Network Security

Confirmation Threat Actors Are Using GenAI Tools for Malware Development

by G Hunt | October 20, 2024 | Network Security

Generative Artificial Intelligence (GenAI) has many benefits for businesses, including streamlining customer support, generating content, and improving productivity and there are many uses in cybersecurity, especially with the analysis of data to provide actional insights. One of the problems, however, is that the capabilities of GenAI for improving cybersecurity can also be leveraged by cybercriminals for malicious purposes.

GenAI tools have guardrails in place to prevent them from being used for malicious purposes. For instance, if you want to use ChatGPT to write a phishing email, it is not possible to ask that directly, as the request will be blocked. That does not mean that it will not write the email, only that you would need to be more subtle. There are, however, other tools that lack the guardrails and have been specifically created to be used for malicious purposes.

It is clear that cybercriminals have been using GenAI for phishing and social engineering to create grammatically perfect phishing emails even when the phisher does not know a language, and the same applies to the landing pages used for phishing. GenAI has been shown to be capable of coming up with new social engineering techniques to trick employees into disclosing their credentials or installing malware. GenAI tools can also be leveraged for malware development, either by writing new malware code from scratch or checking code for errors.

There is growing evidence that GenAI is now being used to write malicious code. This spring, evidence was uncovered that the developer and operator of the DanaBot banking trojan, Skully Spider, had used an artificial intelligence tool to create a Powershell script for loading the Rhadamanthys stealer into the memory. The researchers found that each component of the script included grammatically perfect comments explaining the function of each component. That suggested that either a GenAI tool was used to create the malware or was at least used to check the code and add comments on each function.

One of the most popular GenAI tools is ChatGPT, a tool with extensive guardrails to prevent malicious uses; however, OpenAI, the company behind ChatGPT, confirmed that its platform has been used for malicious purposes, albeit on a small scale. According to the OpenAI report, the company has disrupted more than 20 attempts to use ChatGPTfor the development and debugging of malware, creating spear phishing content, conducting research and reconnaissance, identifying vulnerabilities, researching social engineering themes, enhancing their scripting techniques, and hiding malicious code.

Malware was created by one threat actor with assistance provided by ChatGPT that allowed them to identify the user’s exact location, steal information such as call logs, contact lists, and browser histories, capture screenshots, and obtain files stored on the device. While a certain level of skill is required to abuse these tools for malware creation and other malicious purposes, they can be used to improve efficiency and could be used by relatively low-skilled threat actors to conduct more attacks and improve their effectiveness.

Cybercriminals are using AI for malicious purposes, but network defenders can also harness the power of these tools for defensive purposes. AI-augmented cybersecurity solutions such as spam filtering services are more effective at identifying AI-generated phishing and social engineering attempts and can respond to new threats and triage attacks in real time. Advanced machine learning is used in SpamTitan’s email sandbox for detecting zero-day malware threats that evade standard email security solutions. AI tools can summarize and analyze threat intelligence data, identify trends, and provide actionable insights, including analyzing network traffic logs, system logs, and user behavior to find anomalies.

With growing evidence of cybercriminals’ use of these tools, businesses need to ensure that their cybersecurity solutions also incorporate AI and machine learning capabilities to combat AI-augmented threats.

Ransomware Attacks Often Start with Malware Infections or Phishing Attacks

by G Hunt | September 15, 2024 | Network Security

Ransomware attacks can cause an incredible amount of damage to an organization’s reputation as well as huge financial losses from the downtime they cause. Recovery from an attack, regardless of whether the ransom is paid, can take weeks and the theft and publication of sensitive data on the dark web can prompt customers to leave in their droves. Attacks are still being conducted in high numbers, especially in the United States and the United Kingdom. One recent survey indicates that 90% of businesses in those countries have experienced at least one attack in the past 12 months, with three-quarters of organizations suffering more than one attack in the past year.

The healthcare sector is often attacked as defenses are perceived to be weak and sensitive data can be easily stolen, increasing the chance of the ransom being paid. The Inc Ransom group has been targeting the healthcare sector and conducted an attack on an NHS Trust in Scotland earlier this year, stealing 3 TB of sensitive data and subsequently publishing that data on the dark web when the ransom wasn’t paid.

The Inc Ransom group also conducted an attack on a Michigan healthcare provider, preventing access to its electronic medical record system for 3 weeks in August. A group called Qilin attacked an NHS pathology provider, Synnovis, in June 2024 which had a huge impact on patient services, causing a shortage of blood in London hospitals that caused many surgeries to be postponed. Education is another commonly attacked sector. The Billericay School in Essex had its IT system encrypted, forcing the school to temporarily close. In all of these attacks, highly sensitive data was stolen and held to ransom. The public sector, healthcare, and schools are attractive targets due to the value of the sensitive data they hold, and attacks on businesses cause incredibly costly downtime, both of which can force victims into paying ransoms. What is clear from the reporting of attacks is no sector is immune.

There is increasing evidence that ransomware groups are relying on malware for initial access. Microsoft recently reported that a threat actor tracked as Vanilla Tempest (aka Vice Society) that targets the healthcare and education sectors has started using Inc ransomware in its attacks and uses the Gootloader malware downloader for initial access. A threat actor tracked as Storm-0494 is responsible for the Gootloader infections and sells access to the ransomware group. Infostealer malware is also commonly used in attack chains. The malware is installed by threat groups that act as initial access brokers, allowing them to steal credentials to gain access to networks and then sell that access to ransomware groups. Phishing is also commonly used for initial access and is one of the main initial access vectors in ransomware attacks, providing access in around one-quarter of attacks.

Infostealer malware is often able to evade antivirus solutions and is either delivered via malicious websites, drive-by malware downloads, or phishing emails. Gootloader infections primarily occur via malicious websites, with malvertising used to direct users to malicious sites where they are tricked into downloading and installing malware. Credentials are commonly compromised in phishing attacks, with employees tricked into disclosing their passwords by impersonating trusted individuals and companies.

Advanced cybersecurity defenses are needed to combat these damaging cyberattacks. In addition to traditional antivirus software, businesses need to implement defenses capable of identifying the novel malware threats that antivirus software is unable to detect. One of the best defenses is an email sandbox, where emails are sent for behavioral analysis. In the sandbox – an isolated, safe environment – file attachments are executed, and their behavior is analyzed, rather than relying on malware signatures for detection, and links are followed to identify malicious content.

DNS filters are valuable tools for blocking web-based delivery of malware. They can be used to control access to the Internet, prevent malvertising redirects to malicious websites, block downloads of dangerous file types from the Internet, and access to known malicious URLs. Employees are tricked into taking actions that provide attackers with access to their networks, by installing malware or disclosing their credentials in phishing attacks, so regular security awareness training is important along with tests of knowledge using phishing simulations.

There is unfortunately no silver bullet when it comes to stopping ransomware attacks; however, that does not mean protecting against ransomware attacks is difficult for businesses. TitanHQ offers a suite of easy-to-use cybersecurity solutions that provide cutting-edge protection against ransomware attacks. TitanHQ’s award-winning products combine advanced detection such as email sandboxing, AI and machine-learning-based detection, and are fed threat intelligence from a massive global network of endpoints to ensure businesses are well protected from the full range of threats.

Give the TitanHQ team a call today and have a chat about improving your defenses with advanced anti-spam software, anti-phishing protection, DNS filtering, and security awareness training solutions and put the solutions to the test on a free trial to see for yourself the difference they make.

Training, Automation, AI, and Machine Learning Key to Reducing Data Breach Costs

by G Hunt | July 31, 2024 | Network Security

Each year, IBM conducts a study of data breaches to determine how much these incidents are costing businesses, the main factors that contribute to that cost, and how attackers are gaining access to their victims’ networks. Aside from 2020, data breach costs have continued to increase annually, and this year is no exception. The average cost of a data breach has risen from $3.86 million in 2018 to $4.88 million in 2024 and has increased by 10% since last year. The highest costs were incurred at critical infrastructure entities, especially healthcare organizations. Breaches at the latter were the costliest at an average of $9.77 million per incident.

The report is based on 3,556 interviews with individuals at 604 organizations who had knowledge about data breaches at their respective organizations. The data breaches included in the report involved between 2,100 and 113,000 compromised records and occurred between March 2023 and February 2024. The calculations include direct costs such as the breach response, ransom paid, forensic analysis, and regulatory fines, as well as indirect expenses such as in-house investigations, loss of business, and loss of customers.

This year’s Cost of a Data Breach Report revealed the high cost of breaches stemming from phishing, business email compromise, social engineering, and stolen credentials, which are the costliest incidents to resolve. Breaches stemming from stolen credentials and phishing were the costliest root cause, as was the case in 2023. Compromised credentials were the leading attack vector and were behind 16% of breaches, with phishing the next most common behind 15% of breaches. In terms of cost, phishing attacks cost an average of $4.88 million and compromised credentials cost $4.81 million. Business email compromise attacks were also costly at an average of $4.88 million with social engineering incidents costing an average of $4.77 million.

The report dives into the factors that contribute to the cost of a breach and the main areas where businesses have been able to reduce costs. The main factors that contributed to the cost of a breach were security system complexity, a security skills shortage, and third-party breaches, which are difficult things to address. Businesses have been able to reduce breach costs by implementing a number of measures, and the two biggest factors were employee training and AI/machine learning insights, with one constant identified being the use of AI and automation in security.

Employee training was determined to reduce the average breach cost by $258,629, with the most important aspect of training related to detecting and stopping phishing attacks. If a business is targeted in a phishing campaign, it may not be possible to prevent all employees from being fooled by the campaign, but through regular training and phishing simulations, the severity of the incident can be greatly reduced. For instance, a recent phishing attack on a U.S. healthcare organization resulted in more than 50 email accounts being compromised.  More effective training could have prevented many of those employees from being tricked, greatly reducing the severity of the attack and the cost of remediation.

AI and machine learning insights were determined to reduce the average breach cost by $258,538, a close second in terms of cost reduction. Cybercriminals are leveraging AI in their attacks, especially for phishing and social engineering attacks. Network defenders need to leverage AI and machine learning tools to help them defend against these attacks and identify phishing, social engineering, and BEC threats, which are becoming much harder for humans to spot. Automation is key, especially due to the cybersecurity skills shortage – one of the leading factors that increases breach costs. Network defenders are overworked, and automation is key to reducing their workload, especially since it is difficult to find and retain skilled cybersecurity staff.

At TitanHQ, we understand the importance of staff training, and the benefits of AI, machine learning, and automation and offer businesses an easy way to implement these and better protect themselves from cyberattacks, remediate incidents quickly and efficiently, and ensure that their workforce is well trained and aware of cyber threats and how to avoid them. Security awareness training is provided through the SafeTitan platform, which includes an extensive library of engaging training content to teach security best practices, raise awareness of cyber threats, and teach employees how to recognize and avoid threats including phishing, social engineering, and business email compromise.

The content is constantly refreshed to account for changing work practices, technology, and the latest tactics, techniques, and procedures being used by cybercriminals. The phishing simulator includes hundreds of templates taken from real-world phishing attempts to reinforce training and identify employees who fall for phishing attempts. It is quick and easy to create training courses and phishing simulations, and importantly, to automate them to run continuously throughout the year. The platform also automatically delivers training modules to employees in response to mistakes such as phishing simulation failures, to ensure training is delivered in real-time when it is needed the most and likely to have the greatest impact.

TitanHQ offers two cutting-edge products to protect against email-based attacks, especially phishing and social engineering attempts. SpamTitan is a cloud-based anti-spam service (or can be provided as a gateway spam filter) that incorporates exceptional malware protection, email sandboxing, AI, and machine learning algorithms to identify and quarantine sophisticated threats, including novel threats that have not been seen before. In recent independent tests, the machine learning algorithms and other threat detection features achieved a detection rate of over 99.99%.

PhishTitan incorporates the same AI and machine learning capabilities to identify and block more threats in Office 365 environments. PhishTitan layers extra protection on top of Microsoft 365’s EOP and Defender provides best-in-class phishing protection. PhishTitan is also a remediation solution for automating the response to phishing threats to reduce the burden on IT staff, including instant inbox threat removal of emails containing malicious URLs and tenant-wide remediation with robust cross-tenant features for detection and response.

With these solutions, businesses can improve protection, prevent data breaches, and greatly reduce costs while easing the burden on their IT staff. They are also easy to implement and use, as we understand that IT staff don’t need any more management headaches. For more information, give the TitanHQ team a call to discuss your requirements, find out more about the products, and arrange a product demonstration. All three products are also available in a free trial to allow you to put them to the test and see the difference they make.

Warning About Phobos Ransomware

by G Hunt | February 29, 2024 | Network Security

Phobos ransomware may not be the most prolific ransomware group, but the group poses a significant threat, especially to municipal and county governments, emergency services, education, and healthcare organizations. The group issues ransom demands for millions of dollars and the group’s attacks have caused hundreds of millions of dollars in losses. Phobos is a ransomware-as-a-service operation where the infrastructure to conduct attacks and encrypt files is provided to affiliates – individuals who specialize in breaching company networks – in exchange for a percentage of any ransom payments they can generate. The affiliates benefit from being able to concentrate on what they do best, and the ransomware group makes up for the loss of a percentage of the ransom by conducting many more attacks than would be possible on their own.

The group engages in double extortion tactics involving data theft and file encryption. Threats are issued to publicly leak stolen data on the group’s data leak site and payment is required for the keys to decrypt data and prevent data exposure. Several ransomware variants are connected to Phobos based on the tactics, techniques, and procedures (TTPs) used in attacks, including Elking, Eight, Devos, Faust, and Backmydata ransomware. The latter variant was recently used in an attack in Romania that affected around 100 hospitals.

Affiliates use several methods to gain initial access to victims’ networks, with phishing one of the most common. The phishing attacks conducted by the group usually involve spoofed email attachments with hidden payloads, with one of the favored payloads being the Smokeloader backdoor trojan. Smokeloader gives the group initial access to victims’ networks, from where they use a variety of methods and legitimate networking tools for lateral movement, credential theft, privilege escalation, and data exfiltration. These include 1saas.exe or cmd.exe for privilege escalation, Windows shell functions for control of systems, and built-in Windows API functions to bypass access control and steal authentication tokens. Open source tools such as Bloodhound and Sharphound are used to enumerate the Active Directory, Mimikatz for obtaining credentials, and WinSCP and Mega.io for file exfiltration. Other methods used for initial access include the use of legitimate scanning tools such as Angry IP Scanner to search for vulnerable RDP ports, and then open source brute-forcing tools are used to guess weak passwords.

To improve defenses against Phobos ransomware attacks, businesses should follow the guidance in the recently published security alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC), which includes latest Indicators of Compromise (IoCs) and TTPs observed in recent attacks. The guidance can be found in the #StopRansomware section of the CISA website.

Mitigations are concerned with improving defenses against the initial access vectors – phishing and remote access software. An email security solution is required to block phishing emails, consider disabling hyperlinks in emails, and adding banners to emails from external sources. An email security solution should be used that has both signature and behavioral threat detection capabilities to identify malicious files. End user training should be provided to improve resilience to phishing attempts, web filtering to block malicious file downloads, phishing-resistant multi-factor authentication to prevent the use of compromised credentials from granting access, strong password policies to improve resilience to brute force attacks, and strict controls on RDP and other remote desktop services. Robust backup processes are required, including maintaining offline backups of data, and an incident response policy for ransomware attacks should be developed and tested to ensure the fastest possible recovery in the event of an attack.

LockBit Ransomware Rebounds After Law Enforcement Takedown

by G Hunt | February 29, 2024 | Network Security

A coordinated law enforcement operation – Operation Cronos – headed by the UK National Crime Agency (NCA) and coordinated by Europol seized the infrastructure of the notorious LockBit ransomware group earlier this month. 34 servers were seized in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, along with 200 cryptocurrency wallets, and the keys to decrypt the data of some of the group’s victims. Two LockBit actors were also arrested in Poland and Ukraine, and three arrest warrants and five indictments were issued by judicial authorities in France and the United States. The decryption keys allowed an automated decryptor to be developed, which was added to the No More Ransom website.

The group’s affiliate portal was seized along with its data leak sites and messages were uploaded for affiliates warning them that names and locations were known and they could receive a visit from law enforcement very soon. The NCA threatened to release the name of the group’s figurehead, LockBitSupp, and even added a countdown timer to the data leak site, as LockBit would do when adding victims to the leak site. However, the NCA did not disclose the details and instead added a statement confirming LockBitSupp’s real name, location, and financial worth were known. The NCA also added that LockBitSupp has engaged with law enforcement.

LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks using LockBit ransomware. As payment for those attacks, affiliates receive a percentage of any ransoms they generate. LockBit engaged in double extortion tactics, where sensitive data was stolen in addition to file encryption. Payments are required to prevent the release of the stolen data on the group’s data leak site and to obtain the keys to decrypt data. LockBit then moved to triple extortion, where in addition to data theft and file encryption, Distributed Denial-of-Service (DDoS) attacks are conducted on victims to pile on the pressure and get them to pay the ransom.

LockBit has been in operation since September 2019 and rapidly became a major player in the RaaS market. At the time of the takedown, LockBit was behind 25% of all ransomware attacks and had around 180 affiliates conducting attacks. The next biggest player is Blackcat with an 8.5% market share. The LockBit group has extorted more than $120 million from organizations around the world and its attacks have caused billions of dollars of damage.

The law enforcement operation was significant and a major embarrassment for the group, potentially causing significant damage to the group’s reputation. However, it did not take long for LockBit to respond. A few days after the announcement about the law enforcement action, LockBit created a new data leak site and populated it with the names of 12 recent victims. A note was also added explaining that the FBI most likely exploited an unpatched PHP bug, which hadn’t been addressed out of laziness, which allowed access to be gained to its servers. LockBit claimed the takedown was conducted when it was because data was going to be released from an attack on Fulton County in Georgia, where one of Donald Trump’s lawsuits is being heard, and the release of that data could affect the upcoming Presidential Election.

Typically after a successful law enforcement operation, ransomware gangs rebrand but LockBit appears to be defiant and looks set to continue under the same name. LockBitSupp claimed that the attacks could not stop as long as he was alive, and the group would be updating its infrastructure to make it harder for any future law enforcement operations to succeed. A little more than a week after the law enforcement announcement, the LockBit group appears to be conducting attacks again using new infrastructure, a new data leak site, a new negotiation site, and a new encryptor. It is unclear how many affiliates have been retained but the group has announced that it is recruiting again and is looking for new pen testers, indicating some have decided to leave the operation. What is clear is the group is back and remains a significant threat.

State Sponsored Hackers and Cybercriminal Groups Are Using AI to Improve Their Campaigns

by G Hunt | February 29, 2024 | Network Security

There is growing evidence that cybercriminal groups are leveraging artificial intelligence in their cyberattacks, specifically large language models (LLMs) such as ChatGPT, despite the restrictions OpenAI has put in place. There are also LLMs that are being marketed directly to cybercriminals such as WormGPT. WormGPT is a blackhat AI tool that has been specifically developed for malicious uses and can perform similar tasks to ChatGPT but without any ethical restrictions on uses. The tool can be used for generating convincing phishing and business email compromise emails in perfect English, free from the spelling mistakes and grammatical errors that are often found in these emails.

It is not only cybercriminal groups that are using these AI tools. Nation state hacking groups are exploring how these tools can help them gain initial access to targeted networks. Recently published research from Microsoft and OpenAI confirmed that threat actors from Russia, China, Iran, and North Korea and using AI tools to support their malicious activities. Microsoft and OpenAI found the most common uses of LLMs by nation state actors were for translation, finding coding errors, running basic coding tasks, and querying open-source information. While it does not appear that they are using LLMs to generate new methods of attack or write new malware variants, these tools are being used to improve and accelerate many aspects of their campaigns.

The threat actor tracked by Microsoft as Crimson Sandstorm, which is affiliated with the Islamic Revolutionary Guard Corps (IRGC), a multi-service primary branch of the Iranian Armed Forces, has been using LLMs to improve its phishing campaigns to gain initial access to victims’ networks. Microsoft and OpenAI also report that the hacking group has been using LLMs to enhance its scripting techniques to help them evade detection. The North Korean APT group, Emerald Sleet, is well known for conducting spear phishing and social engineering campaigns and is using LLMs to assist with researching think tanks and key individuals that can be impersonated in its spear phishing campaigns. Threat groups linked to the People’s Republic of China such as Charcoal Typhoon and Salmon Typhoon have been using LLMs to obtain information on high-profile individuals, regional geopolitics, US influence, and internal affairs and for generating content to socially engineer targets. OpenAI says it has terminated the accounts of five malicious state actors and has worked with Microsoft to disrupt their activities, and OpenAI and Microsoft have been sharing data with other AI service providers to allow them to take action to prevent malicious uses of their tools.

It should come as no surprise that cybercriminals and nation state actors are using AI to improve productivity and the effectiveness of their campaigns and are probing the capabilities of AI-based tools, and while this is a cause of concern, there are steps that businesses can take to avoid falling victim to AI-assisted attacks. The best way to combat AI-assisted attacks is to leverage AI for defensive purposes. SpamTitan has AI and machine learning capabilities that can detect zero day and AI-assisted phishing, spear phishing, and business email compromise attacks and better defend against AI-0assisted email campaigns.

With fewer spelling mistakes and grammatical errors in phishing emails, businesses need to ensure they provide their workforce with comprehensive training to help employees recognize email and web-based attacks. The SafeTitan security awareness training and phishing simulation platform is an ideal choice for conducting training and phishing simulations and improves resilience to a range of security threats. TitanHQ’s data shows susceptibility to phishing attacks can be reduced by up to 80% through SafeTitan training and phishing simulations. Businesses should also ensure that all accounts are protected with multi-factor authentication, given the quality of the phishing content that can be generated by AI tools, and ensure that cybersecurity best practices are followed, and cybersecurity frameworks are adopted. The most important advice that we can give is to take action now and proactively improve your defenses, as malicious uses of AI are only likely to increase.

Should Businesses Pay a Ransom After a Ransomware Attack?

by G Hunt | February 18, 2024 | Network Security

If disaster strikes and you discover your network has been encrypted with ransomware and sensitive data has been stolen, you are faced with two choices. Pay the ransom and hope that the attackers are true to their word and will delete the stolen data and provide the decryption keys to allow you to recover your data or attempt to recover from the attack on your own.

There will be several factors that will influence that decision. One of the first questions that must be answered is whether a viable backup exists of your encrypted data, and ideally, one that allows you to recover individual files rather than restoring systems to the date of the most recent backup. Backups are often created but are not tested, and it is only when they are needed that an organization discovers that the backups cannot be used to restore data. Restoring data from backups may result in significant data loss.

If files can be recovered, then it may not be necessary to pay the ransom; however, this is why many ransomware gangs steal data in addition to encrypting files. The exposure of data – publication on a data leak site – or the sale of that data is often far more damaging to a company than the losses due to file encryption. Data leaks can cause significant reputational damage and put organizations at risk of costly lawsuits and regulatory penalties. Determining what data has been stolen is critical to the decision about whether or not to pay the ransom.

For many companies, especially critical infrastructure entities, the ransom demand is far lower than the cost of downtime during the incident response and recovery phase. Backups may allow files to be recovered but that does not mean a quick recovery and extended downtime can be hugely expensive. Paying the ransom may be the most cost-effective option as recovery will often be far quicker.

Companies with cyber insurance policies may be able to claim the ransom payment; however, many insurers now exclude ransomware attacks so it is important to determine, as far as possible, whether the insurance company will pay out and how much will be paid. Some insurers have restrictions in their policies and paying the ransom may invalidate the insurance policy. Cyber insurance is expensive and if a claim against a policy is successful, it is likely that future premiums will increase.

The threat actor that conducted the attack may be on a sanction list, which means that payment may not be permitted. In the United States, the Office of Foreign Asset Control (OFAC) has sanctioned several individuals who have conducted ransomware attacks, and OFAC prohibits payments to sanctioned individuals. If a company makes a ransom payment to a sanctioned individual it is a serious criminal offence, punishable with a severe financial penalty and custodial sentences.

Law enforcement agencies generally advise against paying a ransom for several reasons. If ransoms are paid it encourages ransomware gangs to conduct more attacks and gives them the funds they need to continue and expand their malicious activities. There is also no guarantee that the ransomware group will provide the decryption keys, which means payment may be made and data will remain encrypted. Around 90% of all companies that pay a ransom following a ransomware attack are unable to recover all of their data, and less than a third are able to recover half of their data. Data is often corrupted and decryption keys often do not work.

Paying a ransom to prevent the publication of stolen data may result in your company being removed from a publicly accessible data leak site but it does not mean that the data will be deleted. It may still be sold or misused. There is also a risk that after paying the ransom, another ransom demand will be issued. Any company that is willing to make a payment could face further extortion attempts and multiple ransomware attacks. A study by Cybereason found that 78% of companies that paid a ransom went on to suffer a second attack, with 36% of those attacked by the same threat actor and 42% attacked by a different threat actor.

The decision about whether to pay a ransom is not straightforward, and all factors must be carefully evaluated, but paying a ransom is a gamble and it is one that may not pay off. It should therefore only be considered as the last resort when all other options have been explored and ruled out.

The best approach as far as ransomware is concerned is to take proactive steps and prepare for an attack. You must ensure that you have robust data backup systems in place, with backups stored securely where they cannot be encrypted. Those backups must be tested to make sure file recovery is possible in the event of an attack to keep all options on the table.

Given the number of attacks that are now being conducted, it is important to make sure you have robust defenses in place to protect against all initial access vectors, and that is an area where TitanHQ can help. TitanHQ has a suite of cybersecurity solutions that can improve your security posture and help you recover from an attack should disaster strike. Give the team a call today for advice on how you can improve your defenses against ransomware attacks.

Chinese Hackers Compromising Patched Barracuda Email Security Appliances

by G Hunt | August 24, 2023 | Network Security

The Federal Bureau of Investigation (FBI) has issued a warning that Chinese hackers are continuing to gain access to Barracuda email security appliances, even those that have been patched against a recently disclosed zero day vulnerability, and has urged organizations to immediately remove the appliances.

The vulnerability, tracked as CVE-2023-2868, affects Barracuda Network’s Email Security Gateway (ESG) appliances and occurs when the appliance screens email attachments. The vulnerability is a remote command injection vulnerability that allows the unauthorized execution of system commands with administrator privileges on the ESG appliance. Barracuda issued a patch to fix the flaw on May 20, 2023, after identifying hacks on May 19.

The vulnerability can be exploited via maliciously formatted TAR file attachments that are sent to an email address affiliated with a domain that has an ESG appliance connected to it. When the attachments are scanned it results in a command injection into the ESG, and system commands are executed with the privileges of the ESG. No user interaction is required to exploit the vulnerability.

According to the FBI, Chinese hackers have been exploiting the vulnerability since October 2022 as part of a state-run cyberespionage operation and have compromised hundreds of appliances. Mandiant assisted with investigating the hacks and said this is the broadest cyber espionage campaign conducted by Chinese state-sponsored hackers since the mass exploitation of a Microsoft Exchange vulnerability in 2021.

In a Flash Alert issued on Wednesday, the FBI recommended all affected devices be immediately replaced. “The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” and said the patches released by Barracuda to address the flaw were ineffective.

The advice follows that of Barracuda, which said in June that all hacked Email Security Gateway appliances should be immediately replaced, regardless of whether patches had been applied. Even after the patches had been applied, continued malicious activity was observed on the previously compromised devices. A new form of malware, dubbed Submarine, was deployed on compromised appliances, which resides in a structured query language (SQL) database on the appliance and is a backdoor that provides persistent access.

Vulnerabilities can exist in any software solution, even those that are meant to provide protection. This is why it is important to have multiple layers of protection. If one layer fails, others are there to detect and block threats. Many threats start with a malicious email, which is why email security is so important. Having SpamTitan Plus in place will provide a high degree of protection and will stop malware from reaching its intended recipient. SpamTitan Plus is a leading-edge, AI-driven anti-phishing and anti-malware solution with the newest “zero-day” threat protection and intelligence. The solution includes 100% coverage of all current market-leading anti-phishing feeds and provides 1.6x faster detection of threats than the current market leaders. SpamTitan Plus provides unrivaled protection against malicious links in emails and includes signature-based malware detection and behavioral detection through sandboxing. For more information on SpamTitan Plus, give the TiotanHQ team a call.

Colonial Pipeline Ransomware Attack Started with a Compromised Password

by G Hunt | June 20, 2021 | Network Security

In April 2021, hackers gained access to the network of Colonial Pipeline and deployed ransomware that forced the shutdown of a fuel pipeline system serving the Eastern Seaboard of the United States. With fuel supplies threatened, there was panic buying of fuel by Americans on the East Coast which led to local fuel shortages. Gasoline prices rose to their highest level in more than 6 years, and stockpiles of gasoline on the East Coast fell by 4.6 million barrels.

The attack has been attributed to the DarkSide ransomware-as-a-service operation, which has since shut down. Prior to the shutdown, Colonial Pipeline paid a $4.4 million ransom for the keys to unlock the encrypted files.  The decision to pay the ransom was made because of the threat to fuel supplies. Colonial Pipeline supplied 45% of fuel to the East Coast, and while paying the attackers was a difficult decision, payment was made due to the threat to fuel supplies given how long it was likely to take to recover without the attacker-supplied decryption keys.

Such a major attack on a critical infrastructure firm should have been difficult; however, an investigation into the cyberattack revealed gaining access to the company’s computer system couldn’t have been simpler. The attackers used a compromised password to remotely access Colonial Pipeline’s systems, and that account was not protected with multi-factor authentication.

The password was for a virtual private network account, according to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation. The account was not in use, but it was still possible to use the login credentials to access Colonial Pipeline’s network.

It is not known how the hackers obtained the password. The password has since been found in a database of breached passwords that was leaked on the darkweb. It is possible that an individual had set a password for the account that had been used on another account that had been breached. It is common for passwords from data breaches to be attempted in brute force attacks as password reuse is common. Passwords are also often obtained in phishing attacks.

Mandiant looked for evidence of how the password was obtained by the hackers. The researchers found no signs of attacker activity before the April 29, 2021 nor any evidence of phishing. How the password was obtained and the username determined may never be known.

What is clear is that the attack could have easily been prevented had cybersecurity best practices been followed such as conducting audits of accounts and shutting down accounts that are no longer in use, setting unique, complex passwords for each account, implementing multi-factor authentication to stop compromised passwords from being used, and implementing an effective anti-spam solution to block phishing emails.

Travelex Ransomware Attack Highlights Changing Cyber Ransom Tactics

by G Hunt | January 15, 2020 | Network Security

The Travelex ransomware attack that started around December 31, 2019 is one of several recent ransomware attacks where threat actors have upped the ante by threatening to publish data stolen from victims prior to the deployment of ransomware.

A New Trend in Ransomware Attacks

Most ransomware attacks, especially those conducted by affiliates using ransomware-as-a-service, see ransomware deployed instantly. An employee receives a ransomware attachment via email, opens the attachment, and the encryption process is started. Now, several threat actors have taken steps to increase the probability of their ransom demand being paid.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has recently issued warnings about changing ransomware tactics, which now involve data theft prior to file encryption. This tactic is nothing new, as several threat actors have been conducting these types of attacks for some time, attacks of this nature have been increasing.

to the network is gained, the attackers then move laterally and gain access to as many devices as possible. Data is stolen and when the attackers have stolen as much as they want, ransomware is deployed. In these types of attacks, the time between the initial compromise and deployment of ransomware is typically several months.

Data may be stolen and sold online with the ransomware deployed as a coup de grace after a long-term compromise to extort money from the company. Now it is increasingly common for a threat to be issued along with the ransom demand that the stolen data will be published or sold if the ransom is not paid.

This tactic has been adopted by the threat actors behind Maze ransomware and they have gone ahead and published stolen data when the ransom was not paid. The threat actors using MegaCortex ransomware and LockerGoga ransomware have similarly issued threats.

Now the gang behind Sodinikibi (REvil) ransomware have also changed tactics and have started issuing threats to publish stolen data. The Sodinokibi gang have made several threats to sell on or publish stolen data but it was only recently that they did just that. The gang attacked Artech Information Systems, one of the largest IT staffing companies in the U.S. When the ransom demand was not paid, 337MB of stolen data was published on a Russian hacking and malware forum. The Travelex ransomware attack is one of the latest Sodinokibi ransomware attacks, and a threat to publish stolen data was similarly issued.

The Travelex Ransomware Attack

On New Year’s Eve, Travelex took its systems offline to contain the infection and limit the damage caused. More than two weeks on, Travelex systems are still offline although the company is now starting to restore some of its systems. The number of branches affected by the attack, and banks and other companies that rely on its currency exchange services, makes this one of the most serious and damaging ransomware attacks ever.

With its systems offline, Travelex has been unable to provide its currency services to banks such as HSBC, Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, all of which rely on Travelex for providing their currency services. Many other companies, such as the supermarket chains Sainsbury’s and Tesco, have also had to stop providing online currency services to their customers. Travelex has been forced to provide services manually using pen and paper for over the counter currency exchanges in its branches. More than 70 countries in which Travelex operates were affected by the attack.

Travelex has only released a limited amount of information about the attack, but the attackers have been in contact with several media outlets. Initial reports suggested a payment of $3 million was required for the keys to unlock the encryption, although the demand doubled to $6 million when payment was not received within the stipulated 2 days. The attackers also threatened to publish data stolen in the attack if the payment was not made within 7 days.

Travelex issued a statement saying no customer data was breached and that the infection was contained, a position that has been maintained since the attack, even though the Sodinokibi gang has threatened to publish customer data.

The Sodinokibi ransomware gang, through a spokesperson, said the gang had stolen 5GB of customer data including customers’ names, dates of birth, credit card information, Social Security numbers, and National Insurance numbers. The gang claimed that all stolen data would be deleted and would not be used if the ransom demand was paid, but that the data would be sold if payment was not received. The gang also said access to Travelex systems was gained 6 months before the ransomware was deployed.

How Was Travelex Attacked?

It is not known at this stage exactly how ransomware was installed on its network, but there have been several security researchers that have offered some clues. According to BleepingComputer, Travelex was using insecure services prior to the attack. Security researcher Kevin Beaumont found Travelex had AWS Windows servers that did not have Network Level Authentication enabled, which could have given the attackers the opportunity they needed to launch an attack.

A critical vulnerability in the Pulse Secure VPN enterprise solution for secure communications – CVE-2019-11510 – was identified and was patched by Pulse Secure on April 24, 2019, but many companies were slow to apply the patch, despite receiving multiple warnings from Pulse Secure. An exploit for the vulnerability was made public on August 21, 2019.

Troy Mursch, chief research officer at Bad Packets, found that Travelex had not applied the patch by the time the exploit was released. The Sodinokibi ransomware gang said they compromised Travelex 6 months prior to the deployment of ransomware. This could have been the vulnerability that was exploited.

Recovery Now Well Underway

On January 13, 2020, more than 2 weeks after the ransomware attack was experienced, Travelex issued a statement confirming that the recovery process was well underway, although the firm’s website was still offline. The company had started restoring its currency services to banks and its own network. Internal order processing has been restored and customer-facing systems are slowly being brought back online. What Travelex has not confirmed is whether the ransom was paid. No Travelex data appears to have been published online so it is possible that a ransom payment has been negotiated with the attackers.

Cost of the Travelex Ransomware Attack

The ransom payment is considerable but is likely to be several orders of magnitude less than the costs of downtime and disruption to its services.

No customer data appears to have been misused, but Travelex could still face a barrage of lawsuits from customers and the Information Commissioner’s Office and other data protection authorities my choose to fine Travelex over the data breach, either for the exposure of data or for the failure to report under GDPR.

GDPR requires data breaches to be reported to data protection authorities within 72 hours and it appears that did not happen. The maximum financial penalty for a GDPR violation is €20 million or 4% of a company’s global annual turnover, whichever is greater. Travelex’s global annual turnover in 2018 was $947.86 million. A fine of $189.57 million could therefore be issued. It should be noted that even if data was not stolen by the attackers and was just made inaccessible, it still counts as a reportable data breach under GDPR.

A payment of $6 million to the attackers would only be a tiny proportion of the total losses from downtime, lost business, lawsuits, and regulatory fines.

Patch This Vulnerability Now to Avoid WannaCry Style Malware Attack

by G Hunt | May 15, 2019 | Network Security

A critical Windows vulnerability has been identified which could be exploited in a WannaCry-style malware attack. The vulnerability is pre-authentication and requires no user interaction to exploit, as such it is wormable. A patch was issued by Microsoft on May 14, 2019 to correct the flaw. The patch should be applied immediately to prevent the flaw from being exploited.

A remote attacker could exploit the flaw to deliver malware to a vulnerable device and, by incorporating the exploit into the malware, move laterally and infect all vulnerable devices on the network.

The vulnerability, tracked as CVE-2019-0708, is in Remote Desktop Services (previously called Terminal Services) and requires a relatively low level of skill to exploit.  To exploit the flaw, an attacker would need to send a specially crafted request to the Remote Desktop Service on a targeted device via RDP. Once exploited, an attacker could download malware and install other programs, view, change, or delete data, create new user accounts with admin privileges, and take full control of a vulnerable device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.

Microsoft has incorporated security protections into the latest Windows versions, so Windows 8 and Windows 10 users are unaffected. However, earlier versions of Windows contain the vulnerability.

Patches have been released for all vulnerable Windows versions, including Windows XP and Windows 2003, both of which have reached end of life and are no longer supported, as was the case with the Windows Server Message Block (SMB) vulnerability that was exploited by WannaCry.

Affected Windows versions are:

• Windows Server 2008 R2
• Windows Server 2008
• Windows 7
• Windows XP
• Windows 2003

Businesses running machines with the above operating systems should test the patch and apply it as soon as possible. In the meantime, a workaround should be implemented to prevent the flaw from being exploited.

The workaround requires TCP port 3389 to be blocked on the firewall and for Network Level Authentication (NLA) to be enabled on all systems running vulnerable Windows versions. If NLA is enabled, before the flaw can be exploited, an attacker would first need to authenticate to remote Desktop Services using a valid account. While the workaround will reduce the risk of exploitation of the vulnerability, it is not a replacement for the patch, which should still be applied as soon as possible. Businesses should also disable Remote Desktop Services if they are not essential and RDP should not be exposed to the internet.

Microsoft has warned that the failure to mitigate the vulnerability, either by applying the patch or using the workaround, could result in another global attack on the scale of WannaCry. Such an attack is extremely likely. When patches are released to address critical flaws, it doesn’t take long for them to be reverse engineered and for exploits to be crafted. Such a high severity flaw is likely to be exploited quickly. It may only take a few days before the first attacks are conducted.

Year-Old Connectwise Vulnerability Exploited in MSP Ransomware Attacks

by G Hunt | February 15, 2019 | Network Security

A year-old vulnerability in the Connectwise plugin for Kaseya VSA has been exploited in a series of MSP ransomware attacks over the past two weeks. The latest campaign is one of several cyberattacks targeting MSPs in recent months that abuse trusted relationships between MSPs and their clients. The aim of the attacks is to gain access to MSP systems in order to attack their clients.

MSPs are trusted by SMBs to improve security, identify and correct vulnerabilities, and prevent costly cyberattacks. However, if MSPs do not follow cybersecurity best practices such as ensuring patches and software updates are applied on their own systems, they place their clients at risk.

MSP ransomware attacks such as these have potential to cause considerable damage to an MSP’s reputation, could easily result in loss of clients, and also possible legal action.

On MSP Reddit poster explained that cybercriminals recently exploited a vulnerability to gain access to clients’ systems and had installed ransomware on approximately 80% of client machines. Other attacks have also succeeded in encrypting files on client networks.

It is not always possible to update plugins, apply patches, and perform software updates instantly, but in this case the vulnerability was identified in November 2017. A proof of concept exploit was published, and an updated plugin was rapidly released by Connectwise to correct the flaw. Despite this, 126 MSPs are still using the out of date and vulnerable plugin according to a recent Kaseya security warning.

The Connectwise plugin for Kaseya VSA contained a flaw – CVE-2017-18362 – that allowed commands to be run on a Kaseya VSA server without the need for authentication due to an error within the Connectwise API. By exploiting the vulnerability, an attacker would be able to gain access to the Kaseya VSA server and conduct attacks on MSP clients. In this case, GandCrab ransomware was installed.

The group behind this campaign may not be the only criminal gang to attempt to exploit the vulnerability. It is possible that some MSPs who failed to update the plugin may have also had their server compromised and less conspicuous malware may have been installed.

All MSPs that use Connectwise and have the plugin installed on their on-premise server should ensure the latest version of the plugin is installed. Connectwise has made a tool available to users that will conduct a scan to determine if the vulnerable plugin is in use. It is also recommended to disconnect the VSA server from the internet and to perform an audit to determine if the server has been compromised.

Thanks to advanced cybersecurity defenses, many of which are provided by MSPs to their clients, it is becoming harder for cybercriminals to use standard tactics such as mass spam emails to gain access to business networks. As the past few months have shown, cybercriminals are now targeting MSPs to gain access to their clients’ systems. It is therefore essentials that MSPs ensure they scan for vulnerabilities on their own systems to identify potential weaknesses before they are exploited by hackers.

Suspected Use of Ryuk Ransomware in Newspaper Cyberattack

by G Hunt | December 31, 2018 | Network Security

The last weekend of 2018 has seen a major newspaper cyberattack in the United States that has disrupted production of several newspapers produced by Tribune Publishing.

The attacks were malware-related and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and others. The malware attack occurred on Thursday, December 27, and caused major problems throughout Friday.

All of the affected newspapers shared the same production platform, which was disrupted by the malware infection. While the type of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack involved Ryuk ransomware.

Ransomware is a form of malware that encrypts critical files preventing them from being accessed. The primary goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also common for ransomware to be deployed after network access has been gained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be conducted to cause disruption. It is suspected that this newspaper cyberattack was conducted primarily to disable infrastructure.

The type of ransomware used in an attack is usually easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are changed to .ryk.

The Los Angeles Times has attributed it to threat actors based outside the United States, although it is unclear which group was behind the cyberattacks. If the attack was conducted to disable infrastructure it is probable that this was a nation-state sponsored attack.

The first Ryuk ransomware cyberattacks occurred in August. Three U.S. companies were attacked, and the attackers were paid at least $640,000 for the keys to unlock the data. An analysis of the ransomware revealed it shared code with Hermes malware, which had previously been linked to the Lazarus Group – An APT group with links to North Korea.

While many ransomware campaigns used mass spamming tactics to distribute the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved considerable reconnaissance and extensive network mapping before the ransomware is finally deployed. As is the case with SamSam ransomware attacks, the campaign is conducted manually.

Several methods are used to gain access to networks, although earlier this year a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services claiming email to be one of the main attack vectors, highlighting the importance of email security and end user training to help employees recognize email-based threats.

Flash Player Vulnerability Being Actively Exploited via Spear Phishing Campaign

by G Hunt | December 6, 2018 | Network Security

Adobe has issued an unscheduled update to correct flaws in Adobe Flash Player, including a zero-day vulnerability that is currently being exploited in the wild by an APT threat group on targets in Russia. One target was a Russian healthcare facility that provides medical and cosmetic surgery services to high level civil servants of the Russian Federation.

The zero-day flaw is a use-after-free vulnerability – CVE-2018-15982 – which allows arbitrary code execution and privilege execution in Flash Player. A malicious Flash object runs malicious code on a victim’s computer which gives command line access to the system.

The vulnerability was discovered by security researchers at Gigamon ATR who reported the flaw to Adobe on November 29. Researchers at Qihoo 360 identified a spear phishing campaign that is being used to deliver a malicious document and associated files that exploit the flaw. The document used in the campaign was a forged employee questionnaire.

The emails included a .rar compressed file attachment which contained a Word document, the vulnerability, and the payload. If the .rar file is unpacked and the document opened, the user is presented with a warning that the document may be harmful to the computer. If the content is enabled, a malicious command is executed which extracts and runs the payload – A Windows executable file named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe serves as a backdoor into a system. The malicious payload collects system information which is sent back to the attackers via HTTP POST. The payload also downloads and executes shell code on the infected device.

Qihoo 360 researchers have named the campaign Operation Poison Needles due to the identified target being a healthcare clinic. While the attack appears to be politically motivated and highly targeted, now that details of the vulnerability have been released it is likely that other threat groups will use exploits for the vulnerability in more widespread attacks.

It is therefore important for businesses that have Flash Player installed on some of their devices to update to the latest version of the software as soon as possible. That said, uninstalling Flash Player, if it is not required, is a better option given the number of vulnerabilities that are discovered in the software each month.

The vulnerability is present in Flash Player 31.0.0.153 and all earlier versions. Adobe has corrected the flaw together with a DLL hijacking vulnerability in version 32.0.0.101.

How to Improve the Office 365 Spam Filter

by G Hunt | November 20, 2018 | Network Security

Office 365 has many benefits, so it is no surprise that it is proving so popular with businesses, but one common complaint is the number of spam and malicious emails that sneak past Microsoft’s defenses. If you have a problem with spam and phishing emails still being delivered to your end users, there is an easy solution to improve the Office 365 spam filter and block more threats.

Office 365 Email Protection

More than 155 million commercial users are now on Office 365 and that figure is growing at a rate of around 3 million users per month. Unfortunately, the popularity of Office 365 has made it a target for hackers, who are testing their campaigns in their own Office 365 environments to make sure their malspam messages are delivered. Businesses using Office 365 are being sought out and attacked.

Microsoft has been proactively taking steps to improve the Office 365 spam filter to make it more effective at blocking spam and phishing attempts. Office 365 phishing protections have been improved and more malicious emails are now being blocked; however, even with the recent anti-phish enhancements, many businesses still have to deal with an unacceptable volume of spam, phishing emails are still reaching inboxes, and malware is sneaking past Office 365 protections.

Office 365 Spam Protection

Office 365 provides a reasonable level of protection from spam. You can expect Microsoft to block around 99% of all spam emails. While that figure is good, the 1% that are not blocked can amount to a sizeable number of emails. Around 4.5 billion email messages are sent each day and around 46% of those messages are spam. Each inbox may only receive a handful of spam messages but each message that has to be opened, checked, and dealt with by employees is a drain on productivity.

Office 365 Phishing Protection

Spam is a nuisance, but it does not typically pose a threat to businesses. Malspam on the other hand certainly does. Malspam is the name given to spam email that is used for malicious purposes, such as scam and phishing emails and when spam messages are used to distribute malware. This is an area where default Microsoft Office email protection falls short of requirements for many businesses.

Businesses using Office 365 as a hosted email solution are likely to have their email filtered using Exchange Online Protection (EOP). EOP is included in an Office 365 subscription and it does a reasonable job of blocking spam, phishing emails, and malware.  Given the number of email-based attacks that are now being conducted by cybercriminals, and the high costs of dealing with those attacks, being ‘reasonably’ well protected from malspam is simply not good enough.

Many businesses have found that EOP blocks basic phishing attacks but comes up short at blocking more advanced email threats such as spear phishing and advanced persistent threats. EOP is best at blocking large scale phishing campaigns where attackers use huge email lists and ‘spray and pray’ tactics. These tried and tested techniques are becoming less effective thanks to improvements in spam filtering.

The relatively poor return on these scams has seen many threat actors invest more time in their campaigns and develop new methods of attack. There is a growing trend for more targeted attacks using more sophisticated phishing methods. EOP is not very effective at blocking these types of phishing attacks. One study conducted by Avanan showed 25% of phishing emails were delivered to inboxes and were not blocked by EOP. These targeted attacks are also being conducted on SMBs, not just on large enterprises.

To improve the Office 365 spam filter, you can upgrade to Advanced Threat Protection (APT), the second level of protection for Office 365 offered by Microsoft. The level of protection is much better with this paid service, although APT is still not effective at blocking zero-day threats and falls short of the level of protection provided by most third-party anti-spam and anti-phishing solutions for Office 365. A SE Labs study conducted in the summer of 2017 found that even with the additional level of protection, which is only available in the Office 365 E5 license tier, protection only ranked in the low-middle of the market.

Office 365 Malware Protection

An Osterman Research study showed EOP eliminates 100% of known malware threats but is not nearly as effective at identifying zero-day threats. New malware variants are now being released at a rate of around 350,000 a day, according to AV-TEST.

These new malware threats are a serious risk. If they are not detected as malicious and are delivered to inboxes, malicious attachments can be opened by employees. You can train your workforce to be more security aware, but it is unreasonable to expect every employee to be able to identify every malicious message and act appropriately. Mistakes are inevitable. Those mistakes can be extremely costly. According to the 2019 Ponemon Institute/IBM Security Cost of a Data Breach Study, the global average cost of a data breach is $4.88 million and $8.19 million in the United States!

The number of cases of hackers exploiting vulnerabilities in Office 365 and the volume of direct attacks on Office 365 users have seen an increasing number of businesses turning to third-party email protection solutions for Office 365. These solutions are layered on top of EOP and greatly improve Office 365 spam filter capabilities.

There is another reason why it is wise to choose a third-party solution to improve Office 365 email protection rather than opting for Microsoft’s APT. It is important to have layered defenses to protect against cyberattacks, and while layers can be added through the same company, it pays not to put all your eggs in one basket. When businesses have their email on-premises, they typically have many layers to their defenses, and they do not all come from the same solution provider. If a threat is not detected by one solution provider, there is more chance of it being detected by another solution provider than another solution from the same company. The same thinking should be applied to your cloud-hosted Office 365 environment.

An Easy Way to Improve the Office 365 Spam Filter

Businesses that want to further improve the Office 365 spam filter (and those looking for an Office 365 Advanced Threat Protection alternative) need to consider implementing a third-party anti-spam solution.

Fortunately, there is a solution that will not only improve Office 365 spam filtering, it is quick and easy to implement, requires no software downloads, and no hardware purchases are necessary. In fact, it can be implemented, configured, and be up and running in a few minutes.

SpamTitan is a powerful cloud-based email security solution that has been developed to provide superior protection against spam, phishing, malware, zero-day attacks, and data loss via email.

In contrast to the Office 365 spam filter, SpamTitan uses predictive techniques such as Bayesian analysis, machine learning, and heuristics to block zero-day attacks, advanced persistent threats, new malware variants, and new spear phishing methods.

SpamTitan searches email headers, analyzes domains, and scans email content to identify phishing threats. Embedded hyperlinks, including shortened URLs, are scanned in real time and subjected to multiple URL reputation checks, while dual antivirus engines scan and block 100% of known malware. SpamTitan also includes sandboxing, where potentially malicious files and programs can be subjected to in-depth analysis in safety. In the sandbox, files are analyzed for malicious actions and C2 server callbacks.

SpamTitan also incorporates data loss prevention tools for emails and attachments, which are not available with EOP. Users can create tags for keywords and data elements such as Social Security numbers to protect against theft by insiders. SpamTitan also serves as a backup for your mail server to ensure business continuity.

With SpamTitan you get a greater level of protection against spam and malicious emails, a higher spam catch rate (over 99.9%), greater granularity, improved control over outbound email, and better business continuity protections.

If you have transitioned to Office 365 yet are still having problems with spam, phishing, and other malicious emails, or if you are an MSP that wants to offer your clients enhanced Office 365 email security, contact the TitanHQ team today.

The TitanHQ team will be happy to schedule a personalized product demonstration and help you put SpamTitan through the paces in your own environment in a no-obligation free trial.

FAQs on Improving the Office 365 Spam Filter

How does SpamTitan differ from the Office 365 spam filter?

SpamTitan has many advanced features not included in Office 365 and provides a defense in depth approach against malware, phishing and other email threats. SpamTitan include predictive techniques such as Bayesian analysis, heuristics, and machine learning to block new threats, dual AV engines and sandboxing to block malware threats, data leak prevention measures, dedicated RBLs as standard, and allows customized policies to be created for users, domains, domain groups, and the overall system, along with many more features to improve protection for Office 365 environments.

How does sandboxing work?

SpamTitan incorporates a powerful, next-generation sandbox solution. Suspicious messages that pass initial checks are sent to the sandbox for in-depth analysis to identify any malicious actions such as C2 callbacks. If these checks are passed, the message is delivered, if malicious activity is detected, the message will be quarantined or deleted, depending on the policy set by the administrator. Sandboxing is essential for blocking zero-day malware threats.

Why is it necessary to scan outbound emails?

If spam or malicious emails are sent from your mailboxes, you are likely to have your IP added to a spam blacklist and your emails may not be delivered. Outbound scanning can quickly detect a compromised inbox or rogue employee and block outbound emails before any harm is caused. Rules can be set to prevent certain attachments from being sent and data elements can be tagged to protect against data leaks.

How does SpamTitan protect against email spoofing attacks?

SpamTitan supports DKIM signing and incorporates the DMARC (Domain-based Message Authentication, Reporting and Conformance) email-validation system, which has been designed to detect and block email spoofing attacks. A DNS TXT record is used to create an overall policy governing SPF and DKIM, allowing you to accept messages, quarantine them, or reject them if they fail the DMARC check.

How much does SpamTitan Cost and are there any discounts?

The cost of SpamTitan varies depending on the number of mailboxes you want to protect and the length of the contract, with sizable discounts offered to organizations that commit to a 2- or 3-year term. The easiest way to find out how much SpamTitan is likely to cost is to use our cost calculator.

Cryptocurrency Mining PowerGhost Malware Spreading Like Wildfire

by G Hunt | July 30, 2018 | Network Security

A massive cryptocurrency mining campaign has been uncovered by security researchers at Kaspersky Lab – A campaign that has resulted in the creation of a vast network of devices infected with PowerGhost malware.

PowerGhost malware is being installed on all manner of devices including servers, endpoints, and POS devices. Once infected, each device generates a small amount of a cryptocurrency each day by using the device’s processing power to solve complex computational problems.

While a single device can be used to mine a few dollars of cryptocurrency each day, the returns are significant when the attackers are able to infect server farms and add hundreds of thousands of endpoints to their army of cryptocurrency mining slaves.

Once a device is infected, the cryptocurrency mining tool is downloaded and gets to work. A portion of an infected device’s processing power is then dedicated to mining cryptocurrency until the infection is identified and the malware is removed. PowerGhost malware also spreads laterally to all other vulnerable networked devices.

What makes PowerGhost such a difficult threat to detect is the fact that it doesn’t use any files, instead it is capable of mining cryptocurrency from the memory. PowerGhost is an obfuscated PowerShell script that includes various add-on modules, including the cryptocurrency mining component, mimikatz, and the DLLs required for the operation of the miner. Various fileless techniques are used to infect devices, ensure persistence, and avoid detection by anti-virus solutions. The malware also includes shellcode for the EternalBlue exploit to allow it to spread across a network to other vulnerable devices. Attacks are occurring through the exploitation of unpatched vulnerabilities and through remote administration tools.

PowerGhost malware is primarily being used in attacks on companies in Latin America, although it is far from confined to this geographical region with India and Turkey also heavily targeted and infections detected in Europe and North America.

Companies are being targeted. If a foothold can be gained in a corporate network, hundreds, thousands or tens of thousands of devices can be infected and used for cryptocurrency mining. The potential rewards for a successful attack on a medium to large enterprise is substantial.

In addition to cryptocurrency mining, Kaspersky Lab researchers note that one version of the PowerGhost malware is capable of being used for DDoS attacks, offering another income stream for the cybercriminal gang behind the campaign.

Prompt patching, disabling of remote desktop protocol, and the setting of strong complex passwords can help to protect against this PowerGhost malware campaign.

How to Develop an Effective Security Awareness Program

by G Hunt | March 29, 2018 | Network Security

No matter how many cybersecurity solutions you have deployed or the maturity of your cybersecurity program, it is now essential for develop and effective security awareness program and to ensure all employees and board members are trained how to recognize email threats.

Threat actors are now using highly sophisticated tactics to install malware, ransomware, and obtain login credentials and email is the attack method of choice. Businesses are being targeted and it will only be a matter of time before a malicious email is delivered to an employee’s inbox. It is therefore essential that employees are trained how to recognize email threats and told how they should respond when a suspicious email arrives in their inbox.

The failure to provide security awareness training to staff amounts to negligence and will leave a gaping hole in your security defenses. To help get you on the right track, we have listed some key elements of an effective security awareness program.

Important Elements of an Effective Security Awareness Program

Get the C-Suite Involved

One of the most important starting points is to ensure the C-Suite is on board. With board involvement you are likely to be able to obtain larger budgets for your security training program and it should be easier to get your plan rolled out and followed by all departments in your organization.

In practice, getting executives to support a security awareness program can be difficult. One of the best tactics to adopt to maximize the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial benefits that come from having an effective security awareness program. Provide data on the extent that businesses are being attacked, the volume of phishing and malicious emails being sent, and the costs other businesses have had to cover mitigating email-based attacks.

The Ponemon Institute has conducted several major surveys and provides annual reports on the cost of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of stats. Present information clearly and show the benefit of the program and what you require to ensure it is a success.

Get Involvement from Other Departments

The IT department should not be solely responsible for developing an effective security awareness training program. Other departments can provide assistance and may be able to offer additional materials. Try to get the marketing department on board, human resources, the compliance department, privacy officers. Individuals outside of the security team may have some valuable input not only in terms of content but also how to conduct the training to get the best results.

Develop a Continuous Security Awareness Program

A one-time classroom-based training session performed once a year may have once been sufficient, but with the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer enough.

Training should be an ongoing process provided throughout the year, with up to date information included on current and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for everyone. Develop a training program using a variety of training methods including annual classroom-based training sessions, regular computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues fresh in the mind.

Use Incentives and Gamification

Recognize individuals who have completed training, alerted the organization to a new phishing threat, or have scored highly in security awareness training and tests. Try to create competition between departments by publishing details of departments that have performed particularly well and have the highest percentage of employees who have completed training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.

Security awareness training should ideally be enjoyable. If the training is fun, employees are more likely to want to take part and retain knowledge. Use gamification techniques and choose security awareness training providers that offer interesting and engaging content.

Test Employees Knowledge with Phishing Email Simulations

You can provide training, but unless you test your employees’ security awareness you will have no idea how effective your training program has been and if your employees have been paying attention.

Before you commence your training program it is important to have a baseline against which you can measure success. This can be achieved using security questionnaires and conducting phishing simulation exercises.

Conducting phishing simulation exercises using real world examples of phishing emails after training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be turned into a training opportunity.

Comparing the before and after results will show the benefits of your program and could be used to help get more funding.

Train your staff regularly and test their understanding and in a relatively short space of time you can develop a highly effective human firewall that complements your technological cybersecurity defenses. If a malicious email makes it past your spam filter, you can be confident that your employees will have the skills to recognize the threat and alert your security team.

Ransomware Growth in 2017 Has Increased by 2,502%

by G Hunt | October 12, 2017 | Network Security

Ransomware growth in 2017 has increased by 2,502% according to a new report released this week by Carbon Black. The firm has been monitoring sales of ransomware on the darknet, covering more than 6,300 known websites where malware and ransomware is sold, or hired as ransomware-as-a-service. More than 45,000 products have been tracked by the firm.

The file encrypting code has been embraced by the criminal fraternity as a quick and easy method of extorting money from companies. Ransomware growth in 2017 was fueled by the availability of kits that allow campaigns to be easily conducted.

Ransomware-as-a-service now includes the malicious code, admin consoles that allow the code to be tweaked to suit individual preferences, and instructions and guidelines for conducting campaigns. Now, no coding experience is necessary to conduct ransomware campaigns. It is therefore no surprise to see major ransomware growth in 2017, but the extent of that growth is jaw-dropping.

Ransomware sales now generate $6.2 million a year, having increased from $249,287 in 2016. The speed at which ransomware sales have grown has even surprised security experts. According to the report, the developers of a ransomware variant can make as much as $163,000 a year. Compare that to the amount they would make working for a company and it is not hard to see the attraction. That figure is more than double the average earnings for a legitimate software developer.

Ransomware can now be obtained via these darknet marketplaces for pocket change. The report indicates ransomware kits can be purchased for as little as 50 cents to $1 for screen lockers. Some custom ransomware variants, where the source code is supplied, sell for between $1,000 and $3,000, although the median amount for standard ransomware is $10.50. The developers of the code know full well that they can make a fortune on the back end by taking a cut of the ransomware profits generated by their affiliates.

Ransomware attacks are profitable, so there is no shortage of affiliates willing to conduct attacks. Carbon Black suggests 52% of firms are willing to pay to recover encrypted files. Many businesses would pay up to $50,000 to regain access to their files according to the report. A previous study conducted by IBM in 2016 showed that 70% of businesses attacked with ransomware have paid the ransom to recover their files, half of businesses paid more than $10,000 and 20% paid over $40,000.

Figures released by the FBI suggest ransomware revenues were in excess of $1 billion last year, up from $24 million in 2015. However, since many companies keep infections and details of ransomware payments quiet, it is probable that the losses are far higher.

Since the ransomware problem is unlikely to go away, what businesses must do is to improve their defenses against attacks – That means implementing technology and educating the workforce to prevent attacks, deploy software solutions to detect attacks promptly when they occur to limit the damage caused, and make sure that in the event of an attack, data can be recovered.

Since the primary attack vector for ransomware is email, companies should ensure they use an advanced spam filtering solution to prevent the malicious emails from being delivered to end users. SpamTitan block more than 99.9% of spam email, keeping inboxes ransomware free.

Employee education is critical to prevent risky behavior and ensure employees recognize and report potentially malicious emails. To ensure recovery is possible without paying the ransom, firms should ensure multiple backups are made. Those backups should be tested to make sure data can be recovered. Best practices for backing up data are to ensure three copies exist, stored on at least two different media, with one copy stored off site.

Trickbot Malware Now Includes Self-Replicating Worm Module

by G Hunt | August 7, 2017 | Network Security

Trickbot malware is a banking Trojan that has been around for a few years now, although its authors have recently developed a WannaCry ransomware-style worm module that allows it to spread much more rapidly.

The recent NotPetya attacks also included a similar module enabling the malware to be used in devastating attacks that wiped out entire systems.

This new method of speeding up the spread of malware takes advantage of a vulnerability in Windows Server Message Block, which is used to identify all vulnerable computers on a network that connect via the Lightweight Directory Access Protocol (LDAP).

Since the exploit is readily available, cybercriminals can use it in conjunction with malware to spread infections more effectively and quickly. Worms were once popular, although their use has died out. The use of worm-like elements with the WannaCry and NotPetya attacks has shown just how effective they can be, and also served as a reminder of why they were popular in the first place.

Far from isolated malware variants, we could be about to see a rise in the use of worm-like modules. Fortunately, for the time being at least, the worm module in Trickbot malware does not appear to be fully operational. That said, the malware is constantly being redeveloped so it is probable the flaws will be fixed soon.

The malware can gain access to online banking accounts enabling the attackers to empty bank accounts.  It is fast becoming one of the most prevalent banking Trojans, according to IBM X-Force. It is currently being used in targeted attacks on organizations in the financial sector around the world, with recent campaigns targeting banks in the UK and United States. The ability to spread throughout a network rapidly will make it much more dangerous.

Aside from the new worm-like module another change has been detected. PhishMe reports that it has identified a change to how the Trojan is distributed. Attacks have occurred via malvertising campaigns this year that redirect web users to sites hosting the Rig exploit kit, although Trickbot is primarily distributed via spam email sent via the Necurs botnet.

The latest change to the Trickbot malware campaign is helping the threat actors to evade anti-virus solutions. Previously, the Trojan has been installed via macro scripts in specially crafted office documents. The latest campaign update sees the attackers use a Windows Script Component (WSC) containing XML-format scripts. The same delivery mechanism has also been used to deliver GlobeImposter ransomware.

Ovidiy Stealer: A New Password Stealing Malware Priced to Maximize Sales

by G Hunt | July 20, 2017 | Network Security

The Ovidiy Stealer is a password stealing malware that will record login credentials and transmit the information to the attacker’s C2 server. As with many other password stealers, information is recorded as it is entered into websites such as banking sites, web-based email accounts, social media accounts and other online accounts.

The good news is that even if infected, the Ovidiy Stealer will not record information entered via Internet Explorer or Safari. The malware is also not persistent. If the computer is rebooted, the malware will stop running.

The bad news is, if you use Chrome or Opera, your confidential information is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, since the malware is being constantly updated it is likely other browsers will be supported soon.

Ovidiy Stealer is a new malware, first detected only a month ago. It is primarily being used in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will spread to other regions.

Researchers at Proofpoint – who first detected the password stealing malware – believe email is the primary attack vector, with the malware packaged in an executable file sent as an attachment. Proofpoint also suggests that rather than email attachments, links to download pages are also being used. Samples have been detected bundled with LiteBitcoin installers and the malware is also being distributed through file-sharing websites, in particular via Keygen software cracking programs.

New password stealers are constantly being released, but what sets the Ovidiy Stealer aside and makes it particularly dangerous is it is being sold online at a particularly low price. Just $13 (450-750 Rubles) will get one build bundled into an executable ready for delivery via a spam email campaign. Due to the low price there are likely to be many malicious actors conducting campaigns to spread the malware, hence the variety of attack vectors.

Would be attackers willing to part with $13 are able to view the number of infections via a web control panel complete with login. Via the control panel they can manage their account, see the number of infections, build more stubs and view the logs generated by the malware.

Protecting against malware such as Ovidiy Stealer requires caution as it takes time before new malware are detected by AV solutions. Some AV solutions are already detecting the malware, but not all. As always, when receiving an email from an unknown sender, do not open attachments or click on hyperlinks.

Organizations can greatly reduce risk from this password-stealer and other malware spread via spam email by implementing an advanced spam filtering solution such as SpamTitan to prevent malicious emails from reaching end users’ inboxes. SpamTitan uses dual AV engines to maximize detections and blocks over 99.9% of spam email.

Free Dharma Ransomware Decryption Now Possible

by G Hunt | March 6, 2017 | Network Security

Free Dharma ransomware decryption is now possible following the publication of the decryption keys used by the cybercriminal gang behind the ransomware.

The Dharma ransomware decryption keys have now been used to develop a decryptor to unlock Dharma-encrypted files. If your organization has been attacked with Dharma ransomware, you can unlock your files by using the Dharma ransomware decryptor developed by Kaspersky Lab or ESET. A ransom no longer needs to be paid.

The decryptor available from ESET will unlock files encrypted by Dharma and its predecessor, Crysis. Kaspersky Lab has added the keys to its Rakhni ransomware decryptor.

It is easy to determine which ransomware variant has been used by checking the file extension on ransomware-encrypted files. Dharma ransomware adds the ‘.dharma’ extension to files after they have been encrypted.

The keys to unlock the encryption were posted on a BleepingComputer tech support forum last week by an individual with the username ‘gektar’. Where that individual obtained the decryption keys is unknown, although both Kaspersky Lab and ESET have confirmed that the decryption keys are genuine. The decryption keys will work for all variants of Dharma ransomware.

The name gektar is not known to security researchers. No other online posts are believed to have been made with that username. The username seems to have been created solely to post the decryption keys. It would appear the individual responsible wants to keep a low profile.

Unfortunately, there are now more than 200 ransomware families, with many different ransomware variants within each of those families. Dharma may be no more, but the ransomware threat is still severe. There are still no decryptors available for the biggest ransomware threats: Locky, Samsa (Samsam) and CryptXXX, which are still being extensively used by cybercriminal gangs to extort money out of businesses.

The best defense that businesses can adopt to ensure ransomware-encrypted files can be recovered for free is to ensure that backups of critical files are made on a daily basis. Those backups should be stored on an air-gapped device and also in the cloud.

Recovery from backups and removing ransomware infections can be a labor-intensive and time-consuming process, so anti-ransomware defenses should also be employed to prevent infection. We recommend using SpamTitan to block ransomware emails from being delivered to end users’ inboxes and WebTitan to prevent drive-by ransomware downloads.

BugDrop Malware Turns on Microphones and Exfiltrates Recordings

by G Hunt | February 22, 2017 | Network Security

BugDrop malware is a new and highly advanced email-borne threat detected in the past few days. While attacks are currently concentrated on companies in Ukraine, BugDrop malware attacks have already started in other countries. Companies in Austria, Russia and Saudi Arabia have also been attacked.

Due to the nature of the attacks, it is clear that the actors behind the new malware have access to significant resources. So far, BugDrop malware is known to have stolen an incredible 600 GB of data from around 70 confirmed targets. At the rate that the malware is stealing data, the storage required will be considerable. This is therefore unlikely to the work of an isolated hacker. A significant cybercriminal group or most likely, a foreign-government backed hacking group, is likely to be responsible for the attacks.

Companies involved in scientific research, critical infrastructure, news media, engineering, and even human rights organizations have been targeted.

The malware will steal documents stored on infected computers and networks to which the computer connects. Passwords are stolen and screenshots are taken. However, rather than simply gain access to intellectual property and other sensitive data, the malware has another method of obtaining information. BugDrop malware, as the name suggests, bugs organizations and records audio data.

The malware turns on the microphone on an infected computer and records conversations, which accounts for the huge volume of data stolen. The stolen files are then encrypted and uploaded to the attackers’ Dropbox account. Files are retrieved from the Dropbox account and are decrypted. The resources required for analyzing such huge volumes of data – including audio data – are considerable, as are the storage requirements.

The CyberX researchers who discovered the malware suggest that Big Data analytics are likely used rather than manually checking the stolen data. Either way, such an operation must be heavily staffed, which points to a state-sponsored group. CyberX says “Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience.”

Since data exfiltration occurs via Dropbox, data exfiltration may not be detected. Many companies allow their employees to access Dropbox and connections to the storage service are often not monitored. Encryption is used, preventing many anti-virus solutions from detecting attacks or sandboxing the malware. The attacks also involve reflective DLL injection – since code is run in the context of other processes, detection is made more difficult.

BugDrop malware is being distributed via spam email using malicious macros in Word documents. If macros are enabled, the malware will be installed when the document is opened. Since many companies now automatically block macros and require them to be enabled on each document, the attackers prompt the user to enable macros by saying the document was created in a newer version of Microsoft Office. To view the contents of the document, macros must be enabled. The Word documents contains a professional image from Microsoft, including branding and Office logos, to make the warning appear genuine.

New Statistics Released on Corporate Email Security Threats

by G Hunt | February 22, 2017 | Network Security

Google has released its latest statistics on the main corporate email security threats, with the search engine giant’s report also delving into the latest email-borne attacks on corporate Gmail account users. The report follows on from a presentation at the RSA Conference, which provided more detail on the biggest corporate email security threats that now have to be blocked.

According to Google’s data, spam is still a major problem for businesses. While the barrage of unsolicited emails is a nuisance that results in many hours of lost productivity, corporate users face a much bigger threat from spam. Malicious messages are a major menace.

Cybercriminals are targeting corporate users to a much higher extent than personal email account holders. The reason is clear. There is more to be gained from infecting corporate computers with malware than personal computers. Businesses are much more likely to pay ransoms if data are encrypted by ransomware. The data stored by businesses has much higher value on the darknet, and plundering business bank accounts nets far higher rewards.

It is therefore no surprise to hear that Google’s stats show that businesses are 6.2 times as likely to receive phishing emails and 4.3 times as likely to be targeted with malware-infected emails. Spam on the other hand is more universal, with business emails accounts 0.4 times as likely to be spammed than personal accounts.

Main Corporate Email Security Threats by Business Sector

Corporate email security threats are not spread evenly. Cybercriminals are conducting highly targeted attacks on specific industry sectors. Google’s data show that nonprofits are most commonly targeted with malware, receiving 2.3 times as many malware-infected emails as business accounts. The education sector is also being extensively targeted. Schools, colleges and universities are 2.1 times as likely to be sent malware-infected emails, followed by government industries, which are 1.3 times as likely to be targeted than businesses.

However, when it comes to email spam and phishing attacks, it is the business sector which is most commonly targeted. Currently, email spam is the biggest problem for businesses in the IT, housing, and entertainment industries, while phishing attacks are much more commonly conducted on IT companies, arts organizations and the financial sector.

Malicious Spam Poses a Major Risk to Corporations

As we have seen on so many occasions in the past two years, email is a major attack vector for businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware, and conduct credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.

Given the massive increase in malware and ransomware variants in the past two years, blocking spam and malicious messages is now more important than ever. Additionally, the cost of mitigating data breaches is rising year on year (According to the Ponemon Institute). Malware and ransomware infections can be extremely costly to resolve, while successful phishing attacks can net cybercriminals huge sums from selling stolen corporate data and making fraudulent bank transfers. Those costs must be absorbed by businesses.

Protecting Your Organization from Email-Borne Threats

Fortunately, it is possible to mitigate corporate email security threats by using an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam messages and boasts a low false positive rate of just 0.03%. A powerful anti-phishing component prevents phishing emails from being delivered to end users, while dual anti-virus engines (Bitdefender/ClamAV) are used to scan all incoming (and outgoing) messages for malicious links and attachments.

If you want to improve your defenses against the latest corporate email security threats, contact the TitanHQ team today. Since SpamTitan is available on a 30-day free trial, you can also see for yourself how effective our product is at protecting your organization from email-borne threats before committing to a purchase.

Los Angeles Valley College Ransomware Attack Highlights Importance of Solid Ransomware Defenses

by G Hunt | January 10, 2017 | Network Security

A Los Angeles Valley College ransomware attack has resulted in file systems being taken out of action for seven days and considerable costs being incurred to resolve the infection.

Attackers succeeded in taking control of one of the college’s servers on December 30, 2016. When staff returned after the Christmas break they discovered the computer system to be out of action and essential files locked with powerful encryption.

The attackers had succeeded in locking a wide range of file types on network drives and computers. Unfortunately, the college was unable to recover the files from a backup. Administrators therefore faced a tough decision. To try to recover from the attack without paying the ransom and risk file loss or to give in to the attacker’s demands and pay for the keys to unlock the encryption.

Los Angeles Valley College Ransomware Attack Nets Criminal Gang $28,000

Due to the extent of the infection and the number of devices affected, the ransom payment was considerable. The attackers set the price at $28,000 for the decryption keys. The ransom demand was high but the college had little in the way of options.

The ransom note that was loaded onto the college’s X-drive said if the ransom was not paid within 7 days, the unique keys to unlock the encryption would be permanently deleted. That would likely have resulted in all of the locked files being permanently lost.

The college enlisted help from cybersecurity experts to determine the likelihood of files being recovered without paying the ransom. However, college administrators were advised to dig deep and pay the attackers for the key. While there is no guarantee that paying the ransom would result in viable keys being supplied, the college’s cybersecurity experts said there was a high probability of data recovery if the ransom was paid and a very low probability of data being recovered if the ransom demand was ignored. The likely cost of resolving the infection without paying the ransom was also estimated to be higher than attempting to remove the infection. The decision was therefore made to pay the attackers in Bitcoin as requested.

The attackers made good on their promise and supplied the keys to unlock the data. Now IT staff must apply those keys and remove the encryption on the server, network drives, and the many infected computers. Fortunately for the college, a cyber insurance policy will pay out and cover the cost of the ransom and resetting systems. However, there will be other costs that need to be covered, which will must be paid by the district.

Recovery from the Los Angeles Valley College ransomware attack will not be a quick and simple process, even though the decryption keys have been supplied by the attackers. The district’s Chief Information Officer Jorge Mata said “There are often a lot of steps where there’s no coming back, and if you pick the wrong path, there’s no return.” The recovery process therefore requires care and precision and cannot be rushed. The process could well take a number of weeks. The main priority is to recover the email system. Other systems and devices will then be methodically restored.

Los Angeles Valley College Ransomware Attack One of Many Such Attacks on Educational Institutions

The Los Angeles Valley College ransomware attack has hit the headlines due to the extent of the infection and high ransom demand, but it is one of many such attacks to have occurred over the past 12 months. Educational institutions have been heavily targeted by attackers due to the value of college and school data. Educational establishments cannot risk data loss and are therefore likely to pay the ransom to regain access to files.

In the past few months, other educational institutions in the United States that have been attacked with ransomware include M.I.T, University of California-Berkeley, and Harvard University as well as many K-12 schools throughout the country. Figures from Malwarebytes suggest that 9% of ransomware attacks targeted educational establishments.

How Can Educational Institutions Protect Against Ransomware Attacks?

There are a number of steps that educational institutions can take to reduce the risk of ransomware attacks and ensure that recovery is possible without having to resort to paying a ransom. The most important step to take is to ensure that all data is backed up regularly, including the email system. Backups should be stored on air-gapped devices, not on network drives. A separate backup should be stored in the cloud.

However, backups can fail and files can be corrupted. It is therefore important that protections are implemented to prevent ransomware from being delivered via the two most common attack vectors: Email and the Internet.

Email is commonly used to deliver ransomware or malicious code that downloads the file-encrypting software. Preventing these malicious emails from being delivered to staff and students’ inboxes is therefore essential. An advanced spam filter such as SpamTitan should therefore be installed. SpamTitan blocks 99.97% of spam emails and 100% of known malware.

To protect against web-borne attacks and prevent exploit kit activity and drive-by downloads, schools and colleges should use a web filter such as WebTitan. WebTitan uses a variety of methods to block access to malicious webpages where malware and ransomware is downloaded. WebTitan can also be configured to prevent malicious third-party adverts from being displayed. These adverts – called malvertising – are commonly used to infect end users by redirecting their browsers to websites containing exploit kits.

For further information on SpamTitan and WebTitan, to find out more about how both anti-ransomware solutions can prevent infection, and to register for a free 30-day trial of both products, contact TitanHQ today.

HIPAA Guidance on Ransomware Issued by HHS

by G Hunt | September 13, 2016 | Network Security

In response to the massive rise in ransomware attacks on healthcare organizations, the Department of Health and Human Services’ Office for Civil Rights has developed new HIPAA guidance on ransomware for covered entities.

The guidance covers best practices that can be adopted to prevent cybercriminals from installing ransomware, along with helpful advice on how to prepare for ransomware attacks and how to respond when critical files are encrypted by malicious software. Importantly, the new HHS guidance on ransomware also confirms how these security breaches are classified under the Health Insurance Portability and Accountability Act. Many healthcare security professionals feel that HIPAA guidance on ransomware has been long overdue due to the uncertainty about maintaining HIPAA compliance following a ransomware attack. .

HIPAA Guidance on Ransomware Clarifies Attacks ARE Reportable Data Breaches

In the new HIPAA guidance on ransomware, OCR has clarified the reporting requirements for ransomware attacks under HIPAA. Over the past few months, as ransomware attacks on healthcare organizations have soared, there has been much confusion over whether these attacks are classed as security incidents under HIPAA Rules.

It has been argued that since ransomware blindly encrypts files and does not usually involve the attackers actually gaining access to data, the incidents should not be reportable to the HHS. Also, it has been argued that there is no need to issue breach notification letters to patients whose data are temporarily encrypted.

The OCR has now confirmed that ransomware attacks are reportable and require a full breach response, including the mailing of breach notification letters to affected patients and health plan members.

A ransomware attack is considered to be a data breach unless the covered entity can demonstrate that there was only a “low probability that PHI has been compromised.” The OCR considers a breach to have occurred if “unauthorized individuals have taken possession or control of the information.”

How HIPAA Covered Entities Must Respond to Ransomware Attacks

Any HIPAA covered entity that experiences a ransomware attack must orchestrate a full breach response and proceed as they would for a malware attack or if a hacker gained access to PHI.

An accurate and thorough risk assessment must be conducted to determine whether there is any risk to the confidentiality, integrity, or availability of electronic protected health information (ePHI). HIPAA requires the infection to be contained and data must be restored to allow normal operations to continue. Security measures must be implemented to mitigate risks and prevent future attacks.

The Office for Civil Rights must be notified of the breach within 60 days of the discovery of the attack if the breach impacts 500 or more patients, or at the end of the year in the case of a smaller breach of patient records. Breach notification letters must also be mailed to patients within 60 days, in accordance with the HIPAA Breach Notification Rule. A breach notice must also be submitted to the media if the breach impacts 500 or more individuals.

Preparing for a Ransomware Attack

The new HIPAA guidance on ransomware explains that organizations must be prepared to deal with ransomware attacks.

Healthcare organizations should implement cybersecurity protection measures to prevent ransomware attacks, such as installing a robust spam filtering solution such as SpamTitan. Spam filters can prevent the majority of malicious emails from being delivered to end users. Staff members should also be trained on the risk of ransomware and advised how to identify phishing emails and malicious websites.

A risk analysis should be conducted to identify potential cybersecurity vulnerabilities that could be exploited by hackers to install ransomware. Any vulnerabilities that could increase the risk of a ransomware attack being successful should be addressed in a timely fashion.

An emergency operation plan must also be developed that can be immediately put in place upon discovery of a ransomware attack. The new HIPAA guidance on ransomware also states that emergency response plans should be regularly tested to ensure that they are effective.

Ransomware Attacks on Healthcare Organizations Soar

This year has seen an extraordinary number of ransomware attacks on healthcare organizations. In February, ransomware was installed on computers at Hollywood Presbyterian Medical Center in California and a ransom demand of $17,000 was issued. Hollywood Presbyterian Medical Center felt the best course of action to minimize damage was to pay the ransom and obtain the decryption keys to unlock data. On receipt of the funds, the attackers made good on their promise and supplied the keys to unlock the encryption.

However, some organizations have discovered that simply paying a ransom demand does not spell the end of the problem. There have been cases – notably Kansas Heart Hospital – where a ransom has been paid, only for a second ransom demand to be issued. Other companies have paid and not been supplied with working keys. Paying a ransom is no guarantee that data can be decrypted.

The FBI advises against paying ransom demands. Not only is there no guarantee that the attackers will supply working keys, but payment of ransoms only encourages the attackers to continue with their ransomware campaigns. Only by preparing for ransomware attacks can organizations ensure that in the event of ransomware being installed, they will be able to recover their files quickly without giving in to attackers’ demands.

The Ransomware Threat Should Not Be Ignored

The threat to healthcare organizations is severe. Research conducted by anti-phishing company PhishMe showed that in Q1, 2016, 93% of phishing emails contained ransomware. Figures from Symantec Security Response show that on average, 4,000 ransomware attacks have occurred every day since January 1, 2016. A report from security firm Solutionary, shows that in 2016, 88% of ransomware detections were by healthcare organizations.

So far this year, in addition to the attack on Hollywood Presbyterian Medical Center, ransomware attacks have been reported by MedStar Health and DeKalb Health, while Prime Healthcare reported that three of its hospitals – Desert Valley Hospital, Chino Valley Medical Center and Alvarado Hospital Medical Center – were attacked with ransomware. Methodist Hospital in Kentucky, Massachusetts General Hospital, and Yuba Sutter Medical Clinic in California have also reported ransomware attacks this year, to name but a few.

It may not be possible to prevent ransomware attacks, but if healthcare organizations invest in better security protections, the majority of attacks can be prevented. Provided that adequate preparations are made for ransomware attacks, in the event that the malicious software is installed, damage can be limited.

The HIPAA guidance on ransomware can be downloaded from the HHS website.