Our network security news section contains a range of articles relating to securing networks and blocking cyberattacks, ransomware and malware downloads. This section also features articles on recent network security breaches, alerting organizations to the latest attack trends being used by cybercriminals.
Layered cybersecurity defenses are essential given the increase in hacking incidents and the explosion in ransomware and malware variants over the past two years. Organizations can tackle the threat by investing in new security defenses such as next generation firewalls, end point protection systems, web filtering solutions and advanced anti-malware and antivirus defenses.
While much investment goes on tried and tested solutions that have been highly effective in the past, many cybersecurity solutions – antivirus software – are not as effective as they once were. In order to maintain pace with hackers and cybercriminals and get ahead of the curve, organizations should consider implementing a wide range of new cybersecurity solutions to block network intrusions, prevent data breaches and improve protection against the latest malware and ransomware threats.
This category contains information and advice on alternative network security solutions that can be adopted to improve network security and ensure networks are not infiltrated by hackers and infected with malicious software.
Ransomware attacks have been rife in 2021, with the increase in attacks seen in 2020 continuing throughout 2021. The number of attacks conducted in 2021 has been staggering. There were more attempted ransomware attacks in the first 6 months of 2021 than there were in all of 2020, according to one report.
Ransomware-as-a-service (RaaS) operations that were active throughout 2020 have increased their attacks, and while some RaaS operations have been shut down, attack volume is showing no sign of reducing. There is also a new ransomware threat to defend against. The Federal Bureau of Investigation (FBI) has issued a warning about a new ransomware threat actor that has been particularly active in the United States. The group, known as OnePercent, has been using its ransomware to attack U.S. businesses since at least November 2020, according to a recent FBI Flash Alert. The group is known to use the legitimate penetration testing tool Cobalt Strike in its attacks, and prior to using their OnePercent ransomware variant to encrypt files, the attackers exfiltrate sensitive data from victims’ systems. A ransom demand is issued for the keys to decrypt files and to prevent the publication of the stolen data on the group’s data leak sites on the TOR network and the publicly accessible Internet.
As with many ransomware gangs, the initial attack vector is phishing emails. Phishing emails are sent to targeted organizations with malicious .ZIP attachments containing Word documents or Excel spreadsheets with malicious macros that deliver the IcedID banking Trojan. The Trojan downloads and installs Cobalt Strike on endpoints to allow the attacker to move laterally within victims’ networks and compromise as many devices as possible. The group is also known to use PowerShell, Mimikatz, SharpKatz, BetterSafetyKatz and SharpSploit, and Rclone for data exfiltration.
The attackers are known to take their time within networks to identify and steal critical data. In attacks reported to the FBI, the group has spent up to a month from the initial compromise to the deployment of OnePercent ransomware. During that time, considerable volumes of data are exfiltrated. The ransomware itself encrypts files and uses a random 8-character extension for encrypted files.
As is now the norm, there is no fixed ransom payment. Victims are required to make contact with the attackers to receive ‘technical support’ recovering their files and to discover how much needs to be paid for the decryptors and to ensure data deletion. If the ransom is paid, the attackers say they will deliver the decryption keys within 48 hours. The threat group is also known to contact the victim by telephone using spoofed telephone numbers to pressure victims into paying by threatening to publish the stolen data. The group has also threatened to sell the stolen data to the Sodinokibi ransomware gang to list for sale at a public auction.
Since the group uses phishing emails as the initial attack vector, preventing those messages from reaching inboxes is the best defense against attacks. That requires an advanced spam filtering solution such as SpamTitan. It is also recommended to configure emails to display a warning when they are received from a sender that is outside the organization.
It is also important to follow cybersecurity best practices such as network segmentation to limit the potential for lateral movement, to audit user accounts with admin privileges and restrict their use as far as possible, and to configure access controls using the principle of least privilege. All critical data should be backed up offline on an external hard drive or storage device that is disconnected once the backup has been performed. Backups should also be tested to make sure file recovery is possible.
While the OnePercent ransomware gang is only known to use phishing emails as the attack vector, other methods of attack may also be adopted. It is therefore recommended to ensure that remote access and RDP ports are disabled if not used, to monitor remote access/RDP logs, to keep computers and applications up to date and to apply patches promptly, and to ensure that strong passwords are set and multi-factor authentication is implemented.
Ransomware attacks can be incredibly expensive and business email compromise (BEC) scams can result in transfers of millions of dollars to attackers, but these breaches often start with an email.
Phishing emails are sent to employees that ask them to click on a link, which directs them to a webpage where they are asked to provide their login credentials, for Microsoft 365 for example. Once credentials are entered, they are captured and used to access that individual’s account. The employee is often unaware that anything untoward has happened.
The stolen credentials give an attacker the foothold in the network that is needed to launch a major cyberattack on the business. The phisher may use the email account to send further phishing emails to other employees in the company, with the aim being to gain access to the credentials of an individual with administrative privileges or the credentials of an executive.
An executive’s account can be used to send emails to an individual in the company responsible for making wire transfers. A request is sent for a wire transfer to be made and the transfer request is often not recognized as fraudulent until the funds have been transferred and withdrawn from the attacker’s account. These BEC scams often result in tens of thousands of dollars – or even millions – being transferred.
An alternative attack involves compromising the email accounts of employees and sending requests to payroll to have direct deposit information changed. Salaries are then transferred into attacker-controlled accounts.
Phishers may act as affiliates for ransomware-as-a-service (RaaS) gangs and use the access they gain through phishing to compromise other parts of the network, steal data, and then deploy ransomware, or they may simply sell the network access to ransomware gangs.
When email accounts are compromised, they can be used to attack vendors, customers, and other contacts. From a single compromised email account, the damage caused is considerable and often far reaching. Data breaches often cost millions of dollars to mitigate. All this from a single response to a phishing email.
Phishing campaigns require very little skill to conduct and next to no capital investment. The ease with which phishing attacks can be conducted and the potential profits that can be gained from them make this attack method very attractive for cybercriminals. Phishing can be used to attack small businesses with poor cybersecurity defenses, but it is often just as effective against large enterprises with sophisticated perimeter defenses. This is why phishing has long been one of the most common ways that cybercriminals attack businesses.
How to Deal with the Phishing Threat
Phishing attacks may lead to the costliest data breaches, but they are one of the easiest types of cyberattacks to prevent; however, some investment in cybersecurity and training is required. The most important first step is to purchase an advanced spam filter. This technical control is essential for preventing phishing emails from reaching end users’ inboxes. If the phishing emails do not arrive in an inbox, they cannot be clicked by an employee.
Not all spam filtering solutions are created equal. Basic spam filters are effective at blocking most threats, but some phishing emails will still be delivered to inboxes. Bear in mind that phishers are constantly changing tactics and are trying to get one step ahead of cybersecurity firms. Most spam filtering solutions will block messages from malicious IP addresses and IP addresses with poor reputations, along with any messages identified in previous phishing campaigns and messages containing known variants of malware.
Advanced spam filtering solutions use AI and machine learning techniques to identify messages that deviate from the emails a business typically receives, are able to detect previously unseen phishing emails, and incorporate Sender Policy Framework (SPF) and DMARC checks to identify email impersonation attacks. Sandboxing is also included, which is used to identify previously unseen malware threats. Greylisting is a feature of advanced spam filters that involves initially rejecting a message with a temporary error and requesting that it be resent. Whether the message is resent, and how long that takes, indicates whether the sending mail server is most likely being used for spamming: legitimate mail servers queue the message and retry after a delay, whereas spam servers are usually too busy on huge spam runs to resend messages that have initially been rejected.
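The greylisting behaviour described above, reduced to its decision logic in an added example (this is not TitanHQ's or SpamTitan's code; the 5-minute minimum retry delay, the 4-hour expiry, and all addresses and IP addresses are constructed assumptions):

```python
"""Greylisting decision logic.

A first delivery attempt from an unseen (client IP, sender, recipient)
triplet gets a temporary rejection. A retry that arrives after the minimum
delay is accepted and the triplet is remembered. A sender that never
retries, or retries too quickly, is never delivered.
"""
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300          # seconds a sender must wait before a retry counts (assumed)
    max_wait: int = 4 * 3600      # pending entries older than this are forgotten (assumed)
    pending: dict = field(default_factory=dict)   # triplet -> time of first attempt
    known: set = field(default_factory=set)       # triplets that have passed greylisting

    def decide(self, client_ip, sender, recipient, now):
        """Return the SMTP response for one delivery attempt at time `now` (seconds)."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.known:
            return ACCEPT
        first = self.pending.get(triplet)
        if first is None or now - first > self.max_wait:
            # Never seen, or the earlier attempt expired: reject temporarily and
            # start the clock. A well-behaved MTA queues the message and retries.
            self.pending[triplet] = now
            return TEMPFAIL
        if now - first < self.min_delay:
            # Retried too quickly: keep the original clock and reject again.
            return TEMPFAIL
        # Retried after the minimum delay: the sender behaves like a real MTA.
        del self.pending[triplet]
        self.known.add(triplet)
        return ACCEPT


def simulate(attempts, **kw):
    """Run (time, client_ip, sender, recipient) attempts through one greylist
    and return the responses in order."""
    gl = Greylist(**kw)
    return [gl.decide(ip, s, r, t) for t, ip, s, r in attempts]


# Constructed sample traffic (addresses and IPs are made up).
LEGIT = [
    (0,   "203.0.113.10", "alice@example.com", "bob@corp.example"),
    (600, "203.0.113.10", "alice@example.com", "bob@corp.example"),    # retry after 10 min
    (900, "203.0.113.10", "alice@example.com", "carol@corp.example"),  # new recipient, new triplet
]
SPAM_RUN = [
    (0, "198.51.100.7", "promo@spam.example", "bob@corp.example"),
    # no retry: the spam run simply moves on to the next target
]
IMPATIENT = [
    (0,  "198.51.100.8", "offer@spam.example", "bob@corp.example"),
    (20, "198.51.100.8", "offer@spam.example", "bob@corp.example"),    # retries after 20 s
]

if __name__ == "__main__":
    for name, run in [("legit", LEGIT), ("spam", SPAM_RUN), ("impatient", IMPATIENT)]:
        print(name, simulate(run))
```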
Advanced spam filters also feature outbound email scanning, which can identify compromised email accounts and can block phishing messages from being sent internally or externally from a hacked mailbox.
SpamTitan incorporates all of these advanced controls, which is why it is capable of blocking more threats than basic spam filters. Independent tests have shown SpamTitan blocks in excess of 99.97% of malicious messages.
Don’t Neglect End User Training
No spam filter will be 100% effective at blocking phishing threats, at least not without also blocking an unacceptable number of genuine emails. It is therefore important to provide regular security awareness training to the workforce, with a strong emphasis on phishing. Employees need to be taught how to identify a phishing email and conditioned to respond correctly when a threat is received (alert their security team).
Since phishing tactics are constantly changing, regular training is required. When training is reinforced, it is easier to develop a security culture and regular training sessions will raise awareness of the latest phishing threats. It is also recommended to conduct phishing simulation exercises to test the effectiveness of the training program and to identify individuals who require further training.
Web Filtering is an Important Anti-Phishing Control
The key to blocking phishing attacks is to adopt a defense-in-depth approach. That means implementing multiple overlapping layers of security. One important additional layer is a web filtering solution. Spam filters target the phishing emails, whereas web filters work by blocking access to the webpages hosting the phishing kits that harvest credentials. With a spam filter and web filter implemented, you are tackling phishing from different angles and will improve your defenses.
A web filter will block access to known malicious websites, providing time-of-click protection against malicious hyperlinks in phishing emails. A web filter will also prevent employees from being redirected to phishing web pages from malicious website adverts when browsing the Internet. Web filters also analyze the content of web pages and will block access to malicious web content that has not previously been identified as malicious. Web filters will also block malware and ransomware downloads.
WebTitan is a highly effective DNS-based web filtering solution that protects against phishing, malware, and ransomware attacks. The solution can protect office workers but also employees who are working remotely.
Speak to TitanHQ Today About Improving your Phishing Defenses
TitanHQ has been developing anti-phishing and anti-malware solutions for more than two decades. TitanHQ’s email and web security solutions are cost effective, flexible, easy to implement, and easy to maintain. They are consistently given top marks on software review sites and are a big hit with IT security professionals and managed service providers (MSPs). TitanHQ is the leading provider of email and web security solutions to MSPs serving the SMB market.
If you want to improve your phishing defenses and block more threats, contact the TitanHQ team today for further information on SpamTitan and WebTitan. Both solutions are available on a 100% free trial of the full product complete with product support. Product demonstrations can also be booked on request.
Ransomware attacks have increased significantly since the start of 2020 and that increase has continued in 2021. While these attacks are occurring more frequently than ever, the threat from phishing has not gone away and attacks are still rife. Phishing attacks may not make headline news like ransomware attacks on hospitals that threaten patient safety, but they can still be incredibly damaging.
The aim of many phishing attacks is to obtain credentials. Email credentials are often targeted as email accounts contain a treasure trove of data. That data can be extremely valuable to cybercriminals. In healthcare for example, email accounts contain valuable healthcare data, health insurance information, and Social Security numbers, which can be used to commit identity theft, obtain medical treatment, and for tax fraud. Entire email accounts are often exfiltrated in the attacks and the accounts used to send tailored phishing emails to other individuals in the company.
Many data breaches start with a phishing email, with phishing often used by an attacker to gain a foothold in a network that can be used in a much more extensive attack on an organization. Phishing emails are often the first step in a malware or ransomware attack.
Multiple surveys have recently been conducted on IT leaders and employees that show phishing is a very real and present danger. Two recent surveys conducted in the United States and United Kingdom indicate almost three quarters of businesses have experienced a data breach as a result of a phishing attack in the past 12 months. One study indicated over 50% of IT leaders had seen an increase in phishing attacks in the past 12 months, while the other put the figure at 80%.
During the pandemic, many businesses were faced with the choice of switching to a remote workforce or shutting down. The increase in remote working was a godsend for phishers, who increased their attacks on employees. Many IT departments lacked visibility into a remote workforce and found it harder to block phishing attacks than when employees were in the office. Staff shortages in IT have certainly not helped.
Staff training is important to raise awareness of the threat from phishing, but remote working has made that harder. Training needs to be provided regularly as it can easily be forgotten and bad habits can slip in. Phishing tactics are also constantly changing, so regular training is needed to keep employees aware of the latest threats and phishing techniques, so they know what to look for. It does not help that phishing attacks are increasingly targeted and more sophisticated and can be difficult for employees to spot even if they have received regular training.
So how can businesses combat the threat from phishing and avoid being one of the three quarters of companies that experience a phishing data breach each year? Training is important, but the right technology is required.
Two of the most important technical solutions that should be implemented to block phishing attacks are spam filters and web filters. Both are effective at combatting phishing, albeit from different angles. When both are used together, protection is better than the sum of both parts.
A spam filter must have certain features to block sophisticated phishing threats. Blacklists are great for identifying emails from known malicious IP addresses, but IP addresses frequently change. Machine learning approaches are needed to identify previously unseen phishing tactics and threats from IP addresses not known to be malicious. Multiple AV engines can help to block more malware threats, while sandboxing can be used to identify new malware variants. DMARC is also vital to block email impersonation attacks, while outbound scanning is important to rapidly detect compromised mailboxes. All of these features are employed by SpamTitan, which is why the solution has such a high block rate (over 99.97%) and low false positive rate.
Web filters are primarily used to restrict access to malicious and undesirable websites, whether they are sites with pornographic content or malicious sites used for phishing and malware distribution. Web filters, especially DNS-based filters, greatly improve protection against threats and will block access to known malicious websites. They will also block malware downloads and restrict access to questionable websites that serve no work purpose but increase risk. WebTitan will do this and more, and can easily be configured to protect remote workers, no matter where they choose to access the Internet.
With phishing attacks increasing it is important that businesses deploy solutions to counter the threat to stay one step ahead of the phishers. For further information on SpamTitan and WebTitan, and how they can protect your business, give the TitanHQ team a call. Both solutions are available on a free trial to allow you to see for yourself the difference they make. You can sign up for a free trial of SpamTitan here, and WebTitan on this link.
On June 24, 2021, Microsoft announced Windows 11 will soon be released. Windows 11 is a major upgrade of the Windows NT operating system, which will be the successor to Windows 10. Such a major release doesn’t happen that often – Windows 10 was released in 2015 – so there has been a lot of interest in the new operating system. The new Windows version is due for public release at the end of 2021, but there is an opportunity to get an early copy for free.
On June 28, Microsoft revealed the first Insider Preview of Windows 11. Upgrading to the new Windows version is straightforward. For a lucky few (or unlucky few if Windows 11 turns out to be exceptionally buggy), an upgrade just requires a user to enroll in the Dev channel of the Windows Insider Program. That said, many people have been trying to get an upgrade from unofficial sources.
Unsurprisingly, unofficial ISOs that claim to provide Windows 11 do not. Instead, they deliver malware. Threat actors have been distributing these fake Windows 11 installers and using them to deliver a wide range of malicious payloads. At best, these fake Windows 11 installers will deliver adware or unwanted programs. More likely, malware will be installed with various degrees of maliciousness, such as Remote Access Trojans and backdoors that give the attackers full access to the victims’ devices, information stealers such as keyloggers that steal passwords and other sensitive data, cryptocurrency miners, and ransomware.
Researchers at Kaspersky Lab have identified several fake Windows 11 installers doing the rounds, including one seemingly legitimate installer named 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the name and 1.76GB file size, it was not what it seemed. If the user executed the file and agreed to the terms and conditions, the file would proceed to download a different executable that delivers a range of malicious software onto the user’s device.
As the hype builds ahead of the official release date, we can expect many other fake installers to be released. Hackers do love a major software release, as it's easy to get users to double click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so beware.
Ensure you have an advanced and effective spam filtering solution such as SpamTitan in place to protect against malicious emails, and a web filter such as WebTitan installed to block malicious file downloads. You should also make sure that you only install software or applications from official sources and take care to ensure that you really are on the official website of the software developer before downloading any files. A double click on a malicious executable file could cause a great deal of pain and expense for you and your employer.
Phishing is the most common way that cybercriminals gain access to business networks, and the primary defense against these attacks is a spam filter. Spam filters inspect all inbound emails for the signatures of spam, phishing, and malware and keep inboxes free of these threats.
There are many spam filtering solutions on the market that can protect against advanced email threats, but why have so many managed service providers (MSPs) chosen TitanHQ as their email security solution provider? What does SpamTitan provide that is proving to be such a big hit with MSPs?
Why Managed Service Providers Choose SpamTitan Email Security for Their Clients
SpamTitan is a multi-award-winning anti-spam solution that incorporates powerful features to protect against phishing and other email-based attacks. The solution is currently used by more than 1,500 MSPs worldwide, with that number growing steadily each month.
We have listed 10 of the main reasons why SpamTitan is proving to be such a popular choice with MSPs.
Excellent malware protection
SpamTitan includes dual anti-virus engines from two leading AV providers and sandboxing that incorporates machine learning and behavioral analysis to safely detonate suspicious files.
Defense in depth protection for Office 365 environments
SpamTitan includes multiple protection measures that provide defense in depth against email threats, with easy integration into Office 365 environments to significantly improve defenses against phishing and email-based malware attacks.
Advanced email blocking
SpamTitan supports upload block and allow lists per policy, advanced reporting, recipient verification and outbound email scanning, with the ability to whitelist/blacklist at both a global level as well as a domain level.
Protection against zero-day attacks
SpamTitan uses machine learning predictive technology to block zero-day threats, with AI-driven threat intelligence to block zero-minute attacks.
Data leak prevention
Easily set powerful data leak prevention rules and tag data to identify and prevent internal data loss.
Easy integration with your existing service stack
SpamTitan is easy to integrate into your existing service stack through TitanHQ APIs, and MSPs benefit from streamlined management with RMM integrations.
Competitive pricing with monthly billing
MSPs benefit from a fully transparent pricing policy, competitive pricing, generous margins, and monthly billing. There is also a short sales cycle – only 14 days of a free trial is required to fully test the solution.
White label option to reinforce your brand
SpamTitan can be provided to managed service providers as a white label version that can be fully rebranded to reinforce an MSP's brand.
Intuitive multi-tenant dashboard
MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. SpamTitan is also a set and forget solution, requiring minimal IT service intervention.
Industry-leading customer support
TitanHQ provides the best customer service in the industry. MSPs benefit from world class pre-sales and technical support and sales & technical training. MSPs get a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.
If you have not yet started offering SpamTitan to your clients, give the TitanHQ channel team a call today for more information, to get started on a free trial, or for a product demonstration.
In April 2021, hackers gained access to the network of Colonial Pipeline and deployed ransomware that forced the shutdown of a fuel pipeline system serving the Eastern Seaboard of the United States. With fuel supplies threatened, there was panic buying of fuel by Americans on the East Coast which led to local fuel shortages. Gasoline prices rose to their highest level in more than 6 years, and stockpiles of gasoline on the East Coast fell by 4.6 million barrels.
The attack has been attributed to the DarkSide ransomware-as-a-service operation, which has since shut down. Prior to the shutdown, Colonial Pipeline paid a $4.4 million ransom for the keys to unlock the encrypted files. The decision to pay the ransom was made because of the threat to fuel supplies. Colonial Pipeline supplied 45% of fuel to the East Coast, and while paying the attackers was a difficult decision, payment was made due to the threat to fuel supplies given how long it was likely to take to recover without the attacker-supplied decryption keys.
Such a major attack on a critical infrastructure firm should have been difficult; however, an investigation into the cyberattack revealed gaining access to the company’s computer system couldn’t have been simpler. The attackers used a compromised password to remotely access Colonial Pipeline’s systems, and that account was not protected with multi-factor authentication.
The password was for a virtual private network account, according to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation. The account was not in use, but it was still possible to use the login credentials to access Colonial Pipeline’s network.
It is not known how the hackers obtained the password. The password has since been found in a database of breached passwords that was leaked on the darkweb. It is possible that an individual had set a password for the account that had been used on another account that had been breached. It is common for passwords from data breaches to be attempted in brute force attacks as password reuse is common. Passwords are also often obtained in phishing attacks.
Mandiant looked for evidence of how the password was obtained by the hackers. The researchers found no signs of attacker activity before April 29, 2021, nor any evidence of phishing. How the password was obtained and the username determined may never be known.
What is clear is that the attack could have easily been prevented had cybersecurity best practices been followed such as conducting audits of accounts and shutting down accounts that are no longer in use, setting unique, complex passwords for each account, implementing multi-factor authentication to stop compromised passwords from being used, and implementing an effective anti-spam solution to block phishing emails.
The two main cybersecurity threats that businesses now have to deal with are phishing and ransomware attacks and those threats have become even more common over the past 12 months. Cybercriminals stepped up their attacks during the pandemic with many phishing campaigns launched using the novel coronavirus as a lure. These campaigns sought to distribute malware and steal credentials.
Ransomware attacks also increased in 2020. Several new ransomware-as-a-service (RaaS) operations were launched in 2020 and the number of attacks on businesses soared. In addition to encrypting files, data theft was also highly prevalent in 2020, with most ransomware operators stealing data prior to encrypting files. This double extortion tactic proved to be very effective. Many businesses were forced to pay the ransom even though they had backups and could have recovered their files. Payments were made to ensure data stolen in the attack was deleted and not misused, published, or sold.
Phishing and ransomware attacks often go hand in hand and are often used together in the same attack. Phishing emails are used to install malware, which in turn is used to provide access for ransomware gangs. The Emotet and TrickBot Trojans are notable examples. Operators of both of those Trojans teamed up with ransomware gangs and sold access once they had achieved their own objectives. The credentials stolen in phishing attacks are also sold onto RaaS affiliates and provide the foothold they need to conduct their devastating attacks.
Phishing campaigns are easy to conduct, low cost, and they can be very effective. Largescale campaigns involve millions of messages, and while most of those emails will be blocked by email security solutions or will be identified by employees as a threat, all it takes is for one employee to respond to a phishing email for an attacker to gain the access they need.
TitanHQ recently partnered with Osterman Research to explore how these and other cyber threats have affected businesses over the past 12 months. This new and original study involved an in-depth survey of security professionals to find out how those threats have affected their organization and how effective their defenses are at repelling attackers.
The survey showed the most common security incidents suffered by businesses were business email compromise (BEC) attacks, where employees are tricked into taking an action suggested in a scam email from the CEO, CFO or another high-level executive. These attacks often involve the genuine email account of an executive being compromised in a phishing scam and the attacker using that account to target employees in the same organization.
The next biggest threat was phishing emails that resulted in a malware infection, followed by phishing messages that stole credentials and resulted in an account compromise. The survey showed that these attacks are extremely common. 85% of interviewed security professionals said they had experienced one or more of 17 different types of security breaches in the past 12 months. While attacks were common, only 37% of respondents said their defenses against phishing and ransomware attacks were highly effective.
There are several steps that can be taken to improve defenses against phishing and ransomware attacks. End user training is important to teach employees what to look for and how to identify these types of threats. However, there is always potential for human error, so training alone is not the answer. Email security is the best defense. By blocking these threats at source, they will not land in inboxes and employees will not be tested. Email security should be combined with a web security solution to block the web-based component of phishing attacks and stop malware and ransomware downloads from the Internet.
The findings of the Osterman and TitanHQ survey will be explained in detail at an upcoming webinar on June 30, 2021. Attendees will also learn how they can significantly reduce the risk of ransomware and phishing attacks.
The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ. You can Register Your Place Here
Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.
Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.
Benefits for MSPs from Offering Office 365 to Clients
SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.
MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.
MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.
By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.
How MSPs Can Make Office 365 More Profitable
The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.
The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.
One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.
Phishing is the number one security threat faced by businesses, and Office 365's anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, MSPs can make a decent margin on the add-on solution, and by blocking phishing attacks and malware at source they can save a considerable amount of support time. Offering spam filtering also generates additional recurring revenue, with SpamTitan provided as a high-margin, subscription-based SaaS solution.
There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, improves efficiency, and gives clients access to emails from any location. Email archiving is available with Office 365, but the solution has some severe drawbacks and may not meet compliance requirements. Offering a feature-rich email archiving solution that is fully compliant, easy to use, and has lightning-fast search and retrieval should be an easy sell to Office 365 users.
Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself and should not be too difficult to sell to Office 365 users.
Office 365 MSP Add-ons from TitanHQ
For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ Alliance Program.
All TitanHQ solutions have been developed from the ground up to meet the needs of the SMB marketplace and MSPs. TitanHQ's spam filtering solution (SpamTitan), email archiving solution (ArcTitan), and web filtering solution (WebTitan) save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs' security stacks to make Office 365 more profitable. All TitanHQ solutions are quick and easy to deploy and can be implemented into your existing service stack through APIs and RMM integrations. The MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. MSPs benefit from competitive pricing strategies, including monthly billing, as we understand your clients are billed monthly.
There are multiple hosting options, including hosting the solution within your own data center, and all TitanHQ products can be supplied as a white label, ready to take your own branding. We have made our solutions as easy as possible to use, with intuitive controls and everything placed at your fingertips. However, should you ever have a problem, you will benefit from the best customer service in the industry, as well as scalable pre-sales and technical support and sales & technical training.
Why SpamTitan is Perfect for MSPs
The best spam and virus protection for MSPs with dual AV engines and Bitdefender-powered sandboxing
Low management overhead – A set and forget solution
Use our private cloud or your own data center
Extensive suite of APIs for integration into your central management system
Multi-tenant solution with multiple management roles
Scalable to thousands of users
Inbound and outbound email scanning with IP domain protection
Extensive drill down reporting
Flexible pricing models to suit your needs, including monthly billing
Generous margins for MSPs
Fully customizable branding
TitanSHIELD Program for MSPs
To make it as easy as possible for MSPs to incorporate our world-class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanSHIELD MSP Program allows MSPs to take advantage of TitanHQ's proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:
Private or Public Cloud deployment
Access to the Partner Portal
Dedicated Account Manager
White Label or Co-branding
Co-Branded Evaluation Site
Assigned Sales Engineer Support
Social Network participation
Access to Global Partner Program Hotline
Free 30-day evaluations
Access to Partner Knowledge Base
Joint White Papers
Partner Events and Conferences
24/7 Priority Technical Support
Tiered Deal Registration
5 a.m. to 5 p.m. (PST) Technical Support
Better Together Webinars
Online Technical Training and FAQs
Advanced Product Information
Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base
Competitive Information and Research
Sales Campaigns in a box
Not-for-Resale (NFR) Key
Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools
TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility
TitanHQ Partner Welcome Kit
Quarterly Business Planning and Review
Access to TitanHQ’s MVP Rewards Program
Access to Partner Support
To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ Alliance Program team today and take the first step toward making Office 365 more profitable.
Ransomware attacks on the education sector in the United Kingdom have increased sharply since February, and the sector was already extensively targeted by threat groups long before then. The education sector is an attractive target for cybercriminals as sizeable amounts of sensitive data are stored within computer systems that can be easily monetized if stolen.
Students’ personally identifiable information is of more value than that of adults, and it can often be used for years before any fraud is detected. Higher education institutions often have intellectual property and research data that is incredibly valuable and can easily be sold on for a huge profit. Ransomware attacks prevent access to essential data, and with the pandemic forcing the education sector to largely switch to online learning, when communication channels and websites are taken out of action learning can grind to a halt.
In the United Kingdom, the reopening of schools and universities has only been possible with COVID-19 testing and contact tracing, which is also disrupted by ransomware attacks. Files are encrypted which prevents access to essential testing and monitoring data, further hampering the ability of schools, colleges, and universities to operate.
As is the case with healthcare, which has also seen a major increase in cyberattacks during the pandemic, services are severely disrupted without access to computer systems, and there is considerable pressure on both industries to pay the ransom demands to recover from the attacks more quickly. Ransoms are more likely to be paid than in other industry sectors.
What makes the education sector an even more attractive prospect for cybercriminals is poorer security defenses than other industries. The lack of security controls makes attacks much more likely to succeed. On top of that, students often use their own devices to connect to networks so security can be very difficult to police, and many departments make their own IT decisions, which can easily result in vulnerabilities being introduced and remaining unaddressed.
The ease and profitability of attacks have made education a top target for ransomware gangs. Emsisoft reports that education was the sector most targeted by ransomware gangs in 2020.
The increase in ransomware attacks on educational institutions in the United Kingdom prompted the UK's National Cyber Security Centre (NCSC) to issue a warning in March to all entities in the education sector about the risk of cyberattacks. NCSC noted in its alert that there was a significant increase in attacks in August and September 2020, and a further rise in attacks since February 2021.
University of Hertfordshire Suffers Major Cyberattack
One of the most damaging university cyberattacks in recent months occurred at the University of Hertfordshire. Late on April 14, cybercriminals struck, with the attack impacting all of the university’s systems. No cloud systems were available, nor MS Teams, Canvas, or Zoom. The attack forced the university to cancel all of its online classes for the following day, although in person teaching was able to continue provided computer access was not necessary.
It has been more than a week since the attack, and while some systems are now back online, disruption is still being experienced with student records, university business services, learning resource centre services, data storage, student services, staff services, and the postgraduate application portal, with the email system also considered to be at risk.
The university has not confirmed the nature of the attack, but it has the hallmarks of a ransomware attack, although the university has issued a statement stating that the attack did not involve data theft.
The University of Hertfordshire is certainly not alone. In March, South and City College of Birmingham was hit with a ransomware attack that took all of its computer systems out of action, with the college forced to switch to online learning for its 13,000 students.
UK Schools also Under Attack
The cyberattacks in the United Kingdom have not been limited to universities. School systems have also suffered more than their fair share of attacks. In March, the Harris Federation, which runs 50 schools in the UK, suffered a ransomware attack that took out communications systems and severely affected online learning for 37,000 students.
Also in March, the Nova Education Trust suffered a ransomware attack that took its systems out of action and affected 15 schools, all of which lost access to their communication channels including the phone system, email, and websites. The Castle School Education Trust also suffered a ransomware attack in March that disrupted the online functions of 23 schools.
What Can Be Done to Stop Cyberattacks in Education?
Cybersecurity must become a major focus for schools, colleges, and universities. The attacks are being conducted because they are easy and profitable and, until that changes, the attacks are not likely to slow and, in all likelihood, will continue to increase.
To protect against attacks, the education sector needs to implement multi-layered security defenses and find and address vulnerabilities before they are discovered by ransomware gangs and other cybercriminal operations.
The best place to start is by improving security for the two main attack vectors: email and the Internet. That is an area where TitanHQ can help. To find out more, get in touch with the TitanHQ team today and take the first step towards improving your security posture and better protecting your networks and endpoints from extremely damaging cyberattacks.
A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.
Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.
The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender, followed by the Saint Bot malware binary.
The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.
The malware has not been linked with any specific threat group and could well be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.
Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.
In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and condition them to respond correctly when a potential threat is detected.
How SpamTitan Can Protect Against Phishing and Malware Attacks
SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.
SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.
SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.
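The DMARC check named above is the part of an email gateway that catches impersonation of the visible From: address. The following is an added example of how that evaluation works; it is not SpamTitan's or TitanHQ's code. It assumes the gateway has already run SPF and DKIM and can hand over the From: domain, the domain SPF authenticated, the d= domains of any verified DKIM signatures, and the DMARC TXT record for the From: domain (the record and domains below are constructed). The organizational-domain lookup is approximated by the last two labels; a real implementation uses the Public Suffix List.

```python
"""DMARC identifier-alignment evaluation as an email gateway applies it.

Added example, not SpamTitan's implementation. All sample domains and the
DMARC record are constructed. Organizational domains are approximated by
the last two DNS labels (assumption); production code must use the Public
Suffix List so that names such as example.co.uk are handled correctly.
"""
from typing import Dict, Iterable, Optional, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain (assumption: last two labels)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    f = from_domain.lower().strip(".")
    a = auth_domain.lower().strip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(from_domain: str,
                   spf_authenticated_domain: Optional[str],
                   dkim_signing_domains: Iterable[str],
                   record_txt: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    The result is 'pass' when at least one authenticator (SPF or DKIM) both
    passed and aligns with the From: domain. Otherwise it is 'fail' and the
    disposition is the record's p= tag (none / quarantine / reject), which is
    what lets a gateway reject a message whose visible From: is spoofed.
    """
    tags = parse_dmarc_record(record_txt)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_aligned = aligned(from_domain, spf_authenticated_domain, aspf)
    dkim_aligned = any(aligned(from_domain, d, adkim) for d in dkim_signing_domains)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags.get("p", "none")


# Constructed record: reject policy, strict SPF alignment, relaxed DKIM alignment.
EXAMPLE_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Legitimate mail: SPF passed for a subdomain (strict alignment fails) but
    # the DKIM signature is from the organizational domain (relaxed passes).
    print(evaluate_dmarc("example.com", "mail.example.com", ["example.com"], EXAMPLE_RECORD))
    # Impersonation: relayed through an unrelated domain, no DKIM signature.
    print(evaluate_dmarc("example.com", "bulk-sender.example.net", [], EXAMPLE_RECORD))
```

The second call shows why a reject policy matters: an SPF pass on the sending relay's own domain does nothing for the recipient unless that domain aligns with what the user sees in From:.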
SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, G2 Crowd and has won no less than 37 consecutive Virus Bulletin Spam awards.
If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.
Threat actors are constantly changing their tactics, techniques, and procedures (TTPs) to increase the chances of getting their malicious payloads delivered. Spam and phishing emails are still the most common methods used for delivering malware, with the malicious payloads often downloaded from the web via hyperlinks embedded in emails.
A new tactic adopted by the threat group behind the IcedID banking Trojan, which now also operates as a malware downloader, involves hijacking contact forms on company websites. Contact forms are used on most websites to allow individuals to register interest. These contact forms typically have CAPTCHA protections which limit their potential for use in malicious campaigns, as they block bots and require each contact request to be performed manually.
However, the threat actors behind the IcedID banking Trojan have found a way of bypassing CAPTCHA protections and have been using contact forms to deliver malicious emails. The emails generated by contact forms will usually be delivered to inboxes, as the contact forms are trusted and are often whitelisted, which means email security gateways will not block any malicious messages.
In this campaign, the contact forms are used to send messages threatening legal action over a copyright violation. The messages submitted claim the company has used images on its website that have been added without the image owner’s permission. The message threatens legal action if the images are not immediately removed from the website, and a hyperlink is provided in the message to Google Sites that contains details of the copyrighted images and proof they are the intellectual property of the sender of the message.
Clicking the hyperlink to review the supplied evidence will result in the download of a zip file containing an obfuscated .js downloader that will deliver the IcedID payload. Once IcedID is installed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.
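Both the Saint Bot lure described earlier (a Zip holding a text file and a LNK with an embedded PowerShell script) and the IcedID lure here (a Zip holding an obfuscated .js downloader) rely on an archive member that executes when opened. The following is an added example of the kind of archive inspection a mail or web gateway can apply before delivery; it is not SpamTitan's, WebTitan's or TitanHQ's code. The archives are constructed in memory and the member names (wallet.lnk, images_proof.js) are made up to mirror the two lures; the contents are placeholders, not real shortcuts or scripts.

```python
"""Inspect an archive attachment for members that should block delivery.

Added example, not TitanHQ code. Archives and member names below are
constructed to mirror the lures discussed in the text; the member
contents are inert placeholders.
"""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Member types that run code when a user double-clicks them on Windows.
# A LNK can carry an embedded command line (PowerShell in the Saint Bot
# case); JS/JSE/VBS/WSF run under Windows Script Host; BAT/CMD/PS1 run
# shell or PowerShell code; HTA runs under mshta.
EXECUTABLE_EXTENSIONS = {
    "lnk", "js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd", "ps1",
    "exe", "scr", "dll", "com", "pif",
}
# Archives inside archives: either recurse into them or block them.
NESTED_ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "iso", "img"}


def classify_member(name: str) -> Optional[str]:
    """Return a reason string if this member should block the archive, else None."""
    if name.endswith("/"):
        return None  # directory entry, nothing to execute
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"executable member type .{ext}"
    if ext in NESTED_ARCHIVE_EXTENSIONS:
        return f"nested archive .{ext} (inspect recursively or block)"
    return None


def risky_archive_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for every member that should block delivery.

    Only the central directory is read; no member is extracted, so a
    malformed or hostile member body is never touched here.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_member(info.filename)
            if reason is not None:
                findings.append((info.filename, reason))
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name->content mapping (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples mirroring the two lures in the text.
BITCOIN_WALLET_ZIP = build_zip({
    "instructions.txt": b"Open the wallet file to import your coins.",
    "wallet.lnk": b"<constructed placeholder, not a real shortcut>",
})
COPYRIGHT_EVIDENCE_ZIP = build_zip({
    "evidence/": b"",
    "evidence/images_proof.js": b"// constructed placeholder, not a real downloader",
})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 constructed", "notes.txt": b"hi"})

if __name__ == "__main__":
    for label, blob in [("bitcoin lure", BITCOIN_WALLET_ZIP),
                        ("copyright lure", COPYRIGHT_EVIDENCE_ZIP),
                        ("benign", BENIGN_ZIP)]:
        print(label, risky_archive_members(blob))
```

A gateway policy built on this would quarantine an archive on the first finding rather than just listing it; the extension sets are a starting point to be extended with whatever your environment has no business receiving by email.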
IcedID distribution has increased in recent weeks, not only via this method but also via phishing emails. A large-scale phishing campaign is underway that uses a variety of business-themed lures in phishing emails with Excel attachments that have Excel 4 macros that deliver the banking Trojan.
The increase in IcedID malware distribution is likely part of a campaign to infect large numbers of devices to create a botnet that can be rented out to other threat groups under the malware-as-a-service model. Now that the Emotet botnet has been taken down, which was used to deliver different malware and ransomware variants, there is a gap in the market and IcedID could be the threat that takes over from Emotet. In many ways the IcedID Trojan is very similar to Emotet and could become the leading malware-as-a-service offering for delivering malware payloads.
To find out how you can protect your business against malware and phishing threats at a reasonable price, give the TitanHQ team a call today and discover for yourself why TitanHQ email and web security solutions consistently get 5-star ratings from users for protection, price, ease of use, and customer service and support.
A phishing attack on an employee of the California State Controller’s Office Unclaimed Property Division highlights how a single response from an employee to a phishing email could easily result in a massive breach. In this case, the phishing attack was detected promptly, with the attacker only having access to an employee’s email account for less than 24 hours from March 18.
In the 24 hours that the attacker had access to the email account, the contents of the account could have been exfiltrated. Emails in the account included unclaimed property holder reports. Those reports included names, dates of birth, addresses, and Social Security numbers – the type of information that could be used to steal identities.
The email that fooled the employee into clicking a link and disclosing login credentials appeared to have been sent from a trusted outside entity, which is why the email was assumed to be legitimate. After stealing the employee’s credentials undetected, the attacker immediately went to work and tried to compromise the email accounts of other state workers.
In the short time that the individual had access to the account, around 9,000 other state workers were sent phishing emails from the compromised account. Fortunately, the attack was detected promptly and all contacts were alerted about the phishing emails and told to delete the messages. That single compromised account could easily have led to a massive email account breach.
Phishing is now the biggest data security threat faced by businesses. The attacks are easy to conduct, require little skill, and can be extremely lucrative. Email accounts often contain a treasure trove of data that can be easily monetized, the accounts can be used to send further phishing emails internally and to external contacts and customers, and a breach of Microsoft 365 credentials could allow a much more extensive attack on a company. Many ransomware attacks start with a single response to a phishing email.
To improve protection against phishing attacks it is important to train the workforce how to identify phishing emails, teach cybersecurity best practices, and condition employees to stop and think before taking any action requested in emails. However, phishing attacks are often highly sophisticated and the emails can be difficult to distinguish from genuine email communications. As this phishing attack demonstrates, emails often come from trusted sources whose accounts have been compromised in previous phishing attacks.
What is needed is an advanced anti-phishing solution that can detect these malicious emails and prevent them from being delivered to employee inboxes. The solution should also include outbound email scanning to identify messages sent from compromised email accounts.
SpamTitan offers protection against these phishing attacks. All incoming emails are subjected to deep analysis using a plethora of detection mechanisms. Machine learning technology is used to identify phishing emails that deviate from typical emails received by employees, and outbound scanning can identify compromised email accounts and block outbound phishing attacks on company employees and contacts.
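The incident above (one compromised account used to send phishing emails to around 9,000 other state workers within 24 hours) is the pattern outbound scanning is meant to catch: a sudden fan-out to far more distinct recipients than the account normally addresses. The following is an added example of that detection over a delivery log; it is not SpamTitan's outbound-scanning logic or any TitanHQ code. The log lines, the agency.example domain and the threshold of 25 distinct recipients per hour are all constructed assumptions; a real deployment feeds its own gateway log and tunes the threshold to the organization's baseline.

```python
"""Flag outbound senders whose recipient fan-out looks like a hijacked account.

Added example, not SpamTitan's implementation. Log lines, domains and the
threshold are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed line format: "<ISO timestamp> from=<sender> to=<recipient>"
LOG_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")


def parse_outbound_log(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, sender, recipient); skip malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]),
                           m["sender"].lower(), m["rcpt"].lower()))
    return events


def peak_unique_recipients(events: List[Tuple[datetime, str, str]],
                           window: timedelta) -> Dict[str, int]:
    """For each sender, the largest number of distinct recipients addressed
    within any sliding window of the given length."""
    by_sender: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, sender, rcpt in events:
        by_sender[sender].append((ts, rcpt))
    peaks: Dict[str, int] = {}
    for sender, msgs in by_sender.items():
        msgs.sort()
        counts: Dict[str, int] = defaultdict(int)  # recipient -> hits in window
        left = 0
        best = 0
        for ts, rcpt in msgs:
            counts[rcpt] += 1
            while ts - msgs[left][0] > window:      # slide the left edge forward
                old = msgs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        peaks[sender] = best
    return peaks


def flag_compromised_senders(lines: List[str],
                             window: timedelta = timedelta(hours=1),
                             max_unique_recipients: int = 25) -> Dict[str, int]:
    """Senders exceeding the fan-out threshold, with their peak recipient count."""
    peaks = peak_unique_recipients(parse_outbound_log(lines), window)
    return {s: n for s, n in peaks.items() if n > max_unique_recipients}


def constructed_sample() -> List[str]:
    """Constructed delivery log: one normal user and one hijacked account."""
    base = datetime(2021, 3, 18, 9, 0, 0)
    lines = []
    # Normal behaviour: three colleagues over half an hour.
    for i, rcpt in enumerate(["bob", "carol", "dave"]):
        ts = base + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} from=alice@agency.example to={rcpt}@agency.example")
    # Hijacked account: 40 distinct internal recipients within 20 minutes.
    for i in range(40):
        ts = base + timedelta(minutes=30, seconds=30 * i)
        lines.append(f"{ts.isoformat()} from=payroll.clerk@agency.example "
                     f"to=staff{i:03d}@agency.example")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    print(flag_compromised_senders(constructed_sample()))
```

Counting distinct recipients rather than raw message count is deliberate: a legitimate bulk mailer repeatedly writing to the same list looks different from an account suddenly addressing hundreds of colleagues it has never contacted.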
If you want to improve your defenses against phishing, give the SpamTitan team a call today to find out more. The full product is available on a free trial, and during the trial you will have full access to the product support team, who will help you get the most out of your trial.
Throughout 2020 the healthcare sector has been a major target of ransomware gangs, but the education sector is also facing an increase in attacks, with the Pysa (Mespinoza) ransomware gang now targeting the education sector.
Pysa ransomware is a variant of Mespinoza ransomware that was first observed being used in attacks in October 2019. The threat group behind the attacks, like many other ransomware threat groups, uses double extortion tactics on victims. Files are encrypted and a ransom demand is issued for the keys to decrypt files, but to increase the probability of the ransom being paid, data is exfiltrated prior to file encryption. The gang threatens to monetize the stolen data on the darkweb if the ransom is not paid. Many attacked entities have been forced to pay the ransom demand to prevent the sale of their data, even when they have backups.
Since October 2019, the Pysa ransomware gang has targeted large companies, the healthcare sector, and local government agencies, but there has been a recent increase in attacks on the education sector. Attacks have been conducted on K12 schools, higher education institutions, and seminaries, with attacks occurring in 12 U.S. states and the United Kingdom. The rise in attacks prompted the FBI to issue a Flash Alert in March 2020 warning the education sector about the increased risk of attack.
Analyses of attacks revealed the gang conducts network reconnaissance using open source tools such as Advanced Port Scanner and Advanced IP Scanner. Tools such as PowerShell Empire, Koadic, and Mimikatz are used to obtain credentials, escalate privileges, and move laterally within networks. The gang identifies and exfiltrates sensitive data before delivering and executing the ransomware payload. The types of data stolen are those that can be used to pressure victims into paying and can easily be monetized on the darkweb.
Identifying a Pysa ransomware attack in progress is challenging, so it is essential for defenses to be hardened to prevent initial access. Several methods have been used to gain access to networks, although in many cases it is unclear how the attack started. In attacks on French companies and government agencies, brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have involved exploitation of Remote Desktop Protocol vulnerabilities, and the gang is also known to use spam and phishing emails to obtain credentials to get a foothold in networks.
Since several methods are used for gaining access, there is no single solution that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to harden their defenses.
An antivirus/antimalware solution is a must, as is ensuring it is kept up to date. Since many attacks start with a phishing email, an advanced email security gateway is also important. Choosing a solution such as SpamTitan that incorporates dual AV engines and sandboxing will maximize the chance of detecting malicious emails. SpamTitan also incorporates machine learning methods to identify new methods of email attacks.
End user training is also important to teach staff how to identify potentially malicious emails and train them on cybersecurity best practices such as setting strong passwords, not reusing passwords, and the dangers of using public Wi-Fi networks. Also consider disabling hyperlinks in emails, flagging emails that arrive from external sources, and implementing multi-factor authentication on accounts.
Patches and security updates should be implemented promptly after they have been released to prevent vulnerabilities from being exploited. You should use the rule of least privilege for accounts, restrict the use of administrative accounts as far as possible, and segment networks to limit the potential for lateral movement. You should also be scanning your network for suspicious activity and configure alerts to allow any potential infiltration to be rapidly identified. All unused RDP ports should be closed, and a VPN used for remote access.
It is essential for backups to be made of all critical data to ensure that file recovery is possible without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored securely on an air-gapped device.
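The hardening steps above include scanning for suspicious activity and configuring alerts, and the initial-access methods named for this gang include brute force against exposed Active Directory accounts and management consoles and abuse of RDP. The following is an added example of the per-source detection that catches both brute force and its quieter cousin, password spraying, in failed logon events; it is not TitanHQ code. The events are constructed in the shape of Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP); the source addresses come from documentation ranges and the thresholds are assumptions to tune against your own baseline.

```python
"""Classify brute-force and password-spray patterns in failed RDP logon events.

Added example, not TitanHQ code. Events are constructed to resemble
Windows Security event 4625 with LogonType 10 (RDP); source IPs are from
RFC 5737 documentation ranges; thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List

CONSTRUCTED_EVENTS: List[Dict] = (
    # One source hammering a single exposed account: brute force.
    [{"event_id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"}
     for _ in range(60)]
    # Another source trying a password against many accounts: password spray.
    + [{"event_id": 4625, "logon_type": 10, "user": f"user{i:02d}", "src": "198.51.100.23"}
       for i in range(30)]
    # Background noise: one user mistyping a password twice, then succeeding (4624).
    + [{"event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "192.0.2.10"}] * 2
    + [{"event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "192.0.2.10"}]
)


def classify_failed_logons(events: List[Dict],
                           min_failures: int = 20,
                           spray_min_accounts: int = 10,
                           rdp_only: bool = True) -> Dict[str, str]:
    """Return {source_ip: 'brute_force' | 'password_spray'} for noisy sources.

    brute_force: many failures concentrated on few accounts.
    password_spray: failures spread across many accounts with few attempts
    each, which per-account lockout policies never trigger on, so the
    aggregation must be per source rather than per account.
    """
    per_source: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        if rdp_only and ev["logon_type"] != 10:
            continue
        per_source[ev["src"]][ev["user"]] += 1

    verdicts: Dict[str, str] = {}
    for src, users in per_source.items():
        total = sum(users.values())
        if total < min_failures:
            continue  # below the alerting floor; ordinary typos land here
        if len(users) >= spray_min_accounts:
            verdicts[src] = "password_spray"
        else:
            verdicts[src] = "brute_force"
    return verdicts


def alert_lines(verdicts: Dict[str, str]) -> List[str]:
    """Render verdicts as one alert line per source, sorted for stable output."""
    return [f"ALERT {kind} from {src}: block at the perimeter and review the exposed service"
            for src, kind in sorted(verdicts.items())]


if __name__ == "__main__":
    for line in alert_lines(classify_failed_logons(CONSTRUCTED_EVENTS)):
        print(line)
```

The two verdicts call for different follow-ups: a brute-forced single account points at an exposed service that should be behind the VPN the text recommends, while a spray across many accounts means the attacker already holds a user list, so the password policy and multi-factor authentication deserve attention as well.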
TitanHQ has been recognized for its email security, web security, and email archiving solutions, collecting not one, not two, but three prestigious awards from Expert Insights.
Expert Insights was launched in 2018 to help businesses find cybersecurity solutions to protect their networks and devices from an ever-increasing number of cyber threats. Researching cybersecurity solutions can be a time-consuming process, and the insights and information provided by Expert Insights considerably shortens that process. Unlike many resources highlighting the best software solutions, Expert Insights includes ratings from verified users of the products to give users of the resource valuable insights about how easy products are to use and how effective they are at blocking threats. Expert Insights has helped more than 100,000 businesses choose cybersecurity solutions and the website is visited by more than 40,000 individuals a month.
Each year, Expert Insights recognizes the best and most innovative cybersecurity solutions on the market in its “Best-Of” Awards. The editorial team at Expert Insights assesses vendors and their products on a range of criteria, including technical features, ease-of-use, market presence, and reviews by verified users of the solutions. Each product is assessed by technology experts to determine the winners in a broad range of categories, including cloud, email, endpoint, web, identity, and backup security.
“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Craig MacAlpine, CEO and Founder, Expert Insights. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”
Three TitanHQ cybersecurity solutions were selected and named winners in the Expert Insights’ 2021 “Best-Of” Awards in the Email Security Gateway, Web Security, and Email Archiving categories. SpamTitan was named winner in the Email Security Gateway category, WebTitan won in the Web Security category, and ArcTitan was named a winner in the Email Archiving category. SpamTitan and WebTitan were praised for the level of protection provided, while being among the easiest to use and most cost-effective solutions in their respective categories.
All three products are consistently praised for the level of protection provided and are a big hit with enterprises, SMBs, and MSPs. The solutions attract many 5-star reviews from real users on the Expert Insights site and many other review sites, including Capterra, GetApp, Software Advice, Google Reviews, and G2 Crowd. The cybersecurity solutions are now used by more than 8,500 businesses and over 2,500 MSPs.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
Ransomware attacks in 2020 were conducted at twice the rate of the previous year, with many organizations falling victim and having to pay large ransoms to recover their data or risk sensitive information being published or sold to cybercriminal organizations.
At the start of 2020, data exfiltration prior to the deployment of ransomware was still only being conducted by a small number of ransomware gangs, but that soon changed as the year progressed. By the end of the year, at least 17 cybercriminal gangs were using this double extortion tactic and were stealing sensitive data prior to encrypting files. Faced with the threat of publication of sensitive data, many attacked organizations felt they had little alternative other than to pay the ransom demand.
The extent of ransomware attacks in 2020 has been highlighted by various studies by cybersecurity researchers over the past few weeks. Chainalysis recently released a report that suggests more than $350 million has been paid to cybercriminals in 2020 alone, based on an analysis of the transactions to blockchain addresses known to be used by ransomware threat groups. Of course, that figure is likely to be far lower than the true total, as many companies do not disclose that they have suffered ransomware attacks. To put that figure into perspective, a similar analysis in 2019 estimated the losses to be around $90 million. Those figures are for ransom payments alone, not the cost of resolving attacks, which would be several orders of magnitude higher.
The increase in attacks can be partly attributed to the change in working practices due to the pandemic. Many companies switched from office-based working to a distributed remote workforce to prevent the spread of COVID-19 and keep their employees protected. The rapid change involved hastily implementing remote access solutions to support those workers which introduced vulnerabilities that were readily exploited by ransomware gangs.
Most Ransomware Attacks Now Start with Phishing
Throughout 2020, phishing was commonly used as a way to gain access to corporate networks, accounting for between 25% and 30% of all ransomware attacks, but new data released by the ransomware attack remediation firm Coveware shows the attack methods changed in the last quarter of 2020. As companies and organizations addressed vulnerabilities in remote access solutions and VPNs and improved their defenses, phishing became the most common attack method. Coveware’s analysis shows that in the final quarter of 2020, more than 50% of ransomware attacks started with a phishing email.
Ransomware can be delivered directly through phishing emails, although it is more common to use intermediary malware. The most commonly used malware variants for distributing ransomware are Trojans such as Emotet and TrickBot, both of which are extensively delivered via phishing emails. These malware variants are also capable of self-propagating and spreading to other devices on the network.
Access to compromised devices is then sold to ransomware gangs, who access the devices, steal sensitive data, then deploy their ransomware payload. The Emotet botnet played a large role in ransomware attacks in 2020, and while it has now been disrupted following a joint law enforcement operation, other malware variants are certain to take its place.
The same report also highlighted the nature of businesses attacked with ransomware. Far from the gangs targeting large enterprises with deep pockets, most attacks are on small- to medium-sized businesses with under 250 employees. 30.2% of attacks were on businesses with between 11 and 100 employees, with 35.7% on businesses with 101 to 1,000 employees. Healthcare organizations, professional services firms, and financial services companies have all been targeted and commonly fall victim to attacks, although no sector is immune.
70% of ransomware attacks now involve data theft prior to encryption, so even if backups exist and can be used to restore data, it may not be possible to avoid paying the ransom. There is also a growing trend for data to be permanently deleted, which leaves businesses with no way of recovering data after a ransomware attack.
Steps to Take to Block Ransomware Attacks
What all businesses and organizations need to do is to make it as hard as possible for the attacks to succeed. While there is no single solution for blocking ransomware attacks, there are measures that can be taken that make it much harder for the attacks to succeed.
With most ransomware attacks now starting with a phishing email, an advanced email security solution is a must. By deploying a best-of-breed solution such as SpamTitan to proactively protect the Office 365 environment, it will be much easier to block threats than by relying on Office 365's built-in anti-spam protections alone, which are commonly bypassed to deliver Trojans and ransomware.
A web filtering solution can provide protection against ransomware delivered over the internet, including via links sent in phishing emails. Multi-factor authentication should be implemented for email accounts and cloud apps, employees should be trained how to identify threats, and monitoring systems should be implemented to allow attacks in progress to be detected and mitigated before ransomware is deployed.
To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.
Phishing is the Number One Cyber Threat Faced by SMBs
Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.
Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised. Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.
The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.
Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.
Easy to Implement Anti-Phishing Solutions for MSPs
There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.
MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?
Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.
Advanced Spam Filtering
Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and, by itself, is the single most important solution to implement.
SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy-to-use interface. The solution supports per-domain administrators, each of whom can manage elements of their own domain's email filtering, such as message searches and the release of messages from the quarantine folder. Reports can be generated per domain, and those reports can be scheduled and sent to clients automatically. The solution can be fully rebranded with an MSP's logo and color scheme, and it can be hosted in TitanHQ’s private cloud or within your own data center.
Security Awareness Training and Testing
While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.
DNS-Based Web Filtering
Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.
A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS level, before any content is downloaded. When an employee clicks a link in a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, these web filters are easy to implement and no appliances are required.
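As an added illustration (not code from this article or from TitanHQ), the following Python sketch shows what a DNS-layer block looks like: the resolver consults a blocklist before forwarding a query and answers blocked names with a block-page address, so the browser never contacts the phishing host. The blocklist, the block-page address and the upstream answers are constructed for the example.

```python
"""DNS-layer block of phishing domains, as a minimal illustrative resolver."""
from typing import Optional, Tuple

# Constructed values for the example: a documentation-range IP for the block
# page and a tiny blocklist. A real service uses a large, continuously updated feed.
BLOCK_PAGE_IP = "192.0.2.10"
BLOCKLIST = {"phish.example", "login-update.example"}

# Constructed stand-in for the answers an upstream resolver would return.
UPSTREAM = {
    "www.shop.example": "198.51.100.7",
    "secure.login-update.example": "203.0.113.44",
}


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing dot DNS clients may send."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str) -> bool:
    """Match the exact name and every parent domain against the blocklist,
    so a blocklisted registrable domain also covers all of its subdomains."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(qname: str) -> Tuple[Optional[str], str]:
    """Return (answer, action). Blocked names are answered with the block-page
    address, so the decision is made before any HTTP request leaves the host."""
    name = normalize(qname)
    if is_blocked(name):
        return BLOCK_PAGE_IP, "blocked"
    answer = UPSTREAM.get(name)
    if answer is None:
        return None, "nxdomain"
    return answer, "allowed"


if __name__ == "__main__":
    for q in ("www.shop.example", "secure.login-update.example.", "unknown.example"):
        print(q, resolve(q))
```

The suffix walk in `is_blocked` is what lets one blocklist entry cover every hostname an attacker generates under it; the block-page answer, rather than NXDOMAIN, is what gives the user the explanatory block screen described above.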
WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSP branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.
Key Product Features of SpamTitan and WebTitan for MSPs
Easy to manage: There is a low management overhead. SpamTitan and WebTitan are set-and-forget solutions. We handle all the updates and are constantly protecting against new threats globally, in real time.
Scalability: Regardless of your size you can deploy the solution within minutes. SpamTitan and WebTitan are scalable to thousands of users.
Extensive API: MSPs are provided with API integration to provision customers through their own centralized management system, together with a growth-enabling licensing program with usage-based pricing and monthly billing.
Hosting Options: SpamTitan and WebTitan can be deployed as a cloud-based service hosted in the TitanHQ cloud, as a dedicated private cloud, or in the service provider’s own data center.
Extensive drill down reporting: Integration with Active Directory allows detailed end user reporting. Comprehensive reports can be created on demand or via the scheduled reporting options.
Support: World class support – we are renowned for our focus on supporting customers.
Tried & Tested: TitanHQ solutions are used by over 1500 Managed Service Providers worldwide.
Rebrandable: Rebrand the platform with your corporate logo and corporate colors to reinforce your brand or to resell it as a hosted service.
TitanSHIELD Program for MSPs
To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanSHIELD MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:
Private or Public Cloud deployment
Access to the Partner Portal
Dedicated Account Manager
White Label or Co-branding
Co-Branded Evaluation Site
Assigned Sales Engineer Support
Social Network participation
Access to Global Partner Program Hotline
Free 30-day evaluations
Access to Partner Knowledge Base
Joint White Papers
Partner Events and Conferences
24/7 Priority Technical Support
Tiered Deal Registration
5 a.m. to 5 p.m. (PST) Technical Support
Better Together Webinars
Online Technical Training and FAQs
Advanced Product Information
Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base
Competitive Information and Research
Sales Campaigns in a box
Not-for-Resale (NFR) Key
Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools
TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility
TitanHQ Partner Welcome Kit
Quarterly Business Planning and Review
Access to TitanHQ’s MVP Rewards Program
Access to Partner Support
For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanSHIELD program.
Recently, a new technique has been identified that is being used by hackers to conduct cross-site scripting attacks from within PDF files.
PDF files have long been used by hackers for phishing attacks and malware delivery. Oftentimes, emails are sent with PDF file attachments that contain hyperlinks to malicious websites. By adding these links into the files rather than the body of the email message, it is harder for security solutions to identify those malicious links.
The latest attack method also uses PDF files, but instead of tricking employees into revealing their login credentials or visiting a malicious website where malware is downloaded, the attackers attempt to obtain sensitive information contained in PDF files.
The technique is similar to those used by hackers in web application attacks. Cross-site scripting attacks – or XSS attacks for short – typically involve injecting malicious scripts into trusted websites and applications. When a user visits the website or the hacked application, the script executes. The scripts give the attackers access to user information such as cookies, session tokens, and sensitive data saved in browsers, such as passwords. Since the website or application is trusted, the web browser will not recognize the script as malicious. These attacks are possible in websites and web applications where user input is used to generate output without being properly validated or encoded.
What sort of data could be captured in such an attack? A substantial amount of sensitive data is contained in PDF files. PDF files are used extensively for reports, statements, logs, e-tickets, receipts, boarding passes, and much more. PDF files may contain passport numbers, driver’s license numbers, bank account information, and a range of other sensitive data. The presenters at the conference explained they found some of the largest libraries of PDF files worldwide were susceptible to XSS attacks.
For the most part, the vulnerabilities in PDF files that allow XSS attacks are not due to the PDF files themselves but to improper coding. If PDF libraries fail to properly parse and escape special characters and allow unprotected formats, they will be vulnerable. Fortunately, Adobe released an update on December 9 which prevents this type of security vulnerability from being exploited, although companies that create PDF files must update their software and apply the update to be protected.
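To make the underlying mechanism concrete for the web-application case, here is an added Python example (not code from the original article, and unrelated to the PDF-library fix it describes) that renders a greeting from a query-string parameter both in the vulnerable, unencoded way and in the encoded way. The handler and the test payload are constructed; the only library call is `html.escape` from the standard library.

```python
"""Reflected XSS: unencoded output beside its HTML-encoded form."""
import html
from urllib.parse import parse_qs

# Constructed test payload: the classic alert() marker used to demonstrate injection.
TEST_PAYLOAD = "<script>alert('xss')</script>"


def render_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is pasted into the HTML body unencoded,
    so any markup in the input is interpreted by the browser."""
    return f"<p>Welcome back, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened: encode the HTML-significant characters (& < > " ') before
    the input lands in a text or attribute context."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def greeting_from_query(query: str, safe: bool = True) -> str:
    """Simulate a handler that reads ?name= from the request query string."""
    name = parse_qs(query).get("name", ["guest"])[0]
    return render_safe(name) if safe else render_unsafe(name)


def contains_script_tag(fragment: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_unsafe(TEST_PAYLOAD))
    print(render_safe(TEST_PAYLOAD))
```

Encoding at output time is the fix the paragraph above alludes to: the same input is accepted in both versions, but only the encoded rendering keeps the browser from treating it as script.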
This is just one way that malicious attachments can be used to obtain sensitive information. As previously mentioned, malicious macros are commonly added to office documents, executable files are added as attachments to emails and masquerade as legitimate files, and malicious code can be injected into a range of different file types.
One of the best ways to protect against attacks via email using malicious attachments is to use an advanced email security solution that can detect not just known malware but also never-before-seen malicious code. This is an area where SpamTitan Email Security excels.
SpamTitan incorporates dual anti-virus engines (Bitdefender/ClamAV) to catch known malware threats and sandboxing to identify malicious code that has been added to email attachments. Files are subjected to in-depth analysis in the security of the sandbox and are checked for any malicious actions.
To find out more about protecting your organization from malicious emails and malware, give the TitanHQ team a call.
The healthcare industry in the United States has long been targeted by cybercriminals seeking access to sensitive patient data. Patient data is a valuable commodity, as it can be used for a multitude of fraudulent purposes including identity theft, tax fraud, insurance fraud, and blackmail, and understandably has a high black market value.
Some of the largest healthcare data breaches ever reported have started with a phishing attack, including the 78.8 million-record data breach at the health insurer Anthem Inc. and the cyberattack on Premera Blue Cross, another U.S. health insurer, which affected around 11 million individuals, both of which were reported in 2015.
While healthcare data breaches on the scale of Anthem’s have been avoided since, large phishing-related breaches are still occurring. The latest phishing-related data breach to be reported by a U.S. health insurer resulted in the exposure of the health records of almost 500,000 Aetna health plan members.
The phishing attack saw the attackers gain access to the email system of a business associate of Aetna. EyeMed manages vision benefits services for the health insurer and has several other healthcare clients. The compromised account contained highly sensitive information such as names, addresses, dates of birth, and full or partial Social Security numbers – information that is extremely valuable to phishers and identity thieves. In total, the records of 484,157 Aetna members were potentially compromised, along with the data of 60,000 members of Tufts Health Plan, and around 1,000 members of Blue Cross Blue Shield of Tennessee. While it was not the largest healthcare data breach of 2020, it does rank in the top 10 healthcare data breaches of the year.
Unfortunately, healthcare industry phishing attacks involving the exposure and/or theft of more than 100,000 patient records are far from unusual. There have been more than a dozen such breaches reported by healthcare organizations and their business associates in 2020, and several dozen smaller phishing attacks.
The healthcare industry is extensively targeted and is vulnerable to phishing attacks. Unfortunately, all it takes is for one employee to respond to a phishing email for their account to be compromised. Emails often contain personal and protected health information and can be downloaded by the attackers, and the compromised account can be used to send further phishing emails to other employees in the organization. In addition to gaining access to multiple email accounts, phishing can give attackers the foothold they need for a more extensive compromise, as was the case with the Anthem and Premera data breaches.
According to a report released by the Healthcare Information and Management Systems Society (HIMSS), its survey of healthcare cybersecurity professionals revealed 57% had experienced a successful phishing attack in the past year.
Securing the email system can be a challenge in healthcare and preventing phishing attacks is a constant struggle. Unfortunately, while there are excellent email security solutions available that will ensure the vast majority of phishing emails are blocked, it is not possible to deploy a single solution and prevent all phishing attacks from succeeding. What is required is a layered approach to phishing defenses. With multiple layers of protection, if one layer fails to block a threat, others will help to ensure the threat is blocked.
At the heart of phishing defenses should be an advanced machine-learning/AI-based anti-phishing solution such as SpamTitan. SpamTitan itself provides multiple layers of protection to block known phishing threats, while the machine-learning components identify new phishing threats that have yet to be seen. SpamTitan also incorporates multiple measures to identify and block email impersonation attacks, has a data loss protection feature, and anti-malware capabilities that block both known and zero-day malware threats.
A web filter is an often-overlooked anti-phishing measure. Web filters target the web-based component of phishing attacks and provide time-of-click protection to stop employees from visiting phishing websites via links in malicious emails.
As Microsoft pointed out in a summer blog post this year, multi-factor authentication is a must. Multi-factor authentication kicks in when credentials are obtained in phishing attacks and stops those credentials from being used to access email accounts. MFA can block more than 99.9% of attacks using compromised credentials.
End user training should also not be neglected. Conditioning employees how to recognize phishing emails and respond appropriately is essential, not just for cybersecurity but also HIPAA compliance.
These measures can be the difference between a successfully thwarted attack and a costly data breach, and the cost of implementing these solutions is cheaper than many people think. To find out more, give the TitanHQ team a call.
After a 2-month break, the Emotet botnet is back up and running and has been observed conducting a phishing email campaign that is delivering between 100,000 and 500,000 messages to inboxes a day.
Emotet first appeared in 2014 and started life as a banking Trojan; however, over the years the malware has evolved. While Emotet remains a banking Trojan, it is now best known as a malware downloader that is used to deliver a range of secondary payloads. The malware payloads it delivers also act as malware downloaders, so infection with Emotet often results in multiple malware infections, with ransomware often delivered as the final payload.
Once Emotet is installed on an endpoint, it is added to the Emotet botnet and used for spam and phishing campaigns. Emotet sends copies of itself via email to the user’s contacts and uses other self-propagation mechanisms to infect other computers on the network. Emotet can be difficult to eradicate from a network: once one computer is cleaned, it is often reinfected by other infected computers on the network.
Emotet often goes dormant for several weeks or even months, but even with long gaps in activity, Emotet is still the biggest malware threat. Emotet went dormant around February 2020, with activity resuming five months later in July. Activity continued until late October when activity stopped once again until Tuesday this week when it returned in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads such as Qakbot and ZLoader.
During the periods of inactivity, the threat actors behind the malware are not necessarily idle; they just stop their distribution campaigns. During the breaks they update their malware and return with a new and improved version that is more effective at evading defenses.
The latest campaign uses similar tactics to past campaigns to maximize the probability of end users opening a malicious Office document. The phishing emails are usually personalized to make them appear more authentic, with Emotet using hijacked message threads with malicious content inserted. Since the emails appear to be responses to past conversations between colleagues and contacts, there is a greater chance that the recipient will open the email attachment or click a malicious hyperlink.
This campaign favors password-protected files, with the password to open the file supplied in the message body of the email. Since email security solutions cannot open these files, it is more likely that they will be delivered to inboxes. The malicious documents delivered in this campaign contain malicious macros. If the macros are enabled – which the user is told is necessary to view the content of the document – Emotet will be downloaded, after which the TrickBot Trojan will be delivered, usually followed by a ransomware variant such as Ryuk.
Previous campaigns have not displayed any additional content when the macros are enabled; however, this campaign displays an error message after the macros have been enabled instructing the user that Word experienced an error opening the file. This is likely to make the user believe the Word document has been corrupted. A variety of themes are used for the emails, with the latest campaign using holiday season and COVID-19 related lures.
An analysis by Cofense identified several changes in the latest campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control infrastructure has been changed and now uses binary data rather than plain text, both of which make the malware harder to detect.
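As an added example of the detection logic a defender could run over process-creation telemetry (not part of the Cofense analysis or of the original article), the Python below flags rundll32.exe launches whose parent is an Office application or whose DLL argument sits in a user-writable location, the two traits of the macro-to-DLL chain described above. The log lines, their key=value format, the host names and the DLL names are constructed for the example; real telemetry (Sysmon event 1, EDR process events) carries the same fields under other names.

```python
"""Flag rundll32.exe launches that fit the Office-macro-to-DLL delivery chain."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records. Only the second and fourth should alert.
LOG_LINES = [
    r'ts=2020-12-22T09:14:03Z host=WS-12 parent=explorer.exe image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
    r'ts=2020-12-22T09:16:41Z host=WS-12 parent=WINWORD.EXE image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Users\alice\AppData\Local\Temp\k3j1.dll,RunEntry"',
    r'ts=2020-12-22T09:20:10Z host=WS-03 parent=cmd.exe image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"',
    r'ts=2020-12-22T09:25:55Z host=WS-07 parent=svchost.exe image=C:\Windows\SysWOW64\rundll32.exe cmdline="rundll32.exe C:\ProgramData\upd\x9.dll,Start"',
]

# Office binaries that should not normally spawn rundll32 (assumed list for the example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Path fragments that indicate a location a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value record; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def dll_from_cmdline(cmdline: str) -> Optional[str]:
    """rundll32 syntax is `rundll32.exe <dll>,<entrypoint> [args]`; return <dll>."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip('"')


def analyze(line: str) -> Optional[List[str]]:
    """Return the list of reasons a rundll32 launch looks suspicious, or None."""
    f = parse_line(line)
    image = f.get("image", "").rsplit("\\", 1)[-1].lower()
    if image != "rundll32.exe":
        return None
    reasons: List[str] = []
    parent = f.get("parent", "").lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"rundll32 spawned by Office process {f['parent']}")
    dll = dll_from_cmdline(f.get("cmdline", ""))
    if dll and any(m in dll.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append(f"DLL loaded from user-writable path {dll}")
    return reasons or None


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run analyze() over every record and collect (timestamp, host, reasons)."""
    alerts = []
    for line in lines:
        reasons = analyze(line)
        if reasons:
            f = parse_line(line)
            alerts.append((f["ts"], f["host"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, host, reasons in scan(LOG_LINES):
        print(ts, host, "; ".join(reasons))
```

Both rules are deliberately narrow: rundll32 loading a DLL from System32 under explorer.exe is everyday Windows behaviour and produces no alert, while a DLL launched from a temp directory by a Word process is exactly the sequence a macro-enabled lure produces.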
Businesses need to be particularly vigilant and should act quickly if infections are detected and should take steps to ensure their networks are protected with anti-virus software, security policies, spam filters, and web filters.
The threat of phishing is ever present, especially for the healthcare industry, which is often targeted by phishers due to the high value of healthcare data and compromised email accounts. Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of successful phishing attacks. The industry is also plagued by ransomware attacks, many of which have their roots in a successful phishing attack, for example one that delivers a ransomware downloader such as the Emotet or TrickBot Trojans.
A recent survey conducted by HIMSS on U.S. healthcare cybersecurity professionals has confirmed the extent to which phishing attacks are succeeding. The survey, which was conducted between March and September 2020, revealed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of incidents.
One interesting fact to emerge from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely concerning that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity incidents.
Then there is multi-factor authentication. Multifactor authentication will do nothing to stop phishing emails from being delivered, but it is highly effective at preventing stolen credentials from being used to remotely access email accounts. Microsoft suggested in a Summer 2020 blog post that multifactor authentication will stop 99.9% of attempts to use stolen credentials to access accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.
That does represent a considerable improvement from 2015, when the survey was last conducted and just 37% had implemented MFA, but it shows there is still considerable room for improvement, especially in an industry that suffers more than its fair share of phishing attacks.
In the data breach reports that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare organizations in the U.S. are required to comply with, it is common for breached organizations to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from occurring in the first place. The HIMSS survey revealed 75% of organizations augment security after suffering a cyberattack.
These cyberattacks not only take up valuable resources and disrupt business operations, but they can also have a negative impact on patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business operations, and 20% said they resulted in monetary losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had disrupted emergency care, with 17% saying they had resulted in patient harm. The latter figure could be underestimated, as many organizations do not have the mechanisms in place to determine whether patient safety has been affected.
The volume of phishing attacks that are succeeding cannot be attributed to a single factor, but what is clear is there needs to be greater investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be top of the list, one that can block phishing emails and malware attacks. Training on cybersecurity must be provided to employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing measure.
One area of phishing protection that is often overlooked is a web filter. A web filter blocks the web-based component of phishing attacks, preventing employees from accessing webpages hosting phishing forms. With the sophisticated nature of today’s phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also important.
Many hospitals and physician practices have limited budgets for cybersecurity, so it is important to not only implement effective anti-phishing and anti-malware solutions, but to get effective solutions at a reasonable price. That is an area where TitanHQ excels.
TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to protect against the email- and web-based components of cyberattacks and both of these solutions are provided at a very reasonable cost, with flexible payment options.
Further, these solutions have been designed to be easy to use and require no technical skill to set up and maintain. The ease of use, effectiveness, and low price are part of the reason why the solutions are ranked so highly by users, achieving the best rankings on Capterra, GetApp and Software Advice.
If you want to improve your defenses against phishing, prevent costly cyberattacks and data breaches, and avoid the potential regulatory fines that can follow, give the TitanHQ team a call today and inquire about SpamTitan Email Security and WebTitan Web Security.
Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.
Surge in Phishing Attacks in the Run Up to Black Friday
The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.
Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.
Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more business to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.
Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.
With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.
How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats
This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.
The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.
SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.
If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.
The cybercriminal organization behind Ryuk ransomware – believed to be an eastern European hacking group known as Wizard Spider – has stepped up attacks on hospitals and health systems in the United States. This week has seen a wave of attacks on hospitals from the Californian coast to the eastern seaboard, with 6 Ryuk ransomware attacks on hospitals reported in a single day.
Ryuk ransomware causes widespread file encryption across entire networks, crippling systems and preventing clinicians from accessing patient data. Even when the attacks are detected quickly, systems must be shut down to prevent the spread of the ransomware. While hospitals have disaster protocols for exactly this kind of scenario and patient data can be recorded using pen and paper, the disruption caused is considerable. Non-essential surgeries and appointments often need to be cancelled and, in some cases, hospitals have been forced to divert patients to alternative medical facilities.
It is unclear if any ransomware attacks on U.S. hospitals have resulted in fatalities, but there was recently a fatality in an attack in Germany, where a patient was rerouted to a different hospital and died before lifesaving treatment could be provided. Had the ransomware attack not occurred, treatment could have been provided in time to save the patient’s life. The attacks in the United States also have the potential to result in loss of life, especially in such a large-scale, coordinated campaign.
Earlier in the week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued an advisory after credible evidence emerged indicating Ryuk ransomware attacks on U.S. hospitals and healthcare providers were about to increase.
It is unclear why the attacks have increased now or what the exact motives behind the current campaign are, but Microsoft and U.S. Cyber Command, in conjunction with several cybersecurity firms, recently disrupted the TrickBot botnet, a network of devices infected with the TrickBot Trojan. The TrickBot Trojan is operated by a different cybercriminal group from the Ryuk operators, but it was extensively used to deliver Ryuk ransomware. The botnet is back up and running, with the threat actors having switched to alternative infrastructure, but there have been suggestions that the current campaign could be a response to the takedown.
The Ryuk ransomware attacks on hospitals come at a time when healthcare providers are battling the coronavirus pandemic. In the United States the number of new cases is higher than at any time since the start of the pandemic. Hospitals cannot afford to have systems taken out of action and patient care disrupted. The timing of the attacks is such that hospitals may feel there is little alternative other than paying the ransom to ensure that disruption is kept to a minimum. Ransomware gangs are known to time their attacks to cause maximum disruption.
Ryuk ransomware attacks on hospitals had been steadily increasing in the United States before the latest spike. Figures released by Check Point Research in the past few days show ransomware attacks on hospitals increased 71% from September, with healthcare the most targeted industry sector, not only in October but also in Q3 2020. Ryuk ransomware attacks account for 75% of all ransomware attacks on hospitals in the United States.
There is concern that the latest attacks will be just the tip of the iceberg. Some security experts suggest the gang is looking to target hundreds of hospitals and health systems in the United States in this campaign. Each attack on a health system could see several hospitals affected. The attack this week on the University of Vermont Health Network impacted 7 hospitals.
Defending against ransomware attacks can be a challenge, as multiple methods are used to gain access to healthcare networks. Ryuk ransomware is commonly delivered by the TrickBot Trojan, which is delivered as a secondary payload by the Emotet Trojan. The Buer loader and BazarLoader are also being used to deliver Ryuk ransomware. These malware downloaders are delivered via phishing emails, so a good spam filter is important.
Employees should be made aware of the increased threat of attack and advised to exercise extra caution with emails. Software updates need to be applied promptly and all systems kept fully patched and up to date. Default passwords should be changed, and complex passwords used, with multi-factor authentication implemented where possible. If it is not necessary for systems to be connected to the Internet, they should be disconnected, and RDP should be disabled where possible.
It is also essential for regular backups of critical data to be made and for those backups to be stored securely on non-networked devices to ensure that in the event of an attack hospitals have the option to recover their data without having to pay the ransom.
Further information on indicators of compromise and other mitigations is available in the CISA Ryuk ransomware advisory.
The Emotet Trojan is one of the main malware threats currently used to attack businesses. The Trojan is primarily distributed using spam emails, using a variety of lures to convince users to install the Trojan.
The spam emails are generated by the Emotet botnet – an army of zombie devices infected with the Emotet Trojan. The Trojan hijacks the victim’s email account and uses it to send copies of itself to the victim’s business contacts using the email addresses in victims’ address books.
Emotet emails tend to have a business theme, since it is business users that are targeted by the Emotet actors. Campaigns often use tried and tested phishing lures such as fake invoices, purchase orders, shipping notices, and resumes, with the messages often containing limited text and an email attachment that the recipient is required to open to view further information.
Word documents are often used – although not exclusively – with malicious macros which install the Emotet Trojan on the victim’s device. In order for the macros to run, the user is required to ‘Enable Content’ when they open the email attachment.
The documents use a variety of tricks to get users to enable content. Oftentimes the documents state that the Word document was created on an iOS or mobile device and content needs to be enabled for it to be viewed, or that the contents of the document have been protected and will not be displayed unless content is enabled.
Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining a Windows update needed to be installed to upgrade apps on the device, which were preventing Microsoft Word from displaying the document contents. Users were instructed to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.
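As an added example (not TitanHQ's code, nor Emotet's), here is a Python check for the attachment pattern described above, an Office document carrying a VBA project: it inspects the OOXML container, sends legacy binary documents for deeper scanning, and walks a constructed sample email. The OOXML part names and OLE2 magic bytes are standard; the action names and sample documents are assumptions constructed for illustration.

```python
"""Added example, not TitanHQ code: flag Office attachments carrying a VBA
project before delivery. Sample documents and the sample email are
constructed in memory; the action names are assumptions for illustration."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# OOXML (zip-based) parts that hold VBA code.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Extensions whose format is meant to contain macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Magic bytes of legacy binary Office files (OLE2 compound files).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_docx(with_macro):
    """Construct a minimal OOXML document (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in bytes; a real vbaProject.bin is itself an OLE2 container.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def classify_attachment(filename, data):
    """Return the finding and the action a mail filter would take for one attachment."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []

    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls can hold macros, but proving it needs an OLE parser,
        # so the file is handed to deeper scanning (sandbox) instead.
        reasons.append("legacy OLE2 document; needs OLE macro scan or sandbox")
        return {"has_macro": None, "reasons": reasons, "action": "sandbox"}

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        reasons.append("not an OOXML container")
        return {"has_macro": False, "reasons": reasons, "action": "deliver"}

    found = sorted(names & VBA_PARTS)
    if found:
        reasons.append("VBA project present: " + ", ".join(found))
        if ext not in MACRO_EXTENSIONS:
            # Name and content disagree, so the extension cannot be trusted.
            reasons.append("extension %s does not match macro-enabled content"
                           % (ext or "(none)"))
        return {"has_macro": True, "reasons": reasons, "action": "quarantine"}
    return {"has_macro": False, "reasons": reasons, "action": "deliver"}


def build_sample_email(with_macro):
    """Construct an invoice-themed sample email with one attachment (constructed)."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "payables@company.example"
    msg["Subject"] = "Invoice 48213"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_docx(with_macro), maintype="application",
                       subtype="octet-stream", filename="Invoice_48213.doc")
    return msg.as_bytes()


def scan_email(raw):
    """Classify every attachment in a raw message; returns [(filename, result)]."""
    msg = message_from_bytes(raw)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            results.append((fname, classify_attachment(fname, part.get_payload(decode=True))))
    return results
```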
The Emotet Trojan does not simply add devices to a botnet and use them to conduct further phishing attacks. One of the main uses of Emotet is to download other malware variants onto infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.
The TrickBot Trojan was initially a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few years to add a host of new functions. TrickBot still acts as a banking Trojan, but is also a stealthy information stealer and malware downloader, as is QBot malware.
As with Emotet, once the operators of these Trojans have achieved their aims, they deliver a secondary malware payload. TrickBot has been used extensively to deliver Ryuk ransomware, one of the biggest ransomware threats currently in use. QBot has teamed up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, TrickBot/QBot, and then suffer a ransomware attack.
It is therefore essential for businesses to implement an effective spam filtering solution to block the initial malicious emails at source and prevent them from being delivered to their employees’ inboxes. It is also important to provide security awareness training to employees to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.
Organizations that rely on the default anti-spam defenses that are provided with Office 365 licenses should consider implementing an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.
To find out more about the full features of SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, give the SpamTitan team a call today.
A product demonstration can be arranged, your questions will be answered, and assistance will be provided to help set you up for a free trial to evaluate the solution in your own environment.
Phishing is a cybersecurity threat that businesses of all sizes are likely to face and one that requires multiple phishing protection measures to prevent. Phishing is the term given to fraudulent attempts to obtain sensitive information such as login credentials to email accounts or employee/customer information. Phishing can take place over the telephone (vishing), via text message (SMiShing), or through social media networks and websites, but the most common phishing attacks take place over email.
When phishing occurs over email, an attack usually consists of two elements. A lure – a reason given in the email that encourages the user to take a particular action – and a web-based component, where sensitive information is collected.
For instance, an email is sent telling the recipient that there has been a security breach that requires immediate action. A link is supplied in the email that directs the recipient to a website where they are required to log in and verify their identity. The website is spoofed to make it look like the site it is impersonating, and when information is entered it is captured by the attacker.
Phishing protection measures should be deployed to block both of these components. First, you need a solution that stops the phishing attack at source and prevents phishing emails from being delivered to inboxes. You should also have security measures in place to prevent information from being handed over to the attackers at the web stage of the attack. As an additional protection, in case both of those measures fail, you need to prevent stolen credentials from being used to gain access to the account.
Four Essential Phishing Protection Measures
Phishing protection measures should consist of four elements: a spam filter, a web filter, end user training, and multi-factor authentication – often referred to as layered phishing defenses. If one layer should fail, others are in place to make sure the attack does not succeed.
A spam filter is your first line of defense and one that will block the vast majority of email threats. An advanced spam filter will block in excess of 99.9% of spam, phishing, and malware-laced emails. Spam filters incorporate several layers of protection. They use blacklists of known spammers – domains, email accounts, and IP addresses that have previously been used for spamming, phishing, and other nefarious activities. Checks are performed on the message headers and the message body is subjected to multiple checks to identify malicious URLs and keywords commonly used in spam and phishing emails. Each message is given a score, and if that score is higher than a pre-defined threshold, the message will be either deleted or quarantined. Spam filters also incorporate antivirus engines that check messages for malicious attachments.
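The layered scoring described above, as an added Python example that is not SpamTitan's code: sender and relay-IP blacklists, a header check, URL and keyword checks on the body, and a score compared against quarantine and delete thresholds. All blacklists, weights, thresholds and the three sample messages are constructed for illustration.

```python
"""Added example, not SpamTitan code: a scoring filter with the layers described
above (sender and IP blacklists, header checks, URL and keyword checks, score vs
thresholds). Lists, weights and sample messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

DOMAIN_BLACKLIST = {"bad-deals.example"}      # constructed sender blacklist
IP_BLACKLIST = {"203.0.113.45"}               # constructed, documentation range
URL_BLACKLIST = {"login-verify.example"}      # constructed phishing-site list
KEYWORD_WEIGHTS = {                           # constructed lure phrases and weights
    "verify your account": 3.0,
    "urgent": 1.5,
    "black friday": 1.0,
    "80% off": 2.0,
}
QUARANTINE_THRESHOLD = 5.0
DELETE_THRESHOLD = 10.0
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _text_of(msg):
    """Subject plus every text part, lowercased, for URL and keyword checks."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks).lower()


def score_message(raw):
    """Return (score, reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    score, reasons = 0.0, []
    # Layer 1: sender domain and originating IP against blacklists.
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rsplit("@", 1)[-1]
    if sender_domain in DOMAIN_BLACKLIST:
        score += 8.0
        reasons.append("blacklisted sender domain " + sender_domain)
    for hdr in msg.get_all("Received", []):
        for ip in re.findall(r"\[(%s)\]" % IPV4, hdr):
            if ip in IP_BLACKLIST:
                score += 6.0
                reasons.append("blacklisted relay IP " + ip)
    # Layer 2: header check; a Reply-To on another domain is typical of reply-harvesting scams.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rsplit("@", 1)[-1]
    if reply_domain and reply_domain != sender_domain:
        score += 2.0
        reasons.append("Reply-To domain differs from From domain")
    # Layer 3: body URLs (blacklisted hosts, raw-IP links) and lure keywords.
    text = _text_of(msg)
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host in URL_BLACKLIST:
            score += 6.0
            reasons.append("blacklisted URL host " + host)
        elif re.fullmatch(IPV4, host):
            score += 3.0
            reasons.append("link to raw IP address " + host)
    for phrase, weight in KEYWORD_WEIGHTS.items():
        if phrase in text:
            score += weight
            reasons.append("keyword '%s'" % phrase)
    return score, reasons


def filter_decision(raw):
    """Map the score onto the delete / quarantine / deliver outcome."""
    score, _ = score_message(raw)
    if score >= DELETE_THRESHOLD:
        return "delete"
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"
    return "deliver"


# Constructed sample messages (not real traffic).
PHISHING_SAMPLE = """From: "Amazon Deals" <offers@bad-deals.example>
Reply-To: collect@mailbox-harvest.example
Received: from unknown (HELO mail) ([203.0.113.45]) by mx.company.example
Subject: URGENT: verify your account for Black Friday 80% off

Urgent! Verify your account at http://login-verify.example/amazon to claim 80% off.
"""
SUSPECT_SAMPLE = """From: IT Helpdesk <helpdesk@corp-support.example>
Received: from mail ([198.51.100.9]) by mx.company.example
Subject: Password expiry

Please verify your account at http://198.51.100.23/reset before 5pm.
"""
LEGIT_SAMPLE = """From: Store Newsletter <news@shop.example>
Received: from mail.shop.example ([198.51.100.7]) by mx.company.example
Subject: Our Black Friday opening hours

Hi, our Black Friday opening hours are 8am to 10pm. See https://shop.example/hours for details.
"""
```

The three samples land on each side of the thresholds (delete, quarantine, deliver); in a real deployment the weights and lists come from threat intelligence feeds rather than constants.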
Cybercriminals are constantly changing tactics and developing new methods to obfuscate their phishing attempts to bypass spam filters. Spam filters are updated to block these new attacks, but there will be a lag and some messages will slip through the net on occasion. This is where a web filter kicks into action. A web filter will check a website against several blacklists and will assess the content of the website in real-time. If the website is deemed to be malicious, the user will not be permitted to connect, instead they will be directed to a local block page. Web filters also have AV software to prevent malware being downloaded and can be used to control the types of content users can access – blocking pornography for instance, or social media networks, gaming sites and other productivity drains.
End user training
Technical anti-phishing measures are important, but they will not block all attacks. It is therefore essential to provide end user training to help employees identify phishing and other malicious emails. A once-a-year formal training session should be conducted, with ongoing, regular shorter training sessions throughout the year to raise awareness of new threats and to reinforce the annual training. Phishing simulations should also be conducted to test whether training has been effective and to ensure that any knowledge gaps are identified and addressed.
If credentials are stolen in a phishing attack, or are otherwise obtained by a cybercriminal, multi-factor authentication can prevent those credentials from being used. In addition to a password, a second factor must be provided before account access is granted. This could be a token, code, or one-time password, with the latter usually sent to a mobile phone. While multi-factor authentication will block the majority of attempts by unauthorized individuals to access accounts, it is not infallible and should not be considered as a replacement for the other protections. Multi-factor authentication will also not stop malware infections.
Phishing Protection Solutions from TitanHQ
TitanHQ has developed two powerful cybersecurity solutions to help you protect against phishing and malware attacks: SpamTitan email security and the WebTitan web filter. Both of these solutions have multiple deployment options and are easy to implement, configure, and use. The solutions are consistently rated highly by end users for the level of protection provided, ease of deployment, ease of use, and for the excellent customer support if you ever have any problems or questions.
On top of that, pricing is totally transparent with no hidden extras, and the solutions are very competitively priced. Both are available on a free trial to allow you to test them in your own environment before committing to a purchase.
Over the past few months, cyberattacks involving Netwalker ransomware have been steadily increasing and Netwalker has now become one of the biggest ransomware threats of 2020.
Netwalker ransomware is the new name for a ransomware variant called Mailto, which first appeared a year ago in August 2019. The threat actors behind the ransomware rebranded their malware as Netwalker in late 2019 and in 2020 started advertising for affiliates to distribute the ransomware under the ransomware-as-a-service model. In contrast to many RaaS offerings, the threat group is being particularly choosy about who they recruit to distribute the ransomware and has been attempting to build a select group of affiliates with the ability to conduct network attacks on enterprises that have the means to pay large ransoms and the data to warrant such large payments if attacked.
Netwalker ransomware was used in an attack in February on Toll Group, an Australian logistics and transportation company, which caused widespread disruption, although the firm claims not to have paid the ransom. Like several other ransomware gangs, the Netwalker gang took advantage of the COVID-19 pandemic and used COVID-19 lures in phishing emails to spread the ransomware payload via a malicious email attachment, opting for Visual Basic Script (.vbs) loader attachments.
Then followed attacks on Michigan State University and Columbia College of Chicago, with the frequency of attacks increasing in June. The University of California San Francisco, which was conducting research into COVID-19, was attacked and had little choice other than to pay the $1.14 million ransom demand to regain access to essential research data that was encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the Netwalker gang.
The recent attacks have seen the attack vector change, suggesting the attacks have been the work of affiliates and that the recruitment campaign has worked. Recent attacks have used a range of techniques, including brute force attacks on RDP servers and the exploitation of vulnerabilities in unpatched VPN systems, such as Pulse Secure VPNs that have not had the patch for CVE-2019-11510 applied. Attacks have also been performed by exploiting user interface components of web apps, such as the Telerik UI vulnerability CVE-2019-18935, in addition to vulnerabilities in Oracle WebLogic and Apache Tomcat servers.
With the ransoms paid so far, the group is now far better funded and appears to have skilled affiliates working at distributing the ransomware. Netwalker has now become one of the biggest ransomware threats and has joined the ranks of Ryuk and Sodinokibi. Like those threat groups, data is stolen prior to file encryption and threats are issued to publish or sell the data if the ransom is not paid.
The increase in activity and skill of the group at gaining access to enterprise networks prompted the FBI to issue a flash alert warning of the risk of attack in late July. The group appears to be targeting government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing, in fact they are more than likely to increase.
Defending against the attacks requires a defense in depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to block email attacks, end users should be taught how to recognize malicious emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited so prompt patching is essential. All devices should be running the latest software versions.
Antivirus and anti-malware software should be used on all devices and kept up to date, and policies requiring strong passwords to be implemented should be enforced to prevent brute force tactics from succeeding. Patched VPNs should be used for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed regularly. Backups should be stored on a non-networked device that is not accessible over the internet to ensure they too are not encrypted in an attack.
A recent survey by Capterra on British SMEs has revealed 30% have fallen victim to a phishing attack during the COVID-19 lockdown. Just under half of the phishing emails received (45%) were related to coronavirus or COVID-19.
COVID-19 phishing emails increased significantly during the first quarter of 2020 as the coronavirus spread around the world. Since the virus was unknown to science, scientists have been working tirelessly to learn about the virus, the disease it causes, how the virus is spread, and what can be done to prevent infection. The public has been craving information as soon as it is available, which creates the perfect environment for phishing attacks. People want information and threat actors are more than happy to offer to provide it.
The Capterra survey highlights the extent to which these campaigns are succeeding. Employees are receiving phishing emails and being fooled by the social engineering tactics the scammers have adopted. The high success rate has seen many threat actors temporarily abandon the tried and tested phishing campaigns they were running before the SARS-CoV-2 outbreak and repurpose their campaigns to take advantage of the public’s thirst for knowledge about the virus. In the first quarter of 2020, KnowBe4 reported a 600% increase in COVID-19 and coronavirus themed phishing emails.
The high percentage of businesses that have experienced phishing attacks during the COVID-19 lockdown indicates many SMEs need to augment their anti-phishing defenses. There is also a need for further training to be provided to employees, as the emails are being opened and links are being clicked.
On the training front, formal training sessions may be harder to administer with so many employees working remotely. Consider conducting short training sessions via teleconferencing platforms and sending regular email alerts warning about the latest techniques, tactics and procedures being used in targeted attacks on remote workers. Phishing simulation exercises can be hugely beneficial and will help to condition workers to check emails thoroughly and report any threats received. These simulations also help identify which employees need further training to help them recognize potential phishing attacks.
Of course, the best way to ensure that employees do not open phishing emails and malicious attachments is to ensure they are not delivered to employees’ inboxes. That requires an advanced spam filtering solution.
Many SMEs and SMBs have now moved to an Office 365 hosted email solution, in which case email filtering will be taking place using Microsoft’s Exchange Online Protection (EOP), the default spam filtering service that protects all Office 365 users. If you are reliant on this solution for filtering out phishing emails and other types of malicious messages, you should consider adding a third-party solution on top of EOP.
Exchange Online Protection provides a reasonable level of security and can block phishing emails and known malware threats, but it lacks the features of more advanced spam filtering solutions and cloud-based email security gateways, such as machine learning and predictive technology to identify attacks that have not been seen before.
As an additional protection against phishing attacks, a web filtering solution should be considered. In the event of a phishing email arriving in an inbox, a web filter serves as an additional layer of protection to prevent attempts by employees to visit websites linked in the emails. When an attempt is made to visit a known phishing website or web content that violates your acceptable internet usage policies, access will be blocked and the user will be directed to a local web page telling them why access has been denied.
Multi-factor authentication should also be implemented for email to ensure that in the event that credentials are compromised, a second factor must be provided before access to the email account is granted.
For more information on spam filtering and web filtering, and further information on TitanHQ’s advanced cloud-based email security solution – SpamTitan – and DNS-based web filtering solution – WebTitan – give the TitanHQ team a call today.
Security awareness for remote workers has never been more important. It is fair to say that there have never been more people working from home than there are now during the COVID-19 pandemic, and home workers are now being actively targeted by cybercriminals who see them as providing an easy way to gain access to their corporate networks to steal sensitive information and install malware and ransomware.
Businesses may have already given their employees security awareness training to make sure they are aware of the risks they are likely to encounter and to teach them how to recognize and respond to threats. However, working from home introduces many more risks, and those risks may not have been covered in security awareness training sessions geared toward protecting office workers. Providing security training is especially important for remote workers, as risk increases when employees are working remotely.
In this post we will highlight some of the key areas that must be addressed in work from home (WFH) security awareness training for the workforce.
Increased Security Awareness for Remote Workers Required as COVID-19 Crisis Deepens
Naturally, as an email security solution provider, we strongly advocate the use of a powerful email security solution and layered technical defenses to protect against phishing, but technical controls, while effective, will not stop all threats from reaching inboxes. It is all too easy to place too much reliance on technical security solutions for securing email environments and work computers. The truth is that even with the best possible email security defenses in place, some threats will end up reaching inboxes.
The importance of providing security awareness training to the workforce and the benefits of doing so have been highlighted by several studies. One benchmarking study, conducted by the security awareness training provider KnowBe4, revealed 37.9% of employees fail phishing tests if they are not provided with security awareness and social engineering training. That figure has increased by 8.3% from the previous year. With security awareness training and phishing email simulations, the figure dropped to 14.1% after 90 days.
During the COVID-19 pandemic, the volume of phishing emails being sent has increased significantly and campaigns are being conducted targeting remote workers. The aim of the phishing campaigns is to obtain login credentials to email accounts, VPNs, and SaaS platforms and to spread malware and ransomware.
The number of employees now working from home, and the speed at which companies have had to transition from a largely office-based workforce to having virtually everyone working from home, may have seen security awareness training for remote workers put on the back burner. However, with the lockdown likely to be extended for several months and attacks on the rise, it is important to make sure that training is provided, and as soon as possible.
Increase in COVID-19 Domain Registrations and Rise in Web-Based Attacks
Security awareness training for remote workers also needs to cover internet security as not all threats will arrive in inboxes. Most phishing attacks have a web-based component, and malicious websites are being set up for drive-by malware downloads. Currently, the vast majority of threats are using COVID-19 and the Novel Coronavirus as a lure to get remote workers to download malware, ransomware, or part with their login credentials.
Unsurprisingly, cybercriminals have increased web-based attacks, which are being conducted using a plethora of COVID-19 and Novel-Coronavirus themed domains. By the end of March, approximately 42,000 domains related to COVID-19 and coronavirus had been registered. An analysis by Check Point Research revealed those domains were 50% more likely to be malicious than other domains registered over the same period.
It is important to raise awareness of the risks of using corporate laptops for personal use such as browsing the Internet. Steps should also be taken to limit the websites that can be accessed by employees and, at the very least, a solution should be implemented and configured to block access to known malicious websites that are used for phishing, fraud, and malware distribution.
Shadow IT is a Major Security Risk
When employees are office based and connected to the network, identifying shadow IT – unauthorized software and hardware used by employees – is more straightforward. Not only does the problem become harder to identify when employees work from home, the risk of unauthorized software being loaded onto corporate-issued devices also increases.
Software downloaded onto work computers carries a risk of a malware infection and potentially offers an easy way to attack the user’s device and the corporate network. IT teams will have little visibility into the unauthorized software on users’ devices and whether it is running the latest version and has been patched against known vulnerabilities. It is important to cover shadow IT in security awareness training for remote workers and to make it clear that no software should be installed on work devices and that personal USB devices should not be connected to corporate devices without the go-ahead being given from the IT department.
The COVID-19 pandemic has seen many workers turn to teleconferencing platforms to communicate with the office, friends, and family. One of the most popular teleconferencing platforms is Zoom. Malicious installers have been identified that install the genuine Zoom client but have been bundled with malware. Installers have been identified that also install adware, Remote Access Trojans, and cryptocurrency miners.
How TitanHQ Can Help Improve Email Security
Several security awareness training firms, such as the SANS Institute, have made resources available to businesses free of charge during the COVID-19 crisis to help them train the workforce. Take advantage of these resources and push them out to your workforce. If you are an SMB, you may also be able to get access to free phishing simulation emails to test the workforce and reinforce training.
TitanHQ can’t help you with your remote worker cybersecurity awareness training, but we can help by ensuring employees have to deal with fewer threats by protecting against email and web-based attacks.
SpamTitan is an advanced and powerful cloud-based email security solution that will protect remote workers from phishing, spear phishing, malware, virus, and ransomware attacks by blocking attacks at source and preventing the threats from reaching inboxes. SpamTitan features dual anti-virus engines to protect against known malware threats and sandboxing to block unknown (zero-day) malware threats. SpamTitan incorporates several real-time threat intelligence feeds to block current and emerging phishing attacks, and machine learning technology detects and blocks previously unseen phishing threats. SpamTitan has been developed to work seamlessly with Office 365 to allow businesses to create layered defenses, augmenting Microsoft’s protections and adding advanced threat detection and blocking capabilities.
WebTitan is a DNS filtering solution that will protect all workers from web-based attacks, no matter where they access the internet. WebTitan incorporates zero-minute threat intelligence and blocks malicious domains and webpages as soon as they are identified. The solution can also be used to carefully control the types of websites that remote workers can access on their corporate-owned devices, via keyword and category-based controls. WebTitan can also be configured to block the downloading of malicious files and software installers to control shadow IT.
For more information on protecting your business during the COVID-19 crisis, to arrange a product demonstration of SpamTitan and/or WebTitan, and to register for a free trial of either solution to allow you to start instantly protecting against email and web-based threats, contact TitanHQ today!
When it comes to cybersecurity and home working, CIOs and IT teams have a challenge: how to ensure remote workers get the same level of protection they get when they are in the office. To help, we have compiled a set of cybersecurity best practices for home workers to help IT teams prepare for a massive increase in telecommuting.
The cybersecurity protections at home will not be nearly as good for home workers as protections in the office, which are much easier to implement and maintain. IT departments will therefore need to teach telecommuting workers cybersecurity best practices for home working and their devices will need to be configured to access applications and work resources securely. With so many workers having to telecommute, this will be a major challenge.
The coronavirus pandemic has forced businesses to rapidly expand the number of telecommuting workers and having to increase capacity in such a short space of time increases the potential for mistakes. Further, testing may not be nearly as stringent as necessary given the time pressure IT workers are under. Their teams too are likely to be depleted due to self-isolating workers.
One area where standards are likely to slip is staff training on IT. Many employees will be working from home for the first time and will have to use new methods and applications they will not be familiar with. The lack of familiarity can easily lead to mistakes being made. It is important that even though resources are limited you still teach cybersecurity best practices for home workers. Do not assume that telecommuting workers will be aware of the steps they must take to work securely away from the office.
Steps for IT Teams to Take to Improve Cybersecurity for Home Workers
Listed below are some of the key steps that IT teams need to take to improve security for employees that must now work from home.
Ensure VPNs are Provided and Updated
Telecommuting workers should not be able to access their work environment unless they use a VPN. A VPN ensures that all traffic between the worker’s device and the corporate network is encrypted and cannot be intercepted in transit. Enterprise-grade VPNs should be used as they are more robust and provide greater security. Ensure there are sufficient licenses for all workers and that you have sufficient bandwidth available. You must also make sure that the VPN is running the latest software version and that patches are applied, even if this means some downtime to perform the updates: VPN vulnerabilities are under active attack.
Set up Firewalls for Remote Workers
You will have a firewall in place at the office and remote workers must have similar protections in place. Software firewalls should be enabled on remote workers’ devices. Home routers usually have inbuilt firewalls. Talk employees through activating the firewall on their home routers if they have one, and ensure that the home Wi-Fi network is protected with a strong password (WPA2 or better) and that the router’s default administrator password has been changed, so that unauthorized individuals cannot connect to or reconfigure the network.
Apply the Rule of Least Privilege
Remote workers introduce new risks, and with large sections of the workforce telecommuting, that risk is considerable. Remote workers are being targeted by cybercriminals through web- and email-based attacks. In the event of a malware infection or credential theft, damage can be limited by ensuring workers only have access to the resources absolutely necessary for them to perform their work duties. If possible, restrict access to sensitive systems and data.
Ensure Strong Passwords are Being Set
To protect against brute force attacks, ensure good password practices are being followed. Consider using a password manager to help employees remember their passwords. The use of complex passwords should be enforced.
Implement Multifactor Authentication
Multifactor authentication should be implemented on all applications that are accessed by remote workers. This measure will ensure that if credentials are compromised, system access is not granted unless a second factor is provided.
Ensure Remote Workers’ Devices Have Antivirus Software installed
Antivirus software must be installed on all devices that are allowed to connect to work networks and the solutions must be set to update automatically.
Set Windows Updates to Automatic
Working remotely makes it harder to monitor user devices and perform updates. Ensure that Windows updates are set to occur automatically outside of office hours. Instruct workers to leave their devices on to allow updates to take place.
Use Cloud-Based Backup Solutions
To prevent accidental data loss and to protect against ransomware attacks, all data must be backed up. By using cloud-based backups, in the event of data loss, data can be restored from the cloud backup service. Choose a service that keeps versioned copies, so that files encrypted by ransomware do not simply overwrite the good backup, and test that restoration actually works.
Teach Cybersecurity Best Practices for Home Workers
All telecommuting workers must be shown how they need to access their work environment securely when working away from the office. Reinforce IT best practices with home workers, provide training on the use of VPNs, provide training on cybersecurity dos and don’ts when working remotely, and explain procedures for reporting problems.
Define Procedures for Dealing with a Security Incident
Members of the IT team are also likely to be working remotely so it is essential that everyone is aware of their role and responsibilities. In the event of a security incident, workers should have clear procedures to follow to ensure the incident is resolved quickly and efficiently.
Implement a Web Filter
A web filter will help to protect against web-based malware attacks by blocking access to malicious websites and will help to prevent malware downloads and the installation of shadow IT. Also consider applying content controls to limit employee activities on corporate-owned devices. Drive-by malware attacks have increased and the number of malicious domains registered in the past few weeks has skyrocketed.
Use Encrypted Communication Channels
When you need to communicate with telecommuting workers, ensure you have secure communications channels to use where sensitive information cannot be intercepted. Use encryption for email and an end-to-end encrypted messaging app for text communications. WhatsApp encrypts messages end to end by default; in Telegram only Secret Chats are end-to-end encrypted, so standard Telegram chats should not be treated as private.
Ensure Your Email Security Controls are Sufficient
One of the most important cybersecurity best practices for home workers is to take extra care when opening emails. Phishing and email-based malware attacks have increased significantly during the coronavirus pandemic. Ensure training is provided to help employees identify phishing emails and other email threats.
Consider augmenting email security to ensure more threats are blocked. If you use Office 365, a third-party email security solution layered on top will provide much better protection. Exchange Online Protection (EOP) is unlikely to provide the level of protection you need against phishing and zero-day malware threats. Consider an email security solution with data loss prevention functions to protect against insider threats.
Monitor for Unauthorized Access
More devices connecting to work environments makes it much easier for threat actors to hide malicious activity. Make sure monitoring is stepped up. An intrusion detection system that can identify anomalous user behavior would be a wise investment.
For further information on enhancing email security and web filtering to protect remote workers during the coronavirus pandemic, contact TitanHQ today.
The first California Consumer Privacy Act lawsuit has been filed over an alleged failure to adequately protect consumer data. The lawsuit has been filed against Hanna Andersson, a children’s clothing company, and its ecommerce platform provider, Salesforce.com.
The California Consumer Privacy Act took effect on January 1, 2020. Under Civil Code 1798.100 – 1798.199, consumers could start exercising their new rights under CCPA from the compliance date. One of those rights is being able to take legal action against companies for privacy violations, such as the theft of personal data in a data breach.
The California Consumer Privacy Act lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of a victim of a 2019 data breach. The lawsuit alleges negligence and a failure to implement reasonable safeguards to protect consumer data, and that the data breach occurred as a direct result of the alleged negligence. A claim for damages has not been stated, although the right has been reserved to seek damages and relief at a later date.
The breach in question was announced by Hanna Andersson on January 15, 2020. Hackers had gained access to its systems and downloaded malware, which allowed the attackers to steal information such as names, personal information, and payment card data. That information was subsequently listed for sale on the dark web.
The California Consumer Privacy Act allows Californians to claim statutory damages of up to $750 per consumer per incident, so a class action California Consumer Privacy Act lawsuit arising from a sizeable data breach could prove extremely costly for a company. In this case, the data breach affected approximately 10,000 California residents, so damages of up to $7,500,000 could potentially be claimed.
Enforcement of CCPA
Enforcement of compliance by the California Attorney General has been delayed and will start 6 months after the publication of the final regulations or on July 1, 2020, whichever comes sooner. Since the final regulations have yet to be published, the enforcement date will be July 1, 2020. California Attorney General Xavier Becerra has already stated that he will make an example of businesses that fail to comply with CCPA.
It should be noted that there is nothing in CCPA that prevents the state attorney general from issuing notices of noncompliance before that date and consumers can already file lawsuits to claim damages. It is therefore essential for all entities covered by CCPA to ensure that they are honoring the new consumer rights and have implemented safeguards to protect consumer data.
How TitanHQ Can Help with CCPA Compliance
TitanHQ offers two powerful security solutions that can help covered entities ensure the data of consumers is protected and data breaches are prevented. These two cybersecurity solutions protect against the two most common attack vectors – Email and the internet.
SpamTitan is a powerful anti-spam, anti-malware, and anti-phishing solution that protects email systems from phishing and spear phishing attacks, known and zero-day malware threats, and email-based ransomware attacks.
WebTitan is a companion solution that blocks the web-based element of phishing attacks, exploit kits, and drive-by malware downloads over the internet, while also controlling the content that employees can access on wired and wireless networks.
TitanHQ can also help covered entities comply with the right to know and right to delete consumer rights afforded by CCPA through ArcTitan. ArcTitan is an email archiving solution that allows organizations to meet state and federal email data retention requirements and quickly find emails containing consumer data. If a California resident exercises their right to know what data is held on them by a company, or requests all of their personal data is deleted, that information can quickly be found in the archive. ArcTitan will also allow you to quickly find email data for eDiscovery in the event of any legal disputes.
For further information on these solutions, to schedule a product demonstration, or to arrange a free trial of the full solutions (with full customer support), give the TitanHQ team a call today.
TitanHQ has announced a new partnership with Pax8. The partnership means Pax8 partners now have access to TitanHQ’s cloud-based email security solution – SpamTitan – and its DNS filtering solution, WebTitan.
Pax8 is the leader in cloud distribution. The company simplifies the cloud buying process and empowers businesses to achieve more with the cloud. The company has been named Best in Show for two consecutive years at the Next Gen and XChange conferences and is positioned at number 60 in the 2019 Inc. 5000 list of the fastest growing companies.
Pax8 carefully selects the vendors it works with and only offers market-leading channel friendly solutions to its partners. When searching for further cybersecurity solutions for its partners, TitanHQ was determined to be the perfect fit. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace and its cybersecurity solutions are much loved by users. This was clearly shown in the 2019 G2 Crowd Report on Email Security Gateways where SpamTitan was named leader, having achieved 4- or 5-star ratings by 97% of its users, with 92% saying they would recommend the solution to other businesses.
Phishing, malware, and ransomware attacks have all increased in the past year and the cost of mitigating those attacks continues to rise. By implementing SpamTitan and WebTitan, SMBs and MSPs can secure their email environments and block web-based threats and keep their networks secure.
SpamTitan provides excellent protection for Office 365 environments. The solution detects and blocks phishing and email impersonation attacks and prevents known and zero-day malware and ransomware threats from reaching inboxes. The WebTitan Cloud DNS filtering solution blocks the web-based component of cyberattacks by preventing end users from visiting malicious websites, such as those harboring malware and phishing kits.
Both solutions are quick and easy to implement, can be seamlessly integrated into MSPs’ service stacks and cloud-management platforms, and Pax8 partners benefit from highly competitive and transparent pricing, centralized billing, and leading customer support.
“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO, TitanHQ. “Their focus and dedication to the MSP community are completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”
The Travelex ransomware attack that started around December 31, 2019 is one of several recent ransomware attacks where threat actors have upped the ante by threatening to publish data stolen from victims prior to the deployment of ransomware.
A New Trend in Ransomware Attacks
Most ransomware attacks, especially those conducted by affiliates using ransomware-as-a-service, see ransomware deployed instantly. An employee receives a ransomware attachment via email, opens the attachment, and the encryption process is started. Now, several threat actors have taken steps to increase the probability of their ransom demand being paid.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has recently issued warnings about changing ransomware tactics, which now involve data theft prior to file encryption. This tactic is not new; several threat actors have been conducting these types of attacks for some time, but attacks of this nature have been increasing.
Once access to the network is gained, the attackers move laterally and gain access to as many devices as possible. Data is stolen and, when the attackers have stolen as much as they want, ransomware is deployed. In these types of attacks, the time between the initial compromise and deployment of ransomware is typically several months.
Data may be stolen and sold online with the ransomware deployed as a coup de grace after a long-term compromise to extort money from the company. Now it is increasingly common for a threat to be issued along with the ransom demand that the stolen data will be published or sold if the ransom is not paid.
This tactic has been adopted by the threat actors behind Maze ransomware and they have gone ahead and published stolen data when the ransom was not paid. The threat actors using MegaCortex ransomware and LockerGoga ransomware have similarly issued threats.
Now the gang behind Sodinokibi (REvil) ransomware has also changed tactics and has started issuing threats to publish stolen data. The Sodinokibi gang had made several threats to sell on or publish stolen data, but it was only recently that they followed through. The gang attacked Artech Information Systems, one of the largest IT staffing companies in the U.S. When the ransom demand was not paid, 337MB of stolen data was published on a Russian hacking and malware forum. The Travelex ransomware attack is one of the latest Sodinokibi ransomware attacks, and a threat to publish stolen data was similarly issued.
The Travelex Ransomware Attack
On New Year’s Eve, Travelex took its systems offline to contain the infection and limit the damage caused. More than two weeks on, Travelex systems are still offline although the company is now starting to restore some of its systems. The number of branches affected by the attack, and banks and other companies that rely on its currency exchange services, makes this one of the most serious and damaging ransomware attacks ever.
With its systems offline, Travelex has been unable to provide its currency services to banks such as HSBC, Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, all of which rely on Travelex for providing their currency services. Many other companies, such as the supermarket chains Sainsbury’s and Tesco, have also had to stop providing online currency services to their customers. Travelex has been forced to provide services manually using pen and paper for over the counter currency exchanges in its branches. More than 70 countries in which Travelex operates were affected by the attack.
Travelex has only released a limited amount of information about the attack, but the attackers have been in contact with several media outlets. Initial reports suggested a payment of $3 million was required for the keys to unlock the encryption, although the demand doubled to $6 million when payment was not received within the stipulated 2 days. The attackers also threatened to publish data stolen in the attack if the payment was not made within 7 days.
Travelex issued a statement saying no customer data was breached and that the infection was contained, a position that has been maintained since the attack, even though the Sodinokibi gang has threatened to publish customer data.
The Sodinokibi ransomware gang, through a spokesperson, said the gang had stolen 5GB of customer data including customers’ names, dates of birth, credit card information, Social Security numbers, and National Insurance numbers. The gang claimed that all stolen data would be deleted and would not be used if the ransom demand was paid, but that the data would be sold if payment was not received. The gang also said access to Travelex systems was gained 6 months before the ransomware was deployed.
How Was Travelex Attacked?
It is not known at this stage exactly how ransomware was installed on its network, but several security researchers have offered some clues. According to BleepingComputer, Travelex was using insecure services prior to the attack. Security researcher Kevin Beaumont found Travelex had AWS Windows servers exposing Remote Desktop without Network Level Authentication enabled. Without NLA, an RDP server presents its login screen and pre-authentication attack surface to anyone who can reach the port, which could have given the attackers the opportunity they needed to launch an attack.
A critical vulnerability in the Pulse Secure VPN enterprise solution for secure communications – CVE-2019-11510 – was identified and patched by Pulse Secure on April 24, 2019. The flaw allows an unauthenticated attacker to read arbitrary files from the appliance over HTTPS, including cached credentials, which can then be used to log in to the VPN. Many companies were slow to apply the patch, despite receiving multiple warnings from Pulse Secure. An exploit for the vulnerability was made public on August 21, 2019.
Troy Mursch, chief research officer at Bad Packets, found that Travelex had not applied the patch by the time the exploit was released. The Sodinokibi ransomware gang said they compromised Travelex 6 months prior to the deployment of ransomware. This could have been the vulnerability that was exploited.
Recovery Now Well Underway
On January 13, 2020, more than 2 weeks after the ransomware attack was experienced, Travelex issued a statement confirming that the recovery process was well underway, although the firm’s website was still offline. The company had started restoring its currency services to banks and its own network. Internal order processing has been restored and customer-facing systems are slowly being brought back online. What Travelex has not confirmed is whether the ransom was paid. No Travelex data appears to have been published online so it is possible that a ransom payment has been negotiated with the attackers.
Cost of the Travelex Ransomware Attack
The ransom payment is considerable but is likely to be a small fraction of the cost of the downtime and disruption to its services.
No customer data appears to have been misused, but Travelex could still face a barrage of lawsuits from customers, and the Information Commissioner’s Office and other data protection authorities may choose to fine Travelex over the data breach, either for the exposure of data or for the failure to report under GDPR.
GDPR requires data breaches to be reported to data protection authorities within 72 hours and it appears that did not happen. The maximum financial penalty for a GDPR violation is €20 million or 4% of a company’s global annual turnover, whichever is greater. Travelex’s global annual turnover in 2018 was $947.86 million, so a fine of up to roughly $37.9 million (4% of turnover) could be issued. It should be noted that even if data was not stolen by the attackers and was only made inaccessible, it still counts as a reportable data breach under GDPR.
A payment of $6 million to the attackers would only be a tiny proportion of the total losses from downtime, lost business, lawsuits, and regulatory fines.
Cyberattacks on managed service providers have been increasing over the past few months and they are now a key target for hackers. If a hacker can gain access to the systems of a managed service provider, their remote administration tools can be used to launch attacks on their clients.
There have been several major cyberattacks on managed services providers in the past few weeks, with nation state-backed hacking groups targeting MSPs serving enterprises and ransomware gangs are conducting attacks on MSPs serving small and medium sized businesses.
Three major cyberattacks on managed service providers serving healthcare organizations in the United States have been reported in the past two months. All three have affected more than 100 healthcare clients and one impacted 400.
In late November, the Milwaukee-based managed IT service provider Virtual Care Provider Inc. was attacked with Ryuk ransomware. The attack started on November 17, 2019 and affected all of its clients’ data. Around 110 nursing homes and acute care facilities were prevented from accessing their patients’ medical records. The consequences for its clients were dire. Assisted living facilities and nursing homes were prevented from billing for Medicaid, which meant essential funding was not provided, and nursing homes were prevented from ordering essential drugs for patients. Virtual Care Provider was issued with a $14 million ransom demand, which the company could not afford to pay. The managed service provider had around 20% of its services affected and had to rebuild around 100 servers.
The ransomware was deployed as a secondary payload by the TrickBot Trojan. TrickBot had been installed on its network 14 months previously via a malicious email attachment.
A few weeks later, a Colorado-based managed service provider serving dental practices was attacked with ransomware. Complete Technology Solutions was infected with a ransomware variant called Sodinokibi. First the MSP was attacked, then its remote administration tools were used to deploy ransomware on the networks of more than 100 dental practices. A ransom demand of $700,000 was issued, which the MSP refused to pay. Its clients are now having to pay the attackers for the keys to decrypt their files. Only a few that had backups stored off the network were able to recover without paying the ransom.
This is the second such attack to affect a company serving the dental industry. The dental record backup service provider, PerCSoft, was also attacked with Sodinokibi ransomware. That attack affected approximately 400 dental practices. CyrusOne was also attacked with Sodinokibi ransomware and its managed services division and six of its clients were affected.
It is not only ransomware that is being used in the attacks. Nation-state threat groups such as APT10 are also targeting MSPs. Their aims are different. The attacks are being conducted to gain access to the intellectual property of their enterprise customers.
As cyberattacks on managed service providers increase, MSPs must ensure that they have adequate defenses in place to keep the hackers at bay. This is an area where TitanHQ can help. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers that serve the SMB market.
TitanHQ offers a trio of solutions for MSPs under the TitanShield program. SpamTitan email security is a powerful cloud-based solution that keeps inboxes free of spam, phishing emails, and malware. SpamTitan incorporates SPF and DMARC to block email impersonation attacks, uses dual antivirus engines to detect known malware threats, and heuristics and sandboxing to identify and block zero-day threats.
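To make concrete what an SPF and DMARC check on an inbound message actually decides, here is an added example written for this article; it is not TitanHQ or SpamTitan code. It assumes the SPF and DMARC TXT records are supplied as constructed strings rather than resolved from DNS, so it runs offline; it evaluates only the ip4, ip6 and all SPF mechanisms (include, a, mx and redirect need DNS lookups and are treated as no-match), and it approximates the DMARC organizational domain with the last two labels instead of the Public Suffix List.

```python
"""Added example, not TitanHQ/SpamTitan code: SPF evaluation plus DMARC
alignment and disposition for an inbound message. DNS records are
constructed strings (assumption) so the example runs offline."""
import ipaddress

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for the illustration (not real domains' records).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate a v=spf1 record for the connecting IP.

    Only ip4/ip6 mechanisms and 'all' are evaluated here; include/a/mx/
    redirect require DNS and are treated as no-match (a real resolver
    would recurse into them)."""
    if not record.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is '+' (pass on match)
        if term[:1] in ("+", "-", "~", "?"):
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return SPF_RESULT[qualifier]  # 'all' always matches
        if name in ("ip4", "ip6") and value:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == net.version and ip in net:
                return SPF_RESULT[qualifier]
    return "neutral"  # record exhausted without an 'all' term


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if not a valid DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. RFC 7489 uses the PSL.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, dmarc_record, spf_result, spf_domain,
                      dkim_result, dkim_domain) -> str:
    """Return 'no_policy', 'pass', or the published policy (none/quarantine/reject).

    A message passes DMARC if SPF or DKIM passed *and* the passing
    identifier aligns with the RFC5322.From domain; otherwise p= applies."""
    tags = parse_dmarc(dmarc_record)
    if not tags:
        return "no_policy"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()


if __name__ == "__main__":
    # Legitimate mail from the company's own server vs. an impersonation
    # attempt from an unrelated IP with the same From: domain.
    for ip, mail_from in (("203.0.113.25", "mail.example.com"), ("198.51.100.7", "example.com")):
        spf = check_spf(SAMPLE_SPF, ip)
        verdict = dmarc_disposition("example.com", SAMPLE_DMARC, spf, mail_from, "fail", "")
        print(f"src={ip} spf={spf} dmarc={verdict}")
```

The two cases in the demo show why both checks are needed: the impersonation attempt fails SPF and has no DKIM signature, so the published p=reject policy applies, whereas a forwarded or misconfigured legitimate message with a relaxed aspf= still passes through organizational-domain alignment.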
WebTitan Cloud is a 100% cloud-based DNS filtering solution that works seamlessly with SpamTitan to block web-based phishing attacks and malware downloads. The solution allows you to monitor and identify malicious threats in real time, and includes AI-driven protection against active and emerging phishing URLs, including zero-minute threats.
The third solution is ArcTitan, a cloud-based email archiving solution that provides protection against data loss and helps MSPs and their clients meet their compliance obligations. ArcTitan serves as a black box flight recorder for email and stores email data securely in the cloud on Replicated Persistent Storage on AWS S3. When emails need to be searched and recovered, the searches are lightning fast. ArcTitan can search up to 30 million emails a second.
ArcTitan has recently been moved to a brand new system, with the service delivered as a highly available, self-healing horizontally scaled Kubernetes cluster. Within that cluster are many different components working in harmony together, but independently. Should any component go down, that component can be taken offline and repaired with no impact on the others, ensuring a much more reliable service with minimal or no disruption during an outage. With ArcTitan, email is protected from cyberattacks.
These solutions are not only ideal for improving the security posture of MSP clients, they can also help to ensure that MSP systems are protected from attack. All TitanHQ solutions are quick and easy to implement, have a low management overhead, and are API-driven so they can easily be incorporated into MSPs’ remote management and monitoring systems.
To find out more about the TitanShield program for managed service providers and to discover how TitanHQ’s cybersecurity solutions can improve yours and your clients’ security posture, give the TitanHQ channel team a call today.
Cybercriminals are inventive and their attacks are becoming increasingly sophisticated. To help ensure you are prepared and can defend your business against these attacks, we have listed the top 10 cybersecurity threats your business is likely to face, along with some tips to help you prevent a costly data breach.
Cybercriminals are not just trying to attack large enterprises. Sure, a cyberattack on a large healthcare system or blue-chip company can be incredibly rewarding, but the defenses they have in place make attacks very difficult. SMBs on the other hand have far fewer resources to devote to cybersecurity and as a result they are easier to attack. The potential rewards may not be as great, but attacks are more likely to succeed which means a better return on effort. That is why so many SMBs are now being attacked.
There is a myriad of ways that a company can be attacked, and the tactics, techniques and procedures used by cybercriminals are constantly changing. The top 10 cybersecurity threats listed below include the main attack vectors that need to be blocked and will serve as a good starting point on which you can build a robust cybersecurity program.
Top 10 Cybersecurity Threats Faced by SMBs
We have listed the top 10 cybersecurity threats that SMBs need to defend against. All the threats listed below need to be addressed as any one of them could easily result in a costly data breach, data loss, or could cripple your business. Some of the threats listed below will be harder to address than others, and it will take time for your cybersecurity defenses to mature. The important thing is to start the ball rolling and address as many of these areas as soon as possible.
Human Error and Insider Threats
We have listed human error first, as it doesn’t matter what hardware and software solutions you implement, human error can easily undo much of your good work. Mistakes will be made by employees on occasion. What you need to do is reduce the potential for errors and limit the harm that can be caused.
Developing robust policies and procedures and providing training will help to ensure that your employees know how to act and more importantly, how not to.
Mistakes are not the only thing you need to take steps to try to prevent. There may also be individuals on your payroll who will take advantage of poor security for personal gain. You will also need to tackle the problem of insider threats and make it harder for rogue employees to cause harm and steal data. The measures listed below will help address threats from within and reduce risk.
Enforce the use of strong passwords but make it easier for your employees to remember them so they don’t try to circumvent your password policy or, heaven forbid, write their passwords down. Implement a password manager to store their passwords so they only have one password or pass phrase to remember.
Rule of Least Privilege
It is obvious, but often overlooked. Don’t give employees access to resources they do not need for their day-to-day work duties. If their credentials are compromised, this will limit the harm caused. It will also limit the harm that can be caused by rogue employees.
Block the Use of USB Devices
USB devices make it easy for rogue employees to steal data and for malware to be introduced, whether accidentally or deliberately. Implement technical controls to prevent USB storage devices from being connected, and if they are required for work purposes, grant permission only to the specific individuals who need them. Ideally, use more secure methods of transferring or storing data.
Monitor Employee Activity
If rogue employees are stealing data, you are only likely to find out if you are monitoring their computer activity. Similarly, if credentials are compromised, authentication and system logs will contain the evidence of suspicious activity, but only if those logs are actually collected and reviewed. Make sure logs are created, retained, and monitored. Consider using a security information and event management (SIEM) solution to automate this as much as possible.
Terminate Access at Point of Termination
Terminating an employee? Terminate their access to your systems at the point of termination. It is surprising how often employee access rights are not terminated for days, weeks, or even months after an employee has left the company.
We will cover some more important safeguards to implement to protect against user error in the following 9 SMB cybersecurity threats.
Phishing and Social Engineering Attacks
Phishing is arguably the biggest cybersecurity threat faced by SMBs. Phishing is the use of social engineering techniques to persuade people to divulge sensitive information or take an action such as installing malware or ransomware. This is most commonly achieved via email, but can also occur via text messages, social media websites, or over the telephone.
Do not assume that your employees have common sense and know not to open email attachments from unknown individuals or respond to enticing offers from legal representatives of Nigerian princes. You must train your employees and teach cybersecurity best practices and show them how to identify phishing emails. Refresher training should be provided at regular intervals and you should conduct phishing simulation exercises (which can largely be automated) to find out who has taken the training on board and who is a liability that needs further training.
Employees are the last line of defense, so you need a layer of security in front of them to ensure their security awareness training is rarely put to the test. That means an advanced anti-spam/anti-phishing solution needs to be in place to block threats before they reach inboxes. If you use Office 365, you should still implement an additional antispam solution. A recent study by Avanan revealed 25% of phishing emails bypass Office 365 antispam defenses.
Another layer of protection should also be implemented to protect against phishing: multi-factor authentication. This requires a second factor, such as a one-time code from an authenticator app or a hardware token, in addition to the password, and it can be tightened further by challenging logins from untrusted devices or locations. If credentials are compromised in a phishing attack, multi-factor authentication makes it far harder for them to be used to gain access to email accounts, computers, or network resources.
Malware and Ransomware
Malware, viruses, ransomware, spyware, Trojans, worms, botnets, and cryptocurrency miners are all serious threats that you must take steps to block. It goes without saying, but we will say it nonetheless: you need to have antivirus software installed and kept up to date on all endpoints and servers.
Malware can be installed in many ways. As previously mentioned, blocking USB devices is important and spam filtering software with sandboxing will protect you from email-based attacks. Most malware infections now occur via the internet, so a web filtering solution is also important. This will also add an extra layer to your phishing defenses. A web filter will block drive-by malware downloads, prevent employees from visiting malicious sites (including phishing websites) and also allows you to enforce your internet usage policies. A DNS filtering solution is the best choice. All filtering takes place in the cloud before any content is downloaded and it will not add to your patching burden.
Shadow IT
Shadow IT is the term given to any hardware or software in use that has not been authorized by your IT department. This could be a portable storage device such as a zip drive, a VPN client to bypass your web filter, an application to help with work tasks, or all manner of other software. It is surprising to find exactly how many of these programs are installed on users’ devices when IT support staff are called upon to sort out a problem!
So, what is the problem? Anything installed without authorization is a potential security and compliance risk. Your security team has no control over patching, so vulnerabilities in those applications could easily go unaddressed for months and give hackers an easy entry point into your network. Fake applications could be downloaded that are really malware, software packages often bundle potentially unwanted programs and spyware, and any data stored in these applications could be transmitted to unsecure locations. Those applications, and the data they contain, are also unlikely to be backed up by the IT department. If anything happens, that data can easily be lost.
Unpatched Software
The importance of prompt patching cannot be overstated. Vulnerabilities exist in all software. Sooner or later those vulnerabilities will be found, and exploits will be developed to take advantage of them. Security researchers are constantly looking for flaws that could be exploited by threat actors to gain access to sensitive information, install malware, or remotely execute code. When these flaws are identified and patches are released, they need to be applied promptly. Oftentimes, vulnerabilities are already being actively exploited by the time a patch is released. It is essential for these vulnerabilities to be addressed as soon as possible and for all software to be kept up to date.
When software or operating systems are approaching end of life, you must upgrade. When patches stop being issued and software is unsupported, any vulnerabilities will remain unaddressed and can easily be exploited.
Out of Date Hardware
Not all vulnerabilities come from out of date software. The hardware you use can also introduce risks. You must keep an inventory of all your hardware so nothing slips through the cracks. Firmware updates should be applied as soon as they are made available, and you should monitor for any devices that are approaching end of life. If your devices do not support the latest operating systems, then it is time to replace your hardware. This will naturally come at a cost, but so do cyberattacks and data breaches.
Unsecured IoT Devices
The Internet-of-Things offers convenience, but IoT devices are a potential liability. IoT devices can send, store, or transmit data, so they must be secured.
Unfortunately, in the hurry to connect everything to the internet device manufacturers often overlook security as do users of these devices. Take security cameras for instance. You may be able to access your cameras remotely, but you may not be the only person who can. If your security cameras are hacked, thieves could see what you have, where it is located, and where and when security is lax. There have been cases of security cameras being hacked due to the failure to change default credentials for remote management.
Ensure you change the default credentials on the devices and use strong, unique passwords. Keep the devices up to date, and if the devices need to connect to the network, make sure they are isolated from other resources on their own network segment. Cybercriminals can also take advantage of flaws in the applications and cloud services to which these IoT devices connect, so those must also be kept up to date.
Man-in-the-Middle Attacks and Public Wi-Fi
A man-in-the-middle (MITM) attack is an attack scenario where communications between two individuals (or one individual and a website or network) are intercepted and potentially altered. An employee may believe they are communicating securely, when everything they are saying or doing is being seen or recorded. An attacker could even control the conversation between two people and be communicating with each separately while both individuals believe they are communicating with each other. This method of attack most commonly occurs through unsecured Wi-Fi hotspots or evil twin hotspots – Fake Wi-Fi hotspots set up in coffee shops, airports, and any other location where free Wi-Fi is offered.
If you have remote workers, you need to take steps to ensure that all communications are kept private. This can be achieved in two main ways: by making sure employees use a secure VPN that encrypts their communications over public or unsecured Wi-Fi networks, and by complementing that with a DNS filtering solution. The DNS filtering solution provides the same protection for remote workers as it does for on-premises workers and will prevent malware downloads and stop employees from accessing malicious websites.
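To make concrete how a DNS filter reaches its decision before any content is downloaded (the point made above for both on-premises and remote workers), here is an added example of the policy evaluation; it is not WebTitan's or any other vendor's code. The queried name is normalized and walked from the most specific label outwards, so a blocklisted domain also covers all of its subdomains, an allowlisted subdomain can override a blocked parent, and category rules enforce the internet usage policy. The blocklist, allowlist and category map are constructed for the example; a real deployment feeds them from threat-intelligence and categorization feeds.

```python
from dataclasses import dataclass

# Constructed policy data for the example (not real threat intelligence).
BLOCKLIST = ["malware-c2.example", "phish.example.org"]
ALLOWLIST = ["ok.casino.example"]
CATEGORIES = {"casino.example": "gambling", "news.example.net": "news"}
BLOCKED_CATEGORIES = {"gambling"}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'CDN.Example.COM.' matches 'cdn.example.com'."""
    return name.strip().rstrip(".").lower()


def candidate_names(qname: str):
    """Yield the queried name, then each parent: a.b.example.com, b.example.com, example.com, com."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class DnsPolicy:
    def __init__(self, blocklist, allowlist, categories, blocked_categories):
        self.blocklist = {normalize(d) for d in blocklist}
        self.allowlist = {normalize(d) for d in allowlist}
        self.categories = {normalize(d): c for d, c in categories.items()}
        self.blocked_categories = set(blocked_categories)

    def evaluate(self, qname: str) -> Verdict:
        # Walk from the most specific name outwards; the first rule that matches wins,
        # so an allowlisted subdomain overrides a blocked parent and a blocked
        # subdomain does not leak through an allowlisted parent.
        for name in candidate_names(qname):
            if name in self.allowlist:
                return Verdict(True, f"allowlisted: {name}")
            if name in self.blocklist:
                return Verdict(False, f"blocklisted: {name}")
            category = self.categories.get(name)
            if category in self.blocked_categories:
                return Verdict(False, f"blocked category {category}: {name}")
        return Verdict(True, "no matching rule")


DEFAULT_POLICY = DnsPolicy(BLOCKLIST, ALLOWLIST, CATEGORIES, BLOCKED_CATEGORIES)


def check(qname: str, policy: DnsPolicy = DEFAULT_POLICY) -> Verdict:
    """Decide whether a DNS query should be answered normally or sinkholed."""
    return policy.evaluate(qname)


if __name__ == "__main__":
    for q in ["cdn.MALWARE-c2.example.", "casino.example", "ok.casino.example", "example.org"]:
        print(q, check(q))
```

A resolver enforcing this policy would answer a blocked query with a sinkhole or block-page address instead of the real record, which is why the connection never reaches the malicious host and no payload is fetched.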
Mobile Security Threats
There is no denying the convenience of mobile devices (laptops, tablets, smartphones). They allow workers to be contacted instantly and let them work from any location. Mobile devices improve employee mobility, can lead to greater employee satisfaction, and will help you boost productivity. However, the devices also introduce new risks. Whether you supply these devices or operate a BYOD policy, you need to implement a range of security controls to ensure those risks are managed.
You need to make sure you know of every device that you allow to connect to the network. A mobile device security solution can help you gain visibility into mobile device use and allow you to control your applications and data.
You should ensure the devices have security controls applied, can only access your network via secure channels (VPN), ensure the devices are covered by a DNS filtering solution, and any work data stored on the devices needs to be encrypted.
Remote Desktop Protocol
Remote desktop protocol (RDP) allows employees to remotely connect to your computers and servers when they are not in the office, and lets your managed service provider quickly sort out your problems and maintain your systems without having to pay a visit. RDP also gives hackers an easy way to gain access to your computers and servers, steal data, or install malware. Do you need RDP enabled? If not, disable it. Does it need to be used internally only? Make sure that RDP is not exposed to the internet.
If you do need RDP, then you need to exercise extreme caution. Make sure that users can only connect via a VPN, or restrict access with firewall rules to known source addresses. Limit the individuals who have permission to use RDP, ensure strong passwords are set, and implement rate limiting or account lockout to protect against brute force attacks. Also use multi-factor authentication.
Stolen RDP credentials are often used by hackers to gain access to systems, brute force attempts are often conducted, and vulnerabilities in RDP that have not been patched are frequently exploited. This is one of the main ways that ransomware is installed.
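The log monitoring recommended under Monitor Employee Activity and the RDP brute-force and stolen-credential scenarios described here can be turned into concrete detection logic. The following added example (not code from the original article or from TitanHQ) runs over a handful of constructed Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 meaning RDP) in the JSON-lines shape a log forwarder ships to a SIEM. It raises an alert when one source address accumulates repeated RDP failures inside a short window, when a successful logon from that address follows the burst (the pattern of a guessed or stolen credential), and when an account on a terminated-staff list logs on at all. The threshold, window, event field names and terminated-account list are assumptions for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): a password-guessing burst against
# RDP from 203.0.113.7, a success from the same address shortly afterwards, a
# normal user with one typo, and a logon by a departed employee.
SAMPLE_LOG = """\
{"time": "2021-09-01T02:14:01Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"}
{"time": "2021-09-01T02:14:03Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"}
{"time": "2021-09-01T02:14:05Z", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"}
{"time": "2021-09-01T02:14:08Z", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2021-09-01T02:14:10Z", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2021-09-01T02:14:12Z", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2021-09-01T02:14:40Z", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2021-09-01T08:01:10Z", "event_id": 4624, "logon_type": 2, "user": "jdoe", "src_ip": "10.0.0.15"}
{"time": "2021-09-01T08:02:30Z", "event_id": 4625, "logon_type": 2, "user": "jdoe", "src_ip": "10.0.0.15"}
{"time": "2021-09-01T08:02:45Z", "event_id": 4624, "logon_type": 2, "user": "jdoe", "src_ip": "10.0.0.15"}
{"time": "2021-09-01T09:30:00Z", "event_id": 4624, "logon_type": 10, "user": "bwilson", "src_ip": "10.0.0.22"}
"""

# Assumed feed of accounts belonging to staff who have left (see "Terminate
# Access at Point of Termination"); any logon by one of these is an alert.
TERMINATED_ACCOUNTS = frozenset({"bwilson"})
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'time' field, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], TIME_FMT)
        events.append(ev)
    events.sort(key=lambda e: e["time"])
    return events


def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=2),
           terminated: frozenset = TERMINATED_ACCOUNTS) -> list:
    """Sliding-window detection over logon events; returns a list of alert dicts."""
    recent_failures = defaultdict(deque)   # src_ip -> timestamps of 4625s within window
    already_alerted = set()                # one brute-force alert per source address
    alerts = []

    def alert(rule: str, ev: dict) -> None:
        alerts.append({"rule": rule, "src_ip": ev["src_ip"], "user": ev["user"],
                       "time": ev["time"].strftime(TIME_FMT)})

    for ev in events:
        ip, now = ev["src_ip"], ev["time"]
        failures = recent_failures[ip]
        while failures and now - failures[0] > window:   # drop failures outside window
            failures.popleft()
        if ev["event_id"] == 4625:
            failures.append(now)
            if ev["logon_type"] == 10 and len(failures) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alert("rdp_bruteforce", ev)
        elif ev["event_id"] == 4624:
            if len(failures) >= threshold:                # success right after a burst
                alert("success_after_failures", ev)
            if ev["user"].lower() in terminated:
                alert("terminated_account_logon", ev)
    return alerts


def run_sample() -> list:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The "success after failures" rule is the one worth escalating immediately: a burst of failures that ends in a 4624 means the guessing worked or a stolen credential was confirmed, and the next step in the page's own scenario is ransomware deployment.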
These are just the top 10 cybersecurity threats faced by SMBs. There are many more risks that need to be identified and mitigated to ensure you are protected. However, by addressing the above issues you will have already made it much harder for hackers and cybercriminals to do your business harm.
TitanHQ is Here to Help!
TitanHQ can assist by providing you with advanced cybersecurity solutions that protect against several of the top 10 cybersecurity threats listed above and secure the two most commonly used attack vectors: email and web-based attacks. These solutions, SpamTitan and WebTitan, are 100% cloud based, easy to implement and maintain, and will provide superior protection against malware, ransomware, viruses, botnets, and phishing attacks.
Further, these powerful solutions are affordable for SMBs. You are likely to be surprised to find out how little these enterprise-grade security solutions will cost. If you are a managed service provider that services the SMB market, you should also get in touch. SpamTitan and WebTitan have been developed by MSPs for MSPs. There is a host of reasons why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs that service the SMB market!
Contact our friendly (and non-pushy) sales team today to find out more, book a product demo, and register for a free trial.
Q3, 2019 has seen TitanHQ register record-breaking growth in the MSP market with its busiest ever quarter for MSP sales. TitanHQ now has more than 2,200 MSP partners and its cloud-based email security, web security, and email archiving platforms are now used by more than 8,200 businesses around the world.
Many great success stories start from humble beginnings, and TitanHQ is no exception. The company started life as Copperfasten Technologies in 1999 and sold anti-spam appliances to local businesses from its Galway, Ireland base. The company then developed its own cybersecurity solutions, starting with the anti-spam and anti-phishing solution, SpamTitan.
The product portfolio grew to include WebTitan web filtering, a powerful DNS-based web security solution to protect businesses from the full range of internet threats. That was followed by the launch of ArcTitan, a cloud-based email archiving solution for businesses that eases their email storage and compliance burden.
That trio of core TitanHQ products has proven to be a massive hit with managed service providers, although not by accident. Many companies have developed innovative solutions for SMBs but have only realized the importance of the MSP market later on. Additional features are then added to appeal to MSPs. TitanHQ took a different approach. Its solutions were developed by MSPs for MSPs and MSPs were considered at every stage of product development. The result is a suite of security solutions tailor-made for MSPs.
This approach, along with cutting-edge technology and industry-leading customer support, has seen the company go from strength to strength and become the gold standard in email and web security and the leading global provider of cloud-based security solutions for MSPs servicing the SMB market.
Phishing attacks on businesses are soaring, new malware variants are being released at record levels, and the current ransomware epidemic is threatening to derail businesses. Many SMBs lack the internal resources to block these threats and turn to MSPs to provide the security they need.
To cope with the increased demand, MSPs need solutions with 100% cloud-based architecture that seamlessly integrate into their existing centralized management systems and are easy to implement, use, and maintain. Ideally, those solutions need to be flexible, have a range of hosting options, be available in white-label form to take MSP branding, and also include generous margins. That is a big ask, and many solutions only tick a few of those boxes. However, TitanHQ’s suite of solutions include all those features and more.
TitanHQ also offers extensive sales enablement and marketing support, world-class customer service, and each MSP has a dedicated account manager, engineers, and a support team to help them maximize their sales opportunities and really grow their businesses.
As part of the celebration of the Q3, 2019 MSP growth, TitanHQ has launched a new initiative to ensure Q4 will be an even bigger success.
On October 22, TitanHQ announced a new disruptive price package for a SpamTitan Email Security and WebTitan DNS filtering bundle at an exclusive once-in-a-lifetime price. The initiative has been called Margin Maker for MSPs and is intended to ensure MSPs build profitability instantly in Q4, 2019.
The two solutions are provided in two private clouds, customized to meet MSPs’ email and web security needs, and secure the most common attack vectors: email and the web. The package includes advanced protection for email, including Office 365 environments, complemented by WebTitan DNS filtering to block web-based threats and implement content control for on-premises and remote workers. These solutions are naturally provided with extensive sales enablement and marketing support.
The aim is to make TitanHQ’s email and web security platforms even more appealing to MSPs and to encourage MSPs to offer both SpamTitan email security and WebTitan web filtering to their clients and maximize revenues.
One MSP that is already boosting its profits and achieving increased, reliable recurring monthly revenues is UK-based OpalIT. The MSP has bases in Newcastle and Edinburgh and a 6,000+ customer base. Prior to joining the TitanShield program, OpalIT was offering its clients firewall filtering and email filtering with Barracuda and Vade. The company has now switched to TitanHQ’s cybersecurity bundle and is pushing SpamTitan Email Security, WebTitan DNS filtering, and ArcTitan email archiving to its clients and is reaping the rewards.
“Opal IT moved to TitanHQ because of our MSP-focused solutions, ease of deployment, extensive API functionality and the increased margin they’re now making. Our cybersecurity bundle solutions allow MSPs to provide their downstream customers with a layered defense approach,” said Rocco Donnino, EVP Strategic Alliances, TitanHQ.
If you are a managed service provider, now is the perfect time to sign up with TitanHQ. Come and meet the TitanHQ channel team at the following MSP events to find out more about the TitanShield program for MSPs, OEMs, and service providers, and take advantage of the amazing new MSP package.
If you are unable to attend any of these events, be sure to give the TitanHQ team a call to find out more and take advantage of this exciting new and exclusive offer.
IT Nation Connect 2019, the ConnectWise conference for the IT professional community, will be taking place on October 30, 31, and November 1 at the Hyatt Regency in Orlando, Florida.
The event is the leading conference for companies that sell, support, and service technology and is focused on helping attendees build a strong business and achieve long-term success. Attendees will gain practical advice from experts in the IT Nation community and will have the opportunity to build meaningful business connections and learn how to work on their businesses.
This year’s topics for the session tracks are mergers & acquisitions, growth & scalability, talent development & leadership, service delivery & customer success, sales & marketing, and security.
Security is a key focus of IT Nation Connect 2019. The event will provide opportunities to discover how security frameworks and IT solutions can help you bulletproof your business and protect your clients’ networks from cyberattacks. Attendees will also gain deep insights into the current state of security in the MSP space.
Leading security experts will be discussing the steps that the government is taking to combat cyber threats, the lessons the government and private firms have learned, and how security experts see the threat landscape evolving over the coming year.
Founders and CEOs of the most successful MSPs and IT firms will explain what it is like to be a trailblazer, how they achieved their successes, the mistakes they made on the way, and what the future holds for the IT Nation community.
More than 80 thought leaders, ConnectWise partners, and ConnectWise colleagues will be taking over 130 educational, networking and panel sessions and will be sharing success stories, best practices, and the lessons they have learned to help attendees succeed and grow their businesses.
The conference offers an exceptional opportunity for learning, networking, and discovering technology solutions that can save you time, money, and boost the profitability of your business. Such an important event for the IT community is not to be missed.
TitanHQ will be attending the event to explain why TitanHQ is the global leader in cloud-based email and web security solutions for MSPs servicing the SMB market, the advantages of doing business with TitanHQ, and how TitanHQ solutions can help you better protect your environment and those of your clients from increasingly sophisticated cyber threats.
TitanHQ Marketing Director Dryden Geary, Sales Director Conor Madden, and Inside Sales Executive Peter Cooke will explain the benefits of the TitanShield program for MSPs, OEMs, technology partners, and Wi-Fi providers and show you just how easy it is to incorporate SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving into your security stacks.
If you are attending the event, be sure to make time to meet with TitanHQ and feel free to reach out in advance of the event if you have any questions.
The 2019 Canalys Cybersecurity Forum will be taking place in Barcelona on October 16-17, 2019. The event is the only independent conference dedicated to the cybersecurity channel and is one of the most important events of the year for managed service providers (MSPs).
The event provides an incredible opportunity for MSPs looking to enhance their security stacks, provide greater value, and better protect their clients from increasingly sophisticated security threats. Attendees will have the opportunity to have 1:1 meetings with more than 700 established and new partners and discover best practices to adopt to get the most out of their cybersecurity solutions.
The event is also a must for MSPs who have yet to start offering managed security services as it will allow them to form new partnerships with Europe’s best cybersecurity solution partners who will help them grow their businesses significantly over the coming year.
Leading cybersecurity vendors will be taking thought-crunching sessions and sharing their knowledge to help partners succeed. Attendees will be able to engage in intense debates and interact with some of the brightest minds in the field of cybersecurity. Questions can be posed in multi-vendor theatre panels to get the answers from the leading cybersecurity solution providers in the EMEA region.
Highlights of this year’s event include panels, theatre and keynotes exploring the re-imaging of the idea of solutions, generalist vs. specialist in the cybersecurity channel, the next catalyst that will drive security sales, and how the role of the CSO is evolving in the hybrid IT world.
Canalys analysts will also be providing keynote speeches and sharing their insights into the current threat landscape and some of the burning issues of the moment. The event will also see Canalys name the new Threat Fighter and MSSP winners in the Canalys Channel Partner Awards.
TitanHQ Sales Director, Conor Madden
The event provides an amazing opportunity for networking with more than 200 channel partner delegates in attendance. New alliances can be formed and along with the knowledge gained, attendees will be able to make important decisions that will have a major positive impact on growth for the coming year.
TitanHQ is a proud sponsor of the 2019 Canalys Cybersecurity Forum and the team will be on hand to answer questions and explain why TitanHQ is the global leader in cloud-based email and web security solutions for the MSP that services the SMB market.
TitanHQ Strategic Alliance Manager, Marc Ludden
At the event you will be able to discover the considerable benefits of using SpamTItan email security, WebTitan DNS filtering, and ArcTitan email archiving to solve your clients security issues, better protect them from cybersecurity threats, and help them achieve their compliance objectives… and how easy TitanHQ makes this for MSPs.
TitanHQ Sales Director Conor Madden will be a panelist at the event and will be answering questions from attendees on email security, web security, email archiving and how to get the most out of TitanHQ’s cybersecurity solutions for MSPS and SMBs.
Marc Ludden, TitanHQ’s Strategic Alliance Manager, will also be attending and meeting with enterprise-level clients and major MSPs and ISPs to help them push TitanHQ products downstream to their customers, grow their businesses, and improve their bottom lines.
You can find out more about this once-a-year opportunity here – Canalys Cybersecurity Forum 2019 – and feel free to reach out to TitanHQ in advance of the event.
If you are unable to attend this year’s Canalys event, TitanHQ will be on the road throughout October and November. Be sure to connect at one of the other fall 2019 events below:
If you are looking for a Cisco Umbrella alternative you are certainly not alone. TitanHQ has helped hundreds of businesses change from Cisco Umbrella to WebTitan Cloud. In most cases, the main reason why businesses seek a Cisco Umbrella alternative is to save money. Cisco Umbrella pricing reflects the comprehensive nature of the product, but the Cisco Umbrella cost is seen as too expensive by many small- to medium-sized businesses who are only looking for malware and phishing protection and to control the websites their employees can access.
The cost of Cisco Umbrella is hard to justify for many SMBs and managed service providers (MSPs). The cost per user is considerably higher than many other solutions on the market. In fact, you may be surprised at just how much money can be saved by changing your web filter provider.
Cisco Umbrella Pricing
Cisco Umbrella pricing is not particularly transparent. For a start, you cannot easily find out how much Cisco Umbrella is likely to cost and there is no Cisco Umbrella cost calculator on the website nor any price list. If you search for information on Cisco Umbrella pricing online, you are likely to find prices from various resellers, but the prices are usually out of date. You can tell as they refer to the old packages of Cisco Umbrella Professional, Cisco Umbrella Insights, and Cisco Umbrella Platform.
Cisco Umbrella pricing depends on several factors, including the level of protection you want, the number of users you need to protect, and the contract term. You must also factor in any add-ons you may need. For instance, basic email-only support is provided but advanced support comes at an additional cost. Because there are many different options, you must contact Cisco for an individual quote for your business.
How Much Does Cisco Umbrella Cost?
For a business with 100 users, the cost of Cisco Umbrella in 2021 is $2.70 per user, per month. That is certainly a reasonable price given the level of protection provided by Cisco Umbrella, but there are Cisco Umbrella alternatives that are available for a fraction of the Cisco Umbrella cost that provide an equivalent level of protection against web-based threats and allow careful control of the types of content that can be accessed by end users.
If you have 100 users, you will be spending $270 a month on Cisco Umbrella, which is $3,240 per year. The Cisco Umbrella price is reasonable if you compare it to the cost of a malware infection, ransomware attack, data breach, or phishing attack, but it is possible to have a similar level of protection at a third of Cisco Umbrella Cost if you change from Cisco Umbrella to WebTitan Cloud.
How much can be saved by switching from Cisco Umbrella to WebTitan Cloud? The cost of WebTitan Cloud is $0.90 per user, per month. That adds up to a monthly cost of $90, which is $1,080 per year. Just making this simple change will save your business $2,160 per year!
Cisco Umbrella Licensing
Cisco Umbrella licensing is based on three packages of Cisco Umbrella. The most basic package is DNS Security Essentials, which used to be known as Cisco Umbrella Professional. The next tier of the product is DNS Security Advantage, formerly Cisco Umbrella Insights. The most comprehensive solution in the Cisco Umbrella family is DNS Secure Internet Gateway, formerly Cisco Umbrella Platform.
Cisco Umbrella licensing is based on the number of users that need to be protected, with the Cisco Umbrella price per user decreasing slightly the more users need to be protected. Cisco Umbrella licensing has a minimum contract term of 1-year, although longer contracts can be purchased with an associated discount. There is no option for paying monthly to spread the cost.
Can the Cisco Umbrella Price be Justified?
The Cisco Umbrella price has been set based on the comprehensive nature of the product, which does not only provide DNS filtering, but includes a host of other security features. Some businesses, especially large enterprises that have a huge workforce, are frequently targeted by threat actors and need an extensive suite of cybersecurity solutions to block attacks and conduct extensive investigations. For those organizations, the features included in the most comprehensive Cisco Umbrella package are likely to be attractive, and for those businesses the Cisco Umbrella price can easily be justified in terms of the protection provided.
For example, the DNS Security Advantage includes Umbrella Investigate, which provides deep context for investigations and uses an API to send Umbrella data to other security solutions. The DNS Secure Internet Gateway package includes a cloud-delivered firewall and a cloud access security broker to discover and block shadow IT. These features are not available in many other DNS filtering solutions and would need to be purchased separately if required. Small- to medium-sized businesses may find the additional features of the second and third tiers of the solutions to be surplus to requirements.
Since the features of the first tier of the Cisco Umbrella solution – DNS Security Essentials – are included in many other DNS filtering solutions that are sold at a fraction of the Cisco Umbrella price, it is understandable why many choose to purchase a different DNS filtering solution, especially since there are several features lacking in the most basic Cisco Umbrella package which many would feel are essential, as we explain below.
Cisco Umbrella Review
There are three versions of Cisco Umbrella for businesses use, as previously mentioned. Let’s consider the top product package, Secure Internet Gateway (SIG) Essentials. SIG Essentials is the most comprehensive DNS security solution offered by Cisco. In terms of DNS security, the solution uses the same web filtering and content filtering mechanisms of the two cheaper packages. However, additional capabilities are included, such as the ability to decrypt and inspect all HTTPS traffic. In the DNS Security Advantage package, you can only decrypt and inspect SSL traffic for “risky” domains, and you do not have that feature at all in the most basic package.
Since threat actors often use encryption to hide malicious activity, SSL inspection really is important, yet for full inspection capabilities you need to pay for the top-level product. That top-level solution comes with other additional features, such as a cloud security broker for discovering and blocking shadow IT and a cloud-delivered firewall. Many businesses will already have a firewall that provides those capabilities.
The level of protection provided by the basic package will be insufficient for many SMBs, the middle package lacks important features available in many lower-cost Cisco Umbrella alternatives, and the top-level product includes features that many SMBs are unlikely to use.
Given the high cost of the top-level package and the availability of many Cisco Umbrella alternatives at a fraction of the cost, unless you really need all the features of SIG Essentials, the alternatives from other providers should be fully explored, as the cost savings are considerable.
An Ideal Cisco Umbrella Alternative
Cost is not the only consideration when looking for a Cisco Umbrella alternative. If you are changing solution providers, you will need to make sure that the new product has all the features you need. Since WebTitan Cloud and Cisco Umbrella are built around the same core principles, in many respects the solutions are equivalent, but there are several features of WebTitan Cloud that are not available with Cisco Umbrella, and there are some important benefits that come with WebTitan Cloud for SMBs and MSPs.
TitanHQ has a perfectly transparent pricing policy. You pay one price and you get all the features of the solution. There are no optional extras that bump up the cost and no premium packages to give you extra protection. Every user receives the same high level of protection. TitanHQ is also happy to negotiate with businesses and MSPs and enters into commercial arrangements that suit all parties.
One of the features of WebTitan Cloud that is particularly attractive to MSPs is the ability to host the solution locally within their own environment. Most businesses will choose to host WebTitan Cloud with TitanHQ, but the option is available if this suits you better. MSPs can also be supplied with WebTitan Cloud in white label form. TitanHQ branding can be removed from the solution to allow you to add your own branding if you so wish.
There may be times when you need to bypass filtering controls. To make this as easy as possible, we developed cloud keys. These can be used to bypass some or all of your filtering controls rather than having to change policies for a user and change back again when a particular task has been performed. Cloud keys can be set to expire after a certain number of uses or after a certain period of time.
We have developed WebTitan Cloud to be easy to configure, use, and maintain, but there will naturally be times when things don’t go according to plan. In the event of a problem, all users benefit from world class support. Our skilled engineers and customer service staff are on hand to get you back on track quickly and painlessly. That applies to all users, even those on the free product trial. Support is not an optional extra that will cost you more money.
WebTitan Cloud Benefits for MSPs
As previously covered, there are key benefits of WebTitan Cloud over Cisco Umbrella for MSPs.
Flexible pricing including monthly billing
Multiple hosting options, including within your own data center
Product can be supplied in white label form ready to take your branding
There are no monthly minimums or yearly commitments, and the product can scale to meet your needs (and will shrink too if needed)
Fully transparent pricing
Easy integration into existing security and customer management systems through a suite of APIs
World-class customer support included in the cost
Easy implementation, use, and a low management overhead
Generous margins for MSPs
Access to an extensive library of support materials
How do Users Rate WebTitan vs Cisco Umbrella?
Not all web filtering solutions provide the same level of protection, and many fail to live up to expectations once they are installed. In the case of WebTitan Cloud, not only can you save a considerable amount of money, our DNS filtering solution is easy to set up, use and maintain. Plus, if you ever experience any problems or need help, you benefit from industry-leading customer service.
Naturally we will sing the praises of WebTitan Cloud as we are trying to sell our product, but most users of WebTitan agree with us and love using the product. This can be seen on review sites such as G2 Crowd.
G2 Crowd is an independent business software review site that is trusted by business leaders to provide information on the best software solutions on the market. The site has more than 650,000 user reviews from verified users and gives you insights into products to let you know if they perform as well as vendors say they do.
Web filtering solutions are rated on whether they meet requirements, ease of use, ease of setup, ease of admin, quality of support, and ease of doing business with the company. WebTitan Cloud consistently ranks higher than Cisco Umbrella in all 6 categories.
If you have any questions about WebTitan Cloud, would like information on how you can switch from Cisco Umbrella, would like a product demonstration or to sign up for the free trial, give us a call today and we will be happy to help. The sooner you get in touch, the sooner you can start saving money on web filtering!
The cost of a ransomware attack can be considerable. Several attacks in the United States have seen payments of hundreds of thousands of dollars made for the keys to unlock the encryption. While those payments are certainly high, they are a fraction of the total cost of a ransomware attack, which is usually several times the cost of any ransom payment.
Recovery without paying a ransom can cost considerably more. The ransomware attack on the city of Baltimore saw a ransom demand of around $76,000 issued. Baltimore refused to pay. The attack is estimated to have cost the city at least $18.2 million.
The cost of that ransomware attack is high, but nowhere near the cost of a suspected September 2019 ransomware attack on the Danish hearing aid manufacturer Demant. The firm experienced the attack on or around September 3, 2019. One month on, the firm still hasn’t recovered. In a recent message to its investors, the firm said the cyberattack would cost an estimated $80 million to $95 million, even though the company held a cyber insurance policy. Without that policy the bill would have been $14.6 million higher.
According to a notice on the firm’s website, it experienced “a critical incident” when its “IT infrastructure was hit by cyber-crime.” Ransomware was not mentioned by the firm although it has been reported as a ransomware attack by the Danish media.
The attack impacted its Polish production and distribution facilities, French cochlear implants production sites, Mexican production and service sites, its amplifier production site in Denmark, its entire Asia-Pacific network, and its enterprise resource planning (ERP) system.
The firm is recovering its IT infrastructure and believes it will take a further two weeks for systems to be restored and business operations to approach normality. However, the effects of the attack are expected to be long-lasting.
The inability to access its systems across all these areas has caused major disruption to the company. The firm has been unable to supply its products, receive and process orders, and clinics in its network have had difficulty servicing end users.
Due to the limited information released, it is unclear whether the company refused to pay a ransom, whether the attackers could not supply valid keys to unlock the encryption, or whether this was a sabotage attack akin to the NotPetya wiper malware attacks of 2017.
If this was a ransomware attack, the losses far exceed those of the Norwegian aluminum and energy company Norsk Hydro, whose ransomware attack cost the firm around $70 million, although it is a fraction of the cost of the NotPetya attacks on the shipping firm Maersk and FedEx, both of which caused losses of around $300 million.
These incidents all demonstrate just how damaging cyberattacks can be and the massive costs of recovery. As is typical, the cost of recovering its IT systems accounted for a small proportion of the total cost – around $7.3 million. The bulk of the losses were due to lost sales and the inability to process orders, which the company says make up around half of the estimated losses.
In a press release, the firm said in addition to the lost sales, “the incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market.”
Malware, ransomware and wiper malware are most commonly delivered via a small number of attack vectors. All too often they start with a phishing email, exploitation of RDP, drive-by malware download, or the exploitation of unpatched vulnerabilities. The cost of preventative measures to block these attack vectors is pocket change by comparison to the cost of recovery from an attack.
TitanHQ cannot help businesses with securing RDP and patching promptly, but we can help businesses secure the email system and protect against drive-by malware downloads and other web-based attacks.
To find out more about how you can improve security against email- and web-based attacks, from a cost of as little as 90 cents per user per month, give our sales team a call.
The sales team will be happy to explain the ins and outs of our web and email security solutions, schedule product demonstrations, and help set you up for a free trial of our SpamTitan email security and WebTitan web security solutions and greatly improve your defenses against phishing, ransomware, malware, and wiper attacks.
The dangers of ransomware attacks have been made abundantly clear to more than 5,000 patients in California whose medical records have been permanently lost as a result of a ransomware attack on their healthcare provider.
Simi Valley, CA-based Wood Ranch Medical experienced the attack on August 10, 2019 which saw ransomware deployed and executed on its servers which contained the medical records of 5,835 patients. The attack caused permanent damage to computer systems, and since backup copies of patient records were also encrypted, those records have been permanently lost. It is unclear how much the attackers demanded as payment for the keys and whether those keys would have worked had the ransom been paid.
Without patient records and faced with the prospect of having to totally rebuild the medical practice from scratch, the decision was taken to permanently close the business. Patients have been forced to find alternative healthcare providers and no longer have access to their medical records.
This is the second healthcare provider in the United States that has been forced out of business due to a ransomware attack. Brookside ENT and Hearing Center in Battle Creek, Michigan also closed its practice this year as a result of a ransomware attack. In that case, the practice owners refused to pay the ransom demand and patient records were permanently encrypted. The practice owners decided it was not possible to rebuild the practice from scratch and announced their early retirement.
It is unclear exactly how the ransomware was installed in each of these incidents, so it is not possible to determine what defenses could have been improved to prevent the attacks. However, in both cases, recovery of files from backups was not possible.
The purpose of a backup is to ensure that in the event of disaster, data will be recoverable. File recovery may be time consuming and downtime due to the attack is likely to be expensive, but data will not be permanently lost.
In order to ensure file recovery is possible, backups must be tested. Files may be corrupted during the backup process and data restoration may not be possible. If backups are not tested to make sure files can be recovered, it will not be possible to guarantee file recovery in the event of disaster.
These incidents also highlight another fundamental rule of backing up. NEVER store the only copy of a backup on a networked or internet-connected computer.
In the event of a ransomware attack, it is highly likely that backup copies on networked devices will be encrypted along with shadow volume copies. Ransomware encrypts these files to make sure the only way of recovering data is paying the ransom.
Even paying a ransom comes with no guarantee that data will be recoverable. Files may be corrupted through the encryption/decryption process – some data loss is inevitable – and the attackers may not be able to supply valid keys to decrypt files.
A good backup approach to adopt to prevent disasters such as these is a 3-2-1 strategy. 3 backups should be created, which should be stored on 2 different media, with 1 copy stored securely off site on a device that is not networked or connected to the internet.
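An added example, not code from the original article or from TitanHQ's products, of the backup testing the text calls for: it archives a constructed sample directory, records a SHA-256 manifest, performs a trial restore and compares every file, then shows the same check catching a corrupted archive.

```python
"""Trial-restore check for backups (added example; not TitanHQ code).
Archives a directory with a SHA-256 manifest, restores it into a scratch
directory and compares every file, so the backup is proven recoverable
before it is counted as one of the three copies in a 3-2-1 scheme."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def create_backup(source: Path, archive: Path) -> dict:
    """Write a .tar.gz of `source`; return a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    # In practice the manifest is stored with the backup set (on separate media).
    return manifest

def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore `archive` into a scratch dir; return a list of problems (empty = restorable)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch)
        except (tarfile.TarError, OSError, zlib.error, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return problems

def run_demo() -> tuple:
    """Back up a constructed sample tree, verify it, damage the archive, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "records")
        (src / "notes").mkdir(parents=True)
        (src / "patient_001.txt").write_text("constructed sample record")
        (src / "notes" / "visit.txt").write_text("constructed sample note")
        archive = Path(work, "records.tar.gz")
        manifest = create_backup(src, archive)
        clean = verify_backup(archive, manifest)
        # Simulate silent media corruption: flip eight bytes in the middle of the stream.
        data = bytearray(archive.read_bytes())
        mid = len(data) // 2
        data[mid:mid + 8] = bytes(b ^ 0xFF for b in data[mid:mid + 8])
        archive.write_bytes(bytes(data))
        damaged = verify_backup(archive, manifest)
    return clean, damaged
```

Run `run_demo()` to see an empty problem list for the intact archive and a non-empty one for the damaged copy; the same verify step, scheduled against the off-site copy, is what turns a backup into a recovery plan.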
After a quiet summer, the Emotet botnet is back in action. The threat actors behind Emotet are sending hundreds of thousands of malicious spam emails spreading the Emotet Trojan via malicious Word documents.
Emotet first appeared in 2014 and was initially a banking Trojan used to obtain credentials to online bank accounts. The stolen credentials are used to make fraudulent wire transfers and empty business accounts. Over the years the Trojan has evolved considerably, with new modules being added to give the malware a host of new features. Emotet is also polymorphic, which means it can change itself each time it is downloaded to avoid being detected by signature-based anti-malware solutions. Up until the start of 2019, more than 750 variants of Emotet had been detected.
The latest iteration of Emotet is capable of stealing banking credentials and other types of information. It is also capable of downloading other malware variants, which has led to security researchers naming it ‘triple-threat malware,’ as it has been used recently to download the TrickBot Trojan and Ryuk ransomware. These three malware threats along with the scale of the operation make Emotet one of the most dangerous threats faced by businesses. It is arguably the costliest and most destructive botnet ever seen.
Last summer, Emotet activity was so high and the threat so severe that the Department of Homeland Security issued an alert to all businesses in July 2018 warning them of the threat. That warning was mirrored by the UK National Cyber Security Center which published its own warning about the malware in September 2018. Activity remained high well into 2019, but suddenly stopped at the start of June when command and control server activity fell to next to nothing.
The hiatus in activity was only brief. Researchers at Cofense Labs discovered its command and control servers had been activated again in late August and a massive spamming campaign commenced on September 16 using bots in Germany. The campaign was initially focused on businesses in the United States, Germany, and United Kingdom but the campaign has now spread to Austria, Italy, Poland, Spain, and Switzerland.
After being downloaded, Emotet spreads laterally and infects as many devices as possible on the network. Email accounts on infected machines are hijacked and used to send further spam emails to all contacts in the account. Finally, the malware downloader module is used to download a secondary and often a tertiary malware variant.
The latest campaign uses Word documents containing malicious macros, which launch PowerShell scripts that fetch the Emotet Trojan from a variety of different compromised websites, many of which are running the WordPress CMS.
The campaign uses a variety of lures including invoices, payment remittance advice, and statements, the details of which are contained in Word documents that require content to be enabled to view the document content.
Upon opening the document, the user is requested to accept the Office 365 license agreement. Failure to enable content, so the document claims, will result in Microsoft Word features being disabled.
This campaign includes personalized subject lines containing the recipient’s name to increase the likelihood of a user taking the requested action. Genuine email threads are also hijacked to make it appear that the user has already been communicating with the sender of the email. Around a quarter of attacks use hijacked email threads. Data from Cofense indicates emails are being sent from 3,362 hijacked email accounts from 1,875 domains.
It is currently unclear whether Ryuk ransomware is being distributed in this campaign. Several researchers have confirmed that TrickBot is being downloaded as a secondary payload.
The key to blocking attacks with polymorphic malware is to implement layered defenses, including an advanced spam filtering solution, anti-virus software, and a web filter. It is also important to ensure that staff are made aware of the threat of attack and the types of email that are being used to spread the Trojan.
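The Emotet lures described above are Word documents that only work once macros are enabled. As an added example, not code from the original article or from TitanHQ, the following Python check flags macro-enabled Office Open XML attachments at a mail gateway, before any user is asked to enable content; the sample attachments are constructed for the example.

```python
"""Flag macro-enabled Word attachments (added example; not TitanHQ code).
Modern Word files are ZIP containers: a document carrying VBA macros ships the
part word/vbaProject.bin and declares a macro-enabled content type in
[Content_Types].xml, so either marker is enough to hold the attachment
before a user is asked to "enable content"."""
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def has_macros(data: bytes) -> bool:
    """True if the OOXML blob contains a VBA project or a macro-enabled content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if MACRO_PART in names:
                return True
            if "[Content_Types].xml" in names:
                return MACRO_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        pass  # not an OOXML container (e.g. legacy binary .doc); leave it to other scanners
    return False

def build_doc(macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{MACRO_TYPE if macro else PLAIN_TYPE}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(MACRO_PART, b"\x00" * 16)  # placeholder standing in for a VBA project
    return buf.getvalue()

def quarantine_list(attachments) -> list:
    """Return the names of attachments that should be held for review."""
    return [name for name, blob in attachments if has_macros(blob)]

# Constructed sample: an invoice lure carrying macros, a plain statement, and a non-Office file.
SAMPLE_ATTACHMENTS = [
    ("invoice_4471.docm", build_doc(macro=True)),
    ("quarterly_statement.docx", build_doc(macro=False)),
    ("remittance.pdf", b"%PDF-1.4 constructed placeholder"),
]

if __name__ == "__main__":
    print(quarantine_list(SAMPLE_ATTACHMENTS))  # ['invoice_4471.docm']
```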