Internet Security
Our Internet security section covers a wide range of topics including the latest online threats such as new phishing scams, changes in exploit kit activity, and up to date information on new malware and ransomware variants and social media scams.
Here you will find articles on data breaches, together with the causes of attacks and potential mitigations to reduce the risk of similar incidents occurring at your organization. Lessons can be learned from attacks on other organizations and threat intelligence can help security teams prepare for impending cyberattacks.
This section also contains news on the latest remote code execution vulnerabilities and zero day exploits that are being used to gain access to business networks, such as the network worm attacks that were used to spread WannaCry ransomware around the globe in May 2017.
In addition to mitigations – such as news of patches and software upgrades – articles are included to help organizations improve Internet security. Employees are a weak link in security defenses and frequently download malware or engage in risky behavior that could result in a network compromise. This section includes information that can be used by organizations to reduce the risk of employees inadvertently downloading malicious software or disclosing their credentials on phishing websites, turning them from liabilities into security assets.
by G Hunt |
March 31, 2025 |
Internet Security, Phishing & Email Spam, Security Awareness
RansomHub is one of the most prolific ransomware-as-a-service (RaaS) groups now that the ALPHV/BlackCat operation has shut down and the LockBit operation has been hit with successive law enforcement actions. RansomHub engages in double extortion tactics, exfiltrating sensitive data from victims’ networks and encrypting files. Victims must pay to obtain the keys to decrypt their data and to prevent the publication of the stolen data on the RansomHub data leak site. Since emerging in early 2024, the group has conducted more than 200 attacks.
As a RaaS operation, RansomHub uses affiliates to conduct attacks in exchange for a percentage of any ransom payments they generate. The affiliates each have their specialties for breaching victims’ systems, including phishing, remote desktop protocol attacks, and the exploitation of unpatched vulnerabilities. Now, a new tactic is being used – The group is using the SocGholish malware-as-a-service (MaaS) framework for initial access, especially in attacks on the government sector.
SocGholish, also known as FakeUpdates, uses an obfuscated JavaScript loader that is primarily delivered via compromised legitimate websites. After compromising a website, malicious scripts are added that redirect users to webpages that display browser update notifications. These sites use social engineering to trick visitors into downloading a browser update, as they are told that their browser has a security issue or is not functioning correctly. If the user agrees, they download a zip file that contains a JavaScript file. If that file is executed, SocGholish malware is installed.
SocGholish is a malware downloader that provides initial access to a victim’s network. The malware has been used to deliver a wide range of payloads, including AZORult, Gootloader, NetSupport, and Dridex. SocGholish has also previously been used to deliver DoppelPaymer ransomware, and now RansomHub ransomware. In the case of RansomHub, the group deploys Python-based backdoor components for RansomHub affiliates to use for initial access.
Preventing SocGholish infections is critical to preventing RansomHub ransomware attacks; however, prevention requires a defense-in-depth approach. Traffic to the compromised websites can come from emails that include embedded hyperlinks, malvertising, SEO poisoning, and links to compromised websites are also delivered to users via Google Alerts. The webpages that host the fake browser updates filter traffic, blocking access by sandboxes, which can make detection difficult.
The best approach is to use an advanced anti-spam software such as SpamTitan to block malicious emails. In the last quarterly round of testing at VirusBulletin, SpamTitan, a cloud-based antispam service from TitanHQ, ranked #1 for malware detection, phishing detection and spam blocking with a 0% false positive rate, and in the February 2025 tests, achieved a perfect score blocking 100% of malware, phishing, and spam emails. The high detection rate is due to extensive front-end tests, email sandboxing, and machine learning.
A web filter adds an important layer of protection by scanning websites for malicious content and blocking access to known malicious websites. The WebTitan DNS filter is fed extensive threat intelligence to block access to known compromised webpages, can filter websites by category, and can be configured to block downloads of executable files from the Internet. Security awareness training is vital for creating a human firewall. Employees should be informed about the risks of interacting with security warnings on the Internet, and taught how to identify phishing attempts and be instructed on security best practices. The SafeTitan security awareness training platform and phishing simulator platform make creating and automating training courses and phishing simulations a quick and easy process.
by G Hunt |
November 30, 2024 |
Internet Security, Phishing & Email Spam
Holiday season officially started the day after Thanksgiving in the United States, or Black Friday as it is now known. Taking its name from a term used by police officers in Philadelphia to describe the chaos in the city caused by the deluge of suburban shoppers heading to the city to do their holiday shopping, it has become a day when retailers offer bargains to entice the public to buy their goods and services. While the jury is still out on how good many of those bargains are, the consensus is that there are bargains to be found in stores and online, with the official day for the latter being the Monday after Black Friday – Cyber Monday.
The holiday season for shoppers is boom time for cybercriminals who take advantage of the increase in online shoppers looking to buy gifts for Christmas and pick up a bargain of two. Many people time major purchases to take advantage of Black Friday and Cyber Monday offers and cybercriminals are poised to pounce on the unwary. The losses to scams over the holiday period are staggering. According to the Federal Bureau of Investigation (FBI), more than $73 million was lost to holiday season scams in 2022; however, the true total is likely to be considerably higher since many losses go unreported. Those figures do not include the losses to phishing, malware, ransomware, BEC attacks, and other cyberattacks that occur over the holiday period. For instance, the surge in ransomware attacks over Thanksgiving weekend and Christmas when the IT staff is spread thin.
Given the heightened risk of scams and cyberattacks over the holiday season, consumers should be on their guard and take extra care online and ensure that vendors are legitimate before handing over their card details and double-checking the legitimacy of any email requests. While consumers face elevated risks during the holiday season, so do businesses. There are end-of-year deadlines to meet and it’s a short month with many workers taking annual leave over Christmas and the New Year. As the year draws to a close it is common for vigilance to slip, and threat actors are ready to take advantage. Businesses need to ensure that their defenses are up to scratch, especially against phishing – the most common initial access vector in cyberattacks – as a slip in vigilance can easily lead to a costly cyberattack.
Businesses can take several proactive steps to ensure they are protected against holiday season cyber threats, and conducting a security awareness training session is a good place to start. Employees should be reminded about the increase in malicious cyber activity over the holiday period and be reminded about the risks they may encounter online, via email, SMS, instant messaging services, and the phone. With TitanHQ’s SafeTitan security awareness training platform, it is easy to spin up training courses for employees to remind them to be vigilant and warn them about seasonal and other cyber threats. The training platform makes it quick and easy to create and automate training courses, with the training delivered in modules of no more than 10 minutes to ensure employees can maintain concentration and fit the training into their workflows. The SafeTitan platform also incorporates a phishing simulator, which businesses can use to reinforce training and identify individuals who are fooled by phishing scams and ensure they receive the additional training they need.
Due to the high risk of phishing attacks, it is a good idea to implement an advanced spam filter service, one that reliably identifies and neutralizes phishing and business email compromise attempts and provides cutting-edge protection against malware. You need look no further than SpamTitan for that protection. SpamTitan incorporates machine learning and AI-based detection capabilities for detecting phishing, BEC, and scam emails, and dual antivirus engines and email sandboxing for detecting malware threats, including novel malware variants. In Q3, VirusBulletin’s tests of SpamTitan confirmed a phishing detection rate of 99.99% and a malware catch rate of 99.511%. The interim figures for November 2024 are a 100% phishing catch rate and a 100% malware catch rate, demonstrating the reliability of TitanHQ’s cloud-based email filtering solution.
TitanHQ also offers online protection through the WebTitan DNS filter, which prevents access to known malicious websites, blocks malware downloads from the Internet, and can be used to control the web content employees can access, providing an important extra layer of security against web-based threats. At TitanHQ we hope you have a happy holiday period and above all else that you are well protected against cyber threats. Give the team a call today to find out more about how we can help protect your business this holiday season and beyond.
by G Hunt |
October 30, 2024 |
Internet Security
A new malvertising campaign has been identified that abuses the Meta advertising platform to deliver an information stealer malware variant called SYS01 Stealer. Similar to other malvertising campaigns, popular brands are impersonated to trick users into downloading the information stealer in the belief they are installing legitimate software. In this campaign, the impersonated brands include popular software tools that are commonly used by businesses, including the video and imaging editing tools CapCut, Adobe Photoshop, and Canva, as well as productivity tools such as Office 365, instant messaging platforms such as Telegram, VPN providers such as Express VPN, and a host of other software products and services to ensure a wide reach, including video games and streaming services.
The adverts claim that these software solutions games and services are available free of charge, which is a red flag as the genuine products and services usually require a purchase or subscription. The advertisements are published via hijacked Facebook business accounts, which according to an analysis by Bitdefender, have been used to create thousands of ads on the platform, many of which remain active for months. If a user interacts with one of the adverts, they are directed to sites hosted on Google Sites or True Hosting. Those sites impersonate trusted brands and offer the application indicated in the initial ad. If the user is tricked and progresses to a download, a zip file is delivered that contains an executable file that sideloads a malicious DLL, which launches the infection process.
The DLL will run PowerShell commands that will prevent the malware from executing in sandboxes and will prepare the environment for the malware to be installed, including disabling security solutions to ensure the malware is not detected, and maintaining persistence ensured through scheduled tasks. Some identified samples include an Electron application with JavaScript code embedded that drops and executes the malware.
The cybercriminals behind the campaign respond to detections of the malware by security solutions and change the code when the malware starts to be blocked, with the new variant rapidly pushed out via Facebook ads. The information stealer primarily targets Facebook business accounts and steals credentials allowing those accounts to be hijacked. Personal data is stolen, and the accounts are used to launch more malicious ads. Since legitimate Facebook business accounts are used, the attackers can launch malicious ads at scale without arousing suspicion. This malvertising campaign stands out due to its scale, with around 100 malicious domains currently used for malware distribution and command and control operations.
Businesses should take steps to ensure they are protected by using a web filter to block the malicious domains used to distribute the malware, the Facebook site for employees, and to prevent malware downloads from the Internet. Since business Facebook accounts are targeted, it is important to ensure that 2-factor authentication is enabled in the event of credentials being compromised and business Facebook accounts should be monitored for unauthorized access. Business users should not install any software unless it comes from an official source, which should be reinforced through security awareness training.
TitanHQ has developed an easy-to-use web filter called WebTitan that is constantly updated with threat intelligence to block access to malicious sites as soon as they are discovered. WebTitan can be configured to block certain file downloads from the Internet by extension to reduce the risk of malware infections and control shadow IT, and WebTitan makes it easy for businesses to enhance productivity while improving security by blocking access to known distractions such as social media platforms and video streaming sites. WebTitan provides real-time protection against clicks in phishing emails by preventing a click from launching a malicious website and the solution can be used to protect all users on the network as well as off-network users on portable devices through the WebTitan on-the-go roaming agent. For more information about improving your defenses against malware delivered via the internet and malvertising campaigns, give the TitanHQ team a call today.
by G Hunt |
September 30, 2024 |
Internet Security, Network Security
Spear phishing attacks are being conducted by a cyber threat group working on behalf of Iran’s Islamic Revolutionary Guard Corps. The cyber threat actors have been gaining access to the personal and business accounts of targeted individuals to obtain information to support Iran’s information operations.
According to a joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), U.S. Cyber Command – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), and the United Kingdom’s National Cyber Security Centre (NCSC), the campaign has been targeting individuals with a nexus to Iranian and Middle Eastern affairs, including journalists, political activists, government officials, think tank personnel, and individuals associated with US political campaign activity.
Individuals are typically contacted via email or messaging platforms. As is common in spear phishing attacks, the cyber threat actors impersonate trusted contacts, who may be colleagues, associates, acquaintances, or family members. In some of the group’s attacks, they have impersonated known email service providers, well-known journalists seeking interviews, contacts offering invitations to conferences or embassy events, or individuals offering speaking engagements. There have been instances where an individual is impersonated who is seeking foreign policy discussions and opinions.
In contrast to standard phishing attacks where the victim is sent a malicious email attachment or link to a phishing website in the initial email, more effort is put into building a rapport with the victim to make them believe they are engaging with the person the scammer is impersonating. There may be several exchanges via email or a messaging platform before the victim is sent a malicious link, which may be embedded in a shared document rather than being directly communicated via email or a messaging app.
If the link is clicked, the victim is directed to a fake email account login page where they are tricked into disclosing their credentials. If entered, the credentials are captured and used to login to the victim’s account. If the victim’s account is protected with multi-factor authentication, they may also be tricked into disclosing MFA codes. If access to the account is gained, the cyber threat actor can exfiltrate messages and attachments, set up email forwarding rules, delete or manipulate messages, and use the account to target other individuals of interest.
Spear phishing attempts are harder to identify than standard phishing attempts as greater effort is put in by the attackers, including personalizing the initial contact messages, engaging in conversations spanning several messages, and using highly plausible and carefully crafted lures. These emails may bypass standard spam filtering mechanisms since the emails are not sent in mass campaigns and the IP addresses and domains used may not have been added to blacklists.
It is important to have robust anti-phishing, anti-spam, and anti-spoofing solutions in place to increase protection and prevent these malicious emails from reaching their intended targets. An advanced spam filtering solution should be used that incorporates Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to identify spoofing and validate inbound emails. SpamTitan also incorporates machine learning and AI-based detection to help identify spear phishing attempts.
If you are a Microsoft 365 user, the anti-spam and anti-phishing mechanisms provided by Microsoft should be augmented with a third-party anti-phishing solution. PhishTitan can detect the spear phishing emails that Microsoft’s EOP and Defender often miss while adding a host of detection mechanisms and anti-phishing features including adding banners to emails from external sources.
One of the main defenses against these attacks is vigilance. An end-user security awareness training program should be implemented to improve awareness of spear phishing attacks. SafeTitan makes this as easy as possible and covers all possible attack scenarios, with training provided in short and easy-to-assimilate training modules. It is also important to conduct phishing simulations to raise and maintain awareness. These simulations can be especially effective at raising awareness about spear phishing emails and giving end users practice at identifying these threats.
Multifactor authentication should be enabled on all accounts, with phishing-resistant multi-factor authentication providing the highest degree of protection. IT teams should also consider prohibiting email forwarding rules from automatically forwarding emails to external addresses and conducting regular scans of the company email server to identify any custom rules that have been set up or changes to the configuration. Alerts should also be configured for any suspicious activity such as logins from foreign IP addresses.
by G Hunt |
June 19, 2024 |
Internet Security
Ascension, one of the largest private healthcare systems in the United States, fell victim to a ransomware attack on May 8, 2024, that forced systems offline, including patients’ medical records which were not fully restored for a month. The attack caused massive disruption, and without access to electronic health records, staff were forced to record patient information manually.
Patient care was seriously affected, with delays in diagnosis and treatment, and the lack of access to medical records resulted in medical errors. Without technology to perform routine safety checks, patient safety was put at risk. The investigation into the attack is still ongoing, but evidence has already been found that files containing sensitive data were stolen in the attack. The scale of the data breach has yet to be determined but for a healthcare system as large as Ascension, the breach could be considerable.
The ransomware attack occurred as a result of a simple error by a single employee, who was tricked into downloading a malicious file from the internet. That file provided the attackers with a foothold in the network, from where they were able to launch a devastating ransomware attack. Ascension said it has no reason to believe that the file download was a malicious act and is satisfied that it was an honest mistake by the employee. Sadly, it is the type of mistake that frequently results in ransomware attacks and costly data breaches.
Ascension has not disclosed how the file was downloaded, whether it was from general web browsing, malvertising that directed the employee to a malicious website, or if they clicked a link in a phishing email. Regardless of how the employee arrived at the malicious site, the attack could have been prevented with the right technology in place. It is possible to protect against all of the above-mentioned methods of malware delivery with a web filter. WebTitan from TitanHQ is a DNS-based web filter for businesses to prevent employees from visiting websites hosting malware and to block the web-based component of phishing attacks.
WebTitan is fed threat intelligence to provide real-time protection against malicious websites. As soon as a malicious website is detected, it is added to the database and all WebTitan users are prevented from visiting that URL. WebTitan categorizes and blocks around 60,000 malware and spyware domains each day and if an attempt is made to visit one of those URLs, whether it is via a link in an email, malvertising, or general web browsing, the attempt is blocked and the user is directed to a locally hosted block page.
WebTitan is updated constantly with vast click stream traffic from actively visited URLs from 500 million end users, and the data is used to categorize websites. WebTitan users can then place restrictions on 53 categories of websites that employees can visit on their work devices, eliminating risks from common sources of malware such as torrent and file-sharing sites for which there is no business reason for access. Further, as an additional protection against malware, WebTitan can be configured to block downloads of certain file types from the internet, such as executable files that are commonly used to deliver malware. For the majority of employees, there is rarely a business need to download executable files.
Malware is commonly delivered via email, either via attachments containing malicious scripts and macros or via embedded hyperlinks. It is important to have an advanced email security solution in place to block this method of malware delivery. SpamTitan is a cloud-based anti-spam service that protects against known malware using twin antivirus engines that scan attachments for the signatures of malware. To protect against novel malware threats, SpamTitan incorporates a Bitdefender-powered email sandbox, where suspicious messages are sent for deep inspection. An email sandbox is key to blocking malware threats and essential due to the volume of novel malware variants now being distributed.
While technological solutions are essential, it is also important to provide security awareness training to the workforce to improve awareness of cyber threats and teach security best practices. This is another area where TitanHQ can help. SafeTitan is a comprehensive security awareness training platform and phishing simulator that is proven to reduce susceptibility to phishing attacks that helps businesses develop a human firewall and combat the many threats that target employees.
For more information on improving your defenses against malware and phishing threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are also available on a free trial to allow you to put them to the test before making a purchase decision.
by G Hunt |
May 31, 2024 |
Internet Security
Downloading unofficial and pirated software from the Internet carries a significant risk of malware infections. Malware is often packaged with the installers or with the cracks/key generators that provide the serial keys or codes to activate the software.
Cybercriminals use a variety of methods for driving traffic to their malicious websites, including malicious Google Ads, adverts on other third-party ad networks, SEO poising to get their malicious sites appearing high in the search engine listings, and via torrent and warez sites. A warning has recently been issued about the latter by AhnLab Security Intelligence Center (ASEC).
The campaign identified by the researchers distributes Microsoft Office, Microsoft Windows, and the Hangul Word Processor. The pirated software is available through torrent sites and includes a professional-looking installer. The installer for Microsoft Office allows users to select the Office products they want to install in either the 32-bit or 64-bit version and select the language.
If the installer is run, the user will get the software they are looking for; however, in the background, a malware cocktail will be installed. The threat actor behind this campaign is distributing several different malware payloads, including coinminers, remote access trojans (RATs), downloaders, and anti-AV malware.
When the installer is run, an obfuscated .NET downloader is executed which connects to the attacker’s Telegram/Mastadon channels and obtains a Google Drive or GitHub URL from where Base64 encrypted strings are obtained. Those strings are decrypted on the device and are PowerShell commands. Task Scheduler is used to execute the PowerShell commands, which install the malware. The scheduled tasks also allow the threat actor to consistently install other malware variants on the infected device.
By using Task Scheduler, the threat actor can reinstall malware if it is detected and removed, and since an updater is installed, the PowerShell commands can change. Even if the initial URLs are blocked, others will be added to ensure malware can still be delivered.
Initially, the threat actor was installing the updater together with either the Orcus RAT or the XMRig cryptocurrency miner. Orcus RAT provides the threat actor with remote control of an infected device, and has keylogging capabilities, can take screenshots, access the webcam, and exfiltrate data. XMRig is configured to only run when it is unlikely to be detected and will quit when system resource usage is high.
In the latest campaign, the threat actor also installs 3Proxy, which allows abuse of the infected device as a proxy, PureCrypter for downloading and executing additional malware payloads, and AntiAV malware, which disables antivirus and other security software by modifying the configuration files.
While this campaign appears to be targeting users in South Korea, it clearly shows the risks of downloading pirated software. Due to the inclusion of the updater and the installation of PureCrypter, remediation is difficult. Further, new malware variants are being distributed every week to evade detection.
Employees often download software to make it easier for them to do their jobs, and Torrent sites are a common source of unauthorized software. Businesses should therefore implement policies that prohibit employees from downloading software that has not been authorized by the IT department and should also implement controls to prevent Torrent and other software distribution sites from being accessed.
With TitanHQ’s WebTitan DNS filter, blocking access to malicious and risky websites could not be simpler. Simply install the cloud-based web filter and configure the solution by using the checkboxes in the user interface to block access to these categories of websites. WebTitan is constantly updated with the latest threat intelligence to block access to known malicious websites, and it is also possible to block downloads of executable files from the Internet.
For more information on improving Internet security with a DNS-based web filter, give the TitanHQ team a call. WebTitan, like all other TitanHQ products, is available on a free trial, with product support provided to ensure you get the most out of the solution during the trial.
by G Hunt |
June 22, 2023 |
Internet Security, Network Security, Phishing & Email Spam
A new information stealing malware variant called Mystic Stealer is proving extremely popular with hackers. The malware is currently being promoted on hacking forums and darknet marketplaces under the malware-as-a-service model, where hackers can rent access to the malware by paying a subscription fee, which ranges from $150 for a month to $390 for three months.
Adverts for the malware first started appearing on hacking sites in April 2023 and the combination of low pricing, advanced capabilities, and regular updates to the malware to incorporate requested features has seen it grow in popularity and become a firm favorite with cybercriminals. The team selling access to the malware operates a Telegram channel and seeks feedback from users on new features they would like to be added, shares development news, and discusses various related topics.
Mystic Stealer has many capabilities with more expected to be added. The first update to the malware occurred just a month after the initial release, demonstrating it is under active development and indicating the developers are trying to make Mystic Stealer the malware of choice for a wide range of malicious actors. Mystic Stealer targets 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications (including LastPass Free, Dashlane, Roboform, and NortPass), and 55 cryptocurrency browser extensions. The malware can also inject ads into browser sessions, redirect searches to malicious websites, and steal Steam and Telegram credentials and other sensitive data. The most recent version is also able to download additional payloads from its command-and-control server. The malware targets all Windows versions, does not need any dependencies, and operates in the memory, allowing it to evade antivirus solutions. The malware is believed to be of Russian origin since it cannot be used in the Commonwealth of Independent States.
Mystic Stealer has recently been analyzed by researchers at InQuest, ZScaler, and Cyfirma, who report that the malware communicates with its C2 server via a custom binary protocol over TCP, and currently has at least 50 C2 servers. When the malware identifies data of interest, it compresses it, encrypts it, then transmits it to its C2 server, where users can access the data through their control panel.
The main methods of distribution have yet to be determined, but as more threat actors start using the malware, distribution methods are likely to become more diverse. The best protection is to follow cybersecurity best practices and adopt a defense-in-depth approach, with multiple overlapping layers of security to protect against all of the main attack vectors: email delivery (phishing), web delivery (pirated software, drive-by downloads, malvertising), and the exploitation of vulnerabilities.
Email security solutions should be used that have signature and behavioral-based detection capabilities and machine learning techniques for detecting phishing emails (SpamTitan). Antivirus software should be used, ideally, a solution that can scan the memory, along with advanced intrusion detection systems. To protect against web-based attacks, a web filter (WebTitan) should be used to block malicious file downloads and prevent access to the websites where malware is often downloaded (known malicious sites/warez/torrent). IT teams should ensure that software updates and patches are applied promptly, prioritizing critical vulnerabilities and known exploited vulnerabilities. In the event of infection, damage can be severely limited by having a tested incident response plan in place.
Finally, it is important to train the workforce on the most common threats and how to avoid them. Employees should be trained on how to identify phishing attempts, be told never to download unauthorized software from the Internet, and be taught security best practices. The SafeTitan security awareness training and phishing simulation platform provides comprehensive training and testing to improve human defenses against malware infections and other cyber threats.
by G Hunt |
September 6, 2022 |
Email Scams, Internet Security, Phishing & Email Spam
When multifactor authentication is set up on accounts, attempts to access those accounts using stolen credentials will be prevented, as in addition to a correct username and password, another factor must be provided to authenticate users. Phishing attacks may allow credentials to be stolen, but that does not guarantee accounts can be accessed. More companies are implementing multifactor authentication which means phishing attacks need to be more sophisticated to bypass the protection provided by multifactor authentication.
One of the ways that multifactor authentication can be bypassed is by using a reverse proxy. In a phishing attack, an email is sent to a target and a link is provided to a malicious website hosting a phishing form that spoofs the service of the credentials being targeted – Microsoft 365 for example. Instead of just collecting the login credentials and using them to try to remotely access the user’s account, a reverse proxy is used.
The reverse proxy sits between the phishing site and the genuine service that the attacker is attempting to access and displays the login form on that service. When the credentials are entered, they are relayed in real-time to the legitimate service, and requests are returned from that service, such as MFA requests. When the login process is successfully completed, a session cookie is returned which allows the threat actor to access the genuine service as the victim. The session cookie can also contain the authentication token. In these attacks, once the session cookie has been obtained, the victim is usually presented with a notification telling them the login attempt has failed or they are directed to another site and will likely be unaware that their credentials have been stolen and their account is being accessed.
These attacks allow the victim’s account to be accessed for as long as the session cookie remains valid. If it expires or is revoked, the attacker will lose access to the account. To get around this and gain persistent access, account details may be changed or other authentication methods will be set up.
These types of phishing attacks are much more sophisticated than standard phishing attacks, but the extra effort is worth the investment of time, money, and resources. Many advanced persistent threat actors use reverse proxies in their phishing campaigns and have developed their own custom reverse proxies and tools. There are, however, publicly available kits that can be used in phishing campaigns such as Modlishka, Necrobrowser, and Evilginx2. These kits can be used at a cost and allow MFA to be bypassed, although they can be complicated to set up and use.
Now a new phishing-as-a-Service (PaaS) platform has been identified – EvilProxy – that is being pushed on hacking forums. EvilProxy allows authentication tokens to be stolen from a range of vendors including Microsoft, Apple, Twitter, Facebook, Google, and more, according to Resecurity which recently reported on the phishing kit.
EvilProxy lowers the bar considerably and makes conducting reverse proxy phishing attacks far simpler. The service includes instructional videos, provides a user-friendly graphical interface, and even supplies templates of cloned phishing pages for stealing credentials and auth tokens. Through the graphical interface, threat actors can set up and manage their phishing campaigns with ease. EvilProxy comes at a cost, starting at $150 for 10 days up to $400 for a month. While the service is not cheap, the potential rewards can be considerable. EvilProxy allows low-skill threat actors to gain access to valuable accounts, which could be used or sold on to other threat actors such as ransomware gangs.
Multifactor authentication is strongly recommended as it will block the majority of attacks on accounts; however, it can be bypassed by using reverse proxies. Protecting against reverse proxy phishing attacks requires a defense-in-depth approach. An email security solution – SpamTitan for example – should be implemented to block the initial phishing email. A web filter – WebTitan – should be used to block attempts to visit the malicious websites used in these man-in-the-middle attacks. Security awareness training is important for training employees on how to recognize and avoid phishing threats, and employers should conduct phishing simulation tests as part of the training process. TitanHQ’s SafeTitan platform allows businesses to conduct regular training and phishing simulations with ease.
by G Hunt |
August 5, 2021 |
Internet Security, Network Security, Phishing & Email Spam
Ransomware attacks have increased significantly since the start of 2020 and that increase has continued in 2021. While these attacks are occurring more frequently than ever, the threat from phishing has not gone away and attacks are still rife. Phishing attacks may not make headline news like ransomware attacks on hospitals that threaten patient safety, but they can still be incredibly damaging.
The aim of many phishing attacks is to obtain credentials. Email credentials are often targeted as email accounts contain a treasure trove of data. That data can be extremely valuable to cybercriminals. In healthcare for example, email accounts contain valuable healthcare data, health insurance information, and Social Security numbers, which can be used to commit identity theft, obtain medical treatment, and for tax fraud. Entire email accounts are often exfiltrated in the attacks and the accounts used to send tailored phishing emails to other individuals in the company.
Many data breaches start with a phishing email, with phishing often used by an attacker to gain a foothold in a network that can be used in a much more extensive attack on an organization. Phishing emails are often the first step in a malware or ransomware attack.
Multiple surveys have recently been conducted on IT leaders and employees that show phishing is a very real and present danger. Two recent surveys conducted in the United States and United Kingdom indicate almost three quarters of businesses have experienced a data breach as a result of a phishing attack in the past 12 months. One study indicated over 50% of IT leaders had seen an increase in phishing attacks in the past 12 months, while the other put the figure at 80%.
During the pandemic, many businesses were faced with the option of switching to a remote workforce or shutting down. The increase in remote working was a godsend for phishers, who increase their attacks on employees. Many IT departments lacked visibility with a remote workforce and found it harder to block phishing attacks than when employees are in the office. Staff shortages in IT have certainly not helped.
Staff training is important to raise awareness of the threat from phishing, but remote working has made that harder. Training needs to be provided regularly as it can easily be forgotten and bad habits can slip in. Phishing tactics are also constantly changing, so regular training is needed to keep employees aware of the latest threats and phishing techniques, so they know what to look for. It does not help that phishing attacks are increasingly targeted and more sophisticated and can be difficult for employees to spot even if they have received regular training.
So how can businesses combat the threat from phishing and avoid being one of the three quarters of companies that experience a phishing data breach each year? Training is important, but the right technology is required.
Two of the most important technical solutions that should be implemented to block phishing attacks are spam filters and web filters. Both are effective at combatting phishing, albeit from different angles. When both are used together, protection is better than the sum of both parts.
A spam filter must have certain features to block sophisticated phishing threats. Blacklists are great for identifying emails from known malicious IP addresses, but IP addresses frequently change. Machine learning approaches are needed to identify previously unseen phishing tactics and threats from IP addresses not known to be malicious. Multiple AV engines can help block more malware threats, while email sandboxing can identify new malware variants. DMARC is also vital to block email impersonation attacks, while outbound scanning is important to rapidly detect compromised mailboxes. All of these features are employed by SpamTitan, which is why the solution has such a high block rate (over 99.97%) and low false positive rate.
Web filters are primarily used to restrict access to malicious and undesirable websites, whether they are sites with pornographic content or malicious sites used for phishing and malware distribution. Web filters, especially DNS-based filters, greatly improve protection against threats and will block access to known malicious websites. They will also block malware downloads and restrict access to questionable websites that serve no work purpose but increase risk. WebTitan will do this and more, and can easily be configured to protect remote workers, no matter where they choose to access the Internet.
With phishing attacks increasing it is important that businesses deploy solutions to counter the threat to stay one step ahead of the phishers. For further information on SpamTitan and WebTitan, and how they can protect your business, give the TitanHQ team a call. Both solutions are available on a free trial to allow you to see for yourself the difference they make. You can sign up for a free trial of SpamTitan here, and WebTitan on this link.
by G Hunt |
November 18, 2020 |
Email Scams, Internet Security, Network Security
Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.
Surge in Phishing Attacks in the Run Up to Black Friday
The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.
Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.
Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more busines to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.
Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.
With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.
How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats
This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.
The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.
SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.
If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.
by G Hunt |
January 22, 2020 |
Industry News, Internet Security, Network Security
TitanHQ has announced a new partnership with Pax8. The partnership means Pax8 partners now have access to TitanHQ’s cloud-based email security solution – SpamTitan – and its DNS filtering solution, WebTitan.
Pax8 is the leader in cloud distribution. The company simplifies the cloud buying process and empowers businesses to achieve more with the cloud. The company has been named Best in Show for two consecutive years at the Next Gen and XChange conferences and is positioned at number 60 in the 2019 Inc. 5000 list of the fastest growing companies.
Pax8 carefully selects the vendors it works with and only offers market-leading channel friendly solutions to its partners. When searching for further cybersecurity solutions for its partners, TitanHQ was determined to be the perfect fit. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace and its cybersecurity solutions are much loved by users. This was clearly shown in the 2019 G2 Crowd Report on Email Security Gateways where SpamTitan was named leader, having achieved 4- or 5-star ratings by 97% of its users, with 92% saying they would recommend the solution to other businesses.
Phishing, malware, and ransomware attacks have all increased in the past year and the cost of mitigating those attacks continues to rise. By implementing SpamTitan and WebTitan, SMBs and MSPs can secure their email environments and block web-based threats and keep their networks secure.
SpamTitan provides excellent protection for Office 365 environments. The solution detects and blocks phishing and email impersonation attacks and prevents known and zero-day malware and ransomware threats from reaching inboxes. The WebTitan Cloud DNS filtering solution blocks the web-based component of cyberattacks by preventing end users from visiting malicious websites, such as those harboring malware and phishing kits.
Both solutions are quick and easy to implement, can be seamlessly integrated into MSPs service stacks and cloud-management platforms, and Pax8 partners benefit from highly competitive and transparent pricing, centralized billing, and leading customer support.
“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO, TitanHQ. “Their focus and dedication to the MSP community are completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”
by G Hunt |
July 1, 2019 |
Internet Security
You may have heard of ransomware-as-a-service – where ransomware is rented for a cut of the profits generated – but now there are a growing number of hackers offering phishing-as-a-service.
Ransomware-as-a-service proved popular as it allowed people without the skill set to create their own ransomware to conduct attacks and take a share of the profits. Conducting phishing attacks is easier. It requires no knowledge of malware or ransomware. All that is required is a hosted web page that mimics a brand you want to target, a phishing kit, and an email account to send phishing emails far and wide.
There is still entry barrier to cross before it is possible to conduct phishing attacks. Phishing requires some knowledge and skill as a spoofed phishing web page must be created and emails crafted that will attract a click. The web page will also need to be hosted somewhere so a compromised domain will therefore be required.
Phishing-as-a-service provides all of that. To get started, you purchase one of several phishing templates based on what you are targeting – Office 365, SharePoint, OneDrive, Google, or DocuSign credentials for example. The phishing pages are sold complete with phishing kits loaded and one month’s hosting.
One group offering phishing-as-a-service guarantees the phishing page will be hosted for one month and includes a three-link backup. If one URL fails or is reported as a phishing website, a further two links can be provided on request followed by a further three after that.
Phishing-as-a-service takes all the time-consuming work out of starting a phishing campaign and allows phishing campaigns to be conducted by individuals with next to no specific skills. Once payment is made for the web page, all that is required is the ability to conduct a spam campaign. The service also comes with the option of purchasing lists of email addresses for the country of choice. All that is required to conduct a phishing campaign is payment ($30+) for phishing-as-a-service and a convincing phishing email.
With the entry barrier being substantially lowered, phishing attacks are likely to become much more frequent. It is therefore essential for businesses of all sizes to take steps to improve protections and reduce susceptibility to phishing attacks.
If you are defending against any attack it pays to know your enemy. It is therefore essential for all employees with an email account to be provided with security awareness training and be taught how to recognize a phishing attack.
It is also important to implement cybersecurity solutions that help to ensure your last line of defense will not be tested. You should have an advanced anti-spam solution in place to block the vast majority of phishing threats. If you use Office 365 for your business email, a third-party anti-spam solution will provide a greater level of protection.
An additional protection against phishing attacks that is often overlooked is a DNS filter or web filter. A web filter gives organizations control over what their employees can do online and which websites they can visit. Any website that has been reported as malicious is automatically blocked using blacklists and webpages are scanned in real-time and blocked if malicious. If a phishing email reaches an inbox and attracts a click, the attempt to access the phishing website can be blocked.
If you want to improve your email and web security posture or you are looking for better value cybersecurity solutions, TitanHQ can help. Contact TitanHQ today to discuss your email and web security requirements and you will be advised on the best solutions to meet your needs.
TitanHQ offers a free trial on all products and is happy to arrange product demonstrations on request.
by G Hunt |
December 30, 2018 |
Internet Security
There are many costs associated with cyberattacks and data breaches, but one of the hardest to quantify is damage to a brand. Brand damage following a data breach is one of the most serious issues, and one that money cannot easily resolve.
Businesses can invest in cybersecurity solutions to prevent further security breaches, but when customers lose trust in a brand, they will simply take their business elsewhere. Winning customers back can be a long process. In many cases, once trust in a brand is lost, customers will leave and never return.
Consumers Expect Businesses to Protect Their Personal Data
If a company asks consumers to provide them with personal data, it is essential that steps are taken to ensure that information remains private and confidential. Consumers believe that any company that collects personal data has an obligation to protect it. A Ponemon Institute study in 2017 confirmed that to be the case. 71% of consumers believed companies that collect personal data have a responsibility to protect it. When a cyberattack occurs that results in the exposure or theft of personal data, consumers are naturally angry at a company for failing to take sufficient precautions to keep their data private.
The same survey revealed that following a data breach, two thirds of consumers lost trust in the breached company and almost a third of consumers said they had terminated their relationship with a brand following a data breach. Companies that were surveyed reported customer churn rates increased up to 7% following a breach. Another study suggests customer loss is more severe and up to 20% of customers have switched brands after their personal information was stolen from a company they did business with. A 2017 study by Gemalto suggests those figures are very conservative. The Gemalto study suggested 70% of customers would switch brands following a data breach.
Loss of Trust in a Brand can have Catastrophic Consequences
Large businesses may be able to weather the storm and regain customer trust over time, but smaller businesses can really struggle. On top of the considerable costs of mitigating a data breach, a loss of anywhere between 20% and 70% of customers would likely be the final nail in the coffin. Loss of customer trust is part of the reason why 60% of SMBs fold within 6 months of a data breach (National Cyber Security Alliance).
Blocking cyberattacks and preventing data breaches requires investment in cybersecurity solutions. Naturally, an advanced firewall is required, and solutions should be introduced to block the most common attack vectors – email for instance – but one area of cybersecurity that is often overlooked is WiFi filtering. WiFi filtering and protecting your brand go hand in hand.
WiFi Filtering and Protecting your Brand
The importance of WiFi Filtering for protecting your brand should not be underestimated. Implementing a web filtering solution shows your customers that you care about security and want to ensure they are protected when they access the Internet through your WiFi network. By implementing a WiFi filter you can prevent customers from downloading malware and ransomware and stop them from connecting to phishing websites.
A WiFi filter can also prevent users from accessing illegal content on your WiFi network. There have been cases of businesses having Internet access terminated by their ISPs over illegal online activity by users – the accessing of banned web content or copyright infringing downloads for instance.
One of the most important uses of a WiFi filter is to prevent users from accessing unacceptable content such as pornography. There is growing pressure on businesses to prevent adult content from being accessed on WiFi networks that are used by customers. McDonalds decided to implement a WiFi filter in 2016 following campaigns by consumers to make its access points family-friendly and in 2018 Starbucks was pressured into doing the same. The coffee shop chain will finally start filtering the internet on its WiFi networks in 2019.
A WiFi filter will also prevent employees from visiting malicious websites and downloading malware that gives criminals access to your internal networks and customer data, thus preventing costly, reputation damaging data breaches.
Businesses that fail to block web-based attacks are taking a major risk, and an unnecessary one considering the low cost of WiFi filtering.
Benefits of WebTitan Cloud for WiFi
Benefits of WebTitan Cloud for WiFi for include:
- Create a family-friendly, safe and secure web browsing environment
- Manage access points through a single web-based administration panel
- Protect any number of Wi-Fi access points
- Filter by website, website category, keyword term, or keyword score
- Reduce the risk of phishing attacks
- Block malware and ransomware downloads
- Inspect encrypted websites with SSL certificates
- Schedule and run reports on demand
- Gain a real-time view of internet activity
- Gain insights into bandwidth use and restrict activities to conserve bandwidth
- Integrate the solution into existing billing, auto provisioning and monitoring system through a suite of APIs
- Apply time-based filtering controls
- Multiple hosting options, including within your own data center
- Can be supplied as a white label for MSPs and resellers
- World class customer service
- Highly competitive pricing and a fully transparent pricing policy
For further information on WiFi Filtering and protecting your brand, contact the TitanHQ team today. Our cybersecurity experts will explain how WebTitan can protect your business and will be happy to schedule a product demonstration and help you set up a free trial of WebTitan to evaluate the solution in your own environment.
by G Hunt |
December 4, 2018 |
Internet Security
There is a more cost-effective alternative to Cisco OpenDNS that provides total protection against web-based threats at a fraction of the price of OpenDNS. If you are currently running OpenDNS or have yet to implement a web filtering solution, you can find out about this powerful web filtering solution in a December 5, 2018 webinar.
Cybersecurity defenses can be implemented to secure the network perimeter, but employees often take risks online that can lead to costly data breaches. The online activities of employees can easily result in malware, ransomware, and viruses being downloaded. Employees may also respond to malicious adverts (malvertising) or visit phishing websites where they are relieved of their login credentials.
Mitigating malware infections, dealing with ransomware attacks, and resolving phishing-related breaches have a negative impact on the business and the resultant data breaches can be incredibly costly. Consequently, the threat from web-based attacks cannot be ignored.
Fortunately, there is an easy solution that offers protection against web-based threats by carefully controlling the web content that their employees can access: A DNS-based web filter.
DNS-based web filtering requires no hardware purchases and no software downloads. Within around 5 minutes, a business will be able to control employee internet access and block web-based threats. Some DNS-based web filters such as OpenDNS can be costly, but there is a more cost-effective alternative to Cisco OpenDNS.
TitanHQ and Celestix Networks will be running a joint webinar to introduce an alternative to Cisco OpenDNS – The WebTitan-powered solution, Celestix WebFilter Cloud.
Celestix will be joined by Rocco Donnino, TitanHQ EVP of Strategic Alliances, and Senior Sales Engineer, Derek Higgins who will explain how the DNS-based filtering technology offers total protection from web-based threats at a fraction of the cost of OpenDNS.
The webinar will be taking place on Wednesday December 5, 2018 at 10:00 AM US Pacific Time
Advance registration is required. You can register for the webinar on this link.
by G Hunt |
June 29, 2018 |
Internet Security
A recent survey of members of the Spiceworks community investigated the use of web filtering by businesses and the effect of web filtering on security and productivity. The survey was conducted on 645 members of its professional network based in the United States and Europe from a wide range of industries including healthcare, finance, and manufacturing.
Web filtering is an important security control that can provide an additional layer of protection against malware and phishing attacks. Web filters can also be used to improve the productivity of the workforce by limiting access to certain types of websites. The Internet can help to improve productivity, although it can also prove a temptation for workers and a major distraction. When a complicated report must be produced, cat videos can be especially tempting.
The survey sought to find out more about the effect of web filtering on security and productivity, how web filters are being used by businesses, the amount of time that employees are wasting on personal Internet use, and the types of websites that businesses are blocking to improve productivity.
Web Filtering is Used by the Majority of Businesses
The survey revealed widespread use of web filters by businesses. Overall, 89% of organizations have implemented a web filter and use it to block certain types of productivity-draining Internet content such as social media websites, dating sites, gambling sites, and streaming services.
The larger the business, the more likely it is that Internet content control will be implemented. 96% of large organizations (1,000+ employees) use web filters to limit employee Internet activity. The percentage drops to 92% for mid-sized businesses (100-999 employees) and 81% for small businesses (up to 99 employees). 58% of organizations said they use a web filtering solution to monitor Internet use by employees.
The survey asked IT professionals who have not implemented a web filtering solution how many hours they think employees are wasting on personal Internet use each week. 58% of employees were thought to waste around 4 hours a week on personal internet use and around 26% of workers spend more than 7 hours a week on non-work-related websites. Without a web filter, most employees will spend around 26 days a year on personal Internet use which, based on average earnings, corresponds to $4,500 paid per employee to slack off on the Internet.
Compare that to the figures for companies that restrict access to at least one category of website and the percentages fall to 43% of employees spending more than 4 hours a week on personal Internet use and 18% who spend more than 7 hours a week on non-work-related websites. The biggest drain of productivity was social media sites, with the figures falling to 30% of employees spending more than 4 hours a week on non-work-related sites when social media sites were blocked.
What are the Most Commonly Blocked Websites?
How are web filters used by businesses and what types of website are most commonly blocked? Unsurprisingly, the most commonly blocked websites were illegal sites and inappropriate sites (pornography for example). Both categories were blocked by 85% or organizations.
After that, the most commonly blocked category of content was dating sites – blocked by 61% of organizations. Businesses are more permissive about the use of social media websites, with only 38% blocking those sites, while instant messaging services were blocked by 34% of organizations. Even though they can be a major drain on bandwidth, streaming services were only blocked by 26% of companies.
What are the Main Reasons for Implementing a Web Filter?
While Internet content control – in some form – has been implemented by the majority of companies, it was not the main reason for implementing a web filter. Money could be saved by improving productivity, but the biggest reason for implementing a web filter was security. 90% of businesses said they had implemented a web filter to protect against malware and ransomware infections and with good reason: Inappropriate Internet access leads to data breaches.
38% of surveyed companies said they had experienced a data breach in the past 12 months as a result of employees visiting non-work-related websites, most commonly webmail services (15%) and social media sites (11%).
Other reasons for implementing a web filter were to block illegal activity (84%) and discourage inappropriate Internet access (83%). 66% of organizations use a web filter to avoid legal liability while 57% used web filters to prevent data leakage and block hacking.
Web Filtering from TitanHQ
TitanHQ has developed an innovative web filtering solution for businesses that helps them improve their security posture, block malware downloads, prevent employees from visiting phishing websites, and limit personal Internet use.
WebTitan Cloud is a 100% cloud-based web filtering solution that can be easily implemented by businesses, without the need for any hardware purchases or software downloads. The solution has excellent scalability, is cost effective, and easy to configure and maintain.
The solution provides Internet content control and malware protection regardless of the device being used to access the Internet and the solution can provide malware protection and allow content control for on-site and remote workers.
Granular controls ensure accurate content filtering without overblocking, time-based filters can be set to restrict access to certain websites at busy times of the day, and different policies can be applied at the organization, department, group, or individual level.
If you have not yet implemented a web filtering solution, are unhappy with your current provider or the cost of your solution, contact the TitanHQ team today and find out more about WebTitan.
by G Hunt |
May 10, 2018 |
Internet Security
Ransomware attacks on businesses appear to be declining. In 2017 and 2018 there has been a marked decrease in the number of attacks. While this is certainly good news, it is currently unclear whether the fall in attacks is just a temporary blip or if the trend will continue.
Ransomware attacks may have declined, but there has been a rise in the use of cryptocurrency mining malware, with cybercriminals taking advantage in the high price of cryptocurrencies to hijack computers and turn them into cryptocurrency-mining slaves. These attacks are not as devastating or costly as ransomware attacks, although they can still take their toll, slowing down endpoints which naturally has an impact on productivity.
While ransomware attacks are now occurring at a fraction of the level of 2016 – SonicWall’s figures suggest there were 184 million attacks in 2017 compared to 638 million in 2016 – the risk of an attack is still significant.
Small players are still taking advantage of ransomware-as-a-service – available through darknet forums and marketplaces – to conduct attacks and organized cybercriminal gangs are conducting targeted attacks. In the case of the latter, victims are being selected based on their ability to pay and the likelihood of a payment being made.
These targeted attacks have primarily been conducted on organizations in the healthcare industry, educational institutions, municipalities and the government. Municipalities are targeted because massive disruption can be caused, and attacks are relatively easy to pull off. Municipalities typically do not have the budgets to devote to cybersecurity.
Attacks in healthcare and education industries are made easier by the continued use of legacy software and operating systems and highly complex networks that are difficult to secure. Add to that the reliance on access to data and not only are attacks relatively easy, there is a higher than average chance of a ransom being paid.
In the past, the aim of ransomware gangs was to infect as many users as possible. Now, targeted attacks are conducted with the aim of infecting as many end points as possible within an organization. The more systems and computers that are taken out of action, the greater the disruption and cost of mitigating the attack without paying the ransom.
Most organizations, government agencies, municipalities, have sound backup policies and can recover all data encrypted by ransomware without paying the ransom. However, the time taken to recover files from backups and restore systems – and the cost of doing so – makes payment of the ransom preferable.
The attack on the City of Atlanta shows just how expensive recovery can be. The cost of restoring systems and mitigating the attack was at least $2.6 million – The ransom demand was in the region of $50,000. It is therefore no surprise that so many victims have chosen to pay up.
Even though the ransom payment is relatively low compared to the cost of recovery, it is still far more expensive than the cost of implementing security solutions to prevent attacks.
There is no single solution that can block ransomware and malware attacks. Multi-layered defenses must be installed to protect the entire attack surface. Most organizations have implemented anti-spam solutions to reduce the risk of email-based attacks, and security awareness training is helping to eliminate risky behaviors and teach security best practices, but vulnerabilities still remain with DNS security often lacking.
Vulnerabilities in DNS are being abused to install ransomware and other malware variants and hide communications with command and control servers and call home addresses. Implementing a DNS-based web filtering solution offers protection against phishing, ransomware and malware by preventing users from visiting malicious websites where malware and ransomware is downloaded and blocking C2 server communications. DNS-based web filters also provide protection against the growing threat from cryptocurrency mining malware.
To mount an effective defense against phishing, malware and ransomware attacks, traditional cybersecurity defenses such as ant-virus software, spam filters, and firewalls should be augmented with web filtering to provide security at the DNS layer. To find out more about how DNS layer security can improve your security posture, contact TitanHQ today and ask about WebTitan.
by G Hunt |
December 29, 2017 |
Internet Security
Every December, a list of terrible passwords is published by SplashData, and this year the list of the worst passwords of 2017 contains the same horrors as years gone by. Passwords that not only would take a hacker next to no time to guess, but in many cases, could be cracked at the first attempt.
The list of the worst passwords of 2017 is compiled from databases of leaked and stolen passwords that have been published online throughout 2017. This year, SplashData compiled its list from more than 5 million leaked passwords.
The minimum password length on many websites has now been increased to eight characters; however, it is still possible to use passwords of six characters in many places. This year, the worst password is six characters long and is the extremely unimaginative: 123456. A password so easy to guess, it is barely worth setting a password at all.
In second place is an eight-character password, which is similarly not worth using at all: password. In third place is 12345678. Those three passwords retained the same positions as last year.
Each year, the same passwords appear on the list, with slight fluctuations in their positions in the list. However, there are some new entries this year. The rebooting of the Star Wars saga has spurred many people to choose Star Wars related passwords, with starwars featuring in 16th position on the list.
An interesting entry makes it into 25th place – trustno1. Good advice, but even with the addition of a number, it is still a poor password choice. At first glance, number 24 in the list appears to be reasonable, but qazwsx is the first six characters on the left-hand side of the keyboard.
Using the passwords letmein, passw0rd, admin, master, and whatever, are all equally bad. All of those words make the top 25 in the list of the worst passwords of 2017.
Top 25 Worst Passwords of 2017
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- letmein
- 1234567
- football
- iloveyou
- admin
- welcome
- monkey
- login
- abc123
- starwars
- 123123
- dragon
- passw0rd
- master
- hello
- whatever
- qazwsx
- trustno1
The list of the worst passwords of 2017 reveals many people are extremely unimaginative when choosing a password to secure their email, social media, and online accounts.
SplashData estimates 3% of people have used the worst password on the list, while 10% have used one of the first 25 passwords to “secure” at least one online account.
Most people know that strings of consecutive numbers are bad, as is any variation of the word password, but changing to a dictionary word or a pop culture reference is just as bad, as Morgan Slain, CEO of SplashData, Inc., explained, “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”
That means using football (or any other sport) or starwars will not prevent a hacker from gaining access to an account for very long.
What Makes a Bad Password?
Brute force attacks, those where repeated attempts are made to guess passwords, does not involve a hacker sitting at a computer typing bad passwords until the correct one is guessed. Those attacks are performed by bots, and it doesn’t take long for a bot to guess a poor password.
Without rate limiting – setting a maximum number of failed attempts before access is temporarily blocked – to slow down the process, the bots can cycle through the list of the worst passwords of 2017 quickly, followed by those used in other years and other dictionary words.
Hackers also know the tricks that people use to keep passwords easy to remember, while meeting the strong password requirements set by IT departments, such as adding an explanation mark to the end of an easy to remember word or replacing certain letters with their numerical equivalent: An A with a 4, or an O with a zero for instance.
What Makes a Good Password?
A good password should contain upper and lowercase letters, numbers, and special characters, and should preferably be a random string of 10 or more characters. That of course makes passwords very difficult to remember. Writing the password down so you don’t forget it is also a very bad idea, as is reusing passwords on multiple sites and recycling old passwords.
In 2017, NIST revised its advice on choosing passwords as its research showed that forcing people to choose upper and lower-case passwords and special characters did not always ensure people chose strong passwords. Instead, they get around the technology by simply changing the first letter to a capital letter and adding a special character and number to the end, for instance.
Instead, NIST recommended using a passphrase rather than a password. A phrase that only you would know.
A list of four or five unrelated words would work well. Dogforkliftmonkeyhousecar would be a strong password phrase to use (other than the fact it has now been published online). It would be difficult to crack but easy to remember with a mnemonic.
To keep your accounts secure, make sure you choose strong and complex passwords, ideally long passwords of at least 15 characters. However, remembering the 20 or so unique passwords you are likely to need will still be hard.
The solution is to use a password manager, and to secure that account with a strong hard to guess password. Then only one complex password must be remembered.
by G Hunt |
October 19, 2017 |
Internet Security
DoubleLocker ransomware is a new Android threat, which as the name suggests, uses two methods to lock the device and prevent victims from accessing their files and using their device.
As with Windows ransomware variants, DoubleLocker encrypts files on the device to prevent them from being accessed. DoubleLocker ransomware uses a powerful AES encryption algorithm to encrypt stored data, changing files extensions to .cryeye
While new ransomware variants sometimes have a poorly developed encryption process with flaws that allow decryptors to be developed, with DoubleLocker ransomware victims are out of luck.
While it is possible for victims to recover their files from backups, first they must contend with the second lock on the device. Rather than combine the encryption with a screen locker, DoubleLocker ransomware changes the PIN on the device. Without the PIN, the device cannot be unlocked.
Researchers at ESET who first detected this new ransomware variant report that the new PIN is a randomly generated number, which is not stored on the device and neither is it transmitted to the attacker’s C&C. The developers allegedly have the ability to remotely delete the PIN lock and supply a valid key to decrypt data.
The ransom demand is much lower than is typical for Windows ransomware variants, which reflects the smaller quantity of data users store on their smartphones. The ransom demand is set at 0.0130 Bitcoin – around $54. The payment must be made within 24 hours of infection, otherwise the attackers claim the device will be permanently locked. The malware is set as the default home app on the infected device, which displays the ransom note. The device will be permanently locked, so the attackers claim, if any attempts are made to block or remove DoubleLocker.
Researchers at ESET have analyzed DoubleLocker ransomware and report that it is based on an existing Android banking Trojan called Android.BankBot.211.origin, although the ransomware variant does not have the functionality to steal banking credentials from the user’s device.
While many Android ransomware variants are installed via bogus or compromised applications, especially those available through unofficial app stores, DoubleLocker is spread via fake Flash updates on compromised websites.
Even though this ransomware variant is particularly advanced, it is possible to recover files if they have been backed up prior to infection. The device can also be recovered by performing a factory reset. If no backup exists, and the ransom is not paid, files will be lost unless the device has been rooted and debugging mode has been switched on prior to infection.
This new threat shows just how important it is to backup files stored on mobile devices, just as it is with those on your PC or Mac and to think before downloading any web content or software update.
by G Hunt |
September 27, 2017 |
Internet Security
While most ransomware attacks occur via phishing emails or exploit kits and require some user interaction, SMBv1 ransomware attacks occur remotely with no user interaction required.
These attacks exploit a vulnerability in Windows Server Message Block protocol (SMB), a communication protocol typically used for sharing printers and other network resources. SMB operates in the application layer and is typically used over TCP/IP Port 445 and 139.
A critical flaw in SMBv1 was identified and addressed by Microsoft in a March 14, 2017 security update – MS17-010. At the time, Microsoft warned that exploitation of the flaw could allow remote code execution on a vulnerable system.
An exploit for the flaw, termed EternalBlue, was reportedly used by the U.S. National Security Agency’s Equation Group for four years prior to the vulnerability being plugged. That exploit, along with several others, was obtained by a hacking group called Shadow Brokers. The EternalBlue exploit was disclosed publicly in April, after attempts to sell the exploit failed. Following its release, it was not long before malware developers incorporated the exploit and used it to remotely attack vulnerable systems.
The exploit was primarily used to attack older operating systems such as Windows 7 and Windows Server 2012, although other systems are also vulnerable, including Windows Server 2016. The security update addresses the flaw in all vulnerable systems. Microsoft also released a patch for the long-retired Windows XP.
The most widely reported SMBv1 ransomware attacks occurred in May and involved WannaCry ransomware. WannaCry exploited the SMBv1 vulnerability and used TCP Port 445 to propagate. These SMBv1 ransomware attacks were conducted around the globe, although fortunately a kill switch was found which was used to disable the ransomware and prevent file encryption.
While that spelled the end of WannaCry, the SMBv1 attacks continued. NotPetya – not a ransomware variant but a wiper – also used the EternalBlue exploit to attack systems, and with the code still publicly available, other malware developers have incorporated the exploit into their arsenal. Any business that has not yet applied the MS17-010 patch will still be vulnerable to SMBv1 ransomware attacks. Other malware developers are now using the exploit to deliver banking Trojans.
While most businesses have now applied the patch, there are some that are still running vulnerable operating systems. There is also a risk that even when patches have been applied, devices may have been missed.
All businesses should therefore make sure their systems have been patched, but should also perform a scan to ensure no devices have slipped through the net and remain vulnerable. All it takes is for one unpatched device to exist on a network for ransomware or malware to be installed.
There are several commercially available tools that can be used to scan for unpatched devices, including this free tool from ESET. It is also recommended to block traffic associated with EternalBlue through your IDS system or firewall.
If you still insist on using Windows XP, you can at least stop the SMB flaw from being exploited with this patch, although an upgrade to a supported OS is long overdue. The MS17-010 patch for all other systems can be found on this link.
Comment arrêter les attaques de ransomware SMBv1 ?
by G Hunt |
March 24, 2017 |
Internet Security
Security researchers in Israel have developed a proof-of-concept exploit called DoubleAgent that takes advantage of vulnerabilities in antivirus products to turn them against users. The exploit could potentially be incorporated into DoubleAgent malware, although there have been no known attacks that take advantage of the flaws in AV products to the researchers’ knowledge.
The proof-of-concept was developed by Cybellum researchers, who say that most third-party Windows antivirus products are susceptible and could potentially be hijacked. To date only three AV companies have confirmed that they are developing patches to block potential DoubleAgent malware attacks – AVG, Trend Micro and Malwarebytes.
The attack involves the Microsoft Application Verifier, which is used to check for bugs in programs that run on Windows. The researchers use DLL hijack techniques to fool the verifier using a malicious DLL. They claim the technique could be used to insert a custom verifier into any application.
DoubleAgent malware may not yet have been developed to exploit the zero-day vulnerability, although the researchers say they have used their proof-of-concept to take full control of the Norton Security AV program – many other AV products are also susceptible to this type of attack.
The Cybellum-developed DoubleAgent malware could be used in a number of different attack scenarios, all of which are particularly chilling.
Since the antivirus program can be pwned by an attacker, it could be turned on the user and used as malware. Antivirus software is trusted, so any actions taken by the AV program would be treated as legitimate. The researchers warn that the AV program could be turned into a double agent and do anything the attackers wanted.
The AV solution could be instructed to whitelist certain other programs allowing an attacker to install any malware undetected. Once installed, the malware would run totally undetected and the user would be unaware that their AV software had been rendered virtually useless. The AV software would also be prevented from flagging data exfiltration or communications with the attacker’s C&C.
An attacker could cripple a company’s applications using the DoubleAgent malware. If a legitimate program used by the company is marked as malicious by its antivirus software program, it would be prevented from running. It would therefore be possible to perform Denial of Service attacks. Also, since AV software has the highest level of privileges, it could be used to perform any number of malicious actions, such as deleting data or formatting a hard drive. That means a ransomware-style attack could be performed or the company’s computer systems could be sabotaged.
Fortunately, only Cybellum has the code and AV companies that have been found to be susceptible to such an attack have been notified. Patches are therefore likely to be developed to prevent such an attack.
by G Hunt |
March 2, 2017 |
Internet Security
Law firms are prime targets for cybercriminals, so it is perhaps unsurprising that there has been an increase in law firm cyberattacks in recent months. With the threat level now at unprecedented levels, protections must be increased to keep data secure.
Many law firm cyberattacks are targeted, with hackers seeking access to highly sensitive data, although law firms can just as easily fall victim to random attacks. Those attacks still have potential to cause considerable harm.
A recent security incident has showed just how easy it is for cybercriminals to conduct attacks and take advantage of unpatched vulnerabilities.
Zero-Day WordPress Vulnerability Discovered
WordPress is a flexible website content management system. It requires relatively little skill to update and WordPress sites can be easily managed. It is therefore no surprise that it has become one of the most popular website content management systems. There are more than 60 million websites running WordPress, with the platform popular with many SMBs, including law firms.
However, the popularity of the platform makes it a target for cybercriminals. Zero-day WordPress vulnerabilities provide cybercriminals with access to the sites and their associated databases.
When a new zero-day vulnerability is discovered, WordPress rapidly issues a patch. One zero-day WordPress vulnerability was recently discovered and the platform was updated rapidly as usual. Users of the site were urged to update to version 4.7.2 as a matter of urgency.
The reason for urgency was not announced until a week later after a significant proportion of WordPress sites had been updated. However, once the vulnerability was disclosed, hackers were quick to take advantage. Within 48 hours of the REST API vulnerability being disclosed, hackers started exploiting it on a grand scale. Sucuri was tracking the attacks and monitoring its WAF network and honeypots closely to see if hackers were actively exploiting the flaw.
The cybersecurity firm reports that it identified four different hacking groups that were exploiting the WordPress vulnerability. They were performing scans to find sites still running outdated WordPress versions and once vulnerable sites were identified they were attacked.
Law Firm Cyberattacks See Websites Defaced
The failure to update WordPress promptly resulted in more than 100,000 websites being attacked, according to figures from Google. Websites were defaced, additional pages added and the sites used for SEO spam. In this case, the aim was not to gain access to data nor to load malware onto the sites, although that is not always the case.
The speed at which the WordPress flaw was exploited shows how important it is to keep WordPress sites updated. Due to the popularity of the platform, had the hacking groups loaded malware onto sites, the number of individuals who could have been infected with malware would have been considerable.
The potential fallout from a website being hacked and defaced, or worse, from malware being loaded, can be considerable. Many small law firms were attacked as a result of failing to update their WordPress site within a week of the update being issued.
A defaced website, in the grand scheme of things, is a relatively quick fix, although such an attack does not inspire confidence in a company’s ability to keep sensitive data protected. For a law firm, that could mean the difference between getting a new client and that individual seeking another law firm.
In this case, the law firm cyberattacks could have been prevented with a quick and simple update. In fact, WordPress updates can be scheduled to occur automatically to keep them secure.
The take home message is not to ignore security warnings, to ensure that someone reads the messages sent from WordPress, and better still, to set updates to occur automatically.
by G Hunt |
January 23, 2017 |
Internet Security
Take a look at the list of the worst passwords of 2016 and you would be forgiven for thinking you are looking at the worst password list for 2015. Or 2014 for that matter. Little appears to have changed year on year, even though the risk to network and data security from the use of weak passwords is considerable.
Every year, SplashData compiles a list of the worst 25 passwords of the year. 2017 is the sixth consecutive year when the company has produced its list. Given the number of largescale data breaches that occurred in 2016, it would be reasonable to assume that organizations would take a proactive step and introduce restrictions on the passwords that can be used to secure corporate networks, computers, and email accounts. Many still don’t. It is still possible for end users to use passwords with no capital letters (or no letters at all), no symbols, and consecutive number strings are still permitted.
Should a hacker attempt a brute force attack – attempting to gain access using an automated system that guesses potential password combinations – a weak password would allow access to be gained incredibly quickly.
If any of the passwords from the list of the worst passwords of 2016 were used, it would be like there was no password required at all. How quickly can a hacker crack one of these passwords? According to Random ize, most of the passcodes on the list of the worst passwords of 2016 could be guessed in under a second. BetterBuys is more pessimistic, claiming most could be guessed in about 0.25 milliseconds.
To compile its list, SplashData scraped data dumps that included passwords. 2016 saw a great deal of data published on darknet sites by cybercriminals that had succeeded in breaching company defenses. For its list, SplashData analyzed more than 5 million credentials, most of which came from data breaches in North America and Europe.
The most commonly used password in 2016 was 123456, as it was in 2015. Password was the second most common password in 2016. There was no change in the top two worst passwords even though cybersecurity awareness has increased. As we saw last year, even John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, allegedly used a variation of the word password to “secure” his accounts. That poor choice clearly demonstrated that the use of poor passwords offers very little protection against hackers.
The worst password of 2016 was used on an incredible 4% of user accounts, and almost as many individuals used password. SplashData says around 10% of individuals use a password that was on the list of the 25 worst passwords of 2016.
Some individuals have got clever, or so they think. They use a variation of ‘password’. However, password1 and passw0rd are barely any better. The small change would not delay a hacker by any noticeable degree. Hackers are well aware of the use of numbers to replace letters and other techniques to make passwords more secure, such as adding a digit to the end of a word. – Password1 for example.
SplashData’s List of the Worst Passwords of 2016
- 123456
- password
- 12345
- 12345678
- football
- qwerty
- 1234567890
- 1234567
- princess
- 1234
- login
- welcome
- solo
- abc123
- admin
- 121212
- flower
- passw0rd
- dragon
- sunshine
- master
- hottie
- loveme
- zaq1zaq1
- password1
If you were wondering how the list has changed year on year, take a look at last year’s list and you will see a number of similarities.
List of the Worst Passwords of 2015
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- football
- 1234
- 1234567
- baseball
- welcome
- 1234567890
- abc123
- 111111
- 1qaz2wsx
- dragon
- master
- monkey
- letmein
- login
- princess
- qwertyuiop
- solo
- passw0rd
- starwars
In order to make it harder for hackers, complex passwords should be chosen. Passwords should be at least 9 characters, contain numbers, letters (lower and upper case), and symbols. They should not be words, although pass phrases of 15 or more characters would be acceptable. Passwords should also be changed frequently. The use of a password manager is recommended to ensure that these complex passwords can be remembered.
by G Hunt |
July 22, 2016 |
Internet Security
CryptXXX has fast become one of the most prevalent strains of ransomware, although until recently infection was only possible via malicious websites. Now researchers at Proofpoint have spotted CryptXXX ransomware emails. The group behind the attacks have added a new attack vector. CryptXXX ransomware emails contain a Word document containing a malicious macro. If the macro is allowed to run it will load a VB script into the memory which will use Powershell to make contact with the attackers’ command and control server. Once a connection has been made, CryptXXX will be downloaded onto the victim’s computer. Authors have realized the benefits to be gained from adopting an affiliate model to help infect machines and now a number of new players have entered the ransomware market.
If a “ransomware kit” is provided, individuals with little hacking skill can conduct their own ransomware campaigns. The ransomware authors can charge a nominal fee for supplying the kit, and can also take a cut on the back end. When an affiliate infects a computer and a ransom is paid, the authors receive a cut of the payment. This model works well and there is no shortage of individuals willing to try their hand at running ransomware campaigns. The CryptXXX ransomware emails are being sent by an affiliate (ID U000022) according to Proofpoint.
Identifying CryptXXX Ransomware Emails
The CryptXXX ransomware emails are being sent with a subject line of “Security Breach – Security Report #Randomnumber.” The emails contain only basic information about a supposed security breach that has occurred. The security report is supplied as an attached Word document. The body of the email contains the date, time of the attack, the provider, location, IP address, and port. The email recipient is instructed to open the file attachment to view details of the attack and find out about the actions that should be taken.
The file attachment is given a name such as “info12.doc” according to Proofpoint. If the attached Word file is opened, a Microsoft Office logo is displayed. The user is informed that the document has been created in a newer version of Microsoft Office. The content of the document will only be displayed if macros are enabled. Enabling the macros will result in the VB script being loaded. Then ransomware will then be downloaded and users’ files encrypted.
There is no fix if files are encrypted. The victim must pay the ransom or lose their files. Once an infection has occurred, files can only be recovered from backups if the victim does not pay the ransom.
CryptXXX Ransomware Still Being Delivered by Neutrino
Since the demise of the Angler exploit kit, CryptXXX was moved over to Neutrino. There was a dramatic fall in infections as activity temporarily stopped; however, Invincea recently reported a surge in activity via compromised business websites. The SoakSoak botnet is being used to scan the Internet for vulnerable websites. The websites being targeted run the WordPress Revslider slideshow plugin. Scripts are appended to the slideshow that redirect visitors to a malicious site containing Neutrino.
CryptXXX will only be downloaded if the endpoint lacks certain security tools that would detect an installation. If Wireshark, ESET, VMware, Fiddler, or a Flash debugging utility is present, the ransomware will not be downloaded.
by G Hunt |
April 8, 2016 |
Internet Security
Vulnerabilities in Adobe Flash Player are discovered with such regularity that news of another raises few eyebrows, but the latest critical vulnerability – discovered in Adobe Flash Player 21.0.0.197 and earlier versions – is a cause for concern. It is already being exploited by hackers and is being used to infect users with ransomware.
Any device that is running Adobe Flash Player 21.0.0.197 (or earlier) is at risk of the vulnerability being exploited and malicious file-encrypting software being installed. The latest vulnerability can be used to attack Windows, Macs, Linux systems and Chromebooks, according to ProofPoint, although Adobe reports that the vulnerability only affects Windows 10 and earlier versions running the vulnerable versions.
Flash vulnerabilities are usually exploited by visiting malicious websites or webpages that have been compromised and infected with exploit kits. Those exploit kits probe for a range of weaknesses, such vulnerabilities in Adobe Flash Player, and exploit them to download malware or ransomware to the user’s device.
These drive-by attacks occur without users’ knowledge, as the downloaded file is not displayed in the browser and is not saved to the download folder. It is also difficult to determine whether a website has been compromised or is malicious in nature without software solutions that analyze the website content.
Vulnerabilities in Adobe Flash Player Exploited to Deliver Cerber and Locky Ransomware
The latest attack uses the Magnitude exploit kit. The fact that it is Magnitude suggests the latest ransomware attacks are the work of an individual cybercriminal gang. That gang has acted quickly to include the latest Flash vulnerability into Magnitude.
According to Trend Micro, the vulnerability is being used to deliver Locky ransomware – the malicious file-encrypting software that has been used to attack hospitals in the United States in recent weeks. Locky was reportedly the ransomware used in the attack on Hollywood Presbyterian Medical Center in February. That infection cost the healthcare organization $17,000 to remove, not to mention the cost of attempting to remove the infection and restore backup files prior to the ransom being paid.
ProofPoint suggests the vulnerability is being used to deliver Cerber ransomware. Cerber is a new ransomware that has was released in the past month. It can be used to encrypt files on all Windows versions, although not those in Russian.
Cerber and Locky are being downloaded via malicious websites, although these are typically not visited by the vast majority of Internet users. In order to get traffic to these sites the attackers are using spam email containing malicious attachments.
In contrast to many malicious spam emails that install malware using executable files and zip files, the attackers are using Word documents containing malicious macros. The macros do not download the ransomware directly, instead they direct the victim, via a number of redirects, to a malicious site where the drive-by download takes place.
The vulnerability, named as CVE-2016-1019, will crash Adobe Flash when it is exploited. Adobe reports that the vulnerability exists in 21.0.0.197. Trend Micro says the exploit will not work on versions 21.0.0.197 and 21.0.0.182, only on Flash 20.0.0.306 and earlier versions due to mitigations put in place by Adobe.
ProofPoint’s Ryan Kalember said that the exploit has been engineered to only work on earlier versions of Flash and that attacks have been degraded to evade detection. All versions of Flash could potentially be used for the attack should the criminals behind the Magnitude exploit kit so wish.
Of course, this is just one of many vulnerabilities in Adobe Flash Player that can be exploited and used to deliver ransomware or other forms of malware. To prevent attacks, sysadmins should ensure that all devices are updated to the latest version of the software. Adobe said it was releasing a security update to address the vulnerability on April 7, 2016.
Vulnerabilities in Adobe Flash Player are addressed with updates, although there are two software solutions that can help to protect users from attack. Anti-spam solutions such as SpamTitan can be used to prevent spam email from being delivered, reducing the risk of end users opening Word documents infected with malicious macros.
WebTitan products tackle these attacks by blocking malicious websites, preventing users from visiting sites where drive-by downloads take place. There is usually a wait while vulnerabilities in Adobe Flash Player are addressed, and these two solutions can help keep devices malware free until updates are applied.
by G Hunt |
January 25, 2016 |
Internet Security
Each January, the PwC Annual Global CEO Survey is published detailing the major perceived threats to corporate growth. This year the results of the survey show that CEOs are more worried about the cost of dealing with cyberthreats, and believe that they can actually have a major negative impact on corporate growth.
Cost of dealing with cyberthreats a major impediment to 2016 growth
The global survey probed 1,409 CEOs about their concerns about impediments to growth, with cyberthreats ranking as one of the top ten major problems. 61% of respondents said they were worried about cyberthreats and the effect they will have on growth this year.
Over-regulation and geopolitical uncertainty were considered to be more pressing concerns, being cited by 79% and 74% or respondents, while the availability of key skills was mentioned as a major threat to growth by 72% of CEOs. The cost of dealing with cyberthreats was ranked as the eighth biggest impediment to growth in 2016.
While 60% of CEOs believe there are more opportunities for growth than 3 years ago, 66% said there were now more threats to growth. 26% said they only saw more opportunities, while 32% saying they only saw more threats.
The cost of dealing with cyberthreats is considerable, although nowhere near as high of the cost of failing to deal with them. Last year the Ponemon Institute calculated the cost of cyberthreats and determined the cost to businesses is soaring, with the IBM sponsored study determining the average cost of dealing with security breaches had risen to $3.8 million.
Some of the large organizations included in the study suffered cybercrime losses as high as $65 million, with the cost of cyberthreats having risen by 23% over the course of the past two years.
The IBM Cost of Data Breach Study determined the cost per stolen record to be between $145 and $154. When cybercriminals manage to steal millions of customer records, the cost to business can therefore be considerable.
Major cyberthreats of 2016
- Cloud computing
- Mobile devices
- Malware
- State sponsored hacking
- Phishing attacks
- Ransomware
- Medical devices
Cyberthreats may be an impediment to growth, but it doesn’t mean that those threats cannot be mitigated. Given the increasing risk it is imperative that adequate security defenses are put in place to repel attacks. Malware and ransomware are becoming more sophisticated and much more difficult to identify, as are the phishing campaigns that are used to deliver the malicious software. Anti-phishing strategies must therefore be implemented to block malicious emails and staff members must be trained how to identify phishing attacks when they do occur.
Implement SpamTitan to block emails from being delivered to employee’s inboxes, conduct regular staff training exercises to better educate employees, and perform phishing email tests to ensure that members of staff get practice at identifying dummy phishing emails.
It is also essential to develop policies and controls to limit the types of websites that employees are able to visit when using their work computers as well as for BYOD. Drive-by malware downloads are an increasing threat. Exploit kits are much more commonly used to probe for security vulnerabilities, such as out of date plugins. These can be exploited and used to download malware to devices without any interaction from the user.
To mitigate the risk, patch management policies must be developed. It is more essential than ever to ensure that all software is updated as soon as patches are released.
