Our Internet security section covers a wide range of topics including the latest online threats such as new phishing scams, changes in exploit kit activity, and up to date information on new malware and ransomware variants and social media scams.
Here you will find articles on data breaches, together with the causes of attacks and potential mitigations to reduce the risk of similar incidents occurring at your organization. Lessons can be learned from attacks on other organizations and threat intelligence can help security teams prepare for impending cyberattacks.
This section also contains news on the latest remote code execution vulnerabilities and zero day exploits that are being used to gain access to business networks, such as the network worm attacks that were used to spread WannaCry ransomware around the globe in May 2017.
In addition to mitigations – such as news of patches and software upgrades – articles are included to help organizations improve Internet security. Employees are a weak link in security defenses and frequently download malware or engage in risky behavior that could result in a network compromise. This section includes information that can be used by organizations to reduce the risk of employees inadvertently downloading malicious software or disclosing their credentials on phishing websites, turning them from liabilities into security assets.
There has been an increase in phishing attacks on retailers, supermarket chains, and restaurants in recent weeks. The aim of the phishing attacks is to deliver remote access Trojans and remote manipulator software to gain persistent access to computers and, ultimately, obtain banking credentials and sensitive customer data on POS systems.
Several new campaigns have been detected in recent weeks targeting retail and food sector companies, both of which are well into the busiest time of the year. With employees working hard, it is likely that less care will be taken opening emails which gives cybercriminals an opportunity.
PUB Files Used in Phishing Attacks on Retailers
Over the past few weeks, security researchers have noted an uptick in phishing attacks on retailers, with one threat group switching to using.pub files to install malware. Many phishing attacks use Word documents containing malicious macros. The use of macros with .pub files is relatively uncommon. The change to this new attachment type may fool employees, as they will be less likely to associate these files with cyberattacks.
Social engineering techniques are used to fool end users into opening the files, with the .pub files masquerading as invoices. Many emails have been intercepted that appear to have been sent from within a company, which helps to make the files appear genuine.
If opened, the .pub files, via malicious macros, run Microsoft Installer (MSI) files that deliver a remote access Trojan. Since these installers will most likely be familiar to end users, they may not realize the installers are malicious. Further, the MSI files are time delayed so they do not run immediately when the .pub files are opened, increasing the probability that the RAT downloads will go unnoticed.
The TA505 threat group is using this tactic to install the FlawedAmmy remote access Trojan and other malicious payloads such as Remote Manipulator System (RMS) clients.
The phishing emails used to deliver these malicious files are targeted and tailored to a specific business to increase the likelihood of success. These targeted spear phishing attacks are now becoming the norm, as threat actors move away from the spray and pray tactics of old.
Cape Cod Community College Phishing Attack Results in Theft of More Than $800,000
Phishing attacks on retailers have increased, but other industries are also at risk. Educational institutions are also prime targets, as has been highlighted by a recent phishing attack on Cape Cod Community College.
The Cape Cod Community College phishing attack involved sophisticated messages that delivered malware capable of evading the college’s anti-virus software. The malware was used to obtain the banking credentials of the college, and once those credentials had been obtained, the hackers proceeded to make fraudulent transfers and empty bank accounts. Transfers totaling $807,130 were made, and so far, the college and its bank have only been able to recover $278,887.
All too often, fraudulent transfers are not detected quickly enough to recover any funds. Once the transfers have cleared the attacker-controlled bank accounts are emptied, after which the probability of recovering funds falls to near zero.
Defense in Depth the Key to Phishing Protection
Email is the primary vector used to phish for sensitive information and deliver malware to businesses. Regardless of whether businesses use local email systems or cloud-based email services such as Office 365, advanced spam filtering controls are required to block threats. For instance, SpamTitan blocks more than 99.9% of spam email and 100% of known malware. SpamTitan also uses heuristics, machine learning, and Bayesian analysis to identify previously unseen threats – One of the areas of weakness of Office 365’s anti-phishing defenses.
Network segmentation is also essential. Critical services must be separated to ensure that the installation of malware or ransomware on one device will not allow the attackers to gain access to the entire network. This is especially important for retailers and other businesses with POS systems. Network segmentation will help to keep POS systems and the financial data of customers secure.
Advanced endpoint protection solutions offer far greater protection than standard antivirus solutions and are less reliant on malware signatures. Standard AV solutions will only block known malware. With standard AV solutions, new malware variants can easily slip through the net.
End user security awareness training should be mandatory for all employees and training needs to be a continuous process. A once a year training session is no longer sufficient. Regular training throughout the year is required to ensure employees are made aware of the latest threats and tactics being used to gain access to login credentials and install malware.
For further information on improving email security to improve protection against phishing attacks, contact the TitanHQ team today.
A new module has been added to TrickBot malware that adds point-of-sale (POS) data collection capabilities.
TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: Businesses that process large volumes of card payments.
The new module was identified by security researchers at Trend Micro who note that, at present, the module is not being used to record POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only collecting data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The researchers have not yet determined how the POS information will be used, but it is highly likely that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been identified, they will likely be subjected to further intrusions.
The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services which search for a dnsHostName that contains strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’
The timing of the update, so close to the holiday period, suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much information as possible before the module is used to harvest POS data.
The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (identified by Brad Duncan) which is targeting businesses in the United States. The malspam campaign uses Word documents containing malicious macros that download the TrickBot binary.
Protecting against TrickBot and other information stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to prevent malicious messages from being delivered to end users’ inboxes. End user training is also essential to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those messages.
Antivirus solutions and endpoint security controls should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter defenses.
There is a more cost-effective alternative to Cisco OpenDNS that provides total protection against web-based threats at a fraction of the price of OpenDNS. If you are currently running OpenDNS or have yet to implement a web filtering solution, you can find out about this powerful web filtering solution in a December 5, 2018 webinar.
Cybersecurity defenses can be implemented to secure the network perimeter, but employees often take risks online that can lead to costly data breaches. The online activities of employees can easily result in malware, ransomware, and viruses being downloaded. Employees may also respond to malicious adverts (malvertising) or visit phishing websites where they are relieved of their login credentials.
Mitigating malware infections, dealing with ransomware attacks, and resolving phishing-related breaches have a negative impact on the business and the resultant data breaches can be incredibly costly. Consequently, the threat from web-based attacks cannot be ignored.
Fortunately, there is an easy solution that offers protection against web-based threats by carefully controlling the web content that their employees can access: A DNS-based web filter.
DNS-based web filtering requires no hardware purchases and no software downloads. Within around 5 minutes, a business will be able to control employee internet access and block web-based threats. Some DNS-based web filters such as OpenDNS can be costly, but there is a more cost-effective alternative to Cisco OpenDNS.
TitanHQ and Celestix Networks will be running a joint webinar to introduce an alternative to Cisco OpenDNS – The WebTitan-powered solution, Celestix WebFilter Cloud.
Celestix will be joined by Rocco Donnino, TitanHQ EVP of Strategic Alliances, and Senior Sales Engineer, Derek Higgins who will explain how the DNS-based filtering technology offers total protection from web-based threats at a fraction of the cost of OpenDNS.
The webinar will be taking place on Wednesday December 5, 2018 at 10:00 AM US Pacific Time
There has been a steady increase in HTTPS phishing websites over the past couple of years, mirroring the transition from HTTP to HTTPS on commercial websites. HTTPS sites are those that have SSL/TLS certificates and display a green padlock next to the URL. The green padlock is an indicator of site security. It confirms to website visitors that the connection between their browser and the website is encrypted. This provides protection against man-in-the-middle attacks by ensuring data sent from the browser to the website cannot be intercepted and viewed by third parties.
HTTPS websites are now used by a large number of businesses, especially e-commerce website owners. This has become increasingly important since search engines such as Google Chrome provide clear indications to Internet users that sites may not be secure if the connection is not encrypted.
This is all good of course, but there is one caveat. Users have been told to look for the green padlock to make sure a site is secure, but the green padlock is viewed by many Internet users as a sign that the site is secure and legitimate. While the former is true, the latter is not. The green padlock does not mean that the site is genuine and just because it is displayed next to the URL it does not mean the site is safe.
If the website is controlled by a cybercriminal, all the green padlock means is that other cybercriminals will not be able to intercept data. Any information entered on the website will be divulged to the criminal operating that site.
It stands to reason for HTTPS phishing websites to be used. If Internet users are aware that HTTPS means insecure, they will be less likely to enter sensitive information if the green padlock is not present. Unfortunately, free SSL certificates can easily be obtained to turn HTTP sites into HTTPS phishing websites.
According to PhishLabs, back in Q1, 2016, fewer than 5% of phishing websites used HTTPS. By Q3, 2016, the percentage started to rise sharply. By Q1, 2017, the percentage had almost reached 10%, and by Q3, 2017, a quarter of phishing websites were using HTTPS. The 30% milestone was passed around Q1, 2018, and at the end of Q3, 2018, 49% of all phishing sites were using HTTPS.
A PhishLabs survey conducted late last year clearly highlighted the lack of understanding of the meaning of the green padlock. 63% of consumers surveyed viewed the green padlock as meaning the website was legitimate, and 72% saw the website as being safe. Only 18% of respondents correctly identified the green padlock as only meaning communications with the website were encrypted.
It is important for all Internet users to understand that HTTPS phishing websites not only exist, but before long the majority of phishing websites will be on HTTPS and displaying the green padlock. A conversation about the true meaning of HTTPS is long overdue and it is certainly something that should be covered in security awareness training sessions.
It is also now important for businesses to deploy a web filtering solution that is capable of SSL inspection – The decryption, scanning, and re-encryption of HTTPS traffic to ensure that access to these malicious websites is blocked. In addition to reading content and assessing websites to determine whether they are malicious, SSL inspection ensures site content can be categorized correctly. This ensures that sites that violate a company’s acceptable usage policies are blocked.
There is a downside to using SSL inspection, and that is the strain placed on CPUs and a reduction in Internet speeds. SSL inspection is therefore optional with many advanced web filters. To ensure that the strain is reduced, IT teams should use whitelisting to prevent commonly used websites from being subjected to SSL filtering.
WebTitan Includes SSL Filtering to Block HTTPS Phishing Websites
WebTitan is a powerful web filtering solution for SMBs and managed service providers (MSPs) that provides protection against web-based threats. There are three products in the WebTitan family – WebTitan Gateway, WebTitan Cloud, and WebTitan Cloud for Wi-Fi; all of which include SSL filtering as standard. If SSL filtering is activated, users will be protected against HTTPS phishing websites and other malicious sites that have SSL certificates.
All WebTitan products can be installed in minutes, require no technical knowledge, and have been designed to be easy to use. An intuitive user interface places all information, settings, and reports at users’ fingertips which makes for easy enforcement of acceptable Internet usage polices and fast reporting to identify potential issues – employees browsing habits and users that are attempting to bypass filtering controls for instance.
Whether you are an MSP that wants to start offering web filtering to your clients or a SMB owner that wants greater protection against web-based threats, the WebTitan suite of products will provide all the features you need and will allow you to improve security and employee productivity, reduce legal liability, and create a safe browsing environment for all users of your wired and wireless networks.
For further information on WebTitan, details of pricing, web filtering advice, to book a product demonstration, or to register for a free trial of the product, contact TitanHQ today.
Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.
Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.
Benefits for MSPs from Offering Office 365 to Clients
SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.
MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.
MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.
By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.
How MSPs Can Make Office 365 More Profitable
The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.
The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.
One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.
Phishing is the number one security threat faced by businesses and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, by blocking phishing attacks and malware at source, a considerable amount of time can be saved on support.
There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, and improves efficiency, and gives clients access to emails from any location.
Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself. Consequently, Office 365 security should be an easy sell.
Office 365 MSP Add-ons from TitanHQ
For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ MSP Alliance Program.
All TitanHQ solutions have been developed from the ground to meet the needs of the SMB marketplace and MSPs. TitanHQ’s spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs security stacks to make Office 365 more profitable.
To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ MSP Alliance Program team today and take the first step toward making Office 365 more profitable.
A new Dharma ransomware variant has been developed that is currently evading detection by the majority of antivirus engines. According to Heimdal Security, the latest Dharma ransomware variant captured by its researchers was only detected as malware by one of the 53 AV engines on VirusTotal.
Dharma ransomware (also known as CrySiS) first appeared in 2006 and is still being developed. This year, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been detected.
The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have been reported recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.
While free decryptors for Dharma ransomware have been developed, the constant evolution of this ransomware threat rapidly renders these decryptors obsolete. Infection with the latest variants of the ransomware threat only give victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.
The latter is not an option given the extent of files that are encrypted. Restoring files from backups is not always possible as Dharma ransomware can also encrypt backup files and can delete shadow copies. Payment of a ransom is not advised as there is no guarantee that files can or will be decrypted.
Protecting against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly conducted via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and via email malspam campaigns.
The latest Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and HTA file. Infections occur via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is obtained, the malicious payload is deployed.
While it is not exactly clear how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just before file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.
To protect against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be set. Rate limiting on login attempts should be configured to block login attempts after a set number of failures.
Naturally, good backup policies are essential. They will ensure that file recovery is possible without payment of a ransom. Multiple copies of backups should be made with one copy stored securely off site.
To protect against email-based attacks, an advanced spam filter is required. Spam filters that rely on AV engines may not detect the latest ransomware variants. Advanced analyses of incoming messages are essential.
SpamTitan can improve protection for businesses through combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been uploaded to AV engines.
For further information on SpamTitan and protecting your email gateway from ransomware attacks and other threats, speak to TitanHQ’s security experts today.
Phishing is the number one security threat faced by businesses. In this post we explore why phishing is such as serious threat and the top phishing lures that are proving to be the most effective at getting employees to open malicious attachments and click on hyperlinks and visit phishing websites.
Phishing is the Biggest Security Threat Faced by Businesses
Phishing is a tried and tested social engineering technique that is favored by cybercriminals for one very simple reason. It is very effective. Phishing emails can be used to fool end users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network to conduct further cyberattacks on a business.
Phishing works because it targets the weakest link in security defenses: End users. If an email is delivered to an inbox, there is a relatively high probability that the email will be opened. Messages include a variety of cunning ploys to fool end users into taking a specific action such as opening a malicious email attachment or clicking on an embedded hyperlink.
Listed below are the top phishing lures of 2018 – The messages that have proven to be the most effective at getting end users to divulge sensitive information or install malware.
Top Phishing Lures of 2018
Determining the top phishing lures is not straightforward. Many organizations are required to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.
Instead, the best way to determine the top phishing lures is to use data from security awareness training companies. These companies have developed platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for determining the most effective phishing lures.
In the past few weeks, two security awareness training companies have published reports detailing the top phishing lures of 2018: Cofense and KnowBe4.
Top Phishing Lures on the Cofense Platform
Cofense has created two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which collects data on real phishing attacks and the second list is compiled from responses to phishing simulations.
Both lists are dominated by phishing attacks involving fake invoices. Seven out of the ten most effective phishing campaigns of 2018 mentioned invoice in the subject line. The other three were also finance related: Payment remittance, statement and payment. This stands to reason. The finance department is the primary target in phishing attacks on businesses.
The list of the top phishing lures from phishing simulations were also dominated by fake invoices, which outnumbered the second most clicked phishing lure by 2 to 1.
Number of Reported Emails
New Message in Mailbox
Online Order (Attachment)
Secure Message (MS Office Macro)
Online Order (Hyperlink)
Confidential Scanned document (Attachment)
Conversational Wire transfer (BEC Scam)
Top Phishing Lures on the KnowBe4 Platform
KnowBe4 has released two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and real-world phishing attempted on businesses that were reported to IT security departments.
The most common real-world phishing attacks in Q3 were:
You have a new encrypted message
IT: Syncing Error – Returned incoming messages
HR: Contact information
FedEx: Sorry we missed you.
Microsoft: Multiple log in attempts
IT: IMPORTANT – NEW SERVER BACKUP
Wells Fargo: Irregular Activities Detected on Your Credit Card
LinkedIn: Your account is at risk!
Microsoft/Office 365: [Reminder]: your secured message
Coinbase: Your cryptocurrency wallet: Two-factor settings changed
The most commonly clicked phishing lures in Q3 were:
% of Emails Clicked
Password Check Required Immediately
You Have a New Voicemail
Your order is on the way
Change of Password Required Immediately
De-activation of [[email]] in Process
UPS Label Delivery 1ZBE312TNY00015011
Revised Vacation & Sick Time Policy
You’ve received a Document for Signature
Spam Notification: 1 New Messages
[ACTION REQUIRED] – Potential Acceptable Use Violation
The Importance of Blocking Phishing Attacks at their Source
If login credentials to email accounts, Office 365, Dropbox, and other cloud services are obtained by cybercriminals, the accounts can be plundered. Sensitive information can be stolen and Office 365/email accounts can be used for further phishing attacks on other employees. If malware is installed, cybercriminals can gain full control of infected devices. The cost of mitigating these attacks is considerable and a successful phishing attack can seriously damage a company’s reputation.
Due to the harm that can be caused by phishing, it is essential for businesses of all sizes to train staff how to identify phishing threats and implement a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly improved with an effective training program and phishing email simulations. It is also essential to deploy an effective email security solution that blocks threats and ensures they are not delivered to inboxes.
SpamTitan is a highly effective, easy to implement email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan protecting inboxes, businesses are less reliant on their employees’ ability to identify phishing threats.
SpamTitan subjects each incoming email to a barrage of checks to determine if a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also performs checks on outbound emails to ensure that in the event that an email account is compromised, it cannot be used to end spam and phishing emails internally and to clients and contacts, thus helping to protect the reputation of the business.
Improve Office 365 Email Security with SpamTitan
There are more than 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for cybercriminals. One of the main ways that Office 365 credentials are obtained is through phishing. Emails are crafted to bypass Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where credentials are harvested.
Businesses that have adopted Office 365 are likely to still see a significant number of malicious emails delivered to inboxes. To enhance Office 365 security, a third-party email filtering control is required. If SpamTitan is installed on top of Office 365, a higher percentage of phishing emails and other email threats can be blocked at source.
To find out more about SpamTitan, including details of pricing and to register for a free trial, contact the TitanHQ team today. During the free trial you will discover just how much better SpamTitan is at blocking phishing attacks than standard Office 365 anti-spam controls.
A new Office 365 threat has been detected that stealthily installs malware by hiding communications and downloads by abusing legitimate Windows components.
New Office 365 Threat Uses Legitimate Windows Files to Hide Malicious Activity
The attack starts with malspam containing a malicious link embedded in an email. Various themes could be used to entice users into clicking the link, although one recent campaign masquerades as emails from the national postal service in Brazil.
The emails claim the postal service attempted to deliver a package, but the delivery failed as there was no one in. The tracking code for the package is included in the email and the user is requested to click the link in the email to receive the tracking information.
In this case, clicking the link will trigger a popup asking the user to confirm the download of a zip file, which it is alleged contains the tracking information. If the zip file is extracted, the user is required to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes a Windows Management Instrumentation (WMI) file: wmic.exe. This legitimate Windows file will be used to communicate with the attacker’s C2 server and will create a copy of another Windows file – certutil.exe in the %temp% folder with the name certis.exe. A script then runs which instructs the certis.exe file to connect to a different C2 server to download malicious files.
The aim of this attack is to use legitimate Windows files to download the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload undetected.
These Windows files have the capability to download other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign targets users in Brazil, but this Office 365 threat should be a concern for all users as other threat actors have also adopted this tactic to install malware.
Due to the difficultly distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an office 365 threat such as this is easiest at the initial point of attack: Preventing the malicious email from being delivered to an inbox and providing security awareness training to employees to help them identify this Office 365 threat. The latter is essential for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will prevent the last line of defense from being tested.
How to Block this Office 365 Threat with SpamTitan and Improve Email Security
Microsoft uses several techniques to identify malspam and prevent malicious messages from reaching users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still delivered.
To improve Office 365 security, a third-party spam filtering solution should be used. SpamTitan has been developed to allow easy integration into Office 365 and provides superior protection against a wide range of email threats.
SpamTitan uses a variety of methods to prevent malspam from being delivered to end users’ inboxes, including predictive techniques to identify threats that are misidentified by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and prevent malicious emails from reaching inboxes.
How SpamTitan Protects Businesses from Email Threats
Security Solutions for MSPs to Block Office 365 Threats
Many MSPs resell Office 365 licenses to their customers. Office 365 allows MSPs to capture new business, but the margins are small. By offering additional services to enhance Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while improving the profitability of Office 365.
TitanHQ has been developing innovative email and web security solutions for more than 25 years. Those solutions have been developed from the ground up with MSPs for MSPs. Three solutions are ideal for use with Office 365 for compliance ad to improve security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.
By incorporating these solutions into Office 365 packages, MSPs can provide clients with much greater value as well as significantly boosting the profitability of offering Office 365.
To find out more about each of these solutions, speak to TitanHQ. The MSP team will be happy to explain how the products work, how they can be implemented, and how they can boost margins on Office 365.
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs) recently formed a strategic partnership with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.
The partnership has seen TitanHQ’s advanced web filtering technology incorporated into the Datto Networking Appliance to ensure all users benefit from reliable and secure internet access.
TitanHQ’s web filtering technology provides enhanced protection from web-based threats while allowing acceptable internet usage policies to be easily enforced for all users at the organization, department, user group, or user level.
On October 18, 2018, Datto and TitanHQ will be hosting a webinar to explain the enhanced functionality of the Datto Networking Appliance to MSPs, including a deep dive into the new web filtering technology.
Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
Speakers: John Tippett, VP, Datto Networking; Andy Katz, Network Solutions Engineer; Rocco Donnino, EVP of Strategic Alliances, TitanHQ
Police in Iceland have said a highly sophisticated phishing attack is the largest ever cyberattack the country has ever experienced. The campaign saw thousands of messages sent that attempted to get Icelanders to install a remote access tool that would give the attackers full access to their computers.
The software used in this campaign is a legitimate remote access tool called Remcos. Remcos is used to allow remote access to a computer, often for the purpose of providing IT support, for surveillance, or as an anti-theft tool for laptop computers. However, while it was developed for legitimate use, because it gives the administrator full control over the computer once installed, it has significant potential to be used for malicious purposes. Unsurprisingly, Remcos has been used by cybercriminals in several malware campaigns in the past, often conducted via spear phishing campaigns. One notable attack involved the spoofing of the Turkish Revenue Administration, Turkey’s equivalent of the IRS, to get the RAT installed to provide access to victim’s computers.
The use of Remcos for malicious purposes violates the terms and conditions of use. If discovered, the developer can block the customer’s license to prevent use of the software. However, during the time that Remcos is present on a system, considerable harm can be caused – sabotage, theft of sensitive information, installation of malicious software, and file encryption with ransomware to name but a few.
As was the case in Turkey, the phishing campaign in Iceland attempted to fool end users into installing the program through deception. In this case, the emails claimed to have come from the Icelandic Police. The emails used fear to get recipients of the message to click a link in the email and download the remote access tool.
The emails informed the recipients that they were required to visit the police for questioning. Urgency was added by informing the recipient of the message that an arrest warrant would be issued if they failed to respond. Clicking the link in the email directed the user to what appeared to be the correct website of the Icelandic police. The website was a carbon copy of the legitimate website and required the visitor to enter their Social Security number along with an authentication code sent in the email to find out more information about the police case.
In Iceland, Social Security numbers are often required on websites to access official services, so the request would not appear unusual. On official websites, Social Security numbers are checked against a database and are rejected if they are not genuine. In this case, the attacker was also able to check the validity of the SSN, which means access to a database had been gained, most likely an old database that had been previously leaked or the attacker may have had legitimate access and misused the database.
After entering the information, a password protected archive was downloaded which allegedly contained documents with details of the case. The webpage provided the password to unlock the password protected archive, which contained a .scr file disguised as a Word document.
In this case, the RAT was augmented with a VBS script to ensure it ran on startup. The RAT had keylogging and password stealing capabilities and was used to steal banking credentials. After gaining access to banking credentials, the information was sent back to command and control servers in Germany and the Netherlands.
While the campaign looked entirely legitimate, a common trick was used to fool recipients of the email, which number in the thousands. The domain used in the attack closely resembled the official police website, logreglan.is but contained a lower case i instead of the second l – logregian.is. A casual glance at the sender of the email or the domain name in the address bar would unlikely reveal the domain was not genuine. Further, the link in the email replaced the lower case i with a capital I, which is almost impossible to distinguish from a lower-case L.
The Icelandic police responded quickly to the attack and the malicious domain was taken down the following day. It is unknown how may people fell for the scam.
Cybercriminals have turned to cryptocurrency mining malware as an easy, low-risk way of making money although ransomware is still the main malware threat according to Europol.
While it was common for large-scale spam email campaigns to be sent to random recipients to spread ransomware, tactics used to infect devices with the file-encrypting malware are changing.
There has been a decline in the use of ‘spray and pray’ spam campaigns involving millions of messages toward targeted attacks on businesses. Organized cybercriminal gangs are researching victims and are conducting highly targeted attacks that first involve compromising a network before manually deploying ransomware.
The cybercriminal group behind SamSam ransomware has been particularly prolific. Companies that have failed to address software vulnerabilities are attacked and access is gained to their networks. The SamSam group also conducts brute force attacks on RDP to gain access to business networks. Once access is gained, ransomware is manually installed on as many computers as possible, before the encryption routine is started across all infected devices. With a large number of devices encrypted, the ransom demand can be much higher – Typically around $50,000 per company. The group has collected at least $6 million in ransom payments to date.
Europol warns that ransomware attacks will continue to be a major threat over the following years, although a new threat is emerging – cryptojacking malware. This form of malware is used to hijack computer processors to mine cryptocurrency. Europol warns that if the rise in the use of cryptojacking malware continues it may overtake ransomware and become the biggest malware threat.
Not only does cryptojacking offer considerable rewards, in many cases use of the malware is not classed as illegal, such as when it is installed on websites. This not only means that cybercriminals can generate considerable profits, but the risk involved in these types of attacks is far lower than using ransomware.
Cybercriminals are still extensively using social engineering techniques to fool consumers and employees into disclosing sensitive personal information and login credentials. Social engineering is also extensively used to trick employees into making fraudulent bank transfers. Phishing is the most common form of social engineering, although vishing – voice phishing – and smishing – SMS phishing are also used. Europol notes that social engineering is still the engine of many cybercrimes.
While exploit kits have been extensively used to silently download malware, Europol notes that the use of exploit kits continues to decline. The main attack vectors are spam email and RDP brute-forcing.
As-a-service cyberattacks continue to be a major problem. DDoS-as-a-service and ransomware-as-a-service allow low-level and relatively unskilled individuals to conduct cyberattacks. Europol recommends law enforcement should concentrate on locating and shutting down these criminal operations to make it much harder for low-level criminals to conduct cyberattacks that would otherwise be beyond their skill level.
With spam email still a major attack vector, it is essential for businesses to implement cybersecurity solutions to prevent malicious emails from being delivered to inboxes and ensure cybersecurity best practices are adopted to make them less susceptible to attack. With phishing the main form of social engineering, anti-phishing training for employees is vital.
RDP attacks are now commonplace, so steps must be taken by businesses to block this attack vector, such as disabling RDP if it is not required, using extremely strong passwords for RDP, limiting users who can login, configuring account lockouts after a set number of failed login attempts, and using RDP gateways.
With the largest economy, the United States is naturally a major target for cybercriminals. Various studies have been conducted on the cost of cybercrime in the United States, but little data is available on cybercrime losses in Germany – Europe’s largest economy.
The International Monetary Fund produces a list of countries with the largest economies. In 2017, Germany was ranked fourth behind the United States, China, and Japan. Its GDP of $3,68 trillion represents 4.61% of global GDP.
A recent study conducted by Germany’s federal association for Information Technology – BitKom – has placed a figure on the toll that cybercrime is taking on the German economy.
The study was conducted on security chiefs and managers at Germany’s top 503 companies in the manufacturing sector. Based on the findings of that survey, BitKom estimated cybercrime losses in Germany to be €43 billion ($50.2 billion). That represents 1.36% of the country’s GDP.
Extrapolate those cybercrime losses in Germany and it places the global cost of cybercrime at $1 trillion, substantially higher than the $600 billion figure estimate from cybersecurity firm McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study placed the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with GDP losses to cybercrime across Europe estimated to be between 0.79 to 0.89% of GDP.
Small to Medium Sized Businesses Most at Risk
While cyberattacks on large enterprises have potential to be highly profitable for cybercriminals, those firms tend to have the resources available to invest heavily in cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far easier to target smaller companies with less robust cybersecurity defenses.
Small to medium sized businesses (SMBs) often lack the resources to invest heavily in cybersecurity, and consequently are far easier to attack. The BitKom study confirmed that these companies, which form the backbone of the economy in Germany, are particularly vulnerable to cyberattacks and have been extensively targeted by cybercriminals.
It is not only organized cybercriminal groups that are conducting these attacks. Security officials in Germany have long been concerned about attacks by well-resourced foreign spy agencies. Those agencies are using cyberattacks to gain access to the advanced manufacturing techniques developed by German firms that give them a competitive advantage. Germany is one of the world’s leading manufacturing nations, so it stands to reason that the German firms are an attractive target.
Cybercriminals are extorting money from German firms and selling stolen data on the black market and nation-state sponsored hackers are stealing proprietary data and technology to advance manufacturing in their own countries. According to the survey, one third of companies have had mobile phones stolen and sensitive digital data has been lost by a quarter of German firms. 11% of German firms report that their communications systems have been tapped.
Attacks are also being conducted to sabotage German firms. According to the study, almost one in five German firms (19%) have had their IT and production systems sabotaged through cyberattacks.
Businesses Must Improve Their Defenses Against Cyberattacks
“With its worldwide market leaders, German industry is particularly interesting for criminals,” said Achim Berg, head of BitKom. Companies, SMBs in particular, therefore need to take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to prevent cybercriminals from gaining access to their systems and data.
According to Thomas Haldenweg, deputy president of the BfV domestic intelligence agency, “Illegal knowledge and technology transfer … is a mass phenomenon.”
Preventing cyberattacks is not straightforward. There is no single solution that can protect against all attacks. Only defense-in-depth will ensure that cybercriminals and nation-state sponsored hacking groups are prevented from gaining access to sensitive information.
Companies need to conduct regular, comprehensive organization-wide risk analyses to identify all threats to the confidentiality, integrity, and availability of their data and systems. All identified risks must then be addressed through a robust risk management process and layered defenses implemented to thwart attackers.
One of the main vectors for attack is email. Figures from Cofense suggest that 91% of all cyberattacks start with a malicious email. It stands to reason that improving email security should be a key priority for German firms. This is an area where TitanHQ can help.
TitanHQ is a provider of world-class cybersecurity solutions for SMBs and enterprises that block the most commonly used attack vectors. To find out more about how TitanHQ’s cybersecurity solutions can help to improve the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team today.
Managed service providers (MSPs) are discovering the huge potential for profit from offering security-as-a-service to their clients. Managed security services are now the biggest growth area for the majority of leading MSPs, with security-as-a-service well ahead of cloud migration, cloud management, and managed Office 365 services according to a recent survey conducted by Channel Futures.
Channel Futures conducted the survey as part of its annual MSP 501 ranking initiative, which ranks MSPs based on their ability to act on current trends and ensure they remain competitive in the fast-evolving IT channel market. The survey evaluated MSP revenue growth, hiring trends, workforce dynamics, service deliverables, business models, and business strategies.
The survey revealed that by far the biggest growth area is managed security services. Security-as-a-service was rated the biggest growth area by 73% of MSPs. 55% of MSPs said professional services were a major growth area, 52% said Office 365, and 51% said consulting services.
It is no surprise that security-as-a-service is proving so popular as the volume of attacks on enterprises and SMBs has soared. Cybercriminals are attacking enterprises and SMBs trying to gain access to sensitive data to sell on the black market. Attacks are conducted to sabotage competitors, nation-state-sponsored hackers are attempting to disrupt critical infrastructure, and data is being encrypted to extort money. There is also a thriving market for proprietary data and corporate secrets.
The cost of mitigating attacks when they succeed is considerable. For enterprises, the attacks can make a significant dent in profits, but cyberattacks on SMBs can be catastrophic. A study conducted by the National Cyber Security Alliance suggests as many as 60% of SMBs go out of business in the 6 months following a hacking incident.
Enterprises and SMBs alike have had to respond to the increased threat by investing heavily in security, but simply throwing money at security will not necessarily mean all security breaches are prevented. Companies need to employee skilled IT security professionals to implement, monitor and maintain those cybersecurity solutions, conduct vulnerability scans, and identify and address security gaps. Unfortunately, there is a major shortage of skilled staff and attracting the right talent can be next to impossible. Faced with major challenges, many firms have turned to MSPs to and have signed up for security-as-service offerings.
Forward-thinking MSPs have seized the opportunity and are now providing a comprehensive range of managed security services to meet the needs of their clients. They are offering a wide range of tools and services from phishing protection to breach mitigation services; however, for many MSPs, developing such a package is not straightforward.
Security-as-a-service is in high demand, but MSPs must be able to package the right services to meet customers’ needs and have a platform that can handle the business end. They too must attract the staff who can implement, monitor, and manage those services for their clients.
When devising a security-as-a-service offering, one option is to use a common security architecture for all clients and provide them with a range of solutions from the same provider. Many companies have implemented a slew of different security tools from multiple providers, only to discover they are still experiencing breaches. It is a relatively easy sell to get them to move over to a system where all the component parts are seamlessly integrated and to benefit from an MSP’s expertise in managing those solutions. There is a risk of course that clients will just choose to go direct rather than obtain those services from an MSP. This single platform strategy has been adopted by Liberty Technology – ranked 242 in the MSP 501 list – and is working well, especially for clients that have fewer than 1,000 employees.
At the other end of the spectrum is Valiant Technologies, ranked 206 in the MSP 501 list. Valiant has chosen a wide range of products from multiple cybersecurity solution providers and has built a unique package of products for its security service.
The products were chosen for the level of protection they offered and how well they work together. This approach has been a success for the firm. “Providing a bundle of offerings from different vendors that work well together is the most effective way for an MSP to retain its role as a trusted adviser,” said the firm’s CEO Tom Clancy. The security service has been added to other business services provided by the MSP and has proved to be an easy sell to clients.
ComTec Solutions, which ranked in position 248 in the MSP 501 list, is still deciding on the best way forward. The provision of security-as-a-service is a no brainer, but the company is currently assessing whether it is worthwhile building a security operations center (SOC) and becoming a managed security service provider (MSSP) or outsourcing the SOC service.
There are several different approaches to take when developing a managed security service offering. What is vital is that such a service is provided. The MSP 501 survey has shown that the most successful MSPs have responded to demand and are now helping their clients secure their networks through their security-as-a-service offerings. Those MSPs are clearly reaping the rewards.
If you are an MSP that is considering developing a security-as-a-service offering, be sure to speak to TitanHQ about its world-class cloud-based security solutions for MSPs – WebTitan and SpamTitan – and find out how they can be integrated into your security stack.
While the majority of phishing attempts are conducted via email, there has been a significant rise in the use of other communications platforms such messaging services, with WhatsApp phishing scams now increasing in popularity amongst phishers.
WhatsApp phishing attacks are common for two main reasons. First is the sheer number of people that are on the platform. In January 2018, the number of monthly users of WhatsApp worldwide reached 1.5 billion, up from 1 billion users six months previously. Secondly, is the lack of anti-phishing measures to prevent malicious messages from being delivered.
Many businesses have implemented spam filtering solutions such as SpamTitan, while personal users are benefiting by significant improvements to spam filtering on webmail services such as Gmail. Spam filtering solutions are highly effective at identifying phishing emails and other malicious messages and send them to the spam folder rather than delivering them to inboxes.
Messaging services often lack spam filtering controls. Therefore, malicious messages have a much greater chance of being delivered. Various tactics are used to entice recipients to click the links in the messages, usually an offer of a free gift, an exceptionally good special offer on a product – the new iPhone for instance – or a money off voucher or gift card is offered.
The messages contain a link that directs the recipient to the phishing website. The link usually contains a preview of the website, so even if a shortlink is used for the URL, the recipient can see some information about the site. A logo may be displayed along with the page title. That makes it much more likely that the link will be clicked.
Further, the message often comes from a known individual – A person in the user’s WhatsApp contact list. When a known individual vouches for the site, the probability of the link being clicked is much greater.
To add further legitimacy to the WhatsApp phishing scams, the websites often contact fake comments from social media sites confirming that a gift card has been won or a reward has been received. Some of those comments are positive, and some are neutral, as you would expect from a real prize draw where not everyone is a winner.
The websites used in WhatsApp phishing scams often use HTTPS, which show a green tick next to the URL to show that the site is ‘secure.’ Even though the green tick is no guarantee of the legitimacy of a site, many people believe the green tick means the site is genuine.
Gift cards are often given out for taking part in legitimate surveys, so the offer of either a gift card or entry into a free draw is not out of the ordinary. In return, the visitor to the site is required to answer some standard questions and provide information that would allow them to be contacted – their name, address, phone number, and email address for instance.
The information gathered through these sites is then used for further phishing attempts via email, telephone, or snail mail which aim to obtain even more personal information. After completing the questions, the website may claim that the user has one, which requires entry of bank account information or credit card details… in order for prize money to be paid or for confirmation of age.
These WhatsApp phishing scams often have another component which helps to spread the messages much more efficiently to other potential victims. Before any individual can claim their free prize or even submit their details for a prize draw, they must first agree to share the offer with some of their WhatsApp contacts.
If you receive an unsolicited link from a contact that offers a free gift or money-off voucher, there is a high chance it may not be genuine and is a WhatsApp phishing scam. If an offer seems too good to be true, it most likely is.
The past year has seen a steady increase in the number of reported email account compromises, with the healthcare industry one of the main targets for hackers.
Some of those breaches have seen the protected health information of thousands of patients compromised, with the largest phishing attack in 2018 – The phishing attack on Boys Town National Research Hospital – seeing more than 105,000 patients’ healthcare information exposed. Due to reporting requirements under HIPAA, healthcare phishing attacks are highly visible, although email account compromises are occurring across all industry sectors and the problem is getting worse.
284% Increase in Email Account Compromises in a Year
The increase in successful phishing attacks has been tracked by Beazley, a provider of specialist insurance services. The company’s research shows the number of reported phishing attacks increased every quarter since Q1, 2017 when there were 45 reported breaches that involved email accounts being compromised. In Q2, 2018, there were 184 email account compromises reported. Between Q1, 2017 and Q1, 2018, the number of reported data breaches involving compromised email accounts increased by 284%.
Why are email account compromises increasing? What do hackers gain from accessing email accounts rather than say, gaining access to networks which store vast amounts of data?
It can take a significant amount of time and effort to identify a vulnerability such a missed patch, an exposed S3 bucket, or an unsecured medical device, and exploit it.
By comparison, gaining access to an email account is relatively easy. Once access is gained, accessing further email accounts becomes easier still. If a hacker can gain access to an email account with the right level of administrative privileges, it may be possible for the entire mail system of an organization to be accessed.
If a hacker can gain access to a single email account, the messages in the account can be studied to gain valuable information about a company, its employees, and vendors. The hackers can identify further targets within an organization for spear phishing campaigns – termed Business Email Compromise (BEC) attacks – and attacks on contractors and suppliers.
Once One Account is Breached, Others Will Follow
If an executive’s email account is compromised, it can be used to send requests for wire transfers to the accounts department, HR can be emailed requesting W2-Forms that contain all the information necessary for filing fake tax returns and for identity theft. Requests can be sent via email to redirect employees’ paychecks and phishing emails can be sent to other employees directing them to websites where they have to divulge their email credentials.
Figures from the FBI show just how lucrative these Business Email Compromise (BEC) phishing attacks can be. Since October 2013, more than $12.5 billion has been lost to BEC attacks, up from $5.3 billion in December 2016.
Once access to the email system is gained, it is much easier to craft highly convincing spear phishing emails. Past email conversations can be studied, and an individual’s style of writing emails can be copied to avoid raising any red flags.
Email Account Compromises Are Costly to Resolve
Beazley also notes that email account compromises are some of the costliest breaches to resolve, requiring many hours of painstaking work to manually checking each email in a compromised account for PII and PHI. One example provided involved a programmatic search of compromised email accounts to identify PHI, yet that search uncovered 350,000 documents that required a manual check. The cost of checking those documents alone was $800,000.
Beazley also notes that when investigating breaches, the breached entity often discovers that only half of the compromised email accounts have been identified. The data breaches are usually much more extensive than was initially thought.
Unfortunately, once access to a single email account is gained, it is much harder to prevent further email compromises as technological controls are not so effective at identifying emails sent from within a company. However, it is relatively easy to block the initial phishing attempt.
How to Prevent Email Account Compromises
Many companies fail to implement basic controls to block phishing attacks. Even when a phishing-related breach is experienced, companies often remain susceptible to further breaches. The Ponemon Institute/IBM Security Cost of a Data Breach study showed there is a 27.9% probability of a company experiencing a further breach in the 24 months following a data breach.
To prevent phishing attacks, companies need to:
Deploy an advanced spam filtering solution that blocks the vast majority of malicious messages
Provide ongoing security awareness training to all staff and teach employees how to identify phishing emails
Conduct regular phishing simulation exercises to reinforce training and condition employees to be more security aware
Implement two-factor authentication to prevent attempts to access email accounts remotely
Implement a web filter as an additional control to block the accessing of phishing websites
Use strong, unique passwords or passphrases to make brute force and dictionary attacks harder
Limit or prevent third party applications from connecting to Office 365 accounts, which makes it harder for PowerShell to be used to access email accounts for reconnaissance.
In recent weeks, several large healthcare data breaches have been reported that have seen cybercriminals gain access to employees’ email accounts and sensitive data, although the recently disclosed UnityPoint Health phishing attack stands out due to the huge number of individuals that have been impacted and the extent of sensitive data exposed.
UnityPoint Health is one of the largest healthcare systems serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees have been targeted in a phishing campaign that has seen several email accounts compromised. Those email accounts contained the sensitive information of approximately 1.4 million patients.
That not only makes this the largest phishing incident to have been suffered by a U.S. healthcare provider in 2018, it is also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever reported.
The UnityPoint Health phishing attack has seen highly sensitive data compromised, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment information, lab test results, medications, providers, dates of service, Social Security numbers, driver’s license numbers and, for a limited number of patients, their payment card information.
The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on businesses, access to email accounts was gained through the impersonation of a senior executive.
A series of spoofed emails were sent to employees that appeared to have come from a trusted executive’s email account. Employees who opened the email were instructed to click a link that required them to enter their email login information. That information was captured by the attackers who were then able to gain access to the employees’ email accounts.
The UnityPoint Health phishing attack potentially gave the hackers access to all the information stored in the compromised email accounts – Information that could be used for identity theft and fraud. It is unclear whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the primary goal was to divert payroll payments and to use account access to fool accounts department staff into making fraudulent wire transfers. It is unclear if any of those attempts succeeded.
This is also not the only UnityPoint Health phishing attack to be reported this year. In March, UnityPoint Health announced that 16,400 patients had been affected by a separate phishing attack that saw multiple email accounts compromised.
The latest incident has prompted the healthcare provider to implement new technology to detect phishing and BEC attacks, multi-factor authentication has been implemented, and additional security awareness training has been provided to employees. Credit monitoring and identify theft monitoring services have been offered to patients whose driver’s license or Social Security number has been exposed, and all patients have been notified by mail.
As the Ponemon Institute’s 2018 Cost of a Data Breach Study showed, the cost of these million-record+ data breaches is considerable. The average cost of such a breach was estimated to be around $40 million.
In 2017, data breach mitigation costs fell year-on year; however, that appears to be a blip. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute (on behalf of IBM Security) has revealed data breach mitigation costs have risen once again.
The Ponemon Institute conducts the Cost of a Data Breach Study every year. For the 2018 study, the Ponemon Institute conducted interviews with 2,200 IT, data security, and compliance professionals from 477 companies in 15 countries, including the United States, United Kingdom, Germany, France, Canada, Brazil, Japan and Australia. The companies represented in the study came from a wide range of industry sectors. Each of those companies had experienced a data breach in the past 12 months.
Naturally, the larger the breach, the higher the cost of mitigation is likely to be. Breaches involving millions of records would naturally cost more to resolve than breaches of 50,000 records. Catastrophic data breaches – those involving millions of records – are not normally included in the study. This year was the first time that mega data breaches – those involving more than 1,000,000 records – were included, although they were treated separately.
The analysis of the main part of the study involved breaches ranging from 2,500 records to a little over 100,000 records. The average breach size was 24,615 records globally, 31,465 records in the United States, 22,800 records in the UK, and 19,200 records in Japan.
The costs associated with those data breaches was analyzed using the activity-based costing (ABC) methodology. The ABC methodology identified four process-related activities and assigned costs based on actual use. Those activities were Detection and Escalation, Post Data Breach Response, Breach Notifications, and Lost Business Cost. The analysis identified the average total cost of a data breach taking all four activity areas into account.
The study also revealed measures taken prior to the breach, during, and after, that can limit losses or increase data breach mitigation costs.
Average Data Breach Mitigation Costs Have Reached $3.86 Million
A data breach now costs an average of $3.86 million to revolve. Last year, the average cost of a data breach was $3.62 million. Data breach costs have therefore increased by 6.4% in the space of a year.
On average, per capita data breach mitigation costs rose by 4.8%, with a data breach costing, on average, $148 per record. Last year, the global average was $141 per record.
In addition to the rising cost, the severity of the breaches also increased, with the data breaches in this year’s sample impacting 2.2% more individuals on average.
Data breaches cost more to resolve in the United States than any other country. The average data breach mitigation costs in the United States is $7.91 million per breach. The lowest costs were in India, where the average breach cost was $1.77 million. The highest per capita costs were also in the United States at £233 per record.
Hackers and malicious insiders caused the most breaches and they were also the costliest to resolve at $157 per record. System glitches cost an average of £131 per record and breaches caused by human error cost the least at $128 per record.
Data breach costs varied considerably by industry sector, with healthcare data breach mitigation costs the highest by some distance at an average of $408 per record, followed by financial services breaches at $206 per record, services at $181 per record, and pharmaceutical industry breaches at $174 per record. Breaches in the education sector cost an average of $166 per record, retail industry breaches were $116 per record, and the lowest data breach mitigation costs were in the public sector at $75 per record.
The study of mega data breaches revealed a breach of 1 million records costs an estimated $39.49 million to resolve, while a breach of 50 million records costs an estimated $350 million. Since there were only 11 breaches of more than 1 million records in the sample it was not possible to accurately calculate the average cost of these breaches.
What Factors Affect Data Breach Mitigation Costs the Most?
For the study, 22 different factors were assessed to determine how they affected data breach mitigation costs. The most important cost saving measures that can be taken to reduce the cost of a data breach are having an incident response team ($14 less per record), widespread use of encryption ($13.1 less per record), BCM involvement ($9.3 less per record), employee training ($9.3 less per record), participation in threat sharing ($8.7 less per record) and use of an artificial intelligence platform ($8.2 less per record).
The main factors that increased data breach mitigation costs were third party involvement ($13.4 more per record), extensive cloud migration at the time of the breach ($11.9 more per record), compliance failures ($11.9 more per record), extensive use of mobile platforms ($10.0 more per record), lost or stolen devices ($6.5 more per record), and extensive use of IoT devices ($5.4 more per record).
With the cost of data breaches rising, more cyberattacks being conducted, and the likelihood of a breach being experienced now higher, it is essential not only for companies to implement layered security defenses, but also to make sure they are prepared for the worst.
Companies need to assume a breach will be experienced and policies and procedures need to be developed to deal with the breach when it happens. An incident response team should be prepared to spring into action to ensure everyone known what needs to be done when disaster strikes. The sooner a breach is identified and mitigated, the lower the breach mitigation costs will be.
There has been a major increase in cryptojacking attacks in recent months. Many cybercriminal gangs now favoring this method of attack over ransomware and other forms of malware and are taking advantage of the high value of cryptocurrencies.
As with ransomware attacks, cybercriminals need to install malicious code on computers. Instead of encrypting files like ransomware, the code is used to mine for cryptocurrency. Mining cryptocurrencies involves a computers CPU being used to solve complex computational problems, which are necessary for verifying cryptocurrency transactions and adding to the blockchain. In exchange for verifying transactions, the miner is paid a small amount for the effort.
Devoting one computer to the task of cryptocurrency mining could generate a few dollars a day. Using multiple computers for the task can generate a substantial return. The more computers that are used, the more blocks can be added to the blockchain and the greater the profits. When a network of cryptocurrency mining slave computers can be amassed, the profits can be considerable. According to Kaspersky Lab, one cryptojacking gang that focusses on infecting enterprise servers and spreading the malicious code using NSA exploits, has generated around 9,000 Monero, which equates to $2 million.
Not all computers are suitable for mining cryptocurrency. One cybercriminal gang has got around this by developing malware that can decide whether to deploy a cryptocurrency miner or ransomware, with the decision based on the processing power of the computer. If its not suitable for use mining cryptocurrency, ransomware is deployed. This tactic helps maximize profits after compromising a device.
The use of cryptocurrency miners increased sharply last year as the value of cryptocurrencies started to soar. The price of those cryptocurrencies may have fallen, but cryptojacking attacks are still on the rise. The volume of new cryptojacking malware variants has also increased considerably over the past few months. Figures from McAfee indicate the number of cryptojacking malware variants increased by a staggering 1,189% in the first three months of 2018 alone, rising from around 400,000 malware variants to more than 2.9 million.
Over the same time frame, there has been a fall in the number of ransomware attacks. In Q1, ransomware attacks fell by around 32%, indicating threat actors who previously used ransomware to make money have changed their tactics and are now using cryptocurrency miners.
Ransomware attacks falling by a third is certainly good news, although the threat from ransomware cannot be ignored. Steps must be taken to prevent the installation of the file encrypting code and good backup practices are essential to ensure files can be recovered in the event of an attack. Certain industries face a higher risk of ransomware attacks than others, such as the healthcare industry, where attacks are still rife.
Cryptojacking attacks are more widespread, although the education sector has proven to be a major target. Many mining operations have been discovered in the education sector, although it is unclear whether these mining operations are legitimate, computers are being used by students to mine cryptocurrency, or if educational institutions are being targeted.
One thing is clear. As the value of cryptocurrencies rose, the number of mining attacks increased. That suggests that should prices fall, cybercriminals will switch to other types of attacks, and there could be a resurgence in ransomware attacks.
It could be argued that the installation of cryptocurrency mining malware on a computer is far less of a problem than ransomware or other forms of malware. When the CPU is mining cryptocurrency, the user is likely to find their computer somewhat sluggish. This can result in a drop in productivity. Heavy processing can also cause computers to overheat and hardware damage can result.
Cryptojacking malware is usually installed by a downloader, which can remain on a computer. If the profits from mining cryptocurrency fall, new malware variants could easily be downloaded in its place. Cryptocurrency mining malware can also be bundled with other malware variants that steal sensitive information. Cryptojacking attacks are therefore a major threat.
Protecting against cryptojacking attacks involves the same security controls that are used to block other forms of malware. Cryptojacking malware can be installed by exploiting vulnerabilities so good patch management is essential. Spam and phishing emails are used to install malware downloaders, so an advanced spam filtering solution is a must. Web filters can prevent web-based mining attacks and malware downloads and offer an important extra layer of protection. It is also important not to neglect end users. Security awareness training can help to eradicate risky behaviors.
Additionally, security audits should be conducted, first to scan for the presence of cryptojacking malware, which includes searching for anomalies that could indicate the presence of the malware. Those audits should include servers, end points, POS systems, and all other systems. Any system connected to the network could potentially be used for mining cryptocurrency.
Rakhni ransomware, a malware variant first detected in 2013, has spawned many variants over the past three years and is still an active threat. Rakhni ransomware locks files on an infected device to prevent the user from accessing their data. A ransom demand is issued and if payment is made, the attackers will supply the keys to unlock the encryption. If the ransom is not paid the files will remain encrypted. In such cases, the only option for file recovery is to restore files from backups.
Now the developers of Rakhni ransomware have incorporated new functionality. Checks are performed on an infected device to determine whether it has sufficient processing power to be used as a cryptocurrency mining slave. If so, cryptocurrency mining malware will be downloaded. If not, ransomware will be deployed.
This new development should not come as a major surprise. The massive rise in the value of many cryptocurrencies has made mining cryptocurrencies far more profitable for cybercriminals than ransomware. When ransomware is installed, many victims choose not to pay and instead recover files from backups. Infection is no guarantee that a payment will be received. If a cryptocurrency miner can be installed, it gets straight to work generating money for the attackers. Ransomware attacks are still a major threat, although many cybercriminals have switched their operations to mining cryptocurrencies. In fact, cryptocurrency mining malware attacks are now much more common than ransomware attacks.
However, not all computers have sufficient CPU processing power to make cryptocurrency mining worthwhile, so the method used by the threat actors behind Rakhni ransomware helps them maximize their profits.
The new Rakhni ransomware campaign was detected by researchers at Kaspersky Lab. The malware used is Delphi-based and is being distributed in phishing emails containing a Microsoft Word file attachment.
The user is advised to save the document and enable editing. The document contains a PDF file icon which, if clicked, launches a fake error message suggesting the DLL file required to open the PDF file has not been found. The user needs to click on the OK box to close the error message.
When the error box is closed, the malware performs a series of checks on the machine to identify the processes running on the device and assesses those processes to determine if it is running in a sandbox environment and the likelihood of it being able to run undetected. After these checks have been performed the system is assessed to determine its capabilities.
If the machine has more than two processors and does not have a Bitcoin folder in the AppData folder, a cryptocurrency miner will be installed. The cryptocurrency miner uses fake root certificates which show the program has been issued by Microsoft Corporation to help disguise the miner as a trusted application.
If a Bitcoin folder does exist, certain processes will be stopped, and Rakhni ransomware will be downloaded and run. If there is no Bitcoin folder and only one processor, the malware will use its worm component and twill attempt to spread to other devices on the network where the process starts over.
Advanced anti-virus software can provide protection against this attack, while spam filtering solutions can prevent the phishing emails from being delivered to end users. Businesses should also ensure that their employees are made aware of the risk of these types of attacks through security awareness training. Employees should be instructed never to open attachments in emails from unknown senders and taught the warning signs of a potential attack in progress. Naturally, good data backup practices are essential to ensure that if all other controls fail, files can be recovered without paying a ransom.
A major Children’s Mercy Hospital phishing attack has highlighted the importance of implementing effective spam filtering controls and the need to provide security awareness training to end users.
Phishing is a method of fraudulently obtaining sensitive information through deception. While attacks can occur over the telephone, via social media sites, or through text messages and chat platforms, the most common attack vector is email.
Convincing emails are sent to end users urging them to open an email attachment or to click on a malicious link. Attachments are used to install malware, either directly through malware attached to the email, or more commonly, using macros or other malicious code in documents which download scripts that in turn download the malicious payload.
In the case of embedded hyperlinks in emails, they typically direct an end user to a website that asks them to login. The website could ask for their email credentials, appear to be a Google login box, Dropbox login page, or other file sharing platform. Disclosing login credentials on that webpage sends the information to the attackers. These login pages are convincing. They look exactly like the sites that they are spoofing.
That was the case with the Children’s Mercy Hospital phishing attack. The Kansas City, MO, hospital received several phishing emails which directed employees to fake login pages on criminally-controlled websites.
The phishing attack occurred on or shortly before December 2, 2017. On Dec 2, Children’s Mercy’s security team identified authorized access to two employees’ email accounts. Access to the accounts was blocked the same day and the passwords were reset. Two weeks later, on December 15 and Dec 16, two further email accounts were accessed by unauthorized individuals. Again, unauthorized access was detected and blocked the same day. A fifth email account was accessed on January 3, 2018 with access blocked the following day.
The prompt action in response to the Children’s Mercy phishing attack limited the potential for those email accounts to be abused. When criminals gain access to email accounts they often use them to send further phishing emails. Since those emails come from a legitimate email account, the recipients of the messages sent from that account are more likely to open the emails as they come from a trusted source. That is why business email compromise scams are so effective – because employees trust the sender of the email and take action as requested in the belief that they are genuine communications.
In the case of the Children’s Mercy phishing attack, the criminals acted quickly. Following a forensic investigation into the attacks, Children’s Mercy discovered on January 19, 2018, that even though access to the accounts was promptly blocked, the attackers had successfully downloaded the mailboxes of four of the five employees. The messages contained a wide range of protected health information (PHI) of 63,049 patients.
The PHI included information such as name, gender, age, height, weight, BMI score, procedure dates, admission dates, discharge dates, diagnosis and procedure codes, diagnoses, health conditions, treatment information, contact details, and demographic information.
While Social Security numbers, insurance information, and financial data were not obtained – information most typically required to commit fraud – such detailed information on patients could be used in impersonation attacks on the patients. It would be quite easy for the attackers to pretend they were from the hospital and convince patients to provide their insurance information for example, which could then be used for medical identity fraud.
Due to the scale of the attack and number of emails in the compromised accounts, it has taken a considerable time to identify the individuals affected. The Kansas City Star reports that some patients are only just being notified.
In response, the hospital implemented 2-factor authentication and other technical controls to prevent further attacks.
2-factor authentication is an important security measure that provides protection after a phishing attack has occurred. If login credentials are supplied, but the location or the device used to access the account is unfamiliar, an additional method of authentication is required before access to the account is granted – a code sent to a mobile phone for example.
Two of the most effective security controls to prevent credential theft via phishing are spam filters and security awareness training.
An advanced spam filter is an essential security measure to block phishing attacks. The changing tactics of cybercriminals means no spam filtering solution will be able to block every single phishing email, although SpamTitan, a highly effective spam filtering solution with advanced anti-phishing protections, blocks more than 99.97% of spam and malicious emails to ensure they do not arrive in end users’ inboxes.
Security awareness training helps to prevent employees from clicking on the small percentage of messages that get past perimeter defenses. Employees need to be trained to give them the skills to identify phishing attempts and report them to their security teams. An ongoing training program, with phishing simulation exercises, will help to condition employees to recognize threats and respond appropriately. Over time, phishing email detection skills will improve considerably.
An effective training program can limit the number of employees that respond to phishing attacks, either preventing the attackers from gaining access to email accounts or severely limiting the number of employees who respond and disclose their credentials.
The Children’s Mercy phishing attack is one of many such attacks on healthcare organizations and businesses, and as those attacks increase and more data is obtained by criminals, implementing advanced phishing protections has never been more important.
For further information on email security controls that can prevent phishing attacks, contact the TitanHQ team today and enquire about SpamTitan.
A recent survey of members of the Spiceworks community investigated the use of web filtering by businesses and the effect of web filtering on security and productivity. The survey was conducted on 645 members of its professional network based in the United States and Europe from a wide range of industries including healthcare, finance, and manufacturing.
Web filtering is an important security control that can provide an additional layer of protection against malware and phishing attacks. Web filters can also be used to improve the productivity of the workforce by limiting access to certain types of websites. The Internet can help to improve productivity, although it can also prove a temptation for workers and a major distraction. When a complicated report must be produced, cat videos can be especially tempting.
The survey sought to find out more about the effect of web filtering on security and productivity, how web filters are being used by businesses, the amount of time that employees are wasting on personal Internet use, and the types of websites that businesses are blocking to improve productivity.
Web Filtering is Used by the Majority of Businesses
The survey revealed widespread use of web filters by businesses. Overall, 89% of organizations have implemented a web filter and use it to block certain types of productivity-draining Internet content such as social media websites, dating sites, gambling sites, and streaming services.
The larger the business, the more likely it is that Internet content control will be implemented. 96% of large organizations (1,000+ employees) use web filters to limit employee Internet activity. The percentage drops to 92% for mid-sized businesses (100-999 employees) and 81% for small businesses (up to 99 employees). 58% of organizations said they use a web filtering solution to monitor Internet use by employees.
The survey asked IT professionals who have not implemented a web filtering solution how many hours they think employees are wasting on personal Internet use each week. 58% of employees were thought to waste around 4 hours a week on personal internet use and around 26% of workers spend more than 7 hours a week on non-work-related websites. Without a web filter, most employees will spend around 26 days a year on personal Internet use which, based on average earnings, corresponds to $4,500 paid per employee to slack off on the Internet.
Compare that to the figures for companies that restrict access to at least one category of website and the percentages fall to 43% of employees spending more than 4 hours a week on personal Internet use and 18% who spend more than 7 hours a week on non-work-related websites. The biggest drain of productivity was social media sites, with the figures falling to 30% of employees spending more than 4 hours a week on non-work-related sites when social media sites were blocked.
What are the Most Commonly Blocked Websites?
How are web filters used by businesses and what types of website are most commonly blocked? Unsurprisingly, the most commonly blocked websites were illegal sites and inappropriate sites (pornography for example). Both categories were blocked by 85% or organizations.
After that, the most commonly blocked category of content was dating sites – blocked by 61% of organizations. Businesses are more permissive about the use of social media websites, with only 38% blocking those sites, while instant messaging services were blocked by 34% of organizations. Even though they can be a major drain on bandwidth, streaming services were only blocked by 26% of companies.
What are the Main Reasons for Implementing a Web Filter?
While Internet content control – in some form – has been implemented by the majority of companies, it was not the main reason for implementing a web filter. Money could be saved by improving productivity, but the biggest reason for implementing a web filter was security. 90% of businesses said they had implemented a web filter to protect against malware and ransomware infections and with good reason: Inappropriate Internet access leads to data breaches.
38% of surveyed companies said they had experienced a data breach in the past 12 months as a result of employees visiting non-work-related websites, most commonly webmail services (15%) and social media sites (11%).
Other reasons for implementing a web filter were to block illegal activity (84%) and discourage inappropriate Internet access (83%). 66% of organizations use a web filter to avoid legal liability while 57% used web filters to prevent data leakage and block hacking.
Web Filtering from TitanHQ
TitanHQ has developed an innovative web filtering solution for businesses that helps them improve their security posture, block malware downloads, prevent employees from visiting phishing websites, and limit personal Internet use.
WebTitan Cloud is a 100% cloud-based web filtering solution that can be easily implemented by businesses, without the need for any hardware purchases or software downloads. The solution has excellent scalability, is cost effective, and easy to configure and maintain.
The solution provides Internet content control and malware protection regardless of the device being used to access the Internet and the solution can provide malware protection and allow content control for on-site and remote workers.
Granular controls ensure accurate content filtering without overblocking, time-based filters can be set to restrict access to certain websites at busy times of the day, and different policies can be applied at the organization, department, group, or individual level.
If you have not yet implemented a web filtering solution, are unhappy with your current provider or the cost of your solution, contact the TitanHQ team today and find out more about WebTitan.
A database of U.S. consumer information has been left unsecured online by the marketing firm Exactis. At 340 million records, this is the largest data breach of 2018.
The Largest Data Breach of 2018 by Some Distance
You will probably be unaware of the existence of the Palm Coast, FL-based data broker Exactis, but chances are the firm has heard of you. The firm holds 3.5 billion consumer, business and digital records while its email database contains 500 million consumer emails and 16 million business emails.
One database maintained by the firm contains around 340 million records, including 230 million consumer records and 110 million records of businesses. That database was recently discovered to have been left exposed on the Internet. The database could be accessed without any authentication. Anyone who knew where to look would have been able to access the database. At least one person did.
Security researcher Vinny Troia who runs NightLion Security, a New York consultancy firm, was searching online for instances of Elasticsearch databases. Troia was curious about the security of the databases as they are designed to be easily queried over the Internet. Troia searched for the databases using the search engine Shodan. Shodan is a search engine that allows people to find specific types of computers that are connected to the Internet.
Troia discovered more than 7,000 Elasticsearch databases that were visible on publicly accessible servers with U.S. IP addresses and set about determining which, if any, had data exposed on the Internet. He wrote a script that queried those databases and searched for keywords that would indicate they contained sensitive information – fields such as date of birth.
2 Terabytes of Data Exposed
One database stood out due to the amount of data it contained – around 2 terabytes of data. The database was not protected by a firewall and could be accessed without authentication. The database was discovered to contain huge numbers of detailed records about consumers. Troia noted, “It seems like this is a database with pretty much every U.S. citizen in it… it’s one of the most comprehensive collections I’ve ever seen.”
He discovered the records contained up to 150 data fields, with highly detailed information on consumers including names, addresses, phone numbers, email addresses and descriptions of the person, including information such as the estimated value of their home, hobbies, mortgage provider, ethnic group, whether the individual owns any stock, their religion, if they have made political donations, number of children, people in the household, whether they are smokers, if they own any pets…the list goes on and on.
While the database did not contain Social Security numbers or financial information, the data could be used by scammers in spear phishing campaigns, telephone scams and social engineering attacks. Around half the records contained email addresses, making it particularly valuable to spammers.
Troia said he is certainly not the only person who has searched for Elasticsearch databases, and the database was easy to find using Shodan: A popular search engine with white hat and black hat hackers. It is unknown whether anyone else found the database, but Troia explains that it would not be hard for anyone to find it. He could not be sure how long the database had been exposed online, but said it was at least 2 months.
After identifying an IP address which he believed belonged to the owner, Troia contacted two hosting companies, one of which notified Exactis. Troia also alerted the FBI. Exactis made contact with Troia and the database has now been secured and is no longer accessible.
At 340 million records, this the largest data breach of 2018 and one of the largest breaches ever discovered. The breach is more than twice the size of the Experian data breach of last year, although not on the scale of the Yahoo data breach that contained around 3 billion records. However, the types of information exposed potentially make the breach far more serious than Yahoo’s.
A database containing such detailed information on consumers should not have been left exposed. Safeguards should have been in place to alert the company that security protections had either been turned off or had not been implemented.
This security breach certainly stands out in terms of scale, but it is sadly only one of many that have been identified in recent months involving databases left freely accessible over the Internet.
The FBI has published its 2017 Internet Crime Report, which details the main types of online crime reported to its Internet Crime Complaint Center (IC3).
In 2017, businesses and consumers reported 301,580 incidents to IC3 and more than $1.4 billion was lost to cybercriminals. Of course, these are only reported losses. Many Internet crimes go unreported, so the true losses are likely to be substantially higher.
2017 saw more complaints of Internet crime than any other year since 2013 when the reports first started to be published.
Identity theft and corporate data breaches often make the headlines, although by far the biggest area of criminal activity are business email compromise (BEC) scams – or email account compromise (EAC) when the scams target individuals.
Business Email Compromise Scams – The Main Cause of Losses in 2017
More than three times as much money was lost to BEC and EAC scams than the next highest cause of losses: confidence fraud/romance scams. In 2017, the reported losses from BEC/EAC scams was $676,151,185.
Business email compromise and email account compromise scams involve the use of a compromised email account to convince individuals to make transfers of funds to accounts controlled by criminals or to send sensitive data via email.
BEC scams usually start with compromising the email account of the CEO, CFO or another board member – which is why this type of scam is also known as CEO fraud. Access to the executive’s email account is gained via brute force guessing of passwords or, most commonly, social engineering techniques and phishing scams.
Once access to the email account is gained, an email conversation is initiated with another member of the workforce, typically an individual responsible for making wire transfers. That individual is instructed to make a transfer to a new bank account – that of the attacker. Alternatively, the data of employees is requested – W2 Forms – or other sensitive company information. These scams often involve large transfers of funds. In 2017 there were 15,690 such scams reported to IC3, making the average loss $43,094.
Phishing Extensively Used in Internet Crime
Phishing, vishing, smishing and pharming were grouped together. They ‘only’ resulted in losses of $29,703,421, although the losses from these crimes are difficult to calculate accurately. The losses associated with phishing are grouped in many other categories. BEC scams often start with a phishing attack and research from Cofense suggests 91% of corporate data breaches start with a phishing email.
The 2017 Internet Crime Report reveals the extent to which phishing is used in cyberattacks. There were 25,344 phishing incidents reported to IC3 in 2017 – the third highest category of Internet crime behind non-payment/non-delivery and personal data breaches. Many personal data breaches start with a phishing email.
Ransomware Attack Mitigation Proves Expensive
In addition to the threat of BEC attacks, the FBI’s 2017 Internet Crime Report warns of the threat from ransomware. Ransomware only resulted in reported losses of $2.3 million and attracted 1,783 complaints, although it is worthy of a mention due to the considerable disruption that attacks can cause. The reported losses – in terms of the ransoms paid – may be low, but actual losses are substantially higher. The ransomware attack on the City of Atlanta in April 2018 saw a ransom demand of $52,000 issued, although the actual cost of mitigating the attack was reported to be at least $2.7 million in April. However, in June 2018, city Information Management head Daphney Rackley indicated a further $9.5 million may be required over the coming year to cover the cost of mitigating the attack.
Tech Support Fraud Losses Increased by 90%
Another hot topic detailed in the 2017 Internet Crime Report is tech support fraud – This is a widespread scam where individuals are fooled into thinking they have a computer problem such as a virus or malware installed, when they do not. Calls are made warning of detected malware, and users are directed to malicious websites via phishing emails where pop-up warnings are displayed, or screen lockers are used.
These scams usually require the victim to pay the scammer to remove a fictitious infection and provide them with remote access to a computer. In addition to the scammers charge for removing the infection, sensitive data such as usernames, passwords, Social Security numbers, and bank account information are often stolen. 2017 saw a 90% increase in losses from tech support scams.
Protecting Against Internet Crime
One of the most important defenses for businesses to implement to protect against the leading cause of financial losses is an advanced spam filtering solution. Business email compromise scams often start with a phishing email and effective spam filtering will reduce the potential for email accounts to be compromised. Ransomware and malware are also primarily distributed via email. An advanced spam filter such as SpamTitan will block 100% of all known malware and prevent malicious messages from being delivered to inboxes.
Security awareness training is also essential. Malicious messages will make it past spam filtering solutions on occasion, so it is important for all end users to be prepared for malicious messages and taught security best practices. Training should be provided to every individual in the company with a corporate email account or access to an Internet facing computer, including board members.
A web filtering solution is also an important consideration. A web filter is an additional anti-malware control that can be used to prevent employees from visiting malicious websites – either via links in emails, redirects, or through general web browsing. A web filter, such as WebTitan, will block ransomware and malware downloads and prevent end users from accessing the types of phishing websites used to initiate BEC attacks.
These three cybersecurity measures should be part of all organizations’ cybersecurity defenses. They will help to prevent businesses from being included in next year’s FBI Internet Crime Report.
TitanHQ, the award-winning provider of email and web security solutions to SMBs, has partnered with the networking giant Datto. The partnership has seen TitanHQ integrate its cutting-edge cloud-based web filtering solutions – WebTitan Cloud and WebTitan Cloud for Wi-Fi – into the Datto networking range.
Datto was formed in 2007 and fast became the leading provider of MSP-delivered IT solutions to SMBs. The company selects the best products and tools for its MSP partners to allow them to meet the needs of their clients and improve their bottom lines.
The company’s solutions include data backup and disaster recovery solutions, cloud-to-cloud data protection services, managed networking services, professional services automation, remote monitoring and management tools, and a wide range of security solutions.
Now that TitanHQ’s DNS-based web filtering solutions have been included, MSPs can offer their clients even greater protection from malware and phishing threats.
WebTitan Cloud and WebTitan Cloud for WiFi use a combination of AI-based services and human-supervised machine learning to block Internet-based threats. The solutions provide real-time protection against malicious URLs and phishing sites by preventing end users from visiting malicious webpages. The solutions also allow companies to carefully control the Internet content that can be accessed through their wired and wireless networks.
The MSP-friendly solutions can be rapidly deployed by MSPs, without the need for site visits, software installations or additional hardware purchases. The multi-tenant solutions allow all client deployments to be managed through a single, intuitive administration console and can be configured in minutes.
MSPs are also offered multiple hosting solutions, including hosting WebTitan in their own environment, and the solutions can be provided in full white-label format.
“We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers,” said TitanHQ CEO, Ronan Kavanagh.
“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”
TitanHQ is a sponsor of the upcoming DattoCon 2018 conference – The largest MSP event in the United States. The full TitanHQ team will be in attendance and Datto’s MSP partners can come and meet the team and see WebTitan in action.
In addition to showcasing WebTitan Cloud, MSPs will also be able to find out more about SpamTitan – TitanHQ’s 100% cloud-based spam filtering solution, and ArcTitan – Its MSP-friendly email archiving solution.
DattoCon 2018 runs from June 18-20 in Austin, Texas at the Fairmont Austin Hotel. The TitanHQ team will be at booth #66 in the exhibition hall for all three days of the conference.
A recent study of commonly used passwords by Dashlane/Virginia Tech has revealed some of the worst passwords of 2018.
For the study, Virginia Tech researchers provided Dashlane with an anonymized copy of 61.5 million passwords. The password list was created from 107 individual lists of passwords available on forums and in data archives, many of which have come from past data breaches.
The analysis of the list revealed many common themes. These include the names of favorite sports teams: In the UK, common password choices were liverpool, chelsea and arsenal – the leading soccer teams in the premier league.
Popular brand names were also chosen, such as cocacola, snickers, mercedes, skittles, mustang, and playboy. MySpace and LinkedIn were also common choices, alarmingly, to secure accounts on those sites.
Bands and movie references were often used, with Spiderman, superman, starwars, and pokemon all common choices as were expressions of frustration – a**hole, bull****, and f***you were often chosen.
The Dashlane report shows that despite warnings about the risk of using easy-to-remember passwords, end users are still choosing weak passwords. One particularly worrying trend is the use of seemingly secure passwords, which are anything but secure.
1q2w3e4r5t6y and 1qaz2wsx3edc may appear to be relatively secure passwords; however, how they are created makes them easy to guess. They are certainly better than “password” or letmein” but not by much.
The passwords are created by a process that Dashlane calls password walking – the use of letters, numbers, and symbols next to each other on a keyboard. Simpler variations on this theme are qwerty and asdfghjk. To get around password rules, the same technique is used with the incorporation of capital letters and symbols.
The study shows that even though many companies require end users to set strong passwords, employees ignore password advice or choose passwords that pass security checks but are really not that secure.
What Makes a Good Password?
A good password will not be in the dictionary, will not use sequential numbers or be created by walking fingers along a keyboard. Brand names and locations should also be avoided. Passwords should be a minimum of 8 characters and should be unique – never used before by the user, and never reused on a different platform.
Passwords should include at least one capital letter, lowercase letter, symbol and number. If all lowercase letters are used, each letter in the password could be one of 26 letters. Add in capitals and the possible options double to 52. There are 10 digits, increasing the options to 62, and let’s say 32 special characters, bringing the total up to 94 options. With so many options and possible combinations, randomly generated passwords are particularly difficult to guess. However, randomly generated passwords are also particularly difficult to remember.
Recently, that problem has been recognized by the National Institute of Standards and Technology (NIST), which has revised its advice on passwords (See special publication 800-63B).
While the use of random strings of characters and symbols makes passwords particularly difficult to guess and more resilient to hackers’ brute force password guessing tactics, end users have trouble remembering their passwords and that leads to particularly risky behaviors such as writing the password down or storing it in a browser.
NIST now suggests the use of longer passphrases rather than passwords – Iboughtacarwithmyfirstpaypacket or ifihadahorseIwouldcallitDave– for example. Passphrases are more user-friendly and easier to remember, but are still secure – provided a sufficient number of characters are used. If passphrases are encouraged rather than difficult to remember passwords, end users will be less likely to set passwords that meet strong password guidelines but are not particularly secure – LetMeIn! for example.
The minimum number of characters can be set by each organization, but rather than restricting the characters at 16, companies should consider expanding this to at least 64. They should also accept all printable ASCII characters, including spaces, and UNICODE characters.
Since some end users will attempt to set weak passwords, it is important to incorporate controls that prevent commonly used passwords from being chosen. Each password choice should be checked against a blacklist before it can be set.
The UK Government’s Department for Digital, Culture, Media, & Sport has published its Cybersecurity Breaches Survey for 2018. The survey, conducted by Ipsos MORI, was a quantitative and qualitative survey conducted in the winter of 2017 on 1,519 UK businesses and 569 UK registered charities.
The purpose of the cybersecurity breaches survey was to identify the nature and significance of cyberthreats, determine how prevalent cyberattacks are, and what is being done to prevent such attacks.
The cybersecurity breaches survey revealed UK businesses and charities are being targeted by cybercriminals intent on gaining access to sensitive information, email accounts, corporate networks, and bank accounts and attacks are on the rise.
43% of businesses and 19% of charities experienced a cybersecurity breach or cyberattack in the past 12 months with large businesses and charities more likely to be attacked. 72% of large businesses – those with more than 250 employees – and 73% of large charities – with incomes over £5 million – experienced a cyberattack in the past year.
While not all security breaches result in material losses such as theft of data or personal information, when there is a material outcome the costs can be significant. The average costs of breaches with a material outcome is £3,100 for businesses and £1,030 for charities, although the larger the business, the greater the cost. Medium sized businesses have average costs of £16,100 and large businesses have an average breach cost of £22,300.
The high probability of a breach occurring and the high cost of remediating breaches has seen cybersecurity become a priority for senior managers. The percentage of businesses (74%) and charities (53%) that say cybersecurity is a high priority has risen year on year and the percentage of businesses (30%) and charities (24%) that say cybersecurity is a low priority has fallen once again. Cybersecurity is also now a high priority for many small businesses (42%) having risen from 33% last year when the survey was conducted. Cybersecurity may be a high priority, but just 3 out of 10 businesses and under a quarter of charities have board members with a responsibility for cybersecurity.
The most common type of breaches and cyberattacks involve fraudulent emails directing employees to malicious websites. 75% of UK businesses and 74% of UK charities that experienced a breach in the past year experienced these types of attacks. Email impersonation attacks were the second most common breach type with 28% of UK businesses and 27% of UK charities saying they had experienced these types of incidents in the past 12 months.
Not only are these types of attacks common, they also cause the most disruption. 48% of UK businesses and charities said fraudulent emails and being directed to malicious websites caused the most disruption out of all cybersecurity breaches experienced, well ahead of malware infections which were rated as the most disruptive cyberattacks by 13% of UK businesses and 12% of UK charities.
The cybersecurity breaches survey clearly highlights the importance of implementing robust defenses to prevent malicious emails from being delivered to employees’ inboxes and to ensure staff are well trained and taught how to identify malicious emails.
TitanHQ offers two cybersecurity solutions that can help UK businesses block the most common and most disruptive types of cyberattack. SpamTitan is a powerful spam filtering solution that blocks more than 99.97% of spam emails and 100% of known malware from being delivered to end users’ inboxes.
WebTitan is a cloud-based web filtering solution that prevents employees from visiting malicious websites, such as those used in phishing emails to steal credentials and spread malware. Implementing these solutions is far cheaper than having to cover the cost of remediating cyberattacks.
There is also clearly a problem with training in the UK. Only 20% of UK businesses and 15% of UK charities have had staff attend internal or external cybersecurity training in the past year, even though security awareness training has clearly been shown to be effective at reducing susceptibility to email-based attacks.
According to data from the UK’s fraud tracking team, Action Fraud, there has been a massive rise in TSB phishing scams in the past few weeks. Customers of TSB have been duped into handing over their online banking credentials to scammers. Action Fraud is now receiving around 10 complaints a day from TSB customers who have fallen for phishing scams.
A Nightmare Scenario for TSB Customers
The problem that made the scams possible was the separation of the TSB banking system from Lloyds Bank, of which TSB was part until 2015. TSB moved over to a new core banking system provided by Banco Sabadell, the Spanish bank which took over TSB. That transition happened in April. Unfortunately for TSB and its customers, it did not go smoothly.
While migrating customer information to the new core banking system, many customers were locked out of their accounts and were unable to access their money. Some customers were presented with other customers’ bank accounts when they logged in online, and there have been cases of customers having money taken from their accounts without authorization, and transfers have been made to the wrong bank accounts. It is almost June, and the problems have still not been completely resolved.
Customers starting to experience problems over the weekend of 21/22 April and the problems were understandably covered extensively by the media with many customers taking to Social Media sites to vent their spleens over the chaos. For scammers, this was too good an opportunity to miss.
Action Fraud had received more than 320 reports of TSB phishing scams in the first three weeks in May. There were only 30 reports of such scams in the entire month of April. That’s an increase of 969%.
TSB Phishing Scams Soar
The situation was ideal for scammers. Many TSB customers could not access their accounts, so there was little chance of customers realizing they had been defrauded until it was too late.
TSB staff were overworked dealing with the IT problems and its helplines were overwhelmed with calls from customers unable to access their money. When customers realized they had been scammed they were unable to contact the bank quickly. There have been reports of customers seeing money taken from their accounts while they were logged in, yet they could not get through to customer support to stop transfers being made.
The TSB phishing scams used a combination of SMS messages, emails, and telephone calls to obtain customers banking credentials. As is typical in these types of scams, customers were sent links and were asked to use them to login to their accounts. The websites the bank’s customers visited looked exactly how they should. The only sign that the website was not genuine was the URL, otherwise the website was a carbon copy of the genuine TSB website.
Many victims of the scam had received an email or text messages, which was followed up with a voice call to obtain the 2-factor authentication code that would allow the scammers to gain access to the victim’s account. While the requests from the scammers may have seemed unusual or suspicious, this was an unusual situation for TSB customers.After that information was obtained, the scammers went to work and emptied bank accounts.
According to data from cybersecurity firm Wandera, TSB has now jumped to second spot in the list of the financial brands most commonly used in impersonation attacks. Prior to the IT problems, TSB wasn’t even in the top five.
With the bank’s IT issues ongoing, the TSB phishing scams are likely to continue at high levels for some time to come. The advice to TSB customers is to be extremely wary of any email, text message or call received from TSB bank. Scammers can spoof email addresses and phone numbers and can make text messages appear as if they have been sent by someone else.
Data breach costs have risen considerably in the past year, according to a recent study of corporate IT security risks by Kaspersky Lab. Compared to 2016, the cost of a data breach for enterprises increased by 24% in 2017, and by even more for SMBs, who saw data breach costs rise by 36% in 2017.
The average cost of data breach recovery for an average-sized enterprise is now $1.23 million per data breach, while the cost for SMBs is now $120,000 per incident.
For the study, Kaspersky Lab surveyed 6,614 business decision makers. Respondents were asked about the main threats they have to deal with, cybersecurity incidents they have experienced in the past year, how much they spent resolving those incidents, and how that money was spent.
When a data breach is experienced, the costs can quickly mount. Enterprises and SMBs must contain the attack, scan systems for malware and backdoors, and pay for improvements to security and infrastructure to prevent similar attacks from occurring in the future. Staff need to receive additional training, new staff often need to be brought in, and third-parties hired to assist with recovery and security assessments.
Data breach recovery can take time and considerable effort. Additional wages have to be paid to staff assisting in the recovery process, there can be losses due to system downtime, repairing damage to a brand prove costly, credit monitoring and identity theft recovery services may have to be provided to breach victims, insurance premiums rise, credit ratings drop, and there may also be regulatory fines to cover.
The largest component of data breach costs is making emergency improvements to security and infrastructure to prevent further attacks, which is around $193,000 per breach for enterprises, the second biggest cost for enterprises is repairing reputation damage, which causes major increases in insurance costs and can severely damage credit ratings. On average, this costs enterprises $180,000. Providing after-the-event security awareness training to the workforce was the third biggest cost for enterprises at $137,000.
It is a similar story for SMBs who typically pay around $15,000 for each of the above three cost categories. A lack of inhouse expertise means SMBs often have to call in cybersecurity experts to assist with making improvements to security and for forensic analyses to determine how access to data was gained.
Data breaches affecting third-party hosted infrastructure are the costliest for SMBs, followed by attacks on non-computing connected devices, third party cloud services, and targeted attacks. For enterprises, the costliest data breaches are targeted attacks followed by attacks on third-party infrastructure, attacks on non-computing connected devices, third party cloud services, and leaks from internal systems.
The high cost of recovering from a data breach means a successful cyberattack on an SMB could be catastrophic, forcing the company to permanently shut its doors. It is therefore no surprise that businesses are allocating more of their IT budgets to improving their security defenses. Enterprises are now spending an average of $8.9 million on cybersecurity each year, while SMBs spend an average of $246,000. Even though the cost of additional cybersecurity defenses is high, it is still far lower than the cost of recovering from data breaches.
While data breach prevention is a key driver for greater investment in cybersecurity, that is far from the only reason for devoting a higher percentage of IT budgets to security. The main drivers for increasing security spending are the increasing complexity of IT infrastructure (34%), improving the level of security expertise (34%), and management wanting to improve security defenses (29%).
A suspected nation-state sponsored hacking group has succeeded in infecting at least half a million routers with VPNFilter malware.
VPNFilter is a modular malware capable of various functions, including the monitoring of all communications, launching attacks on other devices, theft of credentials and data, and even destroying the router on which the malware has been installed. While most IoT malware infections – including those used to build large botnets for DDoS attacks – are not capable of surviving a reboot, VPNFilter malware can survive such a reset.
The malware can be installed on the type of routers often used by small businesses and consumers such as those manufactured by Netgear, Linksys, TP-Link and MikroTik, as well as network-attached storage (NAS) devices from QNAP, according to security researchers at Cisco Talos who have been monitoring infections over the past few months.
The ultimate aim of the attackers is unknown, although the infected devices could potentially be used for a wide range of malicious activities, including major cyberattacks on critical infrastructure, such as disrupting power grids – as was the case with BlackEnergy malware.
Since it is possible for the malware to disable Internet access, the threat actors behind the campaign could easily prevent large numbers of individuals in a targeted region from going online.
While the malware has been installed on routers around the world – infections have been detected in 54 countries – the majority of infections are in Ukraine. Infections in Ukraine have increased significantly in the past few weeks.
While the investigation into the campaign is ongoing, the decision was taken to go public due to a massive increase in infected devices over the past three weeks, together with the incorporation of advanced capabilities which have made the malware a much more significant threat.
While the researchers have not pointed the finger at Russia, they have identified parts of the code which are identical to that used in BlackEnergy malware, which was used in several attacks in Ukraine. BlackEnergy has been linked to Russia by some security researchers. BlackEnergy malware has been used by other threat actors not believed to be tied to Russia to the presence of the same code in both forms of malware is not concrete proof of any link to Russia.
The FBI has gone a step further by attributing the malware campaign to the hacking group Fancy Bear (APT28/Pawn Storm) which has links to the Russian military intelligence agency GRU. Regardless of any nation-state backing, the sophisticated nature of the malware means it is the work of a particularly advanced hacking group.
Most of the attacked routers are aging devices that have not received firmware updates to correct known flaws and many of the attacked devices have not had default passwords changed, leaving them vulnerable to attack. It is not entirely clear exactly how devices are being infected although the exploitation of known vulnerabilities is most probable, rather than the use of zero-day exploits; however, the latter has not been ruled out.
Some progress has been made disrupting the VPNFilter malware campaign. The FBI has seized and sinkholed a domain used by the malware to communicate with the threat group behind the campaign. Without that domain, the attackers cannot control the infected routers and neither identify new devices that have been infected.
Ensuring a router is updated and has the latest firmware will offer some degree of protection, as will changing default passwords on vulnerable devices. Unfortunately, it is not easy to tell if a vulnerable router has been infected. Performing a factory reset of a vulnerable router is strongly recommended as a precaution.
Rebooting the device will not eradicate the malware, but it will succeed in removing some of the additional code downloaded to the device. However, those additional malware components could be reinstalled once contact is re-established with the device.
Ransomware attacks on businesses appear to be declining. In 2017 and 2018 there has been a marked decrease in the number of attacks. While this is certainly good news, it is currently unclear whether the fall in attacks is just a temporary blip or if the trend will continue.
Ransomware attacks may have declined, but there has been a rise in the use of cryptocurrency mining malware, with cybercriminals taking advantage in the high price of cryptocurrencies to hijack computers and turn them into cryptocurrency-mining slaves. These attacks are not as devastating or costly as ransomware attacks, although they can still take their toll, slowing down endpoints which naturally has an impact on productivity.
While ransomware attacks are now occurring at a fraction of the level of 2016 – SonicWall’s figures suggest there were 184 million attacks in 2017 compared to 638 million in 2016 – the risk of an attack is still significant.
Small players are still taking advantage of ransomware-as-a-service – available through darknet forums and marketplaces – to conduct attacks and organized cybercriminal gangs are conducting targeted attacks. In the case of the latter, victims are being selected based on their ability to pay and the likelihood of a payment being made.
These targeted attacks have primarily been conducted on organizations in the healthcare industry, educational institutions, municipalities and the government. Municipalities are targeted because massive disruption can be caused, and attacks are relatively easy to pull off. Municipalities typically do not have the budgets to devote to cybersecurity.
Attacks in healthcare and education industries are made easier by the continued use of legacy software and operating systems and highly complex networks that are difficult to secure. Add to that the reliance on access to data and not only are attacks relatively easy, there is a higher than average chance of a ransom being paid.
In the past, the aim of ransomware gangs was to infect as many users as possible. Now, targeted attacks are conducted with the aim of infecting as many end points as possible within an organization. The more systems and computers that are taken out of action, the greater the disruption and cost of mitigating the attack without paying the ransom.
Most organizations, government agencies, municipalities, have sound backup policies and can recover all data encrypted by ransomware without paying the ransom. However, the time taken to recover files from backups and restore systems – and the cost of doing so – makes payment of the ransom preferable.
The attack on the City of Atlanta shows just how expensive recovery can be. The cost of restoring systems and mitigating the attack was at least $2.6 million – The ransom demand was in the region of $50,000. It is therefore no surprise that so many victims have chosen to pay up.
Even though the ransom payment is relatively low compared to the cost of recovery, it is still far more expensive than the cost of implementing security solutions to prevent attacks.
There is no single solution that can block ransomware and malware attacks. Multi-layered defenses must be installed to protect the entire attack surface. Most organizations have implemented anti-spam solutions to reduce the risk of email-based attacks, and security awareness training is helping to eliminate risky behaviors and teach security best practices, but vulnerabilities still remain with DNS security often lacking.
Vulnerabilities in DNS are being abused to install ransomware and other malware variants and hide communications with command and control servers and call home addresses. Implementing a DNS-based web filtering solution offers protection against phishing, ransomware and malware by preventing users from visiting malicious websites where malware and ransomware is downloaded and blocking C2 server communications. DNS-based web filters also provide protection against the growing threat from cryptocurrency mining malware.
To mount an effective defense against phishing, malware and ransomware attacks, traditional cybersecurity defenses such as ant-virus software, spam filters, and firewalls should be augmented with web filtering to provide security at the DNS layer. To find out more about how DNS layer security can improve your security posture, contact TitanHQ today and ask about WebTitan.
Another school district has fallen victim to a ransomware attack, which has seen files encrypted and systems taken out of action for two weeks. The Leominster school district ransomware attack saw a ransom demand of approximately $10,000 in Bitcoin was issued for the keys to unlock the encrypted files, which includes the school’s entire student database.
School districts attacked with ransomware often face a difficult decision when ransomware is installed. Attempt to restore systems and recover lost data from backups or pay the ransom demand. The first option is time consuming, costly, and can see systems remain out of action for several days. The second option includes no guarantees that the attackers will make good on their promise and will supply valid keys to unlock the encryption. The keys may not be held, it may not be possible to unlock files, or a further ransom demand could be issued. There have been many examples of all three of those scenarios.
The decision not to pay the ransom demand may be the costlier option. The recent ransomware attack on the City of Atlanta saw a ransom demand issued in the region of $50,000. The cost of recovering from the attack was $2.6 million, although that figure does include the cost of improvements to its security systems to prevent further attacks.
School districts are often targeted by cybercriminals and ransomware offers a quick and easy way to make money. The attackers know all too well that data can most likely be recovered from backups and that the ransom does not need to be paid, but the cost of recovery is considerable. Ransom demands are set accordingly – high enough for the attackers to make a worthwhile amount, but low enough to tempt the victims into paying.
In the case of the Leominster ransomware attack, the second option was chosen and the ransom demand of was paid. That decision was taken after carefully weighing up both options. The risk that no keys would be supplied was accepted. In this case, they were supplied, and efforts are well underway to restore files and implement further protections to ensure similar incidents do not occur in the future.
Even though the ransom was paid, the school district was still without access to its database and some of its computer systems two weeks after the attack. Files were encrypted on April 14, but systems were not brought back online until May 1.
Unfortunately for the Leominster School District, ransom payments are not covered by its cyberinsurance policy, so the payment had to come from its general fund.
There is no simple way to defend against ransomware attacks, as no single cybersecurity solution will prove to be 100% effective at blocking the threat. Multiple attack vectors are used, and it is up to school districts to implement defenses to protect the entire attack surface. The solution is to defend in numbers – use multiple security solutions to create layered defenses.
Some of the most important defenses include:
An advanced firewall to defend the network perimeter
Antivirus and anti-malware solutions on all endpoints/servers
Vulnerability scanning and good patch management policies. All software, systems, websites, applications, and operating systems should be kept up to date with patches applied promptly
An advanced spam filtering solution to prevent malicious emails from being delivered to end users. The solution should block all executable files
Disable RDP if it is not required
Provide security awareness training for employees and teach staff and students the skills to enable them to identify malicious emails and stop risky behaviors
A web filtering solution capable of blocking access to malicious websites
The cost of implementing these solutions is likely to be far lower than the cost of a ransom payment and certainly lower than the cost of mitigating a ransomware attack.
The cost of the Equifax data breach has risen to more than $242 million, and that figure will continue to rise and could even double.
According to the Equifax financial report for the first quarter of 2018, the total spent on mitigation and preventative measures to avoid a further security breach is now $242.7 million.
The breach, which was made public in September 2017, affected 147.9 million customers, making it one of the largest data breaches ever discovered and certainly one of the most serious considering the types of data involved. Yahoo may have experienced much larger breaches, but the data exposed in those incidents was far less sensitive.
Fortunately for Equifax, it holds a sizable insurance policy against cybersecurity incidents. The policy will cover up to $125 million of the cost, minus a $7.5 million deductible. That insurance policy has already paid out $60 million, with $10 million in payments received in the first quarter of 2018.
The breakdown of cost of the Equifax data breach so far for Q1, 2018 is:
$45.7 million on IT security
$28.9 million on legal fees and investigation of the breach
$4.1 million on product liability
$10 million has been recovered from an insurance payout.
The net expenses from the breach in the first quarter of 2018 was $68.7 million. That is on top of the $114 million spent in the final quarter of 2017, which is broken down as $64.6 million on product costs and customer support, $99.4 million on professional fees, minus $50 million that was paid by its insurance carrier. The net spend so far for Q4, 2017 and Q1, 2018 is $140.5 million, although Equifax reports that the total costs related to the cybersecurity incident and incremental IT and data security costs has been $242.7 million.
Equifax has also reported that throughout 2018 and 2019 the firm will be investing heavily in IT and is committed to building an industry-leading data security system, although the firm has not disclosed how much it is expecting to spend, as the company does not have visibility into costs past 2018.
Equifax has predicted that there will be at least a further $275 million in expenses related to the cyberattack which must still be covered, although a further $57.5 million should be covered by its insurance policy.
While considerable costs have been incurred so far, the firm has done little to repair the reputational damage suffered as a result of the breach and has yet to hire many of the new staff it plans to bring in to help with the breach recovery, including a new CTO. The firm has said that it is taking a very aggressive approach in attracting the top talent in both IT and data security.
The high cost of the Equifax data breach to date, and the ongoing costs, is likely to make this the most expensive data breach of all time.
The Atlanta ransomware attack that took IT systems and computers out of action and brought many municipal operations to a grinding halt has proven particularly costly for the city.
On March 22, 2018, ransomware was deployed on its network forcing a shutdown of PCs and systems used by some 8,000 employees. Those employees were forced to work on pen and paper while attempts were made to recover from the attack. With IT systems offline, many municipal services stopped entirely.
The attackers sent a ransom demand for approximately $50,000. By paying the ransom, the city could potentially have been given the keys to unlock the files encrypted by the SamSam ransomware variant used in the attack. However, there are never any guarantees decryption keys will be supplied. Many victims have received further demands for payment after the initial demand was paid, and there have been many cases where the attackers have not made good on their promise and did not supply any valid keys.
It is unclear whether the ransom payment was made, although that appears unlikely. The payment portal used by the attackers went offline shortly after the attack and the cleanup costs following the Atlanta ransomware attack have been considerable. The high cost suggests the city opted to recover its data and restore systems from backups.
In the immediate aftermath of the Atlanta ransomware attack, the city awarded emergency procurements to eight firms to assist with recovery efforts. The total cost of those services was $2,667,328.
The city spent $60,000 on incident response services, $50,000 on crisis communication services, and $60,000 on support staff augmentation. Secureworks was paid $650,000 for emergency incident response services, Two contracts were awarded to assist with its Microsoft cloud and Windows environments, including migrating certain on-premises systems to the cloud. Those two contracts totaled $1,330,000 and a further $600,000 was paid to Ernst & Young for advisory services for cyber incident response. The $2.6 million cost could rise further still.
Paying the threat actors who conducted the Atlanta ransomware attack could well have seen sizable savings made, although it would certainly not have cost $50,000. Some of the costs associated with recovery from the attack have been spent on improving security to prevent further incidents, and certainly to make recovery less costly. Those costs would still have to be recovered even if the ransom was paid.
What is clear however, is that $2.6 million paid on reactive services following a ransomware attack will not give tremendous value for money. Had that amount been spent on preventative measures prior to the attack, the city would have got substantially more value for every buck spent. Some industry experts have estimated the cost of preventative measures rather than reactive measures would have been just 20% of the price that was paid.
The attack revealed the City of Atlanta was unprepared and had failed to implement appropriate defenses. The city was vulnerable to attack due to the failure to apply security best practices, such as closing open ports on its systems and segmenting its network. The vulnerabilities made an attack far to easy. However, it would be unfair to single out the city as many others are in exactly the same position.
This incident should therefore serve as a stern warning to other cities and organizations that the failure to adequately prepare for an attack, implement appropriate defenses, and apply security best practices will likely lead to an incredibly costly attack.
It may be difficult to find the money to spend on ransomware attack prevention measures, but it will be much harder to find five times the cost to implement defenses and respond after an attack has taken place.
What is the future of the system administrator? What can sysadmins expect over the coming months and years and how are their jobs likely to change? Our predictions on what is likely to happen to the role in the foreseeable future.
What Does the Future of the System Administrator Have in Store?
The system administrator is an important role in any organization. Without sysadmins to deal with the day to day IT problems faced by organizations, the business would grind to a halt. Sysadmins also play an essential role in ensuring the security of the network by taking proactive steps to keep systems secure as well as responding to threats before they result in a data breach. With more cyberattacks occurring, increasingly complex IT systems being installed, and the fast pace of technological development, one thing is for sure: The future of the system administrator is likely to continue to involve long hours and hard work.
It is also easy to predict that the future of the system administrator will involve major changes to job descriptions. That has always been the case and never more so than now. There will be a continued need for on the job training and new systems and processes must continue to be learned. Being a System administrator is therefore unlikely to be boring.
According to data from the US Bureau of Labor Statistics, there is likely to be sustained growth in the profession for the next two years. While the forecast was previously 12% growth, this has now been reduced to 6% – similar to other occupations. The increased automation of many sysadmin tasks is partly responsible for this decline in growth, since businesses are likely to need less staff as manual processes are reduced. That said, the figures indicate demand for IT workers will remain high. Even with newer, faster technology being implemented, staff are still required to keep everything running smoothly.
XaaS, the Cloud, Virtualization, and VoIP Use to Grow
Unfortunately, while automation means greater efficiency, it can entail many hidden costs. For a start, with more automation it can become harder to determine the source of a problem when something goes wrong. Increased automation also means the system administrator must become even more knowledgeable. Automation typically involves scripting in various languages, so while you may have been able to get away with knowing Python or Windows PowerShell, you will probably need to become proficient in both, and maybe more.
If you are considering becoming a system administrator, now is the time to learn your first scripting language, as it will make it easier to learn others on the job if you understand the basics. It will also help you to get the job in the first place. The more you know, the better.
Use of the cloud is increasing, especially for backup and archiving, which in turn has reduced the need for server-centered tasks. While there has been a reduction in labor-intensive routine data operations, there has been a rise in the need to become proficient in the use of Application Programming Interfaces (APIs).
While many functions are now being outsourced through XaaS, it is still important to understand those functions. The future of the system administrator is likely to require XaaS to be screened and assessed to make sure those services match the IT needs of the organization. Sales staff will likely say their XaaS meets all business needs. Having an SA that understands the functions, the technology, and the needs of the business will be invaluable for screening out the services that are unsuitable.
To cut costs, many businesses are turning to VoIP. While this does offer considerable cost savings, businesses cannot tolerate less than the 99.999% of uptime offered by phone companies. The future of the system administrator is therefore likely to involve a thorough understanding of the dynamics of network load.
Virtualization has also increased, with a myriad of virtual networks making the SA’s job more complex. That means knowledge of switching and routing will have to improve.
Communication, Collaboration, and Negotiation Skills Required
The SA’s job no longer just involves studying manuals and learning new systems. SAs are now expected to be able to communicate more effectively, understand the business, and collaborate with others. SAs will need strong communication skills, must become excellent collaborators, and also be skilled at negotiation. Fortunately, there are many courses available that can help SAs improve in these areas.
Providing security awareness training for employees helps to eradicate risky behaviors that could potentially lead to a network compromise. Training programs should cover all the major threats faced by your organization, including web-based attacks, phishing emails, malware, and social engineering scams via the telephone, text message, or social media channels.
All too often, businesses concentrate on securing the network perimeter with firewalls, deploying advanced anti-malware solutions, and implementing other technological controls such as spam filters and endpoint protection systems, yet they fail to provide effective security awareness training for employees. Even when security awareness training programs are developed, they are often once-a-year classroom-based training sessions that are forgotten quickly.
If you view security awareness training for employees as a once-a-year checkbox item that needs to be completed to ensure compliance with industry regulations, chances are your training will not have been effective.
The threat landscape is changing rapidly. Cybercriminals often change their tactics and develop new methods to attack organizations. If your security program does not incorporate these new methods of attack, and you do not provider refresher security awareness training for employees throughout the year, your employees will be more likely to fall for a scam or engage in actions that threaten the security of your data and the integrity of your network.
Many Businesses Fail to Provide Effective Security Awareness Training for Employees
One recent study has highlighted just own ineffective many security awareness training programs are. Positive Technologies ran a phishing and social engineering study on ten organizations to determine how effective their security awareness programs were and how susceptible employees are to some of the most common email-based scams.
These include emails with potentially malicious attachments, emails with hyperlinks to websites where the employee was required to enter their login credentials, and emails with attachments and links to a website. While none of the emails were malicious in nature, they mirrored real-world attack scenarios.
27% of employees responded to the emails with a link that required them to enter their login credentials, 15% responded to emails with links and attachments, and 7% responded to emails with attachments.
Even a business with 100 employees could see multiple email accounts compromised by a single phishing campaign or have to deal with multiple ransomware downloads. The cost of mitigating real world attacks is considerable. Take the recent City of Atlanta ransomware attack as an example. Resolving the attack has cost the city $2.7 million, according to Channel 2 Action News.
The study revealed a lack of security awareness across each organization. While employees were the biggest threat to network security, accounting for 31% of all individuals who responded to the emails, 25% were team supervisors who would have elevated privileges. 19% were accountants, administrative workers, or finance department employees, whose computers and login credentials would be considerably more valuable to attackers. Department managers accounted for 13% of the responders.
Even the IT department was not immune. While there may not have been a lack of security awareness, 9% of responders were in IT and 3% were in information security.
The study highlights just how important it is not only to provide security awareness training for employees, but to test the effectiveness of training and ensure training is continuous, not just a once a year session to ensure compliance.
Tips for Developing Effective Employee Security Awareness Training Programs
Employee security awareness training programs can reduce susceptibility to phishing attacks and other email and web-based threats. If you want to improve your security posture, consider the following when developing security awareness training for employees:
Create a benchmark against which the effectiveness of your training can be measured. Conduct phishing simulations and determine the overall level of susceptibility and which departments are most at risk
Offer a classroom-style training session once a year in which the importance of security awareness is explained and the threats that employees should be aware of are covered
Use computer-based training sessions throughout the year and ensure all employees complete the training session. Everyone with access to email or the network should receive general training, with job and department-specific training sessions provided to tackle specific threats
Training should be followed by further phishing and social engineering simulations to determine the effectiveness of training. A phishing simulation failure should be turned into a training opportunity. If employees continue to fail, re-evaluate the style of training provided
Use different training methods to help with knowledge retention
Keep security fresh in the mind with newsletters, posters, quizzes, and games
Implement a one-click reporting system that allows employees to report potentially suspicious emails to their security teams, who can quickly take action to remove all instances of the email from company inboxes
The SamSam ransomware attacks are continuing and the threat actors behind the campaign are showing no sign of stopping. So far in 2018 there have been at least 10 attacks in the United States, although many more may have gone unreported. Most of the known attacks have hit government agencies, municipalities, and healthcare organizations – all of whom are required to disclose attacks.
The attacks have caused massive disruption, taking computers, servers, and information systems out of action for several days to several weeks. Faced with the prospect of continued disruption to essential business processes, some organizations have chosen to pay the ransom – a risky strategy since there is no guarantee that the keys to unlock the encryption will work or even be supplied.
Others have refused to be extorted, often at great cost. One U.S. healthcare provider, Erie County Medical Center, took six weeks to fully recover from the attack. Mitigating the attack has cost several million dollars.
Multiple SamSam ransomware attacks are possible as the Colorado Department of Transportation discovered. After recovering from an attack in February, a second attack occurred in March.
It is not only financial harm that is caused by the attacks. Another hospital was attacked, and its outpatient clinic and three physician hospitals were unable to view histories or schedule appointments. The ransomware attack on the electronic medical record provider AllScripts saw its EMR systems taken out of action for several days. During that time, around 1,500 medical centers were unable to access patient health records resulting in many cancellations of non-critical medical appointments.
The March SamSam ransomware attack on the City of Atlanta brought many government services to a grinding halt. The extensive attack forced the shutdown of many systems, many of which remained inaccessible for six days. Bills and parking tickets couldn’t be paid and court proceedings had to be cancelled. The huge backlog of work continued to cause delays when systems were restored.
While the SamSam ransomware attacks have been concentrated on just a few industry sectors, the attacks are not necessarily targeted. What the victims have in common is they have been found to have easily exploitable vulnerabilities on public facing servers. They were attacked because mistakes had been made, vulnerabilities had not been patched promptly, and weak passwords had been set.
The threat actors behind the latest SamSam ransomware attacks have not been confirmed, although researchers at Secureworks believe the attacks are being conducted by the Gold LOWELL threat group. It is not known whether they are a defined group or a network of closely affiliated threat actors. What is known, whether it is GOLD LOWELL or other group, is they are largely staying under the radar.
What is more certain is the SamSam ransomware attacks will continue. In the first four weeks of January, the Bitcoin wallet used by the attackers showed $325,000 of ransom payments had been paid. The total in April is likely to be substantially higher. Hancock Health, one of two Indiana hospitals attacked this year, has confirmed that it paid a ransom demand of approximately $55,000 for the keys to unlock the encryption. As long as the attacks remain profitable and the threat actors can stay under the radar, there is no incentive to stop.
In contrast to many threat actors that use phishing emails and spam messages to deliver ransomware downloaders, this group exploits vulnerabilities on public-facing servers. Access is gained to the network, the attackers spend time navigating the network and moving laterally, before the ransomware payload is finally deployed. Detecting network intrusions quickly may prevent file encryption, or at least limit the damage caused.
The ongoing campaign has now prompted the U.S. Department of Health and Human Services’ Healthcare Cybersecurity Integration and Communications Center (HCCIC) to issue a warning to healthcare organizations about the continued threat of attacks. Healthcare organizations should heed the advice of the HCCIC and not only implement defences to block attacks but also to prepare for the worst. If contingency plans are made and incident response procedures are developed in advance, disruption and cost will be kept to a minimum.
That advice from the HCCIC to prevent SamSam ransomware attacks is:
Conduct vulnerability scans and risk assessments to identify potential vulnerabilities
Ensure those vulnerabilities are remediated
Ensure patches are applied promptly
Use strong usernames and passwords and two-factor authentication
Limit the number of users who can login to remote desktop solutions
Restrict access to RDP behind firewalls and use a VPN or RDP gateway
Use rate limiting to stop brute force attacks
Ensure backups are made for all data to allow recovery without paying the ransom and make sure those backups are secured
Develop a contingency plan to ensure that the business can continue to function while the attack is mitigated
Develop procedures that can easily be followed in the event of a ransomware attack
Implement defenses capable of detecting attacks quickly when they occur
Conduct annual penetration tests to identify vulnerabilities and ensure those vulnerabilities are rapidly addressed
Several new AutoHotKey malware variants have been discovered in recent weeks as threat actors turn to the scripting language to quickly develop new malware variants. The latest discovery – Fauxpersky malware – is very efficient at stealing passwords.
AutoHotKey is a popular open-source scripting language. AutoHotKey make it easy to create scripts to automate and schedule tasks, even inside third-party software. It is possible to use AutoHotKey to interact with the local file system and the syntax is simple, making it straightforward to use, even without much technical knowledge. AutoHotKey allows scripts to be compiled into an executable file that can be easily run on a system.
The usefulness of AutoHotKey has not been lost on malware developers, and AutoHotKey malware is now used for keylogging and to install other malware variants such as cryptocurrency miners, the first of the latter was discovered in February 2018.
Several other AutoHotKey malware variants have since been discovered with the latest known as Fauxpersky, so named because it masquerades as Kaspersky antivirus.
Fauxpersky malware lacks sophistication, but it can be considered a significant threat – One that has potential to cause considerable harm. If undetected, it allows the attackers to steal passwords that can be used for highly damaging attacks and give the attackers a foothold in the network.
Fauxpersky malware was discovered by security researchers Amit Serper and Chris Black. The researchers explained in a recent blog post that the malware may not be particularly advanced and stealthy, but it is a threat and could allow the authors to steal passwords to gain access to data.
Fauxpersky infects USB drives which are used to spread the malware between devices. The malware can also replicate across the system’s listed drives. Communication with the attackers is via a Google Form, that is used to send stolen passwords and keystroke lists to the attackers’ inbox. Since the transmission is encrypted, it doesn’t appear to be data exfiltration by traffic monitoring systems.
Once installed it renames the drive and appends “Protected y Kaspersky Internet Security 2017” to the drive name. The malware records all keystrokes made on a system and also adds context to help the attackers determine what the user is doing. The name of the window where the text is being typed is added to the text file.
Once the list of keystrokes has been sent, it is deleted from the hard drive to prevent detection. The researchers reported the new threat to Google which rapidly took down the malicious form although others may well be created to take its place.
AutoHotKey Malware Likely to become More Sophisticated
AutoHotKey malware is unlikely to replace more powerful scripting languages such as PowerShell, although the rise in use of AHK and the number of new variants detected in recent weeks suggest it will not be dropped any time soon. AHK malware has now been discovered with several obfuscation functions to make it harder to detect, and many AV vendors have yet to implement the capability to detect this type of malware. In the short to medium term, we are likely to see an explosion of AHK malware variants, especially keyloggers designed to steal passwords.
A disaster recovery plan will help to ensure your business continues to function when disaster strikes, and you can recover as quickly as possible. Developing a disaster recovery plan in advance is essential as it will allow you to prevent many lost hours in the early stages of an attack when rapid action is critical.
When Disaster Strikes You Must be Ready for Action
When disaster strikes, you need to act fast to get your systems back online and return to normal business operations. One of the biggest problems for many organizations, is the amount of time that is lost immediately after a cyberattack is discovered. When staff are scrambling around not knowing what to do, precious minutes, hours, and even days can be lost.
The first few hours after a cyberattack can be critical. The time it takes to respond can have a significant impact on the cost of mitigating the attack and the harm caused. In the case of ransomware, that could be movement within your network, with one infected endpoint becoming two, then 4, then 8 and so on until files on your entire network are encrypted. Each lost minute can mean hours of extra work and major productivity losses.
The only way to ensure the fastest possible response is to be prepared for the unexpected. That means you must have a disaster recovery plan formulated that is easily accessible and can be followed by all staff involved in the breach response. Staff not responsible for recovery must be aware how they must operate in the absence of computers and critical systems to ensure the business does not grind to a halt.
Developing a Disaster Recovery Plan
There are many potential disaster scenarios. Natural disasters such as earthquakes, floods, tornados can cause major disruption, as can terrorist attacks and sabotage. The most likely disaster scenario in the current climate is a cyberattack.
All of these disaster scenarios threaten your systems and business data, so your disaster recovery plan must ensure your systems are protected and the confidentiality, integrity, and availability of data is safeguarded while you respond.
While the threat may be similar for all scenarios, priorities will be different for each situation and the order of actions and the actions themselves will be specific to different threats. It is therefore essential to plan for each of the likely disasters and to develop procedures for each. For example, your plan should cover a cyberattack affecting each specific location that you operate, and a separate plan developed for a ransomware attack, malware infection, and system outage.
Assess Business Impact and Set Priorities
A cyberattack could take out multiple systems which will all need to be restored and brought back online. That process could take days or weeks, but some systems must take priority over others. After your disaster recovery policy has been developed, you must set priorities. To effectively prioritize you will need to perform a business impact analysis on all systems. You should conduct a BIA to determine the possible financial, safety, contractual, reputational, and regulatory impact of any disaster and assess the impact on confidentiality, integrity, and availability of data. When the BIA has been completed, it should make it clear what the priorities are for recovery.
Everyone Must Know Their Role
When disaster strikes, everyone in the IT department must be aware of their responsibilities. You must know who will need to be called in when the attack occurs outside office hours, which means you must maintain up to date contact information such as phone numbers, addresses, and email addresses. You will also need to have a list of contractors and cybersecurity firms that can assist. You must know which law enforcement agencies to contact and any regulators or authorities that should be notified. All employees within the organization must be aware how their day-to-day activities will change and the role they will play, and what you will say to your customers, clients, and business associates.
Testing, Testing, Testing
You will naturally have developed a disaster recovery plan and emergency mode operations plan, but those plans rarely need to be put into action. You therefore need to be 100% sure that your disaster recovery plan developed a couple of years previously will work as planned. That is unlikely unless it is thoroughly tested and is regularly updated to take hardware, software, and business changes into account.
Your disaster recovery plan must be tested to make sure that it will work in practice. That means testing individual aspects against specific scenarios and also running through a full test – like a fire drill – to make sure that the whole plan works.
Don’t wait until disaster strikes before developing a disaster recovery plan and don’t wait for a disaster to find out all of your planning has been in vain as system changes have rendered the plan unworkable.
A city of Atlanta ransomware attack has been causing havoc for city officials and Atlanta residents alike. Computer systems have been taken out of action for several days, with city workers forced to work on pen and paper. Many government services have ground to a halt as a result of the attack.
The attack, like many that have been conducted on the healthcare industry, involved a variant of ransomware known as SamSam.
The criminal group behind the attack is well known for conducting attacks on major targets. SamSam ransomware campaigns have been conducted on large healthcare providers, major educational institutions, and government organizations.
Large targets are chosen and targeted as they have deep pockets and it is believed the massive disruption caused by the attacks will see the victims pay the ransom. Those ransom payments are considerable. Demands of $50,000 or more are the norm for this group. The City of Atlanta ransomware attack saw a ransom demand issued for 6 Bitcoin – Approximately $51,000. In exchange for that sum, the gang behind the attack has offered the keys to unlock the encryption.
SamSam ransomware attacks in 2018 include the cyberattack on the electronic health record system provider Allscripts. The Allscripts ransomware attack saw its systems crippled, with many of its online services taken out of action for several days preventing some healthcare organizations from accessing health records. The Colorado Department of Transportation was also attacked with SamSam ransomware.
SamSam ransomware was also used in an attack on Adams Memorial Hospital and Hancock Health Hospital in Indiana, although a different variant of the ransomware was used in those attacks.
A copy of the ransom note from the city of Atlanta ransomware attack was shared with the media which shows the same Bitcoin wallet was used as other major attacks, tying this attack to the same group.
SecureWorks, the cybersecurity firm called in to help the City of Atlanta recover from the attack, has been tracking the SamSam ransomware campaigns over the past few months and attributes the attacks to a cybercriminal group known as GOLD LOWELL, which has been using ransomware in attacks since 2015.
While many ransomware attacks occur via spam email with downloaders sent as attachments, the GOLD LOWELL group is known for leveraging vulnerabilities in software to install ransomware. The gang has exploited vulnerabilities in JBoss in past attacks on healthcare organizations and the education sector. Flaws in VPNs and remote desktop protocol are also exploited.
The ransomware is typically deployed after access to a network has been gained. SecureWorks tracked one campaign in late 2017 and early 2018 that netted the gang $350,000 in ransom payments. The earnings for the group have now been estimated to be in the region of $850,000.
Payment of the ransom is never wise, as this encourages further attacks, although many organizations have no choice. For some, it is not a case of not having backups. Backups of all data are made, but the time taken to restore files across multiple servers and end points is considerable. The disruption caused while that process takes place and the losses suffered as a result are often far higher than any ransom payment. A decision is therefore made to pay the ransom and recover from the attack more quickly. However, the GOLD LOWELL gang has been known to ask for additional payments when the ransom has been paid.
The city of Atlanta ransomware attack commenced on Thursday March 22, and with the gang typically giving victims 7 days to make the payment. The city of Atlanta only has until today to make that decision before the keys to unlock the encryption are permanently deleted.
However, yesterday there were signs that certain systems had been restored and the ransomware had been eradicated. City employees were advised that they could turn their computers back on, although not all systems had been restored and disruptions are expected to continue.
As of today, no statement has been released about whether the ransom was paid or if files were recovered from backups.
How to Defend Against Ransomware Attacks
The city of Atlanta ransomware attack most likely involved the exploitation of a software vulnerability; however, most ransomware attacks occur as a result of employees opening malicious email attachments or visiting hyperlinks sent in spam emails.
Last year, 64% of all malicious emails involved ransomware. An advanced spam filter such as SpamTitan is therefore essential to prevent attacks. End users must also be trained how to recognize malicious emails and instructed never to open email attachments or click on links from unknown senders.
Software must be kept up to date with patches applied promptly. Vulnerability scans should be conducted, and any issues addressed promptly. All unused ports should be closed, RDP and SMBv1 disabled if not required, privileged access management solutions deployed, and sound backup strategies implemented.
2017 ransomware statistics do not make for pleasant reading. Ransomware attacks continued to increase, the cost of mitigating attacks rose, and the number of ransomware variants in use has soared. Further, there are no signs that the attacks will stop and mounting evidence that the ransomware epidemic will get worse in 2018.
Key 2017 Ransomware Statistics
We have compiled some of the important 2017 ransomware statistics from research conducted by a range of firms over the past few months.
Kaspersky Lab’s research suggests ransomware attacks on businesses were happening every 2 minutes in Q1, 2017, but by Q3 attacks were far more frequent, occurring approximately every 40 seconds. Cybersecurity Ventures predicts the frequency of attacks will increase and by 2019 there will be an attack occurring every 14 seconds.
Cybersecurity Ventures also predicts ransomware will continue to be a major problem for businesses throughout 2018 and 2019, with the total cost of ransomware attacks expected to reach $11.5 billion by 2019.
The healthcare industry is likely to be heavily targeted due to the relative ease of conducting attacks and the likelihood of a ransom being paid. Cybersecurity Ventures predicts there will be a fourfold increase in ransomware attacks on healthcare organizations by 2019.
While research from IBM in 2016 suggested 70% of businesses pay ransom demands to recover data, in 2017 the percentage dropped considerably. Far fewer firms are now considering paying ransoms to recover data.
Symantec’s 2017 Internet Security Threat Report indicates ransom demands increased by 266% between 2015 and 2017.
There is considerable variation in published 2017 ransomware statistics. Malwarebytes reports there was a 90% increase in ransomware attacks in 2017. Beazley reports the increase was 18% and the healthcare sector accounted for 45% of those attacks. A recent McAfee Report puts the rise in ransomware attacks at 59% for the year, with a 35% quarter-over-quarter increase in attacks in Q4.
Microsoft’s Security Intelligence Report indicates Asia had the highest number of ransomware attacks in 2017, with Myanmar and Bangladesh the worst hit countries. Mobile devices that were the worst hit, with the most frequently encountered ransomware variant being LockScreen – an Android ransomware variant.
55% of Firms Experienced A Ransomware Attack in 2017
The research and marketing consultancy firm CyberEdge Group conducted a study that showed 55% of surveyed organizations had experienced at least one ransomware attack in 2017. Out of the organizations that had data encrypted by ransomware, 61% did not pay the ransom.
87% of firms that experienced an attack were able to recover the encrypted data from backups. However, 13% of attacked firms lost data due to the inability to recover files from backups.
Organizations that are prepared to pay a ransom are not guaranteed viable keys to recover their encrypted files. The CyberEdge survey revealed approximately half of companies that decided to pay the ransom were unable to recover their data.
FedEx reported in 2017 that the NotPetya attack cost the firm an estimated $300 million, the same figure quoted by shipping firm Maersk and pharma company Merck. Publishing firm WPP said its NotPetya attack cost around $15 million.
Strategies are being developed by businesses to respond to ransomware attacks quickly. Some companies, especially in the UK, have bought Bitcoin to allow fast recovery. However, those that have may find their stash doesn’t go as far as it was first thought thanks to the decline in value of the cryptocurrency. Further, many cybercriminals have switched to other forms of cryptocurrency and are no longer accepting Bitcoin. A third of mid-sized companies in the UK have purchased Bitcoin for ransoms according to Exeltex Consulting Group.