Network Security

Our network security news section contains a range of articles relating to securing networks and blocking cyberattacks, ransomware and malware downloads. This section also features articles on recent network security breaches, alerting organizations to the latest attack trends being used by cybercriminals.

Layered cybersecurity defenses are essential given the increase in hacking incidents and the explosion in ransomware and malware variants over the past two years. Organizations can tackle the threat by investing in new security defenses such as next generation firewalls, end point protection systems, web filtering solutions and advanced anti-malware and antivirus defenses.

While much investment goes on tried and tested solutions that have been highly effective in the past, many cybersecurity solutions – antivirus software – are not as effective as they once were. In order to maintain pace with hackers and cybercriminals and get ahead of the curve, organizations should consider implementing a wide range of new cybersecurity solutions to block network intrusions, prevent data breaches and improve protection against the latest malware and ransomware threats.

This category contains information and advice on alternative network security solutions that can be adopted to improve network security and ensure networks are not infiltrated by hackers and infected with malicious software.

Recommended Mitigations Against Black Basta Ransomware Attacks

The Black Basta ransomware-as-a-service (RaaS) group has been aggressively targeting critical infrastructure entities in North America, Europe, and Australia, and attacks have been stepped up, with the group’s affiliates now known to have attacked at least 500 organizations worldwide. In the United States, the group has attacked 12 of the 16 government-designated critical infrastructure sectors, and attacks on healthcare providers have increased in recent months.

Black Basta is thought to be one of multiple splinter groups that were formed when the Conti ransomware group shut down operations in June 2022. The group breaches networks, moves laterally, and exfiltrates sensitive data before encrypting files. A ransom note is dropped and victims are required to make contact with the group to find out how much they need to pay to a) prevent the publication of the stolen data on the group’s leak site and b) obtain the decryption keys to recover their encrypted data.

The group uses multiple methods for initial access to victims’ networks; however, the primary method used by affiliates is spear phishing. The group has also been observed exploiting known, unpatched vulnerabilities in software and operating systems. For instance, in February 2024, the group started exploiting a vulnerability in ConnectWise (CVE-2024-1709). The group has also been observed abusing valid credentials and using Qakbot malware. Qakbot malware is commonly distributed in phishing emails.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a cybersecurity alert about Black Basta in response to the increase in attacks. The alert shares indicators of compromise and the tactics, techniques, and procedures used by the group in recent attacks. All critical infrastructure organizations have been advised to implement a range of mitigations to make it harder for Black Basta ransomware affiliates to access internal networks and move laterally. The recommended mitigations will also strengthen defenses against other ransomware groups and should be considered by all businesses and organizations.

Phishing and spear phishing are common access vectors for ransomware groups and the initial access brokers many of the groups work with, including the operators of Qakbot malware. Strengthening phishing defenses should therefore be a priority. TitanHQ offers three products that help improve phishing defenses: SpamTitan Email Security, PhishTitan, and the SafeTitan security awareness training and phishing simulation platform.

SpamTitan is a comprehensive email security and spam filtering service that blocks the full range of threats including spam, phishing, malware, viruses, and other malicious emails. Independent tests have confirmed the solution has a 99.99% spam catch rate, Bayesian autolearning and heuristics defend against advanced email threats, recipient verification using SPF, DKIM, and DMARC, antivirus protection is provided using two leading anti-virus engines, and the solution incorporates sandboxing for deep analysis of suspicious files. The sandbox is capable of detecting threats from their behavior rather than email signatures and is capable of identifying and blocking zero-day malware threats. The solution is regularly rated the best spam filter for business by independent software review sites and is one of the most popular spam filters for MSPs.

PhishTitan is a powerful anti-phishing solution for businesses that use Microsoft 365 that protects against the advanced attacks that Microsoft’s EOP and Defender miss. The solution includes auto-remediation features to help businesses rapidly respond when they are targeted by cybercriminal groups, and integrates seamlessly with Microsoft 365, augmenting Microsoft’s protections to ensure that more phishing threats are identified and blocked. PhishTitan adds banner notifications to emails from external email accounts and warnings about unsafe content, rewrites URLs to show the true destination, provides time-of-click protection against malicious URLs, provides threat data and analytics to help users assess their risk profile, and subjects all emails to AI and LLM analysis, detecting phishing threats with a high degree of accuracy and blocking threats that Microsoft misses. The solution also uses real-time analysis and threat assessments to neutralize business email compromise and spear phishing attacks before they begin.

It is important to train the workforce on how to recognize and report phishing attempts. SafeTitan is a comprehensive security awareness training platform that provides training in bite-sized chunks. The training modules are no longer than 10 minutes and are easy to fit into busy workflows. By providing regular training each month, businesses can develop a security culture and significantly improve resilience to phishing and spear phishing attacks, especially when combined with phishing simulations. The phishing simulator includes templates from real-world ransomware campaigns, and they are regularly updated based on the latest threat intelligence.

As an additional protection, multi-factor authentication should be implemented on all accounts, and phishing-resistant MFA is the gold standard. Since vulnerabilities are often exploited, it is important to ensure that software, firmware, and operating systems are kept up to date with patches applied promptly. Ransomware groups such as Black Basta are quick to exploit known vulnerabilities in their attacks. Remote access software should be secured and disabled if it isn’t used, networks should be segmented to hamper lateral movement, and backups should be regularly made of all critical data, with copies stored securely offsite on air-gapped devices. Further recommended mitigations can be found in CISA’s StopRansomware Guide.

U.S. Government and Education Sectors Targeted in Multi-Malware Phishing Campaign

The U.S. government and education sectors are being targeted by cybercriminals looking to steal sensitive data. These sectors hold large volumes of sensitive data that are easily monetized, victims can be extorted, and access to compromised networks can be sold to other cybercriminal groups such as ransomware gangs. These attacks can result in significant data breaches, major financial losses, and reputational damage that is hard to repair.

The campaign uses a combination of two malware variants and vulnerability exploitation, and the attack starts with phishing emails with malicious attachments. The campaign was identified by researchers at Veriti and delivers the notorious Agent Tesla remote access trojan (RAT) and an information-stealing malware called Taskun. Agent Tesla provides attackers with remote access to networks and is often used by initial access brokers for compromising networks, with the access sold on to other cybercriminal groups. Agent Tesla can be used to download additional payloads and has comprehensive information-stealing capabilities. The malware can log keystrokes, take screenshots, and steal credentials from browsers, wireless profiles, and FTP clients.

Taskun malware is spyware that also has information-stealing capabilities. In this campaign, the malware is used to compromise systems and make it easier for Agent Tesla to be installed, establish persistence, and operate undetected for long periods. The campaign involves emails with malicious attachments, with social engineering techniques used to trick employees into running malicious code that exploits unpatched vulnerabilities in operating systems and Office applications. The campaign involves a reconnaissance phase to identify the vulnerabilities that can be exploited to maximize the chance of a highly impactful compromise. The vulnerabilities exploited in this campaign include several Microsoft Office remote code execution vulnerabilities dating from 2010 to 2018 and takes advantage of businesses with poor patch management practices, incomplete inventories of connected devices, and devices running outdated software due to issues upgrading.

Defending against email-based attacks involving multiple malware variants and vulnerability exploitation requires a multi-layered approach to security, with cybersecurity measures implemented that provide overlapping layers of protection. The first line of defense should be advanced spam filtering software to block inbound spam and phishing emails. SpamTitan from TitanHQ is an AI-driven cloud-based email filtering service that is capable of identifying and blocking spam and phishing emails and has advanced malware detection capabilities. In addition to dual antivirus engines, the SpamTitan hosted spam filter includes email sandboxing for behavioral detection of malware threats. In independent tests, SpamTitan was shown to block 99.983% of spam emails, 99.914% of phishing emails, and 99.511% of malware.

It is important to ensure that employees are made aware of the threats they are likely to encounter. Security awareness training should be provided to teach cybersecurity best practices, eradicate risky practices, and train employees to be vigilant and constantly on the lookout for signs of phishing and malware. The SafeTitan security awareness training platform makes it easy to develop and automate comprehensive training and keep employees up to date on the latest tactics used by threat actors. SafeTitan, in combination with TitanHQ’s cloud-based anti-spam service, will help to ensure that phishing and malware threats are identified and blocked.

Cybersecurity best practices should also be followed, such as implementing multi-factor authentication on accounts, ensuring patches are applied promptly, keeping software up to date, installing endpoint antivirus solutions, and network segmentation to reduce the impact of a successful attack. It is also important to ensure there is a comprehensive inventory of all devices connected to the network and conduct vulnerability scans to ensure weaknesses are detected to allow proactive steps to be taken to improve security.

Phishing Attempts Increase 40% in a Year

Cybercriminals use a variety of methods for initial access to victims’ networks and tactics are constantly changing. Ransomware groups are increasingly targeting boundary devices such as routers, firewalls, and the virtual private networks that sit between the Internet and business networks, with the first quarter of this year seeing a decline in attacks exploiting vulnerabilities for initial access. According to the ransomware remediation firm Coveware, remote access is now favored by ransomware groups. In Q1, 2024, Remote Desktop Protocol (RDP) compromise was the most commonly identified initial attack vector.

Phishing is still commonly used for initial access, although there has been a fall in phishing-based attacks by ransomware groups; however, it is common for ransomware groups to chain email phishing with RDP compromise and the exploitation of software vulnerabilities for more impactful attacks. What is clear from the data is threat actors are conducting more sophisticated attacks and are taking steps to cover their tracks. Coveware reports that the initial access vector was unknown in around 45% of attacks.

While ransomware groups may be concentrating on non-email attack vectors, phishing attempts by cybercriminals have increased significantly over the past year. A new analysis by researchers at the antivirus company Kaspersky found that phishing attempts increased by 40% in 2023, with threat actors increasingly using messaging apps such as Telegram in their attacks as well as social media networks.

Phishing is also becoming more sophisticated and increasingly personalized. There is growing evidence that threat actors are using generative artificial intelligence engines to craft new lures to use in their campaigns, especially spear phishing attacks. The near-perfect messages that GenAI creates can make it difficult for end users to distinguish phishing emails from genuine communications.

The problem for many businesses is threat actors are constantly evolving their tactics and are conducting increasingly sophisticated campaigns, yet email security defenses are not maintaining pace. Many Microsoft 365 users find that while Microsoft Defender and EOP block a good percentage of spam emails and many phishing threats, more sophisticated threats are not detected. Having a cybersecurity solution such as PhishTitan augments Microsoft 365 defenses and ensures sophisticated threats are blocked. For every 80,000 emails received, PhishTitan catches 20 unique and sophisticated phishing attacks that Microsoft’s expensive E5 premium security misses.

PhishTitan helps with post-delivery remediation, allowing security teams to rapidly remove phishing threats from the email system when a threat is reported, adds a banner to emails warning users about suspicious messages, and rewrites URLs to show the true destination to combat spoofing. The solution also includes time-of-click protection to combat phishing links that are weaponized after delivery, and AI- & LLM-driven anti-phishing analysis to identify previously unseen phishing threats.

The use of malware in email campaigns is also increasing. In 2023, 6.06 billion malware attacks were identified worldwide, up 10% from the previous year, with loaders, information stealers, and remote access trojans (RATs) the most common malware threats. While signature-based detection mechanisms once served businesses well, the rate at which new malware variants are released means many threats are not detected as malware signatures have yet to be uploaded to antivirus defenses. The key to blocking these zero-day threats is email sandboxing.

An email sandbox is an isolated environment where messages that meet certain criteria are sent after scans by antivirus engines have shown the messages to be free from malware. In the sandbox, messages are subjected to deep inspection to identify malware from its behavior rather than signature. Many malware variants have been developed to resist analysis or pass sandbox checks, such as delaying malicious actions for a set period. A slight disadvantage of email sandboxing is a small delay in email delivery, but it is important to ensure that messages are analyzed in detail and anti-sandboxing capabilities are defeated. There are, however, ways to get sandbox protection while minimizing the impact on the business.

Whether you are looking for a gateway spam filter or a hosted spam filter to improve protection against email threats or advanced phishing protection, TitanHQ can help. Give the team a call today for detailed information on TitanHQ products and advice on the most effective solutions to meet the needs of your business. You can take advantage of the free trials of TitanHQ products, which are provided with full support to help you get the most out of the trial.

TitanHQ’s Anti-Phishing Solution Now Has Auto-Remediation Feature

TitanHQ has added a new auto-remediation feature to its Microsoft 365 anti-phishing solution, PhishTitan, to better meet the needs of managed service providers (MSP) and M365 administrators.

According to Statista, more than two million companies worldwide use Microsoft 365, including more than 1.3 million in the United States. Given the number of companies that use Microsoft 365, it is naturally a big target for cybercriminals and nation-state actors. If threat actors can steal M365 credentials, they can access a treasure trove of valuable business data and gain a foothold for more extensive and damaging attacks. Microsoft offers protection against spam, phishing, malware, and business email compromise attacks, but the best level of protection is only available with its costly E5 premium license, which is prohibitively expensive for many small businesses. Even companies that can afford this costly license do not get cutting-edge protection against phishing and BEC attacks.

To consistently block sophisticated phishing attempts, BEC attacks, and zero-day threats, businesses need more advanced protection than Microsoft can offer, and many turn to PhishTitan from TitanHQ – an integrated Cloud Email Security Solution (ICES) that provides cutting-edge protection against the most damaging, sophisticated phishing threats, BEC, account takeover, VIP impersonation, and zero-day attacks. In recent Virus Bulletin Tests, the engine that powers PhishTitan achieved an exceptional spam catch rate of 99.983%, a malware catch rate of 99.511%, and a phishing catch rate of 99.914%, with zero false positives. PhishTitan was shown to outperform Microsoft’s highest level of protection. For every 80,000 emails received, PhishTitan blocks 20 more unique and sophisticated attacks than Microsoft’s E5 filtering option.

The latest update to PhishTitan adds a new auto-remediation feature, which allows administrators to tailor the management of malicious emails based on the severity level. When a threat is detected, a banner is added to the email that warns the user about the threat; however, auto-remediation allows administrators to apply rules to deal with these messages according to the threat level, such as automatically diverting the emails to the junk folder. This feature acts like a virtual SOC and minimizes the risk to end users, especially individuals who tend to ignore email banners.

Auto-remediation is just one of the new features PhishTitan has gained since its launch. PhishTitan has also received an update to protect users from the growing threat of QR code phishing attacks (QRishing). QR codes are problematic for many anti-spam and anti-phishing solutions, as they cannot decipher the URLs in QR codes and check the destination URL, which is why cybercriminals are increasingly using QR codes in their phishing emails. PhishTitan can analyze the URLs encoded in QR codes, assess the risk, and notify end users.

PhishTitan also supports allow-listing, which administrators can use to automatically white-list trusted senders to make sure that their emails are always delivered, and notifications can also be fed into Microsoft Teams. Since administrators can spend a considerable amount of time in the application, a dark mode has been added to improve the user experience, and many more updates are planned and will be rolled out soon.

“We are excited to introduce Auto Remediation, QR code protection, and many additional powerful new features to our valued customers. At TitanHQ, we collaborate closely with partners to develop tailored solutions addressing critical customer IT security challenges,” said TitanHQ CEO, Ronan Kavanagh. “PhishTitan provides MSPs with an unmatched value proposition, featuring effortless deployment and lucrative recurring revenue streams, ultimately delivering a positive return on investment.”

If you want to improve protection against email threats or have any questions about PhishTitan, give the TitanHQ team a call. TitanHQ also offers award-winning DNS filtering, spam filtering, email encryption, email archiving, security awareness training, and phishing simulation solutions, all of which are available on a free trial.

Warning About Phobos Ransomware

Phobos ransomware may not be the most prolific ransomware group, but the group poses a significant threat, especially to municipal and county governments, emergency services, education, and healthcare organizations. The group issues ransom demands for millions of dollars and the group’s attacks have caused hundreds of millions of dollars in losses. Phobos is a ransomware-as-a-service operation where the infrastructure to conduct attacks and encrypt files is provided to affiliates – individuals who specialize in breaching company networks – in exchange for a percentage of any ransom payments they can generate. The affiliates benefit from being able to concentrate on what they do best, and the ransomware group makes up for the loss of a percentage of the ransom by conducting many more attacks than would be possible on their own.

The group engages in double extortion tactics involving data theft and file encryption. Threats are issued to publicly leak stolen data on the group’s data leak site and payment is required for the keys to decrypt data and prevent data exposure. Several ransomware variants are connected to Phobos based on the tactics, techniques, and procedures (TTPs) used in attacks, including Elking, Eight, Devos, Faust, and Backmydata ransomware. The latter variant was recently used in an attack in Romania that affected around 100 hospitals.

Affiliates use several methods to gain initial access to victims’ networks, with phishing one of the most common. The phishing attacks conducted by the group usually involve spoofed email attachments with hidden payloads, with one of the favored payloads being the Smokeloader backdoor trojan. Smokeloader gives the group initial access to victims’ networks, from where they use a variety of methods and legitimate networking tools for lateral movement, credential theft, privilege escalation, and data exfiltration. These include 1saas.exe or cmd.exe for privilege escalation, Windows shell functions for control of systems, and built-in Windows API functions to bypass access control and steal authentication tokens. Open source tools such as Bloodhound and Sharphound are used to enumerate the Active Directory, Mimikatz for obtaining credentials, and WinSCP and for file exfiltration. Other methods used for initial access include the use of legitimate scanning tools such as Angry IP Scanner to search for vulnerable RDP ports, and then open source brute-forcing tools are used to guess weak passwords.

To improve defenses against Phobos ransomware attacks, businesses should follow the guidance in the recently published security alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC), which includes latest Indicators of Compromise (IoCs) and TTPs observed in recent attacks. The guidance can be found in the #StopRansomware section of the CISA website.

Mitigations are concerned with improving defenses against the initial access vectors – phishing and remote access software. An email security solution is required to block phishing emails, consider disabling hyperlinks in emails, and adding banners to emails from external sources. An email security solution should be used that has both signature and behavioral threat detection capabilities to identify malicious files. End user training should be provided to improve resilience to phishing attempts, web filtering to block malicious file downloads, phishing-resistant multi-factor authentication to prevent the use of compromised credentials from granting access, strong password policies to improve resilience to brute force attacks, and strict controls on RDP and other remote desktop services. Robust backup processes are required, including maintaining offline backups of data, and an incident response policy for ransomware attacks should be developed and tested to ensure the fastest possible recovery in the event of an attack.

LockBit Ransomware Rebounds After Law Enforcement Takedown

A coordinated law enforcement operation – Operation Cronos – headed by the UK National Crime Agency (NCA) and coordinated by Europol seized the infrastructure of the notorious LockBit ransomware group earlier this month. 34 servers were seized in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, along with 200 cryptocurrency wallets, and the keys to decrypt the data of some of the group’s victims. Two LockBit actors were also arrested in Poland and Ukraine, and three arrest warrants and five indictments were issued by judicial authorities in France and the United States. The decryption keys allowed an automated decryptor to be developed, which was added to the No More Ransom website.

The group’s affiliate portal was seized along with its data leak sites and messages were uploaded for affiliates warning them that names and locations were known and they could receive a visit from law enforcement very soon. The NCA threatened to release the name of the group’s figurehead, LockBitSupp, and even added a countdown timer to the data leak site, as LockBit would do when adding victims to the leak site. However, the NCA did not disclose the details and instead added a statement confirming LockBitSupp’s real name, location, and financial worth were known. The NCA also added that LockBitSupp has engaged with law enforcement.

LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks using LockBit ransomware. As payment for those attacks, affiliates receive a percentage of any ransoms they generate. LockBit engaged in double extortion tactics, where sensitive data was stolen in addition to file encryption. Payments are required to prevent the release of the stolen data on the group’s data leak site and to obtain the keys to decrypt data. LockBit then moved to triple extortion, where in addition to data theft and file encryption, Distributed Denial-of-Service (DDoS) attacks are conducted on victims to pile on the pressure and get them to pay the ransom.

LockBit has been in operation since September 2019 and rapidly became a major player in the RaaS market. At the time of the takedown, LockBit was behind 25% of all ransomware attacks and had around 180 affiliates conducting attacks. The next biggest player is Blackcat with an 8.5% market share. The LockBit group has extorted more than $120 million from organizations around the world and its attacks have caused billions of dollars of damage.

The law enforcement operation was significant and a major embarrassment for the group, potentially causing significant damage to the group’s reputation. However, it did not take long for LockBit to respond. A few days after the announcement about the law enforcement action, LockBit created a new data leak site and populated it with the names of 12 recent victims. A note was also added explaining that the FBI most likely exploited an unpatched PHP bug, which hadn’t been addressed out of laziness, which allowed access to be gained to its servers. LockBit claimed the takedown was conducted when it was because data was going to be released from an attack on Fulton County in Georgia, where one of Donald Trump’s lawsuits is being heard, and the release of that data could affect the upcoming Presidential Election.

Typically after a successful law enforcement operation, ransomware gangs rebrand but LockBit appears to be defiant and looks set to continue under the same name. LockBitSupp claimed that the attacks could not stop as long as he was alive, and the group would be updating its infrastructure to make it harder for any future law enforcement operations to succeed. A little more than a week after the law enforcement announcement, the LockBit group appears to be conducting attacks again using new infrastructure, a new data leak site, a new negotiation site, and a new encryptor. It is unclear how many affiliates have been retained but the group has announced that it is recruiting again and is looking for new pen testers, indicating some have decided to leave the operation. What is clear is the group is back and remains a significant threat.

State Sponsored Hackers and Cybercriminal Groups Are Using AI to Improve Their Campaigns

There is growing evidence that cybercriminal groups are leveraging artificial intelligence in their cyberattacks, specifically large language models (LLMs) such as ChatGPT, despite the restrictions OpenAI has put in place. There are also LLMs that are being marketed directly to cybercriminals such as WormGPT. WormGPT is a blackhat AI tool that has been specifically developed for malicious uses and can perform similar tasks to ChatGPT but without any ethical restrictions on uses. The tool can be used for generating convincing phishing and business email compromise emails in perfect English, free from the spelling mistakes and grammatical errors that are often found in these emails.

It is not only cybercriminal groups that are using these AI tools. Nation state hacking groups are exploring how these tools can help them gain initial access to targeted networks. Recently published research from Microsoft and OpenAI confirmed that threat actors from Russia, China, Iran, and North Korea and using AI tools to support their malicious activities. Microsoft and OpenAI found the most common uses of LLMs by nation state actors were for translation, finding coding errors, running basic coding tasks, and querying open-source information. While it does not appear that they are using LLMs to generate new methods of attack or write new malware variants, these tools are being used to improve and accelerate many aspects of their campaigns.

The threat actor tracked by Microsoft as Crimson Sandstorm, which is affiliated with the Islamic Revolutionary Guard Corps (IRGC), a multi-service primary branch of the Iranian Armed Forces, has been using LLMs to improve its phishing campaigns to gain initial access to victims’ networks. Microsoft and OpenAI also report that the hacking group has been using LLMs to enhance its scripting techniques to help them evade detection. The North Korean APT group, Emerald Sleet, is well known for conducting spear phishing and social engineering campaigns and is using LLMs to assist with researching think tanks and key individuals that can be impersonated in its spear phishing campaigns. Threat groups linked to the People’s Republic of China such as Charcoal Typhoon and Salmon Typhoon have been using LLMs to obtain information on high-profile individuals, regional geopolitics, US influence, and internal affairs and for generating content to socially engineer targets. OpenAI says it has terminated the accounts of five malicious state actors and has worked with Microsoft to disrupt their activities, and OpenAI and Microsoft have been sharing data with other AI service providers to allow them to take action to prevent malicious uses of their tools.

It should come as no surprise that cybercriminals and nation state actors are using AI to improve productivity and the effectiveness of their campaigns and are probing the capabilities of AI-based tools, and while this is a cause of concern, there are steps that businesses can take to avoid falling victim to AI-assisted attacks. The best way to combat AI-assisted attacks is to leverage AI for defensive purposes. SpamTitan has AI and machine learning capabilities that can detect zero day and AI-assisted phishing, spear phishing, and business email compromise attacks and better defend against AI-0assisted email campaigns.

With fewer spelling mistakes and grammatical errors in phishing emails, businesses need to ensure they provide their workforce with comprehensive training to help employees recognize email and web-based attacks. The SafeTitan security awareness training and phishing simulation platform is an ideal choice for conducting training and phishing simulations and improves resilience to a range of security threats. TitanHQ’s data shows susceptibility to phishing attacks can be reduced by up to 80% through SafeTitan training and phishing simulations. Businesses should also ensure that all accounts are protected with multi-factor authentication, given the quality of the phishing content that can be generated by AI tools, and ensure that cybersecurity best practices are followed, and cybersecurity frameworks are adopted. The most important advice that we can give is to take action now and proactively improve your defenses, as malicious uses of AI are only likely to increase.

Should Businesses Pay a Ransom After a Ransomware Attack?

If disaster strikes and you discover your network has been encrypted with ransomware and sensitive data has been stolen, you are faced with two choices. Pay the ransom and hope that the attackers are true to their word and will delete the stolen data and provide the decryption keys to allow you to recover your data or attempt to recover from the attack on your own.

There will be several factors that will influence that decision. One of the first questions that must be answered is whether a viable backup exists of your encrypted data, and ideally, one that allows you to recover individual files rather than restoring systems to the date of the most recent backup. Backups are often created but are not tested, and it is only when they are needed that an organization discovers that the backups cannot be used to restore data. Restoring data from backups may result in significant data loss.

If files can be recovered, then it may not be necessary to pay the ransom; however, this is why many ransomware gangs steal data in addition to encrypting files. The exposure of data – publication on a data leak site – or the sale of that data is often far more damaging to a company than the losses due to file encryption. Data leaks can cause significant reputational damage and put organizations at risk of costly lawsuits and regulatory penalties. Determining what data has been stolen is critical to the decision about whether or not to pay the ransom.

For many companies, especially critical infrastructure entities, the ransom demand is far lower than the cost of downtime during the incident response and recovery phase. Backups may allow files to be recovered but that does not mean a quick recovery and extended downtime can be hugely expensive. Paying the ransom may be the most cost-effective option as recovery will often be far quicker.

Companies with cyber insurance policies may be able to claim the ransom payment; however, many insurers now exclude ransomware attacks so it is important to determine, as far as possible, whether the insurance company will pay out and how much will be paid. Some insurers have restrictions in their policies and paying the ransom may invalidate the insurance policy. Cyber insurance is expensive and if a claim against a policy is successful, it is likely that future premiums will increase.

The threat actor that conducted the attack may be on a sanction list, which means that payment may not be permitted. In the United States, the Office of Foreign Asset Control (OFAC) has sanctioned several individuals who have conducted ransomware attacks, and OFAC prohibits payments to sanctioned individuals. If a company makes a ransom payment to a sanctioned individual it is a serious criminal offence, punishable with a severe financial penalty and custodial sentences.

Law enforcement agencies generally advise against paying a ransom for several reasons. If ransoms are paid it encourages ransomware gangs to conduct more attacks and gives them the funds they need to continue and expand their malicious activities. There is also no guarantee that the ransomware group will provide the decryption keys, which means payment may be made and data will remain encrypted. Around 90% of all companies that pay a ransom following a ransomware attack are unable to recover all of their data, and less than a third are able to recover half of their data. Data is often corrupted and decryption keys often do not work.

Paying a ransom to prevent the publication of stolen data may result in your company being removed from a publicly accessible data leak site but it does not mean that the data will be deleted. It may still be sold or misused. There is also a risk that after paying the ransom, another ransom demand will be issued. Any company that is willing to make a payment could face further extortion attempts and multiple ransomware attacks. A study by Cybereason found that 78% of companies that paid a ransom went on to suffer a second attack, with 36% of those attacked by the same threat actor and 42% attacked by a different threat actor.

The decision about whether to pay a ransom is not straightforward, and all factors must be carefully evaluated, but paying a ransom is a gamble and it is one that may not pay off. It should therefore only be considered as the last resort when all other options have been explored and ruled out.

The best approach as far as ransomware is concerned is to take proactive steps and prepare for an attack. You must ensure that you have robust data backup systems in place, with backups stored securely where they cannot be encrypted. Those backups must be tested to make sure file recovery is possible in the event of an attack to keep all options on the table.

Given the number of attacks that are now being conducted, it is important to make sure you have robust defenses in place to protect against all initial access vectors, and that is an area where TitanHQ can help. TitanHQ has a suite of cybersecurity solutions that can improve your security posture and help you recover from an attack should disaster strike. Give the team a call today for advice on how you can improve your defenses against ransomware attacks.

Malicious File Deliveries Increased in 2023

The cyber threat landscape is constantly changing, with cybercriminals and nation-state actors developing new tactics, techniques, and procedures for use in attacks on businesses to steal intellectual property and sensitive customer data, and for extortion. Threat actors gain access to internal networks by exploiting human weaknesses through social engineering and phishing, exploiting vulnerabilities such as unpatched and misconfigured software, and using malware for remote access.

The latter has seen an increase in 2023, with Kaspersky reporting in its end-of-the-year statistics report that malicious file detections have increased by 3% from 2022, with an average of 411,000 malicious files detected each day. The biggest increase was malicious desktop files such as Word documents, Excel spreadsheets, and PDF files, which are used for distributing malware. More than 125 million malicious desktop files were detected in 2023, with documents such as Word files and PDF files seeing the biggest increase, up 53% from 2022.

The company attributed the large increase to the number of email phishing attacks using malicious PDF files. PDF files have become more popular due to the steps Microsoft has taken to block email attacks using Office documents and spreadsheets. In the summer of 2022, Microsoft started blocking Visual Basic Applications (VBA) macros in Office apps by default to stop malicious actors from using them to deliver malware. Macros are now blocked by default in all Office documents that are delivered via the Internet. Threat actors responded by switching to other file formats for delivering malware such as LNK, ISO, RAR, ZIP, and PDF files, with the latter commonly used to hide links to malicious websites from email security solutions. These links direct users to malicious websites where drive-by malware downloads occur and also to phishing sites that steal credentials. The most common malware types in 2023 were Trojans such as Magniber, WannaCry, and Stop/Djvu, with a notable increase in backdoors, which provide threat actors with remote access to victims’ devices and allow them to steal, alter, and delete sensitive data and download other malware variants such as ransomware.

These email-based attacks usually require some user interaction to succeed, such as opening a malicious file or clicking a link. Threat actors are adept at social engineering and trick users into taking the action they need but the availability of artificial intelligence tools has made social engineering even easier. AI has significantly lowered the entry barrier into cybercrime and can be used by anyone to create convincing phishing lures and social engineering tricks. Artificial intelligence tools are also being leveraged to develop new malware variants faster than before, which allows threat actors to defeat signature-based antivirus and antimalware solutions.

With cyberattacks increasing in both number and sophistication, businesses need to ensure they have appropriate defenses in place. To defend against attacks, businesses need to take a defense-in-depth approach to security and implement multiple overlapping layers of protection. Should one single component fail to detect a threat, others will be in place to provide protection. Endpoint detection solutions such as antivirus software are essential. These solutions work after malware has been delivered and can detect and neutralize the threat; however, multiple layers of security should be in place to make sure threats are not delivered, especially due to the increase in zero-day malware threats – novel malware variants that have yet to have their signatures added to the malware definition lists used by these solutions.

TitanHQ offers three layers of protection through SpamTitan Email Security, Web Titan Web Filtering, and SafeTitan Security Awareness Training. SpamTitan is an advanced email security solution that protects against all email threats, including known and zero-day threats. SpamTitan offers protection against malicious links in emails, and features dual antivirus engines and email sandboxing to protect against malware threats, with the latter used to detect previously unseen malware variants. SpamTitan also uses artificial intelligence and machine learning to predict new attacks.

WebTitan is a leading DNS filtering solution that allows businesses to carefully control the web content that can be accessed via wired and wireless networks. The solution blocks access to known malicious websites, and high-risk websites, and can be configured to block the file types that are commonly used for malware delivery, such as executable files. SafeTitan is a comprehensive security awareness training and phishing simulation platform for teaching employees security best practices and improving resilience to the full range of cybersecurity threats. The platform provides training in real-time in response to poor security behaviors, with training sessions triggered immediately when bad behaviors are detected. This ensures that training is delivered when it is likely to have the biggest impact.

To improve protection against the full range of cyber threats, give the TitanHQ team a call today. You can discuss your needs and explain the current security solutions you have, and the TitanHQ team will be more than happy to talk about the TitanHQ solutions that can plug the security gaps. All solutions are competitively priced and are available on a free trial to allow you to test them thoroughly before making a purchase decision.

What is Malware Sandboxing for Email?

Malware sandboxing for email is now vital for email security. Suspicious files that pass AV checks are sent to the sandbox where they are safely detonated and subjected to behavioral analysis.

Email-based Cyberattacks are Increasing

Email is one of the most common initial access vectors used by cybercriminals. Initial access to victims’ networks is gained via two main methods: email attachments and embedded URLs. The first attack type involves emails with attachments that contain malicious code, such as macros. If the files are opened and the code is allowed to execute, it will trigger the download and execution of malware from a remote server, or in some cases, malware will be executed in the memory (fileless malware).

The other method, which is now more common since Microsoft started blocking macros in Office documents by default if they are received via the Internet, is for phishing emails to be sent that contain malicious URLs. These URLs may be added to the message body or be hidden inside documents. These URLs point to an Internet site that hosts malware which is silently downloaded when the link is visited or the user is tricked into installing the malware.

Businesses need to ensure they have adequate defenses to block email-based attacks. The first line of defense is an email security solution that will scan the message headers, message body, and attachments and perform reputation checks on the sender. Email security solutions use blacklists of malicious domains and IP addresses and will block messages from these domains and IPs if they have previously been used for phishing, scams, or malware distribution. Checks will be performed on URLs and the messages are searched for the signatures of spam and phishing content – words and phrases commonly used by threat actors. If these checks are failed, the messages will be quarantined.

To block malware, email security solutions scan email attachments using anti-virus engines, which search for the signatures of malware – specific parts of the malware code that have been identified in previous malware analyses. The anti-virus software is regularly updated, and new signatures are added when new malware variants are identified. While these scans will block all known malware if the signature for malware is not in the definition list, the file will not be classed as malicious, and the message will be delivered to the end user. Unfortunately, new malware variants are being released faster than ever before to get around signature-based detection. To block unknown malware another method is required – malware sandboxing for email.

Malware Sandboxing for Email

Advanced email security solutions include malware sandboxing for email. If an email attachment passes the standard checks and anti-virus scans, it is sent to a sandbox where the behavior of the file is analyzed. A sandbox is an isolated, secure environment where files can be opened and analyzed without risk. Any checks of the environment that are performed by malware when it is executed are often passed as the sandbox is created to look exactly like a real endpoint. Any actions performed by files when they are opened are analyzed in detail and if any checks fail, the file and email will be quarantined and all other copies of that email will be removed from the email system. These checks may take a few minutes to perform, so there will be a slight delay in delivering genuine emails.

SpamTitan, TitanHQ’s award-winning email security solution, includes a powerful next-gen sandbox that is powered by Bitdefender. The malware sandboxing service uses powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, which provide advanced threat protection and zero-day exploit detection. To avoid unnecessary email delivery delays, SpamTitan has strong machine learning, static analysis, and behavior detection technologies which ensure that only files that require further analysis get sent to the sandbox. If all sandbox checks are passed, the message will be delivered. If one or more checks are failed, the message will be quarantined, and the results passed to Bitdefender’s Global Protective Network. If that threat is encountered again, it will be recognized and will be quarantined immediately and will not need to get sent to the sandbox to be detonated again.

With SpamTitan malware sandboxing for email, businesses will be well protected against zero-day malware threats that would otherwise be delivered to inboxes. For more information give the TitanHQ team a call. SpamTitan with malware sandboxing for email is also available on a 14-day free trial.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Sandboxing Technology for Email

Implementing your own sandboxing technology for email can be complex and costly. SpamTitan Email Security has an inbuilt sandbox, so all the hard work is done for you. You get the full cybersecurity benefits of a sandbox at a very low cost.

What are the Benefits of an Email Sandbox?

Email sandboxing is no longer a ’want’ it is now a ‘must-have.’ Cybercriminal groups are conducting huge numbers of attacks, nation-state actors are targeting businesses to steal their proprietary data, and these attacks are getting far more sophisticated and can easily evade standard security solutions. The consequences of a successful cyberattack are severe. IBM’s 2023 Cost of a Data Breach Report indicates that the average cost of a successful attack and data breach has risen to $4.45 million in the United States. It is no surprise that many small to medium-sized businesses fold within 6 months of a successful attack.

As has been the case for many years, one of the easiest ways to gain initial access to a company’s network is via email. Employees are targeted as they can be tricked into disclosing their credentials or installing malware. Email security solutions such as spam filters and secure email gateways are capable of blocking many threats, but they are failing to block zero-day malware threats. Traditional email security solutions are reliant on signature-based detection methods for blocking malware. When a malware threat is detected and analyzed by security researchers, the signature for that malware variant is added to the definition list. Email security solutions use signature-based detection methods to block 100% of known malware.

The problem comes with new malware, for which no signature has been defined. Without a signature, malware will not be identified as malicious if it is encountered. If a novel malware variant is attached to an email, the email will most likely be delivered and can be opened by an end user and new malware variants are now being released at an incredible rate. While signature-based detection has served businesses well, additional protection is now required – email sandboxing.

With an email security solution that has an email sandbox, inbound messages will first be subjected to standard checks. An email sandbox is then used to safely analyze the behavior of files in an environment where no harm can be caused. If malware is executed, it will be detected based on its behavior rather than a signature. The threat will then be blocked, and no harm will be caused.

SpamTitan Email Sandboxing Technology for Email

With SpamTitan, the initial checks include AI-based and machine-learning detection, which is capable of detecting previously unseen phishing threats.  All attachments are scanned with two antivirus engines to ensure 100% of known malware threats are detected and blocked. The sandbox provides an extra layer of protection. When initial checks are passed, suspicious messages are sent to the sandbox for deep analysis. File attachments are safely detonated, their behavior is analyzed, and the results are checked against an extensive array of online repositories. The process usually takes just a few minutes, or in some cases, a maximum of 20 minutes.

If a threat is detected it is reported to the Bitdefender Global Protective Network – Bitdefender’s cloud threat intelligence service. If that threat is detected again by SpamTitan or any device connected to the network, it will not need to be sent to the sandbox again and all devices will be protected against that threat. The latest malware variants often include code that checks for running security solutions and whether it has landed on a real endpoint. If a virtual environment is detected and the malware determines it is in a sandbox, it will not perform its malicious actions and may delete itself to prevent analysis. To get around this, the email sandbox emulates a real endpoint and analyzes files by leveraging purpose-built, advanced machine-learning algorithms. The sandbox incorporates anti-evasion and anti-exploit techniques and performs aggressive behavior analysis. Every evasion attempt by malware is properly marked and the files are flagged.

The sandbox analyzes a broad range of targets, including documents, spreadsheets, and executable files, and is capable of identifying and blocking polymorphic malware and other threats that have been developed for undetectable attacks. With email-based cyberattacks increasing in number and sophistication, businesses need to ensure they have advanced defenses. With SpamTitan sandboxing technology for email you get advanced threat protection at an affordable price. To find out more, call the TitanHQ team today or take advantage of a free 14-day free trial of SpamTitan.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

What is Sandboxing in Cybersecurity?

What is Sandboxing in Cybersecurity?

Sandboxing in cybersecurity terms refers to an isolated virtual machine that is used for testing code and analyzing files. Since the sandbox is isolated from other systems and networks, unverified code, untested programs, email attachments, and files downloaded from the Internet can be executed or detonated safely. Code is executed and files are opened and their behavior is analyzed to determine if they are safe or if they may cause damage to data or systems. In the sandbox, the activities that can be performed are restricted so they can’t cause any real damage. If code is executed in the sandbox and it is determined to be malicious, it will be deleted or quarantined for further analysis. Sandboxing is also used for checking URLs. For instance, some web browsers will first open a URL in a sandbox where permissions are set to the lowest privilege levels. If any attempt is made to perform an action that is not permitted, access to the URL will either be blocked or the user will receive a warning.

Why is Sandboxing Important?

In software development, new code may have unintended consequences, such as causing other systems to malfunction, which in a production environment could cause unacceptable and costly downtime. A sandbox allows code to be fully tested to ensure it is safe. A security sandbox protects against malicious code that has been deliberately written to cause damage and/or provide access to systems and data. For example, ransomware is malicious code that encrypts files to prevent them from being accessed. A threat actor then demands payment for the keys to decrypt files. If that code was allowed to execute on the network, data could be permanently lost, or a ransom would need to be paid to recover files.

Cyberattacks on businesses have been increasing and are now being conducted more frequently than ever before. The average ransom demand in data theft and ransomware attacks is now more than $1.5 million, and data from Rapid7 suggests more than 1,500 organizations fell victim to ransomware attacks in the first half of 2023, with more than 20 new ransom groups emerging. Cybercriminals also still use backdoors, keyloggers, banking trojans, and information stealers to gain access to networks and steal sensitive data. To make matters worse, new malware and ransomware variants are constantly being released and these evade security solutions that rely on signature-based detection. It is vital that all files and applications are thoroughly tested before being allowed anywhere near the network and sandboxing allows even previously unseen malicious files to be identified and neutralized.

Email Sandboxing

Email security solutions often use sandboxing for attachments and URLs. With email attachments, they will first be scanned using standard anti-virus engines to determine if they contain known malware or malicious code. These AV checks will only detect known malware. New malware variants that have not been encountered before cannot be detected, as standard AV solutions search for signatures of known malware. Email sandboxing is used to detect new malware, often referred to as zero-day threats. Files that are determined to be clean after AV scanning are sent to the sandbox for behavioral analysis. Email security solutions may also use a sandbox for testing embedded URLs in messages and will follow the links and check the destination and assess whether it contains any threats.

Email Sandboxing from TitanHQ

SpamTitan is a multi-award-winning email security solution from TitanHQ that offers advanced threat protection at an affordable price. SpamTitan blocks phishing, malware, spam, viruses, and other malicious email threats and includes a Bitdefender-powered email sandbox. Emails that pass the initial barrage of checks, including antivirus scans, are sent to the sandbox where they are safely detonated, and their behavior is analyzed. The SpamTitan sandbox combines the latest threat analysis with powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, ensuring businesses are protected against zero-day threats. For more information on SpamTitan Email Security, give the TitanHQ team a call today.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Advantages and Disadvantages of Email Sandboxing

Sandboxing is the use of a virtual environment for testing code and safely opening untrusted files. The sandbox is an isolated and secure environment that emulates a legitimate endpoint; however, there are no connections to the business network, the sandbox environment contains no real data, and if dangerous code is executed, no harm will be caused.

Advantages of Email Sandboxing

Sandboxing is important because of the sheer number and complexity of threats faced by businesses. Cybercriminal groups are conducting increasing numbers of attacks, new groups are constantly being formed, and their attacks are becoming much more sophisticated. The cost of these attacks and the resultant data breaches are also spiraling. According to the 2023 Cost of a Data Breach Report from IBM, on average, data breaches cost $4.45 million to resolve in the United States and $10.93 million for a healthcare data breach.

Many of these threats come from email. Emails are used to send attachments containing malicious code that downloads malware that provides a cyber actor with access to the network. Links to malicious websites are also distributed via email where malware is downloaded. While businesses have a degree of protection if they have anti-virus software installed, most anti-virus solutions can only detect known malware variants – Malware that has previously been analyzed and had its signature added to the solution’s malware definition list. Antivirus solutions will not detect new malware variants nor fileless malware, which is executed in the memory with no files downloaded to the disk.

Sandboxing provides an additional layer of protection against zero-day malware and ransomware attacks and will allow malicious files to be identified, detected, and quarantined before they can do any harm, even if they have not previously been encountered. In the sandbox, malware is identified by the actions it tries to perform, not by any signature.

Disadvantages of Email Sandboxing

While there are clear benefits, there are some disadvantages of email sandboxing. Businesses may want to add email sandboxing to their cybersecurity arsenal, but email sandboxes can be complicated to set up and run, and they can require a considerable amount of resources and can be expensive to run. Another of the disadvantages of email sandboxing is analyzing file attachments takes time and messages cannot be delivered until all checks have been performed. It is therefore inevitable that there will be email delivery delays.

As with any cybersecurity solution, there is the potential for false positives. An email attachment may be determined to be malicious when it is actually harmless. In such cases, important business emails may be blocked or deleted. The last main disadvantage is malware often contains code that determines if it has landed on the targeted endpoint or if it is in a virtual environment. If the latter is detected, the malware may delete itself or not perform any of its programmed malicious actions. Considering the cost of a successful cyberattack, the advantages of email sandboxing outweigh the disadvantages, provided the right sandboxing solution is chosen.

SpamTitan Email Security with Sandboxing

SpamTitan is an award-winning email security solution from TitanHQ that provides advanced threat protection at an affordable price. The solution is easy to implement and use and protects thousands of SMBs and managed service providers (MSPs) by blocking spam, viruses, malware, ransomware, and links to malicious websites from your emails. SpamTitan’s ATP defense uses inbuilt Bayesian auto-learning and heuristics to defend against advanced threats and evolving cyberattack techniques and features an integrated email sandbox tool that is part of Bitdefender’s Global Protective Network.

SpamTitan uses advanced intelligent technologies, such as AI, to predict and prevent advanced threats and the sandbox accurately mimics a real endpoint to trick malware into determining it has reached its intended target. As with any sandbox, there are delays in delivering emails but this is kept to a minimum. SpamTitan has multiple layers of security and sophisticated sandbox technology, which means only specific and dangerous emails will be sandboxed. Even if a legitimate email lands in a sandbox, the delivery delay will be, at most, twenty minutes. While there may be false positives on occasion, no emails are deleted. They are quarantined to allow administrators to check the validity of the results.

If you want to improve security and get the advantages of email sandboxes while eliminating the disadvantages, give the TitanHQ team a call today. SpamTitan is also available on a free 14-day trial to allow you to test the product and sandbox in your own environment before making a purchase decision.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Malicious File Sandbox for Email

Multiple layers of security are required to protect against increasingly sophisticated email attacks. A malicious file sandbox for email should be one of those layers to ensure your business is protected against zero-day and stealthy malware threats.

Email: The Most Common Initial Access Vector Used by Cybercriminals

There are many ways that cybercriminals can attack businesses, but email is the most common initial access vector. Most employees have email accounts which means they can be easily reached, and social engineering techniques are used to trick employees into opening malicious attachments or visiting links in emails. Cybercriminals have become adept at exploiting human weaknesses in defenses.

One of the main aims of email campaigns is to deliver malware to provide persistent access to victims’ networks. Executable files may be attached to emails and hidden using double file extensions to make the files appear to be legitimate documents, PDF files, or spreadsheets. Office files may be attached that have malicious macros which, if allowed to run, trigger the download of a first-stage malware payload. The problem for businesses is these campaigns are becoming much more sophisticated, they often bypass standard email security defenses, and they land in inboxes where they can be opened by employees.

Defending against sophisticated email attacks requires a defense-in-depth approach, which should include a spam filter/secure email gateway, a web filter, multifactor authentication, an endpoint detection and response solution, and security awareness training for employees. To improve protection further and defend against new and stealthy malware threats, it is important to have a malicious file sandbox for email.

What is a Malicious File Sandbox?

A malicious file sandbox is an isolated virtual environment where untrusted, suspicious files can be detonated securely without risking network or data security. The sandbox is used for analyzing emails, documents, application files, and other executable files to determine their true nature. When an email is received, it must first pass through a spam filter which looks for the common signatures of spam and phishing emails, performs reputation checks on the sender, analyzes the message content, and scans email attachments using antivirus software. The spam filter will filter out the majority of spam and phishing emails and all known malware variants using the antivirus software.

The problem is many email attacks are stealthy and have been developed to be undetectable, and cyber actors are skilled at getting their emails past email defenses and into inboxes. One way this is achieved is by using polymorphic malware, which cannot be detected by standard email security solutions and antivirus software. A malicious file sandbox is needed to protect against these novel threats.

When suspicious files are received that pass the front-end checks, they are sent to the sandbox for in-depth analysis of their behavior. The malicious file sandbox is configured to look like a real target environment to ensure that when an email is sent to the sandbox any malware acts as it would in the wild and is tricked into determining that it has landed on the endpoint of its intended target. No harm can be caused in the sandbox as the environment is isolated and not set up locally. If malware is detected, a report is generated of any malicious intent or unexpected actions, and actionable insights are provided to allow the threat to be blocked.

The SpamTitan Malicious File Sandboxing Service

SpamTitan is an award-winning anti-spam and anti-phishing solution from TitanHQ that is used by thousands of businesses and managed service providers to protect against email-based attacks. The solution leverages artificial intelligence and machine learning algorithms to detect novel threats and predict new attacks, reputation checks are conducted using SPF, DKIM, and DMARC, users are protected from malicious links in emails, and the solution has dual antivirus engines that scan for known malware.

SpamTitan also includes a Bitdefender-powered malicious file sandbox for blocking zero-day malware threats. The sandbox analyzes a broad range of targets, including emails, documents, application files, and other executable files, and leverages purpose-built, advanced machine-learning algorithms, aggressive behavior analysis, anti-evasion techniques, and memory snapshot comparison to detect sophisticated threats and delivers advanced threat protection and zero-day exploit detection. The sandbox also extracts, analyzes, and validates URLs within files.

The sandbox is not located on the endpoint so there are no performance implications, and strong machine learning and behavior detection technologies ensure that only files that require further analysis are sent to the Sandbox. If a malicious file is detected, the sandbox informs Bitdefender’s cloud threat intelligence service to ensure the threat is instantly blocked globally and will not need to be set to the sandbox for analysis again. The sandbox allows businesses to identify and block malicious files such as polymorphic malware and other threats that have been developed for use in undetectable attacks.

The SpamTitan malicious file sandbox delivers best-in-class detection, advanced anti-evasion technologies, innovative pre-filtering, and MITRE ATT&CK framework support. If you want the best protection from dangerous malware, you need a malicious file sandbox for email, and with SpamTitan you get that and more at a very affordable price. For more information on the capabilities of SpamTitan and details of pricing, give the TitanHQ team a call. SpamTitan is also available on a free 14-day trial to allow you to test the product in your own environment before making a purchasing decision.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Email Sandboxing, Pattern Filtering, and Other Much-Loved SpamTitan Features

SpamTitan is a next-generation anti-spam, anti-phishing, and anti-malware solution for businesses that incorporates AI-based threat detection, email sandboxing, and many other advanced email security features. Some of the most important and best-loved features of SpamTitan are explained below:

Email Sandboxing in SpamTitan

Email sandboxing is a vital element of email security, yet many email security solutions lack this feature. An email sandbox is a secure, virtual machine where links can be followed and attachments opened where they cannot cause any harm. A malicious link that leads to an automatic malware download can be followed in safety, and even the nastiest piece of malware can be executed without risk as the sandbox is isolated, not connected to any network, and contains no real data.

The sandbox is configured to appear to be a genuine endpoint in order to trick malicious actors into thinking malware has reached its intended target. When a file is opened in the sandbox it is subject to deep analysis, and any malicious or suspicious actions are detected. Emails are subject to a battery of front-end checks, including scans using two anti-virus engines, and any emails that pass these checks but are determined to potentially pose a risk are sent to the sandbox for behavioral analysis. That includes emails along with any attached documents, spreadsheets, and executable files.

Sandboxing for email is important because of the speed at which novel malware samples are used in attacks. Rather than just use one version of a keylogger in a campaign, a threat actor will use dozens of versions of that keylogger, each differing slightly to evade signature-based detection mechanisms. AI and automation are used by threat actors to churn out new malware variants rapidly, and signature-based detection alone is no longer good enough. With sandboxing, email protection is greatly improved against these zero-day threats which would otherwise be delivered to end users’ inboxes.

Pattern Filtering in SpamTitan

One of the most loved features of SpamTitan is Pattern Filtering. It saves IT security teams a considerable amount of their precious time by ensuring spammy and phishy emails are not delivered. The Pattern Filtering feature allows administrators to use their own terminology to block inbound emails. Simply set a word or phrase through Pattern Filtering, and SpamTitan will search the subject line and message body and can be configured to generate a warning or quarantine the email if the word or phrase is found.

An example of where this can be useful is combating the Nigerian scam/419 fraud, a type of advanced fee fraud. The 419 comes from Section 419 of the Nigerian Criminal Code which prohibits this kind of scam. While the scam is common with Nigerian cybercriminals, cybercriminal groups in many different countries also conduct this type of scam. While the themes of the emails vary, they all have the same aim. An example would be a prominent person who has substantial funds in their account has been unable to transfer the funds out of the country due to unfair restrictions. They offer to transfer these funds to the user’s account to get the money out of the country in exchange for a percentage of those funds as payment, which may be as high as 20%, which is a life-changing amount of money. The catch? In order to proceed, charges need to be covered and they must be paid in advance. The Pattern Filtering option can be used to block these emails by incorporating phrases commonly used in these emails.

Geo-Filtering in SpamTitan

SpamTitan also incorporates geo-filtering, which allows users to block emails from specific countries. If you never do business with countries in Africa, for example, you can simply block all emails coming from African IP addresses with a few clicks of a mouse, rather than manually blocking IP addresses from which you get a lot of spam emails. This feature saves IT teams a considerable amount of time. One user who has benefited greatly from this feature is Benjamin Jeffrey, IT manager at M&M Golf Cars. His company was receiving many requests from countries that the company does not do business with and was getting flooded with spam emails from a specific IP subnet in a country. He configured the geo-filtering and instantly blocked all those messages. When he checked 6 months after configuring that feature, around 12,000 emails had been blocked. Geo-blocking is also useful for blocking malware quickly. Malware distribution campaigns are often launched from a handful of countries, and geo-filtering can be used to block those messages with ease.

AI and Machine Learning in SpamTitan

SpamTitan has AI and machine learning capabilities to improve the detection of spam and phishing emails. These technologies learn about the emails that are typically received by a company and create a baseline against which new emails can be measured. When emails deviate from the norms, they are flagged as risky and are subjected to more stringent security checks or are quarantined for manual inspection. These technologies greatly improve spam and phishing email catch rates and allow SpamTitan to improve day-by-day. These technologies are a vital defense against zero-day phishing threats – new threats that have not been encountered on the 500+ million endpoints from which threat intelligence is gathered.

Find out More About SpamTitan

These are just some of the most loved and most beneficial features of SpamTitan. In addition to having a high catch-rate and low false positive rate, SpamTitan is one of the most affordable email security solutions on the market, it’s quick and easy to set up, and requires little maintenance. The features, price, and ease of use are why it is loved by thousands of small- and medium-sized businesses, enterprises, and managed service providers. To find out more, give the TitanHQ team a call. The product is available on a 100% free trial if you want to put it to the test, and product demonstrations can be arranged on request.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Chinese Hackers Compromising Patched Barracuda Email Security Appliances

The Federal Bureau of Investigation (FBI) has issued a warning that Chinese hackers are continuing to gain access to Barracuda email security appliances, even those that have been patched against a recently disclosed zero day vulnerability, and has urged organizations to immediately remove the appliances.

The vulnerability, tracked as CVE-2023-2868, affects Barracuda Network’s Email Security Gateway (ESG) appliances and occurs when the appliance screens email attachments. The vulnerability is a remote command injection vulnerability that allows the unauthorized execution of system commands with administrator privileges on the ESG appliance. Barracuda issued a patch to fix the flaw on May 20, 2023, after identifying hacks on May 19.

The vulnerability can be exploited via maliciously formatted TAR file attachments that are sent to an email address affiliated with a domain that has an ESG appliance connected to it. When the attachments are scanned it results in a command injection into the ESG, and system commands are executed with the privileges of the ESG. No user interaction is required to exploit the vulnerability.

According to the FBI, Chinese hackers have been exploiting the vulnerability since October 2022 as part of a state-run cyberespionage operation and have compromised hundreds of appliances. Mandiant assisted with investigating the hacks and said this is the broadest cyber espionage campaign conducted by Chinese state-sponsored hackers since the mass exploitation of a Microsoft Exchange vulnerability in 2021.

In a Flash Alert issued on Wednesday, the FBI recommended all affected devices be immediately replaced. “The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” and said the patches released by Barracuda to address the flaw were ineffective.

The advice follows that of Barracuda, which said in June that all hacked Email Security Gateway appliances should be immediately replaced, regardless of whether patches had been applied. Even after the patches had been applied, continued malicious activity was observed on the previously compromised devices. A new form of malware, dubbed Submarine, was deployed on compromised appliances, which resides in a structured query language (SQL) database on the appliance and is a backdoor that provides persistent access.

Vulnerabilities can exist in any software solution, even those that are meant to provide protection. This is why it is important to have multiple layers of protection. If one layer fails, others are there to detect and block threats. Many threats start with a malicious email, which is why email security is so important. Having SpamTitan Plus in place will provide a high degree of protection and will stop malware from reaching its intended recipient. SpamTitan Plus is a leading-edge, AI-driven anti-phishing and anti-malware solution with the newest “zero-day” threat protection and intelligence. The solution includes 100% coverage of all current market-leading anti-phishing feeds and provides 1.6x faster detection of threats than the current market leaders. SpamTitan Plus provides unrivaled protection against malicious links in emails and includes signature-based malware detection and behavioral detection through sandboxing. For more information on SpamTitan Plus, give the TiotanHQ team a call.

New Mystic Stealer Malware Proves Popular with Cybercriminal Community

A new information stealing malware variant called Mystic Stealer is proving extremely popular with hackers. The malware is currently being promoted on hacking forums and darknet marketplaces under the malware-as-a-service model, where hackers can rent access to the malware by paying a subscription fee, which ranges from $150 for a month to $390 for three months.

Adverts for the malware first started appearing on hacking sites in April 2023 and the combination of low pricing, advanced capabilities, and regular updates to the malware to incorporate requested features has seen it grow in popularity and become a firm favorite with cybercriminals. The team selling access to the malware operates a Telegram channel and seeks feedback from users on new features they would like to be added, shares development news, and discusses various related topics.

Mystic Stealer has many capabilities with more expected to be added. The first update to the malware occurred just a month after the initial release, demonstrating it is under active development and indicating the developers are trying to make Mystic Stealer the malware of choice for a wide range of malicious actors. Mystic Stealer targets 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications (including LastPass Free, Dashlane, Roboform, and NortPass), and 55 cryptocurrency browser extensions. The malware can also inject ads into browser sessions, redirect searches to malicious websites, and steal Steam and Telegram credentials and other sensitive data. The most recent version is also able to download additional payloads from its command-and-control server. The malware targets all Windows versions, does not need any dependencies, and operates in the memory, allowing it to evade antivirus solutions. The malware is believed to be of Russian origin since it cannot be used in the Commonwealth of Independent States.

Mystic Stealer has recently been analyzed by researchers at InQuest, ZScaler, and Cyfirma, who report that the malware communicates with its C2 server via a custom binary protocol over TCP, and currently has at least 50 C2 servers. When the malware identifies data of interest, it compresses it, encrypts it, then transmits it to its C2 server, where users can access the data through their control panel.

The main methods of distribution have yet to be determined, but as more threat actors start using the malware, distribution methods are likely to become more diverse. The best protection is to follow cybersecurity best practices and adopt a defense-in-depth approach, with multiple overlapping layers of security to protect against all of the main attack vectors: email delivery (phishing), web delivery (pirated software, drive-by downloads, malvertising), and the exploitation of vulnerabilities.

Email security solutions should be used that have signature and behavioral-based detection capabilities and machine learning techniques for detecting phishing emails (SpamTitan). Antivirus software should be used, ideally, a solution that can scan the memory, along with advanced intrusion detection systems. To protect against web-based attacks, a web filter (WebTitan) should be used to block malicious file downloads and prevent access to the websites where malware is often downloaded (known malicious sites/warez/torrent). IT teams should ensure that software updates and patches are applied promptly, prioritizing critical vulnerabilities and known exploited vulnerabilities. In the event of infection, damage can be severely limited by having a tested incident response plan in place.

Finally, it is important to train the workforce on the most common threats and how to avoid them. Employees should be trained on how to identify phishing attempts, be told never to download unauthorized software from the Internet, and be taught security best practices. The SafeTitan security awareness training and phishing simulation platform provides comprehensive training and testing to improve human defenses against malware infections and other cyber threats.

Failure to Stop Phishing Attack Results in £4.4 Million Financial Penalty

The construction firm Interserve has been slapped with a £4.4 million GDPR fine for failing to prevent a phishing attack and the theft of the personal and financial information of up to 113,000 employees.

Interserve is a construction and outsourcing group, which, at the time of the cyberattack in 2020, was a strategic supplier to the UK government, including the Ministry of Defense. An employee received a phishing email and forwarded it to a colleague, who opened the email and downloaded the malicious content, which saw malware installed on its network. What happened next is all too common in cyberattacks. The threat actors had a foothold in the network, then moved laterally, and compromised 283 Interserve systems and 16 accounts.

Interserve’s anti-virus software was then uninstalled by the threat actors, and ransomware was deployed to encrypt files on the network. The information accessed, encrypted, and stolen by the attackers included highly sensitive employee information such as contact information, national insurance numbers, and bank account details. Data classed as special category data under the GDPR was also compromised, including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

The Information Commissioner’s Office (ICO) investigated the cyberattack and data breach and determined Interserve had failed to put appropriate security measures in place to prevent cyberattacks such as this, and the lack of appropriate safeguards left Interserve vulnerable to cyberattacks from March 2019 to December 2020.

The ICO identified several areas where the attack could have been identified and blocked. The initial phishing email was not blocked, nor was the malicious email detected when it was forwarded internally. The company had anti-virus software installed, which quarantined the malware and generated a security alert, yet Interserve failed to investigate the suspicious activity. Had it been investigated Interserve should have been able to determine that the attacker still had access to its network. The ICO also found outdated software systems and protocols in use, there was a lack of staff training, and insufficient risk assessments had been performed.

The failure to implement appropriate safeguards violated information privacy laws, resulting in a £4.4 million fine being proposed. The response of Interserve to that notice of intent to fine did nothing to warrant any reduction in the penalty.

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said UK Information Commissioner, John Edwards.

These cybersecurity failures are all too common at businesses and they leave the door wide open for hackers, yet malware and ransomware attacks such as this can easily be prevented. In this case, following cybersecurity best practices, ensuring employees practice good cyber hygiene, and responding to security alerts quickly could have prevented or certainly reduced the severity of the data breach.

An effective email security solution should have been in place for detecting malicious emails, first when the initial email was received and again when it was forwarded. The email should have been quarantined and checked by the IT security team. Had appropriate end-user training been provided, both employees should have been aware of the threat of email-based attacks and known how to identify phishing emails. The IT security team should also have investigated the alert and suspicious network activity.

It is not possible to prevent all cyberattacks but implementing an advanced spam filter and providing security awareness training to employees will go a long way toward improving an organization’s security posture. Those are areas where TitanHQ can help. TitanHQ has developed a suite of cybersecurity solutions including SpamTitan Email Security, the SafeTitan Security Awareness and Phishing Simulation Platform, and the WebTitan DNS Filter for blocking web-based attacks.

For more information on improving your security posture to block cyberattacks, prevent data breaches, and protect against financial penalties from regulators, give the TitanHQ team a call.

What is Callback Phishing?

Phishing attacks are mostly conducted via email but there has been a major increase in hybrid phishing attacks over the past 12 months, especially callback phishing. Here we explain what callback phishing is, why it poses such a threat to businesses, and why threat actors are favoring this new approach.

What is Callback Phishing?

Email phishing is used for credential theft and malware distribution, but one of the problems with this type of phishing is most businesses have email security solutions that scan inbound emails for malicious content. Phishing emails and malicious files distributed via email are often identified as such and are rejected or quarantined. Some threat actors conduct voice phishing, where an individual is contacted by telephone, and attempts are made to trick them into taking an action that benefits the scammer using a variety of social engineering tactics.

Callback phishing is a type of hybrid phishing where these two methods of phishing are combined. Initially, an email is sent to a targeted individual or company that alerts the recipient to a potential problem. This could be an outstanding invoice, an upcoming payment or charge, a fictitious malware infection or security issue, or any of a long list of phishing lures. Instead of further information being provided in an attachment or on a website linked in the email, a telephone number is provided. The recipient must call the number for more information and to address the issue detailed in the email.

The phone number is manned by the threat actor who uses social engineering techniques to trick the caller into taking an action. That action is usually to disclose credentials, download a malicious file, or open a remote desktop session. In the case of the latter, the remote desktop session is used to deliver malware that serves as a backdoor into the victim’s computer and network.

This hybrid approach to phishing allows threat actors to get around email security solutions. The only malicious element in the initial email is a phone number, which is difficult for email security solutions to identify as malicious and block. That means the emails are likely to reach their targets.

Major Increase in Callback Phishing Attacks

Callback phishing was adopted by the Ryuk ransomware threat group in 2019 to trick people into installing BazarBackdoor malware, in a campaign that was dubbed BazarCall/BazaCall. Typically, the lure used in these attacks was to advise the user about an upcoming payment for a subscription or the end of a free trial, with a payment due to be automatically taken unless the trial/subscription is canceled by phone.

The Ryuk ransomware operation is no more. The threat actors rebranded as Conti, and the Conti ransomware operation has also now shut down; however, three threat groups have been formed by members of the Conti ransomware operation – Silent Ransom, Quantum, and Zeon – and all have adopted callback phishing as one of the main methods for gaining initial access to victims’ networks for conducting ransomware attacks. These three groups impersonate a variety of companies in their initial emails and trick people into believing they are communicating with a genuine company. The aim is to get the user to establish a remote desktop session. While the user is distracted by the call, a second member of the team uses that connection to install a backdoor or probe for ways to attack the company, without the user being aware what is happening.

Callback phishing is also used by other threat groups for credentials theft and malware distribution, often by impersonating a cybersecurity firm and alerting the user to a security threat that needs to be resolved quickly. These attacks see the user tricked into installing malware or disclosing their credentials. According to cybersecurity firm Agari, phishing attacks increased by 6% from Q1, 2022 to Q2, 2022, and over that same time frame hybrid phishing attacks increased by an incredible 625%.

How to Protect Against Callback Phishing Attacks

As is the case with other forms of phishing, the key to defending against attacks is to implement layered defenses. Email security solutions should be implemented that perform a range of checks of inbound emails to identify malicious IP addresses. Email security solutions such as SpamTitan incorporate machine learning mechanisms that can detect emails that deviate from those normally received by an organization. Multi-factor authentication should be implemented on accounts to block attempts to use stolen credentials.

The best defense against callback phishing is to provide security awareness training to the workforce. Employees should be told about the social engineering tactics used in these attacks, the checks everyone should perform before responding to any email, and the signs of callback phishing to look out for. Callback phishing simulations should also be conducted to gauge how susceptible the workforce is to callback phishing. A failed simulation can be turned into a training opportunity to proactively address the lack of understanding.

TitanHQ offers a comprehensive security awareness training platform for businesses – SafeTitan – that covers all forms of phishing and the platform included a phishing simulator for conducting phishing tests on employees. For more information, give the TitanHQ team a call today.

Phishing Statistics Infographic

Tips for Effective Security Awareness Training

Providing security awareness training to the workforce is necessary for compliance and is often a requirement for getting cybersecurity insurance, but the real purpose of security awareness training is to reduce risk and avoid costly cyberattacks and data breaches.

To get the full benefits you need an effective security awareness training program, where susceptibility to phishing attacks is reduced and your resilience to cyberattacks targeting employees is significantly improved. To help you, we offer some top tips for creating an effective security awareness training program.

Security Awareness Training Must be a Continuous Process

Security awareness training should not be seen as a checkbox item for compliance. To be effective, training needs to be an ongoing process, where the training is reinforced over time. That if unlikely to happen with a once-a-year training session. Another reason for providing ongoing training is cyber threat actors are constantly changing their tactics and regularly come up with new scams. It would be unreasonable to expect employees to be able to recognize these new threats if they have not been covered in training sessions. Through regular training, provided in bite-sized chunks, you can make your employees are made aware of the latest threats which will help them to recognize them when they are encountered.

Make Sure Your Training Content is Interesting

Different employees will respond to different training methods. A classroom-based training session may be good for some employees, but others will respond better to computer-based training, infographics, videos, and quizzes. Keep your training varied to make sure it appeals to a wide audience and try to make the training interesting and engaging to improve knowledge retention, such as using storytelling to trigger emotions and the imagination, and don’t be afraid to use humor. Cybersecurity can be a pretty dry topic for many people and if they can enjoy it, they are more likely to retain the information and apply the training on a day-to-day basis.

Get Buy-in from the C-Suite

If you want to create a security culture in your organization, you will need to get buy in from the C-suite.  Any change in culture in an organization needs to start at the top. The C-Suite must be made aware of the importance of security awareness training and cybersecurity, and using data is usually the best approach. Using a security awareness training company that can provide data on the effectiveness of training at reducing risk will help. You will be able to prove the return on investment you are likely to achieve.

Conduct Phishing Simulations After Providing Training

Providing security awareness training is only one step toward developing a security culture and reducing risk. You also need to conduct tests to determine whether your training is being applied on a day-to-day basis, and the best way to test that is with phishing simulations. Conduct realistic simulations to determine whether the training has been effective. If employees fail simulations, provide extra training.

Do Not Punish Employees for Failing Phishing Simulations

Many companies operate a three strikes and you’re out policy for failing phishing simulations or penalize employees in other ways for falling for phishing emails. Around 40% of organizations take disciplinary action against employees for cybersecurity errors such as phishing simulation failures. Punishing employees for failing to identify phishing simulations often does not have the desired effect.

If you want to encourage employees to be more security-aware and create a security culture, creating a culture of fear is unlikely to help. This approach is likely to cause stress and anxiety, which can lead to the creation of a hostile working environment, and that does not help employees become more security aware. Further, when mistakes are made, employees will be much less likely to report their mistakes to the security team out of fear of negative consequences.

Conduct Real-Time Security Awareness Training

Training is likely to be most effective immediately after employees have made a mistake. By using a security awareness training solution such as SafeTitan, the only behavior-driven security training solution that delivers contextual training in real-time, you can deliver relevant training immediately and explain how a mistake was made and how similar errors can be avoided in the future. For instance, if an employee is discovered to be downloading free software from the Internet, an immediate alert can be delivered explaining why it is not allowed and the risks of installing software without approval from the IT department. If a phishing simulation is failed, employees can be alerted immediately, and it can be turned into a relevant training session.

Benchmark to Learn the Effectiveness of Security Awareness Training

Businesses conduct security awareness training to reduce susceptibility to phishing attacks and other cyber threats, but to gauge the effectiveness of the training there must be a benchmark to measure against. Conducting phishing simulations prior to providing training will allow you to measure how effective the training has been. You can use pre-training simulations to determine how many employees are falling for scams and the percentage of simulated phishing emails that are being reported. You can then reassess after providing training and can determine exactly how effective the training has been.

Security Awareness Training and Phishing Simulations are Not Enough

Providing regular security awareness training and conducting phishing simulations are important for improving resilience to cyber threats and will allow you to prove training has been provided for compliance or insurance purposes, but you also need to make sure that training has been absorbed by employees. Don’t just provide training – use quizzes to assess whether the training has been absorbed. You should also analyze the results of phishing simulations to identify any knowledge gaps that need to be addressed with future training courses. If employees are still falling for a certain type of scam, it could be your training that is the issue.

For more information about security awareness training, conducting phishing simulations, and to discover the benefits of real-time security awareness training, contact TitanHQ today for more information about SafeTitan. You can also take advantage of a free trial of the solution before deciding on a purchase.


Have You Created a Human Firewall?

It is important for security to implement an advanced spam filtering solution to block email threats such as phishing and malware, but security awareness training for the workforce is still necessary. The reason why phishing attacks are successful is that they target a weak point: employees. Humans make mistakes and are one of the biggest vulnerabilities as far as security is concerned. All it takes is for one phishing email to sneak through your defenses and land in an inbox and for the recipient to click a link in the email or open a malicious attachment for a threat actor to get the foothold they need in your network.

The easiest way to target employees is with phishing emails. The majority of phishing emails will be blocked by your spam filter, but some emails will be delivered. It doesn’t matter how advanced and effective your spam filter is, it will not block every single phishing email without also blocking an unacceptable number of genuine emails.

Phishing emails are used to achieve one of three aims: To trick individuals into disclosing credentials, to trick them into emailing sensitive data, or to trick them into installing malware. There are many tactics, techniques, and procedures (TTPs) employed in phishing attacks to make the emails realistic, convincing, and to get employees to act quickly. The emails may closely match standard business emails related to deliveries, job applications, invoices, or requests for collaboration. Spoofing is used to make the messages appear to have come from a trusted sender. Emails can spoof brands and often include the correct corporate logos, formats, and color schemes. While phishing emails include red flags that indicate all is not what it seems, busy employees may not notice those flags. Further, sophisticated, targeted phishing attacks contain very few red flags and are very difficult to identify. Even system administrators can be fooled by these attacks.

Businesses cannot expect every employee to be an expert at identifying phishing emails and other email threats, nor should they assume that employees have a good understanding of security practices that need to be employed. The only way to ensure employees know about security practices and how to recognize a phishing email is to provide security awareness training.

Security Awareness Training Improves Resilience to Phishing Attacks

The purpose of security awareness training is to make the workforce aware of the threats they are likely to encounter and to provide them with the tools they need to recognize and avoid those threats. Security awareness training is not a checkbox item that needs to be completed for compliance, it is one of the most important steps to take to improve your organization’s security posture and it needs to be an ongoing process. You could provide a classroom-based training session or computer-based training session once a year, but the TTPs of cyber threat actors are constantly changing, so that is not going to be sufficient. More frequent training, coupled with security reminders, newsletters, and updates on the latest threats to be wary of will ensure that security is always fresh in the mind, and it will help you to develop a security culture in your organization.

One of the most effective strategies is to augment training with phishing simulations. Phishing simulations involve sending fake but realistic phishing emails to employees to see how they respond. If you do not conduct these tests, you will not know if your training has been effective. The simulations will identify employees that require further training and the simulations will give employees practice at recognizing malicious emails. Reports from these simulations allow security teams to assess how resilient they are to phishing attacks and other email threats and will allow them to take action and focus their efforts to make immediate improvements.

SafeTitan Security Awareness Training & Phishing Simulations

TitanHQ can now help businesses create a human firewall through SafeTitan Security Awareness Training. SafeTitan is the only behavior-driven security awareness platform that delivers training in real-time and will greatly improve resilience to social engineering and advanced phishing attacks.

If you want to improve your resilience to cyberattacks, prevent more data breaches, and avoid the costs and reputation damage caused by those incidents, you need to be training your workforce and running phishing simulations. Get in touch with TitanHQ today for more information and get started creating your human firewall.

Critical Infrastructure Organizations Targeted by Ransomware Gangs

2019 was a particularly bad year for ransomware attacks, and while there was a reduction in the use of ransomware in 2020, attacks increased sharply in 2021, with the education sector and government organizations the most attacked sectors, although no industry sector is immune to attacks.

There is growing concern about the increase in attacks on critical infrastructure organizations, which are an attractive target for ransomware gangs. According to the data from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), 14 of the 16 critical infrastructure sectors in the United States reported ransomware attacks in 2021, including the defense industrial base, emergency services, healthcare, food and agriculture, information technology, and government facilities. Cybersecurity agencies in the United Kingdom and Australia have also said critical infrastructure has been targeted.

Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks

This week, a warning has been issued by the Federal Bureau of Investigation (FBI), the U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) about ransomware attacks using AvosLocker ransomware.

AvosLocker was first identified as a threat in late June 2021 and despite being a relatively new threat, poses a significant risk. Attacks using the ransomware increased in the latter half of 2021, with spikes in attacks occurring in November and December. Variants of AvosLocker ransomware have now been developed to attack Linux as well as Windows systems.

As is now common, the attackers engage in double extortion and demand payment for the keys to decrypt files and to prevent the release of stolen data. The gang operates a data leak site where a sample of stolen data is uploaded and made accessible to the public. The gang says it then sells the stolen data to cybercriminals if payment is not made. AvosLocker is one of a handful of ransomware operations that also makes contact with victims by phone to encourage them to pay the ransom. The gang is known to issue threats of Distributed Denial of Service (DDoS) to further pressure victims into paying the ransom.

AvosLocker is a ransomware-as-a-service operation where affiliates are recruited to conduct attacks for a percentage of any ransom payments they generate. Consequently, the attack vectors used in attacks depend on the skillsets of the affiliates. Common vulnerabilities are known to be exploited to gain initial access to networks, including vulnerabilities associated with Proxy Shell and unpatched vulnerabilities in on-premises Microsoft Exchange Servers. However, over the past year, spam email campaigns have been a primary attack vector.

Email Filtering Vital for Defending Against Ransomware Attacks

Spam email is a common attack vector used by ransomware gangs. Spam email campaigns are effective and provide low-cost access to victim networks. Phishing and spam campaigns either use malicious attachments or embedded hyperlinks in emails, along with social engineering techniques to convince end users to open the attachments or click the links.

The primary defense against these attacks is email filters. Email filters scan all inbound emails and attachments and prevent malicious messages from being delivered to inboxes. Since cyber actors are constantly changing their lures, social engineering methods, and strategies to bypass email security solutions, it is vital to have an email security solution in place that can respond to changing tactics.

Email security solutions that use artificial intelligence and machine learning to identify and block threats outperform solutions that rely on antivirus engines and blacklists of known malicious IP addresses. SpamTitan incorporates artificial intelligence-based detection mechanisms in addition to blacklists, dual antivirus engines, and email sandboxing, which ensures a high detection rate for malicious emails, including zero day threats. SpamTitan also provides time-of-click protection against malicious hyperlinks in emails to ensure users are well protected against phishing, malware, ransomware, and other email threats.

Don’t Neglect Security Awareness Training for the Workforce

It is also important to provide security awareness training to all members of the workforce from the CEO down. The FBI and the U.S. Treasury Department recommended in the latest alert to “Focus on cyber security awareness and training,” and “Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).” TitanHQ can help in this regard with SafeTitan – “The only behavior-driven security awareness solution that delivers security training in real-time.”

For more information on improving your defenses against ransomware and other cyber threats, give the TitanHQ team a call to inquire about email filtering, web filtering, and security awareness training for your workforce.

Lapsus Ransomware Gang Ups the Ante with Impresa and NVIDIA Attacks

The Lapsus ransomware gang has arrived on the scene and has already claimed several high-profile targets, with victims including Impresa – the largest media conglomerate in Portugal, Brazil’s Ministry of Health (MoH), the Brazilian telecommunications operator Claro, and most recently, the Santa Clara, CA-based GPU vendor NVIDIA.

The Lapsus ransomware gang – also referred to as Lapsus$ – is a relatively new threat actor and is making a reputation for itself in an already crowded ransomware market. Most ransomware gangs now practice double extortion, where prior to encrypting files they exfiltrate sensitive data and threaten to publish the data if the ransom is not paid. Triple extortion tactics are now becoming common, where threats are also issued to notify shareholders, partners, and customers about attacks. The Lapsus gang has taken things a step further still and is boasting about its attacks and causing major embarrassment for victims.

In January, the Lapsus ransomware gang attacked the Brazilian car rental firm Localiza, which is one of the largest car rental firms in South America. In addition to stealing data and encrypting files, the gang redirected the company’s website to an adult website and publicly announced that the company is now a porn site. The redirection was only in place for a few hours, but it was enough to damage the company’s reputation.

Also in January, Impresa was targeted. Impresa is the owner of SIC and Expresso, the largest TV channel and weekly newspaper in Portugal. The attack targeted Impresa’s online IT servers resulting in company websites being taken offline and the temporary loss of Internet streaming services. The gang defaced the company’s websites by adding their ransom note and claimed they had taken control of Impresa’s Amazon Web Services account. The gang then used the hijacked Expresso Twitter account and sent a tweet stating, “Lapsus$ is officially the new president of Portugal.” The gang also gained access to its newsletter and sent phishing emails to subscribers informing them in the emails that the President of Portugal had been murdered.

On February 25, NVIDIA experienced a cyberattack that saw parts of its IT infrastructure taken offline for a couple of days. NVIDIA announced that it was investigating a security incident, and then the Lapsus gang said it was behind the attack and issued a threat to leak around 1TB of data. The gang published screenshots indicating they had leaked password hashes for NVIDIA employees, source code, and highly sensitive proprietary company information.

There was some good news – the Lapsus gang then experienced its own ‘ransomware’ attack. There have been reports in the media that NVIDIA hacked back and gained access to the attackers’ virtual machine and encrypted its data, although security research Marcus Hutchins offered an alternative view, suggesting this could have been due to the gang installing Nvidia’s corporate agent on their virtual machine and then triggering a data loss prevention policy.

In addition to demanding a ransom, the Lapsus ransomware gang also demanded NVIDIA remove its lite hast rate (LHR) limitations on its GeForce 30 series firmware – which halve the hash rate when it detects the GPUs are being used for mining Ethereum – and also requested NVIDIA commits to completely open source their GPU drivers forever. If the demands are not met, the gang said it will release the complete silicon, graphics, and computer chipset files for its most recent GPUs.

While many ransomware gangs are focused purely on extortion, the Lapsus gang appears to like the limelight and brags about their attacks, which makes attacks by the gang even more serious for victims due to the brand and reputation damage they cause.

The extent of the attack vectors used by the gang is not known, but they appear to have used phishing emails to gain access to some victims’ networks, including the attack on Impresa. Phishing is a popular attack vector in ransomware attacks. Around half of all ransomware attacks start with a phishing email, according to a recent Statista survey. Employees respond to phishing emails and disclose their credentials, which give the attackers the foothold in the network they need for a deeper compromise.

Businesses could be lulled into a false sense of security with the disbanding of major ransomware operations and arrests of key gang members. The REvil ransomware gang may be no more, and DarkSide has been shut down, but other ransomware gangs are more than happy to plug the gap. Lapsus only announced its presence on the scene at the start of the year but is already growing into a major threat.

The best defense against Lapsus ransomware attacks and other cyberattacks is to adopt a defense-in-depth strategy. That should include an advanced spam filtering solution to block email phishing attacks, content filtering to prevent employees from visiting malicious websites, multi-factor authentication on all email accounts and local/cloud apps, ensuring patches and software updates are applied promptly, and providing ongoing security awareness training to the workforce to help employees identify and avoid phishing and social engineering attempts.

TitanHQ can help organizations improve their defenses against the full range of cyberattacks by providing advanced cybersecurity solutions for SMBs, enterprises, and Managed Service Providers, including spam filtering, DNS filtering, email encryption, email archiving, and security awareness training.

TitanHQ Placed 33 in 2021 Deloitte Technology Fast 50 List

TitanHQ has been included in the 2021 Deloitte Technology Fast 50 List of the fastest-growing tech companies in Ireland. The Award program has now been running for 22 years and celebrates innovation and entrepreneurship in Ireland’s indigenous technology sector.

Deloitte compiles the list based on percentage revenue growth over the past 4 years, with TitanHQ ranking in position 33 in the list after a long period of sustained growth. That growth continued throughout the COVID-19 pandemic when many businesses have struggled. Not only has the company significantly increased its customer base over the past 4 years, the workforce has also had a major expansion. Between September 2020 and April 2021, TitanHQ’s workforce doubled in size.

As well as impressive organic growth, TitanHQ has benefitted from investment from Livingbridge Investor Group which has allowed the company to continue to recruit the best talent to support its business and invest in product development. As well as making improvements to its existing product portfolio, the company released a new product this month – SpamTitan Plus.

SpamTitan Plus builds on the protection provided by SpamTitan Gateway and SpamTitan Cloud but significantly improves detection of the malicious URLs in emails that are used for phishing and malware distribution. SpamTitan Plus has coverage of all major phishing feeds and has the fastest and best detection rates of malicious URLs than any of the market-leading anti-spam solutions.

“As a result of increased demand globally for our solutions, we have invested heavily in product development and embarked on a recruitment campaign to double our workforce in a program that will allow that growth to continue,” said TitanHQ CEO, Ronan Kavanagh. “The quick move to remote working last year has made us all aware of how important it is to be adaptable and have the right security solutions in place to protect users, customers, company data, and systems.”

TitanHQ’s customer base has now increased to more than 12,000 businesses, including over 2,500 managed service providers in 150 countries, with much of TitanHQ’s growth over the past 4 years due to the increase in overseas customers. That growth was also recognized by Deloitte, which awarded TitanHQ runner-up spot in the Scale Up Award. The Scale Up Award recognizes companies that have enjoyed significant overseas growth over the past 4 years.

“Congratulations to all of the companies that ranked this year. This is the first year we have seen the impact the pandemic has had on revenues of Irish tech companies,” said David Shanahan, Partner, Deloitte “It will come as no surprise that many of this year’s winners have achieved accelerated growth and scale as a result of the pandemic and being able to capitalize on the global move to a digital way of life.”

Ransomware Attacks Increased by 900% in 1H 2021

There has been an alarming surge in ransomware attacks in 2021. Attacks have been conducted on businesses of all sizes, from large international enterprises with multi-million-dollar cybersecurity budgets to small businesses with just a handful of employees. The attacks have shown that no business is to large or small to be targeted.

Ransomware is a form of malware that is used to encrypt files to prevent them from being accessed. The attacker holds the keys to allow data to be decrypted, and those keys will only be provided if a ransom is paid. Ransom demands can range from a few thousand dollars for individual devices up to tens of millions of dollars for large companies.

900% Increase in Ransomware Attacks in 2021

This year has seen ransomware attacks conducted at an alarming level. CybSafe‘s data has revealed a 900% increase in ransomware attacks in the first 6 months of 2021 compared to the corresponding period last year. In addition to the increase in number, the cost of mitigating the attacks has increased and the ransom demands have been growing. This week, for example, Europe’s largest consumer electronics retailer – MediaMarkt – confirmed it was the victim of a Hive ransomware attack. The attackers reportedly demanded a payment of $240 million for the keys to decrypt files.

2021 has shown no company is off limits with multiple attacks conducted on critical infrastructure firms. One attack on Colonial Pipeline in the United States resulted in the shutdown of a fuel pipeline serving the Eastern Seaboard of the United States for a week. A ransom payment of $4.4 million was paid to the attackers to recover data.

The U.S. software company Kaseya, which provides a range of software solutions to businesses and managed service providers, suffered a major ransomware attack involving REvil ransomware. The REvil gang demanded a payment of $70 million for the keys to decrypt files. The attack affected around 40 managed service providers and an estimated 1,500 downstream businesses.

Attacks have also been conducted on many healthcare providers, with those attacks disrupting healthcare services and putting patient safety at risk. In May 2021, Ireland’s Health Service Executive (HSE) suffered a ransomware attack which is believed to have started with a phishing email. The response gave the Conti ransomware gang the access needed to encrypt files. A $20 million ransom demand was issued, although the attackers provided the keys free of charge in the end. Even so, the HSE took months to recover from the attack at considerable cost.

Ransomware Gangs Targeted by Law Enforcement

The above attacks represent just a tiny percentage of the ransomware attacks that have been publicly disclosed this year and it is clear that the threat of attack is unlikely to wane any time soon.

There has been some good news, however. The attacks on critical infrastructure firms have forced the U.S. government to step up its efforts to target ransomware-related crime. Following the attacks, ransomware attacks were elevated to a level akin to terrorist attacks, and with that comes additional resources.

Already the United States and law enforcement partners around the world have succeeded in disrupting the activities of several ransomware gangs. The REvil ransomware infrastructure was taken down and arrests were made, the Darkside operation shut down and its suspected successor BlackMatter also. Suspected members of the Clop ransomware operation have been arrested, and Europol has arrested 12 individuals in connection with LockerGoga, MegaCortex, and Dharma ransomware attacks.

While the arrests and infrastructure takedowns will have a short-term effect, ransomware threat actors are likely to regroup, set up new operations, and recommence their attacks as they have done in the past.

An Easy Step to Take to Improve Ransomware Defenses

Businesses need to take steps to combat the ransomware threat, but since many different methods are used to gain access to networks, this can be a challenge. The best place to start is to make sure defenses against phishing emails are put in place. Most ransomware attacks start with a phishing email, which either delivers malware or gives attackers credentials that provide them with the foothold in networks that they need to conduct their attacks.

Email security solutions such as SpamTitan filter out malicious messages and prevent them from reaching inboxes where they can fool employees. Technical solutions such as email security gateways are far more effective than end user training at blocking threats, although it is also important to make sure employees are aware of cybersecurity best practices and are taught how to identify a phishing email.

Email filtering solutions such as SpamTitan perform an in-depth analysis of all email content and can detect malicious links and email attachments. When emails fail the checks, they are sent to the quarantine folder where they can be reviewed. This allows security teams to gain a better understanding of the threats that are targeting their organization and also allows false positives to be identified so filtering rules can be updated.

SpamTitan incorporates dual antivirus engines for detecting known malware variants and email sandboxing where suspicious attachments are sent for in-depth analysis. The Bitdefender-powered sandbox allows new malware variants to be identified, and machine learning technology ensures email filtering improves over time.

A huge array of checks and controls ensure malicious messages are blocked, but that all happens behind the scenes. Administrators benefit from a clean, easy-to-use interface that requires no technical skills to navigate and use. All information and controls are intuitive.

If you would like to find out more about improving your defenses against ransomware, malware, phishing, and other email and web-based threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are available on a free trial, allowing you to put them to the test in your own environment before making a decision about a purchase.

OnePercent Ransomware Delivered via Phishing Emails

Ransomware attacks have been rife in 2021, with the increase in attacks seen in 2020 continuing throughout 2021. The number of attacks conducted in 2021 has been staggering. There were more attempted ransomware attacks in the first 6 months of 2021 than there were in all of 2020, according to one report.

Ransomware-as-a-service (RaaS) operations that were active throughout 2020 have increased their attacks, and while some RaaS operations have been shut down, attack volume is showing no sign of reducing. There is also a new ransomware threat to defend against.  The Federal Bureau of Investigation (FBI) has issued a warning about a new ransomware threat actor that has been particularly active in the United States. The group, known as OnePercent, has been using its ransomware to attack U.S. businesses since at least November 2020, according to a recent FBI Flash Alert. The group is known to use the legitimate penetration testing tool Cobalt Strike in its attacks, and prior to using their OnePercent ransomware variant to encrypt files, the attackers exfiltrate sensitive data from victims’ systems.  A ransom demand is issued for the keys to decrypt files and to prevent the publication of the stolen data on the group’s data leak sites on the TOR network and the publicly accessible Internet.

Like many ransomware gangs, the initial attack vector is phishing emails. Phishing emails are sent to targeted organizations that have malicious .ZIP email attachments which contain Word documents or Excel spreadsheets with malicious macros that deliver the IcedID banking Trojan. The Trojan downloads and installs Cobalt Strike on endpoints to allow the attacker to move laterally within victims’ networks to compromise as many devices as possible. The group is also known to use PowerShell, Mimikatz, SharpKatz, BetterSafetyKatz, and SharpSploit, and Rclone for data extraction.

The attackers are known to take their time within networks to identify and steal critical data. In attacks reported to the FBI, the group has spent up to a month from the initial compromise to the deployment of OnePercent ransomware. During that time, considerable volumes of data are exfiltrated. The ransomware itself encrypts files and uses a random 8-character extension for encrypted files.

As is now the norm, there is no fixed ransom payment. Victims are required to make contact with the attackers to receive ‘technical support’ recovering their files and to discover how much needs to be paid for the decryptors and to ensure data deletion. If the ransom is paid, the attackers say they will deliver the decryption keys within 48 hours. The threat group is also known to contact the victim by telephone using spoofed telephone numbers to pressure victims into paying by threatening to publish the stolen data. The group has also threatened to sell the stolen data to the Sodinokibi ransomware gang to list for sale at a public auction.

Since the group uses phishing emails as the initial attack vector, preventing those messages from reaching inboxes is the best defense against attacks. That requires an advanced spam filtering solution such as SpamTitan. It is also recommended to configure emails to display a warning when they are received from a sender that is outside the organization.

It is also important to follow cybersecurity best practices such as network segmentation to limit the potential for lateral movement, to audit user accounts with admin privileges and restrict their use as far as possible, and to configure access controls using the principle of least privilege. All critical data should be backed up offline on an external hard drive or storage device that is disconnected once the backup has been performed. Backups should also be tested to make sure file recovery is possible.

While the OnePercent ransomware gang is only known to use phishing emails as the attack vector, other methods of attack may also be adopted. It is therefore recommended to ensure that remote access and RDP ports are disabled if not used, to monitor remote access/RDP logs, to keep computers and applications up to date and to apply patches promptly, and to ensure that strong passwords are set and multi-factor authentication is implemented.

Ransomware and BEC Attacks Often Start with a Phishing Email: Are Your Phishing Defenses Good Enough?

Ransomware attacks can be incredibly expensive and business email compromise (BEC) scams can result in transfers of millions of dollars to attackers, but these breaches often start with an email.

Phishing emails are sent to employees that ask them to click on a link, which directs them to a webpage where they are asked to provide their login credentials, for Microsoft 365 for example. Once credentials are entered, they are captured and used to access that individual’s account. The employee is often unaware that anything untoward has happened.

The stolen credentials give an attacker the foothold in the network that is needed to launch a major cyberattack on the business. The phisher may use the email account to send further phishing emails to other employees in the company, with the aim being to gain access to the credentials of an individual with administrative privileges or the credentials of an executive.

An executive’s account can be used to send emails to an individual in the company responsible for making wire transfers. A request is sent for a wire transfer to be made and the transfer request is often not recognized as fraudulent until the funds have been transferred and withdrawn from the attacker’s account. These BEC scams often result in tens of thousands of dollars – or even millions – being transferred.

An alternative attack involves compromising the email accounts of employees and sending requests to payroll to have direct deposit information changed. Salaries are then transferred into attacker-controlled accounts.

Phishers may act as affiliates for ransomware-as-a-service (RaaS) gangs and use the access they gain through phishing to compromise other parts of the network, steal data, and then deploy ransomware, or they may simply sell the network access to ransomware gangs.

When email accounts are compromised, they can be used to attack vendors, customers, and other contacts. From a single compromised email account, the damage caused is considerable and often far-reaching. Data breaches often cost millions of dollars to mitigate. All this from a single response to a phishing email.

Phishing campaigns require very little skill to conduct and require next to no capital investment. The ease at which phishing attacks can be conducted and the potential profits that can be gained from attacks make this attack method very attractive for cybercriminals. Phishing can be used to attack small businesses with poor cybersecurity defenses, but it is often just as effective when attacking large enterprises with sophisticated perimeter defenses. This is why phishing has long been one of the most common ways that cybercriminals attack businesses.

See how SpamTitan Plus inspects all URLs to identify links to malicious websites. Book a free demo.
Book Free Demo

How to Deal with the Phishing Threat

Phishing attacks may lead to the costliest data breaches, but they are one of the easiest types of cyberattacks to prevent; however, some investment in cybersecurity and training is required. The most important first step is to purchase an advanced spam filter. This technical control is essential for preventing phishing emails from reaching end users’ inboxes. If the phishing emails do not arrive in an inbox, they cannot be clicked by an employee.

Not all spam filtering solutions are created equal. Basic spam filters are effective at blocking most threats, but some phishing emails will still be delivered to inboxes. Bear in mind that phishers are constantly changing tactics and are trying to get one step ahead of cybersecurity firms. Most spam filtering solutions will block messages from malicious IP addresses and IP addresses with poor reputations, along with any messages identified in previous phishing campaigns and messages containing known variants of malware.

Advanced spam filtering solutions use AI and machine learning techniques to identify messages that deviate from the normal emails a business typically receives, are able to detect previously unseen phishing emails, and incorporate Sender Policy Framework and DMARC to identify email impersonation attacks. Email sandboxing is also included which is used to identify previously unseen malware threats. Greylisting is a feature of advanced spam filters that involves initially rejecting a message and requesting it be resent. The delay in a response, if one is received at all, indicates the mail server is most likely being used for spamming. Spam servers are usually too busy on huge spam runs to resend messages that have initially been rejected.

Advanced spam filters also feature outbound email scanning, which can identify compromised email accounts and can block phishing messages from being sent internally or externally from a hacked mailbox.

SpamTitan incorporates all of these advanced controls, which is why it is capable of blocking more threats than basic spam filters. Independent tests have shown SpamTitan blocks in excess of 99.97% of malicious messages.

SpamTitan Plus provides leading-edge anti-phishing protection with “zero-day” threat protection and intelligence.
Book Free Demo

Don’t Neglect End User Training

No spam filter will be 100% effective at blocking phishing threats, at least not without also blocking an unacceptable number of genuine emails. It is therefore important to provide regular security awareness training to the workforce, with a strong emphasis on phishing. Employees need to be taught how to identify a phishing email and conditioned how to respond when a threat is received (alert their security team).

Since phishing tactics are constantly changing, regular training is required. When training is reinforced, it is easier to develop a security culture and regular training sessions will raise awareness of the latest phishing threats. It is also recommended to conduct phishing simulation exercises to test the effectiveness of the training program and to identify individuals who require further training.

Web Filtering is an Important Anti-Phishing Control

The key to blocking phishing attacks is to adopt a defense-in-depth approach. That means implementing multiple overlapping layers of security. One important additional layer is a web filtering solution. Spam filters target the phishing emails, whereas web filters work by blocking access to the webpages hosting the phishing kits that harvest credentials. With a spam filter and web filter implemented, you are tackling phishing from different angles and will improve your defenses.

A web filter will block access to known malicious websites, providing time-of-click protection against malicious hyperlinks in phishing emails. A web filter will also prevent employees from being redirected to phishing web pages from malicious website adverts when browsing the Internet. Web filters also analyze the content of web pages and will block access to malicious web content that has not previously been identified as malicious. Web filters will also block malware and ransomware downloads.

WebTitan is a highly effective DNS-based web filtering solution that protects against phishing, malware, and ransomware attacks. The solution can protect office workers but also employees who are working remotely.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

Speak to TitanHQ Today About Improving your Phishing Defenses

TitanHQ has been developing anti-phishing and anti-malware solutions for more than two decades. TitanHQ’s email and web security solutions are cost effective, flexible, easy to implement, and easy to maintain. They are consistently given top marks on software review sites and are a big hit with IT security professionals and managed service providers (MSPs). TitanHQ is the leading provider of email and web security solutions to MSPs serving the SMB market.

If you want to improve your phishing defenses and block more threats, contact the TitanHQ team today for further information on SpamTitan and WebTitan. Both solutions are available on a 100% free trial of the full product complete with product support. Product demonstrations can also be booked on request.

Phishing Attacks Surge and Businesses are Struggling to Deal with the Threat

Ransomware attacks have increased significantly since the start of 2020 and that increase has continued in 2021. While these attacks are occurring more frequently than ever, the threat from phishing has not gone away and attacks are still rife. Phishing attacks may not make headline news like ransomware attacks on hospitals that threaten patient safety, but they can still be incredibly damaging.

The aim of many phishing attacks is to obtain credentials. Email credentials are often targeted as email accounts contain a treasure trove of data. That data can be extremely valuable to cybercriminals. In healthcare for example, email accounts contain valuable healthcare data, health insurance information, and Social Security numbers, which can be used to commit identity theft, obtain medical treatment, and for tax fraud. Entire email accounts are often exfiltrated in the attacks and the accounts used to send tailored phishing emails to other individuals in the company.

Many data breaches start with a phishing email, with phishing often used by an attacker to gain a foothold in a network that can be used in a much more extensive attack on an organization. Phishing emails are often the first step in a malware or ransomware attack.

Multiple surveys have recently been conducted on IT leaders and employees that show phishing is a very real and present danger. Two recent surveys conducted in the United States and United Kingdom indicate almost three quarters of businesses have experienced a data breach as a result of a phishing attack in the past 12 months. One study indicated over 50% of IT leaders had seen an increase in phishing attacks in the past 12 months, while the other put the figure at 80%.

During the pandemic, many businesses were faced with the option of switching to a remote workforce or shutting down. The increase in remote working was a godsend for phishers, who increase their attacks on employees. Many IT departments lacked visibility with a remote workforce and found it harder to block phishing attacks than when employees are in the office. Staff shortages in IT have certainly not helped.

Staff training is important to raise awareness of the threat from phishing, but remote working has made that harder. Training needs to be provided regularly as it can easily be forgotten and bad habits can slip in. Phishing tactics are also constantly changing, so regular training is needed to keep employees aware of the latest threats and phishing techniques, so they know what to look for. It does not help that phishing attacks are increasingly targeted and more sophisticated and can be difficult for employees to spot even if they have received regular training.

So how can businesses combat the threat from phishing and avoid being one of the three quarters of companies that experience a phishing data breach each year? Training is important, but the right technology is required.

Two of the most important technical solutions that should be implemented to block phishing attacks are spam filters and web filters. Both are effective at combatting phishing, albeit from different angles. When both are used together, protection is better than the sum of both parts.

A spam filter must have certain features to block sophisticated phishing threats. Blacklists are great for identifying emails from known malicious IP addresses, but IP addresses frequently change. Machine learning approaches are needed to identify previously unseen phishing tactics and threats from IP addresses not known to be malicious. Multiple AV engines can help block more malware threats, while email sandboxing can identify new malware variants. DMARC is also vital to block email impersonation attacks, while outbound scanning is important to rapidly detect compromised mailboxes. All of these features are employed by SpamTitan, which is why the solution has such a high block rate (over 99.97%) and low false positive rate.

Web filters are primarily used to restrict access to malicious and undesirable websites, whether they are sites with pornographic content or malicious sites used for phishing and malware distribution. Web filters, especially DNS-based filters, greatly improve protection against threats and will block access to known malicious websites. They will also block malware downloads and restrict access to questionable websites that serve no work purpose but increase risk. WebTitan will do this and more, and can easily be configured to protect remote workers, no matter where they choose to access the Internet.

With phishing attacks increasing it is important that businesses deploy solutions to counter the threat to stay one step ahead of the phishers. For further information on SpamTitan and WebTitan, and how they can protect your business, give the TitanHQ team a call. Both solutions are available on a free trial to allow you to see for yourself the difference they make. You can sign up for a free trial of SpamTitan here, and WebTitan on this link.

Fake Windows 11 Installers Being Used to Deliver Malware

On June 24, 2021, Microsoft announced Windows 11 will soon be released. Windows 11 is a major upgrade of the Windows NT operating system, which will be the successor to Windows 10. Such a major release doesn’t happen that often – Windows 10 was released in 2015 – so there has been a lot of interest in the new operating system. The new Windows version is due for public release at the end of 2021, but there is an opportunity to get an early copy for free.

On June 28, Microsoft revealed the first Insider Preview of Windows 11. Upgrading to the new Windows version is straightforward. For a lucky few (or unlucky few if Windows 11 turns out to be exceptionally buggy), an upgrade just requires a user to enroll in the Dev channel of the Windows Insider Program.  That said, many people have been trying to get an upgrade from unofficial sources.

Unsurprisingly, unofficial ISOs that claim to provide Windows 11 do not. Instead, they deliver malware. Threat actors have been distributing these fake Windows 11 installers and using them to deliver a wide range of malicious payloads. At best, these fake Windows 11 installers will deliver adware or unwanted programs. More likely, malware will be installed with various degrees of maliciousness, such as Remote Access Trojans and backdoors that give the attackers full access to the victims’ devices, information stealers such as keyloggers that steal passwords and other sensitive data, cryptocurrency miners, and ransomware.

Researchers at Kaspersky Lab have identified several fake Windows 11 installers doing the rounds, including one seemingly legitimate installer named 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the name and 1.76GB file size, it was not what it seemed. If the user executed the file and agreed to the terms and conditions, the file would proceed to download a different executable that delivers a range of malicious software onto the user’s device.

As the hype builds ahead of the official release date, we can expect there to be many other fake installers released. Hackers do love a major software release, as its easy to get users to double click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so beware.

Ensure you have an advanced and effective spam filtering solution such as SpamTitan in place to protect against malicious emails, and a web filter such as WebTitan installed to block malicious file downloads. You should also make sure that you only install software or applications from official sources and take care to ensure that you really are on the official website of the software developer before downloading any files. A double click on a malicious executable file could cause a great deal of pain and expense for you and your employer.

10 Reasons MSPs Choose SpamTitan to Protect Against Email Threats

Phishing is the most common way that cybercriminals gain access to business networks, and the primary defense against these attacks is a spam filter. Spam filters inspect all inbound emails for the signatures of spam, phishing, and malware and keep inboxes free of these threats.

There are many spam filtering services on the market that can protect against advanced email threats, but why have so many managed service providers (MSP) chosen TitanHQ has their email security solution provider? What does SpamTitan provide that is proving to be such a bit hit with MSPs?

Why Managed Service Providers Choose SpamTitan Email Security for Their Clients

SpamTitan in a multi-award-winning anti-spam solution that incorporates powerful features to protect against phishing and other email-based attacks. The solution is currently used by more than 1,500 MSPs worldwide with that number growing steadily each month.

We have listed 10 of the main reasons why SpamTitan is proving to be such a popular choice with MSPs.

Excellent malware protection

SpamTitan includes dual anti-virus engines from two leading AV providers and email sandboxing that incorporates machine learning and behavioral analysis to safely detonate suspicious files.

Defense in depth protection for Office 365 environments

SpamTitan includes multiple protection measures that provide defense in depth against email threats, with easy integration into Office 365 environments to significantly improve defenses against phishing and email-based malware attacks.

Advanced email blocking

SpamTitan supports upload block and allow lists per policy, advanced reporting, recipient verification and outbound email scanning, with the ability to whitelist/blacklist at both a global level as well as a domain level.

Protection against zero-day attacks

SpamTitan uses machine learning predictive technology to block zero-day threats, with AI-driven threat intelligence to block zero-minute attacks.

Data leak prevention

Easily set powerful data leak prevention rules and tag data to identify and prevent internal data loss.

Simple integration

SpamTitan is easy to integrate into your existing Service Stack through TitanHQ API’s and MSPs benefit from streamlined management with RMM integrations.

Competitive pricing with monthly billing

MSPs benefit from a fully transparent pricing policy, competitive pricing, generous margins, and monthly billing. There is also a short sales cycle – only 14 days of a free trial is required to fully test the solution.

White label option to reinforce your brand

SpamTitan can be provided to managed service providers as a white label version that can be fully rebranded to reinforce an MSPs brand.

Intuitive multi-tenant dashboard

MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. SpamTitan is also a set and forget solution, requiring minimal IT service intervention.

Industry-leading customer support

TitanHQ provides the best customer service in the industry. MSPs benefit from world class pre-sales and technical support and sales & technical training. MSPs get a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.

If you have not yet started offering SpamTitan to your clients, give the TitanHQ channel team a call today for more information, to get started on a free trial, or for a product demonstration.

Colonial Pipeline Ransomware Attack Started with a Compromised Password

In April 2021, hackers gained access to the network of Colonial Pipeline and deployed ransomware that forced the shutdown of a fuel pipeline system serving the Eastern Seaboard of the United States. With fuel supplies threatened, there was panic buying of fuel by Americans on the East Coast which led to local fuel shortages. Gasoline prices rose to their highest level in more than 6 years, and stockpiles of gasoline on the East Coast fell by 4.6 million barrels.

The attack has been attributed to the DarkSide ransomware-as-a-service operation, which has since shut down. Prior to the shutdown, Colonial Pipeline paid a $4.4 million ransom for the keys to unlock the encrypted files.  The decision to pay the ransom was made because of the threat to fuel supplies. Colonial Pipeline supplied 45% of fuel to the East Coast, and while paying the attackers was a difficult decision, payment was made due to the threat to fuel supplies given how long it was likely to take to recover without the attacker-supplied decryption keys.

Such a major attack on a critical infrastructure firm should have been difficult; however, an investigation into the cyberattack revealed gaining access to the company’s computer system couldn’t have been simpler. The attackers used a compromised password to remotely access Colonial Pipeline’s systems, and that account was not protected with multi-factor authentication.

The password was for a virtual private network account, according to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation. The account was not in use, but it was still possible to use the login credentials to access Colonial Pipeline’s network.

It is not known how the hackers obtained the password. The password has since been found in a database of breached passwords that was leaked on the darkweb. It is possible that an individual had set a password for the account that had been used on another account that had been breached. It is common for passwords from data breaches to be attempted in brute force attacks as password reuse is common. Passwords are also often obtained in phishing attacks.

Mandiant looked for evidence of how the password was obtained by the hackers. The researchers found no signs of attacker activity before the April 29, 2021 nor any evidence of phishing. How the password was obtained and the username determined may never be known.

What is clear is that the attack could have easily been prevented had cybersecurity best practices been followed such as conducting audits of accounts and shutting down accounts that are no longer in use, setting unique, complex passwords for each account, implementing multi-factor authentication to stop compromised passwords from being used, and implementing an effective anti-spam solution to block phishing emails.

Webinar June 30, 2021: How to Reduce the Risk of Phishing and Ransomware Attacks

The two main cybersecurity threats that businesses now have to deal with are phishing and ransomware attacks and those threats have become even more common over the past 12 months. Cybercriminals stepped up their attacks during the pandemic with many phishing campaigns launched using the novel coronavirus as a lure. These campaigns sought to distribute malware and steal credentials.

Ransomware attacks also increased in 2020. Several new ransomware-as-a-service (RaaS) operations were launched in 2020 and the number of attacks on businesses soared. In addition to encrypting files, data theft was also highly prevalent n 2020, with most ransomware operators stealing data prior to encrypting files. This double extortion tactic proved to be very effective. Many businesses were forced to pay the ransom even though they had backups and could have recovered their files. Payments were made to ensure data stolen in the attack was deleted and not misused, published, or sold.

Phishing and ransomware attacks often go hand in hand and are often used together in the same attack. Phishing emails are used to install malware, which in turn is used to provide access for ransomware gangs. The Emotet and TrickBot Trojans are notable examples. Operators of both of those Trojans teamed up with ransomware gangs and sold access once they had achieved their own objectives. The credentials stolen in phishing attacks are also sold onto RaaS affiliates and provide the foothold they need to conduct their devastating attacks.

Phishing campaigns are easy to conduct, low cost, and they can be very effective. Largescale campaigns involve millions of messages, and while most of those emails will be blocked by email security solutions or will be identified by employees as a threat, all it takes is for one employee to respond to a phishing email for an attacker to gain the access they need.

TitanHQ recently partnered with Osterman Research to explore how these and other cyber threats have affected businesses over the past 12 months. This new and original study involved an in-depth survey of security professionals to find out how those threats have affected their organization and how effective their defenses are at repelling attackers.

The survey showed the most common security incidents suffered by businesses were business email compromise (BEC) attacks, where employees are tricked into taking an action suggested in a scam email from the CEO, CFO or another high-level executive. These attacks often involve the genuine email account of an executive being compromised in a phishing scam and the attacker using that account to target employees in the same organization.

The next biggest threat was phishing emails that resulted in a malware infection, followed by phishing messages that stole credentials and resulted in an account compromise. The survey showed that these attacks are extremely common. 85% of interviewed security professionals said they had experienced one or more of 17 different types of security breaches in the past 12 months. While attacks were common, only 37% of respondents said their defenses against phishing and ransomware attacks were highly effective.

There are several steps that can be taken to improve defenses against phishing and ransomware attacks. End user training is important to teach employees what to look for and how to identify these types of threats. However, there is always potential for human error, so training alone is not the answer. Email security is the best defense. By blocking these threats at source, they will not land in inboxes and employees will not be tested. Email security should be combined with a web security solution to block the web-based component of phishing attacks and stop malware and ransomware downloads from the Internet.

The findings of the Osterman and TitanHQ survey will be explained in detail at an upcoming webinar on June 30, 2021. Attendees will also learn how they can significantly reduce the risk of ransomware and phishing attacks.

The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ.  You can Register Your Place Here

How Can MSPs Make Office 365 More Profitable?

Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.

Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.

Benefits for MSPs from Offering Office 365 to Clients

SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.

MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.

MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.

By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.

How MSPs Can Make Office 365 More Profitable

The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.

The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.

One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.

Phishing is the number one security threat faced by businesses and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, by blocking phishing attacks and malware at source, a considerable amount of time can be saved on support. Offering spam filtering can help to generate additional recurring revenue, with SpamTitan provided as a high margin, subscription based SaaS solution.

There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, and improves efficiency, and gives clients access to emails from any location. Email archiving is available with office 365, but the solution has some severe drawbacks, and may not meet compliance requirements. Offering a feature-rich email archiving solution that is fully compliant, easy to use, with lightning fast search and retrieval should be an easy sell to Office 365 users.

Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself and should not be too difficult to sell to Office 365 users.

Office 365 MSP Add-ons from TitanHQ

For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ Alliance Program.

All TitanHQ solutions have been developed from the ground to meet the needs of the SMB marketplace and MSPs. TitanHQ’s spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs security stacks to make Office 365 more profitable. All TitanHQ solutions are quick and easy to deploy, and can be implemented into your existing Service Stack through API’s and RMM integrations. The MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. MSPs benefit from competitive pricing strategies, including monthly billing as we understand your clients are billed monthly.

There are multiple hosting options, including hosting the solution within your own data center, and all TitanHQ products can be supplied as a white label, ready to take your own branding. We have made our solutions as easy as possible to use, with intuitive controls and everything placed at your fingertips. However, should you ever have a problem, you will benefit from the best customer service in the industry, as well as scalable pre-sales and technical support and sales & technical training.

Why SpamTitan is Perfect for MSP’s?

  • The best spam and virus protection for MSPs with dual AV engines and Bitdefender-powered sandboxing
  • Low management overhead – A set and forget solution
  • Use our private cloud or your own data center
  • Extensive suite of APIs for integration into your central management system
  • Multi-tenant solution with multiple management roles
  • Scalable to thousands of users
  • In and outbound email scanning with IP domain protection
  • Extensive drill down reporting
  • Flexible pricing models to suit your needs, including monthly billing
  • Generous margins for MSPs
  • Fully customizable branding

TitanSHIELD Program for MSPs

To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:

TitanSHIELD Benefits

Sales Enablement


Partner Support Private or Public Cloud deployment Access to the Partner Portal
Dedicated Account Manager White Label or Co-branding Co-Branded Evaluation Site
Assigned Sales Engineer Support API integration Social Network participation
Access to Global Partner Program Hotline Free 30-day evaluations Joint PR
Access to Partner Knowledge Base Product Discounts Joint White Papers
Technical Support Competitive upgrades Partner Events and Conferences
24/7 Priority Technical Support Tiered Deal Registration TitanHQ Newsletter
5 a.m. to 5 p.m. (PST) Technical Support Renewal Protection Better Together Webinars
Online Technical Training and FAQs Advanced Product Information Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base Competitive Information and Research Sales Campaigns in a box
Not-for-Resale (NFR) Key Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility TitanHQ Partner Welcome Kit
QTRLY Business Planning and Review Access to TitanHQ’s MVP Rewards Program
Access to Partner Support

To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ Alliance Program team today and take the first step toward making Office 365 more profitable.

UK Universities Schools Increasingly Targeted by Ransomware Gangs

Ransomware attacks on the education sector in the United Kingdom have increased sharply since February, and the sector was already extensively targeted by threat groups long before then. The education sector is an attractive target for cybercriminals as sizeable amounts of sensitive data are stored within computer systems that can be easily monetized if stolen.

Students’ personally identifiable information is of more value than that of adults, and it can often be used for years before any fraud is detected. Higher education institutions often have intellectual property and research data that is incredibly valuable and can easily be sold on for a huge profit. Ransomware attacks prevent access to essential data, and with the pandemic forcing the education sector to largely switch to online learning, when communication channels and websites are taken out of action learning can grind to a halt.

In the United Kingdom, the reopening of schools and universities has only been possible with COVID-19 testing and contact tracing, which is also disrupted by ransomware attacks. Files are encrypted which prevents access to essential testing and monitoring data, further hampering the ability of schools, colleges, and universities to operate.

As is the case with healthcare, which has also seen a major increase in cyberattacks during the pandemic, services are majorly disrupted without access to computer systems, and there is considerable pressure on both industries to pay the ransom demands to recover from the attacks more quickly. Ransoms are more likely to be paid than in other industry sectors.

What makes the education sector an even more attractive prospect for cybercriminals is poorer security defenses than other industries. The lack of security controls makes attacks much more likely to succeed. On top of that, students often use their own devices to connect to networks so security can be very difficult to police, and many departments make their own IT decisions, which can easily result in vulnerabilities being introduced and remaining unaddressed.

The ease and profitability of attacks has made education a top target for ransomware gangs. Emsisoft reports education was the sector most targeted by ransomware gangs in 2020.

The increase in ransomware attacks on educational institutions in the United Kingdom prompted the UK’s National Cyber Security Center to issue a warning in March to all entities in the education sector about the risk of cyberattacks. NCSC noted in its alert that there was a significant increase in attacks in August and September 2020, and a further rise in attacks since February 2021.

University of Hertfordshire Suffers Major Cyberattack

One of the most damaging university cyberattacks in recent months occurred at the University of Hertfordshire. Late on April 14, cybercriminals struck, with the attack impacting all of the university’s systems. No cloud systems were available, nor MS Teams, Canvas, or Zoom. The attack forced the university to cancel all of its online classes for the following day, although in person teaching was able to continue provided computer access was not necessary.

It has been more than a week since the attack, and while some systems are now back online, disruption is still being experienced with student records, university business services, learning resource centre services, data storage, student services, staff services, and the postgraduate application portal, with the email system also considered to be at risk.

The university has not confirmed the nature of the attack, but it has the hallmarks of a ransomware attack, although the university has issued a statement stating that the attack did not involve data theft.

The University of Hertfordshire is certainly not alone. In March, South and City College of Birmingham was hit with a ransomware attack that took all of its computer systems out of action, with the college forced to switch to online learning for its 13,000 students.

UK Schools also Under Attack

The cyberattacks in the United Kingdom have not been limited to universities. School systems have also suffered more than their fair share of attacks. In March, the Harris Federation, which runs 50 schools in the UK, suffered a ransomware attack that took out communications systems and majorly affecting online learning for 37,000 students.

Also in March, the Nova Education Trust suffered a ransomware attack that took its systems out of action and affected 15 schools, all of which lost access to their communication channels including the phone system, email, and websites. The Castle School Education Trust also suffered a ransomware attack in March that disrupted the online functions of 23 schools.

What Can Be Done to Stop Cyberattacks in Education?

Cybersecurity must become a major focus for schools, colleges, and universities. The attacks are being conducted because they are easy and profitable and, until that changes, the attacks are not likely to slow and, in all likelihood, will continue to increase.

To protect against attacks, the education sector needs to implement multi-layered security defenses and find and address vulnerabilities before they are discovered by ransomware gangs and other cybercriminal operations.

The best place to start is by improving security for the two main attack vectors: email and the Internet. That is an area where TitanHQ can help. To find out more, get in touch with the TitanHQ team today and take the first step towards improving your security posture and better protecting your networks and endpoints from extremely damaging cyberattacks.

Saint Bot Malware: A New Malware Dropper Being Distributed via Phishing Emails

A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.

Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.

The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender and the Saint Bot malware binary.

The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.

The malware has not been linked with any specific threat group and could well be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.

Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.

In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and condition them how to respond when a potential threat is detected.

How SpamTitan Can Protect Against Phishing and Malware Attacks

SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.

SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, email sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.

SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.

SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, G2 Crowd and has won no less than 37 consecutive Virus Bulletin Spam awards.

If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.

IcedID Malware Distribution Increases Using Phishing Emails and Hijacked Web Forms

Threat actors are constantly changing their tactics, techniques, and procedures (TTP) to increase the chances of getting their malicious payloads delivered. Spam and phishing emails are still the most common methods used for delivering malware, with the malicious payloads often downloaded via the web via hyperlinks embedded in emails.

A new tactic that has been adopted by the threat group behind the IcedID banking Trojan cum malware downloader involves hijacking contact forms on company websites. Contact forms are used on most websites to allow individuals to register interest. These contact forms typically have CAPTCHA protections which limit their potential for use in malicious campaigns, as they block bots and require each contact request to be performed manually.

However, the threat actors behind the IcedID banking Trojan have found a way of bypassing CATCHA protections and have been using contact forms to deliver malicious emails. The emails generated by contact forms will usually be delivered to inboxes, as the contact forms are trusted and are often whitelisted, which means email security gateways will not block any malicious messages.

In this campaign, the contact forms are used to send messages threatening legal action over a copyright violation. The messages submitted claim the company has used images on its website that have been added without the image owner’s permission. The message threatens legal action if the images are not immediately removed from the website, and a hyperlink is provided in the message to Google Sites that contains details of the copyrighted images and proof they are the intellectual property of the sender of the message.

Clicking the hyperlink to review the supplied evidence will result in the download of zip file containing an obfuscated .js downloader that will deliver the IcedID payload. Once IcedID is installed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.

IcedID distribution has increased in recent weeks, not only via this method but also via phishing emails. A large-scale phishing campaign is underway that uses a variety of business-themed lures in phishing emails with Excel attachments that have Excel 4 macros that deliver the banking Trojan.

The increase in IcedID malware distribution is likely part of a campaign to infect large numbers of devices to create a botnet that can be rented out to other threat groups under the malware-as-a-service model. Now that the Emotet botnet has been taken down, which was used to deliver different malware and ransomware variants, there is a gap in the market and IcedID could be the threat that takes over from Emotet. In many ways the IcedID Trojan is very similar to Emotet and could become the leading malware-as-a-service offering for delivering malware payloads.

To find out how you can protect your business against malware and phishing threats at a reasonable price, give the TitanHQ team a call today and discover for yourself why TitanHQ email and web security solutions consistently get 5-star ratings from users for protection, price, ease of use, and customer service and support.

Attack on California State Controller Serves as Warning for All Businesses on Phishing Threat

A phishing attack on an employee of the California State Controller’s Office Unclaimed Property Division highlights how a single response from an employee to a phishing email could easily result in a massive breach. In this case, the phishing attack was detected promptly, with the attacker only having access to an employee’s email account for less than 24 hours from March 18.

In the 24 hours that the attacker had access to the email account, the contents of the account could have been exfiltrated. Emails in the account included unclaimed property holder reports. Those reports included names, dates of birth, addresses, and Social Security numbers – the type of information that could be used to steal identities.

The email that fooled the employee into clicking a link and disclosing login credentials appeared to have been sent from a trusted outside entity, which is why the email was assumed to be legitimate. After stealing the employee’s credentials undetected, the attacker immediately went to work and tried to compromise the email accounts of other state workers.

In the short time that the individual had access to the account, around 9,000 other state workers were sent phishing emails from the compromised account. Fortunately, the attack was detected promptly and all contacts were alerted about the phishing emails and told to delete the messages.  That single compromised account could easily have led to a massive email account breach.

Phishing is now the biggest data security threat faced by businesses. The attacks are easy to conduct, require little skill, and can be extremely lucrative. Email accounts often contain a treasure trove of data that can be easily monetized, the accounts can be used to send further phishing emails internally and to external contacts and customers, and a breach of Microsoft 365 credentials could allow a much more extensive attack on a company. Many ransomware attacks start with a single response to a phishing email.

To improve protection against phishing attacks it is important to train the workforce how to identify phishing emails, teach cybersecurity best practices, and condition employees to stop and think before taking any action requested in emails. However, phishing attacks are often highly sophisticated and the emails can be difficult to distinguish from genuine email communications. As this phishing attack demonstrates, emails often come from trusted sources whose accounts have been compromised in previous phishing attacks.

What is needed is an advanced anti-phishing solution that can detect these malicious emails and prevent them from being delivered to employee inboxes. The solution should also include outbound email scanning to identify messages sent from compromised email accounts.

SpamTitan offers protection against these phishing attacks. All incoming emails are subjected to deep analysis using a plethora of detection mechanisms. Machine learning technology is used to identify phishing emails that deviate from typical emails received by employees, and outbound scanning can identify compromised email accounts and block outbound phishing attacks on company employees and contacts.

If you want to improve your defenses against phishing, give the SpamTitan team a call today to find out more. The full product is available on a free trial, and during the trial you will have full access to the product support team who, will help you get the most out of your trial.

Pysa Ransomware Gang Targeting Education Sector

Throughout 2020 the healthcare sector has been a major target of ransomware gangs, but the education sector is also facing an increase in attacks, with the Pysa (Mespinoza) ransomware gang now targeting the education sector.

Pysa ransomware is a variant of Mespinoza ransomware that was first observed being used in attacks in October 2019. The threat group behind the attacks, like many other ransomware threat groups, uses double extortion tactics on victims. Files are encrypted and a ransom demand is issued for the keys to decrypt files, but to increase the probability of the ransom being paid, data is exfiltrated prior to file encryption. The gang threatens to monetize the stolen data on the darkweb if the ransom is not paid. Many attacked entities have been forced to pay the ransom demand even when they have backups to prevent the sale of their data.

Since October 2019, the Pysa ransomware gang has targeted large companies, the healthcare sector, and local government agencies, but there has been a recent increase in attacks on the education sector. Attacks have been conducted on K12 schools, higher education institutions, and seminaries, with attacks occurring in 12 U.S. states and the United Kingdom. The rise in attacks prompted the FBI to issue a Flash Alert in March 2020 warning the education sector about the increased risk of attack.

Analyses of attacks revealed the gang conducts network reconnaissance using open source tools such as Advanced Port Scanner and Advanced IP Scanner. Tools such as PowerShell Empire, Koadic, and Mimikatz are used to obtain credentials, escalate privileges, and move laterally within networks. The gang identifies and exfiltrates sensitive data before delivering and executing the ransomware payload. The types of data stolen are those that can be used to pressure victims into paying and can easily be monetized on the darkweb.

Identifying a Pysa ransomware attack in progress is challenging, so it is essential for defenses to be hardened to prevent initial access. Several methods have been used to gain access to networks, although in many cases it is unclear how the attack started. In attacks on French companies and government agencies brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have involved exploitation of Remote Desktop Protocol vulnerabilities, with the gang is also known to use spam and phishing emails to obtain credentials to get a foothold in networks.

Since several methods are used for gaining access, there is no single solution that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to harden their defenses.

Antivirus/antimalware solution is a must, as is ensuring it is kept up to date. Since many attacks start with a phishing email, an advanced email security gateway is also important. Choosing a solution such as SpamTitan that incorporates dual AV engines and email sandboxing will maximize the chance of detecting malicious emails. SpamTitan also incorporates machine learning methods to identify new methods of email attacks.

End user training is also important to teach staff how to identify potentially malicious emails and train them on cybersecurity best practices such as setting strong passwords, not reusing passwords, and the dangers of using public Wi-Fi networks. Also consider disabling hyperlinks in emails, flagging emails that arrive from external sources, and implementing multi-factor authentication on accounts.

Patches and security updates should be implemented promptly after they have been released to prevent vulnerabilities from being exploited. You should use the rule of least privilege for accounts, restrict the use of administrative accounts as far as possible, and segment networks to limit the potential for lateral movement. You should also be scanning your network for suspicious activity and configure alerts to allow any potential infiltration to be rapidly identified. All unused RDP ports should be closed, and a VPN used for remote access.

It is essential for backups to be made of all critical data to ensure that file recovery is possible without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored securely on an air-gapped device.

TitanHQ Wins 3 Experts Insights’ 2021 Best-Of Awards

TitanHQ has been recognized for its email security, web security, and email archiving solutions, collecting not one, not two, but three prestigious awards from Expert Insights.

Expert Insights was launched in 2018 to help businesses find cybersecurity solutions to protect their networks and devices from an ever-increasing number of cyber threats. Researching cybersecurity solutions can be a time-consuming process, and the insights and information provided by Expert Insights considerably shortens that process. Unlike many resources highlighting the best software solutions, Expert Insights includes ratings from verified users of the products to give users of the resource valuable insights about how easy products are to use and how effective they are at blocking threats. Expert Insights has helped more than 100,000 businesses choose cybersecurity solutions and the website is visited by more than 40,000 individuals a month.

Each year, Expert Insights recognizes the best and most innovative cybersecurity solutions on the market in its “Best-Of” Awards. The editorial team at Expert Insights assesses vendors and their products on a range of criteria, including technical features, ease-of-use, market presence, and reviews by verified users of the solutions. Each product is assessed by technology experts to determine the winners in a broad range of categories, including cloud, email, endpoint, web, identity, and backup security.

“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Craig MacAlpine, CEO and Founder, Expert Insights. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”

Three TitanHQ cybersecurity solutions were selected and named winners in the Expert Insights’ 2021 “Best-Of” Awards in the Email Security Gateway, Web Security, and Email Archiving categories. SpamTitan was named winner in the Email Security Gateway category, WebTitan won in the Web Security category, and ArcTitan was named a winner in the Email Archiving category. SpamTitan and WebTitan were praised for the level of protection provided, while being among the easiest to use and most cost-effective solutions in their respective categories.

All three products are consistently praised for the level of protection provided and are a bit hit with enterprises, SMBs, and MSPs.  The solutions attract many 5-star reviews from real users on the Expert Insights site and many other review sites, including Capterra, GetApp, Software Advice, Google Reviews, and G2 Crowd.  The cybersecurity solutions are now used by more than 8,500 businesses and over 2,500 MSPs.

“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”

Most Ransomware Attacks Start with a Phishing Email

Ransomware attacks in 2020 were conducted at twice the rate of the previous year, with many organizations falling victim and having to pay large ransoms to recover their data or risk sensitive information being published or sold to cybercriminal organizations.

At the start of 2020, data exfiltration prior to the deployment of ransomware was still only being conducted by a small number of ransomware gangs, but that soon changed as the year progressed. By the end of the year, at least 17 cybercriminal gangs were using this double extortion tactic and were stealing sensitive data prior to encrypting files. Faced with the threat of publication of sensitive data, many attacked organizations felt they had little alternative other than to pay the ransom demand.

The extent of ransomware attacks in 2020 has been highlighted by various studies by cybersecurity researchers over the past few weeks. Chainalysis recently released a report that suggests more than $350 million has been paid to cybercriminals in 2020 alone, based on an analysis of the transactions to blockchain addresses known to be used by ransomware threat groups. Of course, that figure is likely to be far lower than the true total, as many companies do not disclose that they have suffered ransomware attacks. To put that figure into perspective, a similar analysis in 2019 estimated the losses to be around $90 million. Those figures are for ransom payments alone, not the cost of resolving attacks, which would be several orders of magnitude higher.

The increase in attacks can be partly attributed to the change in working practices due to the pandemic. Many companies switched from office-based working to a distributed remote workforce to prevent the spread of COVID-19 and keep their employees protected. The rapid change involved hastily implementing remote access solutions to support those workers which introduced vulnerabilities that were readily exploited by ransomware gangs.

Most Ransomware Attacks Now Start with Phishing

Throughout 2020, phishing was commonly used as a way to gain access to corporate networks, accounting for between 25% and 30% of all ransomware attacks, but new data released by the ransomware attack remediation firm Coveware shows the attack methods changed in the last quarter of 2020. As companies and organizations addressed vulnerabilities in remote access solutions and VPNs and improved their defenses, phishing became the most common attack method. Coveware’s analysis shows that in the final quarter of 2020, more than 50% of ransomware attacks started with a phishing email.

Ransomware can be delivered directly through phishing emails, although it is more common to use intermediary malware. The most commonly used malware variants for distributing ransomware are Trojans such as Emotet and TrickBot, both of which are extensively delivered via phishing emails. These malware variants are also capable of self-propagating and spreading to other devices on the network.

Access to compromised devices is then sold to ransomware gangs, who access the devices, steal sensitive data, then deploy their ransomware payload. The Emotet botnet played a large role in ransomware attacks in 2020, and while it has now been disrupted following a joint law enforcement operation, other malware variants are certain to take its place.

The same report also highlighted the nature of businesses attacked with ransomware. Far from the gangs targeting large enterprises with deep pockets, most attacks are on small- to medium-sized businesses with under 250 employees. 30.2% of attacks were on businesses with between 11 and 100 employees, with 35.7% on businesses with 101 to 1,000 employees. Healthcare organizations, professional services firms, and financial services companies have all been targeted and commonly fall victim to attacks, although no sector is immune.

70% of ransomware attacks now involve data theft prior to encryption, so even if backups exist and can be used to restore data, it may not be possible to avoid paying the ransom. There is also a growing trend for data to be permanently deleted, which leaves businesses with no way of recovering data after a ransomware attack.

Steps to Take to Block Ransomware Attacks

What all businesses and organizations need to do is to make it as hard as possible for the attacks to succeed. While there is no single solution for blocking ransomware attacks, there are measures that can be taken that make it much harder for the attacks to succeed.

With most ransomware attacks now starting with a phishing email, an advanced email security solution is a must. By deploying best-of-breed solutions such as SpamTitan to proactively protect the Office365 environment it will be much easier to block threats than simply relying on Office 365 anti-spam protections, which are commonly bypassed to deliver Trojans and ransomware.

A web filtering solution can provide protection against ransomware delivered over the internet, including via links sent in phishing emails. Multi-factor authentication should be implemented for email accounts and cloud apps, employees should be trained how to identify threats, and monitoring systems should be implemented to allow attacks in progress to be detected and mitigated before ransomware is deployed.