CrowdStrike Phishing and Malware Distribution Scams Mount Following Outage

CrowdStrike has confirmed that a significant proportion of the Windows devices that were rendered inoperable by a faulty update last Friday have now been restored to full functionality; however, businesses are still facing disruption, and many scams have been identified that were launched by cybercriminals looking to take advantage of the outage.

One of those scams involves a fake recovery manual that is being pushed in phishing emails. The emails claim to provide a Recovery Tool that fixes the out-of-bounds memory read triggered by the update, which caused Windows devices to crash and display the blue screen of death. The phishing emails include a document attachment named “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows. docm.” The document is a copy of a Microsoft support bulletin and claims that a new Microsoft Recovery Tool has been developed that automates recovery by deleting the CrowdStrike driver that is causing the crash. The user is prompted to enable content; doing so allows a macro to run, which downloads a malicious DLL that launches the Daolpu stealer – an information stealer that collects and exfiltrates credentials, login information, and cookies stored in Chrome and Firefox.

Another campaign has been identified that capitalizes on the defective Falcon Sensor update. This spear phishing campaign targeted German firms and attempts to distribute a fake CrowdStrike Crash Reporter installer via a website that spoofs a legitimate German company. The website was registered a day after the CrowdStrike disruptions started. If the user clicks the download button in the email, a ZIP archive is delivered that contains a malicious InnoSetup installer. If it is executed, the user is shown a fake CrowdStrike-branded installer. The installer is password-protected to hinder analysis, and the final payload could not be determined.

Another campaign attempts to distribute the Lumma information-stealing malware. The campaign uses the domain crowdstrike-office365[.]com and tricks the recipient into downloading a fake recovery tool to deal with the boot loop that prevents Windows devices from starting up. If the downloaded file is executed, it delivers a malware loader, which in turn delivers the Lumma infostealer.

These are just three campaigns that use the CrowdStrike outage to deliver malware, all of which use email as the way to make contact with individuals affected by the outage. Many other campaigns are being conducted and a large number of CrowdStrike-themed domains have been registered since the problems started. Other malicious domains used in campaigns include the following, all of which should be blocked.

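Blocking the lure domains above is the immediate step; the longer-lived problem is the steady stream of new CrowdStrike-themed registrations. The following is an added example, not code from the post or from TitanHQ, of a small triage routine that refangs indicators (hxxp://, [.]) as they appear in reports, folds common typosquat substitutions, and separates brand lookalikes from legitimate crowdstrike.com hosts. It assumes crowdstrike.com is the brand's only legitimate domain; the sample feed is constructed and only its first entry is taken from the post.

```python
"""Triage CrowdStrike-outage lure domains in an indicator feed (added example,
not TitanHQ code; assumes crowdstrike.com is the only legitimate brand domain)."""
import re
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"crowdstrike.com"}   # assumption: the brand's real domain
BRAND = "crowdstrike"
# Outage-themed words that lure domains in the post pair with the brand name
THEME_WORDS = ("fix", "bsod", "bluescreen", "crash", "helpdesk", "outage", "recovery", "down")
# Fold typosquat substitutions so crowd-strike / crowdstr1ke / cr0wdstrike all match
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})

def refang(indicator: str) -> str:
    """Turn defanged text (hxxp://, [.], (dot)) back into a parsable URL or host."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", indicator.strip().lower())
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        s = s.replace(token, ".")
    return s

def extract_host(indicator: str) -> str:
    """Host part of a URL or bare domain; '' if nothing parsable."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").rstrip(".")

def classify(indicator: str) -> str:
    """'legit' | 'brand-lookalike' | 'outage-themed' | 'clean' for one indicator."""
    host = extract_host(indicator)
    if not host:
        return "clean"
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    # l and i are interchangeable in lookalikes; digits and hyphens are handled by FOLD
    folded = host.translate(FOLD).replace("l", "i")
    if BRAND in folded:
        return "brand-lookalike"      # e.g. crowdstrike-office365.com
    if "strike" in folded and any(w in folded for w in THEME_WORDS):
        return "outage-themed"        # partial brand string plus an outage theme word
    return "clean"

def triage(feed: str) -> dict:
    """Group a newline-separated indicator feed by verdict, dropping 'clean' entries."""
    verdicts = {}
    for line in feed.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            verdict = classify(line)
            if verdict != "clean":
                verdicts.setdefault(verdict, []).append(extract_host(line))
    return verdicts

# Constructed sample feed: the first entry is the domain named in the post; the
# rest are made-up lookalikes plus a legitimate subdomain and an unrelated site.
SAMPLE_FEED = """\
crowdstrike-office365[.]com
hxxps://crowdstr1ke-fix[.]com/recovery_tool.zip
hxxp://crashstrike-bsod[.]net/
falcon.crowdstrike.com
https://example.com/news
"""

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_FEED).items():
        print(f"{verdict}: {', '.join(hosts)}")
```

Feed the output of `triage` into a web filter blocklist review rather than blocking automatically, since the keyword match will also catch benign news or status pages that mention the brand.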

These scams are likely to continue for some time, so it is important to remind employees of the high risk of malicious emails and warn them to exercise extreme caution with any emails received. Employees should be told to report any suspicious emails to their security team.

TitanHQ offers a range of cybersecurity solutions to block phishing and malware distribution campaigns, all of which are quick and easy to implement and can protect you in a matter of minutes. They include the WebTitan web filter for blocking access to known malicious websites, such as those detailed above; the PhishTitan anti-phishing solution for Office 365; and the SpamTitan corporate email filter for blocking phishing emails. The latter incorporates email sandboxing for blocking novel and obfuscated malware threats. TitanHQ also provides a comprehensive security awareness training platform and phishing simulator for improving your human defenses by raising awareness of cyber threats and providing timely training content on the latest tactics used by cybercriminals in targeted attacks on employees.

Give the TitanHQ team a call today for further information on improving your defenses, or take advantage of the free trial available with all TitanHQ products to get immediate protection.

African Businesses to Benefit from TitanHQ’s Solutions Thanks to New Strategic Partnership

TitanHQ has announced a new strategic alliance with ATS Network Management, a provider of network management solutions, monitoring, security, and performance management services across South Africa and the African continent. Under the alliance, ATS Network Management will become a value-added distributor and will incorporate TitanHQ’s portfolio of cybersecurity and compliance solutions into its service stack, packaging the solutions with other tools and services to provide a more comprehensive range of services to its clients and ensuring they are shielded from constantly evolving cyber threats.

ATS Network Management will now be able to offer its clients email security and phishing prevention and remediation through TitanHQ’s PhishTitan solution for Office 365, as well as email filtering to remove malware, phishing, and unwanted emails from email systems and protect against malicious links with TitanHQ’s SpamTitan solution. SpamTitan is an award-winning email security solution with email sandboxing that protects against the full range of email threats. Independent tests have recently confirmed that SpamTitan has a 99.99% phishing catch rate and 100% malware catch rate, and it is one of the best-loved MSP spam filtering solutions.

To protect against web-borne threats and control access to the Internet, ATS Network Management will be providing DNS filtering using WebTitan. WebTitan blocks access to known malicious sites, prevents user-specified file types from being downloaded from the internet to protect against malware and control shadow IT, and restricts access to categories of web pages to improve employee productivity. To protect against the interception of sensitive email data in transit, ATS Network Management will be using EncryptTitan, and email archiving services will be offered through ArcTitan for compliance purposes.

Due to the number of threats targeting employees directly, it is vital for businesses to raise awareness of cyber threats and teach employees cybersecurity best practices. This is an area where many businesses turn to their MSPs for assistance. ATS Network Management will be offering its clients comprehensive security awareness training through SafeTitan, TitanHQ’s security awareness training platform. In addition to allowing businesses to create and automate tailored training courses with engaging content, the platform includes a phishing simulator to allow them to automate phishing simulations to identify knowledge gaps and provide targeted training where it is needed.

The partnership will help TitanHQ expand its footprint in Africa while ensuring that African businesses can benefit from TitanHQ’s cutting-edge security solutions and defend their businesses from increasingly sophisticated cyber threats.

Surge in Fake Websites and Phishing Related to CrowdStrike Windows Outage

On July 19, 2024, Windows workstations and servers were disabled as a result of a bug in a software update for CrowdStrike Falcon Sensor. When the update was installed on Windows devices, it caused them to show the Blue Screen of Death or get stuck in a boot loop, rendering the devices unusable. Microsoft revealed that its telemetry showed 8.5 million Windows devices had been affected in around 78 minutes.

The CrowdStrike Falcon platform is a cybersecurity solution that incorporates anti-virus protection, endpoint detection and response, threat intelligence, threat hunting, and security hygiene, and it is used by many large businesses around the world, including around half of Fortune 500 firms. The disruption caused by the update has been colossal. Airlines had to ground flights, airports were unable to check people in, healthcare providers were unable to access electronic patient records and had to cancel appointments and surgeries, financial institutions faced major disruption, and some media companies were unable to broadcast live television for hours. Even organizations that did not use the Falcon product were adversely affected if any of their vendors used it. The incident has been called the worst-ever IT outage, with huge financial implications.

It did not take long for cybercriminals to take advantage of the chaos. Within hours, cybercriminals were registering fake websites that impersonated CrowdStrike and offered help fixing the problem, and newly registered domains were being used in phishing campaigns promising a rapid resolution. Given the huge financial impact of suddenly losing access to every Windows device, there was a pressing need for a rapid resolution, but the fixes touted by cybercriminals involved downloading fake updates and hotfixes that installed malware.

Those fake updates are being used to deliver a range of different malware types including malware loaders, remote access Trojans, data wipers, and information stealers, while the phishing campaigns direct users to websites where they are prompted to enter their credentials, which are captured and used to access accounts. Cybercriminals have been posing as tech specialists and independent researchers and have been using deepfake videos and voice calls to get users to unwittingly grant them access to their devices, disclose their passwords, or divulge other sensitive codes.

CrowdStrike has issued a fix and provided instructions for resolving the issue, but those instructions require each affected device to be fixed manually. The fix was rolled out rapidly, but CrowdStrike CEO George Kurtz said it will likely take some time for all affected users to fully recover, creating a sizeable window of opportunity for threat actors. Due to the surge in criminal activity related to the outage, everyone should remain vigilant, verify the authenticity of any communications, including emails, text messages, and telephone calls, and rely only on trusted sources for guidance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reminded all organizations of the importance of having robust cybersecurity measures in place to protect their users, assets, and data, and of reminding all employees to avoid opening suspicious emails or clicking unverified links in emails.

It is important to have multiple layers of security protection to identify, detect, and avoid these attacks, including AI-driven phishing protection, web filtering to block access to malicious websites, anti-virus software to detect and neutralize malware, and security awareness training for employees. TitanHQ can help to secure your business in all of these areas and offers a cloud-based spam filtering service (SpamTitan) that includes email sandboxing and an email antivirus filter, phishing protection for Office 365 (PhishTitan), and the SafeTitan security awareness training platform and phishing simulator.

Is Your Business Prepared for a Summer of Scams?

Phishing attacks and business email compromise scams are leading causes of losses to cybercrime and attacks have increased in 2024. According to the Federal Bureau of Investigation, phishing is the leading cause of complaints to its Internet Crime Complaint Center and business email compromise currently ranks second out of all tracked forms of cybercrime in terms of total losses.

Over the coming days and weeks, there are several events that cybercriminals take advantage of in their attacks and scams. The UEFA European Football Championship is currently taking place in Germany and thousands of individual phishing campaigns have been detected so far that are piggybacking on the popularity of the championship in Europe and beyond.

Cybercriminals often take advantage of sporting events and commonly use lures related to tickets, which usually sell out months before the first ball is kicked, and this year is no exception. Now that the tournament is underway and broadcasters and other legitimate entities are running competitions offering free tickets to the finals, scammers are doing the same and are using email and social media networks to advertise their scams. These campaigns use realistic websites that are almost identical to the brands they spoof and attempt to steal sensitive information such as credit card numbers and login credentials.

Many of the phishing attacks and scams impersonate businesses associated with the tournament. These include accommodation providers, airlines and travel companies, and others. The Wimbledon tennis tournament is underway, which will be shortly followed by another major sporting event in Paris – The 2024 Olympics. The latter has a huge global audience and there is a high risk of cyber threat activity using Olympics-themed lures. Cybercriminals are impersonating event organizations, sponsors, ticketing systems, and travel companies. Many cyber espionage groups and nation-state actors are likely to target the Olympics, in addition to financially motivated threat actors.

This week, there is a major celebration in the United States on July 4. Independence Day is a very active time for a host of malicious actors who conduct scams related to the celebrations, including holiday-themed texts and emails, fake giveaways and vouchers, and Independence Day event ticket scams. Being a major holiday in the United States when staffing levels are greatly reduced, it is a time when many ransomware groups choose to strike as their activities are less likely to be identified.

Also on July 4, 2024, a major event is taking place across the Atlantic in the UK. The UK general election will decide the next government, and scammers are already taking advantage, using deepfake scams and malicious websites to steal information and influence voters. It will be a similar story in the United States in the run-up to the November Presidential election.

With so many events taking place, it is vital for everyone to be on their guard and be constantly alert to the threat of scams, phishing, and malware attacks. Due to the elevated threat from phishing, businesses should step up their security awareness training to raise awareness of cyber threats and teach cybersecurity best practices. It is a good idea to use these events in your internal phishing simulations to identify any knowledge gaps and provide immediate training to any individual who fails a phishing simulation.

Security awareness training is made simple with SafeTitan from TitanHQ. SafeTitan is a comprehensive security awareness training platform that teaches security best practices to eradicate risky behaviors, raises awareness of the threat from phishing and malware, teaches the red flags to look for in emails and texts, and what to do if a potential threat is found. The phishing simulator can be used to automate internal phishing simulations to test awareness of threats and how employees are applying their training.

It is also a good time for businesses to bolster email security with an advanced email security solution. SpamTitan from TitanHQ is an advanced email security solution that uses predictive techniques to identify malicious emails, including AI and machine learning to block phishing threats and email sandboxing to block malware. SpamTitan integrates seamlessly with Microsoft 365 and is consistently rated as one of the best spam filters for Outlook, improving the native defenses that Microsoft offers. TitanHQ also offers a host of cybersecurity solutions for managed services providers, including advanced phishing protection, to help them better protect their clients.

If you want to improve protection this summer against increasingly sophisticated cyberattacks and scams, give the TitanHQ team a call to find out more about improving your security posture.

Malicious Email Campaign Delivers a Malware Cluster Bomb of Up to 10 Viruses

Many malware infections start with a malicious email that contains a file attachment with a malicious script that downloads malware if executed. One response to a single email is all it takes to infect the user’s device with malware, which may be able to spread across the network or at least provide the threat actor with the foothold they need in the network for follow-on activities. There is a much worse scenario, however. Rather than a single user infecting the network with one malware variant, that single response to the malicious email results in multiple malware infections. One campaign has been identified that does just that. A malware cluster bomb is delivered that can infect the user’s device with up to 10 different malware variants.

The campaign was identified by researchers at KrakenLabs and has been attributed to a threat actor known as Unfurling Hemlock. The campaign is being conducted globally with at least 10 countries known to have been attacked, although most of the victims have so far been located in the United States. The campaign has been running since at least February 2024 and uses two methods to deliver the malware variants – malicious emails and malware loaders installed by other threat groups. The threat actor has already distributed hundreds of thousands of malicious files in the 5 months since the operation is believed to have commenced.

In the email campaign conducted by Unfurling Hemlock, the victim is tricked into downloading a file called WExtract.exe which contains nested cabinet files, each containing a different malware variant. If the file is executed, the malware is extracted in sequence, and each malware variant is executed in reverse order, starting with the last malware variant to be extracted. Each malware cluster bomb has between four and seven stages, with some of those stages delivering multiple malware variants.

The malware variants delivered vary, but they consist of information stealers, backdoors, malware loaders, and botnets. Information stealers include Redline Stealer, Mystic Stealer, and RisePro, and malware loaders include Amadey and SmokeLoader. Other malware variants are used to disable security solutions such as Windows Defender, help with obfuscation and hiding malware payloads, gather system information, and report on the status of the malware infections.

It is not clear how the threat actor is using these malware infections. They could be delivering malware for other threat actors and selling the access, using the malware to harvest credentials to sell on the darkweb, conducting their own attacks using whatever malware variant serves their purpose, or a combination of the three. What the attack does ensure is maximum flexibility, as there are high levels of redundancy to ensure that if some of the malware variants are detected, some are likely to remain.

The delivery of multiple malware variants means this campaign could be highly damaging, but it also increases the chance of detection. While antivirus software is a must and may detect some of the malware variants, others are likely to go undetected. The key to blocking attacks is to prevent the initial phishing emails from reaching end users and to provide training to the workforce to help with the identification and avoidance of these malicious emails.

Many email security solutions rely on antivirus engines to detect malware, but cybercriminals are skilled at bypassing these signature-based defenses. TitanHQ’s SpamTitan anti-spam software uses dual antivirus engines as part of the initial checks but also email sandboxing for behavioral analysis. Suspicious emails are sent to the sandbox, where files are unpacked and their behavior is analyzed in depth. The behavioral analysis identifies malicious actions, resulting in the messages being quarantined for further analysis by the security team. SpamTitan also includes AI and machine-learning algorithms that check how messages deviate from the emails typically received and can identify new threats that have not previously been seen. SpamTitan is a highly effective Microsoft 365 spam filter and can be provided as a gateway spam filter or a cloud-based anti-spam service.

End user training is an important extra layer of security that helps eradicate bad security practices and teaches employees how to recognize and avoid malicious emails. Should a malicious email bypass email security defenses, trained employees will be more likely to recognize the threat and report it to the security team. Training data from SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, shows that training and phishing simulations can reduce susceptibility to email attacks by up to 80% when provided regularly throughout the year.

Give the TitanHQ sales team a call today for more information on these and other cybersecurity solutions to improve your defenses against the full range of cyber threats.