Security researchers in Israel have developed a proof-of-concept exploit called DoubleAgent that takes advantage of vulnerabilities in antivirus products to turn them against users. The exploit could potentially be incorporated into DoubleAgent malware, although there have been no known attacks that take advantage of the flaws in AV products to the researchers’ knowledge.
The proof-of-concept was developed by Cybellum researchers, who say that most third-party Windows antivirus products are susceptible and could potentially be hijacked. To date only three AV companies have confirmed that they are developing patches to block potential DoubleAgent malware attacks – AVG, Trend Micro and Malwarebytes.
The attack involves the Microsoft Application Verifier, which is used to check for bugs in programs that run on Windows. The researchers use DLL hijack techniques to fool the verifier using a malicious DLL. They claim the technique could be used to insert a custom verifier into any application.
DoubleAgent malware may not yet have been developed to exploit the zero-day vulnerability, although the researchers say they have used their proof-of-concept to take full control of the Norton Security AV program – many other AV products are also susceptible to this type of attack.
The Cybellum-developed DoubleAgent malware could be used in a number of different attack scenarios, all of which are particularly chilling.
Since the antivirus program can be pwned by an attacker, it could be turned on the user and used as malware. Antivirus software is trusted, so any actions taken by the AV program would be treated as legitimate. The researchers warn that the AV program could be turned into a double agent and do anything the attackers wanted.
The AV solution could be instructed to whitelist certain other programs allowing an attacker to install any malware undetected. Once installed, the malware would run totally undetected and the user would be unaware that their AV software had been rendered virtually useless. The AV software would also be prevented from flagging data exfiltration or communications with the attacker’s C&C.
An attacker could cripple a company’s applications using the DoubleAgent malware. If a legitimate program used by the company is marked as malicious by its antivirus software program, it would be prevented from running. It would therefore be possible to perform Denial of Service attacks. Also, since AV software has the highest level of privileges, it could be used to perform any number of malicious actions, such as deleting data or formatting a hard drive. That means a ransomware-style attack could be performed or the company’s computer systems could be sabotaged.
Fortunately, only Cybellum has the code and AV companies that have been found to be susceptible to such an attack have been notified. Patches are therefore likely to be developed to prevent such an attack.
A recent survey conducted by CBT Nuggets has revealed that even tech savvy people are prone to commit cybersecurity howlers and place themselves, and their organization, at risk. In fact, far from intelligence preventing individuals from suffering online identity theft and fraud, it appears to make it far more likely.
The survey, which was conducted on 2,000 respondents, showed that people who believed they were tech savvy were actually 18 times more likely to become victims of online identity theft.
The more educated individuals were, the more likely they were to become victims of cybercrime. The survey revealed that high school graduates were less likely to be victims of cybercrime than individuals who had obtained a Ph.D.
24% of respondents with a Ph. D said they were a victim of identity theft compared to 14% who had a Bachelor’s degree, 13% who were educated to college level and 11% who had been educated only to high school level.
Women were found to be 14% more likely to have their identities stolen than men, and millennials were less likely to suffer identity theft than Baby Boomers and Generation X.
Interestingly, while the vast majority of malware targets Windows users, the survey revealed that users of Apple devices were 22% more likely to be victims of identity theft than Windows users, although Android phone users were 4.3% more likely than iPhone users to suffer identity theft.
There were some interesting results about the level of care used when venturing online. Even though the risk of cyberattacks on law firms has increased in recent years and law firms are a major target for cybercriminals, lawyers were less likely than other professionals to follow online security best practices.
69% of respondents from the legal profession did not follow online security best practices because they were too lazy to do so. Only people in ‘religious industries’ fared worse on the laziness scale (70%).
46% of healthcare industry professionals said they were too lazy when it came to cybersecurity, a particular worry considering the value of healthcare data and the extent to which cybercriminals are conducting attacks on the healthcare industry. The most common reason given for lax security and taking risks online was laziness, being too busy and it being inconvenient to follow security best practices.
65.9% of respondents believed they faced a medium or high risk of being hacked, yet only 3.7% of respondents said they followed all of the basic security recommendations. Perhaps that’s why so many people felt they faced a medium or high risk of being hacked!
One of the biggest risks taken by respondents was avoiding using public Wi-Fi networks. Only 11.8% of respondents said they avoided connecting to the Internet on public Wi-Fi networks. However, when it comes to divulging sensitive information while connected to a public Wi-Fi network, people were more savvy. 83.3% said they avoided transmitting sensitive information when connected to public Wi-Fi networks. Only 40.6% of respondents said they updated their devices every time they were prompted to do so.
The survey also showed which states were the worst for identity theft. While Florida often makes the headlines, the state ranked in the bottom ten for identity theft, with just 11% of respondents from the state saying they had suffered identity theft. The worst states were Maryland with 28% of respondents saying they were victims of identity theft, followed by Alabama with 26% and Kentucky with 22%. The safest states were Alabama (6%) and Louisiana (5%).
Law firms are prime targets for cybercriminals, so it is perhaps unsurprising that there has been an increase in law firm cyberattacks in recent months. With the threat level now at unprecedented levels, protections must be increased to keep data secure.
Many law firm cyberattacks are targeted, with hackers seeking access to highly sensitive data, although law firms can just as easily fall victim to random attacks. Those attacks still have potential to cause considerable harm.
A recent security incident has showed just how easy it is for cybercriminals to conduct attacks and take advantage of unpatched vulnerabilities.
Zero-Day WordPress Vulnerability Discovered
WordPress is a flexible website content management system. It requires relatively little skill to update and WordPress sites can be easily managed. It is therefore no surprise that it has become one of the most popular website content management systems. There are more than 60 million websites running WordPress, with the platform popular with many SMBs, including law firms.
However, the popularity of the platform makes it a target for cybercriminals. Zero-day WordPress vulnerabilities provide cybercriminals with access to the sites and their associated databases.
When a new zero-day vulnerability is discovered, WordPress rapidly issues a patch. One zero-day WordPress vulnerability was recently discovered and the platform was updated rapidly as usual. Users of the site were urged to update to version 4.7.2 as a matter of urgency.
The reason for urgency was not announced until a week later after a significant proportion of WordPress sites had been updated. However, once the vulnerability was disclosed, hackers were quick to take advantage. Within 48 hours of the REST API vulnerability being disclosed, hackers started exploiting it on a grand scale. Sucuri was tracking the attacks and monitoring its WAF network and honeypots closely to see if hackers were actively exploiting the flaw.
The cybersecurity firm reports that it identified four different hacking groups that were exploiting the WordPress vulnerability. They were performing scans to find sites still running outdated WordPress versions and once vulnerable sites were identified they were attacked.
Law Firm Cyberattacks See Websites Defaced
The failure to update WordPress promptly resulted in more than 100,000 websites being attacked, according to figures from Google. Websites were defaced, additional pages added and the sites used for SEO spam. In this case, the aim was not to gain access to data nor to load malware onto the sites, although that is not always the case.
The speed at which the WordPress flaw was exploited shows how important it is to keep WordPress sites updated. Due to the popularity of the platform, had the hacking groups loaded malware onto sites, the number of individuals who could have been infected with malware would have been considerable.
The potential fallout from a website being hacked and defaced, or worse, from malware being loaded, can be considerable. Many small law firms were attacked as a result of failing to update their WordPress site within a week of the update being issued.
A defaced website, in the grand scheme of things, is a relatively quick fix, although such an attack does not inspire confidence in a company’s ability to keep sensitive data protected. For a law firm, that could mean the difference between getting a new client and that individual seeking another law firm.
In this case, the law firm cyberattacks could have been prevented with a quick and simple update. In fact, WordPress updates can be scheduled to occur automatically to keep them secure.
The take home message is not to ignore security warnings, to ensure that someone reads the messages sent from WordPress, and better still, to set updates to occur automatically.
Cyberattacks on law firms have been steadily increasing over the past three years. According to data from PwC’s annual Law Firms Survey last year, 73% of the UK’s top 100 law firms have been attacked by cybercriminals in the past year. In 2014/2015, 62% of the top 100 law firms were attacked. The previous year the figure stood at 45%. In the past two years, cyberattacks on law firms have increased by a staggering 60%.
According to PwC’s figures, large law firms are the most frequently targeted. 90% of the top 25 legal firms had experienced a cyberattack in the past 12 months. The types of attacks are highly varied, although the most common way attacks occur is via the firm’s email system.
Spear phishing emails are sent to solicitors in an attempt to obtain banking credentials and access to email accounts. When solicitors respond to these phishing emails and divulge their banking credentials, client funds are transferred to the criminals’ accounts. According to the survey, 84% of legal firms said they had experienced a phishing attack in the past year.
Solicitors in the UK and Ireland and attorneys in the United States are also being sent bogus emails that claim to be from home buyers or sellers. Instructions are provided asking for funds to be transferred to alternate accounts. Hackers eavesdrop on email conversations and are aware when funds are about to be transferred. They then sent an email to an attorney/solicitor posing as the buyer/seller of a property and provide alternate bank accounts asking for the funds to be transferred to the new account.
Buyers and sellers of properties are also targeted in a similar fashion. They are sent emails with the hacker claiming to be their solicitor. Alternate bank account details are provided for transfers. This is now one of the main types of cyberattacks on law firms and their clients.
Direct attacks on networks still occur, with hackers taking advantage of vulnerabilities in security defenses. However, law firm hacking only accounts for around 16% of incidents. Malware is a much bigger threat. Malware is delivered via spam email or drive-by downloads from the Web. 55% of legal firms say they have experienced a malware attack in the past 12 months. Malware can be ransomware – which locks computers with powerful encryption until a ransom payment is made or keyloggers that record sensitive data such as usernames and passwords. Malware can also enable criminals to gain access to systems to steal sensitive data and extort money out of law firms.
Law firm cyberattacks can be costly to resolve; however, the biggest cost can be loss of reputation. If law firms suffer cyberattacks and client data is stolen or exposed, reputations can be permanently damaged. Legal firms that are unable to ensure that their clients’ information remains confidential may find the cost of removing malware the least of their problems.
To prevent phishing emails and malware from being delivered to inboxes, an advanced spam filter is required. SpamTitan includes a powerful anti-phishing component that recognizes the common signatures of phishing emails and ensures they are not delivered. SpamTitan also blocks 100% of known malware and ransomware, ensuring end users do not receive malicious email attachments and links to malware-ridden websites.
To find out how SpamTitan can improve your security posture, contact the TitanHQ team today and take the first step toward preventing your law firm from being added to next year’s PwC’s law firm cyberattack statistics.
Take a look at the list of the worst passwords of 2016 and you would be forgiven for thinking you are looking at the worst password list for 2015. Or 2014 for that matter. Little appears to have changed year on year, even though the risk to network and data security from the use of weak passwords is considerable.
Every year, SplashData compiles a list of the worst 25 passwords of the year. 2017 is the sixth consecutive year when the company has produced its list. Given the number of largescale data breaches that occurred in 2016, it would be reasonable to assume that organizations would take a proactive step and introduce restrictions on the passwords that can be used to secure corporate networks, computers, and email accounts. Many still don’t. It is still possible for end users to use passwords with no capital letters (or no letters at all), no symbols, and consecutive number strings are still permitted.
Should a hacker attempt a brute force attack – attempting to gain access using an automated system that guesses potential password combinations – a weak password would allow access to be gained incredibly quickly.
If any of the passwords from the list of the worst passwords of 2016 were used, it would be like there was no password required at all. How quickly can a hacker crack one of these passwords? According to Random ize, most of the passcodes on the list of the worst passwords of 2016 could be guessed in under a second. BetterBuys is more pessimistic, claiming most could be guessed in about 0.25 milliseconds.
To compile its list, SplashData scraped data dumps that included passwords. 2016 saw a great deal of data published on darknet sites by cybercriminals that had succeeded in breaching company defenses. For its list, SplashData analyzed more than 5 million credentials, most of which came from data breaches in North America and Europe.
The most commonly used password in 2016 was 123456, as it was in 2015. Password was the second most common password in 2016. There was no change in the top two worst passwords even though cybersecurity awareness has increased. As we saw last year, even John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, allegedly used a variation of the word password to “secure” his accounts. That poor choice clearly demonstrated that the use of poor passwords offers very little protection against hackers.
The worst password of 2016 was used on an incredible 4% of user accounts, and almost as many individuals used password. SplashData says around 10% of individuals use a password that was on the list of the 25 worst passwords of 2016.
Some individuals have got clever, or so they think. They use a variation of ‘password’. However, password1 and passw0rd are barely any better. The small change would not delay a hacker by any noticeable degree. Hackers are well aware of the use of numbers to replace letters and other techniques to make passwords more secure, such as adding a digit to the end of a word. – Password1 for example.
SplashData’s List of the Worst Passwords of 2016
If you were wondering how the list has changed year on year, take a look at last year’s list and you will see a number of similarities.
List of the Worst Passwords of 2015
In order to make it harder for hackers, complex passwords should be chosen. Passwords should be at least 9 characters, contain numbers, letters (lower and upper case), and symbols. They should not be words, although pass phrases of 15 or more characters would be acceptable. Passwords should also be changed frequently. The use of a password manager is recommended to ensure that these complex passwords can be remembered.
A Barts Health malware attack forced the shutdown of hospital IT systems on Friday last week as the UK NHS Trust attempted to limit the damage caused and contain the infection.
Barts Health is the largest NHS Trust in the United Kingdom, operating six hospitals in the capital: Mile End Hospital, Newham University Hospital, St Bartholomew’s Hospital, The London Chest Hospital, The Royal London Hospital, and Whipps Cross University Hospital.
The Barts Health malware attack occurred on Friday 13, 2016. Given the number of ransomware attacks on healthcare organizations in recent months, rumors started to quickly circulate that this was another healthcare ransomware attack.
A statement was released on Friday claiming the Trust had experienced an ‘IT attack,’ and that as a precaution, a number of drives were taken offline to prevent the spread of the infection. The type of malware that had been installed was not known, although the NHS trust did say in its statement that it did not believe ransomware was involved.
Multiple drives were shut down following the discovery of the malware including those used by the pathology department, although patient data were unaffected and the NHS Trust’s Cerner Millennium patient administration system remained operational, as did the systems used by the radiology department.
Today, Barts Health reports that all of its systems are back online and the infection has been removed. Medical services for patients were not affected, although Barts Health said due to the need for requests to be processed manually, it may take a few days for the pathology department to deal with the backlog.
Barts Health also reiterated that at no point were patient medical records compromised. No mention has been made about how the malware was installed and the type of malware involved was not announced. However, the Barts Health malware attack involved a form of malware that had not previously been seen and was a ‘Trojan Malware.’
The Trust said “whilst it had the potential to do significant damage to computer network files, our measures to contain the virus were successful”.
Ransomware Attacks on UK Hospitals
In November last year, the Northern Lincolnshire and Goole NHS Trust was attacked with ransomware which resulted in IT systems at three hospitals being crippled. As a result of that attack, the NHS Trust was forced to cancel 2,800 operations and appointments while the infection was removed and systems restored. The majority of IT systems had to be taken offline, hence the major disruption to medical services.
While Locky and Samas have been used extensively in attacks on U.S. hospitals, the Northern Lincolnshire and Goole NHS Trust ransomware attack involved a ransomware variant known as Globe2 – A relativity new variant that was first identified in August 2016.
Globe ransomware has been spread primarily via spam email and malicious file attachments. Opening the file attachment triggers the downloading of the ransomware. As with other ransomware variants, the attachments appear to be files such as invoices or medical test results.
Malicious links are also used to spread ransomware infections. Clicking a link directs users to malicious websites where ransomware is automatically downloaded. Fortunately for organizations attacked with Globe ransomware, a decryptor has been developed by Emisoft, which is available for free download.
However, relatively few ransomware variants have been cracked. Recovery can also take time resulting in considerable disruption to business processes. Ensuring backups of all critical data are regularly made will ensure that files can be recovered without giving in to attackers’ demands.
Preventing malware and ransomware attacks requires multi-layered defenses. Since many infections occur as a result of infected email attachments and links, organizations should employ an advanced spam filtering solution such as SpamTitan. SpamTitan has been independently tested and shown to block 99.97% of spam email. SpamTitan will also block 100% of known malware.
Apple malware infections are relatively rare, although Mac users should not get complacent. New threats do appear from time to time and cybercriminals do target Mac users. This month another malware variant has been discovered – a type of screen locker – that is linked to a tech support scam and its Mac users that are being targeted.
The attack starts when the user clicks on a malicious link in a spam email message, although links on social media sites could also be used to direct end users to the malicious website where the attack occurs. When the malicious website is visited, malicious code on the site causes a denial-of-service attack which freezes the device as its memory is consumed.
The method of locking the computer depends on the version of OS X installed on the device. On older OS X versions, a visit to the malicious website will trigger the creation of multiple emails until the Macs memory is overloaded. The emails have the subject “Warning: Virus Detected”. Since no memory is available, users will not be able to launch any other programs. The email messages are only created as drafts – they are not delivered – although this will be sufficient to freeze the device.
Additionally, a message is loaded into the draft folder containing a phone number to call to have the virus removed. While the message appears to have been sent by Apple, this is part of the scam. This is how the attackers make their money. Removal of the infection will require payment. The attackers appear to be after credit card numbers.
The second variant of the attack affects newer OS X versions. Rather than trigger draft emails, a similar style of attack occurs via iTunes. Multiple iTunes windows are launched, similarly using up the Macs memory. As with the first attack, a message also appears with a telephone number to call to remove the infection.
These tech support scams may not involve any downloaded malware, although responding to this type of scam and providing credit card details will result in multiple payments being taken until the card provider blocks the card or credit limits are reached.
Tech support scams such as this frequently target Windows users via Firefox, IE, Edge or Chrome browsers. Multiple browser windows are launched with a tech support number displayed. A call is required to unlock the infection.
These browser-locking attacks are relatively common. Only last month, Symantec identified a new campaign which locks the screen on Windows computers and displays a browser window detailing imagery from the police force of the country where the user is based – Most of the attacks occurred in the US (FBI) and Europe (Europol).
Users are advised that they have been caught engaging in illegal online activity, usually related to pornography or child abuse. A code must be obtained from the police department to unlock the screen. A phone number is supplied which the user must call to make payment. The attackers rely on victims’ fear and embarrassment to obtain payment.
2016 was a particularly bad year for data breaches. A large number of huge data breaches from years gone by were also discovered in 2016.
The largest breach of 2016 – by some distance – affected Yahoo. The credentials of more than 1 billion users were obtained by the gang behind the attack. A massive cyberattack on MySpace was discovered, with the attackers reportedly obtaining 427 million passwords. 171 million vk.com account details were stolen, including usernames, email addresses, and plaintext passwords. 2016 also saw the discovery of a massive cyberattack on the professional networking platform LinkedIn. The credentials of more than 117 million users were stolen in the attack. Then there was the 51-million iMesh account hack, and 43 million Last.fm accounts were stolen….to name but a few.
The data stolen in these attacks are now being sold on darknet marketplaces to cybercriminals and are being used to commit a multitude of fraud.
One of the biggest threats for businesses comes from business email compromise (BEC) scams. BEC scams involve an attacker impersonating a company executive or vendor and requesting payment of a missed invoice. The attacker sends an email to a member of the accounts team and requests payment of an invoice by wire transfer, usually for several thousand dollars. All too often, even larger transfers are made. Some companies have lost tens of millions of dollars to BEC fraudsters.
Since the email appears to have been sent from a trusted email account, transfer requests are often not questioned. Cybercriminals also spend a considerable amount of time researching their targets. If access to corporate email accounts is gained, the attackers are able to look at previous emails sent by the targets and copy their writing style.
They learn about how transfer requests are usually emailed, the terms used by each company and executive, how emails are addressed, and the amounts of the transfers that have been made. With this information an attacker can craft convincing emails that are unlikely to arouse suspicion.
The scale of the problem was highlighted earlier this year when the FBI released figures as part of a public awareness campaign in June. The FBI reported that $3.1 billion had been lost as a result of BEC scams. Just four months earlier, the losses were $2.3 billion, clearly showing that the threat was becoming more severe.
This year also saw a huge increase in W-2 scams in the United States. W-2 data is requested from HR departments in a similar manner to the BEC scams. Rather than trying to fool email recipients into making fraudulent transfers, the attackers request W-2 data on employees in order to allow them to file fraudulent tax returns in their names. The IRS issued a warning earlier this following a huge increase in W2 attacks on organizations in the United States.
Companies large and small were targeted, with major attacks conducted on Seagate, Snapchat, Central Concrete Supply Co. Inc, and Mainline Health. Between January and March 2016, 55 major – and successful – W-2 scams were reported to the IRS.
Attackers do not even need email account passwords to conduct these attacks. Email addresses of CEOs and executives can easily be spoofed to make them appear that they have been sent internally. The sheer number of stolen email addresses – and in many cases also passwords – makes the threat of BEC and W-2 attacks even greater. Security experts predict next year will be even tougher for businesses with even more cyberattacks than in 2016.
Improve Your Defenses Against Email-Borne Threats in 2017
Reducing the risk of these attacks requires multi-layered defenses. It is essential that all employees authorized to make corporate bank transfers receive training on email security and are alerted to the risk of BEC scams. Policies should be introduced that require bank transfer requests to be authorized by a supervisor and/or authenticated by phone prior to the transfer being made.
All employees should be instructed to use strong passwords and never to share work passwords anywhere else online. Many employees still use the same password for work as for personal accounts. However, if one online platform is breached, it can give the attackers access to all other platforms where the same password has been used – including corporate email accounts.
Organizations should also implement controls to block phishing and spear phishing attacks. Blocking phishing emails reduces reliance on the effectiveness of anti-phishing training for employees.
SpamTitan is a highly effective tool for blocking malicious spam emails, including phishing and spear phishing emails. SpamTitan uses a range of techniques to identify spam and scam emails including Bayesian analyses, greylisting and blacklists. SpamTitan incorporates robust anti-malware and anti-phishing protection, as well as outbound email scanning to block spam and scams from corporate email accounts. SpamTitan is regularly tested by independent experts and is shown to block 99.97% of spam email with a low false positive rate of just 0.03%.
2016 may have been a particularly bad year for data breaches and the outlook doesn’t look good for 2017, but by taking affirmative action and implementing better defenses against email-borne attacks, you could ensure that your company is not added to the 2017 list of data breach and scam statistics.
In July, news started to break about a massive Yahoo Inc data breach. It has taken some time, but the Yahoo Inc data breach has now been confirmed. And it was huge.
The Yahoo Inc data breach beats the massive cyberattack on Heartland Payment Systems in 2009 (130 million records), the LinkedIn cyberattack discovered this summer (117 million records), and the 2011 Sony data breach (100 million records). In fact, the Yahoo Inc data breach is the largest ever reported. More records were stolen in the cyberattack than those three breaches combined. More than 500 million accounts were compromised, according to Yahoo.
Yahoo Inc Data Breach Worse than Initially Thought
The Yahoo Inc data breach came to light when a hacker added a listing to the Darknet marketplace, theRealDeal. The credentials of 280 million account holders were offered for sale by a hacker called ‘Peace’. To anyone who follows Internet security news, the name of the hacker selling the data should be familiar. Peace recently listed the data from the LinkedIn hack for sale.
The 280 million Yahoo records were listed for a paltry $1,800. That payment would buy a cybercriminal names, usernames, easily crackable passwords, backup email addresses, and dates of birth. While the data were listed for sale 2 months ago, Yahoo has only just announced the breach.
After being alerted to the listing, Yahoo initiated an internal investigation. The investigation allegedly did not uncover any evidence to suggest that the claims made by “Peace” were genuine. However, the internal investigation did reveal that someone else had hacked Yahoo’s systems. Yahoo claims the hack was performed by a state-sponsored hacker.
Yahoo issued a statement saying “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.” While that is undoubtedly good news, the bad news is that access is no longer required because user’s data have already been stolen.
The stolen data include names, email addresses, dates of birth, telephone numbers, security questions and answers, and hashed passwords. According to Yahoo, users’ bank account information and payment card details do not appear to have been stolen. Those credentials were stored in a separate system.
What is most concerning about the Yahoo Inc data breach is not the fact that its systems were compromised, but how it has taken so long for Yahoo to discover the cyberattack. The breach did not occur over the summer. The hack took place in 2014.
The results of the Yahoo Inc data breach investigation will have come as a nasty shock to Verizon. The company agreed to buy Yahoo’s core web business, including Yahoo email, in the summer for $4.8bn. It is possible that Verizon may now be having second thoughts about that deal. Whether the hack will have an impact on the purchase remains to be seen, but for Yahoo the timing could not be much worse.
Yahoo Account Holders Advised to Change Passwords and Security Q&As
Yahoo account holders are unlikely to be concerned about any potential sale of their email accounts to Verizon. They will however be concerned about the sale of their credentials to cybercriminal gangs. Even if the data that were listed for sale by Peace are not genuine, someone somewhere does have their data. Most likely, their data are in the hands of multiple criminals. Those data can – and will – be used in a variety of malicious ways.
Yahoo has now placed a notice on its website alerting users to the breach of their data. Yahoo has also sent out emails to affected users urging them to login to their accounts and change their passwords and security questions. The old security questions and answers have now been invalidated and Yahoo has told users to check their accounts for any suspicious activity, albeit out of “an abundance of caution”.
Fortunately for account holders, the majority of passwords were encrypted with bcrypt – a relatively secure form of encryption. However, that does not mean that the passwords cannot be cracked nor that email account holders are not at risk as a result of the Yahoo Inc data breach.
Yahoo Users at Risk of Phishing Attacks
Cybercriminals may not be able to crack the passwords and gain access to user accounts, but they have all the data they need to conduct phishing campaigns.
Yahoo has already emailed users alerting them to the breach, but the emails contained links that can be used to change passwords and security questions. Any cybercriminal in possession of the stolen data is likely to copy the official emails sent by Yahoo. However, instead of links to Yahoo’s website, the emails will contain links to phishing sites.
Those sites are likely to look exactly the same as the official Yahoo site. However, any user entering a new password or security question, would simply be disclosing that information to the attacker. Emails are also likely to be sent that direct users to websites containing exploit kits. Clicking the links will result in malware and ransomware downloads.
If the criminals behind the attack – or those in possession of the data – do manage to crack the passwords, it is not only Yahoo email accounts that could be compromised. Any individual who has used the same password on other websites faces a high risk of other accounts being compromised. Bank accounts, social media accounts, other email accounts, E-bay and Amazon.com accounts could all be at risk.
The data could also be used for social engineering scams, via email or telephone. Criminals will be looking to obtain the extra data they need to commit identity theft and other types of fraud.
How to Minimize Risk and Protect Yourself
- Never click on any links contained in emails. Even if an email looks official and contains a link to help.yahoo.com or login.yahoo.com, do not click on the links. Instead, login to your account in the usual way by entering the web address directly into your browser and change your password and security questions.
- Use a strong password containing letters (capitals, and lower case), numbers, and special characters.
- If you have used the same password for multiple websites, change those passwords immediately. Each website requires a different password. Use a password manager – either a free or paid service – to remember all your passwords.
- Use Yahoo Account Key, which will eliminate the need for a password altogether
- Never respond to any email request for personal information
- Never open any attachments sent via email unless you are certain of their genuineness
As the sports spectacular fast approaches it is time to be on high alert for Rio Olympics email scams. The Olympics have not yet started, but the scammers have certainly been active. Many new Rio Olympics email scams have been spotted in recent weeks and the number will certainly increase as the opening ceremony draws closer.
Any large sporting event that attracts massive global media interest is a good opportunity for scammers. With sports fans hungry for news of the latest events, information about competitors, or the latest betting odds, it is all too easy for the guard to be let down. A scramble for last minute tickets sees scammers rake in hundreds of thousands of dollars.
Many scammers feel that the Olympics is shooting fish in a barrel season. Which sadly it is.
Kaspersky Lab has reported that the first Rio Olympics email scams were uncovered as early as 2015; however, as the opening ceremony draws closer activity has increased by several orders of magnitude. In the UK, Action Fraud – the National fraud reporting body – has already received reports of 47 cases of fraud relating to the Rio Olympics, which has resulted in attackers gaining more than £300,000 ($392,800) in funds.
Watch out for these Rio Olympics Email Scams
The Rio Olympics email scams are as diverse as the events being competed over the 17-day competition. It is therefore a time to be particularly cautious.
Criminals are after bank details for fraudulent transfers, credit card details to make purchases, personal data for identity theft, and login credentials for all manner of nefarious activities. It is a time for everyone to be on their guard. Be prepared for a barrage of Rio Olympics email scams over the next few weeks and keep your wits about you online.
Fake Tickets Scams
The price of a ticket to the opening ceremony will cost anywhere between $60 to $1,400, although touts are offering tickets at vastly inflated prices. Ticket prices to see the most popular events can cost several thousand dollars. If a scammer can get a victim to part with their hard earned cash it could potentially be a big payday. If you are still planning on attending and you haven’t yet purchased a ticket, only buy from official sellers.
Scammers have already registered a host of official-looking domain names to fool the unwary into purchasing tickets and parting with their credit card numbers. The websites use official logos that have been lifted from the Internet and appear genuine. Fake or cheap SSL certificates are also purchased making the connections appear secure, yet checks may not have been performed on the company. A SSL (website starting with https) does not guarantee it is genuine. Before parting with your money, at least perform a WHOIS search on the domain owner. Fake domains have usually been purchased in the past few weeks or months. Also perform some online checks to make sure the website is genuine.
Be aware that just because a website ranks highly in the search engines it doesn’t mean it is legitimate. Many scammers use search engine poisoning to increase the rank and position of their websites. They may even appear above those of official ticket vendors.
Many Rio Olympics email scams direct sports fans to unofficial ticket sellers and scam websites. You will at best pay over the odds for a ticket, but most likely you will just be giving your money to a scammer and no tickets will ever arrive in the post.
Congratulations! You Have Won!
If you receive an email informing you that you have won (insert amazing prize here), chances are it is a scam. If it sounds too good to be true, it most probably is. While many Rio Olympics email scams attempt to get individuals to disclose bank details and credit card information, a great deal attempt to obtain money by other means.
Many Rio Olympics email scams direct users to official looking scam websites. Be very careful about disclosing any information on any website during the Olympics.
Emails are sent with fake attachments which, if opened, will infect the email recipients’ computer with malware or ransomware. Malware can log keystrokes and obtain login credentials. Ransomware will encrypt files and a ransom must be paid in order to obtain decryption keys. Links contained in websites often direct users to malicious websites where drive-by malware downloads take place.
Olympics and Zika News
If you are a sports fan and you want to follow the latest news, search for sports sites online and bookmark the pages. Do not click links contained in emails that are delivered to your inbox or spam folder. Many people click on any links contained in emails that seem interesting. Doing so could prove very costly. Scammers are sending out fake news emails or links to legitimate stories. Those links do not direct the recipient to news websites, but to sites loaded with exploit kits which download malware and ransomware onto users’ computers.
Fake Prize Draws
Social media is awash with offers to enter prize draws to win tickets to the Olympics. Be exceptionally careful about disclosing any personal information on social media sites. Scammers often use fake prize draws to obtain sensitive personal data. Those data can be used for future email scams, or to gain access to online accounts. Phishing campaigns are rife during the Olympics.
Fake lottery scams are also commonplace. Emails are sent out in the millions telling recipients they have won a prize draw or lottery. To claim the winnings, it is necessary to pay an admin fee and disclose credit card details or provide bank details for the transfer along with other sensitive information. The golden rule is: If you have not entered the draw, you cannot have won it. If you are asked to make a payment in order to receive winnings it is likely a scam.
If in any doubt as to the legitimacy of an email, delete it. Chances are you have not won a competition you have not entered and you are not lucky enough to have won an all-expenses paid trip to Rio to see the Olympics. It is likely to be one of the many Rio Olympics email scams currently circulating cyberspace.
Protecting Employees and Networks from Attack
Businesses need to take care to protect their networks and prevent their employees from inadvertently downloading malware or giving attackers a foothold in their network. There are plenty of malicious actors that will be using the frenzy surrounding the Rio Olympics to conduct their nefarious activities.
One of the best defenses against Rio Olympics email scams – and other malicious email spam in general – is to use a robust email spam filter such as SpamTitan. SpamTitan blocks 99.97% of email spam, preventing malicious emails from being delivered to end users.
To find out how SpamTitan can help you improve your security posture and prevent malware, ransomware, and phishing emails from being delivered to your employees, give the TitanHQ sales team a call today.
Locky Ransomware Replaces Dridex as the Top Email Security Threat
Locky was first identified in February 2016 and is believed to have been released by the criminal gang behind the Dridex banking malware. In fact, Locky is distributed using the infamous Necurs botnet, one of the largest botnets currently in operation. Necurs was also used to deliver Dridex malware, which was the top email security threat in Q1. Figures from Proofpoint suggest Locky has been used in 69% of email attacks involving malicious documents in Quarter 2, 2016.
Not only is Locky now the top email security threat, malicious message volume also increased significantly in quarter 2. Proofpoint charted the rise in malicious email volume and the Quarterly Threat Summary shows volume has increased by 230% since Q1, 2016.
Bear in mind that the huge rise in malicious emails occurred even though the Necurs botnet went silent in early June and Locky emails essentially stopped being delivered. However, the botnet did not remain inactive for long. By the end of June it was back with a vengeance, with huge volumes of Locky emails delivered as part of a massive new campaign.
Exploit Kits Are Mostly Delivering CryptXXX Crypto-Ransomware
While Locky may be the top email security threat, exploit kits still pose a major risk to businesses and personal computer users. The Angler exploit kit may have died a death in early June, but Neutrino has now taken over as the EK of choice. Neutrino is targeting numerous vulnerabilities and CryptXXX crypto-ransomware is the main threat. The ransomware variant only appeared in Q2, but it has fast become a major problem and the most common EK threat.
CryptXXX may now be the most prevalent EK ransomware variant in use; however, there has been an explosion in the number of ransomware variants in 2016. Since the final quarter of 2015, the number of ransomware variants has increased by a factor of between 5 and 6 according to Proofpoint. The majority of ransomware is delivered via exploit kits, although many users are directed to malicious websites via links delivered by spam email.
Fortunately, EK activity has fallen considerably since April. Angler EK activity started to decline in late April and by the start of June EK activity had dropped by around 96%. Since the end of June, EK activity has started to increase with Neutrino the main EK now in use. Fortunately, EK activity has not returned to pre April levels. So far at least.
CryptXXX has fast become one of the most prevalent strains of ransomware, although until recently infection was only possible via malicious websites. Now researchers at Proofpoint have spotted CryptXXX ransomware emails. The group behind the attacks have added a new attack vector. CryptXXX ransomware emails contain a Word document containing a malicious macro. If the macro is allowed to run it will load a VB script into the memory which will use Powershell to make contact with the attackers’ command and control server. Once a connection has been made, CryptXXX will be downloaded onto the victim’s computer. Authors have realized the benefits to be gained from adopting an affiliate model to help infect machines and now a number of new players have entered the ransomware market.
If a “ransomware kit” is provided, individuals with little hacking skill can conduct their own ransomware campaigns. The ransomware authors can charge a nominal fee for supplying the kit, and can also take a cut on the back end. When an affiliate infects a computer and a ransom is paid, the authors receive a cut of the payment. This model works well and there is no shortage of individuals willing to try their hand at running ransomware campaigns. The CryptXXX ransomware emails are being sent by an affiliate (ID U000022) according to Proofpoint.
Identifying CryptXXX Ransomware Emails
The CryptXXX ransomware emails are being sent with a subject line of “Security Breach – Security Report #Randomnumber.” The emails contain only basic information about a supposed security breach that has occurred. The security report is supplied as an attached Word document. The body of the email contains the date, time of the attack, the provider, location, IP address, and port. The email recipient is instructed to open the file attachment to view details of the attack and find out about the actions that should be taken.
The file attachment is given a name such as “info12.doc” according to Proofpoint. If the attached Word file is opened, a Microsoft Office logo is displayed. The user is informed that the document has been created in a newer version of Microsoft Office. The content of the document will only be displayed if macros are enabled. Enabling the macros will result in the VB script being loaded. Then ransomware will then be downloaded and users’ files encrypted.
There is no fix if files are encrypted. The victim must pay the ransom or lose their files. Once an infection has occurred, files can only be recovered from backups if the victim does not pay the ransom.
CryptXXX Ransomware Still Being Delivered by Neutrino
Since the demise of the Angler exploit kit, CryptXXX was moved over to Neutrino. There was a dramatic fall in infections as activity temporarily stopped; however, Invincea recently reported a surge in activity via compromised business websites. The SoakSoak botnet is being used to scan the Internet for vulnerable websites. The websites being targeted run the WordPress Revslider slideshow plugin. Scripts are appended to the slideshow that redirect visitors to a malicious site containing Neutrino.
CryptXXX will only be downloaded if the endpoint lacks certain security tools that would detect an installation. If Wireshark, ESET, VMware, Fiddler, or a Flash debugging utility is present, the ransomware will not be downloaded.
After a period of quiet, the Necurs botnet is back in action. A number of security companies have reported a massive surge in botnet activity which started on June 21, 2016.
The Necurs botnet has previously been used to send out huge volumes of Dridex malware and Locky; a sophisticated ransomware variant that was first discovered in February 2016. It is too early to tell whether this is just a temporary spike in activity or whether the botnet will be sending emails at the levels seen before the recent lull.
Necurs botnet activity dropped off on May 31. The volume of malicious emails being sent using the botnet fell to as few as 3 million emails per day. However, the number of emails being sent surged on June 21, shooting up to around 80 million emails. 24 hours later the volume of malicious emails had doubled to 160 million. The surge in activity comes is linked to a massive spam email campaign that is delivering emails containing malicious attachments which install Locky ransomware.
It is unclear why there was a period of quiet. Security experts having been pondering this since the dramtic fall in activity on May 31.
The Necurs botnet is massive and is believed to contain approximately 1.7 million computers, spread over 7 separate botnets. It is clear that the botnet had not been taken down, although activity across all seven of the botnets stopped. In April and May of this year, spam email volume was regularly exceeding 150 million emails a day. Now the Necurs botnet appears to be back up to speed.
Around the same time as the pause in activity, Russia’s FSB security service conducted raids resulting in the arrests of approximately 50 hackers. The gang was using the Lurk Trojan to defraud banks and other targets in Russia. It is unclear whether some of those arrests resulted in a disruption to the botnet, or whether the pause was for some other reason. Numerous theories have been suggested for the three-week pause, including the sale or the botnet and issues the operators may have had with the C&C infrastructure. If the botnet has changed hands, a single organization would likely be in control as activity across all seven botnets resumed at the same time.
The resurrection of the Necurs botnet is bad news. According to Proofpoint, the resurrection of the botnet has been accompanied by a new Locky variant which has new capabilities. The latest form of Locky is better at evading detection and determining whether it is running in a sandbox. The new capabilities were detected by Proofpoint shortly before the Necurs botnet went dark.
Spike in Spam Emails Containing Malicious Office Macros
The documents containing the shipping notices contained a malicious macro. In order to open the attached file, users were required to enable macros on their devices. Doing so would trigger a ransomware download. Email recipients who have their office settings configured to automatically allow macros to run are at particularly at risk, as simply opening the email attachment would result in Locky being downloaded onto their devices.
Proofpoint also recorded this spike in malicious spam emails, although the company put the total number of emails in the campaign at over 100 million, making this one of the largest spam email campaigns seen in recent years, and certainly one of the biggest campaigns of 2016.
The Amazon spam email campaign is being distributed using spam botnets on virtual machines and consumer devices. This campaign was notable because the attackers were able to manipulate the email headers. This made the messages appear legitimate to email recipients. Any email recipients who regularly use Amazon.com for purchases could easily be fooled into opening the file attachment.
The emails used the subject line: “Your Amazon.com order has dispatched” along with a code number, closely mimicking the emails sent up Amazon. The body of the email did not contain any text. If users want to find out which order the email refers to, they would need to open the file attachment. The emails also appear to have been sent from the Amazon.com domain, making it much harder for email recipients to determine that the messages are malicious spam.
Surge in Spam Email Highlights the Importance of Using Spam Filtering Solutions
SpamTitan captures 99.97% of spam email and prevents malicious spam emails from being delivered to inboxes. Since malicious actors are getting much better at masking their messages and making them appear legitimate, it is essential to limit the volume that are delivered to end users rather than rely on individuals to be able to identify emails as spam.
A recent report issued by the Anti-Phishing Working Group highlights worrying phishing activity trends. According to the Phishing Activity Trends Report, the number of new phishing websites is growing at an alarming rate.
A recent report published by PhishMe showed that email phishing activity has now reached unprecedented levels. Phishing email volume increased by 789% quarter over quarter. The APWG report shows that cybercriminals are also increasingly conducting web-borne attacks. Phishing websites increased by 250% from the last quarter of 2015 through the first quarter of 2016.
APWG expected to see an increase in the number of phishing websites created in the run up to the holiday season. Every year, criminals take advantage of the increased number of online purchases being made around Christmas. Many new phishing websites are created in November and December and online fraud always increases in December.
However, typically, there is a drop in spamming an online fraud in January. This year that fall did not occur. In fact, the number of new phishing websites continued to rise in January. There was a slight fall in February, before a major increase in March. According to the Phishing Activity Trends Report, in December 2015, 65,885 unique phishing websites were detected. In January 2016, the total had risen to 86,557. By March the total had reached a staggering 123,555 unique phishing websites.
Cybercriminals are most commonly targeting the retail sector and are spoofing websites in an attempt to defraud consumers. 42.71% of phishing websites target the retail sector, with the financial sector in second place with 18.67% of sites. Payment services accounted for 14.74% of sites, ISPs 12.01%, and multimedia sites 3.3%.
The phishing activity trends report indicates an increase in the targeting of cloud-based or SAAS companies, which it is claimed is driving the attacks on the retail sector.
More than 55% of phishing websites contain the name of the target brand somewhere in the URL. Attackers are concentrating the attacks on the most popular brands. By March 2016, APWG reported that 418 different brands were being targeted using phishing websites.
Phishing email campaigns are known to be sent extensively from outside the United States, although when it comes to phishing websites they are usually hosted in the United States. 75.62% of phishing websites are hosted in the US.
The United States also hosts the most phishing-based Trojans and downloaders – 62.36%. China is also being extensively targeted. China hosted 5% of phishing-based Trojans and downloaders in January. By March, the figure had risen to 13.71%.
More than 20 million new malware samples were detected at the start of 2016 – That’s an average of 227,000 new malware samples every day. The majority of new malware are Trojans, which account for 66.81% of new samples. Viruses were second (15.98%) and worms third (11.01%).
The massive rise in phishing websites highlights how important it is for caution to be exercised when purchasing online. Businesses should also take additional precautions. Web filters can be used to block phishing websites from being visited by employees. A web filtering solution – WebTitan for example – can also be used to prevent drive-by downloads of malware and ransomware.
File-encrypting ransomware is now one of the main UK cybersecurity threats. Rather than stealing sensitive corporate data, criminals have taken to locking it with powerful encryption to prevent businesses from performing day to day functions. Without access to data, business often grinds to a halt.
Ransomware is nothing new, but over the past few years it has become much more popular with cybercriminals who are increasingly targeting businesses. If criminals can succeed in breaching businesses’ security defenses and locking critical files, a ransom can be demanded in order to supply security keys to unlock the encryption. If no viable backup copy exists, businesses may be left with no alternative but to give in to attackers’ demands. Those demands include sizable payments in Bitcoin – A virtually anonymous currency.
Ransomware attacks in the United States have attracted the headlines, but across the pond, ransomware attacks on UK businesses have also been increasing. According to the latest research from ESET, ransomware is now one of the main UK cybersecurity threats accounting for more than a quarter of threats. In the week of April 19 to 26, 26.16% of threats involved ransomware.
How to Block Ransomware Infections
Unfortunately, there is no single method of blocking ransomware infections that is 100% effective, although by using a multi-layered approach, small to medium-sized businesses can greatly reduce the probability of ransomware being installed on their computers and networks.
Ransomware is installed via a number of different methods, although one of the most common methods of ransomware delivery is spam email. Spam email is used to send out malicious attachments that install malware, which in turn installs ransomware on computers. One of the most common methods of infection is Word documents containing malicious macros.
Attackers also use emails containing malicious links. End users are enticed to click those links using social engineering techniques. One click is often all that is required to install ransomware. While it is possible to train employees to be more security aware, all it takes is for one member of staff to install malware for a network to be encrypted. The latest strains of ransomware are capable of encrypting files on single computers, connected USB drives, and network drives. It is important to provide staff training, but a software solution should also be used to block spam emails and prevent them from being delivered.
SpamTitan can keep an organization well protected from malware and ransomware infections. SpamTitan uses two leading anti-virus engines – Kaspersky and ClamAV – to block the vast majority of spam email. SpamTitan detects and blocks 99.98% of spam email, which prevents end users’ spam and phishing email detection skills from being put to the test.
SpamTitan blocks malicious emails, infected email attachments, and links to phishing websites and sites where drive-by downloads of malware take place. This single software solution can help organization mitigate the risk from many of the main UK cybersecurity threats.
If you want to block ransomware and malware and reduce the time your employees spend sifting through spam email, contact the sales team today for further information or sign up for a free SpamTitan trial.
Vulnerabilities in Adobe Flash Player are discovered with such regularity that news of another raises few eyebrows, but the latest critical vulnerability – discovered in Adobe Flash Player 126.96.36.199 and earlier versions – is a cause for concern. It is already being exploited by hackers and is being used to infect users with ransomware.
Any device that is running Adobe Flash Player 188.8.131.52 (or earlier) is at risk of the vulnerability being exploited and malicious file-encrypting software being installed. The latest vulnerability can be used to attack Windows, Macs, Linux systems and Chromebooks, according to ProofPoint, although Adobe reports that the vulnerability only affects Windows 10 and earlier versions running the vulnerable versions.
Flash vulnerabilities are usually exploited by visiting malicious websites or webpages that have been compromised and infected with exploit kits. Those exploit kits probe for a range of weaknesses, such vulnerabilities in Adobe Flash Player, and exploit them to download malware or ransomware to the user’s device.
These drive-by attacks occur without users’ knowledge, as the downloaded file is not displayed in the browser and is not saved to the download folder. It is also difficult to determine whether a website has been compromised or is malicious in nature without software solutions that analyze the website content.
Vulnerabilities in Adobe Flash Player Exploited to Deliver Cerber and Locky Ransomware
The latest attack uses the Magnitude exploit kit. The fact that it is Magnitude suggests the latest ransomware attacks are the work of an individual cybercriminal gang. That gang has acted quickly to include the latest Flash vulnerability into Magnitude.
According to Trend Micro, the vulnerability is being used to deliver Locky ransomware – the malicious file-encrypting software that has been used to attack hospitals in the United States in recent weeks. Locky was reportedly the ransomware used in the attack on Hollywood Presbyterian Medical Center in February. That infection cost the healthcare organization $17,000 to remove, not to mention the cost of attempting to remove the infection and restore backup files prior to the ransom being paid.
ProofPoint suggests the vulnerability is being used to deliver Cerber ransomware. Cerber is a new ransomware that has was released in the past month. It can be used to encrypt files on all Windows versions, although not those in Russian.
Cerber and Locky are being downloaded via malicious websites, although these are typically not visited by the vast majority of Internet users. In order to get traffic to these sites the attackers are using spam email containing malicious attachments.
In contrast to many malicious spam emails that install malware using executable files and zip files, the attackers are using Word documents containing malicious macros. The macros do not download the ransomware directly, instead they direct the victim, via a number of redirects, to a malicious site where the drive-by download takes place.
The vulnerability, named as CVE-2016-1019, will crash Adobe Flash when it is exploited. Adobe reports that the vulnerability exists in 184.108.40.206. Trend Micro says the exploit will not work on versions 220.127.116.11 and 18.104.22.168, only on Flash 22.214.171.1246 and earlier versions due to mitigations put in place by Adobe.
ProofPoint’s Ryan Kalember said that the exploit has been engineered to only work on earlier versions of Flash and that attacks have been degraded to evade detection. All versions of Flash could potentially be used for the attack should the criminals behind the Magnitude exploit kit so wish.
Of course, this is just one of many vulnerabilities in Adobe Flash Player that can be exploited and used to deliver ransomware or other forms of malware. To prevent attacks, sysadmins should ensure that all devices are updated to the latest version of the software. Adobe said it was releasing a security update to address the vulnerability on April 7, 2016.
Vulnerabilities in Adobe Flash Player are addressed with updates, although there are two software solutions that can help to protect users from attack. Anti-spam solutions such as SpamTitan can be used to prevent spam email from being delivered, reducing the risk of end users opening Word documents infected with malicious macros.
WebTitan products tackle these attacks by blocking malicious websites, preventing users from visiting sites where drive-by downloads take place. There is usually a wait while vulnerabilities in Adobe Flash Player are addressed, and these two solutions can help keep devices malware free until updates are applied.
The past two months have seen a number of healthcare organizations attacked by cybercriminals; however, the MedStar Health ransomware attack discovered on Monday this week must rank as one of the most severe.
The MedStar Health ransomware attack is the latest in a string of attacks on U.S. healthcare organizations, as hackers up the ante and go for much bigger targets where the potential rewards are greater. It would appear that the 10-hospital health system will not need to pay a ransom to regain access to its data, but for three days MedStar Health has been forced to work without access to some of its computer systems after they were shut down to prevent the spread of the infection.
MedStar Health Ransomware Attack Affects 10 Hospitals and More than 250 Outpatient Facilities
MedStar Health is a large U.S health system operating more than 250 outpatient facilities and ten hospitals in the Washington D.C., area. On Monday morning, a virus was discovered to have been installed. The infection triggered emergency IT procedures and rapid action taken to limit the spread of the virus. Three clinical information systems were shut down, including email and the electronic health record system used to record and view patient data.
Without access to email and patient data, services at the hospital were slowed although business continued as close to normal as possible. No facilities closed their door to patients. However, in the 48 hours since the virus was discovered, IT security teams have been working around the clock to bring systems back online. Yesterday, MedStar Health reported that systems were being brought back online with enhanced functionality added bit by bit.
MedStar Health has kept the media and patients notified of progress via social media. The health system reported that “The malicious malware attack has created many inconveniences and operational challenges for our patients and associates.”
While no information was initially released on the exact nature of the computer virus that was discovered to have infiltrated its systems, a number of sources indicate the malicious software was ransomware. It has since emerged that the MedStar Health ransomware attack involved a ransomware from the Samsam family. The ransomware is also known as MSIL and Samas. The attack occurred at the Union Memorial Hospital in Baltimore.
Some computer users were presented with a message demanding a ransom to unlock files. The Baltimore Sun reported that the MedStar Health ransomware attack saw attackers demand a ransom of 45 Bitcoin (approximately $18,500) to unlock all 18 computers that were infected, with an offer to unlock one machine for 3 Bitcoin (approximately $1233).
FBI Issued Warning About Samsam Ransomware on March 25
The FBI reached out to businesses for assistance dealing with the latest ransomware threat from Samsam. While many ransomware infections use email as the vector, Samsam is installed via a tool called JexBoss. JexBoss is used to discover a vulnerability that exists in JBOSS systems. This attack is not conducted using phishing or website exploit kits, instead it works by compromising servers and spreading the infection laterally.
The vulnerability exploited is in the default configuration of the Boss Management Console (JMX) which is used to control JBoss application servers. In its default state, JMX allows unsecured access from external parties and this is used to gain shell access to install the ransomware.
Once a web application server has been infected, the ransomware does not communicate with a command and control server, but will spread laterally and to infect Windows machines, hence the need to shut down systems. The MedStar Health ransomware attack could have been much more severe had rapid action not been taken.
This attack highlights just how important it is to ensure that all systems are patched and default software configurations are changed. Other attacks recently reported by healthcare organizations in the United States have involved Locky ransomware, which is spread via exploit kits on compromised websites and via email spam. Healthcare organizations can protect against those attacks by using web filtering and anti-spam solutions. However, it is also essential to train staff never to open email attachments from unknown sources.
Over the past 12 months, cybercriminals have used ransomware with increasing frequency to extort money out of businesses, leading some security experts to predict that healthcare ransomware infections would become a major problem in 2016.
Would cybercriminals stoop so low and attack the providers of critical medical care? The answer is yes. This week a U.S. hospital has taken the decision to pay a ransom to obtain the security keys necessary to unlock data that had been encrypted by ransomware. The attack does not appear to have been targeted, but the ransom still needed to be paid to unlock the hospital’s electronic medical record system.
Last year, Cryptowall infections were regularly reported that required individuals to pay a ransom of around $500 to get the security key to recover files. However, when businesses accidentally install ransomware the ransom demand is usually far higher. Cybercriminals can name their price and it is usually well in excess of $500.
Healthcare Ransomware Infection Results in Hospital Paying $16,664 to Unlock EHR
While businesses have been targeted by cybercriminal gangs and have had their critical data locked by ransomware, it is rare for healthcare providers to be attacked. The latest healthcare ransomware infection does not appear to have been targeted, instead a member of staff inadvertently installed malware which locked the hospital’s enterprise-wide electronic health record system (EHR): The system that houses patient health records and critical medical files.
The EHR of Southern California’s Hollywood Presbyterian Medical Center was locked on February 5, 2016., with physicians and other members of the hospital staff unable to access the EHR to view and log patient health information. An investigation into the IT issue was immediately launched and it soon became apparent that the database had been locked by ransomware.
No one wants to have to pay cybercriminals for security keys, and the hospital took steps to try to recover without having to give in to ransom demands. The Police and FBI were contacted and started an investigation. Computer experts were also brought in to help restore the computer system but all to no avail.
The news of the healthcare ransomware attack broke late last week, with early reports suggesting the hospital had received a ransom demand of 9,000 Bitcoin, or around $3.4 million. The EHR was taken out of action for more than a week while the hospital attempted to recover and unlock its files.
Eventually, the decision had to be taken to pay the ransom. While it may have been possible for patient health data to be restored from backups, the time it would take, the resources required to do that, and the disruption it would likely cause was not deemed to be worth it. Allen Stefanek, CEO of Hollywood Presbyterian Medical Center, took the decision to pay the ransom to obtain the security key to unlock the data.
In a statement posted on the company’s website he confirmed that the reports of a ransom demand of 9,000 Bitcoin were untrue. The attackers were asking for 40 Bitcoin, or $16,664, to release the security key to unlock the hospital’s data.
Stefanek said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Fortunately, healthcare ransomware attacks are relatively rare, as many healthcare providers in the United States already have controls in place to reduce the likelihood of an attack being successful. Staff are trained to be vigilant and not to install software on healthcare devices or open suspicious email attachments. Many use a spam filter to quarantine suspect emails. The latter being an essential protection against healthcare ransomware attacks.
The Importance of a Robust Spam Filter to Prevent Healthcare Ransomware Attacks
A healthcare ransomware attack does not just have a financial impact; it has potential to cause actual harm to patients. The delivery of healthcare services is slowed as a result of the inability to access and share healthcare data, and not being able to view patient health records could delay the delivery of critical patient care or result in incorrect medications being prescribed. That could be a life or death matter. Preventing healthcare ransomware attacks is therefore essential. A technological solution should be employed for maximum protection.
TitanHQ’s SpamTitan software has been developed to keep businesses protected from malware and ransomware attacks. SpamTitan uses two anti-malware engines to maximize the probability of spam emails and malicious attachments being caught and prevented from being delivered to end user inboxes. SpamTitan catches 99.9% of Spam email and quarantines emails with suspicious attachments to prevent them from being delivered.
If you want to reduce the risk of a suffering a ransomware attack and having to pay cybercriminals to unlock critical data, using a robust, powerful anti-spam solution such as SpamTitan is the best way to protect computers and networks from attack. Along with staff training to improve understanding of healthcare ransomware and other malware, it is possible to prevent attacks from being successful.
For further information on SpamTitan anti-spam solutions, contact the TitanHQ team today:
US Sales +1 813 304 2544
UK/EU Sales +44 203 808 5467
IRL +353 91 54 55 00
Or email email@example.com
Each January, the PwC Annual Global CEO Survey is published detailing the major perceived threats to corporate growth. This year the results of the survey show that CEOs are more worried about the cost of dealing with cyberthreats, and believe that they can actually have a major negative impact on corporate growth.
Cost of dealing with cyberthreats a major impediment to 2016 growth
The global survey probed 1,409 CEOs about their concerns about impediments to growth, with cyberthreats ranking as one of the top ten major problems. 61% of respondents said they were worried about cyberthreats and the effect they will have on growth this year.
Over-regulation and geopolitical uncertainty were considered to be more pressing concerns, being cited by 79% and 74% or respondents, while the availability of key skills was mentioned as a major threat to growth by 72% of CEOs. The cost of dealing with cyberthreats was ranked as the eighth biggest impediment to growth in 2016.
While 60% of CEOs believe there are more opportunities for growth than 3 years ago, 66% said there were now more threats to growth. 26% said they only saw more opportunities, while 32% saying they only saw more threats.
The cost of dealing with cyberthreats is considerable, although nowhere near as high of the cost of failing to deal with them. Last year the Ponemon Institute calculated the cost of cyberthreats and determined the cost to businesses is soaring, with the IBM sponsored study determining the average cost of dealing with security breaches had risen to $3.8 million.
Some of the large organizations included in the study suffered cybercrime losses as high as $65 million, with the cost of cyberthreats having risen by 23% over the course of the past two years.
The IBM Cost of Data Breach Study determined the cost per stolen record to be between $145 and $154. When cybercriminals manage to steal millions of customer records, the cost to business can therefore be considerable.
Major cyberthreats of 2016
- Cloud computing
- Mobile devices
- State sponsored hacking
- Phishing attacks
- Medical devices
Cyberthreats may be an impediment to growth, but it doesn’t mean that those threats cannot be mitigated. Given the increasing risk it is imperative that adequate security defenses are put in place to repel attacks. Malware and ransomware are becoming more sophisticated and much more difficult to identify, as are the phishing campaigns that are used to deliver the malicious software. Anti-phishing strategies must therefore be implemented to block malicious emails and staff members must be trained how to identify phishing attacks when they do occur.
Implement SpamTitan to block emails from being delivered to employee’s inboxes, conduct regular staff training exercises to better educate employees, and perform phishing email tests to ensure that members of staff get practice at identifying dummy phishing emails.
It is also essential to develop policies and controls to limit the types of websites that employees are able to visit when using their work computers as well as for BYOD. Drive-by malware downloads are an increasing threat. Exploit kits are much more commonly used to probe for security vulnerabilities, such as out of date plugins. These can be exploited and used to download malware to devices without any interaction from the user.
To mitigate the risk, patch management policies must be developed. It is more essential than ever to ensure that all software is updated as soon as patches are released.