed or stolen. The reality is that many data breaches start with a phishing email. Security awareness training company Cofense suggests that as many as 91% of data breaches have their root in a phishing campaign.
November 2017: 1,670 patients of Forrest General Hospital have their PHI exposed following a phishing attack on business associate HORNE.
October 2017: Henry Ford Health System discovers several email accounts were compromised as a result of employees responding to phishing emails. The PHI of 18,470 patients may have been stolen.
September 2017: Employees of UPMC Susquehanna responded to phishing emails with the attackers able to gain access to the PHI of 1,200 patients.
September 2017: A phishing attack on Wisconsin-based Network Health resulted in the PHI of approximately 51,000 patients being exposed.
August 2017: Chase Brexton Health Care in Maryland experienced a phishing attack that saw several email accounts compromised along with the PHI of 16,000 patients.
July 2017: The Medical College of Wisconsin experienced a phishing attack that allowed attackers to gain access to email accounts and the PHI of 9,500 patients.
July 2017: RiverMend Health employees responded to phishing emails and their accounts were accessed by the attackers. The PHI of 1,200 patients was potentially viewed or stolen.
June 2017: A phishing attack on Elderplan Inc., saw several email accounts compromised along with the PHI of 22,000 individuals.
June 2017: MJHS Home Care experienced a phishing attack that saw email access gained by an unauthorized individual. The compromised email accounts contained the PHI of 6,000 patients.
Staff Training and Anti-Phishing Technology
HIPAA does not specifically mention spam filters, but since phishing is used to target employees via email, spam filtering can be considered essential. By filtering out the majority of spam and malicious messages there is less potential for an employee to click on a malicious link or open a malware infected email attachment.
SpamTitan is a cloud-based anti-spam service that blocks more than 99.9% of spam emails from being delivered to inboxes and has a 0.03% false positive rate. Dual antivirus engines (Bitdefender/ClamAV) ensure malicious email attachments are blocked.
Healthcare employees are the last line of defense, so it is important for them to be able to recognize email threats and anti-phishing training is a requirement of HIPAA. In July 2017, OCR issued advice to healthcare organizations on anti-phishing training in its cybersecurity newsletter.
OCR also recommends using multi-factor authentication to ensure email accounts are not compromised when a password is guessed or stolen. Software and operating systems must be kept up to date and fully patched to prevent vulnerabilities from being exploited, and anti-virus and anti-malware solutions should be deployed to prevent infection. Regular backups can also prevent data loss in the event of a malware or ransomware infection.
Titan HQ has announced from March 5, 2018 all new customers signing up to use the SpamTitan cloud-based anti-spam service will benefit from leading antivirus and anti-malware protection from Bitdefender. All existing customers will similarly be protected by Bitdefender, although first they will need to upgrade to SpamTitan v7.00. v7.00 was released on March 5.
The primary AV engine used in previous versions of SpamTitan was provided by Kaspersky Lab, with ClamAV used as a secondary AV engine. SpamTitan v7.00 will also incorporate ClamAV as a secondary AV engine. Kaspersky AV will no longer be supported on SpamTitan suite of products from May 1, 2018.
The change to the new primary AV engine is due to a growing strategic relationship with Bitdefender. Further collaboration with the Romanian cybersecurity firm is planned for the future. Customers already using SpamTitan are encouraged to upgrade to the latest version of the product as soon as possible as several other updates have been incorporated into the latest version, including patches for recently discovered vulnerabilities in ClamAV.
These include the use-after-free vulnerability CVE-2017-12374; buffer overflow vulnerabilities CVE-2017-12375 and CVE-2017-12376; Mew Packet Heap Overflow vulnerability CVE-2017-12377; Buffer Overflow in messageAddArgument vulnerability CVE-2017-12379; and Null Dereference vulnerability CVE-2017-12380. TitanHQ has also included patches for openssl, openssh, php, and wget and updates have been included to resolve potential denial of service attacks.
Customers already on v6.x of the platform who have enabled prefetch of system updates will find the latest patches in the list of available updates on the System updates page. If this option is disabled, they should use the ‘Check for Updates Now’ option in the user interface.
Customers using SpamTitan v4 and v5 have been advised that support for both versions of SpamTitan will cease on May 1, 2018. An upgrade to version 7.00 will therefore be required before the deadline. It is important to note that the update process requires v4/5 to first be upgraded to v6 before installing SpamTitan v7.00. Upgrading to the new version will not change the existing configuration of the product.
Customers should allow 10-20 minutes for the installation of the new version and should read all product notes before installation.
This month Adobe patched a critical use-after-free vulnerability in Adobe Flash Player that affects Windows 10, Mac, Chrome, and Linux operating systems. If exploited, an attacker can gain full control of an unpatched device.
Adobe reports that an exploit for the vulnerability – tracked as CVE-2018-4878 – has been identified and is being used in attacks on Windows 10 devices.
At the time that the patch was issued, only a limited number of attacks had been detected. However, researchers at Morphisec report the vulnerability is now being exploited in a massive spam email campaign that is targeting users in the United Kingdom and United States. While the spam campaign was relatively short-lived, large quantities of emails were sent and further spam campaigns can be expected.
The emails include a shortlink which, if clicked, downloads a Word document from a recently registered domain. Opening the document sees a command prompt opened that is injected with Shellcode that connects to the attackers’ C2. Once a connection is made, a DLL file is downloaded and executed using regsvr32. According to Morphisec this bypasses whitelisting solutions. A SWF Flash file is then extracted which also had a low detection rate and the vulnerability is exploited.
What makes the attack particularly dangerous is the poor detection rate by AV solutions. In a recent blog post Morphisec said in its tests, only 1/67 AV firms on VirusTotal identified the email attachment as malicious.
The shortened goo.gl URLs used in the emails are difficult to detect as malicious and look similar to those used in legitimate email campaigns. The number of links being opened also corresponds with standard email campaigns, with high numbers of clickthroughs as the emails hit inboxes. The figures show that many email recipients have been fooled by the campaign.
This email campaign shows why it is so important for patches to be applied promptly, especially when there are active exploits for a vulnerability in the wild. This is just one campaign, and there are likely to be many conducted using the Flash exploit.
However, despite the risks from slow patching, many companies take weeks, months, or in some cases years before patches are applied, leaving them extremely vulnerable to attack.
A Colorado Department of Transportation ransomware attack on February 21, 2018 affected at least 21 computers preventing files from being accessed by employees. A prompt response to the ransomware attack limited the harm caused, although to prevent the spread of the ransomware more than 2,000 computers were shut down.
The attack has already caused considerable disruption, which is ongoing as the cleanup operation continues.
The DOT says it received a ransom demand which would need to be paid in order to obtain the keys to unlock encrypted files, but that the DOT has no intention of paying any money to the attackers. Instead the firm has called in an external cybersecurity firm (McAfee) to restore data on the affected workstations and ensure all devices are clean and protected from infection. All encrypted files will be recovered from backups.
Fortunately, the ransomware attack was limited to certain endpoints. Other computer systems that are used with surveillance cameras and traffic alerts were not affected.
The Colorado Department of Transportation ransomware attack is one of several high-profile attacks involving SamSam ransomware to have been reported this year. Hancock Health Hospital in Indiana was one notable victim. The hospital was issued with a ransom demand and paid the attackers for the keys to unlock the encryption, even though backups could have been used to recover files. A Bitcoin payment worth approximately $55,000 is believed to have been paid. The payment was believed to be considerably less than the cost of disruption while files were recovered from backups.
Another Indiana hospital – Adams Memorial Hospital was also attacked with a variant of SamSam ransomware, and Allscripts – an electronic health record provider – also suffered an attack that took down some of its web services.
SamSam ransomware first surfaced in 2015, and while some antivirus and antimalware solutions can detect the malware, the attackers continue to release new variants that are much better at evading detection.
Bleeping Computer reported on January 19 that one of the Bitcoin wallets used by the gang involved in SamSam ransomware campaign had already made approximately $300,000 from ransom payments, although that figure will almost certainly be higher since multiple Bitcoin wallets are believed to be used and the campaign is ongoing.
On February 15, Secureworks reported that the profits from the attacks had increased to at least $350,000, with the firm attributing the attacks to a hacking group called Gold Lowell.
It is unclear how the Colorado Department of Transportation ransomware attack occurred. Some sources report that the attack involved phishing emails, although Gold Lowell’s modus operandi is leveraging vulnerabilities in Remote Desktop Protocol (RDP) services.
With the campaign ongoing, all businesses should be alert to the threat from phishing and RDP attacks. Spam filters, such as TitanHQ’s cloud-based anti-spam service, are essential as is anti-phishing training for employees. If RDP is necessary, strong passwords should be set and controls implemented to reduce the potential for brute force attacks. Rate limiting on login attempts for example. It is also important to make sure that multiple data backups are performed to ensure files can be recovered in the event of an attack.
A new report has been released that shows there has been a massive rise in the global cost of cybercrime, highlighting the seriousness of the threat from hackers and scammers. 2017 global cybercrime costs exceeded $600 billion, according to the McAfee report. That represents a 20% increase since 2014, when the global cybercrime costs were calculated to be around $500 billion. The current global cybercrime costs equate to 0.8% of global GDP.
The report shows that in spite of increases in cybersecurity spending, hackers and scammers are still managing to breach organizations’ defenses and gain access to sensitive data, login credentials, corporate bank accounts, and intellectual property.
Accurately Determining the Global Cost of Cybercrime
Any calculation of global cybercrime costs involves some margin of error, as the figures cannot be totally based on reported losses by businesses. Many companies do not disclose details of data breaches, and even fewer publish information of the financial impact of cyberattacks. When details about financial losses are published, typically only a fraction of the losses are reported. In many cases the losses are not known until many years after the event. It is therefore difficult to obtain a true picture of the losses due to cybercrime because of the shortage of data.
To try to gain an accurate picture of the total cost of cybercrime, McAfee had to turn to the same modelling techniques used by government agencies to determine the costs of criminal activities such as drug trafficking, prostitution, maritime piracy, and organizational crime groups.
McAfee is not the only company to make these predictions. Compared to some reports the figures from McAfee seem quite conservative. The true cost could be considerably higher.
Factors Contributing to the Increase in Losses
McAfee reports that several factors have contributed to the large increase in cybercrime costs over the past few years. The growth in popularity of ransomware has played a part. Ransomware has proved to be a particularly plump cash cow, allowing cybercriminals to rake in millions by extorting companies. The anonymity of cryptocurrencies has helped these cybercriminal gangs obtain payments without detection, while the use of TOR has helped the gangs stay under the radar of law enforcement agencies.
Ransomware-as-a-service has also boosted profits for cybercriminals. The increase in the number of individuals conducting attacks has made it possible to increase the scale of operations and distribute the malicious code more effectively. State-sponsored hacks have also increased, including attacks aimed at sabotaging businesses and critical infrastructure as well as major heists that have seen millions of dollars stolen.
McAfee cites research showing around 300,000 new malware samples are now being identified on a daily basis, while data breaches are exposing a staggering 780,000 records a day.
Personal records can sell for big bucks on darknet forums; however, one of the biggest costs is the theft of intellectual property, which McAfee estimates has resulted in at least 25% of the annual losses to cybercrime. When patented processes are obtained, the benefits of millions in research and development is lost and companies can lose their competitive advantage.
One thing is clear from the report. With global cybercrime costs rising, and the sophistication and frequency of attacks increasing, companies have little alternative than to invest more in cybersecurity and develop more sophisticated defenses.
Cybercriminal gangs operating in Nigeria have been discovered to be using phishing kits in a highly sophisticated phishing campaign that has seen millions of dollars obtained from big businesses.
The scammers are regularly fooling employees into revealing their email login credentials – The first stage of the complex scam. The ultimate goal of the attackers is to gain access to corporate bank accounts and convince accounts department employees to make sizeable transfers to their accounts.
According to research conducted by IBM, these scams have been highly successful. Fortune 500 companies are being targeted and losses have been estimated to be of the order of several million dollars.
These scams take time to pull off and considerable effort is required on the part of the scammers. However, the potential rewards are worth the effort. Bank transfers of tens or hundreds of thousands of dollars can be made and business email accounts can be plundered.
A Sophisticated Multi-Stage Phishing Scam
In order to pull off the scam, the attackers must first gain access to at least one corporate email account. Access is gained using phishing emails, with social engineering tactics used to convince employees to click on a malicious link. Those links direct the email recipients to malicious DocuSign login pages where credentials are harvested. These malicious pages have been created on multiple websites.
According to IBM, the gang behind this campaign has created more than 100 of these pages, many of which have been loaded onto genuine websites that have been compromised by the attackers.
Once access to one email account is gained, it is easy to obtain email addresses from the contact list to fool other employees. When an email account is accessed, the attackers search the account for messages involving accounts and payments. The attackers then send emails carrying on conversations between staff members, inserting themselves into conversations and continuing active discussions.
“The attackers typically took a week between the point they gained initial access to a user’s email account and the time they started setting up the infrastructure to prepare a credible ruse,” said IBM’s X-Force researchers. “During this time, they likely conducted extensive research on the target’s organizational structure, specifically focusing on the finance department’s processes and vendors.”
By setting up email rules and filters, it is possible to block genuine conversations between the employees that could uncover the scam. By doing this, all conversations take place between a specific individual and the attacker.
This method of attack allows the attackers to gain access to banking credentials and send highly convincing emails requesting transfers to their accounts. Targeted employees are unlikely to be unaware that they are not emailing a legitimate contact.
This is a manual, labor-intensive scam involving no malware. That has the advantage of allowing the attackers to evade anti-malware technologies.
How to Protect Against These Sophisticated Email Scams
While these scams are complex, they start with a simple phishing email to gain access to a corporate email account. Once access to an email account has been gained, stopping the scam becomes much harder. The easiest time to prevent such an attack is at the initial stage, by preventing the phishing emails from reaching the inboxes of employees and training employees how to identify phishing emails.
That requires an advanced spam filtering solution that can identify the common signatures of spam and scam emails. By setting aggressive filtering policies, the vast majority of spam emails will be captured and quarantined. With the SpamTitan cloud-based anti-spam service, that equates to more than 99.9% of all spam and malicious emails. SpamTitan also has a particularly low false positive rate – less than 0.03% – ensuring genuine emails are still delivered.
No spam solution can be 100% effective, so it is also important to prepare the workforce and train staff how to identify malicious emails. Security awareness and anti-phishing training allows organizations to create a ‘human firewall’ to complement technical solutions.
Spear phishing – highly targeted email attacks – are harder to block, but it is possible to implement solutions to prevent scams such as this from resulting in credentials being obtained. In this campaign, links are sent in emails. By implementing a web filtering solution, those links can be blocked. In tandem with a spam filter, organizations with a security aware workforce will be well protected from phishing attacks.
Further, the use of two-factor authentication is an important security measure to implement. This will prevent attackers from using an unknown device to access an email account.
For further information on web filters and spam filters, and the benefits of installing them at your organization, contact the TitanHQ team today and take the first step toward improving your defenses against sophisticated phishing scams.
A new IRS-themed rapid ransomware email scam has been detected that uses the threat of significant financial penalties for late tax payments to fool victims into installing ransomware.
Tax season is well underway and cybercriminals have been increasing their efforts to obtain tax credentials to file fraudulent tax returns in the names of their victims. Businesses are the prime targets, as a successful scam can see the tax credentials of hundreds or thousands of employees obtained from a single response to an scam email.
However, it is not only tax fraudsters that are taking advantage of tax season. Ransomware attacks are also likely, as has been highlighted by a recently uncovered email scam that impersonates the IRS.
The purpose of this scam is to install Rapid ransomware. Rapid ransomware is a relatively new ransomware variant first detected in January 2018. In contrast to many ransomware variants that encrypt files and then terminate, rapid ransomware remains active after encryption and will encrypt any further files that are created on the infected device.
In addition to encrypting files, the ransomware deletes Windows shadow volume copies and disables automatic repair to hamper any attempts to restore files without paying the ransom. There is currently no decryptor for Rapid ransomware. Recovery will depend on backups being available or the ransom demand must be paid.
IRS Spoofed to Spread Rapid Ransomware
The Rapid ransomware email scam is similar to many other scams conducted during tax season. The emails are well written and plausible. There is urgency to encourage rapid action and a threat of financial penalties if the emails are ignored.
The emails have the subject line: ‘Please Note – IRS Urgent Message 164’ and contain a zipped notification attachment which email recipients are required to open to obtain further information.
In the body of the email, the recipient is led to believe they have significant tax arrears related to a property. The recipient is told that no action is taken by the IRS when tax arrears are cleared within 4-6 months of their due date, but since the recipient’s tax is 7 months out of date they are liable for a fine. They are told that if they do not respond to the email within one day and attempt to rectify the situation, ‘significant charges and fines may apply’. They are also told to open and study the attached document. The zip file contains a Word file containing a macro. If allowed to run, the macro downloads a PowerShell file, which in turn downloads Rapid ransomware.
Security aware individuals should be able to identify signs that the email is not genuine. First, the email is addressed ‘Dear Customer.’ In the event of the IRS contacting an individual about tax arrears, it would be likely that the email would be addressed using the individual’s name. However, such a situation would not occur. The IRS has confirmed in numerous warnings about phishing emails that it does not initiate contact about tax arrears via email. Further, tax arrears are serious, but not so serious that a response of 1 day would be given for a response.
The scammers behind this campaign have made some glaring mistakes in their campaign. The email address spoofed has the domain nottscc.gov.uk. While the email address looks official, it relates to Nottinghamshire County Council in the UK and the IRS is the American tax agency. However, many devices do not show the full domain so this may not be noticed. Another major error is the use of German language in the Word document, including instructions for enabling the macro.
Scam Highlights Need for Spam Filters and Security Awareness Training
Due to the errors made by the scammers, in particular the use of German and a UK local government email address – this email scam should be easily detected by employees and consumers, but such mistakes are not always made. The email is plausible, and otherwise it would be likely that many individuals would be fooled by such a scam.
For businesses, these scams can prove incredibly costly. In this case, there is no set ransom payment. Victims need to email the scammers to find out how to pay the ransom and how much is being charged. If the emails come from a business domain, the ransom payment would likely be increased. Further, ransomware can spread laterally within a network and result in file encryption on multiple endpoints and servers. With ransoms typically charged for each infected device, the costs can be considerable.
This Rapid ransomware email scam highlights the need for spam protections to be put in place to prevent malicious emails from being delivered. With SpamTitan implemented, more than 99.9% of spam email is blocked, preventing employees from having their phishing email identification skills tested.
It is also important to provide security awareness training to employees to teach them the skills they need to identify scams such as this. Not all email scams will be as easy to detect as this one. Training goes a long way toward ensuring that when emails slip past security defenses they are quickly identified by the workforce.
Saturn ransomware is a new threat recently identified by security researchers at MalwareHunterTeam. Saturn ransomware takes its name from the extension added to encrypted files (.saturn).
While it is easy to determine the ransomware variant used in an attack, this will be of little use to victims. There is currently no decryptor available to recover files.
A single infection can rapidly spread laterally, encrypting files on an infected device as well as network shares. Recovering files from backups may prove difficult. Saturn ransomware searches for and deletes shadow volume copies, clears the Windows backup catalog, and also disables Windows startup repair.
If no viable backup exists, the victim must pay a ransom payment in bitcoin of approximately $300 per infected device. If payment is not made within 7 days of infection, the ransom payment doubles.
As with many new ransomware variants, attacks can come from all angles. That is because the new ransomware variant is being offered to affiliates as ransomware-as-a-service.
Ransomware-as-a-service allows the malware developers to maximize the number of infections – and profits – by recruiting a large team of distributors to send spam emails, load the ransomware onto malicious websites, and install the malicious software by taking advantage of poor security defenses. In exchange for their efforts, affiliates are given a percentage of the ransom payments that are received.
The developers of Saturn ransomware have made it as easy as possible for affiliates. A portal has been developed that allows affiliates to obtain copies of the ransomware binaryeither embedded in exe files or Office, PDF files or other documents. To tempt individuals into using this ransomware variant instead of other RaaS offerings, the developers are offering a large percentage of the ransom payments to affiliates – 70%.
The ease of running campaigns together with the high potential rewards for infection means many affiliates are likely to start using the new ransomware variant in attacks. The new malware is already being offered on various darknet forums.
How to Block Saturn Ransomware Attacks
Spam email is the easiest way of spreading ransomware. Massive spam campaigns require little skill and there is no shortage of email addresses for sale on the dark web. We can therefore expect this new ransomware variant to be widely distributed over the coming weeks.
With spam email likely to be the main vector of attack, one of the best defenses to deploy to prevent infection is to use anti spam software such as SpamTitan. SpamTitan blocks more than 99.9% of spam email. With SpamTitan in place, emails can be blocked and will not reach end users inboxes.
However, no single defense can provide total protection from ransomware attacks. Layered defenses are required. Antivirus and antimalware solutions should be used, although signature and heuristics-based defenses will not provide total protection. Businesses should also use a technology that identifies changes to files to ensure that if infection occurs, rapid action can be taken to limit the spread of the ransomware.
Multiple copies of files should also be made to ensure that should the unthinkable happen, data will not be lost. Businesses should make at least three backups, stored on two different media, with at least one copy stored securely off-site. Good patch management policies are also required to prevent vulnerabilities from being leveraged to install the ransomware.
Technical defenses are essential, but don’t forget the human element. Ransomware spread via spam email requires some user interaction – the opening of an email attachment or the clicking of a link. Security awareness training and phishing email simulations are now a necessity to reduce user susceptibility to email-based attacks.
A new malware campaign has been detected that uses Microsoft Word without macros. Opening a Word document sent via email will not generate the usual warnings that macros must be enabled.
Employees may have been warned to be wary of any emails containing attachments, and never to enable macros on documents received via email. However, the use of Microsoft Word without macros means that even opening email attachments can see malware downloaded, if patches have not been applied.
The multi-stage infection process uses the CVE-2017-11822 Word vulnerability to install an information stealer. CVE-2017-11822 was patched by Microsoft last year, although companies that have not patched their systems recently will be vulnerable to this attack.
CVE-2017-11822 is a vulnerability in Office Equation Editor. The bug has been present in Microsoft Office for the past 17 years. Last year, Microsoft rated the code execution vulnerability as important rather than critical, but many security professionals disagreed and claimed the vulnerability was very dangerous as the bug could be exploited to run arbitrary code and the vulnerability was present in all Office versions.
Microsoft Equation Editor is an application that allows the insertion and editing of complex equations in Office documents as OLE items. Last year, security researchers were able to exploit the vulnerability to run a sequence of commands, including the downloading of files from the Internet. This campaign similarly triggers the downloading of a document – a Rich Text File (RTF) via an OLE object embedded in the Word document.
The OLE object opens the RTF file which uses the vulnerability to run a MSHTA command line, which downloads and runs an HTA file containing a VBScript. The VBScript unpacks a PowerShell script, which in turn downloads and runs the information-stealing malware. The purpose of the malware is to steal passwords from web browsers, email accounts and FTP servers.
The email campaign has been developed to target businesses. So far, four email templates have been detected by SpiderLabs researchers, although more will almost certainly be used over the coming days and weeks.
The four emails intercepted by have the subject lines:
- TNT Statement of Account
- Request for Quotation (RFQ)
- Telex Transfer Notification
- Swift Copy for Balance Payment
While a patch was released last year to address the vulnerability, Microsoft has taken further steps this Patch Tuesday by removing some of the functionality of Microsoft Equation Editor to prevent CVE-2017-11882 from being exploited.
Businesses can mitigate this attack in three main ways:
- Ensuring Office installations and operating systems are kept patched and 100% up to date
- Use of anti spam software to prevent malicious emails from being delivered to end users
- Training end users on cybersecurity best practices and the danger of opening Office documents from unknown individuals. Consider sending a warning about this campaign and the email subject lines being used
Every February, Valentine’s day email scams are to be expected and this year has been no different. On Monday, a massive new phishing campaign was launched. The Necurs botnet was used to deliver millions upon millions of dating, romance and Valentine’s themed emails.
Dating and Valentine’s Day Email Scams Pose Problems for Businesses
Dating scams increased significantly in January and continued in February. You have probably seen the emails already in one of your inboxes.
The emails appear to have been sent by Russian women desperate to find love. Unsolicited emails from attractive women complete with suggestive pictures and messages claiming the recipient is particularly attractive are certain to be spam, yet the emails are effective. The FBI’s figures indicate around $230 million is lost to these scams alone each year. In 2016, the FBI received around 15,000 complaints about financial losses as a result of dating and romance scams.
There were two major peaks in spam email volume between January 15 and 17 and January 29 and February 2 when around 35 million dating spam messages were delivered via the Necurs botnet. Over 230 million messages were sent in a two-week period in January. The aim of the campaign is to obtain credit card details, payments to cover flights to bring the women over to the US, but in many cases the purpose is to fool the email recipient into downloading malware.
Cybercriminals use all manner of tactics to entice users to click. Another effective technique, highlighted by security awareness training firms KnowBe4 and PhishMe, is the use of eCards, especially on Valentine’s Day. Links are sent that appear to be from legitimate eCard sites that require users to click the link to view a Valentine’s day card from a secret admirer. The purpose is to deliver malware.
Valentine’s day email scams this year also include messages alerting the recipient about the failed delivery of flowers from Interflora and email attachments claiming to be delivery receipts.
It is the likelihood of these emails being opened that makes defending against them a major headache for businesses. One single click is all it takes for malware to be installed, and since many malware variants can rapidly spread laterally, one click could be all it takes to compromise an entire network.
The Winter Olympics Scams Continue
This month has also seen plenty of Winter Olympics phishing campaigns conducted. Cybercriminals have been taking advantage of interest in the games to get their emails opened. Malicious links are used to direct users to websites that claim to have up to date news on the events, the competitors, fake news, and the results of events.
The reality is these links direct users to phishing websites, exploit kits, and sites where malware is silently downloaded. With workers unable to watch the sports live at work, these malicious emails stand a high chance of being opened.
With Valentine’s day and the Winter Olympics, February has been a busy month for scammers and with the Pyeongchang Winter Olympics still in full flow, businesses need to be on high alert.
Fortunately, there is one technology in particular that can help businesses counter these email-based threats. An advanced spam filtering solution: The most effective defense against email-based attacks. An advanced spam filter such as SpamTitan blocks more than 99.9% of spam emails, 100% of known malware, and ensures that phishing and other malicious emails do not reach inboxes.
To find out more about SpamTitan – the best spam filter for business use – contact the TitanHQ team today.
Last week news broke that government supercomputers in Russia had been turned into cryptocurrency miners, now comes news that many UK government websites have been infected with cryptocurrency mining code.
More than 4,200 Websites Infected with Cryptocurrency Mining Code
The latest attack affects government websites around the globe, with more than 4,200 websites turning visitors’ computers into cryptocurrency miners.
The attack involved a popular website plugin called Browsealoud. Browsealoud is used to convert written website content into audio for the blind and partially sighted. The browser plugin was compromised by hackers who altered the source code of the plugin to include cryptocurrency mining code. By altering the plugin, the malicious code runs every time a site user visits a webpage that offers the audio function using the Browsealoud plugin.
When a visitor arrived at such as webpage, the code ran and turned that user’s computer into a cryptocurrency miner, using the computer’s processing power to mine Monero. Mining is the term given to verifying cryptocurrency transfers. Mining requires a computer to solve a complex problem. Once that problem is solved, the miner is rewarded with a small payment. In this case, the individual(s) who altered the code.
Using one computer to mine cryptocurrency will only generate a small return. However, by hijacking a browser plugin on a website that is visited by many thousands of individuals, the potential returns are considerable. The processing power of millions of computers can be harnessed.
Browsealoud was developed by the British company Texthelp. According to its website, its plugin has been installed on 4,275 domains. In the United Kingdom, many government websites use the plugin, including the Financial Ombudsman Service, the Information Commissioner’s Office, the Student Loans Company, many National Health Service (NHS) websites, and local government websites including the .gov.uk sites used by Camden, Croydon, Manchester, and Newham to name but a few. Many federal and state government websites in the US have turned their visitors’ devices into cryptocurrency miners, and it is the same story in Australia, Ireland, Sweden, and beyond.
The Browsealoud plugin is understood to have been infected with cryptocurrency mining code at some point between 0300 and 1145 UTC on February 11, 2018. The code was only active for a few hours before the change was identified and Texthelp disabled the plugin.
The mining only took place while a visitor was on a webpage that used the Browsealoud plugin. As soon as the tab or browser was closed, the mining stopped. Visiting the website that had been infected with cryptocurrency mining code via the plugin would not result in a malware infection. The only noticeable effect for any visitors to the websites would have been a slowing down of their computers or the fan starting as their computer started going into overdrive.
This incident has however made it quite clear to government agencies that their websites are not secure and using third party plugins on their sites to improve services for website users introduces risk.
These supply-chain attacks exploit a trusted relationship between the website owner and a third-party software/plugin supplier and the benefits for cybercriminals are clear. All it takes is for one plugin to be hacked to have malicious code run on many thousands of websites, thus targeting millions of website visitors. In this case, the damage caused was minimal, but the attack could have been much worse. The goal on this occasion was to mine cryptocurrency. The attackers could easily have inserted much more malicious code and attempted to steal login credentials.
That means a new hash is required if the vendor does not include a version number in their updated code. However, it will ensure that attacks such as this, or worse attacks with much more malicious code, will be blocked.
Following a slew of cyber extortion attacks on schools, the FBI and the Department of Education’s Office of the Inspector General have issued a warning. Schools need to be alert to the threat of cyber extortion and must take steps to mitigate risk by addressing vulnerabilities, developing appropriate policies and procedures, and using technologies to secure their networks.
K12 schools and other educational institutions are an attractive target for cybercriminals. They hold large quantities of valuable data – The types of data that can be used to commit identity theft and tax fraud. Further, in education, security defenses are typically of a much lower standard than in other industries. Poor defenses and large volumes of valuable data mean cyberattacks are inevitable.
The warning comes after several cyber extortion attacks on schools by a group of international hackers known collectively as TheDarkOverlord. The hacking group has conducted numerous attacks on the healthcare industry the public school system since April 2016.
The modus operandi of the hacking group is to search for vulnerabilities that can be easily exploited to gain access to internal networks. Once network access is gained, sensitive data is identified and exfiltrated. A ransom demand is then issued along with the threat to publish the data if payment is not made. The hacking group does not make empty threats. Several organizations that have failed to pay have seen their data dumped online. Recent attacks have also included threats of violence against staff and students.
Access to networks is typically gained by exploiting vulnerabilities such as weak passwords, poor network security, unpatched software, and misconfigured databases and cloud storage services.
The FBI reports that the hacking group has conducted at least 69 cyber extortion attacks on schools, healthcare organizations, and businesses and has stolen more that 100 million records containing personally identifiable information. More than 200,000 of those records have been released online after ransom demands were ignored. More than 7,000 students have had their PII exposed by the hackers.
The escalation of the threats to include violence have caused panic and some schools have been temporarily closed as a result. Sensitive data has been released which has placed staff and students at risk of financial losses due to fraud. The FBI recommends not paying any ransom demand as it just encourages further criminal activity. What schools must do is take steps to mitigate risk and make it harder for their institution to be attacked. By doing so, cybercriminals are likely to continue their search for organizations that are easier to attack.
Ransomware and DDoS Attacks are Rife
TDO is not the only criminal group conducting cyber extortion attacks on schools, and these direct attacks are not the only way access to school networks is gained.
The past two years have seen a massive rise in the use of ransomware on schools. Ransomware attacks are often indiscriminate, taking advantage of vulnerabilities in human firewalls: A lack of security awareness of staff and students. These attacks commonly involve email, with malicious attachments and links used to deliver the ransomware payload.
Ransomware is malicious code that is used to search for stored files and encrypt them to prevent access. With files encrypted, organizations must either restore files from backups or pay the ransom demand to obtain the key to unlock the encryption. Since the code can also encrypt backup files, many organizations have had no alternative other than paying the ransom, since data loss is not an option.
Other cyber extortion attacks on schools do not involve data theft. DoS and DDoS attacks bombard servers with thousands or millions of requests preventing access and often damaging hardware. Cybercriminal gangs use mafia-style tactics to extort money, threatening to conduct DoS/DDoS attacks unless payment is made. Alternatively, they may conduct the attacks and demand payment to stop the attack.
The rise in cyber extortion attacks on schools means action must be taken to secure networks. A successful attack often results in educational institutions suffering major losses. The ransom payment is only a small part of the total cost. Removing ransomware, rebuilding systems, and protecting individuals whose sensitive data has been exposed can cost hundreds of thousands of dollars.
How to Protect Against Cyber Extortion Attacks on Schools
Schools and other educational institutions can develop policies and procedures and use technologies to deter cybercriminals and improve network and email security. By adhering to IT best practices and adopted a layered approach to security, it is possible to mount a robust defense and prevent cyber extortion attacks on schools.
Educational institutions should:
Implement strong passwords: Weak passwords can easily be cracked using brute force methods. Set strong passwords (Upper/lower case letters, numbers, and special characters or long 15+ digit passphrases) and use rate limiting to block access attempts after a set number of failures. Never reuse passwords for multiple accounts.
Patch promptly: Vulnerabilities in software and operating systems can easily be exploited to gain access to networks. Develop good patch management policies and ensure all software and operating systems are updated promptly.
Implement an advanced spam filter: Phishing and spam emails are commonly used to deliver ransomware and obtain login credentials. Do not rely on the spam filters of email service providers. Implement separate, advanced anti spam software or a cloud-based filtering service to block email-based threats and prevent them from reaching inboxes.
Provide security awareness training: Cybersecurity should be taught. Staff and students should be made aware of email and web-based threats and told how to identify malicious emails and potential web-based threats.
Implement a web filter: A web filter is necessary for CIPA compliance to protect students from harm caused by viewing obscene images online. A web filter is also an important cybersecurity defense that can block malware and ransomware and stop staff and students from visiting phishing websites.
Secure remote desktop/access services: Conduct audits to determine which devices have remote access enabled. If remote access is not necessary, ensure it is disabled. If the services cannot be disabled, ensure they are secured. Use Secure Sockets Layer (SSL) Transport Layer Security for server authentication, ensure sessions are encrypted, and use strong passwords. Whitelist access is strongly recommended to ensure only authorized devices can connect.
Use two-factor authentication: Use two-factor authentication on all accounts to prevent access if a password is used on an unfamiliar device.
Limit administrator accounts: Administrator accounts should be limited. When administrator access is not required, log out from those accounts and use an account with fewer privileges.
Segment your network: Segmenting the network can limit the damage caused when malware and ransomware is installed, preventing it from spreading across the entire network.
Scan for open ports and disable: Conduct a scan to identify all open ports and ensure those open, unused ports are disabled.
Monitor audit logs: Audit logs for all remote connection protocols, check logs to ensure all accounts were intentionally created, and audit access logs to check for unauthorized activity.
Backup all data: Good backup polices are essential for recovery from ransomware attacks: Adopt a 3-2-1 approach. Make three copies of backups, store them on at least two different media, and keep one copy off site. Backups should be on air-gapped devices (not connected to the Internet or network).
A new FedEx phishing scam has been detected that appears to be targeting universities and businesses. Spam emails with the subject line ‘FedEx Delivery Notification’ are sent to users that explain FedEx was unable to deliver a package. The email claims the package was over the allowable weight limit and did not qualify for free delivery.
The email recipients are informed that in order to collect the package, they must visit their local FedEx depot in person. The package will not be released unless the user presents a label to the dispatcher, which the user is required to print.
The sophisticated FedEx phishing scam involves no email attachments, only a link. However, the link does not appear to be a malicious site. The attackers are using Google Drive to distribute their malware.
This is an increasingly common tactic that abuses trust of Google. Since the website is genuine – drive.google.com – users are less likely to believe that they are being scammed. The hyperlink will direct the user to Google Drive and will trigger the download of a file called Lebal copy.exe. An executable file that if run, will install malware.
Many people know not to run executable files, although in this case the file is disguised as a PDF and has the PDF icon. If known file extensions are not configured to be displayed on the user’s computer – which is now common- they would not be aware that the file is not a PDF.
The latest scam was uncovered by researchers at Comodo, who identify the malware as a Trojan called TrojWare.Win32.Pony.IENG that steals cookies and credentials. It is capable of stealing information from FTP clients, attempts to obtain and access cryptocurrency wallets, and extracts a wide range of user data and transmits the information to its command and control server. The malware uses various tactics to avoid detection by anti-malware and anti-virus defences.
Universities and Businesses Fall for FedEx Phishing Scam
According to Comodo, so far there have been 23 businesses, several government employees, and five university employees that have fallen for the scam. Since those businesses were protected by anti-virus software that was able to block the malware they avoided infection, although many others will not be so fortunate.
Protecting against scams like this requires layered defenses and user vigilance. Spam filters should be used by businesses to detect and quarantine spam emails such as this. Links to Google Drive can be difficult to block, as Google Drive is a legitimate website. Antivirus and anti-malware defenses must therefore be in place to detect the malicious download.
Businesses should not forget the human element of the security chain. Security awareness training and phishing simulations can help users to detect a FedEx phishing scam such as this.
Netflix Users Targeted by Scammers
A new sophisticated Netflix scam has appeared in the past few days. The emails claim users will have their Netflix membership suspended due to a problem processing the most recent payment.
The email appears to have been sent from Netflix and includes all the appropriate branding, making the email look highly convincing. The subject line is ‘Suspension of your membership’.
The email says there was a problem validating the most recent payment, and a link is supplied in the email that requires the user to validate their payment and billing information.
Clicking the link directs the user to what appears to be the Netflix website where they are asked to go through a series of steps to validate their account. The validation process requires them to re-enter their payment card information. The failure to complete the step will result in the suspension of their Netflix account.
The website contains the correct branding and looks exactly like the legitimate site. The URL is different, but the website is HTTPS and has the green padlock. A casual glance at the URL may not reveal there is anything wrong with the site.
Spam filtering solutions such as SpamTitan can detect this type of scam, but users must exercise caution as not all phishing emails can be blocked.
Users should carefully check the URL of any site they visit to make sure it is legitimate before entering sensitive information. Links sent in emails should be checked by hovering the mouse arrow over the link to find out the true URL.
An email such as this should prompt the user to visit Netflix using their usual bookmark or by typing in the URL into their browser, rather than visiting any links in the email.
Phishing emails cost a North Carolina school district $314,000 to resolve and caused considerable disruption while the infection was removed.
The high cost of resolving the attack was due to a particularly nasty and difficult to remove malware variant called Emotet malware which had been installed on endpoints and servers after employees responded to phishing emails.
The Rockingham County School District was attacked in late November. Numerous employees of the school district received a phishing email in their inboxes which appeared to be an incorrect invoice from their anti-virus provider. The emails contained an attachment and asked users to open the file to confirm. Doing so triggered the infection process, that resulted in the Emotet virus being downloaded.
The purpose of the malware is to obtain banking credentials. To ensure the maximum number of credentials are stolen, the virus is able to spread to other users. It was the attempt to spread that saw the infection detected. Some employees of the school district discovered their Google email accounts had been disabled as a result of spamming, which prompted an investigation. Internet access through web browsers was also impacted, suggesting a widespread malware infection.
While a malware infection was confirmed, removing the virus was not an easy task. There is no anti-virus software program that can remove the virus and prevent infection. The school district was able to clean and reimage some infected devices, but they were subsequently reinfected.
Unable to resolve the malware infection internally, the school district was forced to bring in external security consultants. In total, approximately a dozen infected servers had to be rebuilt to remove the infection. The school district also had to cover the cost of reimaging 3,000 workstations. The recovery is expected to involve some 1,200 on-site hours by IT staff and the process is expected to take up to a month.
During that time, the school district has had limited access to computers and had to loan around 200 Windows devices for key personnel. In order to cover the cost of the phishing attack, the school district took $314,000 in funds from its coffers.
“We feel like the $314,000 will get us back to where we were before we had the virus,” said school district Superintendent Rodney Shotwell.
The high cost of the phishing attack and the disruption caused shows just how important it is to deploy an advanced anti spam software solution to prevent malicious emails from reaching inboxes, and the importance of providing security awareness training to all employees to help them identify potential phishing attacks.
What industries are the most susceptible to phishing scams? What industries must do more to prevent phishing attacks on their employees?
Recent research shows organizations that fail to implement technological defenses to block phishing emails and do not provide phishing awareness training to their employees are likely to suffer costly data breaches.
This year’s cost of a data breach study conducted by the Ponemon Institute suggests the average cost of mitigating a data breach is $3.62 million, while the FBI’s figures show that between 2013 and 2016, more than $1.6 billion was lost to phishing scams – Approximately $500 million a year. Phishing attacks on organizations have also been increasing year on year.
Unfortunately, while public awareness of the threat from phishing has improved considerably in recent years, an alarming number of employees continue to fall for phishing scams. A recent survey conducted by the phishing awareness training company Knowbe4 showed an astonishing 27% of employees clicked on a potentially malicious link or opened an email attachment sent via its phishing simulation tests. In some industry sectors, more than a third of employees failed the phishing simulations.
The Industries Most Susceptible to Phishing
Many studies produce questionable results due to a low sample size. However, the Knowbe4 study used data from 11,000 organizations and 6 million users. The results of the study therefore paint an accurate picture of just how susceptible employees are to phishing attacks.
Phishing simulations were run prior to the provision of security awareness training to obtain a baseline of the susceptibility of employees to phishing attacks. The results showed the industries most susceptible to phishing were insurance, manufacturing, retail, and non-profits. In the 1-249 employee category, 35.46% of insurance employees failed phishing tests, and 33.32% of employees failed the tests in the 250-999 employee category – The highest level of susceptibility of any industry sector in both categories.
Manufacturing was second worse in the 1-249 employee category with a failure rate of 33.21% followed by not-for-profits on 32.63%. In the 250-999 employee category, manufacturing (31.06) and business services (31.01%) were second and third.
The 1000+ employee category showed much reduced phishing susceptibility rates, ranging from business services on 19.40% to not-for-profits on 30.97%. Even the best performing industry sector saw almost 2 out of 10 employees fail phishing tests.
90 days after implementing a phishing awareness program, susceptibility to phishing was dramatically reduced. In the insurance sector, susceptibility rates fell from 35% and 33% in the small and medium sized business categories to 13% and 16%. A massive improvement. Overall, after a year – once phishing awareness training programs had matured – the overall susceptibility rates fell to a level of around 1% to 2%, with the highest percentages at the 5% level.
The survey shows just how important it is to provide ongoing training for the workforce to improve security awareness and the clear benefits of doing so.
It will never be possible to reduce phishing susceptibility to zero, therefore organizations should ensure that phishing emails are not delivered inboxes in the first place, and for that, an advanced anti spam software solution such as SpamTitan is required.
The exponential growth in the price of cryptocurrencies has been accompanied by similar growth in email campaigns spreading cryptocurrency mining malware. There has also been a big rise in new mining malware variants, with three new malware variants detected in the past week. Conservative estimates suggest one malware variant has already been installed on at least 15 million systems, although the true figure could well be closer to 30 million.
The data comes from the cybersecurity firm Palo Alto Networks, which performed an analysis of the URLs used in the campaign using Bitly telemetry. It is difficult to determine how many systems have been affected since Bitly is not the only URL shortening service being used in the campaign. AdFly is also in use, which suggests the number of infected systems could well be twice as high.
The malicious links for this campaign are being sent in spam email. Clicking the links will direct the user to a malicious website containing executable files that install the Monero mining application XMRig using VBS scripts. The popularity of Monero mining is due to the lower processor demands than cryptocurrencies such as Bitcoin. Monero mining can take place on less powerful computers such as those typically at home. In addition to spam email campaigns, the malicious executable files are being loaded to popular file sharing websites
Cryptocurrency mining malware does not pose such a big threat to organizations as other forms of malware and ransomware, but there are implications for businesses. The malware does require a considerable amount of processing power, so there will be an impact on performance on infected machines. Infection will see applications slow considerably, and that will have an impact on productivity.
Campaigns are also being conducted that target businesses. The aim is to installing cryptocurrency mining malware on business servers. These attacks are not email-based, instead vulnerabilities are identified and exploited to install the malware, with Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) vulnerabilities commonly exploited.
Preventing Infection with Cryptocurrency Mining Malware
Businesses can prevent cryptocurrency mining malware from being installed on their servers by ensuring all applications are patched and kept up to date. The patch to fix the Apache Struts vulnerability was released in September 2017, yet many businesses have not applied the patch. The DNN vulnerability has also been patched.
The risk of infections on employee and home computers requires antivirus and antimalware software and an advanced spam filter to prevent malicious messages from reaching inboxes. Businesses should also be training their staff how to recognize malicious emails. Training programs and phishing email simulations have been shown to help reduce susceptibility to email-based attacks by up to 95%.
The past few months have also seen a rise in cryptocurrency mining malware infections via unsecured WiFi networks, with cybercriminals performing man-in-the-middle attacks that hack the WiFi sessions of any user connected to one of the rogue WiFi access points. Unsecured public WiFi hotspots should be avoided, or VPNs used.
In this post we explain two of the most important strategies to adopt to block phishing and ransomware attacks.
Ensure Malicious Messages Do Not Reach Inboxes
Last year, Netwrix released a report based on a survey that showed 100% of government IT workers believed employees were the biggest threat to security. While those figures are the highest of many such surveys, the common theme throughout all of the research is employees are the most likely cause of a data breach.
One of the biggest areas of weakness is email-based attacks. Research conducted by the Friedrich Alexander University in Germany suggests half of users click links in emails from unknown senders. Those links often lead employees to phishing and malware-laced websites. With such high click rates, it is no surprise that so many IT workers believe employees are the weakest link in their security defenses.
Stopping employees from taking risky actions is difficult, so organizations must do all they can to ensure malicious emails are not delivered to inboxes. Only then, can IT workers be sure that employees will not click links or open dangerous email attachments.
TitanHQ is a leading provider of spam filtering solutions for enterprises. SpamTitan ensures the vast majority of spam and malicious emails are identified and quarantined and are not delivered to inboxes. SpamTitan blocks more than 99.9% of spam emails, ensuring end users are protected. But what can organizations do to protect their employees from the 0.1% of emails that are delivered to inboxes?
There is No Silver Bullet That Will Block Phishing and Ransomware Threats 100% of the Time
No business can no survive without email and unfortunately, no spam filtering solution can block 100% of all spam emails, 100% of the time. At least not without also blocking many genuine messages. Organizations cannot rely on a spam filter to block phishing and ransomware threats. It is just one important layer of security. Several other layers are required.
Anti-virus and anti-malware solutions are essential for detecting malicious software, but these signature-based security controls are proving less and less effective as years go by. For instance, the solutions are not particularly good at detecting fileless malware.
Most businesses further reduce risk by implementing endpoint protection systems that can detect anomalies and unnatural behavior on endpoints, indicative of an intrusion, malware activity, or ransomware scanning for files and making changes.
However, AV software and endpoint detection systems only detect phishing and ransomware attacks when they are occurring. If you want to block phishing and ransomware attacks, the most effective solution is a human firewall.
IT departments can blame employees for being rubbish at security, but if staff are not trained, they will remain the biggest security threat.
The Human Firewall – The Best Defense Against Phishing, Malware, and Ransomware Emails
A firewall is the first line of defense, and anti spam software will help to keep inboxes free from malicious messages. The rear guard is made up of your employees. To ensure you have a strong defensive backline, you must provide security awareness training. Many employees do not know that they are taking big risks that could compromise the network. It is up to organizations to ensure that those risks are explained.
Most malware and ransomware attacks involve at least some user interaction: The clicking of a link, the opening of a malicious document, or the enabling of a macro. Employees must be told this is how malware is installed and how access to email accounts and networks is gained. By training the workforce to be more security aware, employees can be turned into a formidable last line of defense.
Security Awareness Training Should Be Continuous
While it was once possible to provide annual security training and be reasonably confident that employees would be able to recognize malicious emails, that is no longer the case. Email-based cyberattacks are now far more sophisticated, and cybercriminals are investing considerably more time in developing highly convincing campaigns. Cybercriminals’ tactics are constantly changing. Training programs must reflect that.
To develop a strong human firewall, training should be ongoing. An annual classroom-based training session should be accompanied by regular CBT training sessions, provided in bite-sized chunks. Cybersecurity should be kept fresh in the mind with monthly email bulletins, as well as ad hoc alerts about new threats.
Research conducted by several security awareness training companies shows, training is very effective. PhishMe, Wombat Security Technologies, and Knowbe4 all suggest that with regular training it is possible to reduce susceptibility to email-based attacks by up to 95%.
Test the Effectiveness of Security Awareness Training with Phishing Simulations
You can backup all your data to ensure you can recover files in the event of a disaster, but if your backups are never tested you can never be sure file recovery is possible.
Similarly, providing security awareness training to employees will not guarantee you have created a strong human firewall. Your firewall must be tested. By sending phishing simulations to your workforce you can find out just how effective your training has been. You can identify weak links – employees that have not grasped the concept of phishing and email security and those individuals can be scheduled additional training. Phishing simulation exercises also help to reinforce training. When a test is failed, it can be turned into a learning opportunity, which helps to improve knowledge retention.
Implement technological solutions to block phishing and ransomware attacks and train your employees and test them on all manner of email-based attacks. When the real deal arrives in an inbox they will be prepared and deal with it appropriately. Fail to block emails or provide high quality training, and your company is likely to have to deal with a costly, and potentially disastrous, email-based attack.
Tax season is open season for cybercriminals and phishers, who increase their efforts to obtain personal information and Social Security numbers in the run up to – and during – tax season. Until April, we can expect many W2 phishing attacks. Make sure you are prepared and do not fall for a scam.
Anatomy of a W2 Phishing Attack
The most common method of stealing the information needed to file fraudulent tax returns is phishing. Phishing emails are sent in the millions to individuals in an effort to obtain their sensitive information. Individuals must be on high alert for malicious emails during tax season, but it is businesses that are most likely to be targeted.
Payroll employees have access to the W2 forms of the entire workforce. If a single worker can be convinced to email the data, the attacker can file thousands of fraudulent tax returns in the names of employees.
The way cybercriminals get payroll staff to part with sensitive data is by impersonating the CEO or CFO in what is referred to as a Business Email Compromise Scam – otherwise known as a BEC attack or CEO fraud.
The most successful attacks require access to the CEO or CFO’s email account to be gained. That means the CEO or CFO must first be targeted with a spear phishing email and lured into parting with his/her login credentials. Once access to the email account is gained, the impostor can craft an email and send it to a select group of individuals in the company: Payroll and accounts department employees.
The company is researched, individuals likely to have access to W2 forms are identified, and emails are sent. A request is made to attach the W2 forms of all employees who worked for the company in the past year, or for a specific group of employees. A series of emails may be sent, rather than asking for the information straight away.
Since the attacker has access to the CEO’s or CFO’s email account, they can delete sent emails and replies before they are seen by the account holder.
An alternative way of conducting BEC attacks is to spoof an email address. The CFO or CEO is identified from social media sites or LinkedIn, the email address is obtained or guessed based on the format used by the company, and the email is made to appear as if it has come from that email account. An alternative is for the attacker to purchase a similar domain to that used by the company, with two transposed letters for instance. Enough to fool an inattentive worker.
Oftentimes, W2 phishing attacks are not detected until days or weeks after the W2 forms have been sent, by which times IRS tax refund checks have been received and cashed.
How to Defend Against W2 Phishing Attacks
There are several methods that can be used to block W2 phishing attacks. A software or cloud-based anti-spam service should be used to block attacks that come from outside the company. Configured correctly, the spam filter should block spoofed emails and emails sent from similar domains to that used by the company. However, a spam filter will not block emails that come from the CFO or CEOs account.
Multi-factor authentication should be set up on all email accounts to help prevent the first phish that gives the attacker access to a C-suite email address. W2 phishing attacks using spoofed email addresses are much easier to identify and block.
It is therefore important to raise awareness of the threat of W2 phishing attacks with accounts and payroll staff, and anyone else with access to W2 forms. Training can greatly reduce susceptibility to W2 phishing attacks. Training should also be provided to the C-suite, not just employees.
The number of staff who have access to W2 forms should be restricted as far as is possible. Policies should also be introduced that require any request for W2 data to be verified. At a minimum, a request for the data should be checked by a supervisor. Ideally, the request should be confirmed face to face with the sender of the email, or with a quick phone call. The scammers rely on this check not taking place.
The insurance, telecoms, and financial service sectors are being targeted by malicious actors spreading Zyklon malware. A large-scale spam email campaign has been detected that leverages three separate Microsoft Office vulnerabilities to download the malicious payload.
Zyklon malware is not a new threat. The malware variant was first detected at the start of 2016, but it stopped being detected soon after and was not extensively used until the start of 2017.
Zyklon malware is a backdoor with a wide range of malicious functions. The malware acts as a password harvester, keylogger, and data scraper, obtaining sensitive information and stealing credentials for further attacks. The malware can also be used to conduct DoS attacks and mine cryptocurrency.
The latest variant of Zyklon malware can download and run various plugins and additional malware variants. It can identify, decrypt, and steal serial keys and license numbers from more than 200 software packages and can also hijack Bitcoin addresses. All told, this is a powerful and particularly nasty and damaging malware variant that is best avoided.
While the latest campaign uses spam email, the malware is not included as an attachment. A zip file is attached to the email that contains a Word document. If the document is extracted, opened, and the embedded OLE object executed, it will trigger the download of a PowerShell script, using one of three Microsoft Office vulnerabilities.
The first vulnerability is CVE-2017-8759: A Microsoft NET vulnerability that was patched by Microsoft in October.
The second ‘vulnerability’ is Dynamic Data Exchange (DDE) – a protocol part of Office that allows data to be shared through shared memory. This protocol is leveraged to deliver a dropper that will download the malware payload. This vulnerability has not been patched, although Microsoft has released guidance on how to disable the feature to prevent exploitation by hackers.
The third vulnerability is far older. CVE-2017-11882 is a remote code execution flaw in Microsoft Equation Editor that has been around for 17 years. The flaw was only recently identified and patched by Microsoft in November.
The second stage of infection – The PowerShell script – serves as a dropper for the Zyklon malware payload.
According to the FireEye researchers who identified the campaign, the malware can remain undetected by hiding communications with its C2 using the Tor network. “The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtiil.exe, and functions as a Tor anonymizer.”
Campaigns such as this highlight the importance of applying patches promptly. Two of the vulnerabilities were patched in the fall of 2017, yet many organizations have yet to apply the patches and remain vulnerable. If patches are not applied, it will only be a matter of time before vulnerabilities are exploited.
FireEye researchers have warned that while the campaign is currently only targeting three industry sectors, it is probable that the campaign will be widened to target other industry sectors in the near future.
The advice is to implement an advanced cloud-based anti-spam service such as SpamTitan to identify and quarantine malicious emails, and ensure that operating systems and software is kept up to date.
More than 60 apps have now been removed from Google Play Store that were laced with AdultSwine Malware – A malware variant that displays pornographic adverts on users’ devices. Many of the apps that contained the malware were aimed at children, including Drawing Lessons Lego Star Wars, Mcqueen Car Racing Game, and Spinner Toy for Slither. The apps had been downloaded by between 3.5 and 7 million users before they were identified and removed.
While the malicious apps have been removed, users who have already downloaded the infected apps onto their devices must uninstall the apps to remove the malware. Simply deleting the apps from the Play Store only prevents more users from being infected. Google has said that it will display warnings on Android phones that have the malicious apps installed to alert users to the malware infection. It will be up to users to then uninstall those apps to remove the AdultSwine malware infection.
Apps Infected with AdultSwine Malware
- Addon GTA for Minecraft PE
- Addon Pixelmon for MCPE
- Addon Sponge Bob for MCPE
- Blockcraft 3D
- CoolCraft PE
- Dragon Shell for Super Slither
- Draw Kawaii
- Draw X-Men
- Drawing Lessons Angry Birds
- Drawing Lessons Chibi
- Drawing Lessons Lego Chima
- Drawing Lessons Lego Ninjago
- Drawing Lessons Lego Star Wars
- Drawing Lessons Subway Surfers
- Easy Draw Octonauts
- Exploration Lite: Wintercraft
- Exploration Pro WorldCraft
- Fire Skin for Slither IO app
- Five Nights Survival Craft
- Flash Skin for Slither IO app
- Flash Slither Skin IO
- Girls Exploration Lite
- Guide Clash IO
- Guide Vikings Hunters
- How to Draw Animal World of The Nut Job 2
- How to Draw Batman Legends in Lego Style
- How to Draw Coco and The Land of the Dead
- How to Draw Dangerous Snakes and Lizards Species
- How to Draw Real Monster Trucks and Cars
- Invisible Skin for Slither IO app
- Invisible Slither Skin IO
- Jungle Survival Craft 1.0
- Jurassic Survival Craft Game
- Mcqueen Car Racing Game
- Mine Craft Slither Skin IO
- Pack of Super Skins for Slither
- Paw Puppy Run Subway Surf
- Pixel Survival – Zombie Apocalypse
- Players Unknown Battle Ground
- San Andreas City Craft
- San Andreas Gangster Crime
- Shin Hero Boy Adventure Game
- Spinner Toy for Slither
- Stickman Fighter 2018
- Subway Banana Run Surf
- Subway Bendy Ink Machine Game
- Subway Run Surf
- Temple Bandicoot Jungle Run
- Temple Crash Jungle Bandicoot
- Temple Runner Castle Rush
- Virtual Family – Baby Craft
- Woody Pecker
- Zombie Island Craft Survival
Malicious Activities of AdultSwine Malware
AdultSwine malware, and the apps that infect users, were identified and analyzed by security researchers at CheckPoint. The researchers note that once downloaded onto a device, the malware sends information about the user to its command and control server and performs three malicious activities: Displaying advertisements, signing up users to premium services, and installing scareware to fool victims into paying for security software that is not necessary. Information is also stolen from the infected device which can potentially be used for a variety of malicious purposes.
The advertisements are displayed when users are playing games or browsing the Internet, with the adverts coming from legitimate ad networks and the AdultSwine library. The AdultSwine malware library includes extreme adverts containing hardcore pornographic images. Those images appear on screen without warning.
The scareware claims the victim’s device has been infected with a virus that requires the download of an anti-malware app from the Google Play Store, although the virus removal tool is a fake app. Users are told that their phone will be rendered unusable if the app is not downloaded, with a countdown timer used to add urgency.
Registering for premium services requires the user to supply further information, which is done through pop-up phishing adverts. The user is told they have won a prize, but that they must answer four questions to claim their prize. The information they supply is used to register for premium services.
Preventing Infection of Mobile Devices
Generally, users can reduce the risk of a malware infection by only downloading apps from official app stores, although this latest malware campaign has shown that even official stores can be compromised and have malicious apps uploaded.
Google does scan all apps for malware, but new forms of malware can be sneaked into Google Play Store on occasion. Google has announced that from the end of January it will be rolling out a new service called Google Play Protect that is capable of scanning previously downloaded apps to ensure they are still safe to use.
Google recommends only downloading apps for children that have been verified by Google as being ‘Designed for Families’. Those apps may contain adverts, but they have been vetted and strict rules apply covering the advertisements that can be displayed.
It is also important to install some form of anti-malware solution – from a reputable and well-known company – that will scan downloaded content and apps for malware.
It has been pretty difficult to avoid the news of Meltdown and Spectre – Two vulnerabilities recently discovered that could potentially be exploited to gain access to sensitive information on PCs, Macs, servers, and smartphones. Meltdown and Spectre affect virtually all devices that contain CPUs, which amounts to billions of devices worldwide.
What are Meltdown and Spectre?
Meltdown and Spectre are two separate vulnerabilities affecting CPUs – central processing units. The chips that power a wide range of electronic devices. The flaws make devices vulnerable to side-channel attacks, in which it is possible to extract information from instructions that have been run on CPUs, using the CPU cache as a side channel.
There are three types of attacks, two for Spectre and one for Meltdown. Spectre Variant 1 – tracked as CVE-2017-5753- is a bounds check bypass, while Spectre variant 2 – tracked as CVE-2017-5715 – is a branch target injection. Variant 3, termed Meltdown – tracked as CVE-2017-5754 – is a rogue data cache load, memory access permission check that is performed after kernel memory read.
The less technical explanation is the attacks leverage the prediction capabilities of the CPU. The CPU will predict processes, load them to an easily accessible, fast sector of the memory to save time and ensure fast performance. Spectre allows data to be read from the memory, but also for information to be loaded into the memory and read that would otherwise not be possible.
Meltdown also reads information from the memory, stealing information from memory used by the kernel that would not normally be possible.
What Devices are Affected by Meltdown and Spectre?
US-CERT has warned that the following vendors have been affected by Meltdown and Spectre: AMD, Apple, Arm, Google, Intel, Linux Kernel, Microsoft, and Mozilla. Apple has said that virtually all of its Macs, iPhones, and iPads are affected. PCs and laptops with Intel, Arm, and AMD chips are affected by Spectre, as are Android smartphones. while Meltdown affects desktops, laptops, and servers with Intel chips. Since servers are affected, that has major implications for cloud service providers.
How Serious are Meltdown and Spectre?
How serious are Meltdown and Spectre? Serious enough for the Intel chief executive officer, Brian Krzanich, to sell $25 million of his shares in the company prior to the announcement of the flaws, although he maintains there was no impropriety and the sale of the shares was unrelated to the announcement of the flaws a little over a month later.
For users of virtually all devices that contain CPUs, the flaws are certainly serious. They could potentially be exploited by malicious actors to gain access to highly sensitive data stored in the memory, which can include passwords and credit card data.
What makes these flaws especially serious is the number of devices that are affected – billions of devices. Since one of the flaws affects the hardware itself, which cannot be easily corrected without a redesign of the chips, resolving the problem will take a considerable amount of time. Some security experts have predicted it could take decades before the flaws are totally eradicated.
At present, it would appear that the flaws have not been exploited in the wild, although now the news has broken, there will certainly be no shortage of individuals attempting to exploit the flaws. Whether they are able to do so remains to be seen.
What Can You do to Prevent Meltdown and Spectre Attacks?
As is the case when any vulnerability is identified, protecting against Meltdown and Spectre requires patches to be applied. All software should be updated to the latest versions, including operating systems, software packages, and browsers. Keeping your systems 100% up to date is the best protection against these and other attacks.
Some third-party antivirus software will prevent Windows patches from being installed, so before Windows can be updated, antivirus must be updated. Ensure that your AV program is kept up to date, and if you have automatic updates configured for Windows, as soon as your system is ready for the update it will be installed.
Chrome and Firefox have already been updated, Microsoft will be rolling out a patch for Windows 10 on Thursday, and over the next few days, updates will be released for Windows 7 and 8. Apple has already updated MacOS version 10.13.2, with earlier versions due to receive an update soon.
Google has already issued updates for Android phones, although only Google devices have so far been updated, with other manufactures due to roll out the updates shortly. Google has already updates its Cloud Platform, and Amazon Web Services has also reportedly been updated. Linux updates will also be issued shortly.
Fixes for Meltdown are easier to implement, while Spectre will be harder as true mitigations would require major changes to the way the chips work. It is unlikely, certainly in the short term, for Intel to attempt that. Instead, mitigations will focus on how programs interact with the CPUs. As US-CERT has warned, “[The] Underlying vulnerability is caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” although that advice is no longer detailed in its updated vulnerability warning.
Applying patches will help to keep computers protected, but that may come at a cost. For example, the fix for the Meltdown vulnerability changes the way the computer works, which means the processor will have to work harder as it has to repeatedly access information from the memory – tasks that would otherwise not normally need to be performed.
That will undoubtedly have an impact on the performance of the machine. How much of a dip in performance can be expected? Some experts predict the changes could slow computers down by as much as 30%, which would certainly be noticed at times when processor activity is particularly high.
A recently discovered Forever 21 POS malware attack has seen customers’ credit card data compromised. While malware attacks on retail POS systems are now commonplace, in the case of the Forever 21 POS malware attack, the security breach stands out due to the length of time malware was present on its systems. Attackers first gained access to its POS system seven months before the infection was discovered.
The Forever 21 POS malware infections were first identified in October, when a third-party linked credit card fraud to customers who had previously visited Forever 21 stores. The potential malware infections were investigated and a third-party cybersecurity firm was called in to assist.
Forever 21 first made the announcement about a data breach in November, although the investigation has been ongoing and now new details about the attack have been released.
The investigation has revealed the attack was extensive and affected many POS devices used in its U.S. stores. The Forever 21 POS malware attack started on April 3, 2017, with further devices compromised over the following 7 months until action was taken to secure its systems on November 18, 2017. Forever 21 reports that some POS devices in its stores were only compromised for a few days, others for a few weeks, while some were compromised for the entire timeframe.
In response to the increased threat of cyberattacks on retailers, Forever 21 started using encryption technology on its payment processing systems in 2015; however, the investigation revealed the encryption technology was not always active.
While the encryption technology was active, the attackers would have been prevented from obtaining the credit card details of its customers, although the information could be stolen at times when the encryption technology was turned off.
Further, some devices that were compromised by the malware maintained logs of completed credit card transactions. When the encryption technology was not active, details of completed transactions were stored in the logs and could therefore be read by the attackers. Since those logs contained details of transactions prior to the malware infections, it is possible that customers who visited affected Forever 21 stores prior to April 3, 2017 may also have had their credit card details stolen.
Each store uses multiple POS devices to take payments from consumers, and in most cases only one device per store was compromised. The attackers concentrated their efforts on stores where POS devices did not have encryption enabled. Further, the attackers main aim appeared to be to find and infect devices that maintained logs of transactions.
On most POS devices, the attackers searched for track data read from payment cards, and in most cases, while the number, expiry date and CVV code was obtained, the name of the card holder was not.
The investigation into the Forever 21 POS malware attack is ongoing, and at present it is unclear exactly how many of the company’s 700+ stores have been affected, how many devices were infected, and how many customers have had their credit and debit card details stolen. However, it is fair to assume that an attack of this duration will have affected many thousands of customers.
The type of malware used in the attack is not known, and no reports have been released that indicate how the attackers gained access to its systems. It is not yet known if stores outside the US have been affected.
2017 has been a bad year for data breaches, but what were the worst data breaches of 2017? We have compiled a list of the largest and most serious cyberattacks that came to light this year.
The Worst Data Breaches of 2017
Equifax – 143 Million Records
The Equifax data breach was discovered in September and ranks first in our list of the worst data breaches of 2017, not just for the size of the breach, but also due to the nature of data stolen by the attackers. Equifax reports that the breach impacted as many as 143 million consumers – That’s 44% of the population of the United States.
The data stolen in the attack including highly sensitive information – the types of data cybercriminals seek in order to commit identity theft and fraud. Social Security numbers and driver’s license numbers were stolen along with names, addresses, dates of birth, and credit card numbers. The breach was the result of an unpatched software vulnerability.
Deep Root Analytics – 198 Million Records
The data breach at Deep Root Analytics was massive, involving almost 200 million records. Deep Root Analytics is a marketing firm that was contracted by the Republican National Convention to gather political information on U.S voters.
The data were stored in an Amazon AWS S3 bucket that could be accessed without the need for a password for two weeks before the lack of protection was discovered. During that time, voter records could be accessed, including names, addresses, dates of birth, and phone numbers.
Uber – 57 Million Records
The Uber data breach may not have been the most severe in terms of the types of data exposed, but it certainly ranks as one of the worst data breaches of 2017, affecting some 57 million riders and drivers.
What really makes this one of the worst breaches of 2017 is the discovery that Uber attempted to keep the breach quiet. Uber paid the attacker $100,000 to keep quiet and not publish the data, which included names, addresses, email addresses, and in some cases, driver’s license numbers. The breach occurred in October 2016, but it was not disclosed for more than a year.
Verizon – 14 Million Records
As with many other data breaches in 2017, this security breach was due to an unsecured Amazon AWS S3 bucket that was controlled by NICE systems – A partner of Verizon. It is unclear whether Verizon customer data was stolen, but the records of 14 million customers were exposed. Those records included names, PIN numbers, and phone numbers in the form of logs from Verizon customers that had called its customer service department. Potentially, the information could be used to access customers’ accounts. The data were stored in an unprotected Amazon AWS S3 bucket
Dun & Bradstreet – 33.7 Million Records
The data analytics firm Dun & Bradstreet created a marketing database containing 52 GB of data, including 33.7 million email addresses and contact information. While Dun & Bradstreet maintains its systems were not compromised, one of the companies that the database was sold to certainly was. The database contained the records of millions of employees of major companies including Wal-Mart and CVS Health, as well as the U.S Postal Service and the Department of Defense.
America’s JobLink – 4.8 Million Records
A misconfigured application was exploited by a hacker to gain access to the records of 4.8 million individuals. The data were maintained by America’s JobLink – a firm that connects employers and job seekers
The breach was detected in March 2017, although an analysis revealed the code error was introduced in October 2016. The hacker exploited the vulnerability in February and had access to the data for a month.
The breach was particularly bad as it involved names, dates of birth and Social Security numbers, placing the breach victims at a high risk of identity theft and fraud. It is unclear whether the hacker managed to steal all 4.8 million records.
Deloitte – 350+ records
In the list of the largest data breaches of 2017, the Deloitte breach would come in very close to the bottom; however, in terms of the potential severity of the breach it ranks near the top. An estimated 350 clients were impacted when a hacker gained access to Deloitte’s email server and email conversations between the firm and its clients. Those clients included government departments – including Homeland Security and the Department of Defense – the National Institutes of Health, FIFA, and the U.S Postal Service.
The breach was discovered this year, although the hackers reportedly had access to its systems for several months. The email server was breached using an admin account, with the breach preventable had two-factor authentication been used.
River City Media – 1.4 Billion Records
A massive illegal spam operation run by River City Media was uncovered this year by security researchers, who discovered more than 1.4 billion records had been left exposed online. An analysis of the data showed there were 393 million unique email addresses in the database, along with names, IP addresses, and real addresses.
The investigation into River City Media revealed the group was sending as many as a billion emails a day, and was masquerading as a legitimate marketing company. The files were exposed due to poor RSync backup practices, which ensured a disaster would not result in data loss, but the firm inadvertently left its data exposed online.
Onliner Spambot – 711 Million Records
Another massive data breach to affect spammers involved the operator of the onliner spambot, which harvested email addresses to send spam emails. A database of some 711 million email addresses was left exposed online after the server on which the data were stored had been left unprotected. It is unknown how many people discovered the database and are now using it to plague those 711 million individuals with email more spam email. The breach was largely limited to email addresses, but in terms of size, it certainly ranks as one of the worst data breaches of 2017.
Every December, a list of terrible passwords is published by SplashData, and this year the list of the worst passwords of 2017 contains the same horrors as years gone by. Passwords that not only would take a hacker next to no time to guess, but in many cases, could be cracked at the first attempt.
The list of the worst passwords of 2017 is compiled from databases of leaked and stolen passwords that have been published online throughout 2017. This year, SplashData compiled its list from more than 5 million leaked passwords.
The minimum password length on many websites has now been increased to eight characters; however, it is still possible to use passwords of six characters in many places. This year, the worst password is six characters long and is the extremely unimaginative: 123456. A password so easy to guess, it is barely worth setting a password at all.
In second place is an eight-character password, which is similarly not worth using at all: password. In third place is 12345678. Those three passwords retained the same positions as last year.
Each year, the same passwords appear on the list, with slight fluctuations in their positions in the list. However, there are some new entries this year. The rebooting of the Star Wars saga has spurred many people to choose Star Wars related passwords, with starwars featuring in 16th position on the list.
An interesting entry makes it into 25th place – trustno1. Good advice, but even with the addition of a number, it is still a poor password choice. At first glance, number 24 in the list appears to be reasonable, but qazwsx is the first six characters on the left-hand side of the keyboard.
Using the passwords letmein, passw0rd, admin, master, and whatever, are all equally bad. All of those words make the top 25 in the list of the worst passwords of 2017.
Top 25 Worst Passwords of 2017
The list of the worst passwords of 2017 reveals many people are extremely unimaginative when choosing a password to secure their email, social media, and online accounts.
SplashData estimates 3% of people have used the worst password on the list, while 10% have used one of the first 25 passwords to “secure” at least one online account.
Most people know that strings of consecutive numbers are bad, as is any variation of the word password, but changing to a dictionary word or a pop culture reference is just as bad, as Morgan Slain, CEO of SplashData, Inc., explained, “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”
That means using football (or any other sport) or starwars will not prevent a hacker from gaining access to an account for very long.
What Makes a Bad Password?
Brute force attacks, those where repeated attempts are made to guess passwords, does not involve a hacker sitting at a computer typing bad passwords until the correct one is guessed. Those attacks are performed by bots, and it doesn’t take long for a bot to guess a poor password.
Without rate limiting – setting a maximum number of failed attempts before access is temporarily blocked – to slow down the process, the bots can cycle through the list of the worst passwords of 2017 quickly, followed by those used in other years and other dictionary words.
Hackers also know the tricks that people use to keep passwords easy to remember, while meeting the strong password requirements set by IT departments, such as adding an explanation mark to the end of an easy to remember word or replacing certain letters with their numerical equivalent: An A with a 4, or an O with a zero for instance.
What Makes a Good Password?
A good password should contain upper and lowercase letters, numbers, and special characters, and should preferably be a random string of 10 or more characters. That of course makes passwords very difficult to remember. Writing the password down so you don’t forget it is also a very bad idea, as is reusing passwords on multiple sites and recycling old passwords.
In 2017, NIST revised its advice on choosing passwords as its research showed that forcing people to choose upper and lower-case passwords and special characters did not always ensure people chose strong passwords. Instead, they get around the technology by simply changing the first letter to a capital letter and adding a special character and number to the end, for instance.
Instead, NIST recommended using a passphrase rather than a password. A phrase that only you would know.
A list of four or five unrelated words would work well. Dogforkliftmonkeyhousecar would be a strong password phrase to use (other than the fact it has now been published online). It would be difficult to crack but easy to remember with a mnemonic.
To keep your accounts secure, make sure you choose strong and complex passwords, ideally long passwords of at least 15 characters. However, remembering the 20 or so unique passwords you are likely to need will still be hard.
The solution is to use a password manager, and to secure that account with a strong hard to guess password. Then only one complex password must be remembered.
Digimine malware is a new threat that was first identified from a campaign in South Korea; however, the attacks have now gone global.
Ransomware is still a popular tool that allows cybercriminals to earn a quick payout, but raised awareness of the threat means more companies are taking precautions. Ransomware defenses are being improved and frequent backups are made to ensure files can be recovered without paying the ransom. Not only is it now much harder to infect systems with ransomware, rapid detection means large-scale attacks on companies are prevented. It’s harder to get a big payday and the ability to restore files from backups mean fewer organizations are paying up.
The surge in popularity of cryptocurrency, and its meteoric rise in value, have presented cybercriminals with another lucrative opportunity. Rather than spread ransomware, they are developing and distributing cryptocurrency miners. By infecting a computer with a cryptocurrency miner, attackers do not need to rely on a victim paying a ransom.
Rather than locking devices and encrypting files, malware is installed that starts mining (creating) the cryptocurrency Monero, an alternative to Bitcoin. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to solve complex numeric problems. For verifying transactions, cryptocurrency miners are rewarded with coins, but cryptocurrency mining requires a great deal of processing power. To make it profitable, it must be performed on an industrial scale.
The processing power of hundreds of thousands of devices would make the operation highly profitable for cybercriminals, a fact that has certainly not been lost on the creators of Digimine malware.
Infection with Digimine malware will see the victim’s device slowed, as its processing power is being taken up mining Monero. However, that is not all. The campaign spreading this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could potentially result in the victim’s Facebook account being hijacked.
The Digimine malware campaign is being spread through the Desktop version of Facebook Messenger, via Google Chrome rather than the mobile app. Once a victim is infected, if their Facebook account is set to login automatically, the malware will send links to the victim’s contact list. Clicking those links will result in a download of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.
Infections were first identified in South Korea; however, they have now spread throughout east and south-east Asia, and beyond to Vietnam, Thailand, Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.
A similar campaign has also been detected by FortiGuard Labs. That campaign is being conducted by the actors behind the ransomware VenusLocker, who have similarly switched to Monero mining malware. That campaign also started in South Korea and is spreading rapidly. Rather than use Facebook Messenger, the VenusLocker gang is using phishing emails.
Phishing emails for this campaign contain infected email attachments that download the miner. One of the emails claims the victim’s credentials have been accidentally exposed in a data breach, with the attachment containing details of the attack and instructions to follow to mitigate risk.
These attacks appear to mark a new trend and as ransomware defenses continue to improve, it is likely that even more gangs will change tactics and switch to cryptocurrency mining.
A Q3 malware threat report from McAfee charts the continued rise in malware threats throughout the year. Malware variants have now reached an all time high, with the volume of threats having risen each quarter in 2017.
In 2016, there were high levels of malware in Q1, rising slightly in Q2 before tailing off in Q3 and A4. That trend has not been seen this year. The malware threat report shows Q1 figures were higher than the previous two quarters, with a massive rise in Q3 and a continued increase in Q3. Malware threats rose 10% quarter over quarter, rising to a quarterly total of 57.6 million new samples of malware: The highest quarterly total detected by McAfee. That averages out at a new malware sample detected every quarter of a second!
The ransomware epidemic has also got worse in Q3, with new ransomware variants increasing by 36% last quarter, fueled by a sharp increase in Android screen lockers. In total, new mobile malware variants increased by 60% in Q3.
In its Q3 Malware Threat Report, McAfee noted that attackers were continuing to rely on spam email to distribute malware, with the Gamut botnet the most prevalent spamming botnet in Q3, closely followed by the Necurs botnet. The latter was used to spread ransomware variants such as Locky. Mac malware rose by 7% in Q3, and macro malware increased by 8%.
Vulnerabilities in software and operating systems were also extensively exploited, even though patches to address those vulnerabilities were released promptly.
McAfee notes that employees and organizations are making it far too easy for attackers. Employees are responding to phishing emails, are visiting malicious links and are opening attachments and enabling the content. Employers are no better. Patches are released, yet they are not being applied promptly, opening the door to attackers. In many cases, patches have still not been applied several months after they have been released.
One of the most commonly exploited vulnerabilities in Q3, 2017 was CVE-2017-0199 which affected WordPad and Microsoft Office. An exploit for the vulnerability was made available through GitHub, making remote code execution attacks easy; provided employees could be convinced to open specially crafted files. Many employees fell for the scam emails.
The McAfee Q3 Malware Threat Report highlighted several continuing malware trends, including the increase in the use of fileless malware. PowerShell malware increased by 119% in Q3 alone.
Q3 saw a new Locky variant released – Lukitus. Lukitus was spread via spam email, with more than 23 million messages delivered in the first 24 hours since its release. That, combined with other new ransomware threats, have contributed to a 44% increase in ransomware samples in the past 12 months.
Q3 also saw the release of a new variant of the Trickbot Trojan, which incorporated the EternalBlue exploit that was also used in the WannaCry and NotPetya attacks.
While no industry is immune to attack, it is the healthcare and public sectors that are taking the brunt of the attacks, accounting for 40% of all reported security incidents in Q3. In the United States, healthcare was the most commonly attacked industry.
The extensive use of spam and phishing emails to spread malware highlights the importance of using an advanced spam filtering solution such as SpamTitan, especially considering how employees are still struggling to identify malicious emails. Blocking these threats and preventing malicious messages from being delivered will help organizations prevent costly data breaches.
The high level of infections that occurred as a result of exploited vulnerabilities also shows how important it is to apply patches promptly. McAfee notes that many of the exploited vulnerabilities in Q3 were patched as early as January. If patches are not applied promptly, they will be exploited by cybercriminals to install malware.
In this article we explore the cost of HIPAA noncompliance for healthcare organizations, including the financial penalties and data breach costs, and one of the most important technologies to deploy to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA)
In the United States, healthcare organizations that transmit health information electronically are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was introduced in 1996 with the primary aim of improving healthcare coverage for employees between jobs, although it has since been expanded to include many privacy and security provisions following the introduction of the HIPAA Privacy and Security Rules.
These rules require HIPAA-covered entities – health plans, healthcare providers, healthcare clearinghouses and business associates – to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Those safeguards include protections for stored PHI and PHI in transit.
HIPAA is not technology specific, if that were the case, the legislation would need to be frequently updated to include new protections and the removal of outdated technologies that are discovered not to be as secure as was initially thought. Instead, HIPAA leaves the actual technologies to the discretion of each covered entity.
In order to determine what technologies are required to keep PHI secure, covered entities must first conduct a risk analysis: A comprehensive, organization-wide analysis of all risks to the confidentiality, integrity, and availability of PHI. All risks identified must be managed and reduced to an appropriate and acceptable level.
The risk analysis is one of the most common areas where healthcare organizations fall afoul of HIPAA Rules. Healthcare organizations have been discovered not to have included all systems, hardware and software in the risk analysis, or fail to conduct the analysis on the entire organization. Vulnerabilities are missed and gaps remain in security controls. Those gaps allow hackers to take advantage and gain access to computers, servers, and databases.
When vulnerabilities are exploited, and a data breach occurs, HIPAA-covered entities must report the security breach to the Department of Health and Human Services’ Office for Civil Rights (OCR): The main enforcer of HIPAA Rules. OCR investigates data breaches to determine whether they could realistically have been prevented and if HIPAA Rules have been violated.
What is the Cost of HIPAA Noncompliance?
When healthcare organizations are discovered not to have complied with HIPAA Rules, financial penalties are often issued. Fines of up to $1.5 million per violation category (per year that the violation has been allowed to persist) can be issued by OCR. The cost of HIPAA noncompliance can therefore be severe. Multi-million-dollar fines can, and are, issued.
The cost of HIPAA noncompliance is far more than any financial penalty issued by OCR, or state attorneys general, who are also permitted to issue fines for noncompliance. HIPAA requires covered entities to notify individuals impacted by a data breach. The breach notification costs can be considerable if the breach has impacted hundreds of thousands of patients. Each patient will need to be notified by mail. If Social Security numbers or other highly sensitive information is exposed, identity theft protection services should be offered to all breach victims.
Forensic investigations must be conducted to determine how access to data was gained, and to establish whether all malware and backdoors have been removed. Security must then be enhanced to prevent similar breaches from occurring in the future.
A data breach often sees multiple lawsuits filed by the victims, who seek damages for the exposure of their information. Data breaches have a major negative impact on brand image and increase patient churn rate. Patients often switch providers after their sensitive information is stolen.
On average, a data breach of less than 50,000 records costs $4.5 million to resolve according to the Ponemon Institute and has an average organizational cost of $7.35 million.
The 78.8 million-record breach experienced by Anthem Inc. in 2015 is expected to have cost the insurer upwards of $200 million. That figure does not include lost brand value and reputation damage, and neither a HIPAA fine from OCR.
A summary of the cost of HIPAA noncompliance, including recent fines issued by attorneys general and OCR has been detailed in the infographic below.
The Importance of Protecting Email Accounts
There are many ways that unauthorized individuals can gain access to protected health information – via remote desktop applications, by exploiting vulnerabilities that have not been patched, accessing databases that have been left exposed on the Internet, or when devices containing unencrypted PHI are stolen. However, the biggest single threat to healthcare data comes from phishing.
Research from PhishMe indicates more than 90% of data breaches start with a phishing email, and a recent HIMSS Analytics survey confirmed that phishing is the biggest threat, with email ranked as the most likely source of a healthcare data breach.
Protecting email accounts is therefore an essential part of HIPAA compliance. OCR has already fined healthcare organizations for data breaches that have resulted from phishing emails.
Healthcare organizations should implement a solution that blocks malicious emails and scans for malware and ransomware. In addition to technology, employees must also be trained how to identify malicious emails and taught to be more security aware.
How TitanHQ Can Help with HIPAA Compliance
TitanHQ developed SpamTitan to keep inboxes secure and prevent email spam, phishing messages, and malware from being delivered to inboxes. SpamTitan blocks more than 99.9% of spam email, and dual anti-virus engines ensure emails with malicious attachments are identified and quarantined. With SpamTitan, your organization’s email accounts will be protected – an essential part of HIPAA compliance.
WebTitan compliments SpamTitan and offers an additional layer of protection. WebTitan is a web filtering solution that allows you to carefully control the websites that your employees visit. WebTitan will prevent employees from visiting malicious websites via emailed hyperlinks, general web browsing, malvertising or redirects, protecting your organization from web-based attacks, drive by downloads of ransomware and malware, and exploit kit attacks.
For more information on TitanHQ’s cybersecurity solutions for healthcare, contact the TitanHQ team today.
Antivirus software vendor Symantec has detected a massive spam email campaign that is spreading Adwind RAT variants. While the Adwind RAT may sound like relatively harmless adware, that could not be further from the truth.
The latest Adwind RAT variants have a wide range of malicious functions, and serve as keyloggers that can record login credentials and monitor user activity, take screenshots, hijack the microphone and webcam to record audio and video, and as if that was not enough, the Adwind RAT allows the attacker to download further malicious files.
As is now the norm, the emails spreading Adwind RAT variants are convincing and appear to be genuine communications from legitimate firms. At a time when parcels are likely to arrive in the mail, the attackers have chosen a particularly relevant ploy to maximize the chance of emails being opened. Notifications about parcels that could not be delivered.
Businesses are also being targeted with malicious attachments claiming to be account statements, invoices, purchase orders, and payment receipts. The emails are well written and appear to have been sent from legitimate firms.
The spam emails include two malicious email attachments, a JAR file and what appears to be a PDF file. In the case of the latter, it has a double file extension, which will appear as a PDF file if file extensions are not displayed. In reality, it is another JAR file. The files contain layers of obfuscation in an attempt to bypass antivirus controls.
If the JAR files are executed, they drop a further JAR file and run VBS scripts which launch legitimate Windows tools to investigate the environment, identify the firewall in use, and other security products installed on the device. They then set about disabling monitoring controls.
The timing of this Adwind RAT campaign is ideal to catch out as many people as possible. The festive period is a busy time, and the rush to find bargains and purchase presents online sees many Internet users let their guard down. Further, as many businesses close over the festive period it gives the attackers more time to explore networks.
Infection with the Adwind RAT can see sensitive data stolen, and login credentials obtained, email accounts to be pilfered and abused and access to be gained to corporate bank accounts. A single successful installation of the Adwind RAT can be devastating.
The AdWind RAT is one of 360,000 New Daily Threats
Of course, the Adwind RAT spam email campaign is just one example of a malicious actor spreading malware. One example from tens of thousands, each spreading different malware and ransomware variants.
Each day new campaigns are launched. Figures from Kaspersky Lab indicate 2017 has seen an astonishing 360,000 new malicious files detected each day.
While consumers must be alert to the threat from spam email, the threat to businesses is far greater. The threat is multiplied by the number of employees who have a work email account.
A single computer infected with malware is serious, although once a foothold has been gained, the infection can spread rapidly. Recent research by SafeBreach, published in the Hacker’s Playbook Findings Report, suggests that 70% of the time, hackers are able to navigate the network and move laterally once access has been gained. A single malware attack can turn into an organization-wide nightmare infection.
The recent ransomware attacks in the United States are a good example. A ransomware attack on the Mecklenburg County government in South Carolina resulted in 48 servers being taken out of action, and that attack was identified rapidly. The Texas Department of Agriculture experienced a similar attack that impacted 39 schools via its network connections.
It is now essential to implement a host of defenses to prevent malware attacks. One of the most effective defenses is to upgrade your spam filter to an advanced solution such as SpamTitan.
SpamTitan blocks more than 99.9% of spam emails and detects and blocks malware using dual anti-virus engines. SpamTitan not only scans messages for the presence of malware and malware downloaders, but also message content for the common signatures of spam and malicious links. When threats are detected, the emails are quarantined before they can do any harm.
If you have a spam filter, yet have still experienced an email-based malware or ransomware attack, now is the ideal time to switch providers and discover the difference SpamTitan can make. If you have yet to install a third-party spam filter, there is no time to lose. Take advantage of the free trial and start protecting your organization from email spam and malware attacks.
Call the TitanHQ team today for further information on SpamTitan, details of pricing, and for further details on how you can sign up for the no-obligation free trial. The knowledgeable sales team will be able to answer any questions you have.
A particularly nasty new threat has emerged: Spider ransomware. The new crypto-ransomware variant was discovered by security researchers at Netskope on December 10, and the campaign is ongoing.
While many ransomware variants give victims a week to make contact and pay the ransom, the actors behind Spider ransomware are far less patient. If the ransom payment is not made within 96 hours of infection, the key to unlock files will be blocked and files will be permanently encrypted. Further, victims are warned “do not try anything stupid, the program has several security measures to delete all your files and cause damage to your PC.”
Naturally, that something stupid is not attempting to recover files from backups. If viable backups exist, victims will be able to recover their files without paying the ransom, but the warning may put off some victims from trying.
Such a short window for payment does not give victims much time. Many ransomware attacks occur on a Friday, and are only discovered when employees return to work on a Monday. Discovering a Spider ransomware attack in this scenario means businesses will have to act particularly quickly in order to avoid file loss.
While the threat is severe, the attackers have made it as easy as possible for victims to pay by providing a detailed help section. Payment must be made in Bitcoin via the Tor browser and detailed instructions are provided. The attackers say in the ransom note, “This all may seem complicated to you, actually it’s really easy.” They even provide a video tutorial showing victims how to pay the ransom and unlock their files. They also point out that the process of unlocking files is similarly easy. Pasting the encryption key and clicking on a button to start the decryption process is all that is required.
As with the majority of crypto-ransomware variants, Spider ransomware is being distributed by spam email. The emails use the hook of ‘Debt Collection’ to encourage recipients of the email to open the attachment. That attachment is a Microsoft Office document containing an obfuscated macro. If allowed to run, the macro will trigger the download of the malicious payload via a PowerShell script.
The latest Spider ransomware campaign is being used to attack organizations in Croatia and Bosnia and Herzegovina, with the ransom note and instructions written in Croatian and English. It is possible that attacks will spread to other geographical areas.
There is currently no free decryptor for spider ransomware. Protecting against this latest ransomware threat requires technological solutions to block the attack vector. If spam emails are not delivered to end user’s inboxes, the threat is mitigated.
Using an advanced cloud-based anti-spam service such as SpamTitan is strongly advisable. SpamTitan blocks more than 99.9% of spam emails ensuring malicious email messages are not delivered.
As an additional protection against ransomware and malware threats such as this, organizations should disable macros to prevent them from running automatically if a malicious attachment is opened. IT teams should also enable the ‘view known file extensions’ option on Windows PCs to prevent attacks using double file extensions.
End users should also receive security awareness training to teach them not to engage in risky behaviors. They should be taught never to enable macros on emailed documents, told how to recognize a phishing or ransomware emails, and instructed to forward messages on to the security team if they are received. This will allow spam filter rules to be updated and the threat to be mitigated.
It is also essential for regular backups to be performed, with multiple copies stored on at least two different media, with one copy kept on an air-gapped device. Backups are the only way of recovering from most ransomware attacks without paying the ransom.
A large-scale North Carolina ransomware attack has encrypted data on 48 servers used by the Mecklenburg County government, causing considerable disruption to the county government’s activities – disruption that is likely to continue for several days while the ransomware is removed and the servers are rebuilt.
This North Carolina ransomware attack is one of the most serious ransomware attacks to have been reported this year. The attack is believed to have been conducted by individuals operating out of Ukraine or Iran and the attack is understood to have involved a ransomware variant called LockCrypt.
The attack started when a county employee opened an email attachment containing a ransomware downloader. As is now common, the email appeared to have been sent from another employee’s email account. It is unclear whether that email account was compromised, or if the attacker simply spoofed the email address.
Opening the email and malicious attachment resulted in the installation of ransomware. The infection then spread to 48 of the 500 servers used by the county. A ransom demand of $23,000 was issued by the attackers, the payment of which would see keys supplied to unlock the encryption.
While many businesses pay the ransom demands to allow them to recover files quickly and limit disruption, Mecklenburg County refused to give in to the extortionist’s demands.
After the deadline for paying the ransom passed, the individuals behind the attack attempted another email-based attack on county employees although those attempts failed.
Recovery from the attack is possible without data loss as the county has backup files that were not encrypted in the attack; however, restoring data on all the affected servers will be a slow and laborious task and the county will continue to experience severe disruption to its services.
A similarly large-scale ransomware attack hit Texas school districts in October. The attack occurred at the Texas Department of Agriculture. The Texas Department of Agriculture overseas breakfast and lunch programs at Texas Schools and has access to computer networks used by Texas school districts.
Similarly, the attack involved a single employee being fooled into downloading ransomware by a phishing email. The ransomware spread across the network affecting 39 independent Texas schools, and potentially resulting in the exposure of hundreds of student records.
Such extensive ransomware attacks are becoming much more common. Rather than simply infecting one device, ransomware is now capable of scanning networks for other vulnerable devices and rapidly spreading laterally to affect multiple computers. In the case of the Texas Department of Agriculture ransomware attack, it was rapidly identified, but not in time to prevent it spreading across the network.
As these incidents show, all it takes is for a single employee to open a malicious email attachment for an entire network of computers and servers to be taken out of action. Even if the ransom demand is paid, recovery can be a slow and costly process.
Ransomware attacks are increasing, as is the sophistication of both the ransomware and the scams that fool employees into downloading the malicious software. Fortunately, it is possible to implement defenses against these attacks.
Both of these attacks could have easily been prevented with basic security measures – An advanced and effective spam filter to prevent malicious emails from being delivered to employees and an effective security awareness training program to raise awareness of the threat from ransomware and phishing emails.
Security awareness training and phishing email simulations can reduce susceptibility to email-based cyberattacks by up to 95% according to several anti-phishing training firms, while a spam filter such as SpamTitan can ensure that employees are not tested. SpamTitan blocks more than 99.9% of spam emails, ensuring ransomware and other malware-laced emails are quarantined so they can cause no harm.
To find out more about SpamTitan and how you can secure your organization and mount an impressive defense against email and web-based threats, call the TitanHQ team today.
Black Friday deals and Cyber Monday discounts see consumers head online in droves looking for bargain Christmas presents, but each year many thousands of consumers are fooled by holiday season email scams. This year will be no different. Scammers are already hard at work developing new ruses to fool unwary online shoppers into parting with their credentials or installing malware.
In the rush to purchase at discounted rates, security awareness often goes out the window and cybercriminals are waiting to take advantage. Hidden among the countless emails sent by retailers to advise past customers of the latest special offers and deals are a great many holiday season email scams. To an untrained eye, these scam emails appear to be no different from those sent by legitimate retailers. Then there are the phishing websites that capture credentials and credit card numbers and websites hosting exploit kits that silently download malware. It is a dangerous time to be online.
Fortunately, if you take care, you can avoid holiday season email scams, phishing websites, and malware this holiday period. To help you stay safe, we have compiled some tips to avoid holiday season email scams, phishing websites and malware this festive period.
Tips to Keep You Safe This Holiday Season
In the run up to Christmas there will be scams aplenty. To stay safe online, consider the following:
Always carefully check the URL of websites before parting with your card details
Spoofed websites often look exactly like the genuine sites that they mimic. They use the same layouts, the same imagery, and the same branding as retail sites. The only thing different is the URL. Before entering your card details or parting with any sensitive information, double check the URL of the site and make sure you are not on a scam website.
Never allow retailers to store your card details for future purchases
It is a service that makes for quick purchases. Sure, it is a pain to have to enter your card details each time you want to make a purchase, but by taking an extra minute to enter your card details each time you will reduce the risk of your account being emptied by scammers. Cyberattacks on retailers are rife, and SQL injection attacks can give attackers access to retailer’s websites – and a treasure trove of stored card numbers.
Holiday season email scams are rife – Be extra vigilant during holiday season
While holiday season email scams used to be easy to detect, phishers and scammers have become a lot better at crafting highly convincing emails. It is now difficult to distinguish between a genuine offer and a scam email. Emails contain images and company branding, are free from spelling and grammatical errors, and the email requests are highly convincing. Be wary of unsolicited emails, never open email attachments from unknown senders, and check the destination URL of any links before clicking.
If a deal sounds too good to be true, it probably is
What better time than holiday season to discover you have won a PlayStation 4 or the latest iPhone in a prize draw. While it is possible that you may have won a prize, it is very unlikely if you haven’t actually entered a prize draw. Similarly, if you are offered a 50% discount on a purchase via email, there is a high chance it is a scam. Scammers take advantage of the fact that everyone loves a bargain, and never more so than during holiday season.
If you buy online, use your credit card
Avoid the holiday season crowds and buy presents online, but use your credit card for purchases rather than a debit card. If you have been fooled by a holiday season scam or your debit card details are stolen from a retailer, it is highly unlikely that you be able to recover stolen funds. With a credit card, you have better protections and getting a refund is much more likely.
Avoid HTTP sites
Websites secured by the SSL protocol are safer. If a website starts with HTTPS it means the connection between your browser and the website is encrypted. It makes it much harder for sensitive information to be intercepted. Never give out your credit card details on a website that does not start with HTTPS.
Beware of order and delivery confirmations
If you order online, you will no doubt want to check the status of your order and find out when your purchases will be delivered. If you recent an email with tracking information or a delivery confirmation, treat the email as potentially malicious. Always visit the delivery company’s website by entering in the URL into your browser, rather than clicking links sent via email. Fake delivery confirmations and parcel tracking links are common. The links can direct you to phishing websites and sites that download malware, while email attachments often contain malware and ransomware downloaders.
Holiday season is a busy, but take your time online
One of the main reason that holiday season email scams are successful is because people are in a rush and fail to take the time to read emails carefully and check attachments and links are genuine. Scammers take advantage of busy people. Check the destination URL of any email link before you click. Take time to think before you take any action online or respond to an email request.
Don’t use the same password on multiple websites
You may choose to buy all of your Christmas gifts on Amazon, but if you need to register on multiple sites, never reuse your password. Password reuse is one of the easiest ways that hackers can gain access to your social media networks and bank accounts. If there is a data breach at one retailer and your password is stolen, hackers will attempt to use that password on other websites.
Holiday season is a time for giving, but take care online and when responding to emails to make sure your hard-earned cash is not given to scammers.
A spam email campaign has been detected that is distributing a form of Cobalt malware. The attackers use the Cobalt Strike penetration testing tool to take full control of an infected device. The attack uses an exploit for a recently patched Microsoft Office vulnerability.
The spam emails appear to have been sent by Visa, informing the recipient about recent changes to its payWave service. The emails contain a compressed file attachment that is password-protected. The password required to extract the contents of the zip file is contained in the body of the email.
This is an apparent attempt to make email recipients believe Visa had included security controls to prevent unauthorized individuals from viewing the information in the email – a reasonable security measure for a financial communication. Also contained in the email is a RTF file that is not password protected. Opening that file will launch a PowerShell script that will download a Cobalt Strike client that will ultimately give the attackers full control of the infected device.
The attackers leverage a vulnerability in Microsoft Office – CVE-2017-11882 – which was patched by Microsoft earlier this month. The attackers use legitimate Windows tools to execute a wide range of commands and spread laterally across a network.
The campaign was detected by researchers at Fortinet, who report that by exploiting the Office flaw, the attackers download a Cobalt Strike client and multiple stages of scripts which are then used to download the main malware payload.
The flaw has existed in Office products for 17 years, although it was only recently detected by Microsoft. Within a few days of the vulnerability being detected, Microsoft issued a patch to correct the flaw. Within a few days of the patch being released, threat actors started leveraging the vulnerability. Any device that has a vulnerable version of Office installed is vulnerable to attack.
This campaign shows just how important it is for patches to be applied promptly. As soon as a vulnerability is disclosed, malicious actors will use the vulnerability in attacks. When patches are released, malicious actors get straight to work and reverse engineer the patch, allowing them to identify and exploit vulnerabilities. As these attacks show, it may only take a few hours or days before vulnerabilities are exploited.
The recent WannaCry and NotPetya malware attacks showed just how easy it is for vulnerable systems to be exploited. Both of those attacks leveraged a vulnerability in Windows Server Message Block to gain access to systems. A patch had been released to address the vulnerability two months before the WannaCry ransomware attacks occurred. Had patches been applied promptly, it would not have been possible to install the ransomware.
Protecting against this Cobalt malware campaign is straightforward. Users simply need to apply the Microsoft patch to prevent the vulnerability from being exploited. Using a spam filter such as SpamTitan is also recommended, to prevent malicious emails from reaching end users’ inboxes.
Millions of spam emails containing Scarab ransomware have been detected over the past few days. The massive spam campaign is being conducted using the Necurs botnet – one of the largest botnets currently in use.
The Necurs botnet has been active for at least five years and now contains more than 6 million zombie computers that are used to send masses of spam emails. Necurs has previously been used to send banking Trojans and many other forms of malware, although recently, the operators of the botnet have turned to spreading ransomware, including Locky.
The latest campaign saw the Necurs botnet send out spam emails to more than 12.5 million email accounts in the space of just 6 hours, with individuals in the United States, France, Germany, Australia, and the UK targeted.
The emails were typical of other phishing campaigns conducted in recent months. The emails appear to have been sent from well known, trusted brands to increase the likelihood of the malicious attachments being opened. This campaign spoofs printer manufacturers such as HP, Canon, Lexmark and Epson.
The emails contain a 7zip file attachment which claims to be a scanned document, with the subject line “Scanned from [Printer company]. The zip file contains a VBScript which, if run, will download Scarab ransomware.
Scarab ransomware is a relatively new ransomware variant, first detected over the summer. While most ransomware variants have a fixed price for obtaining the key to unlock the encryption, the authors of Scarab ransomware do not ask for a specific amount. Instead, the ransom payment depends on how quickly the victim responds.
As with the NotPetya wiper, users are required to make contact with the attackers via email. This method of communication has caused problems for victims in the past, as if the domain is taken down, victims have no method of contacting the attackers. In this case, an alternative contact method is provided – victims can also contact the attackers via BitMessage.
Even though Scarab ransomware is unsophisticated, it is effective. There is no free decryptor available to recover files encrypted by Scarab ransomware. Recovery without paying the ransom is only possible if backups of the encrypted files exist, and if the backup has not also been encrypted.
Scarab ransomware is believed to be the work of relatively small players in the ransomware arena. However, the scale of the campaign and the speed at which the spam emails are being sent shows that even small players can conduct massive, global ransomware campaigns by teaming up with the operators of botnets.
By using ransomware-as-a-service, anyone can conduct a ransomware campaign. Ransomware can be hired on darknet forums for next to nothing and used to extort money from businesses. More players mean more ransomware attacks, and the ease of conducting campaigns and the fact that many victims pay up, mean ransomware is still highly profitable.
Security experts are predicting that 2018 will see even more ransomware attacks. AV firm McAfee has predicted that next year will see cybercriminal gangs step up their attacks and target high-net worth individuals and small businesses, while the campaigns will become more sophisticated.
With the threat likely to increase, businesses need to ensure that they have solutions in place to prevent ransomware from being delivered to end users. By implementing an advanced spam filtering solution, businesses can ensure that phishing and spam emails do not get delivered to end users, mitigating the threat from ransomware. Fail to block malicious emails, and it will only be a matter of time before an employee responds, opens an infected email attachment, and installs ransomware on the network.
If you are looking for the best spam filter for business use, contact the TitanHQ team today for further information on SpamTitan.
All organizations should take steps to mitigate the risk of phishing, and one of those steps should be training employees how to spot a phishing email. Employees will frequently have their phishing email identification skills put to the test.
Since all it takes is for one employee to fall for a phishing scam to compromise a network, not only is it essential that all employees are trained how to spot a phishing email, their skills should assessed post-training, otherwise organizations will not know how effective the training has been.
How Common are Phishing Attacks?
Phishing is now the number one security threat faced by businesses in all sectors. Research conducted by the security awareness training company PhishMe suggests that more than 90% of cyberattacks start with a phishing or spear phishing email. While all industry sectors have to deal with the threat from phishing, the education and healthcare industries are particularly at risk. They are commonly targeted by scammers and spammers, and all too often those phishing attacks are successful.
The Intermedia 2017 Data Vulnerability Report showed just how common phishing attacks succeed. Workers were quizzed on security awareness training and successful phishing attacks at their organizations. 34% of high level execs admitted falling for a phishing scam, as did 25% of IT professionals – Individuals who should, in theory, be the best in an organization at identifying phishing scams. The same study revealed 30% of office workers do not receive regular security awareness training. 11% said they were given no training whatsoever and have not been taught how to spot a phishing email.
Overconfidence in Phishing Detection Capabilities Results in Data Breaches
Studies on data breaches and cybersecurity defenses often reveal that many organizations are confident in their phishing defenses. However, many of those companies still suffer data breaches and fall for phishing attacks. Overconfidence in phishing detection and prevention leaves many companies at risk. This was recently highlighted by a study conducted by H.R. Rao at the University of Texas at San Antonio. Rao explained that many people believe they are smarter than phishers and scammers, which plays into the scammers’ hands.
Training Should be Put to The Test
You can train employees how to spot a phishing email, but how can you tell how effective your training has been? If you do not conduct phishing simulation exercises, you cannot be sure that your training has been effective. There will always be some employees that require more training than others and employees that do not pay attention during training. You need to find these weak links. The best way to do that is with phishing simulation exercises.
Conduct dummy phishing exercises and see whether your employees are routinely putting their training into action. If an employee fails a phishing test, you can single them out to receive further training. Each failed simulation can be taken as a training opportunity. With practice, phishing email identification skills will improve.
How to Spot a Phishing Email
Most employees receive phishing emails on a daily basis. Some are easy to identify, others less so. Fortunately spam filters catch most of these emails, but not all of them. It is therefore essential to train employees how to spot a phishing email and to conduct regular training sessions. One training session a year is no longer sufficient. Scammers are constantly changing tactics. It is important to ensure employees are kept up to speed on the latest threats.
During your regular training sessions, show your employees how to spot a phishing email and what to do when they receive suspicious messages. In particular, warn them about the following tactics:
Spoofed Display Names
The 2017 Spear Phishing Report from GreatHorn indicates 91% of spear phishing attacks spoof display names. This tactic makes the recipient believe the email has been sent from a trusted colleague, friend, family member or company. This is one of the most important ways to spot a phishing email.
Mitigation: Train employees to hover their mouse arrow over the sender to display the true email address. Train employees to forward emails rather than reply. The true email address will be displayed.
Email Account Compromises
This year, business email compromise (BEC) scams have soared. These scams were extensively used to obtain W-2 Form tax information during tax season. This attack method involves the use of real email accounts – typically those of the CEO or senior executives – to send requests to employees to make bank transfers and send sensitive data.
Mitigation: Implement policies that require any email requests for sensitive information to be verified over the phone, and for all new bank transfer requests and account changes to be verified.
Hyperlinks to Phishing Websites
The Proofpoint Quarterly Threat Report for Q3 showed there was a 600% increase in the use of malicious URLs in phishing emails quarter over quarter, and a 2,200% increase from this time last year. These URLs usually direct users to sites where they are asked to login using their email credentials. Oftentimes they link to sites where malware is silently downloaded.
Mitigation: Train employees to hover their mouse arrow over the URL to display the true URL. Encourage employees to visit websites by entering the URL manually, rather than using embedded links.
Security Alerts and Other Urgent Situations
Scammers want email recipients to take action quickly. The faster the response the better. If employees stop and think about the request, or check the email carefully, there is a high chance the scam will be detected. Phishing emails often include some urgent request or immediate need for action. “Your account will be closed,” “You will lose your credit,” “Your parcel will not be delivered,” “Your computer is at risk,” Etc.
Mitigation: Train employees to stop and think. An email request may seem urgent and contain a threat, but this tactic is commonly used to get people to take quick action without engaging their brains.
Look for Spelling Mistakes and Grammatical Errors
Many phishing scams come from African countries, Eastern Europe and Russia – Places where English is not the main language. While phishing scams are becoming more sophisticated, and more care is taken crafting emails, spelling mistakes and poor grammar are still common and are a key indicator that emails are not genuine.
Mitigation: Train employees to look for spelling mistakes and grammatical errors. Companies check their emails carefully before sending them.
Why a Spam Filter is Now Essential
Training employees how to spot a phishing email should be included in your cybersecurity strategy, but training alone will not prevent all phishing-related data breaches. There may be a security culture at your organizations, and employees skilled phish detectors, but every employee can have an off day from time to time. It is therefore important to make sure as few phishing emails as possible reach employees’ inboxes, and for that to happen, you need an advanced spam filtering solution.
SpamTitan blocks more than 99.9% of spam email and includes dual anti-virus engines to ensure malicious messages are blocked. The low false positive rate also ensures genuine emails do not trigger the spam filter and are delivered.
If you want to improve your security defenses, train employees how to spot a phishing email and implement SpamTitan to stop phishing emails from reaching inboxes. With technological and human solutions you will be better protected.
Handy Infographic to Help Train Staff How to Spot a Phishing Email
We have compiled a useful infographic to highlight how important it is to train staff how to spot a phishing email and some of the common identifiers that an email is not genuine:
The Ponemon Institute has published the findings of a new report on endpoint security risk, which shows that ransomware attacks have occurred at most companies, the risk of fileless malware attacks has increased significantly, and successful cyberattacks are resulting in average losses of more than $5 million.
For the Barkly-sponsored endpoint security risk study, the Ponemon Institute surveyed 665 IT security professionals that were responsible for the management of their organization’s security risk.
7 out of ten respondents claimed endpoint security risk was significantly higher this year than in 2016, and one of the biggest threats was now fileless malware. Companies are still using traditional anti-virus and anti-malware solutions, although they are not effective at preventing fileless malware attacks.
Fileless malware is not detected by most anti-virus solutions since no files are written to the hard drive. Instead, fileless malware remains in the memory, oftentimes leveraging legitimate system tools to gain persistence and spread to other devices on the network.
These fileless malware attacks are occurring far more frequently, with respondents estimating a 20% rise in attacks in 2017. 29% of all cyberattacks in 2017 involved fileless malware, and the threat is expected to continue to increase, and will account for more than a third of all attacks in 2018.
The switch from file-based malware to fileless malware is understandable. The attacks are often successful. 54% of companies surveyed said they had experienced at least one cyberattack that resulted in data being compromised, and 77% of those attacks involved exploits or fileless malware. 42% of respondents said they had experienced a fileless malware attack that resulted in systems or data being compromised in 2017.
Fileless malware attacks are increasing, but so are ransomware attacks. Over half of companies that took part in the endpoint security risk study said they had experienced at least one ransomware attack in 2017, while four out of ten firms experienced multiple ransomware attacks. Even though most companies backup their files, 65% of respondents said they had paid a ransom to recover their data, with the average amount being $3,675. The primary method of ransomware delivery is email.
While the ransom payments may be relatively low, that represents only a small proportion of the costs of such attacks. For the endpoint security risk study, firms were asked to estimate the total cost of cyberattacks – On average, each successful attack on endpoints cost an average of $5,010,600 to resolve – $301 per employee.
Protect Against Malware Attacks by Blocking the Primary Delivery Vector
Email is the primary method for distributing malware. Implementing a spam filtering solution, preferably a gateway solution, can keep an organization protected from malicious emails and will prevent malicious messages from being delivered to end users, and is important for helping organizations manage endpoint security risk.
Many companies opt for an email gateway filtering appliance – an appliance located between the firewall and email server. These solutions are powerful, but they come at a cost since the appliance must be purchased. These appliance-based solutions also lack scalability.
If you want the power of an appliance, but want to keep costs to a minimum, consider a solution such as SpamTitan. SpamTitan offers the same power as a dedicated appliance, without the need to purchase any additional hardware. SpamTitan can be deployed as a virtual appliance on existing hardware, offering the same level of protection as an email gateway filtering appliance at a fraction of the cost.
Don’t Forget to Train Your Employees to be More Security Conscious
A recent InfoBlox survey on healthcare organizations in the United States and United Kingdom revealed that companies in this sector are realizing the benefits of training employees to be more security aware, although only 35% of firms currently provide training to employees.
No matter what email filtering solution you use, there will be times when spammers succeed, and messages are delivered. It is therefore important that staff are trained how to identify and respond to suspicious emails. If end users are not aware of the threats, and do not know how to recognize potential phishing emails, there is a higher chance of them engaging in risky behavior and compromising their device and the network.
A serious MS Office remote code execution vulnerability has been patched by Microsoft – One that would allow malware to be installed remotely with no user interaction required. The flaw has been present in MS Office for the past 17 years.
The flaw, which was discovered by researchers at Embedi, is being tracked as CVE-2017-11882. The vulnerability is in the Microsoft Equation Editor, a part of MS Office that is used for inserting and editing equations – OLE objects – in documents: Specifically, the vulnerability is in the executable file EQNEDT32.exe.
The memory corruption vulnerability allows remote code execution on a targeted computer, and would allow an attacker to take full control of the system, if used with Windows Kernel privilege exploits. The flaw can be exploited on all Windows operating systems, including unpatched systems with the Windows 10 Creators Update.
Microsoft addressed the vulnerability in its November round of security updates. Any unpatched system is vulnerable to attack, so it is strongly advisable to apply the patch promptly. While the vulnerability could potentially have been exploited at any point in the past 17 years, attacks exploiting this MS Office remote code execution vulnerability are much more likely now that a patch has been released.
The flaw does not require the use of macros, only for the victim to open a specially crafted malicious Office document. Malicious documents designed to exploit the vulnerability would likely arrive via spam email, highlighting the importance of implementing a spam filtering solution such as SpamTitan to block the threat.
End users who are fooled into opening a malicious document can prevent infection by closing the document without enabling macros. In this case, malware would be installed simply by opening the document.
Microsoft has rated the vulnerability as important, rather than critical, although researchers at Embedi say this flaw is “extremely dangerous.” Embedi has developed a proof of concept attack that allowed them to successfully exploit the vulnerability. The researchers said, “By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it),”
EQNEDT32.exe is run outside of the Microsoft Office environment, so it is therefore not subject to Office and many Windows 10 protections. In addition to applying the patch, security researchers at Embedi recommend disabling EQNEDT32.EXE in the registry, as even with the patch applied, the executable still has a number of other vulnerabilities. Disabling the executable will not impact users since this is a feature of Office that is never needed by most users.
Ordinypt malware is currently being used in targeted attacks on companies in Germany. While Ordinypt malware appears to victims to be ransomware, the malware is actually a wiper.
Infection sees files made inaccessible, and as with ransomware, a ransom demand is issued. The attackers ask for 0.12 Bitcoin – around $836 – to restore files.
Ordinypt malware does not encrypt files – it simply deletes the original file name and replaces it with a random string of letters and numbers. The contents of files are also replaced with random letters and numbers.
Even if the ransom demand is paid, the attackers do not have a mechanism to allow victims to recover their original files. The only sure-fire way to recover files is to restore them from a backup. In contrast to many ransomware variants that make it difficult to recover files by deleting Windows Shadow Volume copies, those are left intact, so it may be possible for users to recover some of their files.
Ordinypt malware – or HSDFSDCrypt as it was originally known – was discovered by Michael Gillespie. A sample of the malware was obtained and analyzed by German security researcher Karsten Hahn from G Data Security. G Data Security renamed the malware Ordinypt.
Hahn notes that Ordinypt malware is poorly written with a bad coding style, indicating this is not the work of a skilled hacker. Hahn said, this is “A stupid malware that destroy information of enterprises and innocent people and try steal money.”
The attackers are using a common technique to maximize the number of infections. The malware is disguised as PDF files which are distributed via spam email. The messages claim to be applications in reply to job adverts. Two files are included in a zip file attachment, which appear to be a resume and a CV.
While the files appear to be PDFs, and are displayed as such, they actually have a double extension. If the user’s computer has file extensions hidden, all that will be displayed is filename.pdf, when in actual fact the file is filename.pdf.exe. Clicking on either of the files will run the executable and launch Ordinypt malware.
In recent months there have been several wiper malware variants detected that pretend to be ransomware. The attackers are taking advantage of the publicity surrounding ransomware attacks, and are fooling end users into paying a ransom, when there is no way of recovering files. It is not clear whether the reason for the attacks is to make money. It is possible that these attacks are simply intended to cause disruption to businesses, as was the case with the NotPetya wiper attacks.
Regardless of how poorly written this malware is, it is still effective and can cause significant disruption to businesses. Protecting against this, and other email-based malware threats, requires a combination of end user training and technology.
End users should be informed of the risks of opening attachments from unknown senders and should assume that all such emails could be malicious. In this case, the malware is poorly written but the emails are not. They use perfect German and are highly believable. HR employees could be easily fooled by a ruse such as this.
The best protection against threats such as these is an advanced spam filter such as SpamTitan. Preventing these emails from reaching inboxes is the best defense.
By configuring the spam filter to block executable files, the messages will be rerouted to a quarantine folder rather than being delivered, mitigating the threat.
For further information on how a spam filter can help to block email-based threats and to register for a free trial of SpamTitan for your business, contact the TitanHQ team today.
A new variant of the Ursnif banking Trojan has been detected and the actors behind the latest campaign have adopted a new tactic to spread the malware more rapidly.
Ransomware attacks may make the headlines, but banking Trojans can cause considerably more damage. The $60 million heist from a Taiwanese bank last month shows just how serious infection with banking Trojans can be. The Dridex Trojan raked in more than $40 million in 2015.
The Ursnif banking Trojan is one of the most commonly used Trojans. As with other banking Trojans, the purpose of the Ursnif Trojan is to steal credentials such as logins to banking websites, corporate bank details, and credit card numbers. The stolen credentials are then used for financial transactions. It is not uncommon for accounts to be emptied before the transactions are discovered, by which time the funds have cleared, have been withdrawn, and the criminal’s account has been closed. Recovering the stolen funds can be impossible.
Infection will see the malware record a wide range of sensitive data, capturing credentials as they are entered through the browser. The Ursnif banking Trojan also takes screenshots of the infected device and logs keystrokes. All of that information is silently transmitted to the attacker’s C2 server.
Banking Trojans can be installed in a number of ways. They are often loaded onto websites where they are downloaded in drive-by attacks. Traffic is generated to the malicious websites via malvertising campaigns or spam emails contacting hyperlinks. Legitimate websites are compromised using brute force tactics, and kits loaded to the sites that prey on individuals who have failed to keep their software up to date. Oftentimes, downloads are sent via spam email, hidden in attachments.
Spam email has previously been used to spread the Ursnif banking Trojan, and the latest campaign is no different in that respect. However, the latest campaign uses a new tactic to maximize the chance of infection and spread infections more rapidly and widely. Financial institutions have been the primary target of this banking Trojan, but with this latest attack method they are far more widespread.
Infection will see the user’s contact list abused and spear phishing emails sent to each of the user’s contacts. Since the spear phishing emails arrive from a trusted email account, the likelihood of the emails being opened is significantly increased. Simply opening the email will not result in infection. For that to occur, the recipient must open the email attachment. Again, since it has come from a trusted sender, that is more likely.
The actors behind this latest Ursnif banking Trojan campaign have another trick to increase trust and ensure their payload is delivered. The spear phishing emails contain message threads from past conversations. The email appears to be a response to a previous email, and include details of past conversations.
A short line of text is included as a prompt to get the recipient to open the email attachment – A Word document containing a malicious macro. That macro needs to be authorized to run – if macros have not been set to run automatically, but it will not until the Word document is closed. When the macro runs, it launches PowerShell commands that download the Ursnif Trojan, which then starts logging activity on the infected device and sends further spear phishing emails to the new victim’s contact list.
This is not a brand-new tactic, but it is new to Ursnif – and it is likely to see infections spread much more quickly. Further, the malware incorporates a number of additional tactics to hamper detection, allowing information to be stolen and bank accounts emptied before infection is detected – the Trojan even deletes itself once it has run.
Malware is constantly evolving, and new tactics are constantly developed to increase the likelihood of infection. The latest campaign shows just how important it is to block email threats before they reach end users’ inboxes.
With an advanced spam filter such as SpamTitan in place, malicious emails can be blocked to stop them from reaching end user’s inboxes, greatly reducing the risk of malware infections.
A new wave of cyberattacks on financial institutions using malware called the Silence Trojan has been detected. In contrast to many attacks on banks that target the bank customers, this attack targets the bank itself. The attack method bears a number of similarities to the attacks conducted by the Eastern European hacking group, Carbanak.
The Silence Trojan is being used to target banks and other financial institutions in several countries, although so far, the majority of victims are in Russia. The similarity of the Silence Trojan attacks to Carbanak suggests these attacks could be conducted by Carbanak, or a spinoff of that group, although that has yet to be established.
The attacks start with the malicious actors behind the campaign gaining access to banks’ networks using spear phishing campaigns. Spear phishing emails are sent to bank employees requesting they open an account. The emails are well written, and the premise is believable, especially since in many cases the emails are sent from within using email addresses that have previously been compromised in other attacks. When emails are sent from within, the requests seem perfectly credible.
Some of these emails were intercepted by Kaspersky Lab. Researchers report that the emails contain a Microsoft Compiled HTML Help file with the extension .chm.
The attackers gain persistent access to an infected computer and spend a considerable amount of time gathering data. Screen activity is recorded and transmitted to the C2, with the bitmaps combined to form a stream of activity from the infected device, allowing the attackers to monitor day to day activities on the bank network.
This is not a quick smash and grab raid, but one that takes place over an extended period. The aim of the attack is to gather as much information as possible to maximize the opportunity to steal money from the bank.
Since the attackers are using legitimate administration tools to gather intelligence, detecting the attacks in progress is complicated. Implementing solutions to detect and block phishing attacks can help to keep banks protected.
Since security vulnerabilities are often exploited, organizations should ensure that all vulnerabilities are identified and corrected. Kaspersky Lab recommends conducting penetration tests to identify vulnerabilities before they are exploited by hackers.
Kaspersky Lab notes that when an organization has already been compromised, the use of .chm attachments in combination with spear phishing emails from within the organization has proved to be a highly effective attack method for conducting cyberattacks on financial institutions.
2017 has seen a major rise in malicious spam email volume. As the year has progressed, the volume of malicious messages sent each month has grown. A new report from Proofpoint shows malicious spam email volume rose by 85% in Q3, 2017.
A deeper dive into the content of those messages shows cybercriminals’ tactics have changed. In 2017, there has been a notable rise in the use of malicious URLs sent via email compared to malicious attachments containing malware. URL links to sites hosting malware have jumped by an astonishing 600% in Q3, which represents a 2,200% increase since this time last year. This level of malicious URLs has not been seen since 2014.
The links direct users to malicious websites that have been registered by cybercriminals, and legitimate sites that have been hijacked and loaded hacking toolkits. In many cases, simply clicking on the links is all that is required to infect the user’s computer with malware.
While there is a myriad of malware types now in use, the biggest threat category in Q3 was ransomware, which accounted for 64% of all email-based malware attacks. There are many ransomware variants in use, but the undisputed king in Q3 was Locky, accounting for 55% of total message volume and 86% of all ransomware attacks. There was also a rising trend in destructive ransomware – ransomware that encrypts files but does not include the option of letting victims’ recover their files.
The second biggest malware threat category was banking Trojans, which accounted for 24% of malicious spam email volume. Dridex has long been a major threat, although in Q3 it was a Trojan called The Trick that become the top banking Trojan threat. The Trick Trojan was used in 70% of all banking Trojan attacks.
Unsurprisingly, with such as substantial rise in malicious spam email volume, email fraud has also risen, up 12% quarter over quarter and up 32% from this time last year.
Cybercriminals are constantly changing tactics and frequently switch malware variants and attack methods, but for the time being at least, exploit kits are still not favored. Exploit kit attacks are at just 10% of the level of last year’s high, with spam email now the main method of malware delivery.
With malicious spam email volume having increased once again, and a plethora of new threats and highly damaging malware attacks posing a very real risk, it is essential that businesses double down on their defenses. The best way to defend against email threats is to improve spam defenses. An advanced spam filtering solution is essential for blocking email threats. The more malicious emails that are captured and prevented from being delivered, the lower the chance of end users clicking on malicious links and downloading malware.
SpamTitan blocks more than 99.9% of spam emails and is one of the most advanced and best spam filters for business use. SpamTitan helps keep inboxes free from malware threats. No single solution can block all email threats, so a spam filtering solution should be accompanied with endpoint security solutions, web filters to block malicious links from being visited, antimalware and antivirus solutions, and email authentication technology.
While it is easy to concentrate on technology to protect against email threats, it is important not to forget to train employees to be more security aware. Regular training sessions, cybersecurity newsletters and bulletins about the latest threats, and phishing simulation exercises can help employees improve their threat detection skills and raise cybersecurity awareness.
A global data breach study by Gemalto provides valuable insights into data breaches reported over the first six months of 2017, showing there has been a significant increase in data breaches and the number of records exposed.
Barely a day has gone by without a report of a data breach in the media, so it will probably not come as a surprise to hear that data breaches have risen again in 2017. What is surprising is the scale of the increase. Compared to the first six months of 2016 – which saw huge numbers of data breaches reported – 2017 saw a 13% increase in incidents. However, it is the scale of those breaches that is shocking. 2017 saw 164% more records exposed than in 2016.
During the first six months of 2017, a staggering 918 data breaches were confirmed, resulting in 1.9 billion records and email credentials being exposed or stolen. Further, that figure is a conservative. According to Gemalto’s global data breach study, it is unknown how many records were compromised in 59.3% of data breaches between January and June 2017.
What is clear is the data breaches are increasing in size. Between January and the end of June, there were 22 breaches reported that each impacted more than 1 million individuals.
To put the global data breach study figures into perspective, more than 10.5 million records were exposed each day in the first half of 2017 – or 122 records per second.
What is the Biggest Cause of Data Breaches in the First Half of 2017?
While malicious insiders pose a significant threat, and caused 8% of breaches, accidental loss of devices or records accounted for 18% of incidents. But the biggest cause of data breaches was malicious outsiders, who caused 74% of all tracked data breaches.
However, in terms of the severity of breaches, it is accidental loss that tops the list. There many have only been 166/918 breaches due to accidental loss according to the global data breach study, but those incidents accounted for 86% of all records – That’s 1.6 billion.
Malicious outsiders may have caused the most breaches – 679/918 – but those breaches involved just 13% of the total number of records – 254 million. In the first half of 2016, malicious outsiders were the leading breach cause and data breaches and accounted for 76% of breached records.
It is worth noting that while malicious insiders were responsible for just 8% of incidents, those incidents saw 20 million records exposed. Compared to 2016, that’s a 4114% increase.
Which Regions Had the Most Data Breaches in the First Half of 2017?
While North America was the hardest hit, accounting for 88% of all reported breaches, that does not necessarily mean that most breaches are occurring in the United States. In the U.S. there are far stricter reporting requirements, and companies are forced to disclose data breaches.
In Europe, many companies choose not to announce data breaches. It will therefore be interesting to see how the figures change next year. From May 2018, there will be far stricter reporting requirements due to the introduction of the General Data Protection Regulation (GDPR). For this report, there were 49 reported breaches in Europe – 5% of the total. 40% of those breaches were in the United Kingdom. There were 47 breaches in the Asia Pacific region – 5% of the total – with 15 in India and the same percentage in Australia.
Which Industries Suffer the Most Data Breaches?
The worst affected industry was healthcare, accounting for 25% of all breaches. However, bear in mind that HIPAA requires healthcare organizations to report all breaches in the United States. The financial services industry was in second place with 14% of the total, followed by education with 13% of breaches. The retail industry recorded 12% of breaches, followed by the government on 10% and technology on 7%.
In terms of the number of records breached, it is ‘other industries’ that were the worst hit. Even though that group accounted for just 6% of breaches they resulted in the exposure of 71% of records. Government breaches accounted for 21% of the total, followed by technology (3%), education (2%), healthcare (2%) and social media firms (1%).
How Can These Breaches be Stopped?
In the most part, these data breaches occurred due to poor cybersecurity protections, basic security failures, poor internal security practices, and the failure to use data encryption. Previous research by PhishMe has shown that 91% of data breaches start with a phishing email. Anti-spam defenses are therefore critical in preventing data breaches. If phishing emails are prevented from being delivered, a large percentage of external attacks can be stopped.
Organizations that have yet to use two factor authentication should ensure that this basic security control is employed. Employees should receive cybersecurity awareness training, and training programs should be ongoing. In particular, employees should be trained how to identify phishing emails and the actions they should take when a suspicious email is encountered.
Accidental loss of data from lost and stolen devices can be prevented with the use of encryption, although most accidental losses were due to poorly configured databases. Organizations should pay particular attention to their databases and cloud instances, to make sure they are appropriately secured and cannot be accessed by unauthorized individuals.
Bad Rabbit ransomware attacks have been reported throughout Russia, Ukraine, and Eastern Europe. While new ransomware variants are constantly being developed, Bad Rabbit ransomware stands out due to the speed at which attacks are occurring, the ransomware’s ability to spread within a network, and its similarity to the NotPetya attacks in June 2017.
Bad Rabbit Ransomware Spreads via Fake Flash Player Updates
While Bad Rabbit ransomware has been likened to NotPetya, the method of attack differs. Rather than exploit the Windows Server Message Block vulnerability, the latest attacks involve drive-by downloads that are triggered when users respond to a warning about an urgent Flash Player update. The Flash Player update warnings have been displayed on prominent news and media websites.
The malicious payload packed in an executable file called install_flash_player.exe. That executable drops and executes the file C:\Windows\infpub.dat, which starts the encryption process. The ransomware uses the open source encryption software DiskCryptor to encrypt files with AES, with the keys then encrypted with a RSA-2048 public key. There is no change to the file extension of encrypted files, but every encrypted file has the .encrypted extension tacked on.
Once installed, it spreads laterally via SMB. Researchers at ESET do not believe bad rabbit is using the ETERNALBLUE exploit that was incorporated into WannaCry and NotPetya. Instead, the ransomware uses a hardcoded list of commonly used login credentials for network shares, in addition to extracting credentials from a compromised device using the Mimikatz tool.
Similar to NotPetya, Bad Rabbit replaces the Master Boot Record (MBR). Once the MBR has been replaced, a reboot is triggered, and the ransom note is then displayed.
Victims are asked to pay a ransom payment of 0.5 Bitcoin ($280) via the TOR network. The failure to pay the ransom demand within 40 hours of infection will see the ransom payment increase. It is currently unclear whether payment of the ransom will result in a valid key being provided.
So far confirmed victims include the Russian news agencies Interfax and Fontanka, the Ministry of Infrastructure of Ukraine, the Odessa International Airport, and the Kiev Metro. In total there are believed to have been more than 200 attacks so far in Russia, Ukraine, Turkey, Bulgaria, Japan, and Germany.
How to Block Bad Rabbit Ransomware
To prevent infection, Kaspersky Lab has advised companies to restrict the execution of files with the paths C:\windows\infpub.dat and C:\Windows\cscc.dat.
Alternatively, those files can be created with read, write, and execute permissions removed for all users.
On Friday, the U.S. Department of Homeland Security’s (DHS) computer emergency readiness team (US-CERT) issued a new warning about phishing attacks on energy companies and other critical infrastructure sectors.
Advanced persistent threat (APT) actors are conducting widespread attacks on organizations in the energy, aviation, nuclear, water, and critical manufacturing sectors. Those attacks, some of which have been successful, have been occurring with increasing frequency since at least May 2017. The group behind the attack has been called Dragonfly by AV firm Symantec, which reported on the attacks in September.
DHS believes the Dragonfly group is a nation-state sponsored hacking group whose intentions are espionage, open source reconnaissance and cyberattacks designed to disrupt energy systems.
These cyberattacks are not opportunistic like most phishing campaigns. They are targeted attacks on specific firms within the critical infrastructure sectors. While some firms have been attacked directly, in many cases the attacks occur through a ‘staging’ company that has previously been compromised. These staging companies are trusted vendors of the targeted organization. By conducting attacks through those companies, the probability of an attack on the target firm succeeding is increased.
DHS warns that the attackers are using several methods to install malware and obtain login credentials. The phishing attacks on energy companies have included spear phishing emails designed to get end users to reveal their login credentials and malicious attachments that install malware.
In the case of the former, emails direct users to malicious websites where they are required to enter in their credentials to confirm their identity and view content. While some websites have been created by the attackers, watering hole attacks are also occurring on legitimate websites that have been compromised with malicious code. DHS warns that approximately half of the attacks have occurred through sites used by trade publications and informational websites “related to process control, ICS, or critical infrastructure.”
Phishing emails containing malicious attachments are used to directly install malware or the files contain hyperlinks that direct the user to websites where a drive-by malware download occurs. The links are often shortened URLS creating using the bit.ly and tinyurl URL shortening services. The attackers are also using email attachments to leverage Windows functions such as Server Message Block (SMB) protocol to retrieve malicious files. A similar SMB technique is also used to harvest login credentials.
The malicious attachments are often PDF files which claim to be policy documents, invitations, or resumés. Some of the phishing attacks on energy companies have used a PDF file attachment with the name “AGREEMENT & Confidential.” In this case, the PDF file does not include any malicious code, only a hyperlink to a website where the user is prompted to download the malicious payload.
US-CERT has advised companies in the targeted sectors that the attacks are ongoing, and action should be taken to minimize risk. Those actions include implementing standard defenses to prevent web and email-based phishing attacks such as spam filtering solutions and web filters.
Since it is possible that systems may have already been breached, firms should be regularly checking for signs of an intrusion, such as event and application logs, file deletions, file changes, and the creation of new user accounts.
The average enterprise data breach cost has risen to $1.3 million, according to a new report from antivirus firm Kaspersky Lab – An increase of $100,000 year over year. Small to medium size businesses are also having to dig deeper to remediate data breaches. The average data breach cost for SMBs is now $117,000.
For the cost of a data breach study, Kaspersky Lab surveyed more than 5,000 businesses, asking questions about how much firms are spending on data breach resolution and how those costs are split between various aspects of the breach response. Businesses were also asked about future spending and how much their IT security budgets are increasing year over year.
The survey reveals that in North America, the percentage of the budget being spent on IT security is increasing. However, overall budgets are reducing, so the net spend on IT security has decreased year over year. Last year, businesses were allocating 16% of their budgets to IT security, which has risen to 18% this year. However, average enterprise IT security budgets have dropped from $25.5 million last year to just $13.7 million this year.
Breaking Down the Enterprise Data Breach Cost
So how is the enterprise data breach cost broken down? What is the biggest cost of resolving a data breach? The biggest single data breach resolution cost is additional staff wages, which costs an average of $207,000 per breach.
Other major costs were infrastructure improvements and software upgrades ($172,000), hiring external computer forensics experts and cybersecurity firms ($154,000), additional staff training ($153,000), lost business ($148,000), and compensation payments ($147,000).
The average SMB data breach resolution cost was $117,000. The biggest costs were contracting external cybersecurity firms to conduct forensic investigations and the loss of business as a direct result of a breach, both cost an average of $21,000 each. Additional staff wages cost $16,000, increases in insurance premiums and credit rating damage cost an average of $11,000, new security software and infrastructure costs were $11,000, and new staff and brand damage repair cost $10,000 each. Further staff training and compensation payouts cost $9,000 and $8,000 respectively.
The high cost of data breach mitigation shows just how important it is for enterprises and SMBs to invest in data breach prevention and detection technologies. Blocking cyberattacks is essential, but so too is detecting breaches when they do occur. As the IBM/Ponemon Institute 2017 Cost of a Data Breach Study showed, the faster a breach is detected, the lower the enterprise data breach cost will be.
The Importance of an Effective Spam Filter
There are many potential vulnerabilities that can be exploited by hackers, so it is important for businesses of all sizes to conduct regular risk assessments to find holes in their defenses before cybercriminals do. A risk management plan should be devised to address any vulnerabilities uncovered during the risk assessment. Priority should be given to the most serious risks and those that would have the greatest impact if exploited.
While there is no single cybersecurity solution that can be adopted to prevent data breaches, one aspect of data breach prevention that should be given priority is a software solution that can block email threats. Spam email represents the biggest threat to organizations. Research conducted by PhishMe suggests 91% of all data breaches start with a phishing email. Blocking those malicious emails is therefore essential.
TitanHQ has developed a highly effective spam filtering solution for enterprises – and SMBs – that blocks more than 99.9% of spam email, preventing phishing emails, malware, and ransomware from reaching employees’ inboxes.
To find out how SpamTitan can protect your business from email threats, for a product demonstration and to register for a free trial of SpamTitan, contact the TitanHQ team today.
The U.S. Department of Homeland Security (DHS) has made the use of email authentication technology mandatory for all federal agencies.
There have been numerous email security incidents affecting government agencies in recent years. Federal agencies are a major target for spammers, scammers, and phishers and the email security defenses of federal agencies are constantly tested.
One of the latest incidents involved the spoofing of an email account used by Jared Kushner, causing considerable embarrassment for White House officials. Homeland Security Adviser Tom Bosser was one of the individuals who was fooled into believing the emails were genuine. In his case, the emails were not part of a phishing campaign but were just ‘a bit of fun’ by a UK prankster. However, there are plenty of individuals and groups that have much more sinister motives.
When those cybercriminals succeed, not only is it a major embarrassment for government agencies, it can pose a major threat to national security. When national security is at stake, it pays to have excellent email defenses. However, in the United States (and elsewhere) they are often found to be lacking.
Action clearly needs to be taken to prevent phishing attacks, reduce the potential for government domains to be spoofed, and to make it much harder for phishing emails to be delivered to federal employees’ inboxes. Agari has reported that 90% of 400 government agencies’ protected domains have been targeted with deceptive emails and 25% of all federal agency emails are fraudulent. Even so, email authentication technology is often not used. That is, until now.
DHS Makes DMARC Mandatory for Federal Agencies
Now the DHS has taken action and has made it mandatory for all federal agencies to adopt DMARC. While some federal agencies have already implemented DMARC – the Social Security Administration and the Federal Trade Commission for example – they number in the few. Only 9% of domains have implemented DMARC and use it to block unauthenticated emails, while 82% of federal domains do not use the DMARC email authentication standard at all. Now all federal agencies have been given just 30 days to submit a plan of action and 90 days to implement DMARC. DHS has also made it mandatory for all federal websites to be switched to a secure connection (HTTPS) and for STARTTLS to be implemented for email.
DMARC is an email authentication technology that can be adopted to help authenticate emails, block spam, and reduce the volume of phishing emails that are delivered to inboxes. DMARC is not infallible, but it does offer an additional layer of protection for email, reducing the volume of email threats by around 77%. DMARC also restricts use of domains to legitimate senders. By adopting DMARC, when consumers receive an email from a federal agency such as the IRS, FEMA, or DHHS, they should be able to trust that email, at least once DMARC is implemented.
Many Businesses Struggle with DMARC
While some large enterprises have already adopted DMARC, two thirds of Fortune 500 companies do not use DMARC at all. Implementing the email authentication control is not without its problems. For small to medium sized businesses, implementing DMARC can be problematic. Part of the problem is many businesses need to secure their own internal email systems, but also cloud-based email, and third-party mailing services such as MailChimp or Salesforce. The task of implementing DMARC is often seen as too complex, and even when DMARC is used, it often fails and rarely are the full benefits gained. Consider that even when DMARC is adopted, 23% of phishing emails still make it past defenses, and it is easy to see why it is often not implemented. That said, email authentication technology is required to keep businesses protected from phishing threats.
SpamTitan Protects Businesses from Email Threats
Office 365 uses DMARC to help filter out phishing emails, but on its own it is not sufficient to block all threats. Businesses that use Office 365 can greatly improve their defenses against malicious emails by also adopting a third-party spam filtering solution such as SpamTitan.
SpamTitan incorporates many of the control mechanisms used by Microsoft, but also adds greylisting to greatly improve spam detection rates. Greylisting involves rejecting all emails and requesting they are resent. Since genuine emails are resent quickly, and spam emails are typically not resent as spam servers are busy conducting huge spamming campaigns, this additional control helps to identify far more malicious and unwanted emails. This additional control, along with the hundreds of checks performed by SpamTitan helps to keep spam detection rates well above 99.9%.
If you want to secure your email and block more phishing threats, contact the TitanHQ team today for more information on how SpamTitan can help to keep your inboxes spam free and your networks protected from malware and ransomware.
DoubleLocker ransomware is a new Android threat, which as the name suggests, uses two methods to lock the device and prevent victims from accessing their files and using their device.
As with Windows ransomware variants, DoubleLocker encrypts files on the device to prevent them from being accessed. DoubleLocker ransomware uses a powerful AES encryption algorithm to encrypt stored data, changing files extensions to .cryeye
While new ransomware variants sometimes have a poorly developed encryption process with flaws that allow decryptors to be developed, with DoubleLocker ransomware victims are out of luck.
While it is possible for victims to recover their files from backups, first they must contend with the second lock on the device. Rather than combine the encryption with a screen locker, DoubleLocker ransomware changes the PIN on the device. Without the PIN, the device cannot be unlocked.
Researchers at ESET who first detected this new ransomware variant report that the new PIN is a randomly generated number, which is not stored on the device and neither is it transmitted to the attacker’s C&C. The developers allegedly have the ability to remotely delete the PIN lock and supply a valid key to decrypt data.
The ransom demand is much lower than is typical for Windows ransomware variants, which reflects the smaller quantity of data users store on their smartphones. The ransom demand is set at 0.0130 Bitcoin – around $54. The payment must be made within 24 hours of infection, otherwise the attackers claim the device will be permanently locked. The malware is set as the default home app on the infected device, which displays the ransom note. The device will be permanently locked, so the attackers claim, if any attempts are made to block or remove DoubleLocker.
Researchers at ESET have analyzed DoubleLocker ransomware and report that it is based on an existing Android banking Trojan called Android.BankBot.211.origin, although the ransomware variant does not have the functionality to steal banking credentials from the user’s device.
While many Android ransomware variants are installed via bogus or compromised applications, especially those available through unofficial app stores, DoubleLocker is spread via fake Flash updates on compromised websites.
Even though this ransomware variant is particularly advanced, it is possible to recover files if they have been backed up prior to infection. The device can also be recovered by performing a factory reset. If no backup exists, and the ransom is not paid, files will be lost unless the device has been rooted and debugging mode has been switched on prior to infection.
This new threat shows just how important it is to backup files stored on mobile devices, just as it is with those on your PC or Mac and to think before downloading any web content or software update.
Healthcare organizations are being targeted by hackers and scammers and email is the No1 attack vector. 91% of all cyberattacks start with a phishing email and figures from the Anti-Phishing Working Group indicate end users open 30% of phishing emails that are delivered to their inboxes. Stopping emails from reaching inboxes is therefore essential, as is training healthcare employees to be more security aware.
Since so many healthcare data breaches occur as a result of phishing emails, healthcare organizations must implement robust defenses to prevent attacks. Further, email security is also an important element of HIPAA compliance. Fail to follow HIPAA Rules on email security and a financial penalty could follow a data breach.
Email Security is an Important Element of HIPAA Compliance
HIPAA Rules require healthcare organizations to implement safeguards to secure electronic protected health information to ensure the confidentiality, integrity, and availability of health data.
Email security is an important element of HIPAA compliance. With so many attacks on networks starting with phishing emails, it is essential for healthcare organizations to implement anti-phishing defenses to keep their networks secure.
The Department of Health and Human Services’ Office for Civil Rights has already issued fines to healthcare organizations that have experienced data breaches as a result of employees falling for phishing emails. UW medicine paid OCR $750,000 following a malware-related breach caused when an employee responded to a phishing email. Metro Community Provider Network settled a phishing-related case for $400,000.
One aspect of HIPAA compliance related to email is the risk assessment. The risk assessment should cover all systems, including email. Risk must be assessed and then managed and reduced to an appropriate and acceptable level.
Managing the risk of phishing involves the use of technology and training. All email should be routed through a secure email gateway, and it is essential for employees to receive training to raise awareness of the risk of phishing and the actions to take if a suspicious email is received.
How to Secure Email, Prevent and Identify Phishing Attacks
Email phishing scams today are sophisticated, well written, and highly convincing. It is often hard to differentiate a phishing email from a legitimate communication. However, there are some simple steps that all healthcare organizations can take to improve email security. Simply adopting the measures below can greatly reduce phishing risk and the likelihood of experiencing an email-related breach.
While uninstalling all email services is the only surefire way to prevent email phishing attacks, that is far from a practical solution. Email is essential for communicating with staff members, stakeholders, business associates, and even patients.
Since email is required, two steps that covered entities should take to improve email security are detailed below:
Implement a Third-Party AntiSpam Solution Into Your Email Infrastructure
Securing your email gateway is the single most important step to take to prevent phishing attacks on your organization. Many healthcare organizations will already have added an antispam solution to block spam emails from being delivered to end users’ inboxes, but what about cloud-based email services? Have you secured your Office 365 email gateway with a third-party solution?
You will already be protected by Microsoft’s spam filter, but when all it takes is for one malicious email to reach an inbox, you really need more robust defenses. SpamTitan integrates perfectly with Office 365, offering an extra layer of security that blocks known malware and more than 99.9% of spam email.
Continuously Train Employees and they Will Become Security Assets
End users – the cause of countless data breaches and a constant thorn in the side of IT security staff. They are a weak link and can easily undo the best security defenses, but they can be turned into security assets and an impressive last line of defense. That is unlikely to happen with a single training session, or even a training session given once a year.
End user training is an important element of HIPAA compliance. While HIPAA Rules do not specify how often training should be provide, given the fact that phishing is the number one security threat, training should be a continuous process.
The Department of Health and Human Services’ Office for Civil Rights recently highlighted some email security training best practices in its July cybersecurity newsletter, suggesting “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”
The frequency of training should be dictated by the level of risk faced by an organization. Many covered entities have opted for bi-annual training sessions for the workforce, with monthly newsletters and security updates provided via email, including information on the latest threats such as new phishing scams and social engineering techniques.
OCR also reminded HIPAA covered entities that not all employees respond to the same training methods. It is best to mix it up and use a variety of training tools, such as CBT training, classroom sessions, newsletters, posters, email alerts, team discussions, and phishing email simulation exercises.
Simple Steps to Verify Emails and Identify Phishing Scams
Healthcare employees can greatly reduce the risk of falling of a phishing scam by performing these checks. With practice, these become second nature.
- Hovering the mouse over an email hyperlink to check the true domain. Any anchor text –hyperlinked text other than the actual URL – should be treated as suspicious until the true domain is identified. Also check that the destination URL starts with HTTPS.
- Never reply directly to an email – Always click forward. It’s a little slower, but you will get to see the full email address of the person who sent the message. You can then check that domain name against the one used by the company.
- Pay close attention to the email signature – Any legitimate email should contain contact information. This can be faked, or real contact information may be used in a spam email, but phishers often make mistakes in signatures that are easy to identify.
- Never open an email attachment from an unknown sender – If you need to open the attachment, never click on any links in the document, or on any embedded objects, or click to enable content or run macros. Forward the email to your IT department if you are unsure and ask for verification.
- Never make any bank transfers requested by email without verifying the legitimacy of the request.
- Legitimate organizations will not ask for login credentials by email
- If you are asked to take urgent action to secure your account, do not use any links contained in the email. Visit the official website by typing the URL directly into your browser. If you are not 100% of the URL, check on Google.
Microsoft Office documents containing malicious macros are commonly used to spread malware and ransomware. However, security researchers have now identified Microsoft Office attacks without macros, and the technique is harder to block.
Microsoft Office Attacks Without Macros
While it is possible to disable macros so they do not run automatically, and even disable macros entirely, that will not protect you from this new attack method, which leverages a feature of MS Office called Dynamic Data Exchange or DDE, according to researchers at SensePost. This in-built feature of Windows allows two applications to share the same data, for example MS Word and MS Excel. DDE allows a one- time exchange of data between two applications or continuous sharing of data.
Cybercriminals can use this feature of MS Office to get a document to execute an application without the use of macros as part of a multi-stage attack on the victim. In contrast to macros which flash a security warning before being allowed to run, this attack method does not present the user with a security warning as such.
Opening the MS Office file will present the user with a message saying “This document contains links that may refer to other files. Do you want to open this document with the data from the linked files?” Users who regularly use files that use the DDE protocol may automatically click on yes.
A second dialog box is then displayed asking the user to confirm that they wish to execute the file specified in the command, but the researchers explain that it is possible to suppress that warning.
This technique has already been used by at least one group of hackers in spear phishing campaigns, with the emails and documents appearing to have been sent from the Securities and Exchange Commission (SEC). In this case, the hackers were using the technique to infect users with DNSMessenger fileless malware.
Unlike macros, disabling DDE is problematic. While it is possible to monitor for these types of attacks, the best defense is blocking the emails that deliver these malicious messages using a spam filter, and to train staff to be more security aware and to verify the source of the email before opening any attachments.
Locky Ransomware Updated Again (..and again)
If you have rules set to detect ransomware attacks by scanning for specific file extensions, you will need to update your rules with two new extensions to detect two new Locky ransomware variants. The authors of Locky ransomware have updated their code again, marking four new changes now in a little over a month.
In August and September, Locky was using the .lukitus and .diablo extensions. Then the authors switched to the .ykcol extension. In the past week, a further campaign has been detected using the .asasin extension.
The good news regarding the latter file extension, is it is being distributed in a spam email campaign that will not result in infection. An error was made adding the attachment. However, that is likely to be corrected soon.
The authors of Locky are constantly changing tactics. They use highly varied spam campaigns, a variety of social engineering techniques, and various attachments and malicious URLs to deliver their malicious payload.
For this reason, it is essential to implement a spam filtering solution to prevent these emails from being delivered to end users’ inboxes. You should also ensure you have multiple copies of backups stored in different locations, and be sure to test those backups to make sure file recovery is possible.
To find out more about how you can protect your networks from malicious email messages – those containing macros as well as non-macro attacks – contact the TitanHQ team today.
Ransomware growth in 2017 has increased by 2,502% according to a new report released this week by Carbon Black. The firm has been monitoring sales of ransomware on the darknet, covering more than 6,300 known websites where malware and ransomware is sold, or hired as ransomware-as-a-service. More than 45,000 products have been tracked by the firm.
The file encrypting code has been embraced by the criminal fraternity as a quick and easy method of extorting money from companies. Ransomware growth in 2017 was fueled by the availability of kits that allow campaigns to be easily conducted.
Ransomware-as-a-service now includes the malicious code, admin consoles that allow the code to be tweaked to suit individual preferences, and instructions and guidelines for conducting campaigns. Now, no coding experience is necessary to conduct ransomware campaigns. It is therefore no surprise to see major ransomware growth in 2017, but the extent of that growth is jaw-dropping.
Ransomware sales now generate $6.2 million a year, having increased from $249,287 in 2016. The speed at which ransomware sales have grown has even surprised security experts. According to the report, the developers of a ransomware variant can make as much as $163,000 a year. Compare that to the amount they would make working for a company and it is not hard to see the attraction. That figure is more than double the average earnings for a legitimate software developer.
Ransomware can now be obtained via these darknet marketplaces for pocket change. The report indicates ransomware kits can be purchased for as little as 50 cents to $1 for screen lockers. Some custom ransomware variants, where the source code is supplied, sell for between $1,000 and $3,000, although the median amount for standard ransomware is $10.50. The developers of the code know full well that they can make a fortune on the back end by taking a cut of the ransomware profits generated by their affiliates.
Ransomware attacks are profitable, so there is no shortage of affiliates willing to conduct attacks. Carbon Black suggests 52% of firms are willing to pay to recover encrypted files. Many businesses would pay up to $50,000 to regain access to their files according to the report. A previous study conducted by IBM in 2016 showed that 70% of businesses attacked with ransomware have paid the ransom to recover their files, half of businesses paid more than $10,000 and 20% paid over $40,000.
Figures released by the FBI suggest ransomware revenues were in excess of $1 billion last year, up from $24 million in 2015. However, since many companies keep infections and details of ransomware payments quiet, it is probable that the losses are far higher.
Since the ransomware problem is unlikely to go away, what businesses must do is to improve their defenses against attacks – That means implementing technology and educating the workforce to prevent attacks, deploy software solutions to detect attacks promptly when they occur to limit the damage caused, and make sure that in the event of an attack, data can be recovered.
Since the primary attack vector for ransomware is email, companies should ensure they use an advanced spam filtering solution to prevent the malicious emails from being delivered to end users. SpamTitan block more than 99.9% of spam email, keeping inboxes ransomware free.
Employee education is critical to prevent risky behavior and ensure employees recognize and report potentially malicious emails. To ensure recovery is possible without paying the ransom, firms should ensure multiple backups are made. Those backups should be tested to make sure data can be recovered. Best practices for backing up data are to ensure three copies exist, stored on at least two different media, with one copy stored off site.
Email may be the primary vector used to conduct cyberattacks on businesses, but there has been a massive rise in cyberattacks on websites in recent months. The second quarter of 2017 saw a 186% increase in cyberattacks on websites, rising from an average of 22 attacks per day in Q1 to 63 attacks per day in Q2, according to a recent report from SiteLock. These sites were typically run by small to mid-sized companies.
WordPress websites were the most commonly attacked – The average number of attacks per day was twice as high for WordPress sites as other content management platforms. That said, security on WordPress sites is typically better than other content management platforms.
Joomla websites were found to contain twice the number of vulnerabilities as WordPress sites, on average. Many users of Joomla were discovered to be running versions of the CMS that are no longer supported. One in five Joomla sites had a CMS that had not been updated in the past 5 years. Typically, users of Joomla do not sign up for automatic updates.
WordPress sites are updated more frequently, either manually or automatically, although that is not the case for plugins used on those sites. While the CMS may be updated to address vulnerabilities, the updates will not prevent attacks that leverage vulnerabilities in third party plugins.
The study revealed 44% of 6 million websites assessed for the study had plugins that were out of date by a year or more. Even when websites were running the latest version of the CMS, they are still being compromised by cybercriminals who exploited out of date plugins. Seven out of 10 compromised WordPress sites were running the latest version of the WordPress.
There is a common misconception than website security is the responsibility of the hosting provider, when that is not the case. 40% of the 20,000 website owners who were surveyed believed it was their hosting company that was responsible for securing their websites.
Most cyberattacks on websites are automated. Bots are used to conduct 85% of cyberattacks on websites. The types of attacks were highly varied, including SQL injection, cross-site scripting attacks, local and remote file inclusion, and cross-site request forgery.
SiteLock noted that in 77% of cases where sites had been compromised with malware, this was not picked up by the search engines and warnings were not being displayed by browsers. Only 23% of sites that were compromised with malware triggered a browser warning or were marked as potentially malicious websites by search engines.
Due to major increase in attacks, it is strongly recommended that SMBs conduct regular scans of their sites for malware, ensure their CMS is updated automatically, and updates are performed on all plugins on the site. Taking proactive steps to secure websites will help SMBs prevent website-related breaches and stop their sites being used to spread malware or be used for phishing.
FormBook malware is being used in targeted attacks on the manufacturing and aerospace sectors according to researchers at FireEye, although attacks are not confined to these industries.
So far, the attacks appear to have been concentrated on organizations in the United States and South Korea, although it is highly likely that attacks will spread to other areas due to the low cost of this malware-as-a-service, the ease of using the malware, and its extensive functionality.
FormBook malware is being sold on underground forms and can be rented cheaply for as little as $29 a month. Executables can be generated using an online control panel, a process that requires next to no skill. This malware-as-a-service is therefore likely to be used by many cybercriminals.
FormBook malware is an information stealer that can log keystrokes, extract data from HTTP sessions and steal clipboard content. Via the connection to its C2 server, the malware can receive and run commands and can download files, including other malware variants. Malware variants discovered to have already been downloaded by FormBook include the NanoCore RAT.
FireEye researchers also point out that the malware can steal passwords and cookies, start and stop Windows processes, and force a reboot of an infected device.
FormBook malware is being spread via spam email campaigns using compressed file attachments (.zip, .rar), .iso and .ace files in South Korea, while the attacks in the United States have mostly involved .doc, .xls and .pdf files. Large scale spam campaigns have been conducted to spread the malware in both countries.
The U.S campaigns detected by FireEye used spam emails related to shipments sent via DHL and FedEx – a common choice for cybercriminals. The shipment labels, which the emails say must be printed in order to collect the packages, are in PDF form. Hidden in the document is a tny.im URL that directs victims to a staging server that downloads the malware. The campaigns using Office documents deliver the malware via malicious macros. The campaigns conducted in South Korea typically include the executables in the attachments.
While the manufacturing industry and aerospace/defense contractors are being targeted, attacks have been conducted on a wide range of industries, including education, services/consulting, energy and utility companies, and the financial services. All organizations, regardless of their sector, should be alert to this threat.
Organizations can protect against this new threat by adopting good cybersecurity best practices such as implementing a spam filtering solution to block malicious messages and stop files such as ISOs and ACE files from being delivered to end users. Organizations should also alert their employees to the threat of attack and provide training to help employees recognize this spam email campaign. Macros should also be disabled on all devices if they are not necessary for general work duties, and at the very least, should be set to be run manually.
The 2013 Yahoo data breach was already the largest data breach in U.S. history, now it has been confirmed that it was even larger than first thought.
Verizon has now confirmed that rather than the breach impacting approximately 1 billion email accounts, the 2013 Yahoo data breach involved all of the company’s 3 billion email accounts.
Prior to the disclosure of the 2013 Yahoo data breach, a deal had been agreed with Yahoo to Verizon. The disclosure of a 1-billion record data breach and a previous breach impacting 500 accounts during the final stages of negotiations saw the sale price cut to $4.48 billion – A reduction of around $350 million or 7% of the sale price. It is unclear whether this discovery will prompt Verizon to seek a refund of some of that money.
Verizon reports that while Yahoo’s email business was being integrated into its new Oath service, new intelligence was obtained to suggest all of Yahoo’s 3 billion accounts had been compromised. Third party forensic experts made the discovery. That makes it the largest data breach ever reported by a considerable distance, eclipsing the 360 million record breach at MySpace discovered in 2016 and the 145 million record breach at E-Bay in 2015.
The data breach involved the theft of email addresses and user ID’s along with hashed passwords. No stored clear-text passwords are understood to have been obtained, and neither any financial information. However, since the method used to encrypt the data was outdated, and could potentially be cracked, it is possible that access to the email accounts was gained. Security questions and backup email addresses were also reportedly obtained by the attackers.
The scale of the cyberattack is astonishing, and so is the potential fallout. Already there have been more than 40 class action lawsuits filed by consumers, with the number certain to grow considerably since the announcement that the scale of the breach has tripled.
Verizon has said all of the additional breach victims have been notified by email, but that many of the additional accounts were opened and never used, or had only been used briefly. Even so, this is still the largest data breach ever reported.
The 2013 Yahoo data breach was investigated and has been linked to state-sponsored hackers, four of whom have been charged with the hack and data theft, including two former Russian intelligence officers.One of those individuals is now in custody in the Untied States.
Today is the start of the 14th National Cyber Security Month – A time when U.S. citizens are reminded of the importance of practicing good cyber hygiene, and awareness is raised about the threat from malware, phishing, and social engineering attacks.
The cybersecurity initiative was launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) with the aim of creating resources for all Americans to help them stay safe online.
While protecting consumers has been the main focus of National Cyber Security Month since its creation, during the past 14 years the initiative has been expanded considerably. Now small and medium-sized businesses, corporations, and healthcare and educational institutions are assisted over the 31 days of October, with advice given to help develop policies, procedures, and implement technology to keep networks and data secure.
National Cyber Security Month Themes
2017 National Cyber Security Month focuses on a new theme each week, with resources provided to improve understanding of the main cybersecurity threats and explain the actions that can be taken to mitigate risk.
Week 1: Oct 2-6 – Simple Steps to Online Safety
It’s been 7 years since the STOP. THINK. CONNECT campaign was launched by the NCSA and the Anti-Phishing Workshop. As the name suggests, the campaign encourages users learn good cybersecurity habits – To assume that every email and website may be a scam, and to be cautions online and when opening emails. Week one will see more resources provided to help consumers learn cybersecurity best practices.
Week 2: Oct 9-13 – Cybersecurity in the Workplace
With awareness of cyber threats raised with consumers, the DHS and NCSA turn their attention to businesses. Employees may be the weakest link in the security chain, but that need not be the case. Education programs can be highly effective at improving resilience to cyberattacks. Week 2 will see businesses given help with their cyber education programs to develop a cybersecurity culture and address vulnerabilities. DHS/NCSA will also be promoting the NIST Cybersecurity Framework and explaining how its adoption can greatly improve organizations’ security posture.
Week 3: Oct 16-20 –Predictions for Tomorrow’s Internet
The proliferation of IoT devices has introduced many new risks. The aim of week three is to raise awareness of those risks – both for consumers and businesses – and to provide practical advice on taking advantage of the benefits of smart devices, while ensuring they are deployed in a secure and safe way.
Week 4: Oct 23-27 –Careers in Cybersecurity
There is a crisis looming – A severe lack of cybersecurity professionals and not enough students taking up cybersecurity as a profession. The aim of week 4 is to encourage students to consider taking up cybersecurity as a career, by providing resources for students and guidance for key influencers to help engage the younger generation and encourage them to pursue a career in cybersecurity.
Week 5: Oct 30-31 – Protecting Critical Infrastructure
As we have seen already this year, nation-state sponsored groups have been sabotaging critical infrastructure and cybercriminals have been targeting critical infrastructure to extort money. The last two days of October will see awareness raised of the need for cybersecurity to protect critical infrastructure, which will serve as an introduction to Critical Infrastructure Security and Resilience Month in November.
European Cyber Security Month
While National Cyber Security Month takes place in the United States, across the Atlantic, European Cyber Security Month is running in tandem. In Europe, similar themes will be covered with the aim of raising awareness of cyber threats and explaining the actions EU citizens and businesses can take to stay secure.
This year is the 5th anniversary of European Cyber Security Month – a collaboration between The European Union Agency for Network and Information Security (ENISA), the European Commission DG CONNECT and public and private sector partners.
As in the United States, each week of October has a different theme with new resources and reports released, and events and activities being conducted to educate the public and businesses on cybersecurity.
European Cyber Security Month Themes
This year, the program for European Cyber Security Month is as follows:
Week 1: Oct 2-6 – Cybersecurity in the Workplace
A week dedicated to helping businesses train their employees to be security assets and raise awareness of the risks from phishing, ransomware, and malware. Resources will be provided to help businesses teach their employees about good cyber hygiene.
Week 2: Oct 9-13 – Governance, Privacy & Data Protection
With the GDPR compliance date just around the corner, businesses will receive guidance on compliance with GDPR and the NIS Directive to help businesses get ready for May 2018.
Week 3: Oct 16-20 – Cybersecurity in the Home
As more IoT devices are being used in the home, the risk of cyberattacks has grown. The aim of week 3 is to raise awareness of the threats from IoT devices and to explain how to keep home networks secure. Awareness will also be raised about online fraud and scams targeting consumers.
Week 4: Oct 23-27 – Skills in Cyber Security
The aim in week 4 is to encourage the younger generation to gain the cyber skills they will need to embark upon a career in cybersecurity. Educational resources will be made available to help train the next generation of cybersecurity professionals.
Use October to Improve Your Cybersecurity Defenses and Train Your Workforce to Be Security Titans
This Cyber Security Month, why not take advantage of the additional resources available and use October to improve your cybersecurity awareness and train your employees to be more security conscious.
When the month is over, don’t shelve cybersecurity for another 12 months. The key to remaining secure and creating a security culture in the workplace is to continue training, assessments, and phishing tests throughout the year. October should be taken as a month to develop and implement training programs and to work toward creating a secure work environment and build a cybersecurity culture in your place of work.
A warning has been issued to digital civil liberties activists by the Electronic Frontier Foundation about the risk of targeted spear phishing attacks. The phishing warning comes after spate of phishing attacks on digital civil liberties groups over the summer, at least one of which resulted in the disclosure of login credentials.
The attacks were directed at two NGOs – Free Press and Fight for Future – both of which are advocates of net neutrality. The campaign appears to have been conducted by the same individual and included at least 70 phishing attempts between July and August. The attacks started on July 12, which is Save Net Neutrality Day of Action – a day of protest against the FCC’s proposed rollback of net neutrality protections.
While phishing emails are often sent with the purpose of installing malware, in this case the aim was to obtain login credentials to LinkedIn, Google, and Dropbox accounts.
Spear phishing emails were sent using a variety of themes from standard phishing emails to sophisticated and highly creative scams. While most of the attempts failed, the scammer was able to obtain the credentials of at least one account. The compromised Google account was used to send further spear phishing emails to other individuals in the organization. It is unclear what other goals the attacker had, and what the purpose of gaining access to the accounts was.
The phishing campaign was analysed by Eva Galperin and Cooper Quintin at the Electronic Frontier Foundation. They said some of the phishing emails were simple phishing attempts, where the attacker attempted to direct end users to a fake Google document. Clicking the link would direct the user to a site where they were required to enter their Google account details to view the document. Similar phishing emails were sent in an attempt to obtain LinkedIn credentials, using fake LinkedIn notifications. Others contained links to news stories that appeared to have been shared by contacts.
As the campaign progressed, the attacker got more inventive and the attacker started researching the targets and using personal information in the emails. One email was sent in which the scammer pretended to be the target’s husband, signing the email with his name. Another email was sent masquerading as a hateful comment on a video the target had uploaded to YouTube.
A pornography-related phishing scam was one of the most inventive attempts to gain access to login credentials. Emails were sent to targets masquerading as confirmations from well-known pornographic websites such as Pornhub and RedTube. The emails claimed the recipient had subscribed to the portals.
The initial email was then followed up with a further email containing a sexually explicit subject line. The sender name was spoofed to make it appear that the email was sent from Pornhub. The unsubscribe link on the email directed the user to a Google login page where they were asked for their credentials.
It is not clear whether the two NGOs were the only organizations targeted. Since these attacks may be part of a wider campaign, EFF is alerting all digital civil liberties activists to be aware of the threat. Indicators of compromise have been made available here.
A new malware threat named RedBoot has been discovered that bears some similarities to NotPetya. Like NotPetya, RedBoot malware appears to be a form of ransomware, when in actual fact it is a wiper at least in its current form.
RedBoot malware is capable of encrypting files, rendering them inaccessible. Encrypted and given the .locked extension. Once the encryption process is completed, a ‘ransom’ note is shown to the user, providing an email address to use to find out how to unlock the encrypted files. Like NotPetya, RedBoot malware also makes changes to the master boot record.
RedBoot includes a module that overwrites the current master boot record and it also appears that changes are made to the partition table, but there is currently no mechanism for restoring those changes. There is also no command and control server and even though an email address is provided, no ransom demand appears to be issued. RedBoot is therefore a wiper, not ransomware.
According to Lawrence Abrams at BeepingComputer who has obtained a sample of the malware and performed an analysis, RedBoot is most likely a poorly designed ransomware variant in the early stages of development. Abrams said he has been contacted by the developer of the malware who claimed the version that was studied is a development version of the malware. He was told an updated version will be released in October. How that new version will be spread is unknown at this stage.
Even if it is the intention of the developer to use this malware to extort money from victims, at present the malware causes permanent damage. That may change, although this malware variant may remain a wiper and be used simply to sabotage computers.
It is peculiar that an incomplete version of the malware has been released and advance notice has been issued about a new version that is about to be released, but it does give businesses time to prepare.
The attack vector is not yet known, so it is not possible to give specific instructions on how to prevent RedBoot malware attacks. The protections that should be put in place are therefore the same as for blocking any malware variant.
A spam filtering solution should be implemented to block malicious emails, users should be alerted to the threat of phishing emails and should be training how to identify malicious emails and told never to open attachments or click on hyperlinks sent from unknown individuals.
IT teams should ensure all computers and servers are fully patched and that SMBv1 has been disabled or SMBv1 vulnerabilities have been addressed and antivirus software should be installed on all computers.
It is also essential to back up all systems to ensure that in the event of an attack, systems can be restored and data recovered.
Ransomware developers have leveraged the EternalBlue exploit, now the criminals behind the Retefe banking Trojan have added the NSA exploit to their arsenal.
The EternalBlue exploit was released in April by the hacking group Shadow Brokers and was used in the global WannaCry ransomware attacks. The exploit was also used, along with other attack vectors, to deliver the NotPetya wiper and more recently, has been incorporated into the TrickBot banking Trojan.
The Retefe banking Trojan is distributed via malicious Microsoft Office documents sent via spam email. In order for the Trojan to be installed, the emails and the attachments must be opened and code must be run. The attackers typically use Office documents with embedded objects which run malicious PowerShell code if clicked. Macros have also been used in some campaigns to deliver the malicious payload.
Researchers at Proofpoint have now obtained a sample of the Retefe banking Trojan that includes the EternalBlue SMBv1 exploit. The EternalBlue module downloads a PowerShell script and an executable. The script runs the executable, which installs the Trojan.
The researchers noted the module used in the WannaCry attacks that allowed rapid propagation within networks – Pseb – was lacking in Retefe, although that may be added at a later date. It would appear that the criminals behind the campaign are just starting to experiment with EternalBlue.
Other banking Trojans such as Zeus have been used in widespread attacks, although so far attacks using the Retefe banking Trojan have largely been confined to a limited number of countries – Austria, Sweden, Switzerland, Japan, and the United Kingdom.
Businesses in these countries will be vulnerable to Retefe, although due to the number of malware variants that are now using EternalBlue, all businesses should ensure they mitigate the threat. Other malware variants will almost certainly be upgraded to include EternalBlue.
Mitigating the threat from EternalBlue (CVE-2017-0144) includes applying the MS17-010 patch and also blocking traffic associated with the threat through your IDS system and firewall. Even if systems have been patched, a scan for vulnerable systems should still be conducted to ensure no devices have been missed.
Since the Retefe Trojan is primarily being spread via spam email, a spam filter should be implemented to prevent malicious messages from reaching end users. By implementing SpamTitan, businesses can protect their networks against this and other malware threats delivered via spam email.
While most ransomware attacks occur via phishing emails or exploit kits and require some user interaction, SMBv1 ransomware attacks occur remotely with no user interaction required.
These attacks exploit a vulnerability in Windows Server Message Block protocol (SMB), a communication protocol typically used for sharing printers and other network resources. SMB operates in the application layer and is typically used over TCP/IP Port 445 and 139.
A critical flaw in SMBv1 was identified and addressed by Microsoft in a March 14, 2017 security update – MS17-010. At the time, Microsoft warned that exploitation of the flaw could allow remote code execution on a vulnerable system.
An exploit for the flaw, termed EternalBlue, was reportedly used by the U.S. National Security Agency’s Equation Group for four years prior to the vulnerability being plugged. That exploit, along with several others, was obtained by a hacking group called Shadow Brokers. The EternalBlue exploit was disclosed publicly in April, after attempts to sell the exploit failed. Following its release, it was not long before malware developers incorporated the exploit and used it to remotely attack vulnerable systems.
The exploit was primarily used to attack older operating systems such as Windows 7 and Windows Server 2012, although other systems are also vulnerable, including Windows Server 2016. The security update addresses the flaw in all vulnerable systems. Microsoft also released a patch for the long-retired Windows XP.
The most widely reported SMBv1 ransomware attacks occurred in May and involved WannaCry ransomware. WannaCry exploited the SMBv1 vulnerability and used TCP Port 445 to propagate. These SMBv1 ransomware attacks were conducted around the globe, although fortunately a kill switch was found which was used to disable the ransomware and prevent file encryption.
While that spelled the end of WannaCry, the SMBv1 attacks continued. NotPetya – not a ransomware variant but a wiper – also used the EternalBlue exploit to attack systems, and with the code still publicly available, other malware developers have incorporated the exploit into their arsenal. Any business that has not yet applied the MS17-010 patch will still be vulnerable to SMBv1 ransomware attacks. Other malware developers are now using the exploit to deliver banking Trojans.
While most businesses have now applied the patch, there are some that are still running vulnerable operating systems. There is also a risk that even when patches have been applied, devices may have been missed.
All businesses should therefore make sure their systems have been patched, but should also perform a scan to ensure no devices have slipped through the net and remain vulnerable. All it takes is for one unpatched device to exist on a network for ransomware or malware to be installed.
There are several commercially available tools that can be used to scan for unpatched devices, including this free tool from ESET. It is also recommended to block traffic associated with EternalBlue through your IDS system or firewall.
If you still insist on using Windows XP, you can at least stop the SMB flaw from being exploited with this patch, although an upgrade to a supported OS is long overdue. The MS17-010 patch for all other systems can be found on this link.
The CCleaner hack that saw a backdoor inserted into the CCleaner binary and distributed to at least 2.27 million users was far from the work of a rogue employee. The attack was much more sophisticated and bears the hallmarks of a nation state actor. The number of users infected with the first stage malware may have been be high, but they were not being targeted. The real targets were technology firms and the goal was industrial espionage.
Avast, which acquired Piriform – the developer of Cleaner – in the summer, announced earlier this month that the CCleaner v5.33.6162 build released on August 15 was used as a distribution vehicle for a backdoor. Avast’s analysis suggested this was a multi-stage malware, capable of installing a second-stage payload; however, Avast did not believe the second-stage payload ever executed.
Swift action was taken following the discovery of the CCleaner hack to take down the attacker’s server and a new malware-free version of CCleaner was released. Avast said in a blog post that simply updating to the new version of CCleaner – v5.35 – would be sufficient to remove the backdoor, and that while this appeared to be a multi-stage malware
Further analysis of the CCleaner hack has revealed that was not the case, at least for some users of CCleaner. The second stage malware did execute in some cases.
The second payload differed depending on the operating system of the compromised system. Avast said, “On Windows 7+, the binary is dumped to a file called “C:\Windows\system32\lTSMSISrv.dll” and automatic loading of the library is ensured by autorunning the NT service “SessionEnv” (the RDP service). On XP, the binary is saved as “C:\Windows\system32\spool\prtprocs\w32x86\localspl.dll” and the code uses the “Spooler” service to load.”
Avast determined the malware was an Advanced Persistent Threat that would only deliver the second-stage payload to specific users. Avast was able to determine that 20 machines spread across 8 organizations had the second stage malware delivered, although since logs were only collected for a little over 3 days, the actual total infected with the second stage was undoubtedly higher. Avast estimates the number of devices infected was likely “in the hundreds”.
Avast has since issued an update saying, “At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany.”
The majority of devices infected with the first backdoor were consumers, since CCleaner is a consumer-oriented product; however, consumers are believed to be of no interest to the attackers and that the CCleaner hack was a watering hole attack. The aim was to gain access to computers used by employees of tech firms. Some of the firms targeted in this CCleaner hack include Google, Microsoft, Samsung, Sony, Intel, HTC, Linksys, D-Link, and Cisco.
The second stage of the attack delivered keylogging and data collection malware. Kaspersky and FireEye researchers have connected the attack to the hacking group APT 17, noting similarities in the infrastructure with the nation state actor. It was APT 17 that was behind the Operation Aurora attack which similarly targeted tech companies in 2009. Cisco Talos researchers noted that one of the configuration files was set to a Chinese time zone, further suggesting this was the work of a nation-state hacking group based in China.
While Avast previously said upgrading to the latest version would be sufficient to remove the backdoor, it would not remove the second-stage malware. Data could still be exfiltrated to the attackers C2 server, which was still active. Avast is currently working with the targeted companies and is providing assistance.
Cisco Talos criticized Avast’s stance on the attack, explaining in a recent blog post, “it’s imperative to take these attacks seriously and not to downplay their severity,” also suggesting users should “restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”
A new spam email ransomware campaign has been launched that has potential to infect users twice, with both Locky and FakeGlobe ransomware.
The campaign, which was launched earlier this month, sees the attackers alternate the payload between Locky and FakeGlobe ransomware. The researchers that discovered the campaign suggest the payload alternates each hour.
This method of distribution cpould result in victims being infected twice, first having their files encrypted by Locky ransomware, and then re-encrypted by FakeGlobe ransomware or vice versa. In such cases, two ransom payments would have to be paid if files could not be recovered from backups.
While the use of two malware variants for spam email campaigns is not new, it is much more typical for different forms of malware to be used, such as pairing a keylogger with ransomware. In such cases, if the ransom is paid to unlock data, the keylogger would likely remain and allow data to be stolen for use in further attacks.
As with previous attacks involving Locky, this double ransomware campaign involves fake invoices – one of the most effective ways of getting business users to open infected email attachments. In this campaign, the attachment claims to be the latest invoice which takes the form of a zip file. Opening that zip file and clicking to open the extracted file launches a script that downloads the malicious payload.
The emails also contain a hyperlink with the text “View Your Bill Online,” which will download a PDF file containing the same script as the attachment, although it connects to different URLs.
This campaign is widespread, being distributed in more than 70 countries with the large-scale spam campaign involving hundreds of thousands of messages.
Infections with Locky and FakeGlobe ransomware see a wide range of file types encrypted and there is no free decryptor to unlock the infections. Victims must either restore their files from backups or pay the ransom to recover their data.
If businesses are targeted, they can easily see multiple users fall for the campaigns, requiring multiple computers to be decrypted. However, since ransomware can spread across networks, all it takes is for one user to be fooled into downloading the ransomware for entire systems to be taken out of action. If data cannot be recovered from backups, multiple ransom payments will need to be made.
Good backup policies will help protect businesses against file loss and prevent them from having to pay ransoms; although, even if backups exist, organizations can experience considerable downtime while the malware is removed, files are restored, and networks are analyzed for other malware infections and backdoors.
Spam email remains the vector of choice for distributing ransomware. Organizations can reduce the risk of ransomware attacks by implementing an advanced spam filter such as SpamTitan. SpamTitan blocks more than 99.9% of spam emails, preventing malicious emails from reaching end users’ inboxes.
While most organizations are now using spam filtering software to prevent attacks, a recent study conducted by PhishMe suggests 15% of businesses are still not using email gateway filtering, leaving them at a high risk of ransomware attacks. Given the volume of phishing and ransomware emails now being sent, email filtering solutions are a necessity.
CCleaner malware infections continued for a month before the compromised binary was detected and the backdoor was removed.
Avast, which acquired Piriform over the summer, announced that between August 15 and September 15, a rogue version of the application was available on its server and was being downloaded by users. During that time, around 3% of users of the PC cleaning application had been infected according to Piriform.
Cisco Talos, which independently discovered the build of CCleaner had malware included, reported around 5 million users download the program each week, potentially meaning up to 20 million users may have been affected. However, Piriform suggests around 2.27 users had downloaded and installed the backdoor along with the legitimate application. On Monday this week, around 730,000 users had not yet updated to the latest, clean version of the program.
Any individual that downloaded the application on a 32-bit system between August 15 and September 15 was infected with the CCleaner malware, which was capable of gathering information about the users’ system. The malware in question was the Floxif Trojan, which had been incorporated into the build before Avast acquired Piriform.
The CCleaner malware collected details of users’ IP addresses, computer names, details of software installed on their systems and the MAC addresses of network adaptors, which were exfiltrated to the attackers C2 server. The CCleaner malware laced application was only part of the story. Avast says the attack involved a second stage payload, although it would appear the additional malware never executed.
The versions of the software affected were v5.33.6162 and CCleaner Cloud v1.07.3191. The malware reportedly did not execute on 64-bit systems and the Android app was unaffected. The malware was detected on September 13, 2017, although an announcement was not initially made as Avast and Piriform were working with law enforcement and did not want to alert the attackers that the malware had been detected.
The individuals behind the attack used a valid digital signature that was issued to Piriform by Symantec along with a Domain Generation Algorithm to ensure that new domains could be generated to receive exfiltrated data from compromised systems in the event that the main domain was taken down.
Now that the malware has been removed, users can simply download version 5.34 of the application which will remove the backdoor. Users of the Cloud version need do nothing, as the application has been updated to a clean version automatically. While simply updating the software should resolve all issues, users are advised to perform a full virus scan to make sure no additional malware has been introduced onto their system.
At present, it is unclear who was responsible for this supply chain attack or how the Floxif Trojan was introduced. It is possible that external hackers gained access to the development or build environment or that the Trojan was introduced from within.
Attacks such as this have potential to infect many millions of users since downloads from the developers of an application are trusted. In this case, the malware was included in the binary which was hosted on Piriform’s server – not on a third-party site.
A similar supply chain attack saw a software update for the Ukrainian accounting application MeDoc compromised. That attack resulted in the download of the NotPetya wiper, which caused billions of dollars of losses for companies.
Consumers should be wary of Equifax phishing scams in the wake of the massive data breach announced earlier this month. The 143 million records potentially stolen in the breach will be monetized, which means many will likely be sold to scammers.
Trend Micro has suggested a batch of data of this scale could easily be sold for $27 million on underground marketplaces and there would be no shortage of individuals happy to pay for the data. The records include the exact types of information that is sought by identity thieves, phishers, and scammers.
However, it is not necessary to have access to the stolen records to pull of scams. Many opportunistic cybercriminals are taking advantage of consumer interest in the breach and are preparing phishing websites to fool the unwary into revealing their sensitive information. Equifax’s response to the breach has also made it easier for phishers to ply their trade.
Equifax has taken the decision not to inform all breach victims by mail. Only the 209,000 individuals whose credit card numbers were exposed will be receiving a breach notification letter in the mail. All the remaining breach victims will have to check the Equifax website to find out if their information was compromised in the breach. With almost half the population affected, and next to no one being directly informed, virtually the entire population of the United States will need to head online to find out if they have been affected by the breach.
Equifax has set up a new domain where information is provided to consumers on the steps they can take to secure their accounts and minimize the risk of financial harm. The official website is equifaxsecurity2017.com. Via this website, U.S consumers can get regular updates and enroll in the free credit monitoring services being offered.
To obtain the free credit monitoring services, consumers will be routed to a website with the domain trustedidpremier.com and will need to enter their name and the last six digits of their social security number to start the process. Cybercriminals have been quick to take advantage and have registered swathes of websites and are using them to phish for sensitive information.
Consumers Should Be Wary of Equifax Phishing Scams
USA Today reports that 194 domains closely resembling the site used by Equifax have already been registered in the past few days. Those domains closely mimic the site used by Equifax, with transposed letters and common typos likely to be made by careless typists. Many of the sites have already been shut down, but more are likely to be registered.
The purpose of these sites is simple. To obtain sensitive information such as names, addresses, Social Security numbers and dates of birth.
The technique is called typosquatting. It is extremely common and very effective. The websites use the same logos and layouts as the genuine sites and they fool many visitors into revealing their sensitive information. Links to the websites are sneaked into malicious adverts displayed via third-party ad networks and are emailed out in large scale phishing campaigns. Consumers should therefore exercise extreme caution and be alert to Equifax phishing scams sent via email and text message.
Consumers should also be careful about revealing sensitive information online and should treat all email attachments and emailed hyperlinks as potentially malicious. Consumers should look for the warning signs of phishing attacks in any email received, especially if it appears to have been sent from Equifax or another credit monitoring bureau, a credit card company, bank or credit union. Email, text messages and telephone scams are likely to be rife following an attack on this scale.
Additionally, all U.S. citizens should closely monitor their credit and bank accounts, Explanation of Benefits Statements, and check their credit reports carefully. Criminals already have access to a large amount of data and will be using that information for identity theft and fraud over the coming days, weeks, months and years.
It has been confirmed that poor patch management policies opened the door for hackers and allowed them to gain access to the consumer data stored by the credit monitoring bureau Equifax. The massive Equifax data breach announced earlier this month saw the personal information – including Social Security numbers – of almost half the population of the United States exposed/stolen by hackers.
Poor Patch Management Policies to Blame for Yet Another Major Cyberattack
The vulnerability may have been different to that exploited in the WannaCry ransomware attacks in May, but it was a similar scenario. In the case of WannaCry, a Microsoft Server Message Block vulnerability was exploited, allowing hackers to install WannaCry ransomware.
The vulnerability, tracked as CVE-2017-010, was corrected in March 2017 and a patch was issued to prevent the flaw from being exploited. Two months later, the WannaCry ransomware attacks affected organizations around the world that had not yet applied the patch.
Few details about the Equifax data breach were initially released, with the firm only announcing that access to consumer data was gained via a website application vulnerability. Equifax has now confirmed that access to data was gained by exploiting a vulnerability in Apache Struts, specifically, the Apache Struts vulnerability tracked as CVE-2017-5638.
As with WannaCry, a patch had been released two months before the attack took place. Hackers took advantage of poor patch management policies and exploited the vulnerability to gain access to consumer information.
The Exploited Apache Struts Vulnerability
Apache Struts is used by many Fortune 100 firms and is popular with banks, airlines, governments, and e-commerce stores. Apache Struts is an open-source, MVC framework that allows organizations to create front and back-end Java web applications, such as applications on the public website of Equifax.
The CVE-2017-5638 Apache Struts vulnerability is well known. Details of the vulnerability were published in March 2017 and a patch was issued to correct the flaw. The flaw is relatively easy to exploit, and within three days of the patch being issued, hackers started to exploit the vulnerability and attack web applications that had not been patched.
The remote code execution vulnerability allows an attacker to execute arbitrary code in the context of the affected application. While many organizations acted quickly, for some, applying the patch was not straightforward. The process of upgrading and fixing the flaw can be a difficult and labor-intensive task. Some websites have hundreds of apps that all need to be updated and tested. While it is currently unclear if Equifax was in the process of upgrading the software, two months after the patch had been released, Equifax had still not updated its software. In mid-May, the flaw was exploited by hackers and access was gained to consumer data.
Poor Patch Management Policies Will Lead to Data Breaches
All software contains vulnerabilities that can be exploited. It is just a case of those vulnerabilities being found. Already this year, there have been several vulnerabilities discovered in Apache Struts of varying severity. As soon as new vulnerabilities are discovered, patches are developed to correct the flaws. It is up to organizations to ensure patches are applied promptly to keep their systems and data secure. Had the patch been applied promptly, the breach could have been prevented.
Even though a widely exploited vulnerability was known to exist, Equifax was not only slow to correct the flaw but also failed to detect that a breach had occurred for several weeks. In this case, it would appear that the attackers were throttling down on data exfiltration to avoid detection, although questions will certainly be asked about why it took so long for the Equifax cyberattack to be discovered.
Since zero-day vulnerabilities are often exploited before software developers become aware of flaws and develop patches, organizations – especially those of the size of Equifax – should be using intrusion detection solutions to monitor for abnormal application activity. This will help to ensure any zero-day exploits are rapidly identified and action is taken to limit the severity of any breach.
What Will the Cost of the Equifax Data Breach Be?
The cost of the Equifax data breach will be considerable. State attorneys general are lining up to take action against the credit monitoring bureau for failing prevent the breach. 40 attorneys general have already launched and Massachusetts attorney general Maura Healey has announced the state will be suing Equifax for breaching state laws.
Healey said, the Equifax data breach was “the most egregious data breach we have ever seen. It is as bad as it gets.” New York Attorney General Eric Schneiderman has also spoken out about the breach promising an in-depth investigation to determine whether state laws have been violated. If they have, action will certainly be taken.
U.S. consumers are also extremely angry that their highly sensitive information has been breached, especially since they did not provide their data to Equifax directly. Class-action lawsuits are certain to be launched to recover damages.
As if the breach itself is not bad enough, questions have been raised about the possibility of insider trading. Three Equifax executives allegedly sold $2 million in stock just days after the breach was discovered and before it had been made public.
The final cost of the Equifax data breach will not be known for years to come, although already the firm has lost 35% of its stock value – wiping out around $6 billion. Multiple lawsuits will be filed, there are likely to be heavy fines. The cost of the Equifax breach is therefore certain to be of the order of hundreds of millions. Some experts have suggested a figure of at least 300 million is likely, and possibly considerably more.
Cyberattacks on Office 365 users are increasing and Office 365 email security controls are not preventing account compromises at many businesses. If you want to block phishing and malware attacks and prevent costly data breaches, there is no better time than the present to improve Office 365 email security.
Microsoft Office 365 – An Attractive Target for Cybercriminals
Microsoft’s figures suggest there are now more than 70 million active users of Office 365 making it the most widely adopted enterprise cloud service by some distance. 78% of IT decision makers say they have already signed up to Office 365 or plan to do so in 2017 and Microsoft says it is now signing up a further 50,000 small businesses to Office 365 every month. 70% of Fortune 500 companies are already using Office 365 and the number of enterprises transitioning to Office 365 is likely to significantly increase.
Office 365 offers many advantages for businesses but as the number of users grows, the platform becomes and even bigger target for hackers. Hackers are actively seeking flaws in Office 365 and users of the service are increasingly coming under attack. The more users an operating system or service has, the more likely hackers are to concentrate their resources on developing new methods to attack that system.
Cyberattacks on Office 365 are Soaring
Microsoft is well aware of the problem. Its figures show that malware attacks on Office 365 users increased by a staggering 600% last year and a recent survey conducted by Skyhigh Networks showed 71.4% of Office 365 business users have to deal with at least one compromised email account every month. Surveys often overestimate security problems due to having a limited sample size. That is unlikely to be the case here. The survey was conducted on 27 million users of Office 365 and 600 enterprises.
The majority of new malware targets Windows systems simply because there are substantially more users of Windows than Macs. As Apple increases its market share, it becomes more profitable to develop malware to attack MacOS. Consequently, MacOS malware is becoming more common. The same is true for Office 365. More users means successful attacks are much more profitable. If a flaw is found and a new attack method developed, it can be used on millions of users, making searching for flaws and developing exploits well worth the time and effort.
Phishers and hackers are also studying how the security functions of O365 work and are searching for flaws and developing exploits to take advantage. For a few dollars a month, hackers can sign up for accounts to study Office 365. Hackers are also taking advantage of poor password choices to gain access to other users’ accounts to trial their phishing campaigns to ensure they bypass Office 365 email security controls.
Office 365 Email Security Controls are Often Lacking
Given the resources available to Microsoft and its frequent updates you would expect the Office 355 email security to be pretty good. While Office 365 email security is not terrible, for standard users it is not great. Standard subscriptions include scant security features. To get enhanced security, the enterprise subscription must be purchased or extra email security add-ons must be purchased separately at a not insignificant cost.
Pay for the enterprise subscription and you will get a host of extra security features provided through the Advanced Threat Protection (ATP) security package. This includes message sandboxing, phishing protection, URL tracking and reporting, and link reputation checking. Even when Advanced Threat Protection is used, getting the settings right to maximize protection is not always straightforward.
APT will certainly improve email security, but it is worth bearing in mind that hackers can also sign up for those features and have access to the sandbox. That makes it easier for them to develop campaigns that bypass Office 365 security protections.
The Cost of Mitigating an Cybersecurity Incident is Considerable
The cost of mitigating a cyberattack can be considerable, and certainly substantially more than the cost of prevention. The Ponemon Institute/IBM Security 2017 Cost of a Data Breach study shows the average cost of mitigating a cyberattack is $3.62 million.
The recent NotPetya and WannaCry attacks also highlighted the high cost of breach mitigation. The NotPetya attack on Maersk, for example, has been estimated to cost the company up to $300 million, the vast majority of which could have been saved if the patches released by Microsoft in March had been applied promptly.
These large companies can absorb the cost of mitigating cyberattacks to a certain extent, although smaller businesses simply do not have the funds. It is no therefore no surprise that 60% of SMBs end up permanently closing their doors within 6 months of experiencing a cyberattack. Even cash-strapped businesses should be able to afford to improve security to prevent email-based attacks – The most common vector used by cybercriminals to gain access to systems and data.
Increase Office Email 365 Security with a Specialist Email Security Solution
No system can be made totally impervious to hackers and remain usable, but it is possible to improve Office 365 email security and reduce the potential for attacks to an minimal level. To do that, many enterprises are turning to third-party solution providers – specialists in email security – to increase Office 365 email security instead of paying extra for the protection offered by APT.
According to figures from Gartner, an estimated 40% of Microsoft Office 365 deployments will incorporate third-party tools by the end of 2018 with the figure predicted to rise to half of all deployments by 2020.
One of the best ways of improving Office 365 email security is to use an advanced, comprehensive email spam filtering solution developed by a specialist in email security, TitanHQ.
TitanHQ’s SpamTitan offers excellent protection against email-based attacks. The solution has also been developed to perfectly compliment Office 365 to block more attacks and keep inboxes spam and malware free. SpamTitan filters out more than 99.9% of spam and malicious emails giving businesses the extra level of protection they need. Furthermore, it is also one of the most cost-effective enterprise email security solutions for Office 365 on the market.
To find out more about SpamTitan and how it can improve Microsoft Office 365 email security at your business, contact TitanHQ today.
MSPs Can Profit from Providing Additional Office 365 Email Security
The days when MSPs could offer email box services to clients and make big bucks are sadly gone. MSPs can sell Office 365 subscriptions to their clients, but the margins are small and there is little money to be made. However, there are good opportunities for selling support services for MS products and also for providing enhanced email security for Office 365 users.
SpamTitan can be sold as an add-on service to enhance security for clients subscribing to Office 365, and since the solution is easy to implement and has a very low management overhead, it allows MSPs to easily boost monthly revenues.
SpamTitan can also be provided in white label form; ready to accept MSPs branding and the solution can even be hosted within an MSPs infrastructure. On top of that, there are generous margins for MSPs.
With SpamTitan it is easy for MSPs to provide valued added service, enhance Office 365 email services, and improve Microsoft Office 365 email security for all customers.
To find out more about how you can partner with SpamTitan and improve Office 365 email security for your customers, contact the MSP Sales team at TitanHQ today.
A new attack method – termed Bashware – could allow attackers to install malware on Windows 10 computers without being detected by security software, according to research conducted by Check Point.
The Windows Subsystem for Linux (WSL) was introduced to make it easier for developers to run Linux tools on Windows without having to resort to virtualization; however, the decision to add this feature could open the door to cybercriminals and allow them to install and run malware undetected.
Checkpoint researchers have conducted tests on Bashware attacks against leading antivirus and antimalware security solutions and in all cases, the attacks went undetected. Check Point says no current antivirus or security solutions are capable of detecting Bashware attacks as they have not been configured to search for these threats. Unless cybersecurity solutions are updated to search for the processes of Linux executables on Windows systems, attacks will not be detected.
Microsoft says the Bashware technique has been reviewed and has been determined to be of low risk, since WSL is not turned on by default and several steps would need to be taken before the attack is possible.
For an attack to take place, administrator privileges would need to be gained. As has been demonstrated on numerous occasions, those credentials could easily be gained by conducting phishing or social engineering attacks.
The computer must also have WSL turned on. By default, WSL is turned off, so the attacks would either be limited to computers with WSL turned on or users would have to turn on WSL manually, switching to development mode and rebooting their device. The potential for Bashware attacks to succeed is therefore somewhat limited.
That said, Check Point researchers explained that WSL mode can be switched on by changing a few registry keys. The Bashware attack method automates this process and will install all the necessary components, turn on WSL mode and could even be used to download and extract the Linux file system from Microsoft.
It is also not necessary for Linux malware to be written for use in these attacks. The Bashware technique installs a program called Wine that allows Windows malware to be launched and run undetected.
WSL is now a fully supported feature of Windows. Check Point says around 400 million computers are running Windows 10 are currently exposed to Bashware attacks.
Researchers Gal Elbaz and Dvir Atias at Check Point said in a recent blog post, “Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products.”
Check Point has already updated its solutions to detect these types of attacks, and Kaspersky Lab is making changes to its solutions to prevent these types of attacks. Symantec said its solutions already check for malware created using WSL.
Microsoft has corrected 27 critical vulnerabilities this Patch Tuesday, including a Microsoft .Net Framework flaw that is being actively exploited to install Finspy surveillance software on devices running Windows 10.
Microsoft .Net Framework Flaw Exploited by ‘Multiple’ Actors
Finspy is legitimate software developed by the UK-based Gamma Group, which is used by governments around the world for cyber-surveillance. The software has been installed in at least two attacks in the past few months according to FireEye researchers, the latest attack leveraged the Microsoft .Net Framework flaw.
The attack starts with a spam email containing a malicious RTF document. The document uses the CVE-2017-8759 vulnerability to inject arbitrary code, which downloads and executes a VB script containing PowerShell commands, which in turn downloads the malicious payload, which includes Finspy.
FireEye suggests at least one attack was conducted by a nation-state against a Russian target; however, FireEye researchers also believe other actors may also be leveraging the vulnerability to conduct attacks.
According to a blog post on Tuesday, the Microsoft .Net Framework flaw has been detected and neutralized. Microsoft strongly recommends installing the latest update promptly to reduce exposure. Microsoft says the flaw could allow a malicious actor to take full control of an affected system.
BlueBorne Bluetooth Bug Fixed
Several Bluetooth vulnerabilities were discovered and disclosed on Tuesday by security firm Aramis. The vulnerabilities affect billions of Bluetooth-enabled devices around the world. The eight vulnerabilities, termed BlueBorne, could be used to perform man-in-the-middle attacks on devices via Bluetooth, rerouting traffic to the attacker’s computer. The bugs exist in Windows, iOS, Android and Linux.
In order to exploit the vulnerabilities, Bluetooth would need to be enabled on the targeted device, although it would not be necessary for the device to be in discoverable mode. An attacker could use the vulnerabilities to connect to a device – a TV or speaker for example – and initiate a connection to a computer without the user’s knowledge. In order to pull off the attack, it would be necessary to be in relatively close proximity to the targeted device.
In addition to intercepting communications, an attacker could also take full control of a device and steal data, download ransomware or malware, or perform other malicious activities such as adding the device to a botnet. Microsoft corrected one of the Bluetooth driver spoofing bugs – CVE-2017-8628 – in the latest round of updates.
Critical NetBIOS Remote Code Execution Vulnerability Patched
One of the most pressing updates is for a remote code execution vulnerability in NetBIOS (CVE-2017-0161). The vulnerability affects both servers and workstations. While the vulnerability is not believed to be currently exploited in the wild, it is of note as it can be exploited simply by sending specially crafted NetBT Session Service packets.
The Zero Day Initiative (ZDI) said the flaw “is practically wormable within a LAN. This could also impact multiple virtual clients if the guest OSes all connect to the same (virtual) LAN.”
In total, 81 updates have been released by Microsoft this Patch Tuesday. Adobe has corrected eight flaws, including two critical memory corruption bugs (CVE-2017-11281, CVE-2017-11282) in Flash Player, a critical XML parsing vulnerability in ColdFusion (CVE-2017-11286) and two ColdFusion remote code execution vulnerabilities (CVE-2017-11283, CVE-2017-11284) concerning deserialization of untrusted data.
Xafecopy malware is a new Trojan that is being used to steal money from victims via their smartphones. The malware masquerades as useful apps that function exactly as expected, although in addition to the useful functions, the apps have a malicious purpose.
Installing the apps activates Xafecopy malware, which silently subscribes the infected smartphone to a number of online services via websites that use the WAP billing payment method. Rather than require a credit card for purchases, this payment method adds the cost of the service to the user’s mobile phone bill. Consequently, it can take up to a month before the victim realizes they have been defrauded.
Additional features of Xafecopy malware include the ability to send text messages from the user’s device to premium rate phone numbers. The malware can also delete incoming text messages, such as text messages notifying users about services they have subscribed to and warnings from network operators about potential fraud.
To date, there are more than 4,800 victims spread across 47 countries around the world, although most of the WAP billing attacks have been seen in India, Mexico, Turkey and Russia, with India accounting for 37.5% of the WAP billing attacks. WAP billing attacks are concentrated in countries where WAP billing is most popular.
Kaspersky Lab senior malware analyst Roman Unucheck said, “WAP billing can be particularly vulnerable to so-called ‘clickjacking’ as it has a one-click feature that requires no user authorization. Our research suggests WAP billing attacks are on the rise.”
While most PC users have antivirus software installed, the same is not true for users of Android devices. Many users still do not use a security suite on their mobile devices to protect them from malware, even though they often use their smartphones to sign up and pay for online services or access their bank accounts.
Installing antivirus software can help to prevent Xafecopy malware infections. It is also important not to download apps from unofficial stores and to scan all apps with the Verify Apps utility.
Shadow Brokers are offering a new National Security Agency (NSA) hacking tool – UNITEDRAKE malware – making good on their promise to issue monthly releases of NSA exploits. The latest malware variant is one of several that were allegedly stolen from the NSA last year.
Shadow Brokers previously released the ETERNALBLUE exploit which was used in the WannaCry ransomware attacks in May that affected thousands of businesses around the world. There is no reason to suggest that this new hacking tool is not exactly what they claim.
UNITEDRAKE malware is a modular remote access and control tool that can capture microphone and webcam output, log keystrokes, and gain access to external drives. Shadow Brokers claim UNITEDRAKE malware is a ‘fully extensive remote collection system’ that includes a variety of plugins offering a range of functions that allow malicious actors to perform surveillance and gather information for use in further cyberattacks. UNITEDRAKE malware gives attackers the ability to take full control of an infected device.
Plugins include CAPTIVATEDAUDIENCE, which records conversations via an infected computer’s microphone, GUMFISH gives the attackers control of the webcam and allows them to record video and take images. FOGGYBOTTOM steals data such as login credentials, browsing histories and passwords, SALVAGERABBIT can access data on external drives such as flash drives and portable hard drives when they are connected, and GROK is a keylogger plugin. The malware is also able to self-destruct when its tasks have been performed.
The malware works on older Windows versions including Windows XP, Vista, Windows 7 and 8 and Windows Server 2012.
According to documents released by Edward Snowden in 2014, the malware has been used by the NSA to infect millions of computers around the world. The malware will soon be in the hands of any cybercriminal willing to pay the asking price of 500 Zcash – around $124,000. Shadow Brokers have released a manual for the malware explaining how it works and its various functions.
TrendMicro said in a recent blog post there is currently no way of blocking or stopping the malware. When attacks occur, they will be analyzed by security researchers looking for clues as to how the malware works. That should ultimately lead to the development of tools to block attacks.
In the meantime, organizations need to improve their security posture by ensuring all systems are patched and operating systems are upgraded to the latest versions. An incident response plan should also be developed to ensure it can be implemented promptly in the event of an attack.
A further NSA exploit is expected to be released later this month, with the monthly dumps scheduled for at least the next two months.
Dropbox phishing attacks are relatively common and frequently fool employees into revealing their sensitive information or downloading malware.
Dropbox is a popular platform for sharing files and employees are used to receiving links advising them that files have been shared with them by their colleagues and contacts and phishers are taking advantage of familiarity with the platform.
There are two main types of Dropbox phishing attacks. One involves sending a link that asks users to verify their email address. Clicking the link directs them to a spoofed Dropbox website that closely resembles the official website. They are then asked to enter in their login credentials as part of the confirmation process.
Dropbox phishing attacks are also used to deliver malware such as banking Trojans and ransomware. A link is sent to users relating to a shared file. Instead of accessing a document, clicking the link will result in malware being downloaded.
Over the past few days, there has been a massive campaign using both of these attack methods involving millions of spam email messages. Last week, more than 23 million messages were sent in a single day.
Most of the emails were distributing Locky ransomware, with a smaller percentage used to spread Shade ransomware. There is no free decryptor available to unlock files encrypted by Locky and Shade ransomware. If files cannot be recovered from backups, victioms will have to dig deep.
Due to the rise in value of Bitcoin of late the cost of recovery is considerable. The malicious actors behind these attacks are demanding 0.5 Bitcoin per infected device – Around $2,400. For a business with multiple devices infected, recovery will cost tens if not hundreds of thousands of dollars.
According to F-Secure, the majority of malware-related spam messages detected recently – 90% – are being used to distribute Locky. Other security researchers have issued similar reports of a surge in Locky infections and spam email campaigns.
To prevent Locky ransomware attacks, businesses should install an advanced spam filtering solution to prevent malicious emails from being delivered to end users’ inboxes. Occasional emails are likely to make it past spam filtering defenses so it is important that all users receive security awareness training to help them identify malicious emails.
A web filter can be highly effective at blocking attempts to visit malicious websites where malware is downloaded, while up to date antivirus and anti-malware solutions can detect and quarantine malicious files before they are opened.
Backups should also be made of all data and systems and those backups should be stored on an air-gapped device. Ransomware variants such as Locky can delete Windows Shadow Volume Copies and if a backup device remains connected, it is probable that backup files will also be encrypted.
Best practices for backing up data involve three backup files being created, on two different media, with one copy stored offsite and offline. Backups should also be tested to make sure files can be recovered in the event of disaster.
The increase in ransomware attacks has prompted the National Institute of Standards and Technology (NIST) to develop new guidance (NIST SPECIAL PUBLICATION 1800-11) on recovering from ransomware attacks and other disasters. The draft guidance can be downloaded on this link.
A Netherlands-based spambot has recently been discovered that is being used to send massive volumes of spam email containing ransomware and malware. What sets this spambot aside from the many others in use is the scale of the spamming operations. Paris-based cybersecurity firm Benkow says the spambot contains an astonishing 711,000,000 email addresses.
To put that absurdly high figure into perspective, it corresponds to the entire population of Europe or two email addresses for every resident in the United States and Canada.
The spambot – called Onliner – is being used as part of a massive malware distribution network that has been distributing Ursnif banking malware. Not only are these email addresses being used for spamming and malware distribution, the passwords associated with many of those accounts are also publicly available on the same server. Malicious actors could access the data and use the information to gain access to the compromised accounts to search for sensitive information.
All of the email addresses in the list have now been uploaded to HaveIBeenPwned. Troy Hunt of HaveIBeenPwned recently explained in a blog post that this is the single largest set of email addresses that has ever been uploaded to the database. Hunt said it took 110 separate data breaches and more than two and a half years for the site to amass a database of that size.
Hunt explained that an analysis of some of the email addresses in one of the text files were all present in the data from the LinkedIn breach, another set related to the Badoo breach and another batch were all in the exploit.in list, suggesting this massive collection of email addresses has been amalgamated from past data breaches. That shows data is being extensively bought and sold on forums and darknet marketplaces. However, not all of the email addresses were already in the database, suggesting they came either from previously undisclosed breaches and scrapes of Internet sites.
Some of the lists obtained contained email addresses, corresponding passwords, SMTP servers and ports, which allow spammers to abuse those accounts and servers in their spamming campaigns. Hunt says the list includes approximately 80 million email servers that are being used in spamming campaigns.
The problem is these are legitimate accounts and servers, which the spammers can abuse to send massive amounts of spam and even defeat some spam filters, ensuring malicious messages get delivered. Hunt says authorities in the Netherlands are currently attempting to shut down Onliner.
As a precaution, everyone is recommended to visit HaveIBeenPwned to check if their email addresses/passwords have been added to the database. If they are present, it is important to update the passwords for those email accounts and never to use those passwords again.