Network Security

Our network security news section contains a range of articles relating to securing networks and blocking cyberattacks, ransomware and malware downloads. This section also features articles on recent network security breaches, alerting organizations to the latest attack trends being used by cybercriminals.

Layered cybersecurity defenses are essential given the increase in hacking incidents and the explosion in ransomware and malware variants over the past two years. Organizations can tackle the threat by investing in new security defenses such as next-generation firewalls, endpoint protection systems, web filtering solutions, and advanced anti-malware and antivirus defenses.

While much investment goes into tried and tested solutions that were highly effective in the past, some of them, signature-based antivirus software in particular, are not as effective as they once were. To keep pace with hackers and cybercriminals and get ahead of the curve, organizations should consider a wider range of cybersecurity solutions to block network intrusions, prevent data breaches, and improve protection against the latest malware and ransomware threats.

This category contains information and advice on alternative network security solutions that can be adopted to improve network security and ensure networks are not infiltrated by hackers and infected with malicious software.

Chinese Hackers Compromising Patched Barracuda Email Security Appliances

The Federal Bureau of Investigation (FBI) has warned that Chinese hackers are continuing to gain access to Barracuda Email Security Gateway appliances, even those that have been patched against a recently disclosed zero-day vulnerability, and has urged organizations to remove the affected appliances immediately.

The vulnerability, tracked as CVE-2023-2868, affects Barracuda Networks' Email Security Gateway (ESG) appliances and lies in the code that screens email attachments. It is a remote command injection flaw that allows the unauthorized execution of system commands with administrator privileges on the ESG appliance. Barracuda identified the flaw on May 19, 2023, and issued a patch on May 20.

The vulnerability is exploited by sending a maliciously formatted TAR file attachment to an email address in a domain protected by an ESG appliance. When the appliance scans the attachment, the crafted content is injected into a system command, which then runs with the privileges of the ESG. No user interaction is required: the appliance's own attachment scanning triggers the injection.
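The injection pattern described above, reduced to a generic illustration. This is an added example, not Barracuda's code: the real scanner is replaced by `echo`, the archive and its member names are constructed here, and it assumes a POSIX shell. It shows a scanner that interpolates archive member names into a shell command string next to one that passes them as discrete arguments, plus a gateway-side check that flags member names carrying shell metacharacters or path traversal.

```python
import io
import re
import subprocess
import tarfile

# Characters a POSIX shell interprets if a file name is spliced into a command string.
SHELL_META = re.compile(r"[;&|`$(){}<>\n'\"\\*?]")


def build_tar(member_names: list[str]) -> bytes:
    """Build an in-memory TAR archive with the given member names (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            payload = b"harmless"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(tar_bytes: bytes) -> list[str]:
    """Return the member names exactly as stored in the archive headers."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def scan_vulnerable(tar_bytes: bytes) -> str:
    """Splices each member name into a shell command string: the name can terminate the
    command and start another, so whatever follows ';' runs as the scanner's user."""
    output = []
    for name in member_names(tar_bytes):
        cmd = f"echo scanning {name}"  # 'echo' stands in for a real scanner binary (assumption)
        output.append(subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout)
    return "".join(output)


def scan_hardened(tar_bytes: bytes) -> str:
    """Passes the name as one argv element with no shell involved: metacharacters are inert
    and reach the scanner only as literal characters of the file name."""
    output = []
    for name in member_names(tar_bytes):
        output.append(subprocess.run(["echo", "scanning", name], capture_output=True, text=True).stdout)
    return "".join(output)


def flag_suspicious_members(tar_bytes: bytes) -> list[str]:
    """Gateway-side check: member names containing shell metacharacters, an absolute
    path, or a '..' path component are a reason to quarantine the attachment."""
    flagged = []
    for name in member_names(tar_bytes):
        if SHELL_META.search(name) or name.startswith("/") or ".." in name.split("/"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    evil = build_tar(["report.pdf", "a; echo INJECTED"])
    print(scan_vulnerable(evil))         # second member runs an extra command
    print(scan_hardened(evil))           # second member is echoed verbatim
    print(flag_suspicious_members(evil))
```

The second member name is the whole attack: the archive is otherwise valid, so a scanner that trusts header fields enough to hand them to a shell executes attacker-chosen commands during routine screening. The check in `flag_suspicious_members` is a coarse filter, not a substitute for removing the shell from the call path.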

According to the FBI, Chinese hackers have been exploiting the vulnerability since October 2022 as part of a state-run cyberespionage operation and have compromised hundreds of appliances. Mandiant, which assisted with the investigation, described it as the broadest cyberespionage campaign conducted by Chinese state-sponsored hackers since the mass exploitation of Microsoft Exchange Server vulnerabilities in 2021.

In a Flash Alert issued on Wednesday, the FBI recommended that all affected devices be replaced immediately. “The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” the alert states, adding that the patches released by Barracuda to address the flaw were ineffective.

The advice follows that of Barracuda, which said in June that all compromised Email Security Gateway appliances should be replaced immediately, regardless of whether patches had been applied: malicious activity continued on previously compromised devices even after they were patched. A new backdoor, dubbed Submarine, was deployed on compromised appliances; it resides in a Structured Query Language (SQL) database on the appliance and provides persistent access.

Vulnerabilities can exist in any software, including products meant to provide protection. A patch closes the vulnerability, but it does not evict an attacker who was already inside, which is why an appliance compromised before patching has to be treated as untrusted, and why multiple layers of protection matter: if one layer fails, others are there to detect and block threats. Many attacks start with a malicious email, which is why email security is so important. Having SpamTitan Plus in place provides a high degree of protection and stops malware from reaching its intended recipient. SpamTitan Plus is a leading-edge, AI-driven anti-phishing and anti-malware solution with the newest zero-day threat protection and intelligence. The solution includes 100% coverage of all current market-leading anti-phishing feeds and provides 1.6x faster detection of threats than the current market leaders. SpamTitan Plus provides unrivaled protection against malicious links in emails and includes signature-based malware detection and behavioral detection through sandboxing. For more information on SpamTitan Plus, give the TitanHQ team a call.

New Mystic Stealer Malware Proves Popular with Cybercriminal Community

A new information-stealing malware variant called Mystic Stealer is proving extremely popular with hackers. The malware is being promoted on hacking forums and darknet marketplaces under the malware-as-a-service model, with access rented for a subscription fee ranging from $150 for a month to $390 for three months.

Adverts for the malware first appeared on hacking sites in April 2023, and the combination of low pricing, advanced capabilities, and regular updates that incorporate requested features has seen it grow in popularity and become a firm favorite with cybercriminals. The team selling access operates a Telegram channel where it seeks feedback from users on features they would like added, shares development news, and discusses related topics.

Mystic Stealer has many capabilities, with more expected to be added. The first update arrived just a month after the initial release, showing that the malware is under active development and that the developers are trying to make it the stealer of choice for a wide range of malicious actors. Mystic Stealer targets 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications (including LastPass Free, Dashlane, RoboForm, and NordPass), and 55 cryptocurrency browser extensions. The malware can also inject ads into browser sessions, redirect searches to malicious websites, and steal Steam and Telegram credentials and other sensitive data. The most recent version can also download additional payloads from its command-and-control server. The malware targets all Windows versions, has no external dependencies, and runs in memory, which helps it evade antivirus solutions that rely on scanning files on disk. It is believed to be of Russian origin, since it refuses to operate on systems in the Commonwealth of Independent States.

Mystic Stealer has recently been analyzed by researchers at InQuest, Zscaler, and Cyfirma, who report that the malware communicates with its command-and-control (C2) server via a custom binary protocol over TCP and that at least 50 C2 servers are currently active. When the malware identifies data of interest, it compresses and encrypts it, then transmits it to the C2 server, where subscribers access the data through their control panel.

The main distribution methods have yet to be determined, but as more threat actors adopt the malware, they are likely to become more diverse. The best protection is to follow cybersecurity best practices and adopt a defense-in-depth approach, with multiple overlapping layers of security covering each of the main attack vectors: email delivery (phishing), web delivery (pirated software, drive-by downloads, malvertising), and the exploitation of vulnerabilities.

Email security solutions with signature-based and behavioral detection and machine learning for identifying phishing emails (SpamTitan) should be used. Antivirus software should be in place, ideally a solution that can scan memory, along with advanced intrusion detection systems. To protect against web-based attacks, a web filter (WebTitan) should be used to block malicious file downloads and prevent access to the sites where malware is commonly downloaded (known malicious sites, warez, torrents). IT teams should ensure that software updates and patches are applied promptly, prioritizing critical vulnerabilities and known exploited vulnerabilities. In the event of an infection, damage can be severely limited by having a tested incident response plan in place.

Finally, it is important to train the workforce on the most common threats and how to avoid them. Employees should be trained on how to identify phishing attempts, be told never to download unauthorized software from the Internet, and be taught security best practices. The SafeTitan security awareness training and phishing simulation platform provides comprehensive training and testing to improve human defenses against malware infections and other cyber threats.

Failure to Stop Phishing Attack Results in £4.4 Million Financial Penalty

The construction firm Interserve has been fined £4.4 million under the GDPR for failing to prevent a phishing attack that led to the theft of the personal and financial information of up to 113,000 employees.

Interserve is a construction and outsourcing group which, at the time of the cyberattack in 2020, was a strategic supplier to the UK government, including the Ministry of Defence. An employee received a phishing email and forwarded it to a colleague, who opened the email and downloaded the malicious content, installing malware on the company's network. What happened next is all too common: with a foothold established, the threat actors moved laterally and compromised 283 Interserve systems and 16 accounts.

The threat actors then uninstalled Interserve's antivirus software and deployed ransomware to encrypt files across the network. The information accessed, encrypted, and stolen by the attackers included highly sensitive employee information such as contact details, national insurance numbers, and bank account details. Data classed as special category data under the GDPR was also compromised, including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

The Information Commissioner’s Office (ICO) investigated the cyberattack and data breach and determined Interserve had failed to put appropriate security measures in place to prevent cyberattacks such as this, and the lack of appropriate safeguards left Interserve vulnerable to cyberattacks from March 2019 to December 2020.

The ICO identified several points at which the attack could have been identified and blocked. The initial phishing email was not blocked, nor was the malicious email detected when it was forwarded internally. The company had antivirus software installed, which quarantined the malware and generated a security alert, yet Interserve failed to investigate the suspicious activity. Had it done so, it should have been able to determine that the attacker still had access to its network. The ICO also found outdated software and protocols in use, a lack of staff training, and insufficient risk assessments.

The failure to implement appropriate safeguards breached data protection law, and a £4.4 million fine was proposed. Interserve's response to the notice of intent did nothing to warrant a reduction in the penalty.

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said UK Information Commissioner, John Edwards.

These cybersecurity failures are all too common at businesses, and they leave the door wide open for attackers, yet malware and ransomware attacks such as this are largely preventable. In this case, following cybersecurity best practices, ensuring employees practice good cyber hygiene, and responding quickly to security alerts could have prevented the breach or at least reduced its severity.

An effective email security solution should have been in place for detecting malicious emails, first when the initial email was received and again when it was forwarded. The email should have been quarantined and checked by the IT security team. Had appropriate end-user training been provided, both employees should have been aware of the threat of email-based attacks and known how to identify phishing emails. The IT security team should also have investigated the alert and suspicious network activity.

It is not possible to prevent all cyberattacks but implementing an advanced spam filter and providing security awareness training to employees will go a long way toward improving an organization’s security posture. Those are areas where TitanHQ can help. TitanHQ has developed a suite of cybersecurity solutions including SpamTitan Email Security, the SafeTitan Security Awareness and Phishing Simulation Platform, and the WebTitan DNS Filter for blocking web-based attacks.

For more information on improving your security posture to block cyberattacks, prevent data breaches, and protect against financial penalties from regulators, give the TitanHQ team a call.

What is Callback Phishing?

Phishing attacks are mostly conducted via email, but there has been a major increase in hybrid phishing attacks over the past 12 months, especially callback phishing. Here we explain what callback phishing is, why it poses such a threat to businesses, and why threat actors favor this approach.

What is Callback Phishing?

Email phishing is used for credential theft and malware distribution, but from the attacker's perspective it has a problem: most businesses have email security solutions that scan inbound email for malicious content, so phishing emails and malicious attachments are often identified and rejected or quarantined. Some threat actors instead conduct voice phishing, contacting an individual by telephone and using social engineering to trick them into taking an action that benefits the scammer.

Callback phishing is a type of hybrid phishing where these two methods of phishing are combined. Initially, an email is sent to a targeted individual or company that alerts the recipient to a potential problem. This could be an outstanding invoice, an upcoming payment or charge, a fictitious malware infection or security issue, or any of a long list of phishing lures. Instead of further information being provided in an attachment or on a website linked in the email, a telephone number is provided. The recipient must call the number for more information and to address the issue detailed in the email.

The phone number is answered by the threat actor, who uses social engineering to talk the caller into taking an action: usually disclosing credentials, downloading a malicious file, or opening a remote desktop session. In the last case, the remote session is used to deliver malware that serves as a backdoor into the victim's computer and network.

This hybrid approach lets threat actors get around email security solutions. The only malicious element in the initial email is a phone number, which is difficult for email security solutions to identify as malicious and block, so the emails are likely to reach their targets. Reported callback numbers can be added to blocklists, but attackers rotate them, so the number on its own is a weak signal.
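Because the number itself cannot be judged, a useful gateway check looks at the shape of the message instead: a billing, subscription or security lure, urgency, and a phone number as the only call to action, with no links or attachments. The following is an added example and not SpamTitan's logic or any vendor's code; the two messages, the keyword lists and the scoring rule are all constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not real phishing emails; addresses use reserved .test names).
CALLBACK_LURE = """\
From: Billing <billing@example-subscriptions.test>
To: user@example.test
Subject: Your annual subscription renews tomorrow

Your free trial has ended and your card will be charged $499.99 for the
annual plan. To cancel this payment, call our support desk at
+1 (800) 555-0199 within 24 hours.
"""

BENIGN_NOTICE = """\
From: IT Helpdesk <helpdesk@example.test>
To: user@example.test
Subject: Planned maintenance this weekend

The file server will be offline Saturday 02:00-04:00. No action is required.
Details: https://intranet.example.test/maintenance
"""

# North American style numbers with optional country code; extend for other regions.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed lure and urgency vocabularies, drawn from the lure types discussed above.
LURE_TERMS = ("invoice", "subscription", "renew", "free trial", "charged", "payment",
              "cancel", "security alert", "compromised", "virus")
URGENCY_TERMS = ("within 24 hours", "immediately", "today", "tomorrow", "expires", "urgent")


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def assess(raw: str) -> dict:
    """Score one raw RFC 822 message for the callback-phishing pattern."""
    msg = message_from_string(raw)
    body = plain_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    phones = [p.strip() for p in PHONE_RE.findall(body)]
    urls = URL_RE.findall(body)
    lures = [t for t in LURE_TERMS if t in text]
    urgency = [t for t in URGENCY_TERMS if t in text]
    # The defining trait: the phone number is the only thing the reader is asked to act on.
    phone_only_cta = bool(phones) and not urls and not has_attachment(msg)
    return {
        "phones": phones,
        "urls": urls,
        "lures": lures,
        "urgency": urgency,
        "phone_only_call_to_action": phone_only_cta,
        "suspicious": phone_only_cta and bool(lures or urgency),
    }


if __name__ == "__main__":
    for name, raw in (("callback lure", CALLBACK_LURE), ("benign notice", BENIGN_NOTICE)):
        print(name, assess(raw))
```

A rule like this belongs in a quarantine-and-review path rather than a hard block: legitimate vendor emails also carry phone numbers, so the output is a triage signal to combine with sender reputation and the machine-learning checks described later in this section.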

Major Increase in Callback Phishing Attacks

Callback phishing was adopted by the operators of Ryuk ransomware in early 2021 to trick people into installing BazarBackdoor malware, in a campaign dubbed BazarCall (also written BazaCall). Typically, the lure in these attacks advised the user of an upcoming payment for a subscription or the end of a free trial, with a payment due to be taken automatically unless the trial or subscription was canceled by phone.

The Ryuk ransomware operation is no more: its operators rebranded as Conti, and the Conti ransomware operation has since shut down. However, three groups formed by former members of the Conti operation, Silent Ransom, Quantum, and Zeon, have all adopted callback phishing as one of their main methods of gaining initial access to victims' networks for ransomware attacks. These groups impersonate a variety of companies in their initial emails and trick people into believing they are communicating with a genuine company. The aim is to get the user to establish a remote desktop session. While the user is distracted by the call, a second member of the team uses that connection to install a backdoor or probe for ways to attack the company, without the user being aware of what is happening.

Callback phishing is also used by other threat groups for credential theft and malware distribution, often by impersonating a cybersecurity firm and alerting the user to a security threat that needs to be resolved quickly. These attacks see the user tricked into installing malware or disclosing their credentials. According to cybersecurity firm Agari, phishing attacks increased by 6% from Q1 2022 to Q2 2022, and over the same period hybrid phishing attacks increased by 625%.

How to Protect Against Callback Phishing Attacks

As with other forms of phishing, the key to defending against these attacks is layered defenses. Email security solutions should perform a range of checks on inbound email, including sender IP and domain reputation. Solutions such as SpamTitan incorporate machine learning that can detect emails deviating from those an organization normally receives. Multi-factor authentication should be enabled on accounts to block attempts to use stolen credentials.

The best defense against callback phishing is to provide security awareness training to the workforce. Employees should be told about the social engineering tactics used in these attacks, the checks everyone should perform before responding to any email, and the signs of callback phishing to look out for. Callback phishing simulations should also be conducted to gauge how susceptible the workforce is to callback phishing. A failed simulation can be turned into a training opportunity to proactively address the lack of understanding.

TitanHQ offers a comprehensive security awareness training platform for businesses, SafeTitan, that covers all forms of phishing and includes a phishing simulator for conducting phishing tests on employees. For more information, give the TitanHQ team a call today.

Tips for Effective Security Awareness Training

Providing security awareness training to the workforce is necessary for compliance and is often a requirement for getting cybersecurity insurance, but the real purpose of security awareness training is to reduce risk and avoid costly cyberattacks and data breaches.

To get the full benefits you need an effective security awareness training program, where susceptibility to phishing attacks is reduced and your resilience to cyberattacks targeting employees is significantly improved. To help you, we offer some top tips for creating an effective security awareness training program.

Security Awareness Training Must be a Continuous Process

Security awareness training should not be seen as a checkbox item for compliance. To be effective, training needs to be an ongoing process in which the material is reinforced over time; that is unlikely to happen with a once-a-year session. Another reason for ongoing training is that cyber threat actors constantly change their tactics and regularly come up with new scams. It would be unreasonable to expect employees to recognize new threats that have not been covered in training. Through regular training, delivered in bite-sized chunks, you can keep employees aware of the latest threats and help them recognize those threats when they encounter them.

Make Sure Your Training Content is Interesting

Different employees will respond to different training methods. A classroom-based training session may be good for some employees, but others will respond better to computer-based training, infographics, videos, and quizzes. Keep your training varied to make sure it appeals to a wide audience and try to make the training interesting and engaging to improve knowledge retention, such as using storytelling to trigger emotions and the imagination, and don’t be afraid to use humor. Cybersecurity can be a pretty dry topic for many people and if they can enjoy it, they are more likely to retain the information and apply the training on a day-to-day basis.

Get Buy-in from the C-Suite

If you want to create a security culture in your organization, you will need buy-in from the C-suite. Any change in culture in an organization needs to start at the top. The C-suite must be made aware of the importance of security awareness training and cybersecurity, and data is usually the best way to do that. A security awareness training company that can provide data on how effectively training reduces risk will help, because it lets you show the return on investment you are likely to achieve.

Conduct Phishing Simulations After Providing Training

Providing security awareness training is only one step toward developing a security culture and reducing risk. You also need to conduct tests to determine whether your training is being applied on a day-to-day basis, and the best way to test that is with phishing simulations. Conduct realistic simulations to determine whether the training has been effective. If employees fail simulations, provide extra training.

Do Not Punish Employees for Failing Phishing Simulations

Many companies operate a three-strikes-and-you're-out policy for failing phishing simulations or penalize employees in other ways for falling for phishing emails. Around 40% of organizations take disciplinary action against employees for cybersecurity errors such as phishing simulation failures. Punishing employees for failing to identify phishing simulations often does not have the desired effect.

If you want to encourage employees to be more security-aware and create a security culture, creating a culture of fear is unlikely to help. This approach is likely to cause stress and anxiety, which can lead to the creation of a hostile working environment, and that does not help employees become more security aware. Further, when mistakes are made, employees will be much less likely to report their mistakes to the security team out of fear of negative consequences.

Conduct Real-Time Security Awareness Training

Training is likely to be most effective immediately after employees have made a mistake. By using a security awareness training solution such as SafeTitan, the only behavior-driven security training solution that delivers contextual training in real-time, you can deliver relevant training immediately and explain how a mistake was made and how similar errors can be avoided in the future. For instance, if an employee is discovered to be downloading free software from the Internet, an immediate alert can be delivered explaining why it is not allowed and the risks of installing software without approval from the IT department. If a phishing simulation is failed, employees can be alerted immediately, and it can be turned into a relevant training session.

Benchmark to Learn the Effectiveness of Security Awareness Training

Businesses conduct security awareness training to reduce susceptibility to phishing attacks and other cyber threats, but to gauge the effectiveness of the training there must be a benchmark to measure against. Conducting phishing simulations prior to providing training will allow you to measure how effective the training has been. You can use pre-training simulations to determine how many employees are falling for scams and the percentage of simulated phishing emails that are being reported. You can then reassess after providing training and can determine exactly how effective the training has been.

Security Awareness Training and Phishing Simulations are Not Enough

Providing regular security awareness training and conducting phishing simulations are important for improving resilience to cyber threats and will allow you to prove training has been provided for compliance or insurance purposes, but you also need to make sure that training has been absorbed by employees. Don’t just provide training – use quizzes to assess whether the training has been absorbed. You should also analyze the results of phishing simulations to identify any knowledge gaps that need to be addressed with future training courses. If employees are still falling for a certain type of scam, it could be your training that is the issue.

For more information about security awareness training, conducting phishing simulations, and to discover the benefits of real-time security awareness training, contact TitanHQ today for more information about SafeTitan. You can also take advantage of a free trial of the solution before deciding on a purchase.


Have You Created a Human Firewall?

It is important to implement an advanced spam filtering solution to block email threats such as phishing and malware, but security awareness training for the workforce is still necessary. Phishing attacks succeed because they target a weak point: employees. Humans make mistakes and are one of the biggest vulnerabilities as far as security is concerned. All it takes is for one phishing email to sneak through your defenses and land in an inbox, and for the recipient to click a link in the email or open a malicious attachment, for a threat actor to get the foothold they need in your network.

The easiest way to target employees is with phishing emails. The majority of phishing emails will be blocked by your spam filter, but some emails will be delivered. It doesn’t matter how advanced and effective your spam filter is, it will not block every single phishing email without also blocking an unacceptable number of genuine emails.

Phishing emails are used to achieve one of three aims: To trick individuals into disclosing credentials, to trick them into emailing sensitive data, or to trick them into installing malware. There are many tactics, techniques, and procedures (TTPs) employed in phishing attacks to make the emails realistic, convincing, and to get employees to act quickly. The emails may closely match standard business emails related to deliveries, job applications, invoices, or requests for collaboration. Spoofing is used to make the messages appear to have come from a trusted sender. Emails can spoof brands and often include the correct corporate logos, formats, and color schemes. While phishing emails include red flags that indicate all is not what it seems, busy employees may not notice those flags. Further, sophisticated, targeted phishing attacks contain very few red flags and are very difficult to identify. Even system administrators can be fooled by these attacks.

Businesses cannot expect every employee to be an expert at identifying phishing emails and other email threats, nor should they assume that employees have a good understanding of security practices that need to be employed. The only way to ensure employees know about security practices and how to recognize a phishing email is to provide security awareness training.

Security Awareness Training Improves Resilience to Phishing Attacks

The purpose of security awareness training is to make the workforce aware of the threats they are likely to encounter and to provide them with the tools they need to recognize and avoid those threats. Security awareness training is not a checkbox item that needs to be completed for compliance, it is one of the most important steps to take to improve your organization’s security posture and it needs to be an ongoing process. You could provide a classroom-based training session or computer-based training session once a year, but the TTPs of cyber threat actors are constantly changing, so that is not going to be sufficient. More frequent training, coupled with security reminders, newsletters, and updates on the latest threats to be wary of will ensure that security is always fresh in the mind, and it will help you to develop a security culture in your organization.

One of the most effective strategies is to augment training with phishing simulations. Phishing simulations involve sending fake but realistic phishing emails to employees to see how they respond. If you do not conduct these tests, you will not know if your training has been effective. The simulations will identify employees that require further training and the simulations will give employees practice at recognizing malicious emails. Reports from these simulations allow security teams to assess how resilient they are to phishing attacks and other email threats and will allow them to take action and focus their efforts to make immediate improvements.

SafeTitan Security Awareness Training & Phishing Simulations

TitanHQ can now help businesses create a human firewall through SafeTitan Security Awareness Training. SafeTitan is the only behavior-driven security awareness platform that delivers training in real-time and will greatly improve resilience to social engineering and advanced phishing attacks.

If you want to improve your resilience to cyberattacks, prevent more data breaches, and avoid the costs and reputation damage caused by those incidents, you need to be training your workforce and running phishing simulations. Get in touch with TitanHQ today for more information and get started creating your human firewall.

Critical Infrastructure Organizations Targeted by Ransomware Gangs

2019 was a particularly bad year for ransomware attacks, and while there was a reduction in the use of ransomware in 2020, attacks increased sharply in 2021, with the education sector and government organizations the most attacked sectors, although no industry sector is immune to attacks.

There is growing concern about the increase in attacks on critical infrastructure organizations, which are an attractive target for ransomware gangs. According to the data from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), 14 of the 16 critical infrastructure sectors in the United States reported ransomware attacks in 2021, including the defense industrial base, emergency services, healthcare, food and agriculture, information technology, and government facilities. Cybersecurity agencies in the United Kingdom and Australia have also said critical infrastructure has been targeted.

Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks

This week, a warning has been issued by the Federal Bureau of Investigation (FBI), the U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) about ransomware attacks using AvosLocker ransomware.

AvosLocker was first identified as a threat in late June 2021 and, despite being relatively new, poses a significant risk. Attacks using the ransomware increased in the latter half of 2021, with spikes in November and December. Variants of AvosLocker have since been developed to attack Linux as well as Windows systems.

As is now common, the attackers engage in double extortion and demand payment for the keys to decrypt files and to prevent the release of stolen data. The gang operates a data leak site where a sample of stolen data is uploaded and made accessible to the public. The gang says it then sells the stolen data to cybercriminals if payment is not made. AvosLocker is one of a handful of ransomware operations that also makes contact with victims by phone to encourage them to pay the ransom. The gang is known to issue threats of Distributed Denial of Service (DDoS) to further pressure victims into paying the ransom.

AvosLocker is a ransomware-as-a-service operation where affiliates are recruited to conduct attacks for a percentage of any ransom payments they generate. Consequently, the attack vectors used in attacks depend on the skillsets of the affiliates. Common vulnerabilities are known to be exploited to gain initial access to networks, including the ProxyShell vulnerabilities and other unpatched vulnerabilities in on-premises Microsoft Exchange Servers. However, over the past year, spam email campaigns have been a primary attack vector.

Email Filtering Vital for Defending Against Ransomware Attacks

Spam email is a common attack vector used by ransomware gangs. Spam email campaigns are effective and provide low-cost access to victim networks. Phishing and spam campaigns either use malicious attachments or embedded hyperlinks in emails, along with social engineering techniques to convince end users to open the attachments or click the links.

The primary defense against these attacks is email filters. Email filters scan all inbound emails and attachments and prevent malicious messages from being delivered to inboxes. Since cyber actors are constantly changing their lures, social engineering methods, and strategies to bypass email security solutions, it is vital to have an email security solution in place that can respond to changing tactics.

Email security solutions that use artificial intelligence and machine learning to identify and block threats outperform solutions that rely on antivirus engines and blacklists of known malicious IP addresses. SpamTitan incorporates artificial intelligence in addition to blacklists, dual antivirus engines, and sandboxing to identify malicious emails, and has comprehensive threat intelligence feeds to identify new threats rapidly. SpamTitan also provides time-of-click protection against malicious hyperlinks in emails to ensure users are well protected against phishing, malware, ransomware, and other email threats.

Don’t Neglect Security Awareness Training for the Workforce

It is also important to provide security awareness training to all members of the workforce from the CEO down. The FBI and the U.S. Treasury Department recommended in the latest alert to “Focus on cyber security awareness and training,” and “Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).” TitanHQ can help in this regard with SafeTitan – “The only behavior-driven security awareness solution that delivers security training in real-time.”

For more information on improving your defenses against ransomware and other cyber threats, give the TitanHQ team a call to inquire about email filtering, web filtering, and security awareness training for your workforce.

Lapsus Ransomware Gang Ups the Ante with Impresa and NVIDIA Attacks

The Lapsus ransomware gang has arrived on the scene and has already claimed several high-profile targets, with victims including Impresa (the largest media conglomerate in Portugal), Brazil’s Ministry of Health (MoH), the Brazilian telecommunications operator Claro, and most recently, the Santa Clara, CA-based GPU vendor NVIDIA.

The Lapsus ransomware gang – also referred to as Lapsus$ – is a relatively new threat actor and is making a reputation for itself in an already crowded ransomware market. Most ransomware gangs now practice double extortion, where prior to encrypting files they exfiltrate sensitive data and threaten to publish the data if the ransom is not paid. Triple extortion tactics are now becoming common, where threats are also issued to notify shareholders, partners, and customers about attacks. The Lapsus gang has taken things a step further still and is boasting about its attacks and causing major embarrassment for victims.

In January, the Lapsus ransomware gang attacked the Brazilian car rental firm Localiza, which is one of the largest car rental firms in South America. In addition to stealing data and encrypting files, the gang redirected the company’s website to an adult website and publicly announced that the company is now a porn site. The redirection was only in place for a few hours, but it was enough to damage the company’s reputation.

Also in January, Impresa was targeted. Impresa is the owner of SIC and Expresso, the largest TV channel and weekly newspaper in Portugal. The attack targeted Impresa’s online IT servers resulting in company websites being taken offline and the temporary loss of Internet streaming services. The gang defaced the company’s websites by adding their ransom note and claimed they had taken control of Impresa’s Amazon Web Services account. The gang then used the hijacked Expresso Twitter account and sent a tweet stating, “Lapsus$ is officially the new president of Portugal.” The gang also gained access to its newsletter and sent phishing emails to subscribers informing them in the emails that the President of Portugal had been murdered.

On February 25, NVIDIA experienced a cyberattack that saw parts of its IT infrastructure taken offline for a couple of days. NVIDIA announced that it was investigating a security incident, and then the Lapsus gang said it was behind the attack and issued a threat to leak around 1TB of data. The gang published screenshots indicating they had leaked password hashes for NVIDIA employees, source code, and highly sensitive proprietary company information.

There was some good news – the Lapsus gang then experienced its own ‘ransomware’ attack. There have been reports in the media that NVIDIA hacked back, gained access to the attackers’ virtual machine, and encrypted its data, although security researcher Marcus Hutchins offered an alternative view, suggesting this could have been due to the gang installing NVIDIA’s corporate agent on their virtual machine and then triggering a data loss prevention policy.

In addition to demanding a ransom, the Lapsus ransomware gang also demanded NVIDIA remove the Lite Hash Rate (LHR) limitations on its GeForce 30 series firmware – which halve the hash rate when the GPUs are detected being used for mining Ethereum – and also requested that NVIDIA commit to completely open sourcing its GPU drivers forever. If the demands are not met, the gang said it will release the complete silicon, graphics, and computer chipset files for its most recent GPUs.

While many ransomware gangs are focused purely on extortion, the Lapsus gang appears to like the limelight and brags about their attacks, which makes attacks by the gang even more serious for victims due to the brand and reputation damage they cause.

The extent of the attack vectors used by the gang is not known, but they appear to have used phishing emails to gain access to some victims’ networks, including the attack on Impresa. Phishing is a popular attack vector in ransomware attacks. Around half of all ransomware attacks start with a phishing email, according to a recent Statista survey. Employees respond to phishing emails and disclose their credentials, which give the attackers the foothold in the network they need for a deeper compromise.

Businesses could be lulled into a false sense of security with the disbanding of major ransomware operations and arrests of key gang members. The REvil ransomware gang may be no more, and DarkSide has been shut down, but other ransomware gangs are more than happy to plug the gap. Lapsus only announced its presence on the scene at the start of the year but is already growing into a major threat.

The best defense against Lapsus ransomware attacks and other cyberattacks is to adopt a defense-in-depth strategy. That should include an advanced spam filtering solution to block email phishing attacks, content filtering to prevent employees from visiting malicious websites, multi-factor authentication on all email accounts and local/cloud apps, ensuring patches and software updates are applied promptly, and providing ongoing security awareness training to the workforce to help employees identify and avoid phishing and social engineering attempts.

TitanHQ can help organizations improve their defenses against the full range of cyberattacks by providing advanced cybersecurity solutions for SMBs, enterprises, and Managed Service Providers, including spam filtering, DNS filtering, email encryption, email archiving, and security awareness training.

TitanHQ Placed 33 in 2021 Deloitte Technology Fast 50 List

TitanHQ has been included in the 2021 Deloitte Technology Fast 50 List of the fastest-growing tech companies in Ireland. The award program has now been running for 22 years and celebrates innovation and entrepreneurship in Ireland’s indigenous technology sector.

Deloitte compiles the list based on percentage revenue growth over the past 4 years, with TitanHQ ranking in position 33 in the list after a long period of sustained growth. That growth continued throughout the COVID-19 pandemic, when many businesses struggled. Not only has the company significantly increased its customer base over the past 4 years, the workforce has also had a major expansion. Between September 2020 and April 2021, TitanHQ’s workforce doubled in size.

As well as impressive organic growth, TitanHQ has benefitted from investment from Livingbridge Investor Group which has allowed the company to continue to recruit the best talent to support its business and invest in product development. As well as making improvements to its existing product portfolio, the company released a new product this month – SpamTitan Plus.

SpamTitan Plus builds on the protection provided by SpamTitan Gateway and SpamTitan Cloud but significantly improves detection of the malicious URLs in emails that are used for phishing and malware distribution. SpamTitan Plus has coverage of all major phishing feeds and has faster and better detection rates for malicious URLs than any of the market-leading anti-spam solutions.

“As a result of increased demand globally for our solutions, we have invested heavily in product development and embarked on a recruitment campaign to double our workforce in a program that will allow that growth to continue,” said TitanHQ CEO, Ronan Kavanagh. “The quick move to remote working last year has made us all aware of how important it is to be adaptable and have the right security solutions in place to protect users, customers, company data, and systems.”

TitanHQ’s customer base has now increased to more than 12,000 businesses, including over 2,500 managed service providers in 150 countries, with much of TitanHQ’s growth over the past 4 years due to the increase in overseas customers. That growth was also recognized by Deloitte, which awarded TitanHQ runner-up spot in the Scale Up Award. The Scale Up Award recognizes companies that have enjoyed significant overseas growth over the past 4 years.

“Congratulations to all of the companies that ranked this year. This is the first year we have seen the impact the pandemic has had on revenues of Irish tech companies,” said David Shanahan, Partner, Deloitte. “It will come as no surprise that many of this year’s winners have achieved accelerated growth and scale as a result of the pandemic and being able to capitalize on the global move to a digital way of life.”

Ransomware Attacks Increased by 900% in 1H 2021

There has been an alarming surge in ransomware attacks in 2021. Attacks have been conducted on businesses of all sizes, from large international enterprises with multi-million-dollar cybersecurity budgets to small businesses with just a handful of employees. The attacks have shown that no business is too large or too small to be targeted.

Ransomware is a form of malware that is used to encrypt files to prevent them from being accessed. The attacker holds the keys to allow data to be decrypted, and those keys will only be provided if a ransom is paid. Ransom demands can range from a few thousand dollars for individual devices up to tens of millions of dollars for large companies.

900% Increase in Ransomware Attacks in 2021

This year has seen ransomware attacks conducted at an alarming level. CybSafe’s data has revealed a 900% increase in ransomware attacks in the first 6 months of 2021 compared to the corresponding period last year. In addition to the increase in number, the cost of mitigating the attacks has increased and the ransom demands have been growing. This week, for example, Europe’s largest consumer electronics retailer – MediaMarkt – confirmed it was the victim of a Hive ransomware attack. The attackers reportedly demanded a payment of $240 million for the keys to decrypt files.

2021 has shown no company is off limits, with multiple attacks conducted on critical infrastructure firms. One attack on Colonial Pipeline in the United States resulted in the shutdown of a fuel pipeline serving the Eastern Seaboard of the United States for a week. A ransom payment of $4.4 million was paid to the attackers to recover data.

The U.S. software company Kaseya, which provides a range of software solutions to businesses and managed service providers, suffered a major ransomware attack involving REvil ransomware. The REvil gang demanded a payment of $70 million for the keys to decrypt files. The attack affected around 40 managed service providers and an estimated 1,500 downstream businesses.

Attacks have also been conducted on many healthcare providers, with those attacks disrupting healthcare services and putting patient safety at risk. In May 2021, Ireland’s Health Service Executive (HSE) suffered a ransomware attack which is believed to have started with a phishing email. The response gave the Conti ransomware gang the access needed to encrypt files. A $20 million ransom demand was issued, although the attackers provided the keys free of charge in the end. Even so, the HSE took months to recover from the attack at considerable cost.

Ransomware Gangs Targeted by Law Enforcement

The above attacks represent just a tiny percentage of the ransomware attacks that have been publicly disclosed this year and it is clear that the threat of attack is unlikely to wane any time soon.

There has been some good news, however. The attacks on critical infrastructure firms have forced the U.S. government to step up its efforts to target ransomware-related crime. Following the attacks, ransomware attacks were elevated to a level akin to terrorist attacks, and with that comes additional resources.

Already the United States and law enforcement partners around the world have succeeded in disrupting the activities of several ransomware gangs. The REvil ransomware infrastructure has been taken down and arrests have been made, and the DarkSide operation has been shut down, as has its suspected successor, BlackMatter. Suspected members of the Clop ransomware operation have been arrested, and Europol has arrested 12 individuals in connection with LockerGoga, MegaCortex, and Dharma ransomware attacks.

While the arrests and infrastructure takedowns will have a short-term effect, ransomware threat actors are likely to regroup, set up new operations, and recommence their attacks as they have done in the past.

An Easy Step to Take to Improve Ransomware Defenses

Businesses need to take steps to combat the ransomware threat, but since many different methods are used to gain access to networks, this can be a challenge. The best place to start is to make sure defenses against phishing emails are put in place. Most ransomware attacks start with a phishing email, which either delivers malware or gives attackers credentials that provide them with the foothold in networks that they need to conduct their attacks.

Email security solutions such as SpamTitan filter out malicious messages and prevent them from reaching inboxes where they can fool employees. Technical solutions such as email security gateways are far more effective than end user training at blocking threats, although it is also important to make sure employees are aware of cybersecurity best practices and are taught how to identify a phishing email.

Email filtering solutions such as SpamTitan perform an in-depth analysis of all email content and can detect malicious links and email attachments. When emails fail the checks, they are sent to the quarantine folder where they can be reviewed. This allows security teams to gain a better understanding of the threats that are targeting their organization and also allows false positives to be identified so filtering rules can be updated.

SpamTitan incorporates dual antivirus engines, sandboxing that allows suspicious attachments to be analyzed to identify new malware variants, and machine learning technology to ensure that spam filtering improves over time.

A huge array of checks and controls ensure malicious messages are blocked, but that all happens behind the scenes. Administrators benefit from a clean, easy-to-use interface that requires no technical skills to navigate and use. All information and controls are intuitive.

If you would like to find out more about improving your defenses against ransomware, malware, phishing, and other email and web-based threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are available on a free trial, allowing you to put them to the test in your own environment before making a decision about a purchase.

OnePercent Ransomware Delivered via Phishing Emails

Ransomware attacks have been rife in 2021, with the increase in attacks seen in 2020 continuing throughout 2021. The number of attacks conducted in 2021 has been staggering. There were more attempted ransomware attacks in the first 6 months of 2021 than there were in all of 2020, according to one report.

Ransomware-as-a-service (RaaS) operations that were active throughout 2020 have increased their attacks, and while some RaaS operations have been shut down, attack volume is showing no sign of reducing. There is also a new ransomware threat to defend against. The Federal Bureau of Investigation (FBI) has issued a warning about a new ransomware threat actor that has been particularly active in the United States. The group, known as OnePercent, has been using its ransomware to attack U.S. businesses since at least November 2020, according to a recent FBI Flash Alert. The group is known to use the legitimate penetration testing tool Cobalt Strike in its attacks, and prior to using their OnePercent ransomware variant to encrypt files, the attackers exfiltrate sensitive data from victims’ systems. A ransom demand is issued for the keys to decrypt files and to prevent the publication of the stolen data on the group’s data leak sites on the TOR network and the publicly accessible Internet.

As with many ransomware gangs, the initial attack vector is phishing emails. Phishing emails with malicious .ZIP attachments are sent to targeted organizations; the archives contain Word documents or Excel spreadsheets with malicious macros that deliver the IcedID banking Trojan. The Trojan downloads and installs Cobalt Strike on endpoints to allow the attacker to move laterally within victims’ networks and compromise as many devices as possible. The group is also known to use PowerShell, Mimikatz, SharpKatz, BetterSafetyKatz, and SharpSploit, along with Rclone for data exfiltration.

The attackers are known to take their time within networks to identify and steal critical data. In attacks reported to the FBI, the group has spent up to a month from the initial compromise to the deployment of OnePercent ransomware. During that time, considerable volumes of data are exfiltrated. The ransomware itself encrypts files and uses a random 8-character extension for encrypted files.

As is now the norm, there is no fixed ransom payment. Victims are required to make contact with the attackers to receive ‘technical support’ recovering their files and to discover how much needs to be paid for the decryptors and to ensure data deletion. If the ransom is paid, the attackers say they will deliver the decryption keys within 48 hours. The threat group is also known to contact the victim by telephone using spoofed telephone numbers to pressure victims into paying by threatening to publish the stolen data. The group has also threatened to sell the stolen data to the Sodinokibi ransomware gang to list for sale at a public auction.

Since the group uses phishing emails as the initial attack vector, preventing those messages from reaching inboxes is the best defense against attacks. That requires an advanced spam filtering solution such as SpamTitan. It is also recommended to configure emails to display a warning when they are received from a sender that is outside the organization.
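One check an email filter can apply to the lure described above (a .ZIP attachment wrapping an Office document with macros) is shown here as an added illustration; it is not SpamTitan's code or the FBI's. It relies on the fact that modern Word and Excel files are themselves zip archives whose VBA code lives in a part named vbaProject.bin; the file names, size limit and sample attachments are constructed for the example.

```python
"""Inspect a .zip email attachment for Office documents that carry VBA macros.

Added illustration, not SpamTitan's code. OOXML documents (.docx/.docm/.xlsm
and friends) are zip containers; a VBA project is stored as vbaProject.bin,
so the check opens the outer archive, then each Office file inside it, and
reports any that contain that part. The sample attachment is built in memory.
"""
import io
import zipfile

# OOXML extensions worth opening; legacy .doc/.xls (OLE2) need a different parser.
OFFICE_EXTENSIONS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm")
# Assumed limit so a huge or nested archive is flagged rather than fully expanded.
MAX_INNER_BYTES = 50 * 1024 * 1024


def office_has_macros(document_bytes: bytes) -> bool:
    """True if an OOXML document contains a VBA project part (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(document_bytes)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container, nothing to inspect here


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Return names of Office documents inside the zip that carry macros.

    Oversized members are reported without being read so a zip bomb cannot
    exhaust memory in the filter.
    """
    findings = []
    try:
        outer = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings  # a corrupt or non-zip attachment is handled elsewhere
    with outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.lower().endswith(OFFICE_EXTENSIONS):
                continue
            if info.file_size > MAX_INNER_BYTES:
                findings.append(info.filename + " (oversized, not inspected)")
                continue
            if office_has_macros(outer.read(info)):
                findings.append(info.filename)
    return findings


def _make_office_doc(with_macros: bool) -> bytes:
    """Build a minimal OOXML-shaped zip; only the container structure matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<document/>")
        if with_macros:
            doc.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, no real VBA
    return buf.getvalue()


def make_sample_attachment() -> bytes:
    """Constructed .zip lure: one clean .docx, one macro-enabled .docm, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("Invoice_2021.docx", _make_office_doc(False))
        outer.writestr("Invoice_2021_signed.docm", _make_office_doc(True))
        outer.writestr("readme.txt", "please open the attached invoice")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(make_sample_attachment()))  # ['Invoice_2021_signed.docm']
```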

It is also important to follow cybersecurity best practices such as network segmentation to limit the potential for lateral movement, to audit user accounts with admin privileges and restrict their use as far as possible, and to configure access controls using the principle of least privilege. All critical data should be backed up offline on an external hard drive or storage device that is disconnected once the backup has been performed. Backups should also be tested to make sure file recovery is possible.

While the OnePercent ransomware gang is only known to use phishing emails as the attack vector, other methods of attack may also be adopted. It is therefore recommended to ensure that remote access and RDP ports are disabled if not used, to monitor remote access/RDP logs, to keep computers and applications up to date and to apply patches promptly, and to ensure that strong passwords are set and multi-factor authentication is implemented.

Ransomware and BEC Attacks Often Start with a Phishing Email: Are Your Phishing Defenses Good Enough?

Ransomware attacks can be incredibly expensive and business email compromise (BEC) scams can result in transfers of millions of dollars to attackers, but these breaches often start with an email.

Phishing emails are sent to employees that ask them to click on a link, which directs them to a webpage where they are asked to provide their login credentials, for Microsoft 365 for example. Once credentials are entered, they are captured and used to access that individual’s account. The employee is often unaware that anything untoward has happened.

The stolen credentials give an attacker the foothold in the network that is needed to launch a major cyberattack on the business. The phisher may use the email account to send further phishing emails to other employees in the company, with the aim being to gain access to the credentials of an individual with administrative privileges or the credentials of an executive.

An executive’s account can be used to send emails to an individual in the company responsible for making wire transfers. A request is sent for a wire transfer to be made and the transfer request is often not recognized as fraudulent until the funds have been transferred and withdrawn from the attacker’s account. These BEC scams often result in tens of thousands of dollars – or even millions – being transferred.

An alternative attack involves compromising the email accounts of employees and sending requests to payroll to have direct deposit information changed. Salaries are then transferred into attacker-controlled accounts.

Phishers may act as affiliates for ransomware-as-a-service (RaaS) gangs and use the access they gain through phishing to compromise other parts of the network, steal data, and then deploy ransomware, or they may simply sell the network access to ransomware gangs.

When email accounts are compromised, they can be used to attack vendors, customers, and other contacts. From a single compromised email account, the damage caused is considerable and often far reaching. Data breaches often cost millions of dollars to mitigate. All this from a single response to a phishing email.

Phishing campaigns require very little skill to conduct and require next to no capital investment. The ease with which phishing attacks can be conducted and the potential profits that can be gained from attacks make this attack method very attractive for cybercriminals. Phishing can be used to attack small businesses with poor cybersecurity defenses, but it is often just as effective when attacking large enterprises with sophisticated perimeter defenses. This is why phishing has long been one of the most common ways that cybercriminals attack businesses.

How to Deal with the Phishing Threat

Phishing attacks may lead to the costliest data breaches, but they are one of the easiest types of cyberattacks to prevent; however, some investment in cybersecurity and training is required. The most important first step is to purchase an advanced spam filter. This technical control is essential for preventing phishing emails from reaching end users’ inboxes. If the phishing emails do not arrive in an inbox, they cannot be clicked by an employee.

Not all spam filtering solutions are created equal. Basic spam filters are effective at blocking most threats, but some phishing emails will still be delivered to inboxes. Bear in mind that phishers are constantly changing tactics and are trying to get one step ahead of cybersecurity firms. Most spam filtering solutions will block messages from malicious IP addresses and IP addresses with poor reputations, along with any messages identified in previous phishing campaigns and messages containing known variants of malware.

Advanced spam filtering solutions use AI and machine learning techniques to identify messages that deviate from the normal emails a business typically receives, are able to detect previously unseen phishing emails, and incorporate Sender Policy Framework and DMARC to identify email impersonation attacks. Sandboxing is also included which is used to identify previously unseen malware threats. Greylisting is a feature of advanced spam filters that involves initially rejecting a message and requesting it be resent. The delay in a response, if one is received at all, indicates the mail server is most likely being used for spamming. Spam servers are usually too busy on huge spam runs to resend messages that have initially been rejected.
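The greylisting behaviour described above, written out as decision logic for a mail filter; this is an added example, not SpamTitan's implementation. The keying on the (client IP, envelope sender, envelope recipient) triplet, the delay and window values, and the sample delivery attempts are all assumptions made for the illustration.

```python
"""Greylisting decision logic (added illustration, not SpamTitan's code).

The first delivery attempt for a new (client IP, MAIL FROM, RCPT TO) triplet
is deferred with an SMTP 4xx "try again later". A legitimate mail server
queues the message and retries after a delay; bulk spam engines typically
never retry, or retry immediately. A retry that arrives after the minimum
delay is accepted and the triplet is whitelisted for a while.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Triplet = Tuple[str, str, str]


@dataclass
class GreylistPolicy:
    min_delay: int = 300            # seconds the sender must wait before a retry counts
    retry_window: int = 4 * 3600    # a retry later than this starts a fresh greylist period
    whitelist_ttl: int = 36 * 3600  # how long an accepted triplet is passed without delay


@dataclass
class Greylist:
    policy: GreylistPolicy = field(default_factory=GreylistPolicy)
    first_seen: Dict[Triplet, int] = field(default_factory=dict)
    whitelisted_until: Dict[Triplet, int] = field(default_factory=dict)

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        """Return 'accept' or 'defer' for one delivery attempt at epoch time `now`."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        until = self.whitelisted_until.get(key)
        if until is not None and now < until:
            return "accept"  # known-good triplet, no delay while the whitelist lasts
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.policy.retry_window:
            self.first_seen[key] = now  # first (or stale) attempt: ask the sender to retry
            return "defer"
        if now - seen < self.policy.min_delay:
            return "defer"  # retried too soon: hammering senders do not get through
        # A patient retry from a real queue: accept and remember the triplet.
        self.whitelisted_until[key] = now + self.policy.whitelist_ttl
        del self.first_seen[key]
        return "accept"


# Constructed sample attempts: (time, client_ip, mail_from, rcpt_to, note).
# Addresses use documentation IP ranges and example domains.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", "alice@example.org", "bob@example.com", "legit first try"),
    (20, "198.51.100.9", "promo@spam.example", "bob@example.com", "spam first try"),
    (25, "198.51.100.9", "promo@spam.example", "bob@example.com", "spam immediate retry"),
    (900, "203.0.113.7", "alice@example.org", "bob@example.com", "legit retry after 15 min"),
    (1000, "203.0.113.7", "alice@example.org", "bob@example.com", "legit second message"),
]


def run_sample(attempts=SAMPLE_ATTEMPTS) -> List[str]:
    """Feed the sample attempts through one greylist and return the decisions in order."""
    greylist = Greylist()
    return [greylist.decide(ip, frm, to, t) for t, ip, frm, to, _ in attempts]


if __name__ == "__main__":
    for (t, ip, frm, to, note), verdict in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(f"t={t:>5}s {ip:<14} {frm:<20} {verdict:<7} ({note})")
```

Only the legitimate sender's patient retry and its later message are accepted; the spam engine's immediate retry stays deferred.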

Advanced spam filters also feature outbound email scanning, which can identify compromised email accounts and can block phishing messages from being sent internally or externally from a hacked mailbox.

SpamTitan incorporates all of these advanced controls, which is why it is capable of blocking more threats than basic spam filters. Independent tests have shown SpamTitan blocks in excess of 99.97% of malicious messages.

Don’t Neglect End User Training

No spam filter will be 100% effective at blocking phishing threats, at least not without also blocking an unacceptable number of genuine emails. It is therefore important to provide regular security awareness training to the workforce, with a strong emphasis on phishing. Employees need to be taught how to identify a phishing email and conditioned in how to respond when a threat is received (alert their security team).

Since phishing tactics are constantly changing, regular training is required. When training is reinforced, it is easier to develop a security culture and regular training sessions will raise awareness of the latest phishing threats. It is also recommended to conduct phishing simulation exercises to test the effectiveness of the training program and to identify individuals who require further training.

Web Filtering is an Important Anti-Phishing Control

The key to blocking phishing attacks is to adopt a defense-in-depth approach. That means implementing multiple overlapping layers of security. One important additional layer is a web filtering solution. Spam filters target the phishing emails, whereas web filters work by blocking access to the webpages hosting the phishing kits that harvest credentials. With a spam filter and web filter implemented, you are tackling phishing from different angles and will improve your defenses.

A web filter will block access to known malicious websites, providing time-of-click protection against malicious hyperlinks in phishing emails. A web filter will also prevent employees from being redirected to phishing web pages from malicious website adverts when browsing the Internet. Web filters also analyze the content of web pages and will block access to malicious web content that has not previously been identified as malicious. Web filters will also block malware and ransomware downloads.

WebTitan is a highly effective DNS-based web filtering solution that protects against phishing, malware, and ransomware attacks. The solution can protect office workers but also employees who are working remotely.

Speak to TitanHQ Today About Improving your Phishing Defenses

TitanHQ has been developing anti-phishing and anti-malware solutions for more than two decades. TitanHQ’s email and web security solutions are cost effective, flexible, easy to implement, and easy to maintain. They are consistently given top marks on software review sites and are a big hit with IT security professionals and managed service providers (MSPs). TitanHQ is the leading provider of email and web security solutions to MSPs serving the SMB market.

If you want to improve your phishing defenses and block more threats, contact the TitanHQ team today for further information on SpamTitan and WebTitan. Both solutions are available on a 100% free trial of the full product complete with product support. Product demonstrations can also be booked on request.

Phishing Attacks Surge and Businesses are Struggling to Deal with the Threat

Ransomware attacks have increased significantly since the start of 2020 and that increase has continued in 2021. While these attacks are occurring more frequently than ever, the threat from phishing has not gone away and attacks are still rife. Phishing attacks may not make headline news like ransomware attacks on hospitals that threaten patient safety, but they can still be incredibly damaging.

The aim of many phishing attacks is to obtain credentials. Email credentials are often targeted as email accounts contain a treasure trove of data. That data can be extremely valuable to cybercriminals. In healthcare for example, email accounts contain valuable healthcare data, health insurance information, and Social Security numbers, which can be used to commit identity theft, obtain medical treatment, and for tax fraud. Entire email accounts are often exfiltrated in the attacks and the accounts used to send tailored phishing emails to other individuals in the company.

Many data breaches start with a phishing email, with phishing often used by an attacker to gain a foothold in a network that can be used in a much more extensive attack on an organization. Phishing emails are often the first step in a malware or ransomware attack.

Multiple surveys have recently been conducted on IT leaders and employees that show phishing is a very real and present danger. Two recent surveys conducted in the United States and United Kingdom indicate almost three quarters of businesses have experienced a data breach as a result of a phishing attack in the past 12 months. One study indicated over 50% of IT leaders had seen an increase in phishing attacks in the past 12 months, while the other put the figure at 80%.

During the pandemic, many businesses were faced with the option of switching to a remote workforce or shutting down. The increase in remote working was a godsend for phishers, who increased their attacks on employees. Many IT departments lacked visibility over a remote workforce and found it harder to block phishing attacks than when employees were in the office. Staff shortages in IT have certainly not helped.

Staff training is important to raise awareness of the threat from phishing, but remote working has made that harder. Training needs to be provided regularly as it can easily be forgotten and bad habits can slip in. Phishing tactics are also constantly changing, so regular training is needed to keep employees aware of the latest threats and phishing techniques, so they know what to look for. It does not help that phishing attacks are increasingly targeted and more sophisticated and can be difficult for employees to spot even if they have received regular training.

So how can businesses combat the threat from phishing and avoid being one of the three quarters of companies that experience a phishing data breach each year? Training is important, but the right technology is required.

Two of the most important technical solutions that should be implemented to block phishing attacks are spam filters and web filters. Both are effective at combatting phishing, albeit from different angles. When both are used together, protection is better than the sum of both parts.

A spam filter must have certain features to block sophisticated phishing threats. Blacklists are great for identifying emails from known malicious IP addresses, but IP addresses frequently change. Machine learning approaches are needed to identify previously unseen phishing tactics and threats from IP addresses not known to be malicious. Multiple AV engines can help to block more malware threats, while sandboxing can be used to identify new malware variants. DMARC is also vital to block email impersonation attacks, while outbound scanning is important to rapidly detect compromised mailboxes. All of these features are employed by SpamTitan, which is why the solution has such a high block rate (over 99.97%) and low false positive rate.

Web filters are primarily used to restrict access to malicious and undesirable websites, whether they are sites with pornographic content or malicious sites used for phishing and malware distribution. Web filters, especially DNS-based filters, greatly improve protection against threats and will block access to known malicious websites. They will also block malware downloads and restrict access to questionable websites that serve no work purpose but increase risk. WebTitan will do this and more, and can easily be configured to protect remote workers, no matter where they choose to access the Internet.

With phishing attacks increasing it is important that businesses deploy solutions to counter the threat to stay one step ahead of the phishers. For further information on SpamTitan and WebTitan, and how they can protect your business, give the TitanHQ team a call. Both solutions are available on a free trial to allow you to see for yourself the difference they make. You can sign up for a free trial of SpamTitan here, and WebTitan on this link.

Fake Windows 11 Installers Being Used to Deliver Malware

On June 24, 2021, Microsoft announced Windows 11 will soon be released. Windows 11 is a major upgrade of the Windows NT operating system, which will be the successor to Windows 10. Such a major release doesn’t happen that often – Windows 10 was released in 2015 – so there has been a lot of interest in the new operating system. The new Windows version is due for public release at the end of 2021, but there is an opportunity to get an early copy for free.

On June 28, Microsoft revealed the first Insider Preview of Windows 11. Upgrading to the new Windows version is straightforward. For a lucky few (or unlucky few if Windows 11 turns out to be exceptionally buggy), an upgrade just requires a user to enroll in the Dev channel of the Windows Insider Program. That said, many people have been trying to get an upgrade from unofficial sources.

Unsurprisingly, unofficial ISOs that claim to provide Windows 11 do not. Instead, they deliver malware. Threat actors have been distributing these fake Windows 11 installers and using them to deliver a wide range of malicious payloads. At best, these fake Windows 11 installers will deliver adware or unwanted programs. More likely, malware will be installed with various degrees of maliciousness, such as Remote Access Trojans and backdoors that give the attackers full access to the victims’ devices, information stealers such as keyloggers that steal passwords and other sensitive data, cryptocurrency miners, and ransomware.

Researchers at Kaspersky Lab have identified several fake Windows 11 installers doing the rounds, including one seemingly legitimate installer named 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the name and 1.76GB file size, it was not what it seemed. If the user executed the file and agreed to the terms and conditions, the file would proceed to download a different executable that delivers a range of malicious software onto the user’s device.

As the hype builds ahead of the official release date, we can expect there to be many other fake installers released. Hackers do love a major software release, as it's easy to get users to double click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so beware.

Ensure you have an advanced and effective spam filtering solution such as SpamTitan in place to protect against malicious emails, and a web filter such as WebTitan installed to block malicious file downloads. You should also make sure that you only install software or applications from official sources and take care to ensure that you really are on the official website of the software developer before downloading any files. A double click on a malicious executable file could cause a great deal of pain and expense for you and your employer.

10 Reasons MSPs Choose SpamTitan to Protect Against Email Threats

Phishing is the most common way that cybercriminals gain access to business networks, and the primary defense against these attacks is a spam filter. Spam filters inspect all inbound emails for the signatures of spam, phishing, and malware and keep inboxes free of these threats.

There are many spam filtering solutions on the market that can protect against advanced email threats, but why have so many managed service providers (MSPs) chosen TitanHQ as their email security solution provider? What does SpamTitan provide that is proving to be such a big hit with MSPs?

Why Managed Service Providers Choose SpamTitan Email Security for Their Clients

SpamTitan is a multi-award-winning anti-spam solution that incorporates powerful features to protect against phishing and other email-based attacks. The solution is currently used by more than 1,500 MSPs worldwide, with that number growing steadily each month.

We have listed 10 of the main reasons why SpamTitan is proving to be such a popular choice with MSPs.

Excellent malware protection

SpamTitan includes dual anti-virus engines from two leading AV providers and sandboxing that incorporates machine learning and behavioral analysis to safely detonate suspicious files.

Defense in depth protection for Office 365 environments

SpamTitan includes multiple protection measures that provide defense in depth against email threats, with easy integration into Office 365 environments to significantly improve defenses against phishing and email-based malware attacks.

Advanced email blocking

SpamTitan supports uploading block and allow lists per policy, advanced reporting, recipient verification and outbound email scanning, with the ability to whitelist/blacklist at both a global level and a domain level.

Protection against zero-day attacks

SpamTitan uses machine learning predictive technology to block zero-day threats, with AI-driven threat intelligence to block zero-minute attacks.

Data leak prevention

Easily set powerful data leak prevention rules and tag data to identify and prevent internal data loss.

Simple integration

SpamTitan is easy to integrate into your existing service stack through TitanHQ APIs, and MSPs benefit from streamlined management with RMM integrations.

Competitive pricing with monthly billing

MSPs benefit from a fully transparent pricing policy, competitive pricing, generous margins, and monthly billing. There is also a short sales cycle – only 14 days of a free trial is required to fully test the solution.

White label option to reinforce your brand

SpamTitan can be provided to managed service providers as a white label version that can be fully rebranded to reinforce an MSP's brand.

Intuitive multi-tenant dashboard

MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. SpamTitan is also a set and forget solution, requiring minimal IT service intervention.

Industry-leading customer support

TitanHQ provides the best customer service in the industry. MSPs benefit from world class pre-sales and technical support and sales & technical training. MSPs get a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.

If you have not yet started offering SpamTitan to your clients, give the TitanHQ channel team a call today for more information, to get started on a free trial, or for a product demonstration.

Colonial Pipeline Ransomware Attack Started with a Compromised Password

In April 2021, hackers gained access to the network of Colonial Pipeline and deployed ransomware that forced the shutdown of a fuel pipeline system serving the Eastern Seaboard of the United States. With fuel supplies threatened, there was panic buying of fuel by Americans on the East Coast which led to local fuel shortages. Gasoline prices rose to their highest level in more than 6 years, and stockpiles of gasoline on the East Coast fell by 4.6 million barrels.

The attack has been attributed to the DarkSide ransomware-as-a-service operation, which has since shut down. Prior to the shutdown, Colonial Pipeline paid a $4.4 million ransom for the keys to unlock the encrypted files. The decision to pay the ransom was made because of the threat to fuel supplies. Colonial Pipeline supplied 45% of fuel to the East Coast, and while paying the attackers was a difficult decision, payment was made due to the threat to fuel supplies given how long it was likely to take to recover without the attacker-supplied decryption keys.

Such a major attack on a critical infrastructure firm should have been difficult; however, an investigation into the cyberattack revealed gaining access to the company’s computer system couldn’t have been simpler. The attackers used a compromised password to remotely access Colonial Pipeline’s systems, and that account was not protected with multi-factor authentication.

The password was for a virtual private network account, according to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation. The account was not in use, but it was still possible to use the login credentials to access Colonial Pipeline’s network.

It is not known how the hackers obtained the password. The password has since been found in a database of breached passwords that was leaked on the dark web. It is possible that an individual had set a password for the account that had been used on another account that had been breached. It is common for passwords from data breaches to be attempted in brute force attacks as password reuse is common. Passwords are also often obtained in phishing attacks.

Mandiant looked for evidence of how the password was obtained by the hackers. The researchers found no signs of attacker activity before April 29, 2021, nor any evidence of phishing. How the password was obtained and the username determined may never be known.

What is clear is that the attack could have easily been prevented had cybersecurity best practices been followed such as conducting audits of accounts and shutting down accounts that are no longer in use, setting unique, complex passwords for each account, implementing multi-factor authentication to stop compromised passwords from being used, and implementing an effective anti-spam solution to block phishing emails.

Webinar June 30, 2021: How to Reduce the Risk of Phishing and Ransomware Attacks

The two main cybersecurity threats that businesses now have to deal with are phishing and ransomware attacks and those threats have become even more common over the past 12 months. Cybercriminals stepped up their attacks during the pandemic with many phishing campaigns launched using the novel coronavirus as a lure. These campaigns sought to distribute malware and steal credentials.

Ransomware attacks also increased in 2020. Several new ransomware-as-a-service (RaaS) operations were launched in 2020 and the number of attacks on businesses soared. In addition to encrypting files, data theft was also highly prevalent in 2020, with most ransomware operators stealing data prior to encrypting files. This double extortion tactic proved to be very effective. Many businesses were forced to pay the ransom even though they had backups and could have recovered their files. Payments were made to ensure data stolen in the attack was deleted and not misused, published, or sold.

Phishing and ransomware attacks often go hand in hand and are frequently used together in the same attack. Phishing emails are used to install malware, which in turn is used to provide access for ransomware gangs. The Emotet and TrickBot Trojans are notable examples. Operators of both of those Trojans teamed up with ransomware gangs and sold access once they had achieved their own objectives. The credentials stolen in phishing attacks are also sold on to RaaS affiliates and provide the foothold they need to conduct their devastating attacks.

Phishing campaigns are easy to conduct, low cost, and they can be very effective. Largescale campaigns involve millions of messages, and while most of those emails will be blocked by email security solutions or will be identified by employees as a threat, all it takes is for one employee to respond to a phishing email for an attacker to gain the access they need.

TitanHQ recently partnered with Osterman Research to explore how these and other cyber threats have affected businesses over the past 12 months. This new and original study involved an in-depth survey of security professionals to find out how those threats have affected their organization and how effective their defenses are at repelling attackers.

The survey showed the most common security incidents suffered by businesses were business email compromise (BEC) attacks, where employees are tricked into taking an action suggested in a scam email from the CEO, CFO or another high-level executive. These attacks often involve the genuine email account of an executive being compromised in a phishing scam and the attacker using that account to target employees in the same organization.

The next biggest threat was phishing emails that resulted in a malware infection, followed by phishing messages that stole credentials and resulted in an account compromise. The survey showed that these attacks are extremely common. 85% of interviewed security professionals said they had experienced one or more of 17 different types of security breaches in the past 12 months. While attacks were common, only 37% of respondents said their defenses against phishing and ransomware attacks were highly effective.

There are several steps that can be taken to improve defenses against phishing and ransomware attacks. End user training is important to teach employees what to look for and how to identify these types of threats. However, there is always potential for human error, so training alone is not the answer. Email security is the best defense. By blocking these threats at source, they will not land in inboxes and employees will not be tested. Email security should be combined with a web security solution to block the web-based component of phishing attacks and stop malware and ransomware downloads from the Internet.

The findings of the Osterman and TitanHQ survey will be explained in detail at an upcoming webinar on June 30, 2021. Attendees will also learn how they can significantly reduce the risk of ransomware and phishing attacks.

The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research, and Sean Morris, Chief Technology Officer at TitanHQ. You can register your place here.

How Can MSPs Make Office 365 More Profitable?

Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.

Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.

Benefits for MSPs from Offering Office 365 to Clients

SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.

MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.

MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage, so MSPs stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.

By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.

How MSPs Can Make Office 365 More Profitable

The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.

The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.

One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.

Phishing is the number one security threat faced by businesses, and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, but by blocking phishing attacks and malware at source they can also save a considerable amount of time on support. Offering spam filtering can help to generate additional recurring revenue, with SpamTitan provided as a high margin, subscription based SaaS solution.

There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, improves efficiency, and gives clients access to emails from any location. Email archiving is available with Office 365, but the solution has some severe drawbacks and may not meet compliance requirements. Offering a feature-rich email archiving solution that is fully compliant, easy to use, with lightning fast search and retrieval should be an easy sell to Office 365 users.

Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself and should not be too difficult to sell to Office 365 users.

Office 365 MSP Add-ons from TitanHQ

For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ Alliance Program.

All TitanHQ solutions have been developed from the ground up to meet the needs of the SMB marketplace and MSPs. TitanHQ's spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs' security stacks to make Office 365 more profitable. All TitanHQ solutions are quick and easy to deploy, and can be implemented into your existing service stack through APIs and RMM integrations. The MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. MSPs benefit from competitive pricing strategies, including monthly billing, as we understand your clients are billed monthly.

There are multiple hosting options, including hosting the solution within your own data center, and all TitanHQ products can be supplied as a white label, ready to take your own branding. We have made our solutions as easy as possible to use, with intuitive controls and everything placed at your fingertips. However, should you ever have a problem, you will benefit from the best customer service in the industry, as well as scalable pre-sales and technical support and sales & technical training.

Why SpamTitan is Perfect for MSPs

  • The best spam and virus protection for MSPs with dual AV engines and Bitdefender-powered sandboxing
  • Low management overhead – A set and forget solution
  • Use our private cloud or your own data center
  • Extensive suite of APIs for integration into your central management system
  • Multi-tenant solution with multiple management roles
  • Scalable to thousands of users
  • Inbound and outbound email scanning with IP domain protection
  • Extensive drill down reporting
  • Flexible pricing models to suit your needs, including monthly billing
  • Generous margins for MSPs
  • Fully customizable branding

TitanSHIELD Program for MSPs

To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:

TitanSHIELD Benefits

Partner Support

  • Dedicated Account Manager
  • Assigned Sales Engineer Support
  • Access to Global Partner Program Hotline
  • Access to Partner Knowledge Base
  • Technical Support
  • 24/7 Priority Technical Support
  • 5 a.m. to 5 p.m. (PST) Technical Support
  • Online Technical Training and FAQs
  • Access to Partner Technical Knowledge Base
  • Access to Partner Support

Sales Enablement

  • Private or Public Cloud deployment
  • White Label or Co-branding
  • API integration
  • Free 30-day evaluations
  • Product Discounts
  • Competitive upgrades
  • Tiered Deal Registration
  • Renewal Protection
  • Advanced Product Information
  • Competitive Information and Research
  • Not-for-Resale (NFR) Key
  • Product Brochures and Sales Tools
  • Partner Advisory Council Eligibility
  • Quarterly Business Planning and Review

Marketing

  • Access to the Partner Portal
  • Co-Branded Evaluation Site
  • Social Network participation
  • Joint PR
  • Joint White Papers
  • Partner Events and Conferences
  • TitanHQ Newsletter
  • Better Together Webinars
  • Partner Certificate – Sales and technical
  • Sales Campaigns in a box
  • Public Relations Program and Customer Testimonials
  • TitanHQ Corporate Style Guide and Logo Usage
  • TitanHQ Partner Welcome Kit
  • Access to TitanHQ's MVP Rewards Program

To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ Alliance Program team today and take the first step toward making Office 365 more profitable.

UK Universities and Schools Increasingly Targeted by Ransomware Gangs

Ransomware attacks on the education sector in the United Kingdom have increased sharply since February, and the sector was already extensively targeted by threat groups long before then. The education sector is an attractive target for cybercriminals as sizeable amounts of sensitive data are stored within computer systems that can be easily monetized if stolen.

Students’ personally identifiable information is of more value than that of adults, and it can often be used for years before any fraud is detected. Higher education institutions often have intellectual property and research data that is incredibly valuable and can easily be sold on for a huge profit. Ransomware attacks prevent access to essential data, and with the pandemic forcing the education sector to largely switch to online learning, when communication channels and websites are taken out of action learning can grind to a halt.

In the United Kingdom, the reopening of schools and universities has only been possible with COVID-19 testing and contact tracing, which is also disrupted by ransomware attacks. Files are encrypted which prevents access to essential testing and monitoring data, further hampering the ability of schools, colleges, and universities to operate.

As is the case with healthcare, which has also seen a major increase in cyberattacks during the pandemic, services are majorly disrupted without access to computer systems, and there is considerable pressure on both industries to pay the ransom demands to recover from the attacks more quickly. Ransoms are more likely to be paid than in other industry sectors.

What makes the education sector an even more attractive prospect for cybercriminals is poorer security defenses than other industries. The lack of security controls makes attacks much more likely to succeed. On top of that, students often use their own devices to connect to networks so security can be very difficult to police, and many departments make their own IT decisions, which can easily result in vulnerabilities being introduced and remaining unaddressed.

The ease and profitability of attacks has made education a top target for ransomware gangs. Emsisoft reports education was the sector most targeted by ransomware gangs in 2020.

The increase in ransomware attacks on educational institutions in the United Kingdom prompted the UK's National Cyber Security Centre (NCSC) to issue a warning in March to all entities in the education sector about the risk of cyberattacks. The NCSC noted in its alert that there was a significant increase in attacks in August and September 2020, and a further rise in attacks since February 2021.

University of Hertfordshire Suffers Major Cyberattack

One of the most damaging university cyberattacks in recent months occurred at the University of Hertfordshire. Late on April 14, cybercriminals struck, with the attack impacting all of the university’s systems. No cloud systems were available, nor MS Teams, Canvas, or Zoom. The attack forced the university to cancel all of its online classes for the following day, although in person teaching was able to continue provided computer access was not necessary.

It has been more than a week since the attack, and while some systems are now back online, disruption is still being experienced with student records, university business services, learning resource centre services, data storage, student services, staff services, and the postgraduate application portal, with the email system also considered to be at risk.

The university has not confirmed the nature of the attack, but it has the hallmarks of a ransomware attack, although the university has issued a statement stating that the attack did not involve data theft.

The University of Hertfordshire is certainly not alone. In March, South and City College of Birmingham was hit with a ransomware attack that took all of its computer systems out of action, with the college forced to switch to online learning for its 13,000 students.

UK Schools also Under Attack

The cyberattacks in the United Kingdom have not been limited to universities. School systems have also suffered more than their fair share of attacks. In March, the Harris Federation, which runs 50 schools in the UK, suffered a ransomware attack that took out communications systems and majorly affected online learning for 37,000 students.

Also in March, the Nova Education Trust suffered a ransomware attack that took its systems out of action and affected 15 schools, all of which lost access to their communication channels including the phone system, email, and websites. The Castle School Education Trust also suffered a ransomware attack in March that disrupted the online functions of 23 schools.

What Can Be Done to Stop Cyberattacks in Education?

Cybersecurity must become a major focus for schools, colleges, and universities. The attacks are being conducted because they are easy and profitable and, until that changes, the attacks are not likely to slow and, in all likelihood, will continue to increase.

To protect against attacks, the education sector needs to implement multi-layered security defenses and find and address vulnerabilities before they are discovered by ransomware gangs and other cybercriminal operations.

The best place to start is by improving security for the two main attack vectors: email and the Internet. That is an area where TitanHQ can help. To find out more, get in touch with the TitanHQ team today and take the first step towards improving your security posture and better protecting your networks and endpoints from extremely damaging cyberattacks.

Saint Bot Malware: A New Malware Dropper Being Distributed via Phishing Emails

A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.

Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.

The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender and the Saint Bot malware binary.

The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.

The malware has not been linked with any specific threat group and could well be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.

Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.
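The lure described above arrives as a zip holding a text file and a LNK shortcut, so a gateway or analyst script can refuse such archives before any PowerShell runs. This is an added example, not TitanHQ or Malwarebytes code; the archive contents, file names and LNK header bytes it builds in memory are constructed for the demonstration.

```python
"""Triage of zip attachments shaped like the Saint Bot lure (constructed example).

Added example, not TitanHQ or Malwarebytes code. It builds small archives in
memory that mirror the lure (instructions text plus a .lnk shortcut), then
scores every entry by extension and by the Windows ShellLink header bytes,
so renamed shortcuts are caught as well. All sample data is constructed.
"""
import io
import zipfile

# Script, shortcut and executable types that should not arrive in a "wallet" zip.
HIGH_RISK_EXT = {".lnk", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1", ".exe", ".scr", ".hta"}
# ShellLink header: HeaderSize 0x4C (little-endian) followed by the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def _looks_like_lnk(head: bytes) -> bool:
    return head[:len(LNK_MAGIC)] == LNK_MAGIC


def triage_zip(zip_bytes: bytes) -> dict:
    """Return {"verdict": "quarantine"|"allow", "findings": [(entry, reason), ...]}.

    An entry is reported for a high-risk extension, for a double extension that
    disguises it (wallet.txt.lnk), or for LNK header bytes under a harmless
    extension. Archives that cannot be parsed are quarantined rather than passed.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return {"verdict": "quarantine", "findings": [("<archive>", "unparseable zip")]}
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_ext = "." + parts[-2] if len(parts) > 2 else ""
            if ext in HIGH_RISK_EXT:
                findings.append((name, f"high-risk extension {ext}"))
                if inner_ext:
                    findings.append((name, f"double extension disguised as {inner_ext}"))
            # Content check: a shortcut renamed to .txt still carries the LNK header.
            with archive.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if _looks_like_lnk(head) and ext != ".lnk":
                findings.append((name, "LNK signature under a non-.lnk extension"))
    return {"verdict": "quarantine" if findings else "allow", "findings": findings}


def _zip_of(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_lure() -> bytes:
    """Constructed stand-in for the lure. The shortcut body is only the header
    plus filler bytes; it contains no command."""
    return _zip_of({
        "instructions.txt": "Open the wallet file to access your bitcoin.\n",
        "bitcoin_wallet.lnk": LNK_MAGIC + b"\x00" * 64,
    })


def build_renamed_sample() -> bytes:
    """Constructed: the same shortcut bytes hidden under a .txt name."""
    return _zip_of({"wallet.txt": LNK_MAGIC + b"\x00" * 64})


def build_benign_sample() -> bytes:
    return _zip_of({"invoice.txt": "plain text only\n"})


if __name__ == "__main__":
    for sample in (build_sample_lure(), build_renamed_sample(), build_benign_sample()):
        print(triage_zip(sample))
```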

In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and condition them to respond correctly when a potential threat is detected.

How SpamTitan Can Protect Against Phishing and Malware Attacks

SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.

SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.

SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.

SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, and G2 Crowd and has won no fewer than 37 consecutive Virus Bulletin Spam awards.

If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.

IcedID Malware Distribution Increases Using Phishing Emails and Hijacked Web Forms

Threat actors are constantly changing their tactics, techniques, and procedures (TTPs) to increase the chances of getting their malicious payloads delivered. Spam and phishing emails are still the most common methods used for delivering malware, with the malicious payloads often downloaded from the web via hyperlinks embedded in emails.

A new tactic that has been adopted by the threat group behind the IcedID banking Trojan turned malware downloader involves hijacking contact forms on company websites. Contact forms are used on most websites to allow individuals to register interest. These contact forms typically have CAPTCHA protections which limit their potential for use in malicious campaigns, as they block bots and require each contact request to be submitted manually.

However, the threat actors behind the IcedID banking Trojan have found a way of bypassing CAPTCHA protections and have been using contact forms to deliver malicious emails. The emails generated by contact forms will usually be delivered to inboxes, as the contact forms are trusted and are often whitelisted, which means email security gateways will not block any malicious messages.

In this campaign, the contact forms are used to send messages threatening legal action over a copyright violation. The messages submitted claim the company has used images on its website that have been added without the image owner’s permission. The message threatens legal action if the images are not immediately removed from the website, and a hyperlink is provided in the message to Google Sites that contains details of the copyrighted images and proof they are the intellectual property of the sender of the message.

Clicking the hyperlink to review the supplied evidence will result in the download of a zip file containing an obfuscated .js downloader that will deliver the IcedID payload. Once IcedID is installed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.
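Because contact-form messages are relayed with a trusted sender, the check for this lure belongs in the form handler or relay step rather than in the inbox. The scorer below is an added example, not TitanHQ code or the IcedID research tooling; it flags the traits described above (legal or copyright threat language, a demand to review "proof", a link to Google Sites), and the sample submissions, addresses and link path are constructed.

```python
"""Scoring web contact-form submissions for the copyright-threat lure (constructed example).

Added example, not TitanHQ code. Each submission is scored on the traits the
campaign above relies on; a score at or above HOLD_THRESHOLD is held for
review instead of being relayed to the company mailbox. Sample submissions,
email addresses and the Google Sites path are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LEGAL_TERMS = ("copyright", "legal action", "infringement", "intellectual property", "lawsuit", "dmca")
LURE_TERMS = ("proof", "evidence", "download", "click")
# Free hosting used by the campaign above; a genuine enquiry rarely links here.
SUSPECT_LINK_HOSTS = ("sites.google.com",)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
HOLD_THRESHOLD = 4


@dataclass
class FormSubmission:
    sender_email: str
    subject: str
    body: str


def score_submission(sub: FormSubmission) -> tuple[int, list[str]]:
    """Return (score, reasons). The link to a suspect host weighs most, since
    the lure depends on the recipient clicking through to the 'evidence'."""
    text = f"{sub.subject}\n{sub.body}".lower()
    score, reasons = 0, []
    legal_hits = [t for t in LEGAL_TERMS if t in text]
    if legal_hits:
        score += 2
        reasons.append("legal/copyright threat: " + ", ".join(legal_hits))
    lure_hits = [t for t in LURE_TERMS if t in text]
    if lure_hits:
        score += 1
        reasons.append("call to review/download: " + ", ".join(lure_hits))
    hosts = {h.lower() for h in URL_RE.findall(sub.body)}
    for host in sorted(hosts):
        if host in SUSPECT_LINK_HOSTS:
            score += 3
            reasons.append(f"link to suspect host {host}")
    if legal_hits and hosts:
        # A legal notice whose only "proof" is an external link is the lure's shape.
        score += 1
        reasons.append("legal threat combined with external link")
    return score, reasons


def triage(subs: list[FormSubmission], threshold: int = HOLD_THRESHOLD) -> list[dict]:
    """Decide hold/relay for each submission; held items go to a review queue."""
    out = []
    for sub in subs:
        score, reasons = score_submission(sub)
        out.append({"sender": sub.sender_email,
                    "verdict": "hold" if score >= threshold else "relay",
                    "score": score, "reasons": reasons})
    return out


# Constructed samples: one shaped like the campaign above, one genuine enquiry.
SAMPLES = [
    FormSubmission(
        "legal.notice@example.com",  # constructed address
        "Copyright violation on your website",
        "Your site uses my images without permission. Remove them at once or I will "
        "take legal action. Proof of ownership: https://sites.google.com/view/CONSTRUCTED-PATH",
    ),
    FormSubmission(
        "buyer@example.org",  # constructed address
        "Quote request",
        "Hello, could you send pricing for 20 seats? Our site is https://www.example.org/.",
    ),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```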

IcedID distribution has increased in recent weeks, not only via this method but also via phishing emails. A large-scale phishing campaign is underway that uses a variety of business-themed lures in phishing emails with Excel attachments that have Excel 4 macros that deliver the banking Trojan.

The increase in IcedID malware distribution is likely part of a campaign to infect large numbers of devices to create a botnet that can be rented out to other threat groups under the malware-as-a-service model. Now that the Emotet botnet has been taken down, which was used to deliver different malware and ransomware variants, there is a gap in the market and IcedID could be the threat that takes over from Emotet. In many ways the IcedID Trojan is very similar to Emotet and could become the leading malware-as-a-service offering for delivering malware payloads.

To find out how you can protect your business against malware and phishing threats at a reasonable price, give the TitanHQ team a call today and discover for yourself why TitanHQ email and web security solutions consistently get 5-star ratings from users for protection, price, ease of use, and customer service and support.

Attack on California State Controller Serves as Warning for All Businesses on Phishing Threat

A phishing attack on an employee of the California State Controller’s Office Unclaimed Property Division highlights how a single response from an employee to a phishing email could easily result in a massive breach. In this case, the phishing attack was detected promptly, with the attacker only having access to an employee’s email account for less than 24 hours from March 18.

In the 24 hours that the attacker had access to the email account, the contents of the account could have been exfiltrated. Emails in the account included unclaimed property holder reports. Those reports included names, dates of birth, addresses, and Social Security numbers – the type of information that could be used to steal identities.

The email that fooled the employee into clicking a link and disclosing login credentials appeared to have been sent from a trusted outside entity, which is why the email was assumed to be legitimate. After stealing the employee’s credentials undetected, the attacker immediately went to work and tried to compromise the email accounts of other state workers.

In the short time that the individual had access to the account, around 9,000 other state workers were sent phishing emails from the compromised account. Fortunately, the attack was detected promptly and all contacts were alerted about the phishing emails and told to delete the messages. That single compromised account could easily have led to a massive email account breach.

Phishing is now the biggest data security threat faced by businesses. The attacks are easy to conduct, require little skill, and can be extremely lucrative. Email accounts often contain a treasure trove of data that can be easily monetized, the accounts can be used to send further phishing emails internally and to external contacts and customers, and a breach of Microsoft 365 credentials could allow a much more extensive attack on a company. Many ransomware attacks start with a single response to a phishing email.

To improve protection against phishing attacks it is important to train the workforce how to identify phishing emails, teach cybersecurity best practices, and condition employees to stop and think before taking any action requested in emails. However, phishing attacks are often highly sophisticated and the emails can be difficult to distinguish from genuine email communications. As this phishing attack demonstrates, emails often come from trusted sources whose accounts have been compromised in previous phishing attacks.

What is needed is an advanced anti-phishing solution that can detect these malicious emails and prevent them from being delivered to employee inboxes. The solution should also include outbound email scanning to identify messages sent from compromised email accounts.
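The outbound check described above can be approximated from mail-log data alone: one account sending to thousands of recipients within hours looks nothing like its normal traffic. The detector below is an added example, not TitanHQ or SpamTitan code; it assumes a constructed log line format of "<ISO timestamp> from=<sender> to=<recipient>", and the addresses, timestamps and thresholds are constructed.

```python
"""Flagging a compromised mailbox by its outbound sending burst (constructed example).

Added example, not TitanHQ or SpamTitan code. It parses constructed outbound
mail-log lines, keeps a sliding time window of sends per sender, and raises an
alert when an account exceeds a message rate or a distinct-recipient count that
normal users do not reach. Log format, addresses and thresholds are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+)$")


def parse_line(line: str) -> tuple[datetime, str, str] | None:
    """Return (timestamp, sender, recipient), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return ts, m.group(2).lower(), m.group(3).lower()


def find_bursts(lines: list[str], max_msgs: int = 20,
                window: timedelta = timedelta(minutes=10),
                max_recipients: int = 200) -> dict[str, dict]:
    """Return {sender: alert} for the first threshold each sender crosses.

    The rate check is a sliding window over the last `window` of time; the
    recipient check is cumulative over the log, which suits a daily log file.
    Events are sorted by timestamp first, so out-of-order input is tolerated.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[0])
    recent: dict[str, deque] = defaultdict(deque)
    recipients: dict[str, set] = defaultdict(set)
    alerts: dict[str, dict] = {}
    for ts, sender, rcpt in events:
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:       # drop sends older than the window
            q.popleft()
        recipients[sender].add(rcpt)
        if sender in alerts:                  # report each account once
            continue
        if len(q) > max_msgs:
            alerts[sender] = {"reason": "rate", "at": ts.isoformat(), "count": len(q)}
        elif len(recipients[sender]) > max_recipients:
            alerts[sender] = {"reason": "recipients", "at": ts.isoformat(),
                              "count": len(recipients[sender])}
    return alerts


def build_sample_log() -> list[str]:
    """Constructed log: one normal sender and one account sending a burst."""
    base = datetime(2021, 3, 18, 9, 0, 0)
    lines = []
    for i in range(5):   # normal: five messages over an hour, three recipients
        ts = base + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} from=normal@example.org to=peer{i % 3}@example.net")
    for i in range(30):  # burst: thirty messages in three minutes, all distinct recipients
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} from=compromised@example.org to=contact{i}@example.net")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for sender, alert in find_bursts(build_sample_log()).items():
        print(sender, alert)
```

With the window and thresholds used here the burst account is reported at its 21st message, two minutes into the burst, while the normal sender never accumulates more than one message per window.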

SpamTitan offers protection against these phishing attacks. All incoming emails are subjected to deep analysis using a plethora of detection mechanisms. Machine learning technology is used to identify phishing emails that deviate from typical emails received by employees, and outbound scanning can identify compromised email accounts and block outbound phishing attacks on company employees and contacts.

If you want to improve your defenses against phishing, give the SpamTitan team a call today to find out more. The full product is available on a free trial, and during the trial you will have full access to the product support team, who will help you get the most out of your trial.

Pysa Ransomware Gang Targeting Education Sector

Throughout 2020 the healthcare sector has been a major target of ransomware gangs, but the education sector is also facing an increase in attacks, with the Pysa (Mespinoza) ransomware gang now targeting the education sector.

Pysa ransomware is a variant of Mespinoza ransomware that was first observed being used in attacks in October 2019. The threat group behind the attacks, like many other ransomware threat groups, uses double extortion tactics on victims. Files are encrypted and a ransom demand is issued for the keys to decrypt files, but to increase the probability of the ransom being paid, data is exfiltrated prior to file encryption. The gang threatens to monetize the stolen data on the darkweb if the ransom is not paid. Many attacked entities have been forced to pay the ransom demand, even when they have backups, in order to prevent the sale of their data.

Since October 2019, the Pysa ransomware gang has targeted large companies, the healthcare sector, and local government agencies, but there has been a recent increase in attacks on the education sector. Attacks have been conducted on K-12 schools, higher education institutions, and seminaries, with attacks occurring in 12 U.S. states and the United Kingdom. The rise in attacks prompted the FBI to issue a Flash Alert in March 2020 warning the education sector about the increased risk of attack.

Analyses of attacks revealed the gang conducts network reconnaissance using open source tools such as Advanced Port Scanner and Advanced IP Scanner. Tools such as PowerShell Empire, Koadic, and Mimikatz are used to obtain credentials, escalate privileges, and move laterally within networks. The gang identifies and exfiltrates sensitive data before delivering and executing the ransomware payload. The types of data stolen are those that can be used to pressure victims into paying and can easily be monetized on the darkweb.

Identifying a Pysa ransomware attack in progress is challenging, so it is essential for defenses to be hardened to prevent initial access. Several methods have been used to gain access to networks, although in many cases it is unclear how the attack started. In attacks on French companies and government agencies, brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have involved exploitation of Remote Desktop Protocol vulnerabilities, and the gang is also known to use spam and phishing emails to obtain credentials to get a foothold in networks.

Since several methods are used for gaining access, there is no single solution that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to harden their defenses.

An antivirus/antimalware solution is a must, as is keeping it up to date. Since many attacks start with a phishing email, an advanced email security gateway is also important. Choosing a solution such as SpamTitan that incorporates dual AV engines and sandboxing will maximize the chance of detecting malicious emails. SpamTitan also incorporates machine learning methods to identify new types of email attack.

End user training is also important to teach staff how to identify potentially malicious emails and train them on cybersecurity best practices such as setting strong passwords, not reusing passwords, and the dangers of using public Wi-Fi networks. Also consider disabling hyperlinks in emails, flagging emails that arrive from external sources, and implementing multi-factor authentication on accounts.

Patches and security updates should be applied promptly after they have been released to prevent vulnerabilities from being exploited. You should apply the principle of least privilege to accounts, restrict the use of administrative accounts as far as possible, and segment networks to limit the potential for lateral movement. You should also be scanning your network for suspicious activity and configure alerts to allow any potential infiltration to be rapidly identified. All unused RDP ports should be closed, and a VPN used for remote access.

It is essential for backups to be made of all critical data to ensure that file recovery is possible without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored securely on an air-gapped device.

TitanHQ Wins 3 Experts Insights’ 2021 Best-Of Awards

TitanHQ has been recognized for its email security, web security, and email archiving solutions, collecting not one, not two, but three prestigious awards from Expert Insights.

Expert Insights was launched in 2018 to help businesses find cybersecurity solutions to protect their networks and devices from an ever-increasing number of cyber threats. Researching cybersecurity solutions can be a time-consuming process, and the insights and information provided by Expert Insights considerably shortens that process. Unlike many resources highlighting the best software solutions, Expert Insights includes ratings from verified users of the products to give users of the resource valuable insights about how easy products are to use and how effective they are at blocking threats. Expert Insights has helped more than 100,000 businesses choose cybersecurity solutions and the website is visited by more than 40,000 individuals a month.

Each year, Expert Insights recognizes the best and most innovative cybersecurity solutions on the market in its “Best-Of” Awards. The editorial team at Expert Insights assesses vendors and their products on a range of criteria, including technical features, ease-of-use, market presence, and reviews by verified users of the solutions. Each product is assessed by technology experts to determine the winners in a broad range of categories, including cloud, email, endpoint, web, identity, and backup security.

“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Craig MacAlpine, CEO and Founder, Expert Insights. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”

Three TitanHQ cybersecurity solutions were selected and named winners in the Expert Insights’ 2021 “Best-Of” Awards in the Email Security Gateway, Web Security, and Email Archiving categories. SpamTitan was named winner in the Email Security Gateway category, WebTitan won in the Web Security category, and ArcTitan was named a winner in the Email Archiving category. SpamTitan and WebTitan were praised for the level of protection provided, while being among the easiest to use and most cost-effective solutions in their respective categories.

All three products are consistently praised for the level of protection provided and are a big hit with enterprises, SMBs, and MSPs. The solutions attract many 5-star reviews from real users on the Expert Insights site and many other review sites, including Capterra, GetApp, Software Advice, Google Reviews, and G2 Crowd. The cybersecurity solutions are now used by more than 8,500 businesses and over 2,500 MSPs.

“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”

Most Ransomware Attacks Start with a Phishing Email

Ransomware attacks in 2020 were conducted at twice the rate of the previous year, with many organizations falling victim and having to pay large ransoms to recover their data or risk sensitive information being published or sold to cybercriminal organizations.

At the start of 2020, data exfiltration prior to the deployment of ransomware was still only being conducted by a small number of ransomware gangs, but that soon changed as the year progressed. By the end of the year, at least 17 cybercriminal gangs were using this double extortion tactic and were stealing sensitive data prior to encrypting files. Faced with the threat of publication of sensitive data, many attacked organizations felt they had little alternative other than to pay the ransom demand.

The extent of ransomware attacks in 2020 has been highlighted by various studies by cybersecurity researchers over the past few weeks. Chainalysis recently released a report that suggests more than $350 million has been paid to cybercriminals in 2020 alone, based on an analysis of the transactions to blockchain addresses known to be used by ransomware threat groups. Of course, that figure is likely to be far lower than the true total, as many companies do not disclose that they have suffered ransomware attacks. To put that figure into perspective, a similar analysis in 2019 estimated the losses to be around $90 million. Those figures are for ransom payments alone, not the cost of resolving attacks, which would be several orders of magnitude higher.

The increase in attacks can be partly attributed to the change in working practices due to the pandemic. Many companies switched from office-based working to a distributed remote workforce to prevent the spread of COVID-19 and keep their employees protected. The rapid change involved hastily implementing remote access solutions to support those workers which introduced vulnerabilities that were readily exploited by ransomware gangs.

Most Ransomware Attacks Now Start with Phishing

Throughout 2020, phishing was commonly used as a way to gain access to corporate networks, accounting for between 25% and 30% of all ransomware attacks, but new data released by the ransomware attack remediation firm Coveware shows the attack methods changed in the last quarter of 2020. As companies and organizations addressed vulnerabilities in remote access solutions and VPNs and improved their defenses, phishing became the most common attack method. Coveware’s analysis shows that in the final quarter of 2020, more than 50% of ransomware attacks started with a phishing email.

Ransomware can be delivered directly through phishing emails, although it is more common to use intermediary malware. The most commonly used malware variants for distributing ransomware are Trojans such as Emotet and TrickBot, both of which are extensively delivered via phishing emails. These malware variants are also capable of self-propagating and spreading to other devices on the network.

Access to compromised devices is then sold to ransomware gangs, who access the devices, steal sensitive data, then deploy their ransomware payload. The Emotet botnet played a large role in ransomware attacks in 2020, and while it has now been disrupted following a joint law enforcement operation, other malware variants are certain to take its place.

The same report also highlighted the nature of businesses attacked with ransomware. Far from the gangs targeting large enterprises with deep pockets, most attacks are on small- to medium-sized businesses with under 250 employees. 30.2% of attacks were on businesses with between 11 and 100 employees, with 35.7% on businesses with 101 to 1,000 employees. Healthcare organizations, professional services firms, and financial services companies have all been targeted and commonly fall victim to attacks, although no sector is immune.

70% of ransomware attacks now involve data theft prior to encryption, so even if backups exist and can be used to restore data, it may not be possible to avoid paying the ransom. There is also a growing trend for data to be permanently deleted, which leaves businesses with no way of recovering data after a ransomware attack.

Steps to Take to Block Ransomware Attacks

What all businesses and organizations need to do is to make it as hard as possible for the attacks to succeed. While there is no single solution for blocking ransomware attacks, there are measures that can be taken that make it much harder for the attacks to succeed.

With most ransomware attacks now starting with a phishing email, an advanced email security solution is a must. By deploying best-of-breed solutions such as SpamTitan to proactively protect the Office 365 environment, it will be much easier to block threats than by simply relying on Office 365 anti-spam protections, which are commonly bypassed to deliver Trojans and ransomware.

A web filtering solution can provide protection against ransomware delivered over the internet, including via links sent in phishing emails. Multi-factor authentication should be implemented for email accounts and cloud apps, employees should be trained how to identify threats, and monitoring systems should be implemented to allow attacks in progress to be detected and mitigated before ransomware is deployed.

Easy to Implement Anti-Phishing Solutions for MSPs

To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.

Phishing is the Number One Cyber Threat Faced by SMBs

Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.

Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised. Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.

The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.

Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.

Easy to Implement Anti-Phishing Solutions for MSPs

There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.

MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs' anti-phishing offerings?

Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or as part of an anti-phishing security package.

Advanced Spam Filtering

Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.

SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy-to-use interface. The solution supports per-domain administrators, each able to manage elements of their own email, such as searches and the release of messages from the quarantine folder. Reports can be generated per domain, and those reports can be scheduled and automatically sent to clients. The solution can be fully rebranded to carry an MSP's logo and color scheme, and it can be hosted in TitanHQ's private cloud or within your own data center.

Security Awareness Training and Testing

While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.

DNS-Based Web Filtering

Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.

A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS level, before any content is downloaded. When an employee clicks a link in a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, these web filters are easy to implement and no appliances are required.

WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.

Key Product Features of SpamTitan and WebTitan for MSPs

  • Easy to manage: There is a low management overhead. SpamTitan and WebTitan are set-and-forget solutions. We handle all the updates and are constantly protecting against new threats globally, in real time.
  • Scalability: Regardless of your size you can deploy the solution within minutes. SpamTitan and WebTitan are scalable to thousands of users.
  • Extensive API: MSPs are provided with API integration to provision customers through their own centralized management system, along with a growth-enabling licensing program with usage-based pricing and monthly billing.
  • Hosting Options: SpamTitan and WebTitan can be deployed as a cloud-based service hosted in the TitanHQ cloud, as a dedicated private cloud, or in the service provider’s own data center.
  • Extensive drill down reporting: Integration with Active Directory allows detailed end user reporting. Comprehensive reports can be created on demand or via the scheduled reporting options.
  • Support: World class support – we are renowned for our focus on supporting customers.
  • Tried & Tested: TitanHQ solutions are used by over 1500 Managed Service Providers worldwide.
  • Rebrandable: Rebrand the platform with your corporate logo and corporate colors to reinforce your brand or to resell it as a hosted service.

TitanSHIELD Program for MSPs

To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanSHIELD MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:

TitanSHIELD Benefits

Partner Support
  • Dedicated Account Manager
  • Assigned Sales Engineer
  • Access to Global Partner Program Hotline
  • Access to Partner Knowledge Base
  • Technical Support
  • 24/7 Priority Technical Support
  • 5 a.m. to 5 p.m. (PST) Technical Support
  • Online Technical Training and FAQs
  • Access to Partner Technical Knowledge Base

Sales Enablement
  • Private or Public Cloud deployment
  • White Label or Co-branding
  • API integration
  • Free 30-day evaluations
  • Product Discounts
  • Competitive upgrades
  • Tiered Deal Registration
  • Renewal Protection
  • Advanced Product Information
  • Competitive Information and Research
  • Not-for-Resale (NFR) Key
  • Product Brochures and Sales Tools
  • Partner Advisory Council Eligibility
  • QTRLY Business Planning and Review
  • Access to Partner Support

Marketing
  • Access to the Partner Portal
  • Co-Branded Evaluation Site
  • Social Network participation
  • Joint PR
  • Joint White Papers
  • Partner Events and Conferences
  • TitanHQ Newsletter
  • Better Together Webinars
  • Partner Certificate – Sales and technical
  • Sales Campaigns in a box
  • Public Relations Program and Customer Testimonials
  • TitanHQ Corporate Style Guide and Logo Usage
  • TitanHQ Partner Welcome Kit
  • Access to TitanHQ’s MVP Rewards Program

For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanSHIELD program.


Code Injection Technique Used to Obtain Data from Within PDF Files

Recently, a new technique has been identified that is being used by hackers to conduct cross-site scripting attacks from within PDF files.

PDF files have long been used by hackers for phishing attacks and malware delivery. Oftentimes, emails are sent with PDF file attachments that contain hyperlinks to malicious websites. By adding these links into the files rather than the body of the email message, it is harder for security solutions to identify those malicious links.

The latest attack method also uses PDF files, but instead of tricking employees into revealing their login credentials or visiting a malicious website where malware is downloaded, the attackers attempt to obtain sensitive information contained in PDF files.

The technique is similar to those used by hackers in web application attacks. Cross-site scripting attacks – or XSS attacks for short – typically involve injecting malicious scripts into trusted websites and applications. When a user visits the website or the hacked application, the script executes. The scripts give the attackers access to user information such as cookies, session tokens, and sensitive data saved in browsers, such as passwords. Since the website or application is trusted, the web browser will not recognize the script as malicious. These attacks are possible in websites and web applications where user input is used to generate output without properly validating or encoding it.

The same technique has been shown to also work within PDF files and is used to inject code and capture data. This is achieved by taking advantage of escape characters such as parentheses, which are commonly used to accept user input. If the input is not validated correctly, hackers can inject malicious URLs or JavaScript code into the PDF files. Even injecting a malicious URL can be enough to capture data in the document and exfiltrate it to the attacker-controlled website, as was demonstrated at the Black Hat online conference this month.

What sort of data could be captured in such an attack? A substantial amount of sensitive data is contained in PDF files. PDF files are used extensively for reports, statements, logs, e-tickets, receipts, boarding passes, and much more. PDF files may contain passport numbers, driver’s license numbers, bank account information, and a range of other sensitive data. The presenters at the conference explained they found some of the largest libraries of PDF files worldwide were vulnerable to XSS attacks.

For the most part, the vulnerabilities in PDF files that allow XSS attacks are not due to the PDF files themselves, but to improper coding. If PDF libraries fail to properly handle escape characters and allow unprotected formats, they will be vulnerable. Fortunately, Adobe released an update on December 9 which prevents this type of security vulnerability from being exploited, although companies that create PDF files must update their software and apply the update to be protected.
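The escaping failure described above, as an added example (not code from the article, Adobe, or any PDF library): a small PDF literal-string encoder and parser show how unescaped parentheses in user input end a string early and leak the rest of the input into the PDF object, and how escaping fixes it. The helper names, the /URI annotation builder and the example.invalid URL are assumptions.

```python
r"""Escaping untrusted text inside PDF literal strings.

Added example; not code from the article, Adobe or any PDF library.
PDF literal strings are delimited by parentheses, and an unbalanced ')' or a
backslash inside one must be written as '\)' or '\\' (ISO 32000-1, 7.3.4.2).
A generator that pastes user-controlled text into a string without escaping
lets a value containing ')' end the string early, so whatever follows is read
as PDF syntax. The helper names below are hypothetical.
"""
from typing import Tuple

# Characters that must be escaped inside a literal string, per the PDF spec.
_ESCAPES = {"\\": "\\\\", "(": "\\(", ")": "\\)", "\r": "\\r", "\n": "\\n"}
# Reverse mapping applied when a reader decodes the string.
_UNESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f",
              "(": "(", ")": ")", "\\": "\\"}


def escape_pdf_string(text: str) -> str:
    """Return `text` encoded as the body of a PDF literal string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def parse_pdf_literal(data: str, start: int = 0) -> Tuple[str, int]:
    """Parse one literal string starting at data[start] == '('.

    Applies the rules a PDF reader uses: backslash escapes, and balanced
    nested parentheses that do not terminate the string.
    Returns (decoded_text, index_of_first_char_after_string).
    """
    if data[start] != "(":
        raise ValueError("literal string must start with '('")
    out, depth, i = [], 1, start + 1
    while i < len(data):
        ch = data[i]
        if ch == "\\":
            i += 1
            if i >= len(data):
                break
            out.append(_UNESCAPES.get(data[i], data[i]))
        elif ch == "(":
            depth += 1
            out.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return "".join(out), i + 1
            out.append(ch)
        else:
            out.append(ch)
        i += 1
    raise ValueError("unterminated literal string")


def link_annotation(uri: str, escape: bool = True) -> str:
    """Build a /Link annotation whose /URI action wraps user-supplied `uri`.

    escape=False reproduces the unsafe generator behaviour the article
    describes; escape=True is the fix.
    """
    body = escape_pdf_string(uri) if escape else uri
    return f"<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({body}) >> >>"


def uri_as_read(annotation: str) -> Tuple[str, str]:
    """Return (URI a reader decodes, text left after the string closes)."""
    start = annotation.index("/URI (") + len("/URI ")
    uri, end = parse_pdf_literal(annotation, start)
    return uri, annotation[end:]


# Constructed input: a URL with an unbalanced ')' followed by PDF-looking
# tokens. example.invalid is a reserved name, not a real site.
UNTRUSTED = "http://example.invalid/a) /Extra /Injected"

if __name__ == "__main__":
    for escape in (False, True):
        uri, tail = uri_as_read(link_annotation(UNTRUSTED, escape=escape))
        print(f"escape={escape}: uri={uri!r} remainder={tail!r}")
```

With escaping off, the reader sees the URI end at the first `)` and the remainder of the input becomes part of the annotation dictionary; with escaping on, the whole input stays inside the string.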

This is just one way that malicious attachments can be used to obtain sensitive information. As previously mentioned, malicious macros are commonly added to office documents, executable files are added as attachments to emails and masquerade as legitimate files, and malicious code can be injected into a range of different file types.

One of the best ways to protect against attacks via email using malicious attachments is to use an advanced email security solution that can detect not just known malware but also never-before-seen malicious code. This is an area where SpamTitan Email Security excels.

SpamTitan incorporates dual anti-virus engines (Bitdefender/ClamAV) to catch known malware threats and sandboxing to identify malicious code that has been added to email attachments. Files are subjected to in-depth analysis in the security of the sandbox and are checked for any malicious actions.

To find out more about protecting your organization from malicious emails and malware, give the TitanHQ team a call.

500,000 Record Healthcare Data Breach Highlights Risk of Phishing Attacks

The healthcare industry in the United States has long been targeted by cybercriminals seeking access to sensitive patient data. Patient data is a valuable commodity, as it can be used for a multitude of fraudulent purposes including identity theft, tax fraud, insurance fraud, and blackmail and understandably has a high black market value.

Some of the largest healthcare data breaches ever reported have started with a phishing attack, including the 78.8 million-record data breach at the health insurer Anthem Inc. and the cyberattack on Premera Blue Cross, another U.S. health insurer, which affected around 11 million individuals, both of which were reported in 2015.

While healthcare data breaches on the scale of Anthem’s have been avoided since, large phishing-related breaches are still occurring. The latest phishing-related data breach to be reported by a U.S. health insurer resulted in the exposure of the health records of almost 500,000 Aetna health plan members.

The phishing attack saw the attackers gain access to the email system of a business associate of Aetna. EyeMed manages vision benefits services for the health insurer and has several other healthcare clients. The compromised account contained highly sensitive information such as names, addresses, dates of birth, and full or partial Social Security numbers – information that is extremely valuable to phishers and identity thieves. In total, the records of 484,157 Aetna members were potentially compromised, along with the data of 60,000 members of Tufts Health Plan, and around 1,000 members of Blue Cross Blue Shield of Tennessee. While it was not the largest healthcare data breach of 2020, it does rank in the top 10 healthcare data breaches of the year.

Unfortunately, healthcare industry phishing attacks involving the exposure and/or theft of more than 100,000 patient records are far from unusual. There have been more than a dozen such breaches reported by healthcare organizations and their business associates in 2020, and several dozen smaller phishing attacks.

The healthcare industry is extensively targeted and is vulnerable to phishing attacks. Unfortunately, all it takes is for one employee to respond to a phishing email for their account to be compromised. Emails often contain personal and protected health information and can be downloaded by the attackers, and the compromised account can be used to send further phishing emails to other employees in the organization. In addition to gaining access to multiple email accounts, phishing can give attackers the foothold they need for a more extensive compromise, as was the case with the Anthem and Premera data breaches.

According to a report released by the Healthcare Information and Management Systems Society (HIMSS), its survey of healthcare cybersecurity professionals revealed 57% had experienced a successful phishing attack in the past year.

Securing the email system can be a challenge in healthcare and preventing phishing attacks is a constant struggle. Unfortunately, while there are excellent email security solutions available that will ensure the vast majority of phishing emails are blocked, it is not possible to deploy a single solution and prevent all phishing attacks from succeeding. What is required is a layered approach to phishing defenses. With multiple layers of protection, if one layer fails to block a threat, others will help to ensure the threat is blocked.

At the heart of phishing defenses should be an advanced machine-learning/AI-based anti-phishing solution such as SpamTitan. SpamTitan itself provides multiple layers of protection to block known phishing threats, while the machine-learning components identify new phishing threats that have yet to be seen. SpamTitan also incorporates multiple measures to identify and block email impersonation attacks, has a data loss protection feature, and anti-malware capabilities that block both known and zero-day malware threats.

A web filter is an often-overlooked anti-phishing measure. Web filters target the web-based component of phishing attacks and provide time-of-click protection to stop employees from visiting phishing websites via links in malicious emails.

As Microsoft pointed out in a summer blog post this year, multi-factor authentication is a must. Multi-factor authentication kicks in when credentials are obtained in phishing attacks and stops those credentials from being used to access email accounts. MFA can block more than 99.9% of attacks using compromised credentials.

End user training should also not be neglected. Conditioning employees how to recognize phishing emails and respond appropriately is essential, not just for cybersecurity but also HIPAA compliance.

These measures can be the difference between a successfully thwarted attack and a costly data breach, and the cost of implementing these solutions is cheaper than many people think. To find out more, give the TitanHQ team a call.

Emotet Botnet Springs Back to Life and Delivers TrickBot Christmas Present

After a 2-month break, the Emotet botnet is back up and running and has been observed conducting a phishing email campaign that is delivering between 100,000 and 500,000 messages to inboxes a day.

Emotet first appeared in 2014 and started life as a banking Trojan; however, over the years the malware has evolved. While Emotet remains a banking Trojan, it is now best known as a malware downloader that is used to deliver a range of secondary payloads. The malware payloads it delivers also act as malware downloaders, so infection with Emotet often results in multiple malware infections, with ransomware often delivered as the final payload.

Once Emotet is installed on an endpoint it is added to the Emotet botnet and is used for spam and phishing campaigns. Emotet sends copies of itself via email to the user’s contacts along with other self-propagation mechanisms to infect other computers on the network. Emotet can be difficult to eradicate from the network. Once one computer is cleaned, it is often reinfected by other infected computers on the network.

Emotet often goes dormant for several weeks or even months, but even with long gaps in activity, Emotet is still the biggest malware threat. Emotet went dormant around February 2020, with activity resuming five months later in July. Activity continued until late October when activity stopped once again until Tuesday this week when it returned in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads such as Qakbot and ZLoader.

During the periods of inactivity, the threat actors behind the malware are not necessarily inactive; they just stop their distribution campaigns. During the breaks they update their malware and return with a new and improved version that is more effective at evading defenses.

The latest campaign uses similar tactics to past campaigns to maximize the probability of end users opening a malicious Office document. The phishing emails are usually personalized to make them appear more authentic, with Emotet using hijacked message threads with malicious content inserted. Since the emails appear to be responses to past conversations between colleagues and contacts, there is a greater chance that the recipient will open the email attachment or click a malicious hyperlink.

This campaign favors password-protected files, with the password to open the file supplied in the message body of the email. Since email security solutions cannot open these files, it is more likely that they will be delivered to inboxes. The malicious documents delivered in this campaign contain malicious macros. If the macros are enabled – which the user is told is necessary to view the content of the document – Emotet will be downloaded, after which the TrickBot Trojan will be delivered, usually followed by a ransomware variant such as Ryuk.

Previous campaigns have not displayed any additional content when the macros are enabled; however, this campaign displays an error message after the macros have been enabled instructing the user that Word experienced an error opening the file. This is likely to make the user believe the Word document has been corrupted. A variety of themes are used for the emails, with the latest campaign using holiday season and COVID-19 related lures.

An analysis by Cofense identified several changes in the latest campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control infrastructure has been changed and now uses binary data rather than plain text, both of which make the malware harder to detect.
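One way to surface the delivery chain described above (Office macro, then Emotet as a DLL run through rundll32.exe) in endpoint telemetry, as an added example that is not from the article, Cofense or any vendor product. It assumes Sysmon-style process-creation events as JSON lines with the fields Image, ParentImage, CommandLine and ProcessId; the sample log, paths and PIDs are constructed.

```python
"""Flagging the Emotet delivery chain in process-creation telemetry.

Added example, not from the article or any vendor product. The chain
described above is an Office document whose macro launches Emotet as a DLL
via rundll32.exe. This scans constructed Sysmon-style process-creation
events (JSON lines; the field names Image, ParentImage, CommandLine and
ProcessId are assumptions) and raises a finding when an Office process
spawns an interpreter or loader, or when rundll32.exe is handed a DLL that
lives in a user-writable directory.
"""
import json
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "powershell.exe",
                       "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations a macro can write to without elevation; a signed system DLL does
# not live here.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\",
    re.I)
# First .dll path on the rundll32 command line (quoted or not).
DLL_ARG = re.compile(r'"?([^"\s]+\.dll)"?', re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the rule names this single event triggers (empty if benign)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    findings = []
    if parent in OFFICE_APPS and image in SUSPICIOUS_CHILDREN:
        findings.append(f"office_spawns_loader:{parent}->{image}")
    if image == "rundll32.exe":
        match = DLL_ARG.search(cmdline)
        if match and USER_WRITABLE.search(match.group(1)):
            findings.append(f"rundll32_user_writable_dll:{match.group(1)}")
    return findings


def scan(jsonl: str) -> List[Tuple[int, List[str]]]:
    """Evaluate every JSON line; return (ProcessId, findings) for hits only."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        findings = evaluate(event)
        if findings:
            hits.append((int(event["ProcessId"]), findings))
    return hits


# Constructed sample log: one benign Word launch, one Word->rundll32 chain
# loading a DLL from the user's Temp folder, one legitimate system rundll32,
# and one Excel->PowerShell launch. Nothing here is a real indicator.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\" /n invoice.doc"}
{"ProcessId": 4388, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\document_update.dll,Control_RunDLL"}
{"ProcessId": 1220, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"ProcessId": 5016, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "powershell.exe -nop -w hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1"}
"""

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_LOG):
        print(pid, ", ".join(findings))
```

The parent-child rule catches the macro launch regardless of where the payload is written, and the path rule catches rundll32 loading from a user-writable directory even when the parent process has already exited.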

Businesses need to be particularly vigilant and should act quickly if infections are detected and should take steps to ensure their networks are protected with anti-virus software, security policies, spam filters, and web filters.

Many Healthcare Organizations Lack the Right Solutions to Block Phishing Attacks

The threat of phishing is ever present, especially for the healthcare industry, which is often targeted by phishers due to the high value of healthcare data and compromised email accounts. Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of successful phishing attacks. The industry is also plagued by ransomware attacks, with many of the attacks having their roots in a successful phishing attack, such as one that delivers a ransomware downloader like the Emotet or TrickBot Trojan.

A recent survey conducted by HIMSS on U.S. healthcare cybersecurity professionals has confirmed the extent to which phishing attacks are succeeding. The survey, which was conducted between March and September 2020, revealed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of incidents.

One interesting fact to emerge from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely concerning that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity incidents.

Then there is multi-factor authentication. Multifactor authentication will do nothing to stop phishing emails from being delivered, but it is highly effective at preventing stolen credentials from being used to remotely access email accounts. Microsoft suggested in a Summer 2020 blog post that multifactor authentication will stop 99.9% of attempts to use stolen credentials to access accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.

That does represent a considerable improvement from 2015 when the survey was last conducted, when just 37% had implemented MFA, but it shows there is still considerable room for improvement, especially in an industry that suffers more than its fair share of phishing attacks.

In the data breach reports that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare organizations in the U.S are required to comply with, it is common for breached organizations to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from occurring in the first place. The HIMSS survey revealed 75% of organizations augment security after suffering a cyberattack.

These cyberattacks not only take up valuable resources and disrupt business operations, but they can also have a negative impact on patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business operations, and 20% said they resulted in monetary losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had disrupted emergency care, with 17% saying they had resulted in patient harm. The latter figure could be underestimated, as many organizations do not have the mechanisms in place to determine whether patient safety has been affected.

The volume of phishing attacks that are succeeding cannot be attributed to a single factor, but what is clear is there needs to be greater investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be top of the list – one that can block phishing emails and malware attacks. Training on cybersecurity must be provided to employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing measure.

One area of phishing protection that is often overlooked is a web filter. A web filter blocks the web-based component of phishing attacks, preventing employees from accessing webpages hosting phishing forms. With the sophisticated nature of today’s phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also important.

Many hospitals and physician practices have limited budgets for cybersecurity, so it is important to not only implement effective anti-phishing and anti-malware solutions, but to get effective solutions at a reasonable price. That is an area where TitanHQ excels.

TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to protect against the email- and web-based components of cyberattacks and both of these solutions are provided at a very reasonable cost, with flexible payment options.

Further, these solutions have been designed to be easy to use and require no technical skill to set up and maintain. The ease of use, effectiveness, and low price are part of the reason why the solutions are ranked so highly by users, achieving the best rankings on Capterra, GetApp and Software Advice.

If you want to improve your defenses against phishing, prevent costly cyberattacks and data breaches, and avoid the potential regulatory fines that can follow, give the TitanHQ team a call today and inquire about SpamTitan Email Security and WebTitan Web Security.

COVID-19 Has Created the Perfect Environment for Black Friday Scams

Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.

Surge in Phishing Attacks in the Run Up to Black Friday

The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.

Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.

Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more business to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.

Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.

With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.

How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats

This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.

The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.

SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.

WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.

If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.

Ryuk Ransomware Attacks on Hospitals Spike with Many Fearing the Worst is Yet to Come

The cybercriminal organization behind Ryuk ransomware – believed to be an eastern European hacking group known as Wizard Spider – has stepped up attacks on hospitals and health systems in the United States. This week has seen a wave of attacks on hospitals from the Californian coast to the eastern seaboard, with 6 Ryuk ransomware attacks on hospitals reported in a single day.

Ryuk ransomware causes widespread file encryption across entire networks, crippling systems and preventing clinicians from accessing patient data. Even when the attacks are detected quickly, systems must be shut down to prevent the spread of the ransomware. While hospitals have disaster protocols for exactly this kind of scenario and patient data can be recorded using pen and paper, the disruption caused is considerable. Non-essential surgeries and appointments often need to be cancelled and, in some cases, hospitals have been forced to divert patients to alternative medical facilities.

It is unclear if any ransomware attacks on U.S. hospitals have resulted in fatalities, but there was recently a fatality in an attack in Germany, where a patient was rerouted to a different hospital and died before lifesaving treatment could be provided. Had the ransomware attack not occurred, treatment could have been provided in time to save the patient’s life. The attacks in the United States also have the potential to result in loss of life, especially in such a large-scale, coordinated campaign.

Earlier in the week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued an advisory after credible evidence emerged indicating Ryuk ransomware attacks on U.S. hospitals and healthcare providers were about to increase.

It is unclear why the attacks have increased now and what the exact motives behind the current campaign are, but recently Microsoft and U.S. Cyber Command, in conjunction with several cybersecurity firms, disrupted the TrickBot botnet – a network of devices infected with the TrickBot Trojan. The TrickBot Trojan is operated by a different cybercriminal group to Ryuk, but it was extensively used to deliver Ryuk ransomware. The botnet is back up and running, with the threat actors switching to alternative infrastructure, but there have been suggestions that this could be a response to the takedown.

The Ryuk ransomware attacks on hospitals come at a time when healthcare providers are battling the coronavirus pandemic. In the United States the number of new cases is higher than at any time since the start of the pandemic. Hospitals cannot afford to have systems taken out of action and patient care disrupted. The timing of the attacks is such that hospitals may feel there is little alternative other than paying the ransom to ensure that disruption is kept to a minimum. Ransomware gangs are known to time their attacks to cause maximum disruption.

Ryuk ransomware attacks on hospitals have been steadily increasing in the United States prior to the latest spike. Figures released by Check Point Research in the past few days show ransomware attacks on hospitals increased 71% from September, with healthcare the most targeted industry sector, not only in October, but also Q3, 2020. Ryuk ransomware attacks account for 75% of all ransomware attacks on hospitals in the United States.

There is concern that the latest attacks will be just the tip of the iceberg. Some security experts suggest the gang is looking to target hundreds of hospitals and health systems in the United States in this campaign. Each attack on a health system could see several hospitals affected. The attack this week on the University of Vermont Health Network impacted 7 hospitals.

Defending against ransomware attacks can be a challenge, as multiple methods are used to gain access to healthcare networks. Ryuk ransomware is commonly delivered by the TrickBot Trojan, which is delivered as a secondary payload by the Emotet Trojan. The Buer loader and BazarLoader are also being used to deliver Ryuk ransomware. These malware downloaders are delivered via phishing emails, so a good spam filter is important.

Employees should be made aware of the increased threat of attack and advised to exercise extra caution with emails. Software updates need to be applied promptly and all systems kept fully patched and up to date. Default passwords should be changed, and complex passwords used, with multi-factor authentication implemented where possible. If it is not necessary for systems to be connected to the Internet, they should be disconnected, and RDP should be disabled where possible.

It is also essential for regular backups of critical data to be made and for those backups to be stored securely on non-networked devices to ensure that in the event of an attack hospitals have the option to recover their data without having to pay the ransom.

Further information on indicators of compromise and other mitigations are available in the CISA Ryuk ransomware advisory.

New Windows Update Lure Used in Phishing Campaign Distributing the Emotet Trojan

The Emotet Trojan is one of the main malware threats currently used to attack businesses. The Trojan is primarily distributed using spam emails, using a variety of lures to convince users to install the Trojan.

The spam emails are generated by the Emotet botnet – an army of zombie devices infected with the Emotet Trojan. The Trojan hijacks the victim’s email account and uses it to send copies of itself to the victim’s business contacts using the email addresses in victims’ address books.

Emotet emails tend to have a business theme, since it is business users that are targeted by the Emotet actors. Campaigns often use tried and tested phishing lures such as fake invoices, purchase orders, shipping notices, and resumes, with the messages often containing limited text and an email attachment that the recipient is required to open to view further information.

Word documents are often used – although not exclusively – with malicious macros which install the Emotet Trojan on the victim’s device. In order for the macros to run, the user is required to ‘Enable Content’ when they open the email attachment.

Users are instructed in the documents to enable content using a variety of tricks. Oftentimes the documents state that the Word document has been created on an iOS or mobile device and content needs to be enabled for it to be viewed, or that the contents of the document have been protected and will not be displayed unless content is enabled.

Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining a Windows update needed to be installed to upgrade apps on the device, which were preventing Microsoft Word from displaying the document contents. Users were instructed to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.

The Emotet Trojan does not simply add devices to a botnet and use them to conduct further phishing attacks. One of the main uses of Emotet is to download other malware variants onto infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.

The TrickBot Trojan was initially a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few years to add a host of new functions. TrickBot still acts as a banking Trojan, but is also a stealthy information stealer and malware downloader, as is QBot malware.

As with Emotet, once the operators of these Trojans have achieved their aims, they deliver a secondary malware payload. TrickBot has been used extensively to deliver Ryuk ransomware, one of the biggest ransomware threats currently in use. QBot has teamed up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, TrickBot/QBot, and then suffer a ransomware attack.

It is therefore essential for businesses to implement an effective spam filtering solution to block the initial malicious emails at source and prevent them from being delivered to their employee’s inboxes. It is also important to provide security awareness training to employees to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.

Organizations that rely on the default anti-spam defenses that are provided with Office 365 licenses should consider implementing an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.

To find out more about the full features of SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, give the SpamTitan team a call today.

A product demonstration can be arranged, your questions will be answered, and assistance will be provided to help set you up for a free trial to evaluate the solution in your own environment.

Phishing Protection Measures Every Business Should Have in Place

Phishing is a cybersecurity threat that businesses of all sizes are likely to face and one that requires multiple phishing protection measures to prevent. Phishing is the term given to fraudulent attempts to obtain sensitive information such as login credentials to email accounts or employee/customer information. Phishing can take place over the telephone (vishing), via text message (SMiShing), or through social media networks and websites, but the most common phishing attacks take place over email.

When phishing occurs over email, an attack usually consists of two elements. A lure – a reason given in the email that encourages the user to take a particular action – and a web-based component, where sensitive information is collected.

For instance, an email is sent telling the recipient that there has been a security breach that requires immediate action. A link is supplied in the email that directs the recipient to a website where they are required to login and verify their identity. The website is spoofed to make it look like the site it is impersonating and when information is entered it is captured by the attacker.

Phishing protection measures should be deployed to block both of these components. First, you need a solution that stops the phishing attack at source and prevents phishing emails from being delivered to inboxes. You should also have security measures in place to prevent information from being handed over to the attackers at the web stage of the attack. As an additional protection, in case both of those measures fail, you need to prevent stolen credentials from being used to gain access to the account.


Four Essential Phishing Protection Measures

Phishing protection measures should consist of four elements: a spam filter, a web filter, end user training, and multi-factor authentication – often referred to as layered phishing defenses. If one layer should fail, others are in place to make sure the attack does not succeed.

Spam filtering

A spam filter is your first line of defense and one that will block the vast majority of email threats. An advanced spam filter will block in excess of 99.9% of spam, phishing, and malware-laced emails. Spam filters incorporate several layers of protection. They use blacklists of known spammers – domains, email accounts, and IP addresses that have previously been used for spamming, phishing, and other nefarious activities. Checks are performed on the message headers and the message body is subjected to multiple checks to identify malicious URLs and keywords commonly used in spam and phishing emails. Each message is given a score, and if that score is higher than a pre-defined threshold, the message will be either deleted or quarantined. Spam filters also incorporate antivirus engines that check messages for malicious attachments.
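The layered scoring described above, as an added example written for this article rather than SpamTitan’s own logic: sender reputation from the From: domain and the relay IPs in Received: headers, a header-consistency check, URL host checks and weighted lure phrases each add to a score, and the total is compared against quarantine and delete thresholds. The blacklists, weights, thresholds and both sample messages are constructed for the example.

```python
import re
from email import message_from_string

# Constructed reputation data standing in for the blacklists a production filter
# subscribes to (none of these names or addresses are real indicators).
BLACKLISTED_DOMAINS = {"account-verify.example", "mail-secure-update.example"}
BLACKLISTED_IPS = {"203.0.113.45"}
MALICIOUS_URL_HOSTS = {"login-verify.example"}
# Phrases common in phishing lures, each with the weight it adds to the score.
KEYWORD_WEIGHTS = {
    "verify your account": 2.0,
    "enable content": 2.5,
    "suspended": 1.5,
    "urgent": 1.0,
    "click here": 1.0,
}
QUARANTINE_THRESHOLD = 5.0
DELETE_THRESHOLD = 10.0

URL_RE = re.compile(r"https?://([^/\s<>\"']+)", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DOMAIN_RE = re.compile(r"@([\w.-]+)")


def _domain(header_value):
    m = DOMAIN_RE.search(header_value or "")
    return m.group(1).lower() if m else ""


def _text_body(msg):
    """Concatenate the decoded text/plain parts (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    score, reasons = 0.0, []
    # Layer 1: sender reputation from the From: domain and every relay IP in Received:.
    sender_domain = _domain(msg.get("From"))
    if sender_domain in BLACKLISTED_DOMAINS:
        score += 5.0
        reasons.append(f"blacklisted sender domain {sender_domain}")
    for received in msg.get_all("Received", []):
        for ip in RECEIVED_IP_RE.findall(received):
            if ip in BLACKLISTED_IPS:
                score += 3.0
                reasons.append(f"blacklisted relay {ip}")
    # Layer 2: header consistency. Replies routed to a domain other than the
    # apparent sender's is a common phishing tell.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != sender_domain:
        score += 1.5
        reasons.append(f"Reply-To domain {reply_domain} differs from From")
    # Layer 3: subject and body checks for malicious URL hosts and lure phrases.
    text = (msg.get("Subject", "") + "\n" + _text_body(msg)).lower()
    for host in URL_RE.findall(text):
        if host in MALICIOUS_URL_HOSTS:
            score += 4.0
            reasons.append(f"malicious URL host {host}")
    for phrase, weight in KEYWORD_WEIGHTS.items():
        if phrase in text:  # each phrase is counted once, however often it appears
            score += weight
            reasons.append(f"lure phrase '{phrase}'")
    return score, reasons


def verdict(score):
    if score >= DELETE_THRESHOLD:
        return "delete"
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"
    return "deliver"


# Constructed sample messages (not captured from any real campaign).
PHISH = """From: IT Support <helpdesk@account-verify.example>
Reply-To: recover@login-verify.example
Received: from mx1.example (mx1.example [203.0.113.45]) by mail.corp.example
Subject: Urgent: your mailbox has been suspended

Your account has been suspended. Please verify your account here:
http://login-verify.example/reset
"""

LEGIT = """From: Alice <alice@corp.example>
Received: from mail.corp.example (mail.corp.example [198.51.100.7]) by mx.corp.example
Subject: Lunch on Thursday?

Are you free on Thursday? Agenda: https://calendar.corp.example/invite/123
"""
```

Running score_message(PHISH) returns a score of 18.0 with seven reasons and a verdict of "delete", while LEGIT scores 0.0 and is delivered. The point of scoring rather than single-rule blocking is that no one signal has to be decisive: a blacklisted relay alone sits below the quarantine threshold here, but combined with the lure phrases and the mismatched Reply-To it crosses it comfortably.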

Web filtering

Cybercriminals are constantly changing tactics and developing new methods to obfuscate their phishing attempts to bypass spam filters. Spam filters are updated to block these new attacks, but there will be a lag and some messages will slip through the net on occasion. This is where a web filter kicks into action. A web filter will check a website against several blacklists and will assess the content of the website in real-time. If the website is deemed to be malicious, the user will not be permitted to connect and will instead be directed to a local block page. Web filters also have AV software to prevent malware being downloaded and can be used to control the types of content users can access – blocking pornography for instance, or social media networks, gaming sites and other productivity drains.
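The blacklist lookup, category control and local block page described above, as an added example written for this article and not WebTitan’s code. It matches a requested host against a malicious-domain list (including parent domains, so a blocklist entry covers its subdomains), then against an acceptable-use category policy, then checks the requested path for installer and script file types. All feeds, categories and URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed feeds standing in for a web filter's blacklists and category database
# (none of these domains are real indicators).
MALICIOUS_DOMAINS = {"secure-login-verify.example", "covid19-relief-payments.example"}
CATEGORY_DB = {
    "video-games.example": "gaming",
    "social.example": "social media",
    "news.example": "news",
}
# Acceptable-use policy for this example: productivity-drain categories are blocked.
BLOCKED_CATEGORIES = {"gaming", "social media"}
# Download control: file types routinely used as loaders and unauthorised installers.
BLOCKED_DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".js", ".vbs", ".hta", ".scr")


def candidate_domains(host):
    """Yield the host and each parent domain (never the bare TLD), so a blocklist
    entry for example.test also covers www.example.test."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def filter_request(url):
    """Decide allow/block for one requested URL and record why."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    path = parsed.path.lower()
    # Layer 1: known-malicious domains (phishing, fraud, malware distribution).
    for domain in candidate_domains(host):
        if domain in MALICIOUS_DOMAINS:
            return {"action": "block", "reason": "malicious domain", "match": domain}
    # Layer 2: category controls from the acceptable-use policy.
    for domain in candidate_domains(host):
        category = CATEGORY_DB.get(domain)
        if category in BLOCKED_CATEGORIES:
            return {"action": "block", "reason": f"blocked category: {category}",
                    "match": domain}
    # Layer 3: download control for installer and script file types.
    if path.endswith(BLOCKED_DOWNLOAD_EXTENSIONS):
        return {"action": "block", "reason": "blocked download type",
                "match": path.rsplit("/", 1)[-1]}
    return {"action": "allow", "reason": "", "match": host}


def block_page(decision, url):
    """Text shown to the user in place of the site (the local block page)."""
    return (f"Access to {url} was denied by the web filter.\n"
            f"Reason: {decision['reason']} ({decision['match']}).\n"
            "Contact the IT department if you believe this is a mistake.")


if __name__ == "__main__":
    for u in ("http://www.secure-login-verify.example/reset",
              "https://video-games.example/play",
              "https://cdn.news.example/files/setup.exe",
              "https://news.example/story"):
        d = filter_request(u)
        print(block_page(d, u) if d["action"] == "block" else f"allowed {u}")
```

A DNS-based filter of the kind discussed later on this page only ever sees the hostname, so it can apply the first two layers but not the path-based download check, which needs a proxy or endpoint agent that sees the full URL.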

End user training

Technical anti-phishing measures are important, but they will not block all attacks. It is therefore essential to provide end user training to help employees identify phishing and other malicious emails. A once-a-year formal training session should be conducted, with ongoing, regular shorter training sessions throughout the year to raise awareness of new threats and to reinforce the annual training. Phishing simulations should also be conducted to test whether training has been effective and to ensure that any knowledge gaps are identified and addressed.

Multi-factor authentication

If credentials are stolen in a phishing attack, or are otherwise obtained by a cybercriminal, multi-factor authentication can prevent those credentials from being used. In addition to a password, a second factor must be provided before account access is granted. This could be a token, code, or one-time password, with the latter usually sent to a mobile phone. While multi-factor authentication will block the majority of attempts by unauthorized individuals to access accounts, it is not infallible and should not be considered as a replacement for the other protections. Multi-factor authentication will also not stop malware infections.
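The one-time code described above, worked through as an added example for this and the later multi-factor authentication passages on the page (this is illustrative code, not a TitanHQ product or any authenticator app’s implementation). It implements the HOTP/TOTP algorithms from RFC 4226 and RFC 6238, which is what authenticator apps generate, and shows the server-side checks that matter in practice: a small drift window, constant-time comparison, and refusal to accept a counter that was already used, so a code captured by a phishing page cannot be replayed once the victim has used it. The secret is the RFC 6238 test secret so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def secret_from_base32(encoded):
    """Authenticator apps exchange the shared secret as base32 text (QR code payload)."""
    stripped = encoded.strip().upper()
    return base64.b32decode(stripped + "=" * (-len(stripped) % 8))


def verify_totp(secret, submitted, unix_time, last_used_counter=None, window=1):
    """Server-side check. Accepts the current step and +/- `window` neighbouring steps
    to tolerate clock drift, compares in constant time, and refuses any counter at or
    before the last one accepted so a captured code cannot be replayed.
    Returns (accepted, counter_used)."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False, None
    current = int(unix_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, None


# RFC 6238 test secret (ASCII "12345678901234567890") and its base32 form, so the
# values this code produces can be compared with the vectors published in the RFC.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))  # RFC 6238 vector, 6-digit form of 94287082
    print(verify_totp(RFC_SECRET, "287082", 89))  # accepted from the previous step
    print(verify_totp(RFC_SECRET, "287082", 89, last_used_counter=1))  # replay refused
```

The replay check is what distinguishes a careful server from a textbook one: without remembering the last accepted counter, a code lifted from a phishing page stays valid for the whole drift window, which is exactly the gap a real-time phishing proxy exploits. This also illustrates the article’s caveat that multi-factor authentication is not infallible: a code entered into an attacker’s page can still be relayed within its validity window, so it complements rather than replaces the filtering layers.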


Phishing Protection Solutions from TitanHQ

TitanHQ has developed two powerful cybersecurity solutions to help you protect against phishing and malware attacks: SpamTitan email security and the WebTitan web filter. Both of these solutions have multiple deployment options and are easy to implement, configure, and use. The solutions are consistently rated highly by end users for the level of protection provided, ease of deployment, ease of use, and for the excellent customer support if you ever have any problems or questions.

On top of that, pricing is totally transparent with no hidden extras, and the solutions are very competitively priced. Both are available on a free trial to allow you to test them in your own environment before committing to a purchase.

Increase in Netwalker Ransomware Attacks Prompts FBI Warning

Over the past few months, cyberattacks involving Netwalker ransomware have been steadily increasing and Netwalker has now become one of the biggest ransomware threats of 2020.

Netwalker ransomware is the new name for a ransomware variant called Mailto, which first appeared a year ago in August 2019. The threat actors behind the ransomware rebranded their malware as Netwalker in late 2019 and in 2020 started advertising for affiliates to distribute the ransomware under the ransomware-as-a-service model. In contrast to many RaaS offerings, the threat group is being particularly choosy about who they recruit to distribute the ransomware and has been attempting to build a select group of affiliates with the ability to conduct network attacks on enterprises that have the means to pay large ransoms and the data to warrant such large payments if attacked.

Netwalker ransomware was used in an attack in February on Toll Group, an Australian logistics and transportation company, which caused widespread disruption although the firm claims not to have paid the ransom. Like several other ransomware gangs, the Netwalker gang took advantage of the COVID-19 pandemic and was using COVID-19 lures in phishing emails to spread the ransomware payload via a malicious email attachment, opting for Visual Basic Scripting (.vbs) loader attachments.

Then followed attacks on Michigan State University and Columbia College of Chicago, with the frequency of attacks increasing in June. The University of California San Francisco, which was conducting research into COVID-19, was attacked and had little choice other than to pay the $1.14 million ransom demand to regain access to essential research data that was encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the Netwalker gang.

The recent attacks have seen the attack vector change, suggesting the attacks have been the work of affiliates and the recruitment campaign has worked. Recent attacks have used a range of techniques, including brute force attacks on RDP servers and exploitation of vulnerabilities in unpatched VPN systems, such as Pulse Secure VPNs that have not had the patch applied to correct the CVE-2019-11510 vulnerability. Attacks have also exploited user interface components of web apps, such as the Telerik UI vulnerability CVE-2019-18935, in addition to vulnerabilities in Oracle WebLogic and Apache Tomcat servers.

With the ransoms paid so far, the group is now far better funded and appears to have skilled affiliates working at distributing the ransomware. Netwalker has now become one of the biggest ransomware threats and has joined the ranks of Ryuk and Sodinokibi. Like those threat groups, data is stolen prior to file encryption and threats are issued to publish or sell the data if the ransom is not paid.

The increase in activity and skill of the group at gaining access to enterprise networks prompted the FBI to issue a flash alert warning of the risk of attack in late July. The group appears to be targeting government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing; in fact, they are more than likely to increase.

Defending against the attacks requires a defense in depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to block email attacks, and end users should be taught how to recognize malicious emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited, so prompt patching is essential. All devices should be running the latest software versions.

Antivirus and anti-malware software should be used on all devices and kept up to date, and policies requiring strong passwords to be implemented should be enforced to prevent brute force tactics from succeeding. Patched VPNs should be used for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed regularly. Backups should be stored on a non-networked device that is not accessible over the internet to ensure they too are not encrypted in an attack.

30% of British SMEs Have Suffered a COVID-19 Lockdown Phishing Attack

A recent survey by Capterra on British SMEs has revealed 30% have fallen victim to a phishing attack during the COVID-19 lockdown. Just under half of the phishing emails received (45%) were related to coronavirus or COVID-19.

COVID-19 phishing emails increased significantly during the first quarter of 2020 as the coronavirus spread around the world. Since the virus was unknown to science, scientists have been working tirelessly to learn about the virus, the disease it causes, how the virus is spread, and what can be done to prevent infection. The public has been craving information as soon as it is available, which creates the perfect environment for phishing attacks. People want information and threat actors are more than happy to offer to provide it.

The Capterra survey highlights the extent to which these campaigns are succeeding. Employees are receiving phishing emails and being fooled by the social engineering tactics the scammers have adopted. The high success rate has seen many threat actors temporarily abandon their tried and tested phishing campaigns that they were running before the SARS-CoV-2 outbreak, and have repurposed their campaigns to take advantage of the public’s thirst for knowledge about the virus. In the first quarter of 2020, KnowBe4 reported a 600% increase in COVID-19 and coronavirus themed phishing emails.

The high percentage of businesses that have experienced phishing attacks during the COVID-19 lockdown indicates many SMEs need to augment their anti-phishing defenses. There is also a need for further training to be provided to employees, as the emails are being opened and links are being clicked.

On the training front, formal training sessions may be harder to administer with so many employees working remotely. Consider conducting short training sessions via teleconferencing platforms and sending regular email alerts warning about the latest techniques, tactics and procedures being used in targeted attacks on remote workers. Phishing simulation exercises can be hugely beneficial and will help to condition workers to check emails thoroughly and report any threats received. These simulations also help identify which employees need further training to help them recognize potential phishing attacks.

Of course, the best way to ensure that employees do not open phishing emails and malicious attachments is to ensure they are not delivered to employees’ inboxes. That requires an advanced spam filtering solution.

Many SMEs and SMBs have now moved to an Office 365 hosted email solution, in which case email filtering will be taking place using Microsoft’s Exchange Online Protection, the default spam filtering service that protects all Office 365 users. If you are reliant on this solution for filtering out phishing emails and other types of malicious messages, you should consider adding a third-party solution on top of EOP.

Exchange Online Protection provides a reasonable level of security and can block phishing emails and known malware threats, but it lacks the features of more advanced spam filtering solutions and cloud-based email security gateways, such as machine learning and predictive technology to identify attacks that have not been seen before.

As an additional protection against phishing attacks, a web filtering solution should be considered. In the event of a phishing email arriving in an inbox, a web filter serves as an additional layer of protection to prevent attempts by employees to visit websites linked in the emails. When an attempt is made to visit a known phishing website or web content that violates your acceptable internet usage policies, access will be blocked and the user will be directed to a local web page telling them why access has been denied.

Multi-factor authentication should also be implemented for email to ensure that in the event that credentials are compromised, a second factor must be provided before access to the email account is granted.

For more information on spam filtering and web filtering, and further information on TitanHQ’s advanced cloud-based email security solution – SpamTitan – and DNS-based web filtering solution – WebTitan – give the TitanHQ team a call today.

Security Awareness for Remote Workers During COVID-19 Crisis

Security awareness for remote workers has never been more important. It is fair to say that there have never been more people working from home than there are now during the COVID-19 pandemic, and home workers are now being actively targeted by cybercriminals who see them as providing an easy way to gain access to their corporate networks to steal sensitive information and install malware and ransomware.

Businesses may have already given their employees security awareness training to make sure they are made aware of the risks that they are likely to encounter and to teach them how to recognize threats and respond. However, working from home introduces many more risks, and those risks may not have been covered in security awareness training sessions geared toward protecting office workers. Security training is therefore important for all employees, and especially so for remote workers, since risk increases when employees work remotely.

In this post we will highlight some of the key areas that must be addressed in work from home (WFH) security awareness training for the workforce.

Increased Security Awareness for Remote Workers Required as COVID-19 Crisis Deepens

Naturally, as an email security solution provider, we strongly advocate the use of a powerful email security solution and layered technical defenses to protect against phishing, but technical controls, while effective, will not stop all threats from reaching inboxes. It is all too easy to place too much reliance on technical security solutions for securing email environments and work computers. The truth is that even with the best possible email security defenses in place, some threats will end up reaching inboxes.

The importance of providing security awareness training to the workforce and the benefits of doing so have been highlighted by several studies. One benchmarking study, conducted by the security awareness training provider KnowBe4, revealed 37.9% of employees fail phishing tests if they are not provided with security awareness and social engineering training. That figure has increased by 8.3% from the previous year. With security awareness training and phishing email simulations, the figure dropped to 14.1% after 90 days.

During the COVID-19 pandemic, the volume of phishing emails being sent has increased significantly and campaigns are being conducted targeting remote workers. The aim of the phishing campaigns is to obtain login credentials to email accounts, VPNs, and SaaS platforms and to spread malware and ransomware.

With so many employees now working from home, and given the speed at which companies have had to transition from a largely office-based workforce to having virtually everyone working from home, security awareness training for remote workers may have been put on the back burner. However, with the lockdown likely to be extended for several months and attacks on the rise, it is important to make sure that training is provided, and as soon as possible.

Increase in COVID-19 Domain Registrations and Rise in Web-Based Attacks

Security awareness training for remote workers also needs to cover internet security as not all threats will arrive in inboxes. Most phishing attacks have a web-based component, and malicious websites are being set up for drive-by malware downloads. Currently, the vast majority of threats are using COVID-19 and the Novel Coronavirus as a lure to get remote workers to download malware, ransomware, or part with their login credentials.

Unsurprisingly, cybercriminals have increased web-based attacks, which are being conducted using a plethora of COVID-19 and Novel-Coronavirus themed domains. By the end of March, approximately 42,000 domains related to COVID-19 and coronavirus had been registered. An analysis by Check Point Research revealed those domains were 50% more likely to be malicious than other domains registered over the same period.

It is important to raise awareness of the risks of using corporate laptops for personal use such as browsing the Internet. Steps should also be taken to limit the websites that can be accessed by employees and, at the very least, a solution should be implemented and configured to block access to known malicious websites that are used for phishing, fraud, and malware distribution.

Shadow IT is a Major Security Risk

When employees are office based and connected to the network, identifying shadow IT – unauthorized software and hardware used by employees – is more straightforward. Not only does the problem become harder to identify when employees work from home, but the risk of unauthorized software being loaded onto corporate-issued devices also increases.

Software downloaded onto work computers carries a risk of a malware infection and potentially offers an easy way to attack the user’s device and the corporate network. IT teams will have little visibility into the unauthorized software on users’ devices and whether it is running the latest version and has been patched against known vulnerabilities. It is important to cover shadow IT in security awareness training for remote workers and to make it clear that no software should be installed on work devices and that personal USB devices should not be connected to corporate devices without the go-ahead being given from the IT department.

The COVID-19 pandemic has seen many workers turn to teleconferencing platforms to communicate with the office, friends, and family. One of the most popular teleconferencing platforms is Zoom. Malicious installers have been identified that install the genuine Zoom client but have been bundled with malware. Installers have been identified that also install adware, Remote Access Trojans, and cryptocurrency miners.

How TitanHQ Can Help Improve Email Security

Several security awareness training firms have made resources available to businesses free of charge during the COVID-19 crisis to help them train the workforce, such as the SANS Institute. Take advantage of these resources and push them out to your workforce. If you are a small SMB, you may also be able to get access to free phishing simulation emails to test the workforce and reinforce training.

TitanHQ can’t help you with your remote worker cybersecurity awareness training, but we can help by ensuring employees have to deal with fewer threats by protecting against email and web-based attacks.

SpamTitan is an advanced and powerful cloud-based email security solution that will protect remote workers from phishing, spear phishing, malware, virus, and ransomware attacks by blocking attacks at source and preventing the threats from reaching inboxes. SpamTitan features dual anti-virus engines to protect against known malware threats and sandboxing to block unknown (zero-day) malware threats. SpamTitan incorporates several real-time threat intelligence feeds to block current and emerging phishing attacks, and machine learning technology detects and blocks previously unseen phishing threats. SpamTitan has been developed to work seamlessly with Office 365 to allow businesses to create layered defenses, augmenting Microsoft’s protections and adding advanced threat detection and blocking capabilities.

WebTitan is a DNS filtering solution that will protect all workers from web-based attacks, no matter where they access the internet. WebTitan incorporates zero-minute threat intelligence and blocks malicious domains and webpages as soon as they are identified. The solution can also be used to carefully control the types of websites that remote workers can access on their corporate-owned devices, via keyword and category-based controls. WebTitan can also be configured to block the downloading of malicious files and software installers to control shadow IT.

For more information on protecting your business during the COVID-19 crisis, to arrange a product demonstration of SpamTitan and/or WebTitan, and to register for a free trial of either solution to allow you to start instantly protecting against email and web-based threats, contact TitanHQ today!

Cybersecurity Best Practices for Home Workers

When it comes to cybersecurity and home working, CIOs and IT teams have a challenge: how to ensure the same level of protection is provided for remote workers as they get when they are in the office. To help, we have compiled a set of cybersecurity best practices for home workers to help IT teams prepare for a massive increase in telecommuting.

The cybersecurity protections at home will not be nearly as good for home workers as protections in the office, which are much easier to implement and maintain. IT departments will therefore need to teach telecommuting workers cybersecurity best practices for home working and their devices will need to be configured to access applications and work resources securely. With so many workers having to telecommute, this will be a major challenge.

The coronavirus pandemic has forced businesses to rapidly expand the number of telecommuting workers and having to increase capacity in such a short space of time increases the potential for mistakes. Further, testing may not be nearly as stringent as necessary given the time pressure IT workers are under. Their teams too are likely to be depleted due to self-isolating workers.

One area where standards are likely to slip is staff training on IT. Many employees will be working from home for the first time and will have to use new methods and applications they will not be familiar with. The lack of familiarity can easily lead to mistakes being made. It is important that even though resources are limited you still teach cybersecurity best practices for home workers. Do not assume that telecommuting workers will be aware of the steps they must take to work securely away from the office.

Steps for IT Teams to Take to Improve Cybersecurity for Home Workers

Listed below are some of the key steps that IT teams need to take to improve security for employees that must now work from home.

Ensure VPNs are Provided and Updated

Telecommuting workers should not be able to access their work environment unless they use a VPN. A VPN will ensure that all traffic is encrypted, and data cannot be intercepted in transit. Enterprise-grade VPNs should be used as they are more robust and provide greater security. Ensure there are sufficient licenses for all workers, and you have sufficient bandwidth available. You must also make sure that the VPN is running the latest software version and patches are applied, even if this means some downtime to perform the updates. VPN vulnerabilities are under active attack.

Set up Firewalls for Remote Workers

You will have a firewall in place at the office and remote workers must have similar protections in place. Software firewalls should be implemented to protect remote workers’ devices. Home routers may have inbuilt firewalls. Talk employees through activating hardware firewalls if they have them on their home routers and ensure that passwords are set to prevent unauthorized individuals from connecting to their home Wi-Fi network.

Apply the Rule of Least Privilege

Remote workers introduce new risks, and with large sections of the workforce telecommuting, that risk is considerable. Remote workers are being targeted by cybercriminals through web- and email-based attacks. In the event of a malware infection or credential theft, damage can be limited by ensuring workers only have access to resources absolutely necessary for them to perform their work duties. If possible, restrict access to sensitive systems and data.

Ensure Strong Passwords are Being Set

To protect against brute force attacks, ensure good password practices are being followed. Consider using a password manager to help employees remember their passwords. The use of complex passwords should be enforced.

Implement Multifactor Authentication

Multifactor authentication should be implemented on all applications that are accessed by remote workers. This measure will ensure that if credentials are compromised, system access is not granted unless a second factor is provided.

Ensure Remote Workers’ Devices Have Antivirus Software Installed

Antivirus software must be installed on all devices that are allowed to connect to work networks and the solutions must be set to update automatically.

Set Windows Updates to Automatic

Working remotely makes it harder to monitor user devices and perform updates. Ensure that Windows updates are set to occur automatically outside of office hours. Instruct workers to leave their devices on to allow updates to take place.

Use Cloud-Based Backup Solutions

To prevent accidental data loss and to protect against ransomware attacks, all data must be backed up. By using cloud-based backups, in the event of data loss, data can be restored from the cloud-backup service.

Teach Cybersecurity Best Practices for Home Workers

All telecommuting workers must be shown how they need to access their work environment securely when working away from the office. Reinforce IT best practices with home workers, provide training on the use of VPNs, provide training on cybersecurity dos and don’ts when working remotely, and explain procedures for reporting problems.

Define Procedures for Dealing with a Security Incident

Members of the IT team are also likely to be working remotely so it is essential that everyone is aware of their role and responsibilities. In the event of a security incident, workers should have clear procedures to follow to ensure the incident is resolved quickly and efficiently.

Implement a Web Filter

A web filter will help to protect against web-based malware attacks by blocking access to malicious websites and will help to prevent malware downloads and the installation of shadow IT. Also consider applying content controls to limit employee activities on corporate-owned devices. Drive-by malware attacks have increased and the number of malicious domains registered in the past few weeks has skyrocketed.

Use Encrypted Communication Channels

When you need to communicate with telecommuting workers, ensure you have secure communications channels to use where sensitive information cannot be intercepted. Use encryption for email and secure text message communications, such as Telegram or WhatsApp.

Ensure Your Email Security Controls are Sufficient

One of the most important cybersecurity best practices for home workers is to take extra care when opening emails. Phishing and email-based malware attacks have increased significantly during the coronavirus pandemic. Ensure training is provided to help employees identify phishing emails and other email threats.

Consider augmenting email security to ensure more threats are blocked. If you use Office 365, a third-party email security solution layered on top will provide much better protection. Exchange Online Protection (EOP) is unlikely to provide the level of protection you need against phishing and zero-day malware threats. Consider an email security solution with data loss protection functions to protect against insider threats.

Monitor for Unauthorized Access

More devices connecting to work environments makes it much easier for threat actors to hide malicious activity. Make sure monitoring is stepped up. An intrusion detection system that can identify anomalous user behavior would be a wise investment.

For further information on enhancing email security and web filtering to protect remote workers during the coronavirus pandemic, contact TitanHQ today.

The First California Consumer Privacy Act Lawsuit Has Been Filed

The first California Consumer Privacy Act lawsuit has been filed over an alleged failure to adequately protect consumer data. The lawsuit has been filed against Hanna Andersson, a children’s clothing company, and its ecommerce platform provider, Salesforce.com.

The California Consumer Privacy Act took effect on January 1, 2020. Under Civil Code 1798.100 – 1798.199, consumers could start exercising their new rights under CCPA from the compliance date. One of those rights is being able to take legal action against companies for privacy violations, such as the theft of personal data in a data breach.

The California Consumer Privacy Act lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of a victim of a 2019 data breach. The lawsuit alleges negligence and a failure to implement reasonable safeguards to protect consumer data, and that the data breach occurred as a direct result of the alleged negligence. A claim for damages has not been stated, although the right has been reserved to seek damages and relief at a later date.

The breach in question was announced by Hanna Andersson on January 15, 2020. Hackers had gained access to its systems and downloaded malware, which allowed the attackers to steal information such as names, personal information, and payment card data. That information was subsequently listed for sale on the dark web.

The California Consumer Privacy Act allows Californians to file for damages of up to $750 per data breach, so a class action California Consumer Privacy Act lawsuit arising from a sizeable data breach could prove extremely costly for a company. In this case, the data breach affected approximately 10,000 California residents, so damages up to $7,500,000 could potentially be claimed.

Enforcement of CCPA

Enforcement of compliance by the California Attorney General has been delayed and will start 6 months after the publication of the final regulations or July 1, 2020, whichever comes sooner. Since the final regulations have yet to be published, the enforcement date will be July 1, 2020. California Attorney General Xavier Becerra has already stated that he will make an example of businesses that fail to comply with CCPA.

It should be noted that there is nothing in CCPA that prevents the state attorney general from issuing notices of noncompliance before that date and consumers can already file lawsuits to claim damages. It is therefore essential for all entities covered by CCPA to ensure that they are honoring the new consumer rights and have implemented safeguards to protect consumer data.

How TitanHQ Can Help with CCPA Compliance

TitanHQ offers two powerful security solutions that can help covered entities ensure the data of consumers is protected and data breaches are prevented. These two cybersecurity solutions protect against the two most common attack vectors: email and the internet.

SpamTitan is a powerful anti-spam, anti-malware, and anti-phishing solution that protects email systems from phishing and spear phishing attacks, known and zero-day malware threats, and email-based ransomware attacks.

WebTitan is a companion solution that blocks the web-based element of phishing attacks, exploit kits, and drive-by malware downloads over the internet, while also controlling the content that employees can access on wired and wireless networks.

TitanHQ can also help covered entities comply with the right to know and the right to delete afforded to consumers by CCPA through ArcTitan. ArcTitan is an email archiving solution that allows organizations to meet state and federal email data retention requirements and quickly find emails containing consumer data. If a California resident exercises their right to know what data a company holds on them, or requests that all of their personal data be deleted, that information can quickly be found in the archive. ArcTitan will also allow you to quickly find email data for eDiscovery in the event of any legal disputes.

For further information on these solutions, to schedule a product demonstration, or to arrange a free trial of the full solutions (with full customer support), give the TitanHQ team a call today.

TitanHQ Announces New Partnership with Pax8

TitanHQ has announced a new partnership with Pax8. The partnership means Pax8 partners now have access to TitanHQ’s cloud-based email security solution – SpamTitan – and its DNS filtering solution, WebTitan.

Pax8 is the leader in cloud distribution. The company simplifies the cloud buying process and empowers businesses to achieve more with the cloud. The company has been named Best in Show for two consecutive years at the Next Gen and XChange conferences and is positioned at number 60 in the 2019 Inc. 5000 list of the fastest growing companies.

Pax8 carefully selects the vendors it works with and only offers market-leading, channel-friendly solutions to its partners. When searching for further cybersecurity solutions for its partners, TitanHQ was determined to be the perfect fit. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace, and its cybersecurity solutions are much loved by users. This was clearly shown in the 2019 G2 Crowd Report on Email Security Gateways, where SpamTitan was named leader, having received 4- or 5-star ratings from 97% of its users, with 92% saying they would recommend the solution to other businesses.

Phishing, malware, and ransomware attacks have all increased in the past year, and the cost of mitigating those attacks continues to rise. By implementing SpamTitan and WebTitan, SMBs and MSPs can secure their email environments, block web-based threats, and keep their networks secure.

SpamTitan provides excellent protection for Office 365 environments. The solution detects and blocks phishing and email impersonation attacks and prevents known and zero-day malware and ransomware threats from reaching inboxes. The WebTitan Cloud DNS filtering solution blocks the web-based component of cyberattacks by preventing end users from visiting malicious websites, such as those harboring malware and phishing kits.

Both solutions are quick and easy to implement and can be seamlessly integrated into MSPs' service stacks and cloud-management platforms, and Pax8 partners benefit from highly competitive and transparent pricing, centralized billing, and leading customer support.

“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO, TitanHQ. “Their focus and dedication to the MSP community are completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”