A New AutoHotKey Malware Variant Called Fauxpersky Has Been Identified

Several new AutoHotKey malware variants have been discovered in recent weeks as threat actors turn to the scripting language to quickly develop new malware variants. The latest discovery – Fauxpersky malware – is very efficient at stealing passwords.

AutoHotKey is a popular open-source scripting language. AutoHotKey makes it easy to create scripts to automate and schedule tasks, even inside third-party software. It is possible to use AutoHotKey to interact with the local file system and the syntax is simple, making it straightforward to use, even without much technical knowledge. AutoHotKey allows scripts to be compiled into an executable file that can be easily run on a system.

The usefulness of AutoHotKey has not been lost on malware developers, and AutoHotKey malware is now used for keylogging and to install other malware variants such as cryptocurrency miners. The first of the latter was discovered in February 2018.

Several other AutoHotKey malware variants have since been discovered with the latest known as Fauxpersky, so named because it masquerades as Kaspersky antivirus.

Fauxpersky Malware

Fauxpersky malware lacks sophistication, but it can be considered a significant threat – one that has the potential to cause considerable harm. If undetected, it allows the attackers to steal passwords that can be used for highly damaging attacks and give the attackers a foothold in the network.

Fauxpersky malware was discovered by security researchers Amit Serper and Chris Black. The researchers explained in a recent blog post that the malware may not be particularly advanced and stealthy, but it is a threat and could allow the authors to steal passwords to gain access to data.

Fauxpersky infects USB drives, which are used to spread the malware between devices. The malware can also replicate across the system’s listed drives. Communication with the attackers is via a Google Form, which is used to send stolen passwords and keystroke lists to the attackers’ inbox. Since the transmission is encrypted, traffic monitoring systems do not see it as data exfiltration.

Once installed, it renames the drive and appends “Protected by Kaspersky Internet Security 2017” to the drive name. The malware records all keystrokes made on a system and also adds context to help the attackers determine what the user is doing. The name of the window where the text is being typed is added to the text file.

Once the list of keystrokes has been sent, it is deleted from the hard drive to prevent detection. The researchers reported the new threat to Google, which rapidly took down the malicious form, although others may well be created to take its place.
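The behaviours described above (the fake Kaspersky text in the drive name and traffic to a Google Form from a process that is not a browser) can be hunted for in endpoint telemetry. The following is an added example, not code from the researchers or from the original article; the JSON record layout, the docs.google.com host, the browser allow-list and all sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Text the article says is appended to the drive name; matched case-insensitively.
LABEL_MARKER = "kaspersky internet security 2017"
# Assumption: Google Forms is served from this host (the article gives no URL).
FORMS_HOST = "docs.google.com"
# Assumption: executables expected to reach Google Forms on a normal workstation.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def image_name(path):
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Correlate both indicators per host.

    Returns {host: {"severity": "medium" | "high", "reasons": [...]}}.
    One indicator alone is medium; both on the same host is high.
    """
    reasons = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed records
        if not isinstance(ev, dict) or not ev.get("host"):
            continue
        host = ev["host"]
        if ev.get("type") == "volume":
            if LABEL_MARKER in str(ev.get("label", "")).lower():
                reasons[host].add("drive label carries fake Kaspersky text")
        elif ev.get("type") == "net":
            dest = str(ev.get("dest_host", "")).lower().rstrip(".")
            exe = image_name(str(ev.get("image", "")))
            if dest == FORMS_HOST and exe not in BROWSERS:
                reasons[host].add("non-browser process contacted Google Forms host")
    return {
        host: {"severity": "high" if len(r) == 2 else "medium", "reasons": sorted(r)}
        for host, r in reasons.items()
    }


# Constructed sample telemetry (hypothetical hosts, paths and field names).
SAMPLE = [json.dumps(e) for e in [
    {"host": "WS-01", "type": "volume", "drive": "E:",
     "label": "BACKUP (Protected by Kaspersky Internet Security 2017)"},
    {"host": "WS-01", "type": "net", "dest_host": "docs.google.com",
     "image": r"C:\Users\a\AppData\Roaming\example-unknown.exe"},
    {"host": "WS-02", "type": "net", "dest_host": "docs.google.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS-03", "type": "volume", "drive": "F:", "label": "KINGSTON"},
    {"host": "WS-04", "type": "net", "dest_host": "DOCS.GOOGLE.COM.",
     "image": r"C:\Tools\example-updater.exe"},
]] + ['{"host": "WS-05", "type": "net", "ima']  # truncated record

if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE).items()):
        print(host, finding["severity"], "; ".join(finding["reasons"]))
```

Legitimate non-browser software can also reach Google hosts, so the allow-list needs tuning to the environment before the network indicator is used for alerting on its own.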

AutoHotKey Malware Likely to become More Sophisticated

AutoHotKey malware is unlikely to replace more powerful scripting languages such as PowerShell, although the rise in use of AHK and the number of new variants detected in recent weeks suggest it will not be dropped any time soon. AHK malware has now been discovered with several obfuscation functions to make it harder to detect, and many AV vendors have yet to implement the capability to detect this type of malware. In the short to medium term, we are likely to see an explosion of AHK malware variants, especially keyloggers designed to steal passwords.

Tips for Developing a Disaster Recovery Plan to Allow Quick Recovery From A Cyberattack

A disaster recovery plan will help to ensure your business continues to function when disaster strikes, and you can recover as quickly as possible. Developing a disaster recovery plan in advance is essential as it will allow you to prevent many lost hours in the early stages of an attack when rapid action is critical.

When Disaster Strikes You Must be Ready for Action

When disaster strikes, you need to act fast to get your systems back online and return to normal business operations. One of the biggest problems for many organizations is the amount of time that is lost immediately after a cyberattack is discovered. When staff are scrambling around not knowing what to do, precious minutes, hours, and even days can be lost.

The first few hours after a cyberattack can be critical. The time it takes to respond can have a significant impact on the cost of mitigating the attack and the harm caused. In the case of ransomware, that could be movement within your network, with one infected endpoint becoming two, then 4, then 8 and so on until files on your entire network are encrypted. Each lost minute can mean hours of extra work and major productivity losses.

The only way to ensure the fastest possible response is to be prepared for the unexpected. That means you must have a disaster recovery plan formulated that is easily accessible and can be followed by all staff involved in the breach response. Staff not responsible for recovery must be aware how they must operate in the absence of computers and critical systems to ensure the business does not grind to a halt.

Developing a Disaster Recovery Plan

There are many potential disaster scenarios. Natural disasters such as earthquakes, floods, and tornados can cause major disruption, as can terrorist attacks and sabotage. The most likely disaster scenario in the current climate is a cyberattack.

All of these disaster scenarios threaten your systems and business data, so your disaster recovery plan must ensure your systems are protected and the confidentiality, integrity, and availability of data is safeguarded while you respond.

While the threat may be similar for all scenarios, priorities will be different for each situation and the order of actions and the actions themselves will be specific to different threats. It is therefore essential to plan for each of the likely disasters and to develop procedures for each. For example, your plan should cover a cyberattack affecting each specific location that you operate, and a separate plan should be developed for a ransomware attack, malware infection, and system outage.

Assess Business Impact and Set Priorities

A cyberattack could take out multiple systems which will all need to be restored and brought back online. That process could take days or weeks, but some systems must take priority over others. After your disaster recovery policy has been developed, you must set priorities. To effectively prioritize you will need to perform a business impact analysis on all systems. You should conduct a BIA to determine the possible financial, safety, contractual, reputational, and regulatory impact of any disaster and assess the impact on confidentiality, integrity, and availability of data. When the BIA has been completed, it should make it clear what the priorities are for recovery.

Everyone Must Know Their Role

When disaster strikes, everyone in the IT department must be aware of their responsibilities. You must know who will need to be called in when the attack occurs outside office hours, which means you must maintain up to date contact information such as phone numbers, addresses, and email addresses. You will also need to have a list of contractors and cybersecurity firms that can assist. You must know which law enforcement agencies to contact and any regulators or authorities that should be notified. All employees within the organization must be aware of how their day-to-day activities will change and the role they will play, and you must know what you will say to your customers, clients, and business associates.

Testing, Testing, Testing

You will naturally have developed a disaster recovery plan and emergency mode operations plan, but those plans rarely need to be put into action. You therefore need to be 100% sure that your disaster recovery plan developed a couple of years previously will work as planned. That is unlikely unless it is thoroughly tested and is regularly updated to take hardware, software, and business changes into account.

Your disaster recovery plan must be tested to make sure that it will work in practice. That means testing individual aspects against specific scenarios and also running through a full test – like a fire drill – to make sure that the whole plan works.

Don’t wait until disaster strikes before developing a disaster recovery plan and don’t wait for a disaster to find out all of your planning has been in vain as system changes have rendered the plan unworkable.

How to Develop an Effective Security Awareness Program

No matter how many cybersecurity solutions you have deployed or the maturity of your cybersecurity program, it is now essential to develop an effective security awareness program and to ensure all employees and board members are trained how to recognize email threats.

Threat actors are now using highly sophisticated tactics to install malware and ransomware and to obtain login credentials, and email is the attack method of choice. Businesses are being targeted and it will only be a matter of time before a malicious email is delivered to an employee’s inbox. It is therefore essential that employees are trained how to recognize email threats and told how they should respond when a suspicious email arrives in their inbox.

The failure to provide security awareness training to staff amounts to negligence and will leave a gaping hole in your security defenses. To help get you on the right track, we have listed some key elements of an effective security awareness program.

Important Elements of an Effective Security Awareness Program

Get the C-Suite Involved

One of the most important starting points is to ensure the C-Suite is on board. With board involvement you are likely to be able to obtain larger budgets for your security training program and it should be easier to get your plan rolled out and followed by all departments in your organization.

In practice, getting executives to support a security awareness program can be difficult. One of the best tactics to adopt to maximize the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial benefits that come from having an effective security awareness program. Provide data on the extent that businesses are being attacked, the volume of phishing and malicious emails being sent, and the costs other businesses have had to cover mitigating email-based attacks.

The Ponemon Institute has conducted several major surveys and provides annual reports on the cost of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of stats. Present information clearly and show the benefit of the program and what you require to ensure it is a success.

Get Involvement from Other Departments

The IT department should not be solely responsible for developing an effective security awareness training program. Other departments can provide assistance and may be able to offer additional materials. Try to get the marketing department, human resources, the compliance department, and privacy officers on board. Individuals outside of the security team may have some valuable input not only in terms of content but also how to conduct the training to get the best results.

Develop a Continuous Security Awareness Program

A one-time classroom-based training session performed once a year may have once been sufficient, but with the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer enough.

Training should be an ongoing process provided throughout the year, with up to date information included on current and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for everyone. Develop a training program using a variety of training methods including annual classroom-based training sessions, regular computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues fresh in the mind.

Use Incentives and Gamification

Recognize individuals who have completed training, alerted the organization to a new phishing threat, or have scored highly in security awareness training and tests. Try to create competition between departments by publishing details of departments that have performed particularly well and have the highest percentage of employees who have completed training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.

Security awareness training should ideally be enjoyable. If the training is fun, employees are more likely to want to take part and retain knowledge. Use gamification techniques and choose security awareness training providers that offer interesting and engaging content.

Test Employees’ Knowledge with Phishing Email Simulations

You can provide training, but unless you test your employees’ security awareness you will have no idea how effective your training program has been and if your employees have been paying attention.

Before you commence your training program it is important to have a baseline against which you can measure success. This can be achieved using security questionnaires and conducting phishing simulation exercises.

Conducting phishing simulation exercises using real world examples of phishing emails after training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be turned into a training opportunity.

Comparing the before and after results will show the benefits of your program and could be used to help get more funding.

Train your staff regularly and test their understanding and in a relatively short space of time you can develop a highly effective human firewall that complements your technological cybersecurity defenses. If a malicious email makes it past your spam filter, you can be confident that your employees will have the skills to recognize the threat and alert your security team.

City of Atlanta Ransomware Attack Causes Major Disruption

A city of Atlanta ransomware attack has been causing havoc for city officials and Atlanta residents alike. Computer systems have been taken out of action for several days, with city workers forced to work on pen and paper. Many government services have ground to a halt as a result of the attack.

The attack, like many that have been conducted on the healthcare industry, involved a variant of ransomware known as SamSam.

The criminal group behind the attack is well known for conducting attacks on major targets. SamSam ransomware campaigns have been conducted on large healthcare providers, major educational institutions, and government organizations.

Large targets are chosen and targeted as they have deep pockets and it is believed the massive disruption caused by the attacks will see the victims pay the ransom. Those ransom payments are considerable. Demands of $50,000 or more are the norm for this group. The City of Atlanta ransomware attack saw a ransom demand issued for 6 Bitcoin – approximately $51,000. In exchange for that sum, the gang behind the attack has offered the keys to unlock the encryption.

SamSam ransomware attacks in 2018 include the cyberattack on the electronic health record system provider Allscripts. The Allscripts ransomware attack saw its systems crippled, with many of its online services taken out of action for several days preventing some healthcare organizations from accessing health records. The Colorado Department of Transportation was also attacked with SamSam ransomware.

SamSam ransomware was also used in an attack on Adams Memorial Hospital and Hancock Health Hospital in Indiana, although a different variant of the ransomware was used in those attacks.

A copy of the ransom note from the city of Atlanta ransomware attack was shared with the media, which shows the same Bitcoin wallet was used as in other major attacks, tying this attack to the same group.

SecureWorks, the cybersecurity firm called in to help the City of Atlanta recover from the attack, has been tracking the SamSam ransomware campaigns over the past few months and attributes the attacks to a cybercriminal group known as GOLD LOWELL, which has been using ransomware in attacks since 2015.

While many ransomware attacks occur via spam email with downloaders sent as attachments, the GOLD LOWELL group is known for leveraging vulnerabilities in software to install ransomware. The gang has exploited vulnerabilities in JBoss in past attacks on healthcare organizations and the education sector. Flaws in VPNs and remote desktop protocol are also exploited.

The ransomware is typically deployed after access to a network has been gained. SecureWorks tracked one campaign in late 2017 and early 2018 that netted the gang $350,000 in ransom payments. The earnings for the group have now been estimated to be in the region of $850,000.

Payment of the ransom is never wise, as this encourages further attacks, although many organizations have no choice. For some, it is not a case of not having backups. Backups of all data are made, but the time taken to restore files across multiple servers and end points is considerable. The disruption caused while that process takes place and the losses suffered as a result are often far higher than any ransom payment. A decision is therefore made to pay the ransom and recover from the attack more quickly. However, the GOLD LOWELL gang has been known to ask for additional payments when the ransom has been paid.

The city of Atlanta ransomware attack commenced on Thursday, March 22. With the gang typically giving victims 7 days to make the payment, the city of Atlanta only has until today to make that decision before the keys to unlock the encryption are permanently deleted.

However, yesterday there were signs that certain systems had been restored and the ransomware had been eradicated. City employees were advised that they could turn their computers back on, although not all systems had been restored and disruptions are expected to continue.

As of today, no statement has been released about whether the ransom was paid or if files were recovered from backups.

How to Defend Against Ransomware Attacks

The city of Atlanta ransomware attack most likely involved the exploitation of a software vulnerability; however, most ransomware attacks occur as a result of employees opening malicious email attachments or visiting hyperlinks sent in spam emails.

Last year, 64% of all malicious emails involved ransomware. An advanced spam filter such as SpamTitan is therefore essential to prevent attacks. End users must also be trained how to recognize malicious emails and instructed never to open email attachments or click on links from unknown senders.

Software must be kept up to date with patches applied promptly. Vulnerability scans should be conducted, and any issues addressed promptly. All unused ports should be closed, RDP and SMBv1 disabled if not required, privileged access management solutions deployed, and sound backup strategies implemented.

2017 Ransomware Statistics

2017 ransomware statistics do not make for pleasant reading. Ransomware attacks continued to increase, the cost of mitigating attacks rose, and the number of ransomware variants in use has soared. Further, there are no signs that the attacks will stop and mounting evidence that the ransomware epidemic will get worse in 2018.

Key 2017 Ransomware Statistics

We have compiled some of the important 2017 ransomware statistics from research conducted by a range of firms over the past few months.

Kaspersky Lab’s research suggests ransomware attacks on businesses were happening every 2 minutes in Q1, 2017, but by Q3 attacks were far more frequent, occurring approximately every 40 seconds. Cybersecurity Ventures predicts the frequency of attacks will increase and by 2019 there will be an attack occurring every 14 seconds.

Cybersecurity Ventures also predicts ransomware will continue to be a major problem for businesses throughout 2018 and 2019, with the total cost of ransomware attacks expected to reach $11.5 billion by 2019.

The healthcare industry is likely to be heavily targeted due to the relative ease of conducting attacks and the likelihood of a ransom being paid. Cybersecurity Ventures predicts there will be a fourfold increase in ransomware attacks on healthcare organizations by 2019.

While research from IBM in 2016 suggested 70% of businesses pay ransom demands to recover data, in 2017 the percentage dropped considerably. Far fewer firms are now considering paying ransoms to recover data.

Symantec’s 2017 Internet Security Threat Report indicates ransom demands increased by 266% between 2015 and 2017.

There is considerable variation in published 2017 ransomware statistics. Malwarebytes reports there was a 90% increase in ransomware attacks in 2017. Beazley reports the increase was 18% and the healthcare sector accounted for 45% of those attacks. A recent McAfee Report puts the rise in ransomware attacks at 59% for the year, with a 35% quarter-over-quarter increase in attacks in Q4.

Microsoft’s Security Intelligence Report indicates Asia had the highest number of ransomware attacks in 2017, with Myanmar and Bangladesh the worst hit countries. Mobile devices were the worst hit, with the most frequently encountered ransomware variant being LockScreen – an Android ransomware variant.

55% of Firms Experienced A Ransomware Attack in 2017

The research and marketing consultancy firm CyberEdge Group conducted a study that showed 55% of surveyed organizations had experienced at least one ransomware attack in 2017. Out of the organizations that had data encrypted by ransomware, 61% did not pay the ransom.

87% of firms that experienced an attack were able to recover the encrypted data from backups. However, 13% of attacked firms lost data due to the inability to recover files from backups.

Organizations that are prepared to pay a ransom are not guaranteed viable keys to recover their encrypted files. The CyberEdge survey revealed approximately half of companies that decided to pay the ransom were unable to recover their data.

FedEx reported in 2017 that the NotPetya attack cost the firm an estimated $300 million, the same figure quoted by shipping firm Maersk and pharma company Merck. Publishing firm WPP said its NotPetya attack cost around $15 million.

Strategies are being developed by businesses to respond to ransomware attacks quickly. Some companies, especially in the UK, have bought Bitcoin to allow fast recovery. However, those that have may find their stash doesn’t go as far as it was first thought thanks to the decline in value of the cryptocurrency. Further, many cybercriminals have switched to other forms of cryptocurrency and are no longer accepting Bitcoin. A third of mid-sized companies in the UK have purchased Bitcoin for ransoms according to Exeltex Consulting Group.