Our industry news section covers a broad range of news items of particular relevance to the cybersecurity industry and managed service providers (MSPs).
This section also included details of the latest white papers and research studies relating to malware, ransomware, phishing and data breaches. These articles provide some insight into the general state of cybersecurity, the industries currently most heavily targeted by cybercriminals, and figures and statistics for your own reports.
Hackers and scammers conduct massive spam campaigns designed to infect as many computers as possible. These attacks are random, using email addresses stolen in large data breaches such as the cyberattacks on LinkedIn, MySpace, Twitter and Yahoo. However, highly targeted attacks are increasing in frequency, with campaigns geared to specific industries. These industry-specific cyberattacks and spam and malware campaigns are detailed in this section, along with possible mitigations for reducing the risk of a successful attack.
This category is therefore of relevance to organizations in the education, healthcare, and financial services industries – the most common attacked industries according to recent security reports.
The articles contain information about current campaigns, spam email identifiers and details of the social engineering tactics used to fool end users and gain access to business networks. By following the advice in these articles, it may be possible to prevent similar attacks on your organization.
Titan HQ has announced from March 5, 2018 all new customers signing up to use the SpamTitan cloud-based anti-spam service will benefit from leading antivirus and anti-malware protection from Bitdefender. All existing customers will similarly be protected by Bitdefender, although first they will need to upgrade to SpamTitan v7.00. v7.00 was released on March 5.
The primary AV engine used in previous versions of SpamTitan was provided by Kaspersky Lab, with ClamAV used as a secondary AV engine. SpamTitan v7.00 will also incorporate ClamAV as a secondary AV engine. Kaspersky AV will no longer be supported on SpamTitan suite of products from May 1, 2018.
The change to the new primary AV engine is due to a growing strategic relationship with Bitdefender. Further collaboration with the Romanian cybersecurity firm is planned for the future. Customers already using SpamTitan are encouraged to upgrade to the latest version of the product as soon as possible as several other updates have been incorporated into the latest version, including patches for recently discovered vulnerabilities in ClamAV.
These include the use-after-free vulnerability CVE-2017-12374; buffer overflow vulnerabilities CVE-2017-12375 and CVE-2017-12376; Mew Packet Heap Overflow vulnerability CVE-2017-12377; Buffer Overflow in messageAddArgument vulnerability CVE-2017-12379; and Null Dereference vulnerability CVE-2017-12380. TitanHQ has also included patches for openssl, openssh, php, and wget and updates have been included to resolve potential denial of service attacks.
Customers already on v6.x of the platform who have enabled prefetch of system updates will find the latest patches in the list of available updates on the System updates page. If this option is disabled, they should use the ‘Check for Updates Now’ option in the user interface.
Customers using SpamTitan v4 and v5 have been advised that support for both versions of SpamTitan will cease on May 1, 2018. An upgrade to version 7.00 will therefore be required before the deadline. It is important to note that the update process requires v4/5 to first be upgraded to v6 before installing SpamTitan v7.00. Upgrading to the new version will not change the existing configuration of the product.
Customers should allow 10-20 minutes for the installation of the new version and should read all product notes before installation.
A Colorado Department of Transportation ransomware attack on February 21, 2018 affected at least 21 computers preventing files from being accessed by employees. A prompt response to the ransomware attack limited the harm caused, although to prevent the spread of the ransomware more than 2,000 computers were shut down.
The attack has already caused considerable disruption, which is ongoing as the cleanup operation continues.
The DOT says it received a ransom demand which would need to be paid in order to obtain the keys to unlock encrypted files, but that the DOT has no intention of paying any money to the attackers. Instead the firm has called in an external cybersecurity firm (McAfee) to restore data on the affected workstations and ensure all devices are clean and protected from infection. All encrypted files will be recovered from backups.
Fortunately, the ransomware attack was limited to certain endpoints. Other computer systems that are used with surveillance cameras and traffic alerts were not affected.
The Colorado Department of Transportation ransomware attack is one of several high-profile attacks involving SamSam ransomware to have been reported this year. Hancock Health Hospital in Indiana was one notable victim. The hospital was issued with a ransom demand and paid the attackers for the keys to unlock the encryption, even though backups could have been used to recover files. A Bitcoin payment worth approximately $55,000 is believed to have been paid. The payment was believed to be considerably less than the cost of disruption while files were recovered from backups.
Another Indiana hospital – Adams Memorial Hospital was also attacked with a variant of SamSam ransomware, and Allscripts – an electronic health record provider – also suffered an attack that took down some of its web services.
SamSam ransomware first surfaced in 2015, and while some antivirus and antimalware solutions can detect the malware, the attackers continue to release new variants that are much better at evading detection.
Bleeping Computer reported on January 19 that one of the Bitcoin wallets used by the gang involved in SamSam ransomware campaign had already made approximately $300,000 from ransom payments, although that figure will almost certainly be higher since multiple Bitcoin wallets are believed to be used and the campaign is ongoing.
On February 15, Secureworks reported that the profits from the attacks had increased to at least $350,000, with the firm attributing the attacks to a hacking group called Gold Lowell.
It is unclear how the Colorado Department of Transportation ransomware attack occurred. Some sources report that the attack involved phishing emails, although Gold Lowell’s modus operandi is leveraging vulnerabilities in Remote Desktop Protocol (RDP) services.
With the campaign ongoing, all businesses should be alert to the threat from phishing and RDP attacks. Spam filters, such as TitanHQ’s cloud-based anti-spam service, are essential as is anti-phishing training for employees. If RDP is necessary, strong passwords should be set and controls implemented to reduce the potential for brute force attacks. Rate limiting on login attempts for example. It is also important to make sure that multiple data backups are performed to ensure files can be recovered in the event of an attack.
A new report has been released that shows there has been a massive rise in the global cost of cybercrime, highlighting the seriousness of the threat from hackers and scammers. 2017 global cybercrime costs exceeded $600 billion, according to the McAfee report. That represents a 20% increase since 2014, when the global cybercrime costs were calculated to be around $500 billion. The current global cybercrime costs equate to 0.8% of global GDP.
The report shows that in spite of increases in cybersecurity spending, hackers and scammers are still managing to breach organizations’ defenses and gain access to sensitive data, login credentials, corporate bank accounts, and intellectual property.
Accurately Determining the Global Cost of Cybercrime
Any calculation of global cybercrime costs involves some margin of error, as the figures cannot be totally based on reported losses by businesses. Many companies do not disclose details of data breaches, and even fewer publish information of the financial impact of cyberattacks. When details about financial losses are published, typically only a fraction of the losses are reported. In many cases the losses are not known until many years after the event. It is therefore difficult to obtain a true picture of the losses due to cybercrime because of the shortage of data.
To try to gain an accurate picture of the total cost of cybercrime, McAfee had to turn to the same modelling techniques used by government agencies to determine the costs of criminal activities such as drug trafficking, prostitution, maritime piracy, and organizational crime groups.
McAfee is not the only company to make these predictions. Compared to some reports the figures from McAfee seem quite conservative. The true cost could be considerably higher.
Factors Contributing to the Increase in Losses
McAfee reports that several factors have contributed to the large increase in cybercrime costs over the past few years. The growth in popularity of ransomware has played a part. Ransomware has proved to be a particularly plump cash cow, allowing cybercriminals to rake in millions by extorting companies. The anonymity of cryptocurrencies has helped these cybercriminal gangs obtain payments without detection, while the use of TOR has helped the gangs stay under the radar of law enforcement agencies.
Ransomware-as-a-service has also boosted profits for cybercriminals. The increase in the number of individuals conducting attacks has made it possible to increase the scale of operations and distribute the malicious code more effectively. State-sponsored hacks have also increased, including attacks aimed at sabotaging businesses and critical infrastructure as well as major heists that have seen millions of dollars stolen.
McAfee cites research showing around 300,000 new malware samples are now being identified on a daily basis, while data breaches are exposing a staggering 780,000 records a day.
Personal records can sell for big bucks on darknet forums; however, one of the biggest costs is the theft of intellectual property, which McAfee estimates has resulted in at least 25% of the annual losses to cybercrime. When patented processes are obtained, the benefits of millions in research and development is lost and companies can lose their competitive advantage.
One thing is clear from the report. With global cybercrime costs rising, and the sophistication and frequency of attacks increasing, companies have little alternative than to invest more in cybersecurity and develop more sophisticated defenses.
Last week news broke that government supercomputers in Russia had been turned into cryptocurrency miners, now comes news that many UK government websites have been infected with cryptocurrency mining code.
More than 4,200 Websites Infected with Cryptocurrency Mining Code
The latest attack affects government websites around the globe, with more than 4,200 websites turning visitors’ computers into cryptocurrency miners.
The attack involved a popular website plugin called Browsealoud. Browsealoud is used to convert written website content into audio for the blind and partially sighted. The browser plugin was compromised by hackers who altered the source code of the plugin to include cryptocurrency mining code. By altering the plugin, the malicious code runs every time a site user visits a webpage that offers the audio function using the Browsealoud plugin.
When a visitor arrived at such as webpage, the code ran and turned that user’s computer into a cryptocurrency miner, using the computer’s processing power to mine Monero. Mining is the term given to verifying cryptocurrency transfers. Mining requires a computer to solve a complex problem. Once that problem is solved, the miner is rewarded with a small payment. In this case, the individual(s) who altered the code.
Using one computer to mine cryptocurrency will only generate a small return. However, by hijacking a browser plugin on a website that is visited by many thousands of individuals, the potential returns are considerable. The processing power of millions of computers can be harnessed.
Browsealoud was developed by the British company Texthelp. According to its website, its plugin has been installed on 4,275 domains. In the United Kingdom, many government websites use the plugin, including the Financial Ombudsman Service, the Information Commissioner’s Office, the Student Loans Company, many National Health Service (NHS) websites, and local government websites including the .gov.uk sites used by Camden, Croydon, Manchester, and Newham to name but a few. Many federal and state government websites in the US have turned their visitors’ devices into cryptocurrency miners, and it is the same story in Australia, Ireland, Sweden, and beyond.
The Browsealoud plugin is understood to have been infected with cryptocurrency mining code at some point between 0300 and 1145 UTC on February 11, 2018. The code was only active for a few hours before the change was identified and Texthelp disabled the plugin.
The mining only took place while a visitor was on a webpage that used the Browsealoud plugin. As soon as the tab or browser was closed, the mining stopped. Visiting the website that had been infected with cryptocurrency mining code via the plugin would not result in a malware infection. The only noticeable effect for any visitors to the websites would have been a slowing down of their computers or the fan starting as their computer started going into overdrive.
This incident has however made it quite clear to government agencies that their websites are not secure and using third party plugins on their sites to improve services for website users introduces risk.
These supply-chain attacks exploit a trusted relationship between the website owner and a third-party software/plugin supplier and the benefits for cybercriminals are clear. All it takes is for one plugin to be hacked to have malicious code run on many thousands of websites, thus targeting millions of website visitors. In this case, the damage caused was minimal, but the attack could have been much worse. The goal on this occasion was to mine cryptocurrency. The attackers could easily have inserted much more malicious code and attempted to steal login credentials.
That means a new hash is required if the vendor does not include a version number in their updated code. However, it will ensure that attacks such as this, or worse attacks with much more malicious code, will be blocked.
Following a slew of cyber extortion attacks on schools, the FBI and the Department of Education’s Office of the Inspector General have issued a warning. Schools need to be alert to the threat of cyber extortion and must take steps to mitigate risk by addressing vulnerabilities, developing appropriate policies and procedures, and using technologies to secure their networks.
K12 schools and other educational institutions are an attractive target for cybercriminals. They hold large quantities of valuable data – The types of data that can be used to commit identity theft and tax fraud. Further, in education, security defenses are typically of a much lower standard than in other industries. Poor defenses and large volumes of valuable data mean cyberattacks are inevitable.
The warning comes after several cyber extortion attacks on schools by a group of international hackers known collectively as TheDarkOverlord. The hacking group has conducted numerous attacks on the healthcare industry the public school system since April 2016.
The modus operandi of the hacking group is to search for vulnerabilities that can be easily exploited to gain access to internal networks. Once network access is gained, sensitive data is identified and exfiltrated. A ransom demand is then issued along with the threat to publish the data if payment is not made. The hacking group does not make empty threats. Several organizations that have failed to pay have seen their data dumped online. Recent attacks have also included threats of violence against staff and students.
Access to networks is typically gained by exploiting vulnerabilities such as weak passwords, poor network security, unpatched software, and misconfigured databases and cloud storage services.
The FBI reports that the hacking group has conducted at least 69 cyber extortion attacks on schools, healthcare organizations, and businesses and has stolen more that 100 million records containing personally identifiable information. More than 200,000 of those records have been released online after ransom demands were ignored. More than 7,000 students have had their PII exposed by the hackers.
The escalation of the threats to include violence have caused panic and some schools have been temporarily closed as a result. Sensitive data has been released which has placed staff and students at risk of financial losses due to fraud. The FBI recommends not paying any ransom demand as it just encourages further criminal activity. What schools must do is take steps to mitigate risk and make it harder for their institution to be attacked. By doing so, cybercriminals are likely to continue their search for organizations that are easier to attack.
Ransomware and DDoS Attacks are Rife
TDO is not the only criminal group conducting cyber extortion attacks on schools, and these direct attacks are not the only way access to school networks is gained.
The past two years have seen a massive rise in the use of ransomware on schools. Ransomware attacks are often indiscriminate, taking advantage of vulnerabilities in human firewalls: A lack of security awareness of staff and students. These attacks commonly involve email, with malicious attachments and links used to deliver the ransomware payload.
Ransomware is malicious code that is used to search for stored files and encrypt them to prevent access. With files encrypted, organizations must either restore files from backups or pay the ransom demand to obtain the key to unlock the encryption. Since the code can also encrypt backup files, many organizations have had no alternative other than paying the ransom, since data loss is not an option.
Other cyber extortion attacks on schools do not involve data theft. DoS and DDoS attacks bombard servers with thousands or millions of requests preventing access and often damaging hardware. Cybercriminal gangs use mafia-style tactics to extort money, threatening to conduct DoS/DDoS attacks unless payment is made. Alternatively, they may conduct the attacks and demand payment to stop the attack.
The rise in cyber extortion attacks on schools means action must be taken to secure networks. A successful attack often results in educational institutions suffering major losses. The ransom payment is only a small part of the total cost. Removing ransomware, rebuilding systems, and protecting individuals whose sensitive data has been exposed can cost hundreds of thousands of dollars.
How to Protect Against Cyber Extortion Attacks on Schools
Schools and other educational institutions can develop policies and procedures and use technologies to deter cybercriminals and improve network and email security. By adhering to IT best practices and adopted a layered approach to security, it is possible to mount a robust defense and prevent cyber extortion attacks on schools.
Educational institutions should:
Implement strong passwords: Weak passwords can easily be cracked using brute force methods. Set strong passwords (Upper/lower case letters, numbers, and special characters or long 15+ digit passphrases) and use rate limiting to block access attempts after a set number of failures. Never reuse passwords for multiple accounts.
Patch promptly: Vulnerabilities in software and operating systems can easily be exploited to gain access to networks. Develop good patch management policies and ensure all software and operating systems are updated promptly.
Implement an advanced spam filter: Phishing and spam emails are commonly used to deliver ransomware and obtain login credentials. Do not rely on the spam filters of email service providers. Implement separate, advanced anti spam software or a cloud-based filtering service to block email-based threats and prevent them from reaching inboxes.
Provide security awareness training: Cybersecurity should be taught. Staff and students should be made aware of email and web-based threats and told how to identify malicious emails and potential web-based threats.
Implement a web filter: A web filter is necessary for CIPA compliance to protect students from harm caused by viewing obscene images online. A web filter is also an important cybersecurity defense that can block malware and ransomware and stop staff and students from visiting phishing websites. Web filters protect staff and students at school, but also protect devices that are taken home.
Secure remote desktop/access services: Conduct audits to determine which devices have remote access enabled. If remote access is not necessary, ensure it is disabled. If the services cannot be disabled, ensure they are secured. Use Secure Sockets Layer (SSL) Transport Layer Security for server authentication, ensure sessions are encrypted, and use strong passwords. Whitelist access is strongly recommended to ensure only authorized devices can connect.
Use two-factor authentication: Use two-factor authentication on all accounts to prevent access if a password is used on an unfamiliar device.
Limit administrator accounts: Administrator accounts should be limited. When administrator access is not required, log out from those accounts and use an account with fewer privileges.
Segment your network: Segmenting the network can limit the damage caused when malware and ransomware is installed, preventing it from spreading across the entire network.
Scan for open ports and disable: Conduct a scan to identify all open ports and ensure those open, unused ports are disabled.
Monitor audit logs: Audit logs for all remote connection protocols, check logs to ensure all accounts were intentionally created, and audit access logs to check for unauthorized activity.
Backup all data: Good backup polices are essential for recovery from ransomware attacks: Adopt a 3-2-1 approach. Make three copies of backups, store them on at least two different media, and keep one copy off site. Backups should be on air-gapped devices (not connected to the Internet or network).
It has been pretty difficult to avoid the news of Meltdown and Spectre – Two vulnerabilities recently discovered that could potentially be exploited to gain access to sensitive information on PCs, Macs, servers, and smartphones. Meltdown and Spectre affect virtually all devices that contain CPUs, which amounts to billions of devices worldwide.
What are Meltdown and Spectre?
Meltdown and Spectre are two separate vulnerabilities affecting CPUs – central processing units. The chips that power a wide range of electronic devices. The flaws make devices vulnerable to side-channel attacks, in which it is possible to extract information from instructions that have been run on CPUs, using the CPU cache as a side channel.
There are three types of attacks, two for Spectre and one for Meltdown. Spectre Variant 1 – tracked as CVE-2017-5753- is a bounds check bypass, while Spectre variant 2 – tracked as CVE-2017-5715 – is a branch target injection. Variant 3, termed Meltdown – tracked as CVE-2017-5754 – is a rogue data cache load, memory access permission check that is performed after kernel memory read.
The less technical explanation is the attacks leverage the prediction capabilities of the CPU. The CPU will predict processes, load them to an easily accessible, fast sector of the memory to save time and ensure fast performance. Spectre allows data to be read from the memory, but also for information to be loaded into the memory and read that would otherwise not be possible.
Meltdown also reads information from the memory, stealing information from memory used by the kernel that would not normally be possible.
What Devices are Affected by Meltdown and Spectre?
US-CERT has warned that the following vendors have been affected by Meltdown and Spectre: AMD, Apple, Arm, Google, Intel, Linux Kernel, Microsoft, and Mozilla. Apple has said that virtually all of its Macs, iPhones, and iPads are affected. PCs and laptops with Intel, Arm, and AMD chips are affected by Spectre, as are Android smartphones. while Meltdown affects desktops, laptops, and servers with Intel chips. Since servers are affected, that has major implications for cloud service providers.
How Serious are Meltdown and Spectre?
How serious are Meltdown and Spectre? Serious enough for the Intel chief executive officer, Brian Krzanich, to sell $25 million of his shares in the company prior to the announcement of the flaws, although he maintains there was no impropriety and the sale of the shares was unrelated to the announcement of the flaws a little over a month later.
For users of virtually all devices that contain CPUs, the flaws are certainly serious. They could potentially be exploited by malicious actors to gain access to highly sensitive data stored in the memory, which can include passwords and credit card data.
What makes these flaws especially serious is the number of devices that are affected – billions of devices. Since one of the flaws affects the hardware itself, which cannot be easily corrected without a redesign of the chips, resolving the problem will take a considerable amount of time. Some security experts have predicted it could take decades before the flaws are totally eradicated.
At present, it would appear that the flaws have not been exploited in the wild, although now the news has broken, there will certainly be no shortage of individuals attempting to exploit the flaws. Whether they are able to do so remains to be seen.
What Can You do to Prevent Meltdown and Spectre Attacks?
As is the case when any vulnerability is identified, protecting against Meltdown and Spectre requires patches to be applied. All software should be updated to the latest versions, including operating systems, software packages, and browsers. Keeping your systems 100% up to date is the best protection against these and other attacks.
Some third-party antivirus software will prevent Windows patches from being installed, so before Windows can be updated, antivirus must be updated. Ensure that your AV program is kept up to date, and if you have automatic updates configured for Windows, as soon as your system is ready for the update it will be installed.
Chrome and Firefox have already been updated, Microsoft will be rolling out a patch for Windows 10 on Thursday, and over the next few days, updates will be released for Windows 7 and 8. Apple has already updated MacOS version 10.13.2, with earlier versions due to receive an update soon.
Google has already issued updates for Android phones, although only Google devices have so far been updated, with other manufactures due to roll out the updates shortly. Google has already updates its Cloud Platform, and Amazon Web Services has also reportedly been updated. Linux updates will also be issued shortly.
Fixes for Meltdown are easier to implement, while Spectre will be harder as true mitigations would require major changes to the way the chips work. It is unlikely, certainly in the short term, for Intel to attempt that. Instead, mitigations will focus on how programs interact with the CPUs. As US-CERT has warned, “[The] Underlying vulnerability is caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” although that advice is no longer detailed in its updated vulnerability warning.
Applying patches will help to keep computers protected, but that may come at a cost. For example, the fix for the Meltdown vulnerability changes the way the computer works, which means the processor will have to work harder as it has to repeatedly access information from the memory – tasks that would otherwise not normally need to be performed.
That will undoubtedly have an impact on the performance of the machine. How much of a dip in performance can be expected? Some experts predict the changes could slow computers down by as much as 30%, which would certainly be noticed at times when processor activity is particularly high.
A recently discovered Forever 21 POS malware attack has seen customers’ credit card data compromised. While malware attacks on retail POS systems are now commonplace, in the case of the Forever 21 POS malware attack, the security breach stands out due to the length of time malware was present on its systems. Attackers first gained access to its POS system seven months before the infection was discovered.
The Forever 21 POS malware infections were first identified in October, when a third-party linked credit card fraud to customers who had previously visited Forever 21 stores. The potential malware infections were investigated and a third-party cybersecurity firm was called in to assist.
Forever 21 first made the announcement about a data breach in November, although the investigation has been ongoing and now new details about the attack have been released.
The investigation has revealed the attack was extensive and affected many POS devices used in its U.S. stores. The Forever 21 POS malware attack started on April 3, 2017, with further devices compromised over the following 7 months until action was taken to secure its systems on November 18, 2017. Forever 21 reports that some POS devices in its stores were only compromised for a few days, others for a few weeks, while some were compromised for the entire timeframe.
In response to the increased threat of cyberattacks on retailers, Forever 21 started using encryption technology on its payment processing systems in 2015; however, the investigation revealed the encryption technology was not always active.
While the encryption technology was active, the attackers would have been prevented from obtaining the credit card details of its customers, although the information could be stolen at times when the encryption technology was turned off.
Further, some devices that were compromised by the malware maintained logs of completed credit card transactions. When the encryption technology was not active, details of completed transactions were stored in the logs and could therefore be read by the attackers. Since those logs contained details of transactions prior to the malware infections, it is possible that customers who visited affected Forever 21 stores prior to April 3, 2017 may also have had their credit card details stolen.
Each store uses multiple POS devices to take payments from consumers, and in most cases only one device per store was compromised. The attackers concentrated their efforts on stores where POS devices did not have encryption enabled. Further, the attackers main aim appeared to be to find and infect devices that maintained logs of transactions.
On most POS devices, the attackers searched for track data read from payment cards, and in most cases, while the number, expiry date and CVV code was obtained, the name of the card holder was not.
The investigation into the Forever 21 POS malware attack is ongoing, and at present it is unclear exactly how many of the company’s 700+ stores have been affected, how many devices were infected, and how many customers have had their credit and debit card details stolen. However, it is fair to assume that an attack of this duration will have affected many thousands of customers.
The type of malware used in the attack is not known, and no reports have been released that indicate how the attackers gained access to its systems. It is not yet known if stores outside the US have been affected.
Digimine malware is a new threat that was first identified from a campaign in South Korea; however, the attacks have now gone global.
Ransomware is still a popular tool that allows cybercriminals to earn a quick payout, but raised awareness of the threat means more companies are taking precautions. Ransomware defenses are being improved and frequent backups are made to ensure files can be recovered without paying the ransom. Not only is it now much harder to infect systems with ransomware, rapid detection means large-scale attacks on companies are prevented. It’s harder to get a big payday and the ability to restore files from backups mean fewer organizations are paying up.
The surge in popularity of cryptocurrency, and its meteoric rise in value, have presented cybercriminals with another lucrative opportunity. Rather than spread ransomware, they are developing and distributing cryptocurrency miners. By infecting a computer with a cryptocurrency miner, attackers do not need to rely on a victim paying a ransom.
Rather than locking devices and encrypting files, malware is installed that starts mining (creating) the cryptocurrency Monero, an alternative to Bitcoin. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to solve complex numeric problems. For verifying transactions, cryptocurrency miners are rewarded with coins, but cryptocurrency mining requires a great deal of processing power. To make it profitable, it must be performed on an industrial scale.
The processing power of hundreds of thousands of devices would make the operation highly profitable for cybercriminals, a fact that has certainly not been lost on the creators of Digimine malware.
Infection with Digimine malware will see the victim’s device slowed, as its processing power is being taken up mining Monero. However, that is not all. The campaign spreading this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could potentially result in the victim’s Facebook account being hijacked.
The Digimine malware campaign is being spread through the Desktop version of Facebook Messenger, via Google Chrome rather than the mobile app. Once a victim is infected, if their Facebook account is set to login automatically, the malware will send links to the victim’s contact list. Clicking those links will result in a download of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.
Infections were first identified in South Korea; however, they have now spread throughout east and south-east Asia, and beyond to Vietnam, Thailand, Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.
A similar campaign has also been detected by FortiGuard Labs. That campaign is being conducted by the actors behind the ransomware VenusLocker, who have similarly switched to Monero mining malware. That campaign also started in South Korea and is spreading rapidly. Rather than use Facebook Messenger, the VenusLocker gang is using phishing emails.
Phishing emails for this campaign contain infected email attachments that download the miner. One of the emails claims the victim’s credentials have been accidentally exposed in a data breach, with the attachment containing details of the attack and instructions to follow to mitigate risk.
These attacks appear to mark a new trend and as ransomware defenses continue to improve, it is likely that even more gangs will change tactics and switch to cryptocurrency mining.
A Q3 malware threat report from McAfee charts the continued rise in malware threats throughout the year. Malware variants have now reached an all time high, with the volume of threats having risen each quarter in 2017.
In 2016, there were high levels of malware in Q1, rising slightly in Q2 before tailing off in Q3 and A4. That trend has not been seen this year. The malware threat report shows Q1 figures were higher than the previous two quarters, with a massive rise in Q3 and a continued increase in Q3. Malware threats rose 10% quarter over quarter, rising to a quarterly total of 57.6 million new samples of malware: The highest quarterly total detected by McAfee. That averages out at a new malware sample detected every quarter of a second!
The ransomware epidemic has also got worse in Q3, with new ransomware variants increasing by 36% last quarter, fueled by a sharp increase in Android screen lockers. In total, new mobile malware variants increased by 60% in Q3.
In its Q3 Malware Threat Report, McAfee noted that attackers were continuing to rely on spam email to distribute malware, with the Gamut botnet the most prevalent spamming botnet in Q3, closely followed by the Necurs botnet. The latter was used to spread ransomware variants such as Locky. Mac malware rose by 7% in Q3, and macro malware increased by 8%.
Vulnerabilities in software and operating systems were also extensively exploited, even though patches to address those vulnerabilities were released promptly.
McAfee notes that employees and organizations are making it far too easy for attackers. Employees are responding to phishing emails, are visiting malicious links and are opening attachments and enabling the content. Employers are no better. Patches are released, yet they are not being applied promptly, opening the door to attackers. In many cases, patches have still not been applied several months after they have been released.
One of the most commonly exploited vulnerabilities in Q3, 2017 was CVE-2017-0199 which affected WordPad and Microsoft Office. An exploit for the vulnerability was made available through GitHub, making remote code execution attacks easy; provided employees could be convinced to open specially crafted files. Many employees fell for the scam emails.
The McAfee Q3 Malware Threat Report highlighted several continuing malware trends, including the increase in the use of fileless malware. PowerShell malware increased by 119% in Q3 alone.
Q3 saw a new Locky variant released – Lukitus. Lukitus was spread via spam email, with more than 23 million messages delivered in the first 24 hours since its release. That, combined with other new ransomware threats, have contributed to a 44% increase in ransomware samples in the past 12 months.
Q3 also saw the release of a new variant of the Trickbot Trojan, which incorporated the EternalBlue exploit that was also used in the WannaCry and NotPetya attacks.
While no industry is immune to attack, it is the healthcare and public sectors that are taking the brunt of the attacks, accounting for 40% of all reported security incidents in Q3. In the United States, healthcare was the most commonly attacked industry.
The extensive use of spam and phishing emails to spread malware highlights the importance of using an advanced spam filtering solution such as SpamTitan, especially considering how employees are still struggling to identify malicious emails. Blocking these threats and preventing malicious messages from being delivered will help organizations prevent costly data breaches.
The high level of infections that occurred as a result of exploited vulnerabilities also shows how important it is to apply patches promptly. McAfee notes that many of the exploited vulnerabilities in Q3 were patched as early as January. If patches are not applied promptly, they will be exploited by cybercriminals to install malware.
In this article we explore the cost of HIPAA noncompliance for healthcare organizations, including the financial penalties and data breach costs, and one of the most important technologies to deploy to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA)
In the United States, healthcare organizations that transmit health information electronically are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was introduced in 1996 with the primary aim of improving healthcare coverage for employees between jobs, although it has since been expanded to include many privacy and security provisions following the introduction of the HIPAA Privacy and Security Rules.
These rules require HIPAA-covered entities – health plans, healthcare providers, healthcare clearinghouses and business associates – to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Those safeguards include protections for stored PHI and PHI in transit.
HIPAA is not technology specific, if that were the case, the legislation would need to be frequently updated to include new protections and the removal of outdated technologies that are discovered not to be as secure as was initially thought. Instead, HIPAA leaves the actual technologies to the discretion of each covered entity.
In order to determine what technologies are required to keep PHI secure, covered entities must first conduct a risk analysis: A comprehensive, organization-wide analysis of all risks to the confidentiality, integrity, and availability of PHI. All risks identified must be managed and reduced to an appropriate and acceptable level.
The risk analysis is one of the most common areas where healthcare organizations fall afoul of HIPAA Rules. Healthcare organizations have been discovered not to have included all systems, hardware and software in the risk analysis, or fail to conduct the analysis on the entire organization. Vulnerabilities are missed and gaps remain in security controls. Those gaps allow hackers to take advantage and gain access to computers, servers, and databases.
When vulnerabilities are exploited, and a data breach occurs, HIPAA-covered entities must report the security breach to the Department of Health and Human Services’ Office for Civil Rights (OCR): The main enforcer of HIPAA Rules. OCR investigates data breaches to determine whether they could realistically have been prevented and if HIPAA Rules have been violated.
What is the Cost of HIPAA Noncompliance?
When healthcare organizations are discovered not to have complied with HIPAA Rules, financial penalties are often issued. Fines of up to $1.5 million per violation category (per year that the violation has been allowed to persist) can be issued by OCR. The cost of HIPAA noncompliance can therefore be severe. Multi-million-dollar fines can, and are, issued.
The cost of HIPAA noncompliance is far more than any financial penalty issued by OCR, or state attorneys general, who are also permitted to issue fines for noncompliance. HIPAA requires covered entities to notify individuals impacted by a data breach. The breach notification costs can be considerable if the breach has impacted hundreds of thousands of patients. Each patient will need to be notified by mail. If Social Security numbers or other highly sensitive information is exposed, identity theft protection services should be offered to all breach victims.
Forensic investigations must be conducted to determine how access to data was gained, and to establish whether all malware and backdoors have been removed. Security must then be enhanced to prevent similar breaches from occurring in the future.
A data breach often sees multiple lawsuits filed by the victims, who seek damages for the exposure of their information. Data breaches have a major negative impact on brand image and increase patient churn rate. Patients often switch providers after their sensitive information is stolen.
On average, a data breach of less than 50,000 records costs $4.5 million to resolve according to the Ponemon Institute and has an average organizational cost of $7.35 million.
The 78.8 million-record breach experienced by Anthem Inc. in 2015 is expected to have cost the insurer upwards of $200 million. That figure does not include lost brand value and reputation damage, and neither a HIPAA fine from OCR.
A summary of the cost of HIPAA noncompliance, including recent fines issued by attorneys general and OCR has been detailed in the infographic below.
The Importance of Protecting Email Accounts
There are many ways that unauthorized individuals can gain access to protected health information – via remote desktop applications, by exploiting vulnerabilities that have not been patched, accessing databases that have been left exposed on the Internet, or when devices containing unencrypted PHI are stolen. However, the biggest single threat to healthcare data comes from phishing.
Research from PhishMe indicates more than 90% of data breaches start with a phishing email, and a recent HIMSS Analytics survey confirmed that phishing is the biggest threat, with email ranked as the most likely source of a healthcare data breach.
Protecting email accounts is therefore an essential part of HIPAA compliance. OCR has already fined healthcare organizations for data breaches that have resulted from phishing emails.
Healthcare organizations should implement a solution that blocks malicious emails and scans for malware and ransomware. In addition to technology, employees must also be trained how to identify malicious emails and taught to be more security aware.
How TitanHQ Can Help with HIPAA Compliance
TitanHQ developed SpamTitan to keep inboxes secure and prevent email spam, phishing messages, and malware from being delivered to inboxes. SpamTitan blocks more than 99.9% of spam email, and dual anti-virus engines ensure emails with malicious attachments are identified and quarantined. With SpamTitan, your organization’s email accounts will be protected – an essential part of HIPAA compliance.
WebTitan compliments SpamTitan and offers an additional layer of protection. WebTitan is a web filtering solution that allows you to carefully control the websites that your employees visit. WebTitan will prevent employees from visiting malicious websites via emailed hyperlinks, general web browsing, malvertising or redirects, protecting your organization from web-based attacks, drive by downloads of ransomware and malware, and exploit kit attacks.
For more information on TitanHQ’s cybersecurity solutions for healthcare, contact the TitanHQ team today.
The Ponemon Institute has published the findings of a new report on endpoint security risk, which shows that ransomware attacks have occurred at most companies, the risk of fileless malware attacks has increased significantly, and successful cyberattacks are resulting in average losses of more than $5 million.
For the Barkly-sponsored endpoint security risk study, the Ponemon Institute surveyed 665 IT security professionals that were responsible for the management of their organization’s security risk.
7 out of ten respondents claimed endpoint security risk was significantly higher this year than in 2016, and one of the biggest threats was now fileless malware. Companies are still using traditional anti-virus and anti-malware solutions, although they are not effective at preventing fileless malware attacks.
Fileless malware is not detected by most anti-virus solutions since no files are written to the hard drive. Instead, fileless malware remains in the memory, oftentimes leveraging legitimate system tools to gain persistence and spread to other devices on the network.
These fileless malware attacks are occurring far more frequently, with respondents estimating a 20% rise in attacks in 2017. 29% of all cyberattacks in 2017 involved fileless malware, and the threat is expected to continue to increase, and will account for more than a third of all attacks in 2018.
The switch from file-based malware to fileless malware is understandable. The attacks are often successful. 54% of companies surveyed said they had experienced at least one cyberattack that resulted in data being compromised, and 77% of those attacks involved exploits or fileless malware. 42% of respondents said they had experienced a fileless malware attack that resulted in systems or data being compromised in 2017.
Fileless malware attacks are increasing, but so are ransomware attacks. Over half of companies that took part in the endpoint security risk study said they had experienced at least one ransomware attack in 2017, while four out of ten firms experienced multiple ransomware attacks. Even though most companies backup their files, 65% of respondents said they had paid a ransom to recover their data, with the average amount being $3,675. The primary method of ransomware delivery is email.
While the ransom payments may be relatively low, that represents only a small proportion of the costs of such attacks. For the endpoint security risk study, firms were asked to estimate the total cost of cyberattacks – On average, each successful attack on endpoints cost an average of $5,010,600 to resolve – $301 per employee.
Protect Against Malware Attacks by Blocking the Primary Delivery Vector
Email is the primary method for distributing malware. Implementing a spam filtering solution, preferably a gateway solution, can keep an organization protected from malicious emails and will prevent malicious messages from being delivered to end users, and is important for helping organizations manage endpoint security risk.
Many companies opt for an email gateway filtering appliance – an appliance located between the firewall and email server. These solutions are powerful, but they come at a cost since the appliance must be purchased. These appliance-based solutions also lack scalability.
If you want the power of an appliance, but want to keep costs to a minimum, consider a solution such as SpamTitan. SpamTitan offers the same power as a dedicated appliance, without the need to purchase any additional hardware. SpamTitan can be deployed as a virtual appliance on existing hardware, offering the same level of protection as an email gateway filtering appliance at a fraction of the cost.
Don’t Forget to Train Your Employees to be More Security Conscious
A recent InfoBlox survey on healthcare organizations in the United States and United Kingdom revealed that companies in this sector are realizing the benefits of training employees to be more security aware, although only 35% of firms currently provide training to employees.
No matter what email filtering solution you use, there will be times when spammers succeed, and messages are delivered. It is therefore important that staff are trained how to identify and respond to suspicious emails. If end users are not aware of the threats, and do not know how to recognize potential phishing emails, there is a higher chance of them engaging in risky behavior and compromising their device and the network.
A serious MS Office remote code execution vulnerability has been patched by Microsoft – One that would allow malware to be installed remotely with no user interaction required. The flaw has been present in MS Office for the past 17 years.
The flaw, which was discovered by researchers at Embedi, is being tracked as CVE-2017-11882. The vulnerability is in the Microsoft Equation Editor, a part of MS Office that is used for inserting and editing equations – OLE objects – in documents: Specifically, the vulnerability is in the executable file EQNEDT32.exe.
The memory corruption vulnerability allows remote code execution on a targeted computer, and would allow an attacker to take full control of the system, if used with Windows Kernel privilege exploits. The flaw can be exploited on all Windows operating systems, including unpatched systems with the Windows 10 Creators Update.
Microsoft addressed the vulnerability in its November round of security updates. Any unpatched system is vulnerable to attack, so it is strongly advisable to apply the patch promptly. While the vulnerability could potentially have been exploited at any point in the past 17 years, attacks exploiting this MS Office remote code execution vulnerability are much more likely now that a patch has been released.
The flaw does not require the use of macros, only for the victim to open a specially crafted malicious Office document. Malicious documents designed to exploit the vulnerability would likely arrive via spam email, highlighting the importance of implementing a spam filtering solution such as SpamTitan to block the threat.
End users who are fooled into opening a malicious document can prevent infection by closing the document without enabling macros. In this case, malware would be installed simply by opening the document.
Microsoft has rated the vulnerability as important, rather than critical, although researchers at Embedi say this flaw is “extremely dangerous.” Embedi has developed a proof of concept attack that allowed them to successfully exploit the vulnerability. The researchers said, “By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it),”
EQNEDT32.exe is run outside of the Microsoft Office environment, so it is therefore not subject to Office and many Windows 10 protections. In addition to applying the patch, security researchers at Embedi recommend disabling EQNEDT32.EXE in the registry, as even with the patch applied, the executable still has a number of other vulnerabilities. Disabling the executable will not impact users since this is a feature of Office that is never needed by most users.
A new wave of cyberattacks on financial institutions using malware called the Silence Trojan has been detected. In contrast to many attacks on banks that target the bank customers, this attack targets the bank itself. The attack method bears a number of similarities to the attacks conducted by the Eastern European hacking group, Carbanak.
The Silence Trojan is being used to target banks and other financial institutions in several countries, although so far, the majority of victims are in Russia. The similarity of the Silence Trojan attacks to Carbanak suggests these attacks could be conducted by Carbanak, or a spinoff of that group, although that has yet to be established.
The attacks start with the malicious actors behind the campaign gaining access to banks’ networks using spear phishing campaigns. Spear phishing emails are sent to bank employees requesting they open an account. The emails are well written, and the premise is believable, especially since in many cases the emails are sent from within using email addresses that have previously been compromised in other attacks. When emails are sent from within, the requests seem perfectly credible.
Some of these emails were intercepted by Kaspersky Lab. Researchers report that the emails contain a Microsoft Compiled HTML Help file with the extension .chm.
The attackers gain persistent access to an infected computer and spend a considerable amount of time gathering data. Screen activity is recorded and transmitted to the C2, with the bitmaps combined to form a stream of activity from the infected device, allowing the attackers to monitor day to day activities on the bank network.
This is not a quick smash and grab raid, but one that takes place over an extended period. The aim of the attack is to gather as much information as possible to maximize the opportunity to steal money from the bank.
Since the attackers are using legitimate administration tools to gather intelligence, detecting the attacks in progress is complicated. Implementing solutions to detect and block phishing attacks can help to keep banks protected.
Since security vulnerabilities are often exploited, organizations should ensure that all vulnerabilities are identified and corrected. Kaspersky Lab recommends conducting penetration tests to identify vulnerabilities before they are exploited by hackers.
Kaspersky Lab notes that when an organization has already been compromised, the use of .chm attachments in combination with spear phishing emails from within the organization has proved to be a highly effective attack method for conducting cyberattacks on financial institutions.
A global data breach study by Gemalto provides valuable insights into data breaches reported over the first six months of 2017, showing there has been a significant increase in data breaches and the number of records exposed.
Barely a day has gone by without a report of a data breach in the media, so it will probably not come as a surprise to hear that data breaches have risen again in 2017. What is surprising is the scale of the increase. Compared to the first six months of 2016 – which saw huge numbers of data breaches reported – 2017 saw a 13% increase in incidents. However, it is the scale of those breaches that is shocking. 2017 saw 164% more records exposed than in 2016.
During the first six months of 2017, a staggering 918 data breaches were confirmed, resulting in 1.9 billion records and email credentials being exposed or stolen. Further, that figure is a conservative. According to Gemalto’s global data breach study, it is unknown how many records were compromised in 59.3% of data breaches between January and June 2017.
What is clear is the data breaches are increasing in size. Between January and the end of June, there were 22 breaches reported that each impacted more than 1 million individuals.
To put the global data breach study figures into perspective, more than 10.5 million records were exposed each day in the first half of 2017 – or 122 records per second.
What is the Biggest Cause of Data Breaches in the First Half of 2017?
While malicious insiders pose a significant threat, and caused 8% of breaches, accidental loss of devices or records accounted for 18% of incidents. But the biggest cause of data breaches was malicious outsiders, who caused 74% of all tracked data breaches.
However, in terms of the severity of breaches, it is accidental loss that tops the list. There many have only been 166/918 breaches due to accidental loss according to the global data breach study, but those incidents accounted for 86% of all records – That’s 1.6 billion.
Malicious outsiders may have caused the most breaches – 679/918 – but those breaches involved just 13% of the total number of records – 254 million. In the first half of 2016, malicious outsiders were the leading breach cause and data breaches and accounted for 76% of breached records.
It is worth noting that while malicious insiders were responsible for just 8% of incidents, those incidents saw 20 million records exposed. Compared to 2016, that’s a 4114% increase.
Which Regions Had the Most Data Breaches in the First Half of 2017?
While North America was the hardest hit, accounting for 88% of all reported breaches, that does not necessarily mean that most breaches are occurring in the United States. In the U.S. there are far stricter reporting requirements, and companies are forced to disclose data breaches.
In Europe, many companies choose not to announce data breaches. It will therefore be interesting to see how the figures change next year. From May 2018, there will be far stricter reporting requirements due to the introduction of the General Data Protection Regulation (GDPR). For this report, there were 49 reported breaches in Europe – 5% of the total. 40% of those breaches were in the United Kingdom. There were 47 breaches in the Asia Pacific region – 5% of the total – with 15 in India and the same percentage in Australia.
Which Industries Suffer the Most Data Breaches?
The worst affected industry was healthcare, accounting for 25% of all breaches. However, bear in mind that HIPAA requires healthcare organizations to report all breaches in the United States. The financial services industry was in second place with 14% of the total, followed by education with 13% of breaches. The retail industry recorded 12% of breaches, followed by the government on 10% and technology on 7%.
In terms of the number of records breached, it is ‘other industries’ that were the worst hit. Even though that group accounted for just 6% of breaches they resulted in the exposure of 71% of records. Government breaches accounted for 21% of the total, followed by technology (3%), education (2%), healthcare (2%) and social media firms (1%).
How Can These Breaches be Stopped?
In the most part, these data breaches occurred due to poor cybersecurity protections, basic security failures, poor internal security practices, and the failure to use data encryption. Previous research by PhishMe has shown that 91% of data breaches start with a phishing email. Anti-spam defenses are therefore critical in preventing data breaches. If phishing emails are prevented from being delivered, a large percentage of external attacks can be stopped.
Organizations that have yet to use two factor authentication should ensure that this basic security control is employed. Employees should receive cybersecurity awareness training, and training programs should be ongoing. In particular, employees should be trained how to identify phishing emails and the actions they should take when a suspicious email is encountered.
Accidental loss of data from lost and stolen devices can be prevented with the use of encryption, although most accidental losses were due to poorly configured databases. Organizations should pay particular attention to their databases and cloud instances, to make sure they are appropriately secured and cannot be accessed by unauthorized individuals.
Bad Rabbit ransomware attacks have been reported throughout Russia, Ukraine, and Eastern Europe. While new ransomware variants are constantly being developed, Bad Rabbit ransomware stands out due to the speed at which attacks are occurring, the ransomware’s ability to spread within a network, and its similarity to the NotPetya attacks in June 2017.
Bad Rabbit Ransomware Spreads via Fake Flash Player Updates
While Bad Rabbit ransomware has been likened to NotPetya, the method of attack differs. Rather than exploit the Windows Server Message Block vulnerability, the latest attacks involve drive-by downloads that are triggered when users respond to a warning about an urgent Flash Player update. The Flash Player update warnings have been displayed on prominent news and media websites.
The malicious payload packed in an executable file called install_flash_player.exe. That executable drops and executes the file C:\Windows\infpub.dat, which starts the encryption process. The ransomware uses the open source encryption software DiskCryptor to encrypt files with AES, with the keys then encrypted with a RSA-2048 public key. There is no change to the file extension of encrypted files, but every encrypted file has the .encrypted extension tacked on.
Once installed, it spreads laterally via SMB. Researchers at ESET do not believe bad rabbit is using the ETERNALBLUE exploit that was incorporated into WannaCry and NotPetya. Instead, the ransomware uses a hardcoded list of commonly used login credentials for network shares, in addition to extracting credentials from a compromised device using the Mimikatz tool.
Similar to NotPetya, Bad Rabbit replaces the Master Boot Record (MBR). Once the MBR has been replaced, a reboot is triggered, and the ransom note is then displayed.
Victims are asked to pay a ransom payment of 0.5 Bitcoin ($280) via the TOR network. The failure to pay the ransom demand within 40 hours of infection will see the ransom payment increase. It is currently unclear whether payment of the ransom will result in a valid key being provided.
So far confirmed victims include the Russian news agencies Interfax and Fontanka, the Ministry of Infrastructure of Ukraine, the Odessa International Airport, and the Kiev Metro. In total there are believed to have been more than 200 attacks so far in Russia, Ukraine, Turkey, Bulgaria, Japan, and Germany.
How to Block Bad Rabbit Ransomware
To prevent infection, Kaspersky Lab has advised companies to restrict the execution of files with the paths C:\windows\infpub.dat and C:\Windows\cscc.dat.
Alternatively, those files can be created with read, write, and execute permissions removed for all users.
On Friday, the U.S. Department of Homeland Security’s (DHS) computer emergency readiness team (US-CERT) issued a new warning about phishing attacks on energy companies and other critical infrastructure sectors.
Advanced persistent threat (APT) actors are conducting widespread attacks on organizations in the energy, aviation, nuclear, water, and critical manufacturing sectors. Those attacks, some of which have been successful, have been occurring with increasing frequency since at least May 2017. The group behind the attack has been called Dragonfly by AV firm Symantec, which reported on the attacks in September.
DHS believes the Dragonfly group is a nation-state sponsored hacking group whose intentions are espionage, open source reconnaissance and cyberattacks designed to disrupt energy systems.
These cyberattacks are not opportunistic like most phishing campaigns. They are targeted attacks on specific firms within the critical infrastructure sectors. While some firms have been attacked directly, in many cases the attacks occur through a ‘staging’ company that has previously been compromised. These staging companies are trusted vendors of the targeted organization. By conducting attacks through those companies, the probability of an attack on the target firm succeeding is increased.
DHS warns that the attackers are using several methods to install malware and obtain login credentials. The phishing attacks on energy companies have included spear phishing emails designed to get end users to reveal their login credentials and malicious attachments that install malware.
In the case of the former, emails direct users to malicious websites where they are required to enter in their credentials to confirm their identity and view content. While some websites have been created by the attackers, watering hole attacks are also occurring on legitimate websites that have been compromised with malicious code. DHS warns that approximately half of the attacks have occurred through sites used by trade publications and informational websites “related to process control, ICS, or critical infrastructure.”
Phishing emails containing malicious attachments are used to directly install malware or the files contain hyperlinks that direct the user to websites where a drive-by malware download occurs. The links are often shortened URLS creating using the bit.ly and tinyurl URL shortening services. The attackers are also using email attachments to leverage Windows functions such as Server Message Block (SMB) protocol to retrieve malicious files. A similar SMB technique is also used to harvest login credentials.
The malicious attachments are often PDF files which claim to be policy documents, invitations, or resumés. Some of the phishing attacks on energy companies have used a PDF file attachment with the name “AGREEMENT & Confidential.” In this case, the PDF file does not include any malicious code, only a hyperlink to a website where the user is prompted to download the malicious payload.
US-CERT has advised companies in the targeted sectors that the attacks are ongoing, and action should be taken to minimize risk. Those actions include implementing standard defenses to prevent web and email-based phishing attacks such as spam filtering solutions and web filters.
Since it is possible that systems may have already been breached, firms should be regularly checking for signs of an intrusion, such as event and application logs, file deletions, file changes, and the creation of new user accounts.
The average enterprise data breach cost has risen to $1.3 million, according to a new report from antivirus firm Kaspersky Lab – An increase of $100,000 year over year. Small to medium size businesses are also having to dig deeper to remediate data breaches. The average data breach cost for SMBs is now $117,000.
For the cost of a data breach study, Kaspersky Lab surveyed more than 5,000 businesses, asking questions about how much firms are spending on data breach resolution and how those costs are split between various aspects of the breach response. Businesses were also asked about future spending and how much their IT security budgets are increasing year over year.
The survey reveals that in North America, the percentage of the budget being spent on IT security is increasing. However, overall budgets are reducing, so the net spend on IT security has decreased year over year. Last year, businesses were allocating 16% of their budgets to IT security, which has risen to 18% this year. However, average enterprise IT security budgets have dropped from $25.5 million last year to just $13.7 million this year.
Breaking Down the Enterprise Data Breach Cost
So how is the enterprise data breach cost broken down? What is the biggest cost of resolving a data breach? The biggest single data breach resolution cost is additional staff wages, which costs an average of $207,000 per breach.
Other major costs were infrastructure improvements and software upgrades ($172,000), hiring external computer forensics experts and cybersecurity firms ($154,000), additional staff training ($153,000), lost business ($148,000), and compensation payments ($147,000).
The average SMB data breach resolution cost was $117,000. The biggest costs were contracting external cybersecurity firms to conduct forensic investigations and the loss of business as a direct result of a breach, both cost an average of $21,000 each. Additional staff wages cost $16,000, increases in insurance premiums and credit rating damage cost an average of $11,000, new security software and infrastructure costs were $11,000, and new staff and brand damage repair cost $10,000 each. Further staff training and compensation payouts cost $9,000 and $8,000 respectively.
The high cost of data breach mitigation shows just how important it is for enterprises and SMBs to invest in data breach prevention and detection technologies. Blocking cyberattacks is essential, but so too is detecting breaches when they do occur. As the IBM/Ponemon Institute 2017 Cost of a Data Breach Study showed, the faster a breach is detected, the lower the enterprise data breach cost will be.
The Importance of an Effective Spam Filter
There are many potential vulnerabilities that can be exploited by hackers, so it is important for businesses of all sizes to conduct regular risk assessments to find holes in their defenses before cybercriminals do. A risk management plan should be devised to address any vulnerabilities uncovered during the risk assessment. Priority should be given to the most serious risks and those that would have the greatest impact if exploited.
While there is no single cybersecurity solution that can be adopted to prevent data breaches, one aspect of data breach prevention that should be given priority is a software solution that can block email threats. Spam email represents the biggest threat to organizations. Research conducted by PhishMe suggests 91% of all data breaches start with a phishing email. Blocking those malicious emails is therefore essential.
TitanHQ has developed a highly effective spam filtering solution for enterprises – and SMBs – that blocks more than 99.9% of spam email, preventing phishing emails, malware, and ransomware from reaching employees’ inboxes.
To find out how SpamTitan can protect your business from email threats, for a product demonstration and to register for a free trial of SpamTitan, contact the TitanHQ team today.
Healthcare organizations are being targeted by hackers and scammers and email is the No1 attack vector. 91% of all cyberattacks start with a phishing email and figures from the Anti-Phishing Working Group indicate end users open 30% of phishing emails that are delivered to their inboxes. Stopping emails from reaching inboxes is therefore essential, as is training healthcare employees to be more security aware.
Since so many healthcare data breaches occur as a result of phishing emails, healthcare organizations must implement robust defenses to prevent attacks. Further, email security is also an important element of HIPAA compliance. Fail to follow HIPAA Rules on email security and a financial penalty could follow a data breach.
Email Security is an Important Element of HIPAA Compliance
HIPAA Rules require healthcare organizations to implement safeguards to secure electronic protected health information to ensure the confidentiality, integrity, and availability of health data.
Email security is an important element of HIPAA compliance. With so many attacks on networks starting with phishing emails, it is essential for healthcare organizations to implement anti-phishing defenses to keep their networks secure.
The Department of Health and Human Services’ Office for Civil Rights has already issued fines to healthcare organizations that have experienced data breaches as a result of employees falling for phishing emails. UW medicine paid OCR $750,000 following a malware-related breach caused when an employee responded to a phishing email. Metro Community Provider Network settled a phishing-related case for $400,000.
One aspect of HIPAA compliance related to email is the risk assessment. The risk assessment should cover all systems, including email. Risk must be assessed and then managed and reduced to an appropriate and acceptable level.
Managing the risk of phishing involves the use of technology and training. All email should be routed through a secure email gateway, and it is essential for employees to receive training to raise awareness of the risk of phishing and the actions to take if a suspicious email is received.
How to Secure Email, Prevent and Identify Phishing Attacks
Email phishing scams today are sophisticated, well written, and highly convincing. It is often hard to differentiate a phishing email from a legitimate communication. However, there are some simple steps that all healthcare organizations can take to improve email security. Simply adopting the measures below can greatly reduce phishing risk and the likelihood of experiencing an email-related breach.
While uninstalling all email services is the only surefire way to prevent email phishing attacks, that is far from a practical solution. Email is essential for communicating with staff members, stakeholders, business associates, and even patients.
Since email is required, two steps that covered entities should take to improve email security are detailed below:
Implement a Third-Party AntiSpam Solution Into Your Email Infrastructure
Securing your email gateway is the single most important step to take to prevent phishing attacks on your organization. Many healthcare organizations will already have added an antispam solution to block spam emails from being delivered to end users’ inboxes, but what about cloud-based email services? Have you secured your Office 365 email gateway with a third-party solution?
You will already be protected by Microsoft’s spam filter, but when all it takes is for one malicious email to reach an inbox, you really need more robust defenses. SpamTitan integrates perfectly with Office 365, offering an extra layer of security that blocks known malware and more than 99.9% of spam email.
Continuously Train Employees and they Will Become Security Assets
End users – the cause of countless data breaches and a constant thorn in the side of IT security staff. They are a weak link and can easily undo the best security defenses, but they can be turned into security assets and an impressive last line of defense. That is unlikely to happen with a single training session, or even a training session given once a year.
End user training is an important element of HIPAA compliance. While HIPAA Rules do not specify how often training should be provide, given the fact that phishing is the number one security threat, training should be a continuous process.
The Department of Health and Human Services’ Office for Civil Rights recently highlighted some email security training best practices in its July cybersecurity newsletter, suggesting “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”
The frequency of training should be dictated by the level of risk faced by an organization. Many covered entities have opted for bi-annual training sessions for the workforce, with monthly newsletters and security updates provided via email, including information on the latest threats such as new phishing scams and social engineering techniques.
OCR also reminded HIPAA covered entities that not all employees respond to the same training methods. It is best to mix it up and use a variety of training tools, such as CBT training, classroom sessions, newsletters, posters, email alerts, team discussions, and phishing email simulation exercises.
Simple Steps to Verify Emails and Identify Phishing Scams
Healthcare employees can greatly reduce the risk of falling of a phishing scam by performing these checks. With practice, these become second nature.
- Hovering the mouse over an email hyperlink to check the true domain. Any anchor text –hyperlinked text other than the actual URL – should be treated as suspicious until the true domain is identified. Also check that the destination URL starts with HTTPS.
- Never reply directly to an email – Always click forward. It’s a little slower, but you will get to see the full email address of the person who sent the message. You can then check that domain name against the one used by the company.
- Pay close attention to the email signature – Any legitimate email should contain contact information. This can be faked, or real contact information may be used in a spam email, but phishers often make mistakes in signatures that are easy to identify.
- Never open an email attachment from an unknown sender – If you need to open the attachment, never click on any links in the document, or on any embedded objects, or click to enable content or run macros. Forward the email to your IT department if you are unsure and ask for verification.
- Never make any bank transfers requested by email without verifying the legitimacy of the request.
- Legitimate organizations will not ask for login credentials by email
- If you are asked to take urgent action to secure your account, do not use any links contained in the email. Visit the official website by typing the URL directly into your browser. If you are not 100% of the URL, check on Google.
Email may be the primary vector used to conduct cyberattacks on businesses, but there has been a massive rise in cyberattacks on websites in recent months. The second quarter of 2017 saw a 186% increase in cyberattacks on websites, rising from an average of 22 attacks per day in Q1 to 63 attacks per day in Q2, according to a recent report from SiteLock. These sites were typically run by small to mid-sized companies.
WordPress websites were the most commonly attacked – The average number of attacks per day was twice as high for WordPress sites as other content management platforms. That said, security on WordPress sites is typically better than other content management platforms.
Joomla websites were found to contain twice the number of vulnerabilities as WordPress sites, on average. Many users of Joomla were discovered to be running versions of the CMS that are no longer supported. One in five Joomla sites had a CMS that had not been updated in the past 5 years. Typically, users of Joomla do not sign up for automatic updates.
WordPress sites are updated more frequently, either manually or automatically, although that is not the case for plugins used on those sites. While the CMS may be updated to address vulnerabilities, the updates will not prevent attacks that leverage vulnerabilities in third party plugins.
The study revealed 44% of 6 million websites assessed for the study had plugins that were out of date by a year or more. Even when websites were running the latest version of the CMS, they are still being compromised by cybercriminals who exploited out of date plugins. Seven out of 10 compromised WordPress sites were running the latest version of the WordPress.
There is a common misconception than website security is the responsibility of the hosting provider, when that is not the case. 40% of the 20,000 website owners who were surveyed believed it was their hosting company that was responsible for securing their websites.
Most cyberattacks on websites are automated. Bots are used to conduct 85% of cyberattacks on websites. The types of attacks were highly varied, including SQL injection, cross-site scripting attacks, local and remote file inclusion, and cross-site request forgery.
SiteLock noted that in 77% of cases where sites had been compromised with malware, this was not picked up by the search engines and warnings were not being displayed by browsers. Only 23% of sites that were compromised with malware triggered a browser warning or were marked as potentially malicious websites by search engines.
Due to major increase in attacks, it is strongly recommended that SMBs conduct regular scans of their sites for malware, ensure their CMS is updated automatically, and updates are performed on all plugins on the site. Taking proactive steps to secure websites will help SMBs prevent website-related breaches and stop their sites being used to spread malware or be used for phishing.
Today is the start of the 14th National Cyber Security Month – A time when U.S. citizens are reminded of the importance of practicing good cyber hygiene, and awareness is raised about the threat from malware, phishing, and social engineering attacks.
The cybersecurity initiative was launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) with the aim of creating resources for all Americans to help them stay safe online.
While protecting consumers has been the main focus of National Cyber Security Month since its creation, during the past 14 years the initiative has been expanded considerably. Now small and medium-sized businesses, corporations, and healthcare and educational institutions are assisted over the 31 days of October, with advice given to help develop policies, procedures, and implement technology to keep networks and data secure.
National Cyber Security Month Themes
2017 National Cyber Security Month focuses on a new theme each week, with resources provided to improve understanding of the main cybersecurity threats and explain the actions that can be taken to mitigate risk.
Week 1: Oct 2-6 – Simple Steps to Online Safety
It’s been 7 years since the STOP. THINK. CONNECT campaign was launched by the NCSA and the Anti-Phishing Workshop. As the name suggests, the campaign encourages users learn good cybersecurity habits – To assume that every email and website may be a scam, and to be cautions online and when opening emails. Week one will see more resources provided to help consumers learn cybersecurity best practices.
Week 2: Oct 9-13 – Cybersecurity in the Workplace
With awareness of cyber threats raised with consumers, the DHS and NCSA turn their attention to businesses. Employees may be the weakest link in the security chain, but that need not be the case. Education programs can be highly effective at improving resilience to cyberattacks. Week 2 will see businesses given help with their cyber education programs to develop a cybersecurity culture and address vulnerabilities. DHS/NCSA will also be promoting the NIST Cybersecurity Framework and explaining how its adoption can greatly improve organizations’ security posture.
Week 3: Oct 16-20 –Predictions for Tomorrow’s Internet
The proliferation of IoT devices has introduced many new risks. The aim of week three is to raise awareness of those risks – both for consumers and businesses – and to provide practical advice on taking advantage of the benefits of smart devices, while ensuring they are deployed in a secure and safe way.
Week 4: Oct 23-27 –Careers in Cybersecurity
There is a crisis looming – A severe lack of cybersecurity professionals and not enough students taking up cybersecurity as a profession. The aim of week 4 is to encourage students to consider taking up cybersecurity as a career, by providing resources for students and guidance for key influencers to help engage the younger generation and encourage them to pursue a career in cybersecurity.
Week 5: Oct 30-31 – Protecting Critical Infrastructure
As we have seen already this year, nation-state sponsored groups have been sabotaging critical infrastructure and cybercriminals have been targeting critical infrastructure to extort money. The last two days of October will see awareness raised of the need for cybersecurity to protect critical infrastructure, which will serve as an introduction to Critical Infrastructure Security and Resilience Month in November.
European Cyber Security Month
While National Cyber Security Month takes place in the United States, across the Atlantic, European Cyber Security Month is running in tandem. In Europe, similar themes will be covered with the aim of raising awareness of cyber threats and explaining the actions EU citizens and businesses can take to stay secure.
This year is the 5th anniversary of European Cyber Security Month – a collaboration between The European Union Agency for Network and Information Security (ENISA), the European Commission DG CONNECT and public and private sector partners.
As in the United States, each week of October has a different theme with new resources and reports released, and events and activities being conducted to educate the public and businesses on cybersecurity.
European Cyber Security Month Themes
This year, the program for European Cyber Security Month is as follows:
Week 1: Oct 2-6 – Cybersecurity in the Workplace
A week dedicated to helping businesses train their employees to be security assets and raise awareness of the risks from phishing, ransomware, and malware. Resources will be provided to help businesses teach their employees about good cyber hygiene.
Week 2: Oct 9-13 – Governance, Privacy & Data Protection
With the GDPR compliance date just around the corner, businesses will receive guidance on compliance with GDPR and the NIS Directive to help businesses get ready for May 2018.
Week 3: Oct 16-20 – Cybersecurity in the Home
As more IoT devices are being used in the home, the risk of cyberattacks has grown. The aim of week 3 is to raise awareness of the threats from IoT devices and to explain how to keep home networks secure. Awareness will also be raised about online fraud and scams targeting consumers.
Week 4: Oct 23-27 – Skills in Cyber Security
The aim in week 4 is to encourage the younger generation to gain the cyber skills they will need to embark upon a career in cybersecurity. Educational resources will be made available to help train the next generation of cybersecurity professionals.
Use October to Improve Your Cybersecurity Defenses and Train Your Workforce to Be Security Titans
This Cyber Security Month, why not take advantage of the additional resources available and use October to improve your cybersecurity awareness and train your employees to be more security conscious.
When the month is over, don’t shelve cybersecurity for another 12 months. The key to remaining secure and creating a security culture in the workplace is to continue training, assessments, and phishing tests throughout the year. October should be taken as a month to develop and implement training programs and to work toward creating a secure work environment and build a cybersecurity culture in your place of work.
The CCleaner hack that saw a backdoor inserted into the CCleaner binary and distributed to at least 2.27 million users was far from the work of a rogue employee. The attack was much more sophisticated and bears the hallmarks of a nation state actor. The number of users infected with the first stage malware may have been be high, but they were not being targeted. The real targets were technology firms and the goal was industrial espionage.
Avast, which acquired Piriform – the developer of Cleaner – in the summer, announced earlier this month that the CCleaner v5.33.6162 build released on August 15 was used as a distribution vehicle for a backdoor. Avast’s analysis suggested this was a multi-stage malware, capable of installing a second-stage payload; however, Avast did not believe the second-stage payload ever executed.
Swift action was taken following the discovery of the CCleaner hack to take down the attacker’s server and a new malware-free version of CCleaner was released. Avast said in a blog post that simply updating to the new version of CCleaner – v5.35 – would be sufficient to remove the backdoor, and that while this appeared to be a multi-stage malware
Further analysis of the CCleaner hack has revealed that was not the case, at least for some users of CCleaner. The second stage malware did execute in some cases.
The second payload differed depending on the operating system of the compromised system. Avast said, “On Windows 7+, the binary is dumped to a file called “C:\Windows\system32\lTSMSISrv.dll” and automatic loading of the library is ensured by autorunning the NT service “SessionEnv” (the RDP service). On XP, the binary is saved as “C:\Windows\system32\spool\prtprocs\w32x86\localspl.dll” and the code uses the “Spooler” service to load.”
Avast determined the malware was an Advanced Persistent Threat that would only deliver the second-stage payload to specific users. Avast was able to determine that 20 machines spread across 8 organizations had the second stage malware delivered, although since logs were only collected for a little over 3 days, the actual total infected with the second stage was undoubtedly higher. Avast estimates the number of devices infected was likely “in the hundreds”.
Avast has since issued an update saying, “At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany.”
The majority of devices infected with the first backdoor were consumers, since CCleaner is a consumer-oriented product; however, consumers are believed to be of no interest to the attackers and that the CCleaner hack was a watering hole attack. The aim was to gain access to computers used by employees of tech firms. Some of the firms targeted in this CCleaner hack include Google, Microsoft, Samsung, Sony, Intel, HTC, Linksys, D-Link, and Cisco.
The second stage of the attack delivered keylogging and data collection malware. Kaspersky and FireEye researchers have connected the attack to the hacking group APT 17, noting similarities in the infrastructure with the nation state actor. It was APT 17 that was behind the Operation Aurora attack which similarly targeted tech companies in 2009. Cisco Talos researchers noted that one of the configuration files was set to a Chinese time zone, further suggesting this was the work of a nation-state hacking group based in China.
While Avast previously said upgrading to the latest version would be sufficient to remove the backdoor, it would not remove the second-stage malware. Data could still be exfiltrated to the attackers C2 server, which was still active. Avast is currently working with the targeted companies and is providing assistance.
Cisco Talos criticized Avast’s stance on the attack, explaining in a recent blog post, “it’s imperative to take these attacks seriously and not to downplay their severity,” also suggesting users should “restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”
It has been confirmed that poor patch management policies opened the door for hackers and allowed them to gain access to the consumer data stored by the credit monitoring bureau Equifax. The massive Equifax data breach announced earlier this month saw the personal information – including Social Security numbers – of almost half the population of the United States exposed/stolen by hackers.
Poor Patch Management Policies to Blame for Yet Another Major Cyberattack
The vulnerability may have been different to that exploited in the WannaCry ransomware attacks in May, but it was a similar scenario. In the case of WannaCry, a Microsoft Server Message Block vulnerability was exploited, allowing hackers to install WannaCry ransomware.
The vulnerability, tracked as CVE-2017-010, was corrected in March 2017 and a patch was issued to prevent the flaw from being exploited. Two months later, the WannaCry ransomware attacks affected organizations around the world that had not yet applied the patch.
Few details about the Equifax data breach were initially released, with the firm only announcing that access to consumer data was gained via a website application vulnerability. Equifax has now confirmed that access to data was gained by exploiting a vulnerability in Apache Struts, specifically, the Apache Struts vulnerability tracked as CVE-2017-5638.
As with WannaCry, a patch had been released two months before the attack took place. Hackers took advantage of poor patch management policies and exploited the vulnerability to gain access to consumer information.
The Exploited Apache Struts Vulnerability
Apache Struts is used by many Fortune 100 firms and is popular with banks, airlines, governments, and e-commerce stores. Apache Struts is an open-source, MVC framework that allows organizations to create front and back-end Java web applications, such as applications on the public website of Equifax.
The CVE-2017-5638 Apache Struts vulnerability is well known. Details of the vulnerability were published in March 2017 and a patch was issued to correct the flaw. The flaw is relatively easy to exploit, and within three days of the patch being issued, hackers started to exploit the vulnerability and attack web applications that had not been patched.
The remote code execution vulnerability allows an attacker to execute arbitrary code in the context of the affected application. While many organizations acted quickly, for some, applying the patch was not straightforward. The process of upgrading and fixing the flaw can be a difficult and labor-intensive task. Some websites have hundreds of apps that all need to be updated and tested. While it is currently unclear if Equifax was in the process of upgrading the software, two months after the patch had been released, Equifax had still not updated its software. In mid-May, the flaw was exploited by hackers and access was gained to consumer data.
Poor Patch Management Policies Will Lead to Data Breaches
All software contains vulnerabilities that can be exploited. It is just a case of those vulnerabilities being found. Already this year, there have been several vulnerabilities discovered in Apache Struts of varying severity. As soon as new vulnerabilities are discovered, patches are developed to correct the flaws. It is up to organizations to ensure patches are applied promptly to keep their systems and data secure. Had the patch been applied promptly, the breach could have been prevented.
Even though a widely exploited vulnerability was known to exist, Equifax was not only slow to correct the flaw but also failed to detect that a breach had occurred for several weeks. In this case, it would appear that the attackers were throttling down on data exfiltration to avoid detection, although questions will certainly be asked about why it took so long for the Equifax cyberattack to be discovered.
Since zero-day vulnerabilities are often exploited before software developers become aware of flaws and develop patches, organizations – especially those of the size of Equifax – should be using intrusion detection solutions to monitor for abnormal application activity. This will help to ensure any zero-day exploits are rapidly identified and action is taken to limit the severity of any breach.
What Will the Cost of the Equifax Data Breach Be?
The cost of the Equifax data breach will be considerable. State attorneys general are lining up to take action against the credit monitoring bureau for failing prevent the breach. 40 attorneys general have already launched and Massachusetts attorney general Maura Healey has announced the state will be suing Equifax for breaching state laws.
Healey said, the Equifax data breach was “the most egregious data breach we have ever seen. It is as bad as it gets.” New York Attorney General Eric Schneiderman has also spoken out about the breach promising an in-depth investigation to determine whether state laws have been violated. If they have, action will certainly be taken.
U.S. consumers are also extremely angry that their highly sensitive information has been breached, especially since they did not provide their data to Equifax directly. Class-action lawsuits are certain to be launched to recover damages.
As if the breach itself is not bad enough, questions have been raised about the possibility of insider trading. Three Equifax executives allegedly sold $2 million in stock just days after the breach was discovered and before it had been made public.
The final cost of the Equifax data breach will not be known for years to come, although already the firm has lost 35% of its stock value – wiping out around $6 billion. Multiple lawsuits will be filed, there are likely to be heavy fines. The cost of the Equifax breach is therefore certain to be of the order of hundreds of millions. Some experts have suggested a figure of at least 300 million is likely, and possibly considerably more.
A new attack method – termed Bashware – could allow attackers to install malware on Windows 10 computers without being detected by security software, according to research conducted by Check Point.
The Windows Subsystem for Linux (WSL) was introduced to make it easier for developers to run Linux tools on Windows without having to resort to virtualization; however, the decision to add this feature could open the door to cybercriminals and allow them to install and run malware undetected.
Checkpoint researchers have conducted tests on Bashware attacks against leading antivirus and antimalware security solutions and in all cases, the attacks went undetected. Check Point says no current antivirus or security solutions are capable of detecting Bashware attacks as they have not been configured to search for these threats. Unless cybersecurity solutions are updated to search for the processes of Linux executables on Windows systems, attacks will not be detected.
Microsoft says the Bashware technique has been reviewed and has been determined to be of low risk, since WSL is not turned on by default and several steps would need to be taken before the attack is possible.
For an attack to take place, administrator privileges would need to be gained. As has been demonstrated on numerous occasions, those credentials could easily be gained by conducting phishing or social engineering attacks.
The computer must also have WSL turned on. By default, WSL is turned off, so the attacks would either be limited to computers with WSL turned on or users would have to turn on WSL manually, switching to development mode and rebooting their device. The potential for Bashware attacks to succeed is therefore somewhat limited.
That said, Check Point researchers explained that WSL mode can be switched on by changing a few registry keys. The Bashware attack method automates this process and will install all the necessary components, turn on WSL mode and could even be used to download and extract the Linux file system from Microsoft.
It is also not necessary for Linux malware to be written for use in these attacks. The Bashware technique installs a program called Wine that allows Windows malware to be launched and run undetected.
WSL is now a fully supported feature of Windows. Check Point says around 400 million computers are running Windows 10 are currently exposed to Bashware attacks.
Researchers Gal Elbaz and Dvir Atias at Check Point said in a recent blog post, “Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products.”
Check Point has already updated its solutions to detect these types of attacks, and Kaspersky Lab is making changes to its solutions to prevent these types of attacks. Symantec said its solutions already check for malware created using WSL.
Shadow Brokers are offering a new National Security Agency (NSA) hacking tool – UNITEDRAKE malware – making good on their promise to issue monthly releases of NSA exploits. The latest malware variant is one of several that were allegedly stolen from the NSA last year.
Shadow Brokers previously released the ETERNALBLUE exploit which was used in the WannaCry ransomware attacks in May that affected thousands of businesses around the world. There is no reason to suggest that this new hacking tool is not exactly what they claim.
UNITEDRAKE malware is a modular remote access and control tool that can capture microphone and webcam output, log keystrokes, and gain access to external drives. Shadow Brokers claim UNITEDRAKE malware is a ‘fully extensive remote collection system’ that includes a variety of plugins offering a range of functions that allow malicious actors to perform surveillance and gather information for use in further cyberattacks. UNITEDRAKE malware gives attackers the ability to take full control of an infected device.
Plugins include CAPTIVATEDAUDIENCE, which records conversations via an infected computer’s microphone, GUMFISH gives the attackers control of the webcam and allows them to record video and take images. FOGGYBOTTOM steals data such as login credentials, browsing histories and passwords, SALVAGERABBIT can access data on external drives such as flash drives and portable hard drives when they are connected, and GROK is a keylogger plugin. The malware is also able to self-destruct when its tasks have been performed.
The malware works on older Windows versions including Windows XP, Vista, Windows 7 and 8 and Windows Server 2012.
According to documents released by Edward Snowden in 2014, the malware has been used by the NSA to infect millions of computers around the world. The malware will soon be in the hands of any cybercriminal willing to pay the asking price of 500 Zcash – around $124,000. Shadow Brokers have released a manual for the malware explaining how it works and its various functions.
TrendMicro said in a recent blog post there is currently no way of blocking or stopping the malware. When attacks occur, they will be analyzed by security researchers looking for clues as to how the malware works. That should ultimately lead to the development of tools to block attacks.
In the meantime, organizations need to improve their security posture by ensuring all systems are patched and operating systems are upgraded to the latest versions. An incident response plan should also be developed to ensure it can be implemented promptly in the event of an attack.
A further NSA exploit is expected to be released later this month, with the monthly dumps scheduled for at least the next two months.
A Netherlands-based spambot has recently been discovered that is being used to send massive volumes of spam email containing ransomware and malware. What sets this spambot aside from the many others in use is the scale of the spamming operations. Paris-based cybersecurity firm Benkow says the spambot contains an astonishing 711,000,000 email addresses.
To put that absurdly high figure into perspective, it corresponds to the entire population of Europe or two email addresses for every resident in the United States and Canada.
The spambot – called Onliner – is being used as part of a massive malware distribution network that has been distributing Ursnif banking malware. Not only are these email addresses being used for spamming and malware distribution, the passwords associated with many of those accounts are also publicly available on the same server. Malicious actors could access the data and use the information to gain access to the compromised accounts to search for sensitive information.
All of the email addresses in the list have now been uploaded to HaveIBeenPwned. Troy Hunt of HaveIBeenPwned recently explained in a blog post that this is the single largest set of email addresses that has ever been uploaded to the database. Hunt said it took 110 separate data breaches and more than two and a half years for the site to amass a database of that size.
Hunt explained that an analysis of some of the email addresses in one of the text files were all present in the data from the LinkedIn breach, another set related to the Badoo breach and another batch were all in the exploit.in list, suggesting this massive collection of email addresses has been amalgamated from past data breaches. That shows data is being extensively bought and sold on forums and darknet marketplaces. However, not all of the email addresses were already in the database, suggesting they came either from previously undisclosed breaches and scrapes of Internet sites.
Some of the lists obtained contained email addresses, corresponding passwords, SMTP servers and ports, which allow spammers to abuse those accounts and servers in their spamming campaigns. Hunt says the list includes approximately 80 million email servers that are being used in spamming campaigns.
The problem is these are legitimate accounts and servers, which the spammers can abuse to send massive amounts of spam and even defeat some spam filters, ensuring malicious messages get delivered. Hunt says authorities in the Netherlands are currently attempting to shut down Onliner.
As a precaution, everyone is recommended to visit HaveIBeenPwned to check if their email addresses/passwords have been added to the database. If they are present, it is important to update the passwords for those email accounts and never to use those passwords again.
What is biggest cybersecurity threat currently faced by organizations? According to a recent survey of government IT professionals, the biggest cybersecurity threat is employees. 100% of respondents to the survey said employees were the biggest cybersecurity threat faced by their organziation.
The survey, conducted by Netwrix, explored IT security and compliance risks at a wide range of organizations around the globe, including government agencies.
Government agencies are an attractive target for cybercriminals. They store vast quantities of sensitive data on consumers and cybersecurity protections are often inferior to private sector organizations. Consequently, cyberattacks are easier to pull off. In addition to a treasure trove of consumer data, government agencies hold highly sensitive information critical to national security. With access to that information, hackers can take out critical infrastructure.
There are plenty of hackers attempting to gain access to government networks and oftentimes attacks are successful. The Office of Personnel Management breach in 2015 resulted in the Social Security numbers of 21.5 million individuals being compromised. In 2015, there was also a 6.2 million record breach at the Georgia Secretary of State Office and 191 million individuals were affected by a hack of the U.S. voter database.
The survey revealed 72% of government entities around the world had experienced at least one data breach in 2016 and only 14% of respondents felt their department was well protected against cyberattacks.
Employees Are the Biggest Cybersecurity Threat
Last year, 57% of data breaches at government entities were caused by insider error, while 43% of respondents from government agencies said they had investigated instances of insider misuse. Given the high percentage of security incidents caused by insiders – deliberate and accidental – it is no surprise that insiders are perceived to be the biggest cybersecurity threat.
How Can Employees be Turned from Liabilities into Security Titans?
Employees may be widely regarded as liabilities when it comes to information security, but that need not be the case. With training, employees can be turned into security titans. For that to happen, a onetime security awareness training program is not going to cut it. Creating a security culture requires considerable effort, resources and investment.
Security awareness training needs to be a continuous process with training sessions for employees scheduled at least twice a year, with monthly updates and weekly security bulletins distributed to highlight the latest threats. Training must also be backed up with testing – both to determine how effective training has been and to provide employees with the opportunity to test their skills. Phishing simulations are highly effective in this regard. If an employee fails a simulation it can be turned into a training opportunity. Studies by security training companies have shown susceptibility to phishing attacks can be reduced by more than 90% with effective training and phishing simulation exercises.
However, fail to invest in an effective security awareness program and employees will remain the biggest cybersecurity threat and will continue to cause costly data breaches.
How to Reduce Exposure to Phishing and Malware Threats
With the workforce trained to respond correctly to phishing emails, employees can be turned into a formidable last line of defense. The defensive line should be tested with simulated phishing emails, but technological solutions should be introduced to prevent real phishing emails from being delivered to end users’ inboxes.
The majority of malware and ransomware attacks start with a phishing email, so it is essential that these malicious messages are filtered out. An advanced spam filtering solution should therefore be at the heart of an organization’s email defenses.
SpamTitan is a highly effective enterprise-class spam filtering solution that blocks malicious messages and more than 99.9% of spam email, helping organizations to mount an impressive defense against email-based attacks. Dual anti-virus engines are used to identity and block malware and ransomware, with each email subjected to deep analysis using Sender Policy Framework (SPF), SURBL’s, RBL’s and Bayesian analysis to block threats.
If you want to improve your defenses against phishing and email-based malware attacks, SpamTitan should be at the heart of your email defenses. To find out more about SpamTitan and how it can prevent your employees having their phishing email identification skills frequently put to the test, contact the TitanHQ team today.
The busiest day of the week for email spam is Tuesday and spammers concentrate on sending messages during working hours, Monday to Friday, according to a 2017 spam study conducted by IBM X-Force.
The study was conducted over a 6-month period from December 2016 to June 2017. The study analyzed more than 20 million spam messages and 27 billion webpages and images a day. The researchers also incorporated data provided by several anti-spam organizations, making the 2017 spam study one of the largest ever conducted.
The 2017 spam study showed the majority of spam emails – 83% – were sent to arrive in inboxes during office hours with Tuesday, Wednesday, and Thursday the spammiest days. Spam volume was much lower on Mondays and Fridays.
While spam is sent 24/7, the busiest times are between 1am and 4pm ET. If an email arrives at an inbox when a worker is at his/her desk, it is more likely to be opened. Spammers therefore concentrate their messages during office hours.
Malicious spam messages increase around the holidays and during tax season when email scams are rife. The increase in numbers of individuals heading online to shop for goods means rich pickings for spammers. Spam volume also increases during sporting events such as the Olympics, the Super Bowl and the Football World Cup, with sports-themed spam messages capitalizing on interest in the events.
Malicious messages aim to get email recipients to reveal their banking credentials, logins and passwords and install malware. The researchers found 44% of spam emails contained malicious code, and out of those emails, 85% were used to spread ransomware.
While the majority of spam messages are automated, the IBM researchers point out that spammers work at their campaigns. There is also considerable manual work required to control botnets and spam mailers. The process is not entirely automated. Considerable work is put into malicious messages that spread ransomware and malware, with these campaigns requiring the highest level of manual control. These campaigns also involve extensive planning to maximize the number of victims.
Spam is sent from countries all around the world, although the biggest percentage hails from India, which sends 30% of all spam emails. South America and China also send a high percentage of global spam. Only 7% of spam emails are sent from the United States and Canada.
Companies are getting better at filtering out spam emails and preventing the messages from reaching inboxes. Spam filtering technology has improved enormously in recent years, meaning fewer messages are being delivered; however, spam is still the main method of distributing malware and phishing scams are rife. Spammers are also getting much better at masking their malicious messages and they frequently change delivery vehicles develop new methods of hiding malicious code to avoid detection.
The researchers say spam email volume has increased fourfold over the past 12 months and malicious messages are now being increasingly targeted at organizations and individuals, rather than being sent randomly in huge spamming campaigns. Targeting allows the attackers to send carefully crafted campaigns which are more likely to result in the recipients taking the desired action.
The retail industry is under attack with cybercriminals increasing their efforts to gain access to PoS systems. Retail industry data breaches are now being reported twice as frequently as last year, according to a recent report from UK law firm RPC.
Retailers are an attractive target. They process many thousands of credit card transactions each week and store huge volumes of personal information of consumers. If cybercriminals can gain access to Point of Sale systems, they can siphon off credit and debit card information and stolen consumer data can be used for a multitude of nefarious purposes.
Many retailers lack robust cybersecurity defenses and run complex systems on aging platforms, making attacks relatively easy.
While cyberattacks are common, the increase in data breaches does not necessarily mean hacks are on the rise. RPC points out that there are many possible causes of data breaches, including theft of data by insiders. Retailers need to improve they defenses against attacks by third parties, although it is important not to forget that systems need to be protected from internal threats.
Preventing retail industry data breaches requires a range of cybersecurity protections, but technology isn’t always the answer. Errors made by staff can easily result in cybercriminals gaining easy access to systems, such as when employees respond to phishing emails.
Employees are the last line of defense and that defensive line is frequently tested. It is therefore essential to improve security awareness. Security awareness training should be provided to all employees to raise awareness of the threat from phishing, malware and web-based attacks.
Phishing emails are the primary method of spreading malware and ransomware. Training staff how to identify phishing emails – and take the correct actions when email-based threats are received – will go a long way toward preventing retail industry data breaches. Employees should be taught the security basics such as never opening email attachments or clicking hyperlinks in emails from unknown individuals and never divulging login credentials online in response to email requests.
Employees can be trained to recognize email-based threats, although it is important to take steps to prevent threats from reaching inboxes. An advanced spam filtering solution is therefore a good investment. Spam filters can block the vast majority of spam and malicious emails, ensuring employees security awareness is not frequently put to the test. SpamTitan blocks more than 99.9% of spam and malicious emails, ensuring threats never reach inboxes.
Web-based attacks can be blocked with a web filtering solution. By carefully controlling the types of websites employees can access, retailers can greatly reduce the risk of malware downloads.
As the recent WannaCry and NotPetya malware attacks have shown, user interaction is not always required to install malware. Both of those global attacks were conducted remotely without any input from employees. Vulnerabilities in operating systems were exploited to download malware.
In both cases, patches had been released prior to the attacks that would have protected organizations from the threat. Keeping software up to date is therefore essential. Patches must be applied promptly and regular checks conducted to ensure all software is kept 100% up to date.
This is not only important for preventing retail industry data breaches. Next year, the General Data Protection Regulation (GDPR) comes into force and heavy fines await retailers that fail to do enough to improve data security. Ahead of the May 25, 2018 deadline for compliance, retailers need to improve security to prevent breaches and ensure systems are in place to detect breaches rapidly when they do occur.
Security researchers have discovered a wave of cyberattacks on hotel WiFi networks that leverage an NSA exploit – EternalBlue – for a vulnerability that was fixed by Microsoft in March.
The same exploit was used in the WannaCry ransomware attacks in May and the NotPetya wiper attacks in June. Even though the malware campaigns affected hundreds of companies and caused millions (if not billions) of dollars of losses, there are still companies that have yet to apply the update.
The recent cyberattacks on hotel WiFi networks have affected establishments in the Middle East and Europe. Once access is gained to hotel networks, the attackers spy on guests via hotel WiFi networks and steal their login credentials.
Researchers at FireEye discovered the new campaign, which they have attributed to the Russian hacking group APT28, also known as Fancy Bear. Fancy Bear is believed to receive backing from the Russian government and has performed many high profile cyberattacks in recent years, including the cyberattack on the World Anti-Doping agency (WADA). Following that attack, Fancy Bear published athletes’ therapeutic use exemption (TUE) data.
In contrast to the WannaCry and NotPetya attacks that were conducted remotely without any user involvement, the latest campaign is being conducted via a spear phishing campaign. The hacking group sends malicious emails to hotel employees and uses email attachments to download their backdoor – Gamefish. In this case, the attachment appears to be a reservation form for a hotel booking. Gamefish is installed if hotel employees run the macros in the document.
Once the backdoor is installed, the hackers search for internal and guest WiFi networks using EternalBlue and spread to other devices. Once embedded in computers that control the WiFi networks, the attackers can launch attacks on devices that attempt to connect to the hotel WiFi network.
The hackers use the open-source Responder tool to listen for MBT-NS (UDP/137) broadcasts from devices that are attempting to connect to WiFi network resources. Instead of connecting, they connect to Responder which obtains usernames and hashed passwords. That information is transferred to a computer controlled by the attackers. Once the hashed passwords have been cracked they can be used to attack hotel guests.
The names of the affected hotels have not been disclosed, although FireEye has confirmed that at least one Middle Eastern hotel and seven in Europe have been attacked. The hotels were well respected establishments likely to be frequented by high-net worth guests and business travelers.
The advice for travelers is to exercise caution when connecting to hotel WiFi networks, such as avoiding accessing online bank accounts or better still, avoiding connecting to hotel WiFi networks altogether. While the use of a VPN when connecting to hotel WiFi networks is a good idea, in this case the attack can occur before a secure VPN connection is made.
FireEye reports that this type of attack is difficult to detect and block. The attackers passively collect data and leave virtually no traces. Once login credentials have been obtained, guests are vulnerable and not just while they are at the hotel. FireEye believes the credentials are then used to attack individuals when they return home and connect to their home networks.
The best way for hotels to prevent cyberattacks on hotel WiFi networks such as this is by blocking the phishing and spear phishing attacks that lead to installation of the malware. Hotels should ensure all employees are provided with security awareness training and a spam filtering solution such as SpamTitan is deployed to stop malicious emails from being delivered to employees’ inboxes.
A WiFi Security Solution from TitanHQ
Any WiFi access point provider should ensure that controls are implemented to restrict access to illegal or inappropriate website content, block access to known malicious URLs that are used for phishing and malware distribution, and to prevent downloads of files commonly associated with malware.
TitanHQ developed WebTitan Cloud for WiFi to help businesses and service providers secure their WiFi networks, block cyberattacks, and provide a sanitized Internet service to customers. WebTitan Cloud for WiFi is a DNS-based filtering solution that can be used to carefully control the Internet content individuals can access when connected to the business WiFi network, with no impact on Internet speed.
Benefits of WebTitan Cloud for WiFi for Hotels
- Create a family-friendly, safe and secure web browsing environment.
- Accurately filter web content through 53 pre-set categories and up to 10 custom categories.
- Filter by keyword and keyword score.
- Filter content in 200 languages.
- Apply time-based filtering controls.
- Filter the Internet across multiple WiFi hotspots.
- Manage access points through a single web-based administration panel.
- Delegate management of access points.
- Low management overhead.
- Reduce the risk of phishing attacks.
- Block malware and ransomware downloads.
- Inspect encrypted websites with SSL certificates.
- Schedule and run reports on demand with real time-views of Internet activity and extensive drill down reporting.
- Industry-leading customer service and support.
- Highly competitive pricing.
Cyberattacks are continuing to rise, according to the latest threat report from NTT Security. Cyberattacks in Q2 2017 jumped considerably, while phishing emails are now being extensively used to spread malware. The majority of cyberattacks in Q2 2017 affected the manufacturing, finance and healthcare industries, which accounted for 72% of all detected attacks.
Cyberattacks in Q2 2017 Increased by Almost a Quarter
Cyberattacks in Q2 2017 were 24% higher than the previous quarter and the manufacturing industry is in hackers’ crosshairs. Manufacturing accounted for 34% of all malicious attacks last quarter, followed by finance with 25% of attacks and healthcare on 13%.
Cyberattacks on manufacturing firms are not limited geographically. Manufacturing was the most attacked industry in five out of the six geographical regions tracked by NTT Security. The attacks have involved ransomware, industrial espionage, sabotage and data theft. Even though cyberattacks on manufacturing firms have increased sharply, 37% of firms in the sector have yet to develop an incident response plan.
Flash Continues to Cause Security Headaches for Businesses
Unpatched vulnerabilities continue to cause headaches for businesses, with Adobe Flash the main culprit. Adobe will finally retire Flash in 2020, but until then, it remains something of a liability. 98% of vulnerabilities corrected by Adobe were in Flash, and in Q2, an Adobe Flash vulnerability was the most commonly exploited. The Adobe Flash remote code execution vulnerability CVE-2016-4116 was exploited in 57% of vulnerability exploitation attacks.
The message to businesses is clear. If Adobe Flash is not essential it should be disabled or uninstalled. If it is necessary, it is essential that patches are applied as soon as humanly possible. NTT Security notes that attacks increase exponentially once proof-of-concept code is published.
Increase in Use of Phishing Emails for Malware Delivery
The NTT Security report shows 67% of malware attacks on organizations were the result of phishing emails. The NTT Security report ties in with the findings of a recent threat report issued by Symantec, which showed that malware emails were at now at the highest levels seen this year.
The use of phishing emails to deliver malware is understandable. The emails target employees – a weak link in most organizations’ defenses. Phishing emails take just a few minutes to craft and can be sent in large volumes quickly and easily. The phishing scams are also highly effective, taking advantages of flaws in human nature.
Many organizations are still only providing annual security awareness training, rather than regular refresher training sessions, ongoing CBT courses and monthly bulletins detailing the new threats. Ineffective spam filtering also results in more messages reaching end users’ inboxes, increasing the chance of one of those emails being opened and malware being downloaded.
Improving defenses against phishing is now critical, yet many organizations are failing to appreciate how serious the threat from phishing really is. The volume of malware infections now occurring via phishing emails should be a wakeup call for organizations.
Technical solutions such as advanced spam filters, link blocking technology such as web filters and employee security awareness training should all now feature in organizations’ cybersecurity defenses.
Ransomware attacks on small businesses can be devastating. Many small businesses have little spare capital and certainly not enough to be handing out cash to cybercriminals, let alone enough to cover the cost of loss of business while systems are taken out of action. Many small businesses are one ransomware attack away from total disaster. One attack and they may have to permanently shut their doors.
A recent research study commissioned by Malwarebytes – conducted by Osterman Research – has highlighted the devastating effect of ransomware attacks on small businesses.
1,054 businesses with fewer than 1,000 employees were surveyed and asked about the number of ransomware attacks they had experienced, the cost of mitigating those attacks and the impact of the ransomware attacks on their business.
Anyone following the news should be aware of the increase in ransomware attacks. Barely a week goes by without a major attack being announced. The latest study has confirmed the frequency of attacks has increased. More than one third of companies that took part in the survey revealed they had experienced at least one ransomware attack in the past 12 months.
22% of Small Businesses Shut Down Operations Immediately Following a Ransomware Attack
The survey also showed the devastating impact of ransomware attacks on small businesses. More than one fifth of small businesses were forced to cease operations immediately after an attack. 22% of businesses were forced to close their businesses.
Those companies able to weather the storm incurred significant costs. 15% of companies lost revenue as a result of having their systems and data locked by ransomware and one in six companies experienced downtime in excess of 25 hours. Some businesses said their systems were taken out of action for more than 100 hours.
Paying a ransom is no guarantee that systems can be brought back online quickly. Each computer affected requires its own security key. Those keys must be used carefully. A mistake could see data locked forever. A ransomware attack involving multiple devices could take several days to resolve. Forensic investigations must also be conducted to ensure all traces of the ransomware have been removed and no backdoors have been installed. That can be a long-winded, painstaking process.
Multiple-device attacks are becoming more common. WannaCry-style ransomware attacks that incorporate a worm component see infections spread rapidly across a network. However, many ransomware variants can scan neworks and self-replicate. One third of companies that experienced attack, said it spread to other devices and 2% said all devices had been encrypted.
Can Ransomware Attacks on Small Businesses be Prevented?
Can ransomware attacks on small businesses be prevented? Confidence appears to be low. Almost half of respondents were only moderately confident they could prevent a ransomware attack on their business. Even though a third of businesses had ‘anti-ransomware’ defenses in place, one third still experienced attacks.
Unfortunately, there is no single solution that can prevent ransomware attacks on small businesses. What organizations must do is employ multi-layered defenses, although that can be a major challenge, especially with limited resources.
A risk assessment is a good place to start. Organizations need to look at their defenses critically and assess their infrastructure for potential vulnerabilities that could be exploited.
Improving Defenses Against Ransomware
Ransomware attacks on small businesses usually occur via email with employees targeted using phishing emails. Organizations should consider implementing a spam filtering solution to reduce the number of malicious emails that reach inboxes.
Some emails will inevitably slip past these defenses, so it is important for staff to be security aware. Security awareness training should be ongoing and should involve phishing simulations to find out how effective training has been and to single out employees that need further training.
While ransomware can arrive as an attachment, it is usually downloaded via scripts of when users visit malicious websites. By blocking links and preventing end users from visiting malicious sites, ransomware downloads can be blocked. A web filtering solution can be used to block malicious links and sites.
Anti-virus solutions should be kept up to date, although traditional signature-based detection technology is not as effective as it once was. Alone, anti-virus software will not offer sufficient levels of protection.
As was clearly shown by the WannaCry and NotPetya attacks, malware can be installed without any user interaction if systems are not configured correctly and patches and software updates are not applied promptly. Sign up to alerts and regularly check for updated software and don’t delay patching computers.
A ransomware attack need not be devastating. If organizations back up their data to the cloud, on a portable (unplugged) local storage device and have a copy of data off site, in the event of an attack, data will not be lost.
A new survey from CSO shows ransomware and phishing attacks in 2017 have increased, although companies have reported a decline in the number of cyber incidents experienced over the past year. While it is certainly good news that organizations are experiencing fewer cyberattacks, the report suggests that the severity of the attacks has increased and more organizations have reported suffering losses as a result of security incidents.
CSO conducted the annual U.S State of Cybercrime survey on 510 respondents, 70% of whom were at the vice president level or higher. Companies had an average IT security budget of $11 million.
This year’s report suggests organizations are struggling to keep up with the number of patches and software upgrades now being issued, although the consequences of the delays have been clearly shown this year with the NotPetya and WannaCry attacks. The failure to patch promptly has seen many organizations attacked, with some companies still struggling to recover. Nuance Communications was badly affected by NotPetya, and a month after the attacks, only 75% of its customers have regained access to its services. TNT also suffered extensive disruption to services in the weeks following the attacks, although these are just two companies out of many to experience extended disruption.
IT security budgets have increased by an average of 7.5% year over year with 10% of companies saying they have increased IT security spending by 20% or more in the past 12 months. While new technologies are taking up the bulk of the new budgets, organizations are also investing in audits and knowledge assessments, information sharing, redeveloping their cybersecurity strategy, policies and processes and are adding new skills. 67% of respondents said they have now expanded their security capabilities in include mobile devices, the cloud and IoT.
Even though the threat of attack is severe, many companies still believe a cyber response plan should not be part of their cybersecurity strategy, although acceptance that cyberattacks will occur has seen 19% of respondents plan to implement a response strategy in the next 12 months.
Even though there was a fall in the number of security incidents, losses experienced as a result of those attacks have remained constant or have increased over the past 12 months for 68% of respondents. Only 30% of companies said they had experienced no losses as a result of security incidents, down 6 percentage points from last year.
More CSOs and CISOs are now reporting directly to the board on a monthly basis, up 17% since last year. However, as was also confirmed by a recent survey conducted by KPMG, many boards still view cybersecurity as an IT issue – The CSO survey suggests 61% of boards believe cybersecurity is a concern of the IT department not a matter for the board, a drop of just two percentage points since last year.
Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.
The increase in ransomware and phishing attacks in 2017 highlights the need for security awareness training for employees and an improvement to spam filtering controls. Organizations need to ensure they have sufficient staffing levels to ensure patches are applied promptly, while investment in people must improve to ensure they have the skills, resources and training to respond to the latest threats. Boards must also appreciate that cybersecurity is not just a matter for IT departments, and the CSO survey shows that too much faith is being placed in cybersecurity protections. Currently only 53% of companies are testing the effectiveness of their security programs.
A U.S senator is urging the Department of Homeland Security and other federal agencies to adopt DMARC to prevent impersonation attacks via email. Over the past few months, several government agencies have been targeted by phishers who have used government domains to send huge numbers of spam emails.
The emails appear legitimate as they have been sent from government-owned domains, and while the text in the emails often contains clues to suggest the emails are not genuine, the official domain adds sufficient authenticity to see many email recipients fooled.
The use of official domains by phishers is nothing new of course, but government-owned domains should be protected to prevent them being used in phishing campaigns. The problem is that in the vast majority of cases, insufficient controls have been implemented to prevent impersonation attacks.
Sen. Ron Wyden (D-Oregon) wrote to the Department of Homeland Security voicing his concerns about the problem, and specifically, the failure of federal agencies – including DHS – to use the Domain-based Message Authentication Reporting and Conformance (DMARC) standard.
DMARC is a proven tool that can help to prevent impersonation attacks via email by allowing email recipients to verify the sender of an email. If DMARC is used, it is possible to determine whether the emails have genuinely been sent from federal agencies or if they have been sent by a third party unauthorized to use the domain. In short, it will prevent impersonation attacks and protect consumers. If DMARC was used, it would make it much harder for government agencies to be impersonated.
The standard is recommended by the National Institute of Standards & Technology (NIST) as well as the Federal Trade Commission (FTC). DMARC has also recently been adopted in the UK by the British government with hugely positive results. Since DMARC has been implemented, the UK Tax agency alone has reduced impersonation attacks to the tune of 300 million messages in a single year.
The UK’s National Cyber Security Center (NCSC) has also created a central system where it processes all of the DMARC reports from all government agencies to monitor impersonation attacks across all government departments
Currently the Department of Homeland Security does not use DMARC and it is not used on the majority of government owned domains. The U.S. government owns approximately 1,300 domains, yet DMARC is only used on an estimated 2% of those domains.
Impersonation attacks are on the rise and numerous government agencies have been impersonated in recent months including the Department of Health and Human Services, the IRS and even the Defense Security Service – part of the U.S. Department of Defense.
Sen. Wyden suggests the Department of Homeland Security should immediately adopt DMARC and mandate its use across all federal agencies. DHS already scans other federal agencies for vulnerabilities under the Cyber Hygiene program. Sen. Wyden says DMARC scanning should be incorporated into that program. As in the UK, Sen. Wyden suggests a central repository should be created for all DMARC reports by the General Services Administration (GSA) to give DHA visibility into impersonation attacks across all federal agencies.
You’ve secured the network perimeter, installed a spam filter, trained your employees to recognize phishing emails and have an intrusion detection system in place, but are you deprovisioning former employees to prevent data theft? According to a new report from OneLogin, 58% of companies are lax when it comes to blocking network access when employees leave the company.
For the study, 600 IT professionals with responsibility or partial responsibility for security decisions about hardware, software or cloud services were interviewed. When asked about the time delay between employees leaving the company and their accounts being deactivated, 58% said that it takes more than a day for that to happen and a quarter said it takes more than a week. 28% of respondents said deprovisioning former employees takes a month or longer.
48% of respondents said they were aware that former employees still had access to applications after they had left the company and 44% said they were not confident that deprovisioning former employees had actually occurred.
Even though there is a significant time delay involved in blocking access for former employees, only four out of ten organizations are using a security information and event management solution (SIEM). A SIEM would allow them to monitor app usage by former employees and would alert them if systems were still being accessed, yet only 45% of respondents said they used such a solution.
Organizations are taking a big risk by not ensuring accounts are deactivated before employees walk through the door for the final time. The study revealed that the risk is considerable. When asked if they had suffered data breaches due to former employees, 24% said they had.
Deprovisioning employees is time consuming, especially when they have been employed for a long time and have access to many business applications and networks. 92% of respondents said it takes up to an hour to deprovision employees and many must complete the process manually. Time may be pressed, but failing to block access promptly is a data breach waiting to happen.
Trump Hotels has announced that guests at some of its hotels have been impacted by the Sabre Hospitality Solutions data breach and have had their credit/debit card details stolen. Sabre Hospitality Solutions provides the hotel reservation system used at certain Trump Hotels, and it was this system that was compromised not the systems used at Trump Hotels. Sabre’s system is used by more than 32,000 hotels and lodging establishments around the world.
Attackers gained access to the Sabre SynXis Central Reservations system (CRS) which is used by hotels and travel agencies to make hotel bookings. Sabre discovered the breach on June 5, 2017, with the attacker understood to have obtained account credentials that enabled access to the CRS and the payment card data processed through the system.
The data breach affected 13 Trump Hotels (Central Park, Chicago, Doonbeg, Doral, Las Vegas, Panama, Soho, Toronto, Turnberry, Vancouver, Waikiki, DC, Rio de Janeiro) and the Albemarle Estate. Each hotel was affected at a different time and for a different duration, with the first instance occurring on August 10, 2016. The last data access was on March 9, 2017. The hotel reservation system was compromised at most of the affected hotels for a few days up to three weeks in November 2016, with the exception of Trump Las Vegas, Trump Panama, and Trump DC, which saw systems compromised for around four months.
When the Sabre Hospitality Solutions data breach was detected, the company contracted cybersecurity firm Mandiant to conduct a forensic analysis to determine how the breach occurred, which hotels were affected and to ensure that access to its systems was blocked. Sabre reports that after March 9, 2017, no further unauthorized access to its system has occurred.
During the time that access to data was possible, the attackers were able to obtain the names of card holders, card numbers, expiration dates and in some cases, CVV codes. Other information potentially accessed includes guests’ names, addresses, phone numbers and potentially other information, although not Social Security numbers or driver’s licenses.
The Sabre Hospitality Solutions data breach affected many organizations, with Google recently announcing that some of its employees have had information exposed. In the case of Google, it was a travel agency – Carlson Wagonlit Travel (CWT) – that was affected. CWT was one of the companies used by Google to book hotels for its staff.
The hospitality industry has been hit with numerous POS system breaches over the past few years. The industry is an attractive target for cybercriminals. Most hotel bookings are made with credit and debit cards, cybersecurity protections are often poor and once access is gained to the systems it can be months before a data breach is detected.
A variety of attack vectors are used, although login credentials are commonly stolen in phishing attacks. Phishing emails are sent to company employees and social engineering tricks are used to convince those employees to disclose their login credentials or open malicious email attachments that install malware.
Email security solutions that prevent spam emails from being delivered to end users’ inboxes offer protection against phishing attacks. As an additional precaution, security awareness training should be provided to all hotel employees who have access to corporate email accounts.
With SpamTitan installed, hotel chains are well protected from phishing attacks. SpamTitan blocks more than 99.9% of spam emails, adding an important layer of protection for hotels to prevent data breaches.
Phishing and social engineering attacks are the biggest cyber risks faced by organizations. Not only are attacks on the rise, they are becoming more sophisticated. The increase in attacks and cost of mitigating cyber incidents is having a major negative impact on businesses.
Organizations can tackle the problem of phishing and social engineering by implementing technologies that preventing phishing emails from reaching end users’ inboxes and ensuring employees know how to identify threats and response when a malicious email arrives in their inbox.
One of the most effective ways of blocking these phishing and social engineering attacks is implementing an advanced spam filtering solution. SpamTitan blocks more than 99.9% of email spam and uses two antivirus engines to identify and block emails with malicious attachments.
Many organizations provide security training to their employees and teach them to be more security aware, although a new report from the Business Continuity Institute calls for businesses to do more in this regard. In order to tackle phishing and improve resilience to attacks BCI says user education needs to improve.
A one-off training program as part of an employee’s induction is no longer sufficient. Training should be an ongoing process with regular refresher training sessions provided throughout the year. Phishing simulation exercises are also highly beneficial for reinforcing training and gauging how effective training has been.
However, the study suggests only 52% of companies conduct awareness-raising seminars and just 55% conduct regular exercises on likely cybersecurity scenarios. Only 46% run desktop exercises such as attack simulations.
The BCI study confirmed just how often phishing and social engineering attacks result in cyber incidents. The report shows that 57% of cyber incidents involve phishing or social engineering emails. Malware is responsible for 41% of cyber disruptions, with spear phishing emails accounting for 30% of attacks. Ransomware has grown into a major issue in recent months and is behind 19% of cyber disruptions.
The survey was conducted on 734 individuals from 69 countries. Two thirds of respondents had experienced a cybersecurity incident in the past 12 months with 15% saying they had experienced 10 or more disruptions in the past year. 5% said they experienced between 11 and 20 incidents in the past 12 months, a further 5% experienced between 21 and 50 incidents and 5% said they experienced 51 or more incidents. Responding to these incidents takes up valuable time. 67% of attacks take more than an hour to resolve with 16% taking more than four hours.
These incidents are costing businesses dearly. 33% of organizations said the cost of those attacks exceeded €50,000, while 13% of respondents said they had spent over €250,000 remediating attacks. It should be noted that 40% of respondents that took part in the survey were from SMEs with an annual turnover of less than €1 million.
Cybercriminals are only likely to increase their efforts and conduct more phishing and social engineering attacks. It is therefore essential for businesses to have a high commitment to cyber resilience and to do more to improve cybersecurity defenses. The survey suggests only 60% of senior management are committed to improving their defenses, so there is still plenty of room for improvement.
NotPetya ransomware attacks have spread globally, with the latest figures from Microsoft suggesting there are now more than 12,500 reported victims spread across 65 countries. The attacks first started to be reported on Tuesday morning with companies in the Ukraine hit particularly hard.
At first it appeared that the attacks involved Petya ransomware, although it has since been confirmed that this is a new ransomware variant. The ransomware has already attracted a variety of names such as GoldenEye, SortaPetya, ExPetr, and NotPetya. We shall use the latter.
Security researchers believe the NotPetya ransomware attacks started in Ukraine. The first attacks occurred the day before a national holiday – a common time to launch an attack. IT staff were unlikely to be working, so the probability of the attacks being halted before the ransomware was allowed to run would be increased.
The NotPetya ransomware attacks have been discovered to have occurred via a variety of vectors. Ukraine was hit particularly hard, which suggested a country-specific attack vector. Some security researchers have suggested the first attacks occurred via a Ukrainian accounting package called M.E. Doc, with the attackers managing to compromise a software update. M.E.Doc hinted that this may be the case initially, but later denied they were the cause of the attack. If it is true that a software update was involved, it would not be the first time M.E.Doc was attacked. A similar ransomware attack occurred via M.E.Doc software updates in May.
However, that is only one potential attack vector used in the NotPetya ransomware attacks. It has been confirmed that the attackers are also using two NSA exploits that were released by Shadow Brokers in April. As was the case with the WannaCry ransomware attacks, the EternalBlue exploit is being used. The latest attacks are also using another exploit released at the same time called EternalRomance.
In contrast to the WannaCry ransomware attacks last month, the exploits used in the NotPetya ransomware attacks only scan for vulnerable devices on local networks, not via the Internet.
Both exploits will not work if computers have already been patched with MS17-010 released by Microsoft in March. Following the WannaCry attacks, Microsoft also issued a patch for older, unsupported Windows versions to prevent further ransomware attacks.
However, patching would not necessarily have prevented infection. In contrast to WannaCry, NotPetya ransomware attacks have been reported by companies that have patched their computers. Security researchers have confirmed that all it takes for infection to occur is for one computer to have been missed when applying the patches. That allows the attackers to attack that machine, and also any other machines connected to the local network, even if the patch has been applied.
The attacks also appear to be occurring via phishing emails containing malicious Microsoft Office documents. As has been the case with many other ransomware attacks, the failure to implement spam defenses can result in infection. The use of an advanced spam filter such as SpamTitan offers excellent protection against email-based ransomware attacks, preventing those emails from reaching end users’ inboxes.
Upon infection, the ransomware waits one hour before executing and forcing a reboot. When the computer restarts, the ransom note appears. The ransom demand is for $300 per infected machine. In contrast to the majority of ransomware variants, NotPetya does not encrypt files. Instead it replaces the Master File Table (MFT). Since the MFT shows the computer where files are located on the hard drive, without it files cannot be found. Files are not encrypted, but they still cannot be accessed.
Preventing ransomware attacks such as this requires regular patching to address vulnerabilities and anti-spam solutions to prevent malicious emails from being delivered.
Fortunately, NotPetya ransomware attacks can be blocked. Cybereason security researcher Amit Serber has found a way to vaccinate computers against this specific ransomware variant. He suggests IT teams “Create a file called perfc in the C:\Windows folder and make it read only.” This method has been confirmed as effective by other security researchers, although it will not work if infection has already occurred.
Unfortunately, recovery following an attack may not be possible if infected computers cannot be restored from backups. Kaspersky Lab reports there is a flaw in the ransomware saying, “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.” Further, the email account used by the attacker to verify ransom payments has been shut down by a German email provider.
A $1 million ransom payment has been made to cybercriminals who used Erebus ransomware to attack the South Korean web hosting firm Nayana.
Erebus ransomware was first detected in September last year and was downloaded via websites hosting the Rig exploit kit. Traffic was directed to the malicious website hosting the Rig EK via malvertising campaigns. Vulnerable computers then had Erebus ransomware downloaded. This Erebus ransomware attack is unlikely to have occurred the same way. Trend Micro suggests the attackers leveraged vulnerabilities on the comapny’s Linux servers, used a local exploit or both.
The infection spread to all 153 Linux servers used by Nayana. Those servers hosted the websites of 3,400 businesses. All of the firm’s customers appear to have been affected, with website files and databases encrypted.
Nayana was attacked on June 10, 2017 in the early hours. The hosting company responded rapidly. Law enforcement was contacted and it was initially hoped that it would be possible to crack the ransomware and decrypt files without paying the ransom. It soon became clear that was not an option.
Companies can avoid paying ransom payments following ransomware attacks by ensuring backups are made of all data. Having multiple backups increases the likelihood of files being recoverable. In this case, Nayana had an internal and external backup; however, both of those backups were also encrypted in the attack. Nayana therefore had no alternative but to negotiate with the attackers.
While ransom payments for businesses are often in the $10,000 to $25,000 price bracket, the gang behind this attack demanded an astonishing 550 Bitcoin for the keys to unlock the encryption – Approximately $1.62 million. On June 14, Nayana reported that it had negotiated a ransom payment of 397.6 Bitcoin – Approximately $1.01 million, making this the largest ransomware ransom payment reported to date.
That payment is being made in three instalments, with keys supplied to restore files on the servers in batches. When one batch of servers was successfully recovered, the second ransom payment was made. Nayana said that the recovery process would take approximately 2 weeks for each of the three batches of servers, resulting in considerable downtime for the company’s business customers. Nayana experienced some problems restoring databases but says it is now paying the final payment.
This incident shows how costly ransomware resolution can be and highlights how important it is to ensure that operating systems and software are updated regularly. Patches should be applied promptly to address vulnerabilities before they can be exploited by cybercriminals.
Simply having a backup is no guarantee that files can be recovered. If the backup device is connected to a networked machine when a ransomware attack occurs, backup files can also be encrypted. This is why it is essential for organizations to ensure one backup is always offline. It is also wise to segment networks to limit the damage caused by a ransomware attack. If ransomware is installed, only part of the network will be affected.
A recent Southern Oregon University phishing attack has clearly demonstrated why so many cybercriminals have chosen phishing as their main source of income.
Hacking an organization takes considerable planning and effort, typically requiring many hours of hard work and a considerable amount of skill. Phishing on the other hand is easy by comparison, requiring little work. Furthermore, the potential profits from phishing can be considerable.
The Southern Oregon University Phishing Attack Required a Single Email
The Southern Oregon University phishing attack involved a single phishing email. The attackers impersonated a construction company – Andersen Construction – that was building a pavilion and student recreation center at the University.
The attackers spoofed the email address of the construction firm and requested all future payments be directed to a different bank account. The university then wired the next payment to the new account in April. The payment was for $1.9 million.
The university discovered the construction firm had not received the funds three days later. The FBI was contacted as soon as the fraud was discovered and efforts are continuing to recover the funds. The university reports that the attackers have not withdrawn all of the funds from their account, although a sizeable chunk is missing. Joe Mosley, a spokesperson for SOU said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”
In order to pull off a scam such as this, the attackers would need to know that the construction project was taking place and the name of the firm. Such information is not hard to find and universities often have construction projects taking place.
These attacks are known as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email to a vendor. It is not clear whether the vendors email account had been hacked, but that step may not be required to pull off a phishing attack such as this.
Rise in BEC Attacks Prompts FBI Warning to Universities
In this case, the payment was substantial but it is far from an isolated incident. Last month, the FBI released a public service announcement warning universities of attacks such as this.
The FBI warned that access to a construction firm’s email account is not necessary. All that is required is for the scammer to purchase a similar domain to the one used by the firm. Accounts department employees may check the email address and not notice that there is a letter different.
By the time the university discovered a payment has not been received, the funds have already been cleared from the scammer’s account and cannot be recovered. Payments are commonly of the order of several hundred thousand dollars.
The FBI informed SOU that there have been 78 such attacks in the past year, some of which have been conducted on universities. However, all organizations are at risk from these BEC scams.
The Southern Oregon University phishing attack shows just how easy it can be for scammers to pull off a BEC attack. Protecting against this time of scam requires employees to be vigilant and to exercise extreme caution when requests are made to change bank accounts. Such a request should always be verified by a means other than email. A telephone call to the construction firm could easily have stopped this scam before any transfer was made.
Microsoft took the decision to issue emergency Windows XP updates to prevent exploitation of the Windows Server Message Block (SMB) vulnerability used to infect worldwide computers with ransomware on May 12, 2017.
The move came as a surprise since the operating system is no longer supported. Extended support came to an end on April 8, 2014. Yesterday, saw further Microsoft Windows XP updates released. The patches prevent further flaws in the operating system from being exploited by cybercriminals in WannaCry ransomware-style attacks.
Microsoft’s Cyber Defense Operations Center head, Adrienne Hall, said “Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”
In total, nearly 100 vulnerabilities were patched this Patch Tuesday, including 18 critical flaws that can be remotely exploited by cybercriminals to take full control of vulnerable systems. In some cases, as was the case with the WannaCry ransomware attacks, no user interaction is required for the flaws to be exploited.
One of the flaws – tracked as CVE-2017-8543 – similarly affects the Windows Server Message Block service. Microsoft says CVE-2017-8543 is being actively exploited in the wild, with Windows Server 2008, 2012, and 2016 all affected as well as more recent versions of Windows – v7, 8.1 and Windows 10. It is this flaw that has been patched for Windows Server 2003 and Windows XP. As was the case on May 12, once the attackers infect one device, they can search for other vulnerable devices. Infection can spread incredibly quickly to many other networked devices.
Some security experts have criticized Microsoft for issuing yet more Windows XP updates, arguing that this sends a message to users of outdated operating systems that it is OK not to upgrade the OS. Windows XP has many unpatched flaws, but the recent Windows XP updates suggest that if a particularly serious vulnerability is discovered that is being actively exploited, patches will be issued.
While Microsoft Windows XP updates have been released, this should not be taken as signaling a change in Microsoft’s standard servicing policies. Further patches may not be released for unsupported Windows versions, so organizations should not delay upgrading their OS. Microsoft’s general manager of its Security Response Center, Eric Doerr, said “The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”
In total, there were 95 updates issued this patch Tuesday. Like CVE-2017-8543, a LNK remote code execution vulnerability (CVE-2017-8464) is also being exploited in the wild.
The latest round of updates also includes a patch for a serious flaw in Microsoft Outlook (CVE-2017-8507). Typically, in order to exploit vulnerabilities an end user would be required to open a specially crafted email attachment. However, if an attacker were to send a specially crafted message to an Outlook user, simply viewing the message would allow the attacker to take full control of the machine.
Adobe has also issued a slew of updates to address 21 vulnerabilities spread across four products (Flash, Shockwave Player, Captivate and Adobe Digital editions). 15 of those vulnerabilities have been marked as critical and would allow remote code execution.
As the WannaCry ransomware attacks clearly showed, the failure to apply patches promptly leaves the door wide open to cybercriminals. These updates should therefore not be delayed, especially since two of the flaws are being actively exploited.